BGP uses a TCP connection and listens on TCP port 179. When two routers want to establish a neighbor adjacency, one of the two has to initiate a connection. One router will be the passive router, and the other will be the active router:
- The passive router acts as the server and listens on TCP port 179.
- The active router acts as the client: it picks a random (ephemeral) source TCP port and initiates the connection to TCP port 179 on the passive router.
Once the connection has been established, it doesn’t matter who was active or passive. The only visible difference is that the passive router uses TCP port 179 and the active router uses the ephemeral port.
How do BGP routers figure out which one is active or passive? By default, both routers try to connect, and both also listen on TCP port 179. When both connections come up at the same time, the routers compare their BGP router identifiers (router IDs) to decide which connection to keep. Each BGP router knows its own identifier and learns the identifier of the other router from the OPEN message that it receives. There might be differences between different platforms and OS versions, though.
In this lesson, I’ll show you how to verify which router is active or passive and how to change this if required. There are a number of scenarios where this could be useful:
- If you need to allow BGP through a firewall, it’s easier to make rules when the connection direction is deterministic instead of random: you only have to permit TCP to port 179 in one direction.
- When two BGP routers attempt to establish a connection simultaneously, we have a connection collision. BGP has something built-in to deal with this (collision detection): the connection initiated by the router with the higher router ID is kept, and the other one is closed.
- When you use a route reflector with many clients, you might want to configure the route reflector as passive so it won’t attempt to connect to any BGP routers that are not there (yet).
Configuration
This is the topology we’ll use: R1 (192.168.12.1, AS 1) and R2 (192.168.12.2, AS 2) are connected back-to-back on their GigabitEthernet0/0 interfaces in the 192.168.12.0/24 subnet.
We only need two routers. I’m using Cisco IOSv routers running IOSv Version 15.9(3)M8.
Configurations
Want to take a look for yourself? Here, you will find the startup configuration of each device.
R1
hostname R1
!
ip cef
!
interface GigabitEthernet0/0
ip address 192.168.12.1 255.255.255.0
!
router bgp 1
neighbor 192.168.12.2 remote-as 2
!
end
R2
hostname R2
!
ip cef
!
interface GigabitEthernet0/0
ip address 192.168.12.2 255.255.255.0
!
router bgp 2
neighbor 192.168.12.1 remote-as 1
!
end
Let’s check the BGP router identifiers:
R1#show ip bgp summary | include identifier
BGP router identifier 192.168.12.1, local AS number 1
R2#show ip bgp summary | include identifier
BGP router identifier 192.168.12.2, local AS number 2
This gives us the identifiers. These are advertised in the BGP OPEN message.
Default Behavior
We can see who initiated the connection here:
R1#show ip bgp neighbors | include host
Local host: 192.168.12.1, Local port: 179
Foreign host: 192.168.12.2, Foreign port: 59365
R2#show ip bgp neighbors | include host
Local host: 192.168.12.2, Local port: 59365
Foreign host: 192.168.12.1, Foreign port: 179
This output shows that R1 is the passive router and R2 is the active router. When TCP initiates a connection, it selects a random source port and then attempts to connect to the required destination port. The output above shows that R2 has the random source port (59365) and initiates the connection to R1. Depending on your platform and/or OS you use, you might see a different output. This is what I see on my Cisco IOSv routers.
We can also see this in a packet capture. Here’s R2:
Frame 12: 111 bytes on wire (888 bits), 111 bytes captured (888 bits)
Ethernet II, Src: 52:54:00:bb:2f:e4 (52:54:00:bb:2f:e4), Dst: 52:54:00:95:cc:fa (52:54:00:95:cc:fa)
Internet Protocol Version 4, Src: 192.168.12.2, Dst: 192.168.12.1
Transmission Control Protocol, Src Port: 59365, Dst Port: 179, Seq: 1, Ack: 1, Len: 57
Border Gateway Protocol - OPEN Message
Marker: ffffffffffffffffffffffffffffffff
Length: 57
Type: OPEN Message (1)
Version: 4
My AS: 2
Hold Time: 180
BGP Identifier: 192.168.12.2
Optional Parameters Length: 28
Optional Parameters
And here is R1:
Frame 14: 111 bytes on wire (888 bits), 111 bytes captured (888 bits)
Ethernet II, Src: 52:54:00:95:cc:fa (52:54:00:95:cc:fa), Dst: 52:54:00:bb:2f:e4 (52:54:00:bb:2f:e4)
Internet Protocol Version 4, Src: 192.168.12.1, Dst: 192.168.12.2
Transmission Control Protocol, Src Port: 179, Dst Port: 59365, Seq: 1, Ack: 58, Len: 57
Border Gateway Protocol - OPEN Message
Marker: ffffffffffffffffffffffffffffffff
Length: 57
Type: OPEN Message (1)
Version: 4
My AS: 1
Hold Time: 180
BGP Identifier: 192.168.12.1
Optional Parameters Length: 28
Optional Parameters
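The two captures above show the OPEN message fields, and the debug output further down lists the capabilities that R2 packed into its 28 bytes of optional parameters. As an added example (not code from the original lesson or from Cisco), here is a small Python encoder and decoder for the OPEN message that rebuilds R2’s OPEN byte for byte from those values and decodes it again with the checks a receiver makes before answering. The capability names are from the IANA registry; the message bytes are constructed here, not taken from the capture file.

```python
import ipaddress
import struct

MARKER = b"\xff" * 16          # 16 bytes of all ones on every BGP message
OPEN_TYPE = 1
HEADER_LEN = 19                # marker (16) + length (2) + type (1)

# Capability codes that appear in the lesson's debug output
CAPABILITY_NAMES = {
    1: "Multiprotocol Extensions",
    2: "Route Refresh",
    65: "4-octet AS number",
    70: "Enhanced Route Refresh",
    128: "Route Refresh (Cisco, pre-standard)",
}


def build_open(my_as, hold_time, bgp_id, capabilities):
    """Encode an OPEN message (RFC 4271 section 4.2). Each capability is
    wrapped in its own Optional Parameter of type 2 (RFC 5492), as IOS does."""
    opt = b""
    for code, value in capabilities:
        cap = struct.pack("!BB", code, len(value)) + value
        opt += struct.pack("!BB", 2, len(cap)) + cap
    body = struct.pack("!BHHIB", 4, my_as, hold_time,
                       int(ipaddress.IPv4Address(bgp_id)), len(opt)) + opt
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), OPEN_TYPE) + body


def _tlvs(buf):
    """Walk a buffer of (type, length, value) triples; reject truncated ones."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = buf[pos], buf[pos + 1]
        if pos + 2 + tlv_len > len(buf):
            raise ValueError("truncated TLV value")
        yield tlv_type, buf[pos + 2:pos + 2 + tlv_len]
        pos += 2 + tlv_len


def parse_open(data):
    """Decode an OPEN message with the checks a receiver makes before it
    replies: marker, length, type, version, hold time and identifier."""
    if len(data) < HEADER_LEN + 10:
        raise ValueError("too short for an OPEN message")
    if data[:16] != MARKER:
        raise ValueError("bad marker")               # Connection Not Synchronized
    length, msg_type = struct.unpack("!HB", data[16:19])
    if length != len(data):
        raise ValueError("length field does not match message size")
    if msg_type != OPEN_TYPE:
        raise ValueError("not an OPEN message")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHHIB", data[19:29])
    if version != 4:
        raise ValueError("unsupported BGP version")
    if 0 < hold_time < 3:
        raise ValueError("hold time must be 0 or at least 3 seconds")
    if bgp_id == 0:
        raise ValueError("BGP identifier must not be zero")
    if 29 + opt_len != length:
        raise ValueError("optional parameters length mismatch")
    caps = []
    for ptype, pval in _tlvs(data[29:]):
        if ptype != 2:
            continue                                  # not a Capabilities parameter
        for code, value in _tlvs(pval):
            caps.append((code, CAPABILITY_NAMES.get(code, "unknown"), value))
    return {"version": version, "my_as": my_as, "hold_time": hold_time,
            "bgp_id": str(ipaddress.IPv4Address(bgp_id)), "capabilities": caps}


# R2's OPEN from the capture above, reconstructed (constructed bytes) from the
# debug output: MP_EXT for AFI/SAFI 1/1, route refresh (old and new),
# enhanced refresh and the 4-byte ASN capability carrying AS 2.
R2_OPEN = build_open(
    my_as=2, hold_time=180, bgp_id="192.168.12.2",
    capabilities=[
        (1, struct.pack("!HBB", 1, 0, 1)),   # AFI 1 (IPv4), reserved, SAFI 1 (unicast)
        (128, b""),
        (2, b""),
        (70, b""),
        (65, struct.pack("!I", 2)),
    ],
)

if __name__ == "__main__":
    decoded = parse_open(R2_OPEN)
    print(len(R2_OPEN), decoded["bgp_id"], decoded["my_as"], decoded["hold_time"])  # 57 192.168.12.2 2 180
    for code, name, value in decoded["capabilities"]:
        print(f"  capability {code} ({name}) len {len(value)}")
```

The five wrapped capabilities add up to exactly the 28 bytes of optional parameters and the total length of 57 that the capture shows, which is a useful sanity check when you write your own decoder: a length field that disagrees with the message size, or a marker that is not all ones, is something a receiver must reject rather than try to parse around.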
Don’t confuse the identifier with the IP addresses in the capture; here they happen to be the same. If you set the identifier manually with the bgp router-id command, you’ll still see the IP addresses that are used for the neighbor command in the IP header. However, you will see a different identifier in the OPEN message.
You can also use this command to see a similar output:
R1#show tcp brief all
TCB Local Address Foreign Address (state)
1107B308 192.168.12.1.179 192.168.12.2.59365 ESTAB
0D0E9430 0.0.0.0.179 192.168.12.2.* LISTEN
R2#show tcp brief all
TCB Local Address Foreign Address (state)
0D12AEC8 192.168.12.2.59365 192.168.12.1.179 ESTAB
0D0EFDD8 0.0.0.0.179 192.168.12.1.* LISTEN
You can also see in action which router is active or passive with this debug command:
R1 & R2
#debug ip bgp
BGP debugging is on for address family: IPv4 Unicast
Let’s reset the BGP neighbor adjacency:
R1#clear ip bgp *
You’ll see this on R1:
R1#
BGP: 192.168.12.2 passive rcv OPEN, version 4, holdtime 180 seconds
BGP: 192.168.12.2 passive rcv OPEN w/ OPTION parameter len: 28
BGP: 192.168.12.2 passive rcvd OPEN w/ optional parameter type 2 (Capability) len 6
BGP: 192.168.12.2 passive OPEN has CAPABILITY code: 1, length 4
BGP: 192.168.12.2 passive OPEN has MP_EXT CAP for afi/safi: 1/1
BGP: 192.168.12.2 passive rcvd OPEN w/ optional parameter type 2 (Capability) len 2
BGP: 192.168.12.2 passive OPEN has CAPABILITY code: 128, length 0
BGP: 192.168.12.2 passive OPEN has ROUTE-REFRESH capability(old) for all address-families
BGP: 192.168.12.2 passive rcvd OPEN w/ optional parameter type 2 (Capability) len 2
BGP: 192.168.12.2 passive OPEN has CAPABILITY code: 2, length 0
BGP: 192.168.12.2 passive OPEN has ROUTE-REFRESH capability(new) for all address-families
BGP: 192.168.12.2 passive rcvd OPEN w/ optional parameter type 2 (Capability) len 2
BGP: 192.168.12.2 passive OPEN has CAPABILITY code: 70, length 0
BGP: ses global 192.168.12.2 (0xD14C940:0) pas Enhanced Refresh cap received in open message
BGP: 192.168.12.2 passive rcvd OPEN w/ optional parameter type 2 (Capability) len 6
BGP: 192.168.12.2 passive OPEN has CAPABILITY code: 65, length 4
BGP: 192.168.12.2 passive OPEN has 4-byte ASN CAP for: 2
BGP: 192.168.12.2 passive rcvd OPEN w/ remote AS 2, 4-byte remote AS 2
BGP: ses global 192.168.12.2 (0xD14C940:0) pas Adding topology IPv4 Unicast:base
BGP: ses global 192.168.12.2 (0xD14C940:0) pas Send OPEN
BGP: ses global 192.168.12.2 (0xD14C940:0) pas Building Enhanced Refresh capability
BGP: 192.168.12.2 passive went from Connect to OpenSent
BGP: 192.168.12.2 passive sending OPEN, version 4, my as: 1, holdtime 180 seconds, ID C0A80C01
BGP: 192.168.12.2 passive went from OpenSent to OpenConfirm
BGP: 192.168.12.2 passive went from OpenConfirm to Established
BGP: ses global 192.168.12.2 (0xD14C940:1) pas Assigned ID
BGP: nbr global 192.168.12.2 Stop Active Open timer as all topologies are allocated
BGP: ses global 192.168.12.2 (0xD14C940:1) Up
%BGP-5-ADJCHANGE: neighbor 192.168.12.2 Up
Above, you can see the word “passive” in most of the debug output. R2 shows up as active:
R2#
BGP: 192.168.12.1 active went from Active to OpenSent
BGP: 192.168.12.1 active sending OPEN, version 4, my as: 2, holdtime 180 seconds, ID C0A80C02
BGP: 192.168.12.1 active rcv message type 1, length (excl. header) 38
BGP: ses global 192.168.12.1 (0xD129FA8:0) act Receive OPEN
BGP: 192.168.12.1 active rcv OPEN, version 4, holdtime 180 seconds
BGP: 192.168.12.1 active rcv OPEN w/ OPTION parameter len: 28
BGP: 192.168.12.1 active rcvd OPEN w/ optional parameter type 2 (Capability) len 6
BGP: 192.168.12.1 active OPEN has CAPABILITY code: 1, length 4
BGP: 192.168.12.1 active OPEN has MP_EXT CAP for afi/safi: 1/1
BGP: 192.168.12.1 active rcvd OPEN w/ optional parameter type 2 (Capability) len 2
BGP: 192.168.12.1 active OPEN has CAPABILITY code: 128, length 0
BGP: 192.168.12.1 active OPEN has ROUTE-REFRESH capability(old) for all address-families
BGP: 192.168.12.1 active rcvd OPEN w/ optional parameter type 2 (Capability) len 2
BGP: 192.168.12.1 active OPEN has CAPABILITY code: 2, length 0
BGP: 192.168.12.1 active OPEN has ROUTE-REFRESH capability(new) for all address-families
BGP: 192.168.12.1 active rcvd OPEN w/ optional parameter type 2 (Capability) len 2
BGP: 192.168.12.1 active OPEN has CAPABILITY code: 70, length 0
BGP: ses global 192.168.12.1 (0xD129FA8:0) act Enhanced Refresh cap received in open message
BGP: 192.168.12.1 active rcvd OPEN w/ optional parameter type 2 (Capability) len 6
BGP: 192.168.12.1 active OPEN has CAPABILITY code: 65, length 4
BGP: 192.168.12.1 active OPEN has 4-byte ASN CAP for: 1
BGP: 192.168.12.1 active rcvd OPEN w/ remote AS 1, 4-byte remote AS 1
BGP: 192.168.12.1 active went from OpenSent to OpenConfirm
BGP: 192.168.12.1 active went from OpenConfirm to Established
BGP: ses global 192.168.12.1 (0xD129FA8:1) act Assigned ID
BGP: ses global 192.168.12.1 (0xD129FA8:1) Up
%BGP-5-ADJCHANGE: neighbor 192.168.12.1 Up
Above, we see the word “active” come up in all of the debug lines.
Transport Connection Mode
We can make the connection deterministic by using the transport connection-mode command. This tells the router whether it should be active or passive for this neighbor. Let’s configure R1:
R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.12.2 transport connection-mode active
This tells R1 to always initiate the TCP connection to R2. It doesn’t tell R2 anything, so we also configure R2 to be the passive router:
R2(config)#router bgp 2
R2(config-router)#neighbor 192.168.12.1 transport connection-mode passive
This tells R2 that it should be the passive router: it waits for R1 to connect and won’t attempt a connection itself. Let’s test this:
R1#clear ip bgp *
This is what we have now:
R1#show ip bgp neighbors | include host
Local host: 192.168.12.1, Local port: 12776
Foreign host: 192.168.12.2, Foreign port: 179
R2#show ip bgp neighbors | include host
Local host: 192.168.12.2, Local port: 179
Foreign host: 192.168.12.1, Foreign port: 12776
As you can see, R1 is now the active router, and R2 is the passive router, regardless of which router ID is higher. Two things to keep in mind: don’t configure passive on both sides, because then neither router initiates the connection and the session never comes up; and a firewall between the routers now only has to permit TCP from R1 to R2 on destination port 179 (and the return traffic of that connection).
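To make the rules above checkable, here is an added Python example (not part of the original lesson, and not Cisco code) that predicts which router should initiate the connection from the connection mode configured on each side and the router IDs, and compares that with what show ip bgp neighbors | include host reports. It assumes the semantics passive = only accepts, active = only initiates, no connection-mode = both, and applies the RFC 4271 collision rule (the connection from the higher router ID survives) when both sides could initiate. The show output strings are constructed from the outputs in this lesson.

```python
import ipaddress
import re

ACTIVE, PASSIVE, DEFAULT = "active", "passive", "default"


def expected_initiator(modes, router_ids):
    """Predict which router opens the TCP connection to port 179.

    modes maps router name -> connection mode of its neighbor statement
    (DEFAULT = no transport connection-mode configured). Assumed semantics:
    passive only accepts, active only initiates, default does both.
    Returns the initiating router, or None if the session can never establish.
    """
    if len(modes) != 2:
        raise ValueError("expects exactly two routers")
    peer = {r: next(o for o in modes if o != r) for r in modes}
    # A router can be the initiator if it is allowed to open and its peer accepts.
    candidates = [r for r in modes
                  if modes[r] != PASSIVE and modes[peer[r]] != ACTIVE]
    if not candidates:
        return None                      # e.g. passive on both sides: never comes up
    if len(candidates) == 1:
        return candidates[0]
    # Both sides open and both accept: a connection collision. RFC 4271 6.8
    # keeps the connection initiated by the router with the higher BGP identifier.
    return max(candidates, key=lambda r: int(ipaddress.IPv4Address(router_ids[r])))


_LOCAL = re.compile(r"Local host: (\S+), Local port: (\d+)")
_FOREIGN = re.compile(r"Foreign host: (\S+), Foreign port: (\d+)")


def observed_role(show_output):
    """Classify one router from its 'show ip bgp neighbors | include host' lines:
    local port 179 means the peer connected to us (passive); foreign port 179
    means we connected to the peer (active)."""
    local, foreign = _LOCAL.search(show_output), _FOREIGN.search(show_output)
    if not local or not foreign:
        raise ValueError("no established session in output")
    lport, fport = int(local.group(2)), int(foreign.group(2))
    if (lport == 179) == (fport == 179):
        raise ValueError(f"ambiguous ports {lport}/{fport}")
    return PASSIVE if lport == 179 else ACTIVE


def check(router, modes, router_ids, show_output):
    """True if what the router shows matches what its configuration predicts."""
    want = expected_initiator(modes, router_ids)
    if want is None:
        return False                     # configuration can never establish a session
    want_role = ACTIVE if want == router else PASSIVE
    return observed_role(show_output) == want_role


# Constructed from the lesson's outputs: R1 before and after the connection-mode change.
IDS = {"R1": "192.168.12.1", "R2": "192.168.12.2"}
R1_BEFORE = ("Local host: 192.168.12.1, Local port: 179\n"
             "Foreign host: 192.168.12.2, Foreign port: 59365\n")
R1_AFTER = ("Local host: 192.168.12.1, Local port: 12776\n"
            "Foreign host: 192.168.12.2, Foreign port: 179\n")

if __name__ == "__main__":
    print(expected_initiator({"R1": DEFAULT, "R2": DEFAULT}, IDS))    # R2 (higher router ID)
    print(expected_initiator({"R1": ACTIVE, "R2": PASSIVE}, IDS))     # R1
    print(expected_initiator({"R1": PASSIVE, "R2": PASSIVE}, IDS))    # None
    print(check("R1", {"R1": ACTIVE, "R2": PASSIVE}, IDS, R1_AFTER))   # True
```

With no connection mode configured, the prediction for this topology is R2, which is exactly what the first show ip bgp neighbors output in this lesson showed; after the change it is R1. The None result for passive on both sides is the misconfiguration to watch for when you roll this out on a route reflector and its clients.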
Configurations
Want to take a look for yourself? Here, you will find the final configuration of each device.
R1
hostname R1
!
ip cef
!
interface GigabitEthernet0/0
ip address 192.168.12.1 255.255.255.0
!
router bgp 1
neighbor 192.168.12.2 remote-as 2
neighbor 192.168.12.2 transport connection-mode active
!
end
R2
hostname R2
!
ip cef
!
interface GigabitEthernet0/0
ip address 192.168.12.2 255.255.255.0
!
router bgp 2
neighbor 192.168.12.1 remote-as 1
neighbor 192.168.12.1 transport connection-mode passive
!
end
Conclusion
You have now learned what BGP active and passive routers are, how to verify which router is active or passive, and how to make the connection deterministic. I hope you enjoyed this lesson. If you have any questions, please leave a comment.