BGP Messages

BGP uses a variety of messages for establishing the connection, exchanging routing information, checking if the remote BGP neighbor is still there and/or notifying the remote side if any errors occur.

To do all of this, BGP uses 4 messages:

  • Open Message
  • Update Message
  • Keepalive Message
  • Notification Message

All of these BGP messages use a fixed-size header, it includes a type field that indicates what type of message it is.

To explain these BGP messages I will show you some Wireshark captures. I will use the following topology for this:

BGP R1 R2 AS1 AS2 Topology

Open Message

Once two BGP routers have completed a TCP 3-way handshake they will attempt to establish a BGP session, this is done using open messages. In the open message you will find some information about the BGP router, these have to be negotiated and accepted by both routers before we can exchange any routing information. Here are some of the items you will find in the open message:

  • Version: this includes the BGP version that the router is using. The current version of BGP is version 4 which is described in RFC 4271. Two BGP routers will try to negotiate a compatible version, when there is a mismatch then there will be no BGP session.
  • My AS: this includes the AS number of the BGP router, the routers will have to agree on the AS number(s) and it also defines if they will be running iBGP or eBGP.
  • Hold Time: if BGP doesn’t receive any keepalive or update messages from the other side for the duration of the hold time then it will declare the other side ‘dead’ and it will tear down the BGP session. By default the hold time is set to 180 seconds on Cisco IOS routers, the keepalive message is sent every 60 seconds. BGP routers will use the lowest configured hold down timer.
  • BGP Identifier: this is the local BGP router ID which is elected just like OSPF does:
    • Use the router-ID that was configured manually with the bgp router-id command.
    • Use the highest IP address on a loopback interface.
    • Use the highest IP address on a physical interface.
  • Optional Parameters: here you will find some optional capabilities of the BGP router. This field has been added so that new features could be added to BGP without having to create a new version.Things you might find here are:

Here’s an example of a wireshark capture of an open message between R1 and R2:

Wireshark Capture BGP Open Message

Above you can see the open message from R1 to R2. You can see the things that we discussed, the BGP version, AS number, hold time, BGP ID and the optional parameters (MP-BGP and route refresh). The marker field on top is used to indicate if we use MD5 authentication or not. When it’s filled with 1’s then we are not using authentication.

Update Message

Once two routers have become BGP neighbors, they can start exchanging routing information. This is done with the update message. In the update message you will find information about the prefixes that are advertised.In “BGP language” a prefix is referred to as NLRI (Network Layer Reachability Information). Here are some of the things you will find in an update message:

  • Withdrawn Route Length: this field shows the length of the Withdrawn Routes field in bytes. When it is set to 0, there are no routes withdrawn and the Withdrawn Routes field will not show up.
  • Withdrawn Routes: this field shows all the prefixes that should be removed from the BGP table.
  • Total Path Attribute Length: here you will find the total length of the Path Attributes field.
  • Path Attributes: the BGP attributes for the prefix are stored here, for example: origin, as_path, next_hop, med, local preference, etc. These path attributes are stored in TLV-format (Type, Length, Value).

Each of the BGP attributes also has an attribute flag that tells the BGP router how to treat the attribute. Here are the different bit flags:

  • Optional: when the attribute is well-known this bit is set to 0, when its optional it is set to 1.
  • Transitive: when an optional attribute is non-transitive this bit is set to 0, when it is transitive it is set to 1.
  • Partial: when an optional attribute is complete this bit is set to 0, when it’s partial it is set to 1.
  • Extended Length: when the attribute length is 1 octet it is set to 0, for 2 octets it is set to 1. This extended length flag may only be used if the length of the attribute value is greater than 255 octets.

Let’s take a look at an update message from R1:

R1(config)#router bgp 1
R1(config-router)#network 1.1.1.1 mask 255.255.255.255

Here’s the capture:

Wireshark Capture BGP Update Route Message

Above you can see a update message from R1. No routes are withdrawn and there are a couple of BGP attributes. You can see the ORIGIN, AS_PATH and MULTI_EXIT_DISC (MED). I also highlighted some of the flags. The AS_PATH attribute is transitive while MULTI_EXIT_DISC is optional. At the bottom you can find the NLRI information with our prefix.

Let’s remove the network command for the loopback interface on R1 so that we can see a withdrawn in the update message:

R1(config)#interface loopback 0
R1(config-if)#shutdown

Here’s the capture:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 799 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

567 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Forum Replies

  1. Nice summary , thanks

  2. Rene,

    Great lesson, how do I capture traffic in GNS3 to see these messages. Please let me know.

    Thanks

    Hamood

  3. Hi Hamood,

    GNS3 makes this really simple. You can right-click on any interface and select “capture”. It will automatically start Wireshark and show you the traffic that flows through the link.

    Rene

  4. Rene,

    Thank you so much, your lessons with wireshark are very help full to read and understand these BGP messages.

    Question,
    Is there is a need to change hold time on the production network to optimize network performance.

    Thanks
    Hamood

    Hamood

  5. Hi Hamood,

    You are welcome. I also like the wireshark captures, they help to visualize things.

    Changing the hold time won’t matter much, it’s only used to check if the other BGP neighbor is “alive” or not. There are some other BGP timers that you can play with though to improve convergence speed.

    Rene

35 more replies! Ask a question or join the discussion by visiting our Community Forum