Saturday, July 10, 2021

BGP Message Types logs and PCAPS

Introduction:

BGP stands for Border Gateway Protocol; as the name implies, it is a protocol that runs on our network border devices. BGP is an application layer protocol and uses TCP port 179 to establish its peering connections with neighbors.

BGP is the routing protocol of the internet: all the external routes used and exchanged on the internet are carried with the help of BGP.

You can check that BGP sits at the "application" layer here:

As stated above, a routing protocol is an "Application".


BGP version 4 supports Multiprotocol BGP (MP-BGP), which means it can carry the IPv4, IPv6, VPNv4, VPNv6 and L2VPN address families.

BGP RFC 4271 link > https://datatracker.ietf.org/doc/html/rfc4271 

You can see the BGP version in the output of show ip bgp summary below, under the column "V":

NOTE: BGP Version is not the same as BGP table version.


We are going to create a small BGP lab using Cisco IOS and Cisco IOS-XE in GNS3.

This is going to be the topology:

As mentioned, BGP uses TCP to establish connections with its neighbors; the pcap below shows the TCP connection between the two routers:

The BGP messages exchanged between the routers (and, of course, the ones that continue to be exchanged between the peers afterwards) are:

1. OPEN messages (establishing the BGP session once the TCP connection is up)

2. UPDATE messages (prefixes being advertised or withdrawn)

3. KEEPALIVE messages (like a hello message, to make sure the peer is still alive)

4. NOTIFICATION messages (sent when an error happens in the connection)


These messages can be seen in two ways:

1. Debug on the routers

2. Packet capture

We are going to view both of them below:

#debug BGP all

*Jul 10 06:15:19.833: BGP: ses global 12.12.12.2 (0x7FA8710B3168:0) pas Enhanced Refresh cap received in open message
*Jul 10 06:15:12.352: BGP: ses global 12.12.12.1 (0x7FA84FFADDB0:1) Send NOTIFICATION 6/4 (Administrative Reset) 0 bytes
*Jul 10 06:15:12.352: BGP: ses global 12.12.12.2 (0x7FA8710B2D08:1) Send NOTIFICATION 6/4 (Administrative Reset) 0 bytes
*Jul 10 06:15:12.352: %BGP-3-NOTIFICATION_MANY: sent to 2 sessions 6/4 (Administrative Reset) for all peers

 

CSR#debug ip bgp updates


*Jul 10 06:21:01.715: BGP(0): 12.12.12.2 rcvd UPDATE w/ attr: nexthop 12.12.12.2, origin i, metric 0, merged path 2, AS_PATH
*Jul 10 06:21:01.715: BGP(0): 12.12.12.2 rcvd 123.123.123.1/32
*Jul 10 06:21:01.715: BGP(0): Revise route installing 1 of 1 routes for 123.123.123.1/32 -> 12.12.12.2(global) to main IP table
*Jul 10 06:21:01.715: BGP_Router: unhandled major event code 128, minor 0
*Jul 10 06:21:01.717: BGP(0): 12.12.12.1 NEXT_HOP is on same subnet as the bgp peer and set to 12.12.12.2 for net 123.123.123.1/32, flags 200, sb: C0C0C00, mask: FFFFFF00
*Jul 10 06:21:01.717: BGP(0): (base) 12.12.12.1 send UPDATE (format) 123.123.123.1/32, next 12.12.12.2, metric 0, path 2
*Jul 10 06:21:01.718: BGP(0): 12.12.12.1 rcvd UPDATE w/ attr: nexthop 12.12.12.2, origin i, merged path 1 2, AS_PATH
*Jul 10 06:21:01.718: BGP(0): 12.12.12.1 rcvd 123.123.123.1/32

As you can see above, we have NOTIFICATION, UPDATE and OPEN messages; below are the KEEPALIVEs:

#debug ip bgp keepalive

*Jul 10 06:22:43.252: BGP: 12.12.12.1 KEEPALIVE write request serviced in BGP_IO
*Jul 10 06:22:43.252: BGP: 12.12.12.1 service 1 read request in BGP_IO
*Jul 10 06:22:43.990: BGP: 12.12.12.2 passive KEEPALIVE write request serviced in BGP_IO
*Jul 10 06:22:43.990: BGP: 12.12.12.2 passive KEEPALIVE requested (rcv_open)
*Jul 10 06:22:43.990: BGP: ses global 12.12.12.2 (0x7FA879168DC8:0) pas service keepalive IO request.
*Jul 10 06:22:43.991: BGP: 12.12.12.2 passive KEEPALIVE write request serviced in BGP_IO
*Jul 10 06:22:43.991: BGP: 12.12.12.2 passive KEEPALIVE write request serviced in BGP_IO
*Jul 10 06:22:43.991: BGP: 12.12.12.2 passive service 2 read request in BGP_IO
*Jul 10 06:22:43.991: BGP: 12.12.12.2 passive service 2 read request in BGP_IO
*Jul 10 06:22:43.991: BGP: 12.12.12.2 passive received KEEPALIVE, length (excl. header) 0
*Jul 10 06:22:43.991: %BGP-5-ADJCHANGE: neighbor 12.12.12.2 Up

The other way is to look at the PCAP, captured with Wireshark on GNS3 (in a lab environment, of course):

Let's check the UPDATE message here and see what it contains.

As you can see here, the NLRI is carried in the UPDATE message and contains Router2's loopback prefix (2.2.2.2/32), since the UPDATE is being sent to Router1.
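To tie the four message types listed above to the bytes Wireshark shows in the capture, here is an added Python decoder of my own (not code from the original post or from any vendor tool): it validates the RFC 4271 header (16-byte marker, length, type), splits one TCP/179 payload into its back-to-back messages, and pulls the withdrawn routes and NLRI out of an UPDATE and the error code/subcode out of a NOTIFICATION. The sample payload is constructed to match the lab (2.2.2.2/32 via 12.12.12.2, a 6/4 Administrative Reset), not taken from the pcap.

```python
import struct
from ipaddress import ip_network

BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}  # RFC 4271 type codes
MARKER = b"\xff" * 16  # every message starts with a 16-byte all-ones marker

def decode_prefixes(blob):
    # NLRI / withdrawn-routes encoding: 1-byte prefix length, then ceil(len/8) prefix bytes
    out, i = [], 0
    while i < len(blob):
        plen, nbytes = blob[i], (blob[i] + 7) // 8
        if plen > 32 or i + 1 + nbytes > len(blob):
            raise ValueError("truncated or invalid prefix")
        raw = int.from_bytes(blob[i + 1:i + 1 + nbytes].ljust(4, b"\x00"), "big")
        out.append(str(ip_network((raw, plen), strict=False)))
        i += 1 + nbytes
    return out

def parse_bgp_message(data):
    # validate the 19-byte header before trusting anything in the body
    if len(data) < 19 or data[:16] != MARKER:
        raise ValueError("bad marker or truncated header")
    length, mtype = struct.unpack("!HB", data[16:19])
    if not 19 <= length <= 4096 or length > len(data):
        raise ValueError(f"invalid length {length}")
    body = data[19:length]
    msg = {"type": BGP_TYPES.get(mtype, f"UNKNOWN({mtype})"), "length": length}
    if mtype == 2:  # UPDATE: withdrawn routes, path attributes, then the NLRI
        wlen = struct.unpack("!H", body[:2])[0]
        alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
        msg["withdrawn"] = decode_prefixes(body[2:2 + wlen])
        msg["nlri"] = decode_prefixes(body[4 + wlen + alen:])
    elif mtype == 3:  # NOTIFICATION: error code/subcode, e.g. 6/4 = Cease/Administrative Reset
        msg["error"] = f"{body[0]}/{body[1]}"
    return msg

def parse_stream(payload):
    # one TCP/179 segment can carry several back-to-back messages; split on the length field
    msgs, pos = [], 0
    while pos < len(payload):
        msgs.append(parse_bgp_message(payload[pos:]))
        pos += msgs[-1]["length"]
    return msgs

# Constructed sample, not the post's capture: a KEEPALIVE, then an UPDATE advertising
# 2.2.2.2/32 (ORIGIN igp, AS_PATH [2], NEXT_HOP 12.12.12.2), then a 6/4 NOTIFICATION
SAMPLE_PAYLOAD = (MARKER + struct.pack("!HB", 19, 4)
    + MARKER + struct.pack("!HB", 46, 2) + b"\x00\x00\x00\x12" + b"\x40\x01\x01\x00"
    + b"\x40\x02\x04\x02\x01\x00\x02" + b"\x40\x03\x04\x0c\x0c\x0c\x02" + b"\x20\x02\x02\x02\x02"
    + MARKER + struct.pack("!HB", 21, 3) + b"\x06\x04")
```

Feed it the reassembled TCP payload of a BGP stream (for example exported from Wireshark) and it yields the same OPEN/UPDATE/NOTIFICATION/KEEPALIVE sequence the debug output shows; a bad marker or an out-of-range length is rejected before the body is touched.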



I hope this was useful for you!


Samer R. Saleem.


First Image Source: Cisco.com

Tuesday, July 6, 2021

Top 70 networking blogs on the internet

First, I want to take the chance to say thanks to feedspot.com for selecting my blog as one of the top 70 networking blogs on the internet. It was nice to see an email from feedspot.com in my inbox this morning!


Feedspot.com is a website that indexes many great blogs on the internet.

Here is a little introduction to feedspot.com:


Feedspot Reader helps you find and keep track of interesting stuff on the web. You can subscribe to your favorite websites, and keep up with what's popular. New content comes to your Feedspot Reader when it's posted, so you don't need to visit individual sites.

Plus, Reader keeps track of which posts you've read, so you only see unread posts when you come back. Unread posts appear bold. As you read, Reader will mark the post as read.

You can visit the link below and have a look at many blogs and recommended sites!


https://www.feedspot.com/

Here is also the list created by feedspot.com of the top 70 networking blogs on the internet!

https://blog.feedspot.com/networking_blogs/

Enjoy surfing!

Hope this was useful!

Samer 


Monday, July 5, 2021

CSMA/CD quick post

One of the topics we need to understand, and one that happens in our daily work maybe even without us knowing it, is collisions: how and when they happen on a network.

Let's take the two topologies below and compare what happens in each of them.


As we all know, a hub is an old device that was used to connect devices (computers, printers) together on a shared network.

The hub is not smart enough to prevent problems like loops or collisions; it is not manageable, and it works with a single VLAN (or whatever VLAN comes in from another attached network).

This is why we don't use hubs in our networks anymore; switches have replaced them.

OK, so let's talk about collisions.

Simply put, they happen when two or more devices talk (send frames) at the same time. This can easily happen on a hub, because hubs have no mechanism to prevent it.


On the other hand, stations do have a feature that was created to limit these collisions. It is called CSMA/CD, which stands for Carrier Sense Multiple Access / Collision Detection.

The devices connected to the hub's ports sense the traffic on the shared medium and send frames only when no frames are being sent by other devices.

If there is a collision, all ports send a jamming signal so that no more frames are sent.

The jamming signal then ends, and each party to the collided frames waits for a timer before sending frames again; these timers are randomized by each device to make sure the collision does not happen again. Hence the name MAC (Media Access Control).

A better option than CSMA/CD is CSMA/CA, which stands for the same except that instead of Collision Detection we have Collision Avoidance: a computer first sends something like a test frame to see whether anyone else is sending, and only then continues sending frames to the destination, which lowers the chance of a collision even more.

So this is done by the computers, as a layer 2 feature, to solve some of the hub's problems.

This is not the case on switches, however, where each port is a separate collision domain from the rest of the ports.
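To make the sense / collide / jam / back-off sequence above concrete, here is an added simulation of my own (not from the original post). It models a hub's shared medium in time slots, with the randomized wait implemented as 802.3-style binary exponential backoff (an assumption; the post only says the timers are randomized). Calling it with one station per domain is the switch case, where each port is its own collision domain and nothing collides.

```python
import random

def simulate_shared_medium(n_stations, frame_slots=4, seed=7, max_slots=10_000):
    """Slot-based model of the hub case. Every station has one frame to send: it senses
    the shared medium and transmits only when the medium is idle; two or more stations
    starting in the same slot is a collision, which is detected and followed by a
    one-slot jam, after which each colliding station backs off for a random number of
    slots whose range doubles with every attempt (802.3-style backoff, assumed here).
    Returns (slot at which the last frame finished, number of collisions); the first
    value is None if some station never got its frame through within max_slots."""
    rng = random.Random(seed)  # seeded so a run is reproducible
    pending = {s: {"ready": 0, "attempts": 0} for s in range(n_stations)}
    busy_until, collisions, slot = 0, 0, 0
    while pending and slot < max_slots:
        if slot >= busy_until:  # carrier sense: nobody is transmitting in this slot
            starters = [s for s, st in pending.items() if st["ready"] <= slot]
            if len(starters) == 1:  # exactly one sender: the frame goes through
                busy_until = slot + frame_slots
                del pending[starters[0]]
            elif starters:  # collision detected: jam, then randomized backoff
                collisions += 1
                busy_until = slot + 1  # the jam signal occupies the medium
                for s in starters:
                    st = pending[s]
                    st["attempts"] += 1
                    st["ready"] = busy_until + rng.randrange(2 ** min(st["attempts"], 10))
        slot += 1
    return (busy_until if not pending else None), collisions
```

With one station (a switched port) the frame goes out immediately with zero collisions; with several stations on the hub every one of them starts in the first idle slot, so at least one collision is guaranteed and the total time grows beyond the sum of the frame times.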

Hope this was useful.


Samer R. Saleem

Securing Small Businesses: A Roadmap to Continuity and Confidence

  In an ever-expanding world of cyberspace, the prevalence of cyber-attacks grows daily. Allocating budgetary resources to network and cyber...