Saturday, July 10, 2021

BGP Message Types logs and PCAPS

 

Introduction:

BGP stands for Border Gateway Protocol, as the name implies it is a protocol that works on our network border devices, BGP is a an application layer protocol and it does work with TCP protocol 179 to establish it's peering connection with neighbors.

BGP is the internet protocol, all external routing protocols that used and exchanged on the internet are with the help of BGP.

you can check BGP is "application" here:





as stated above (Routing protocol is "Application")


 BGP version4 does support Multi-protocol BGP which means (IPv6, L2VPN, IPv4, VPNv4, VPNv6)

BGP RFC 4271 link > https://datatracker.ietf.org/doc/html/rfc4271 

You can see the BGP version from the command show ip bgp summary below under the letter "V":

 




 

 

 

 

 

NOTE: BGP Version is not the same as BGP table version.


We are going to create a small lab for BGP using Cisco IOS and Cisco IOS-XE using GNS3.

This is going to be the topology:







 

 

 

 

 

 

 

 

As been mentioned that BGP uses TCP to establish connections with neighbors, check below pcap for the connection between two routers:








BGP messages exchanged between the Routers will be and of course will continue to be exchanged between the peers are:

1.OPEN messages (establishing TCP Connection)

2.UPDATES (Updates of prefixes advertised or withdrawn)

3.Keep Alive message (it is like a hello message to make sure peer is still alive)

4.Notification message(when error happen in the connections)


These messages can be seen in two ways:

1.Debug on the routers

2.Packet Capture 

We are going view both of them here below:

#debug BGP all

*Jul 10 06:15:19.833: BGP: ses global 12.12.12.2 (0x7FA8710B3168:0) pas Enhanced Refresh cap received in open message

    Line 2: *Jul 10 06:15:12.352: BGP: ses global 12.12.12.1 (0x7FA84FFADDB0:1) Send NOTIFICATION 6/4 (Administrative Reset) 0 bytes
    Line 4: *Jul 10 06:15:12.352: BGP: ses global 12.12.12.2 (0x7FA8710B2D08:1) Send NOTIFICATION 6/4 (Administrative Reset) 0 bytes
    Line 5: *Jul 10 06:15:12.352: %BGP-3-NOTIFICATION_MANY: sent to 2 sessions 6/4 (Administrative Reset) for all peers

 

CSR#debug ip bgp updates


*Jul 10 06:21:01.715: BGP(0): 12.12.12.2 rcvd UPDATE w/ attr: nexthop 12.12.12.2, origin i, metric 0, merged path 2, AS_PATH
*Jul 10 06:21:01.715: BGP(0): 12.12.12.2 rcvd 123.123.123.1/32
*Jul 10 06:21:01.715: BGP(0): Revise route installing 1 of 1 routes for 123.123.123.1/32 -> 12.12.12.2(global) to main IP table
*Jul 10 06:21:01.715: BGP_Router: unhandled major event code 128, minor 0
*Jul 10 06:21:01.717: BGP(0): 12.12.12.1 NEXT_HOP is on same subnet as the bgp peer and set to 12.12.12.2 for net 123.123.123.1/32, flags 200, sb: C0C0C00, mask: FFFFFF00
*Jul 10 06:21:01.717: BGP(0): (base) 12.12.12.1 send UPDATE (format) 123.123.123.1/32, next 12.12.12.2, metric 0, path 2
*Jul 10 06:21:01.718: BGP(0): 12.12.12.1 rcvd UPDATE w/ attr: nexthop 12.12.12.2, origin i, merged path 1 2, AS_PATH
*Jul 10 06:21:01.718: BGP(0): 12.12.12.1 rcvd 123.123.123.1/32

As you can see above, we have notification, updates, open message, below the keepalives>>>

#debug ip bgp keepalive

*Jul 10 06:22:43.252: BGP: 12.12.12.1 KEEPALIVE write request serviced in BGP_IO
*Jul 10 06:22:43.252: BGP: 12.12.12.1 service 1 read request in BGP_IO
*Jul 10 06:22:43.990: BGP: 12.12.12.2 passive KEEPALIVE write request serviced in BGP_IO
*Jul 10 06:22:43.990: BGP: 12.12.12.2 passive KEEPALIVE requested (rcv_open)
*Jul 10 06:22:43.990: BGP: ses global 12.12.12.2 (0x7FA879168DC8:0) pas service keepalive IO request.
*Jul 10 06:22:43.991: BGP: 12.12.12.2 passive KEEPALIVE write request serviced in BGP_IO
*Jul 10 06:22:43.991: BGP: 12.12.12.2 passive KEEPALIVE write request serviced in BGP_IO
*Jul 10 06:22:43.991: BGP: 12.12.12.2 passive service 2 read request in BGP_IO
*Jul 10 06:22:43.991: BGP: 12.12.12.2 passive service 2 read request in BGP_IO

*Jul 10 06:22:43.991: BGP: 12.12.12.2 passive received KEEPALIVE, length (excl. header) 0

*Jul 10 06:22:43.991: %BGP-5-ADJCHANGE: neighbor 12.12.12.2 Up

The other way is to use the PCAP using wireshark capturing on GNS3 (this is of course in lab environment):







Let's check the update message here and see what does it contain.









 

 

 

As you can see here, the NLRI is being advertised in the update message and it has Router2 loopback prefix (2.2.2.2/32) as it is being sent to Router1.



I hope this was useful for you!


Samer R. Saleem.


First Image Source: Cisco.com























No comments:

Post a Comment

Securing Small Businesses: A Roadmap to Continuity and Confidence

  In an ever-expanding world of cyberspace, the prevalence of cyber-attacks grows daily. Allocating budgetary resources to network and cyber...