1 Quick Facts

• BGP uses TCP port 179 and is path vector protocol, rather than distance vector or link-state
• Keep-alive is 60s by default and Hold time is 180s 
• Only hold time is negotiated in Open message
• Lowest hold time is used
• Routes are only installed in the routing table and advertised to peer is deemed valid (*) and best (>)
• For BGP to advertise a route using network command such route has to be in the routing table first
• BGP transport and route advertisement (known as NLRI in BGP) are independent
• Transport can use either IPv4 or IPv6
• IPv6 NLRI can be advertised over an IPv4 BGP connection and vice-versa

2. The BGP peering for IPv4

BIG-IP establishes TCP connection on port 179 with peer and each one exchange OPEN Message:

Here's BIG-IP's OPEN Message:

Here's Cisco's OPEN Message:

Marker is always the same value and is just to signal the beginning of BGP message so don't worry about it.

Length is just the total length of this BGP message

Type could be UPDATE (2), KEEPALIVE (4) but in this case it is an OPEN Message (1).

Version is always the same as this is BGPv4.

My AS is the same because this is iBGP but if it was eBGP My AS on both sides would differ.

Hold Time picked value is the lowest one and this is negotiated. Since lowest value on BIG-IP's side is 90 seconds then both peers will send KEEPALIVE messages at 30 seconds interval.

BGP Identifier is the bgp router-id that we typed in.

Optional Parameters Length is the total length combined of all BGP extensions 

Optional Parameters are BGP extensions.

At this point, if something goes wrong with peering, we should see BGP sending a NOTIFICATION message to terminate peering process:

The above one was issued because I shutdown the neighbour relationship manually but other types of error would reveal a different message.

In a running packet capture, we should see KEEPALIVE messages and corresponding TCP ACKs at agreed interval based on Hold Time:

Other than that, UPDATE messages are also common and I will show them right now.

3. The UPDATE message for IPv4

It's kind of built-in. For IPv4 we will see Type 2 message (UPDATE) and the NLRI (routes).

The 2 prefixes below share the same attributes and this is why they're grouped together:

4. The BGP peering for IPv6

It's the same thing as IPv4 but an additional capability is negotiated called Multiprotocol extensions capability with IPv6 as AFI value:

In case you never heard of AFI/SAFI here's what they mean:

• AFI (Address Family Indicator): This is the kind of route BGP is capable of handling, normally IPv4 or IPv6 but can also be VPNv4 for MP-BGP (out of scope here).
• SAFI (Subsequent Address Family Indicator): This is whether route is UNICAST or MULTICAST, normally UNICAST.

If you ever configured BGP and typed in address-family commands then you've touched AFI/SAFI already.

5. BONUS! Carrying IPv4 prefixes over an IPv6 BGP connection (WHAT?)

Yes, it's possible but next-hop of an IPv4 route is going to be IPv4 so make sure there is connectivity or create the relevant route-map.

Notice that we're transporting BGP packets over IPv6 but routes advertised are IPv4 prefixes:

You can also carry IPv6 prefixes over IPv4 if we do the other way round.