How BGP Works – Step-by-Step Flow, Packet Types, and NLRI

Continuing from our introduction to BGP, let’s now look at how BGP actually works – how two routers become neighbors, what packets are exchanged between them, and how route information is shared

---

Peering in BGP – No Auto Discovery Here

BGP doesn’t work like OSPF or EIGRP. It doesn’t discover neighbors automatically. You have to manually configure the neighbor using their IP address. Only then BGP will try to form a peering session.

This peering can be between routers inside the same AS (we call it iBGP) or between routers in different ASes (eBGP). In both cases, BGP starts by forming a TCP connection on port 179.

Once the TCP connection is established, BGP begins its own packet exchange.

---

How the BGP Packet Exchange Happens

After TCP is up, the BGP session moves through a fixed flow:

• First, BGP sends an Open packet to introduce itself.
• If the Open is accepted, the other router responds with a Keepalive.
• After that, BGP starts sending Update packets with route information.
• Once peering is up, Keepalives are sent every 60 seconds to maintain the session.
• If no message is received within the hold time (usually 180 seconds), the session is brought down.

So, BGP doesn’t just say “hello” and start working. It goes through proper setup and keeps checking if the other side is still alive.

---

BGP Packet Types

BGP uses only four types of packets. Each has a specific role.

Open Packet

This is the first message sent once TCP is up. It contains:

• BGP version
• Router ID
• Hold time (used for session timeout)
• Optional parameters like password and capabilities (e.g., support for MP-BGP)

This is basically where both routers negotiate session settings.

Notification Packet

If anything goes wrong during session setup – say, the BGP version doesn’t match, or authentication fails – BGP sends a Notification packet and immediately brings down the session. It’s like saying: “Something’s wrong here, let’s stop.”

Keepalive Packet

Once the Open packet is accepted, routers start sending Keepalive packets to keep the session active.

By default:

• Keepalives are sent every 60 seconds
• The Hold time is usually set to 180 seconds

Keepalive interval is typically calculated as:

Keepalive Time = Hold Time / 3

So if the hold time is 180 seconds, the router sends a keepalive every 60 seconds. If no packet (Keepalive or Update) is received before the hold time expires, the BGP session is declared down and all routes learned from that neighbor are withdrawn.

You can also customize these values while configuring BGP – both routers negotiate and agree on which one to use during the session setup

Update Packet

This is the most important one. BGP uses Update packets to send routing information. An Update packet contains:

• NLRI (Network Layer Reachability Information):
• Path attributes for those routes
• Any previously advertised routes that are now withdrawn

What is NLRI?

In protocols like OSPF or RIP, we often talk about advertising a “network” – like saying “here’s a network I can reach.” But BGP is different. Instead of calling it a network, BGP uses a more generic term: NLRI, which stands for Network Layer Reachability Information.

The reason BGP uses this term is simple – BGP was designed to support more than just IPv4 unicast routing. It can advertise:

• IPv6 routes
• MPLS VPN prefixes (VPNv4, VPNv6)
• Multicast routing info
• EVPN routes etc.

Because of this, using the word “network” would be too limiting. So BGP just says “Here’s some reachability information,” and lets the address family define what kind of data is being advertised.

In an IPv4 network, each NLRI entry used to advertise networks includes:

• A prefix (like 192.168.10.0)
• A prefix length (like /24)

Another example:
In an MPLS VPN setup, BGP uses MP-BGP to advertise VPNv4 routes.
In this case, each NLRI entry includes:

• A Route Distinguisher (RD) – to make the prefix globally unique across customers
• A prefix (like 10.10.10.0)
• A prefix length (like /24)
• And it’s associated with a label used for MPLS forwarding

So instead of just saying “I can reach 10.10.10.0/24”, BGP says:

“This is customer A’s 10.10.10.0/24 (identified using RD), and here’s the MPLS label to reach it.

And that’s tied to a set of path attributes (like AS Path, Next Hop, Local Preference) that describe how to reach that prefix.

So in short:

NLRI is the generic container used in BGP updates to advertise any kind of reachable destination, not just IPv4 networks.

---

Why BGP Peering Often Uses Loopback Interfaces

In iBGP (internal BGP), it’s a common practice to use the loopback interface instead of a physical interface for peering. The reason is simple: loopbacks are always up as long as the router is up. Physical interfaces can go down due to link failure or flapping, which might break the peering.

By using loopback IPs, you make the BGP session more stable. You just need to make sure that there’s a proper IGP (like OSPF or static routes) that knows how to reach the loopback IP of the other router.

Also, when a router has multiple paths to the neighbor’s loopback (say, via redundant links), the peering stays intact even if one link goes down – because the loopback is still reachable via the other path. This improves reliability.

---