BGP Backdoor Routes

This topic is to discuss the following lesson:

1 Like

excellent and very helpful note . easily to understand . for all u articles… i’n new to your website but really i thanksfull for your great effort. .

Thanx a lot Rene … Excellent explanation … It was so systematic … to the point … and U made it so easy to understand … Great work

1 Like

Great topic. Thanks Rene

Excellent! Thank you Rene! Can we assume that R1 and R2 are remote offices interconnected via L2 MPLS and the BGP peering is used for redundancy?

Hi Marty,

That could be possible yes. MPLS L3 VPN is also possible, perhaps a topology like this:

MPLS L3 VPN Configuration


Hi Rene,
when we write

router bgp 100
network mask backdoor

is that mean changing the AD to 200 for all network or only default route?

Why did the AD go from 20 to 200 at the end? How did the backdoor command influence that?

In the example you cite, the AD would only be changing for the specific default route–not all routes.

What you are seeing is the effect of the backdoor command. The backdoor command changes the BGP administrative distance of the selected route from 20 to 200. 200 is chosen because that AD is worse than any IGP’s AD. This way, BGP will be used as a last resort if either static or other IGP routing mechanisms become unavailable.

1 Like

Why would someone run OSPF between 2 different AS? Could you please provide me with practical scenarios? Because I don’t understand that when there is BGP to run between AS then why is that OSPF being used.


Hello Ravi

There are many situations in which it would be beneficial for you to run an IGP such as OSPF between AS’s. These include:

  1. Allowing multiple routing protocols to inject routes into the routing table provides backup routing capabilities if a routing protocol fails
  2. In order for BGP to function, and in order for it to be able to share routing between neighbours, the neighbours themselves must be reachable to each other. In order to achieve this, an IGP is often used.

I hope this has been helpful!


Hi Rene,

Can you please help to explain what is BGP backdoor routes. As the page only shows practical. Please explain the theory also.

Hello Ankit

Say you have two enterprise networks connected to an ISP, and they are exchanging routing information via eBGP. Now imagine that these two enterprises are sister companies, and they have arranged to have an independent link between their campuses for internal network connectivity for sharing applications and other network resources. Let’s that these two companies are sharing routing information via this link using OSPF or EIGRP. Under normal circumstances, any routing between these two companies would take place via the eBGP links over the ISP because eBGP has an AD of 20 while OSPF and EIGRP have ADs of 110 and 90 respectively.

Now in order to resolve this routing issue, the “backdoor” feature is used. What this does is it increases the administrative distance of eBGP to 200 with the goal of making the IGP learned routes to be preferred. This allows all traffic between the enterprise sites to be routed via the private link rather than via the ISP. Note that a backdoor network is treated as a local network, except that it is not advertised.

I hope this has been helpful!




Does the BGP ‘backdoor’ feature is related with the [NSA scandal]?(

Hello Giovanni

The BGP backdoor routes feature is not related with the “backdoor” discovered in Cisco equipment as part of the NSA scandal.

The term “backdoor” used in the context of security refers to any type of secret, intentionally created method of bypassing normal authentication or encryption procedures of any system, thus allowing those who know about the backdoor, to gain access to an otherwise restricted system. This term refers to any device or computer of any type, using any communication protocol.

The BGP backdoor feature is a specifically designed feature of BGP to resolve a problem produced by a “backdoor connection” between two AS’es. This backdoor connection is defined as an additional route via which routers in each AS can communicate with each other via an IGP.

Remember, that under normal circumstances, communication between each AS should be achieved only via BGP. No IGP communication should take place. A backdoor connection however, is good practice, whenever it can be implemented, to create redundancy. If an IGP is used on that redundant link, then the BGP backdoor feature must be activated.

I hope this has been helpful!


Hi Guys,

I’m a little bit confused with the network command that you used for this.

R1: network mask backdoor
R2: network mask backdoor

So BGP can only advertise what is already has in the routing table, and the goal is to increase the administrative distance of eBGP to 200 for that route.

For R1, the route is in the routing table, learned from R3. Then you’re advertising it back out via BGP with the “backdoor” tag to R3?

I’m just wondering are the commands correct, or should the commands be:

R1: network mask backdoor
R2: network mask backdoor

Hello Joseph

The way the command is implemented is somewhat confusing. A backdoor network is treated as a local network, except that it is not advertised. This is why we use the network command and issue it as if the network itself is local to the router. When you apply the following command to R1:

R1(config-router)#network mask backdoor

…what you are saying is that the network, if it is found in my routing table, should have an AD of 200. So even you’re using the network address, that address is not actually advertised out again.

The command itself has only local consequences. In other words, it doesn’t send advertisements, and only modifies the AD of a route in the local routing table.

I hope this has been helpful!


Hi Rene,

Just wanted to ask, why the AD of and became 200 instead of 20? as both of these loopback address was learned over the EBGP and not IBGP?? thanks

Hello Joed

By definition the network commands that use the backdoor keyword cause those networks advertised by eBGP to have an AD of 200. That is what the backdoor feature actually achieves.

This is done to ensure that the IGP AD will be preferred over the eBGP AD (which has now become 200).

This is explicitly stated in the command reference of this particular command found here:

As it states:

A backdoor network is assigned an administrative distance of 200. The objective is to make Interior Gateway Protocol (IGP) learned routes preferred.

I hope this has been helpful!


1 Like