BGP Backdoor Routes

This topic is to discuss the following lesson:


Excellent and very helpful note, easy to understand, as are all your articles… I'm new to your website, but I'm really thankful for your great effort.

Thanks a lot Rene … Excellent explanation … It was so systematic … to the point … and you made it so easy to understand … Great work


Great topic. Thanks Rene

Excellent! Thank you Rene! Can we assume that R1 and R2 are remote offices interconnected via L2 MPLS and the BGP peering is used for redundancy?

Hi Marty,

That could be possible yes. MPLS L3 VPN is also possible, perhaps a topology like this:

MPLS L3 VPN Configuration

Rene

Hi Rene,

When we write

router bgp 100
network 0.0.0.0 mask 0.0.0.0 backdoor

does that mean the AD is changed to 200 for all networks, or only for the default route?

Why did the AD go from 20 to 200 at the end? How did the backdoor command influence that?

Mahmoud,
In the example you cite, the AD would only be changing for the specific default route, not all routes.

Rafa,
What you are seeing is the effect of the backdoor command. The backdoor command changes the BGP administrative distance of the selected route from 20 to 200. 200 is chosen because that AD is worse than any IGP’s AD. This way, BGP will be used as a last resort if either static or other IGP routing mechanisms become unavailable.


Why would someone run OSPF between two different ASes? Could you please provide me with practical scenarios? I don't understand why OSPF is being used when there is already BGP to run between the ASes.

Thanks,
Ravi


Hello Ravi

There are many situations in which it would be beneficial for you to run an IGP such as OSPF between ASes. These include:

  1. Allowing multiple routing protocols to inject routes into the routing table provides backup routing capabilities if a routing protocol fails.
  2. In order for BGP to function, and in order for it to be able to share routing information between neighbours, the neighbours themselves must be reachable from each other. In order to achieve this, an IGP is often used.

I hope this has been helpful!

Laz

Hi Rene,

Can you please help to explain what BGP backdoor routes are? The page only shows the practical side. Please explain the theory also.


Hello Ankit

Say you have two enterprise networks connected to an ISP, and they are exchanging routing information via eBGP. Now imagine that these two enterprises are sister companies, and they have arranged to have an independent link between their campuses for internal network connectivity, for sharing applications and other network resources. Let's say that these two companies are sharing routing information via this link using OSPF or EIGRP. Under normal circumstances, any routing between these two companies would take place via the eBGP links over the ISP, because eBGP has an AD of 20 while OSPF and EIGRP have ADs of 110 and 90 respectively.

Now, in order to resolve this routing issue, the "backdoor" feature is used. What this does is increase the administrative distance of eBGP to 200 with the goal of making the IGP-learned routes preferred. This allows all traffic between the enterprise sites to be routed via the private link rather than via the ISP. Note that a backdoor network is treated as a local network, except that it is not advertised.

I hope this has been helpful!

Laz


Hi,

Is the BGP 'backdoor' feature related to the [NSA scandal](https://community.cisco.com/t5/other-security-subjects/backdoor-in-cisco-routers-and-firewalls/td-p/2369806)?

Hello Giovanni

The BGP backdoor routes feature is not related to the "backdoor" discovered in Cisco equipment as part of the NSA scandal.

The term "backdoor" used in the context of security refers to any type of secret, intentionally created method of bypassing the normal authentication or encryption procedures of a system, thus allowing those who know about the backdoor to gain access to an otherwise restricted system. This term applies to any device or computer of any type, using any communication protocol.

The BGP backdoor feature is a specifically designed feature of BGP to resolve a problem produced by a "backdoor connection" between two ASes. This backdoor connection is defined as an additional route via which routers in each AS can communicate with each other via an IGP.

Remember that under normal circumstances, communication between each AS should be achieved only via BGP. No IGP communication should take place. A backdoor connection, however, is good practice, whenever it can be implemented, to create redundancy. If an IGP is used on that redundant link, then the BGP backdoor feature must be activated.

I hope this has been helpful!

Laz

Hi Guys,

I’m a little bit confused with the network command that you used for this.

R1: network 2.2.2.2 mask 255.255.255.255 backdoor
R2: network 1.1.1.1 mask 255.255.255.255 backdoor

So BGP can only advertise what it already has in the routing table, and the goal is to increase the administrative distance of eBGP to 200 for that route.

For R1, the 2.2.2.2/32 route is in the routing table, learned from R3. Then you’re advertising it back out via BGP with the “backdoor” tag to R3?

I'm just wondering whether the commands are correct, or whether they should be:

R1: network 1.1.1.1 mask 255.255.255.255 backdoor
R2: network 2.2.2.2 mask 255.255.255.255 backdoor

Hello Joseph

The way the command is implemented is somewhat confusing. A backdoor network is treated as a local network, except that it is not advertised. This is why we use the network command and issue it as if the network itself is local to the router. When you apply the following command to R1:

R1(config-router)#network 2.2.2.2 mask 255.255.255.255 backdoor

…what you are saying is that the network 2.2.2.2, if it is found in my routing table, should have an AD of 200. So even though you're using the network command, that address is not actually advertised out again.

The command itself has only local consequences. In other words, it doesn’t send advertisements, and only modifies the AD of a route in the local routing table.

I hope this has been helpful!

Laz
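To make the two points from the replies above concrete (the backdoor keyword only changes the administrative distance of a matching eBGP route in the local routing table, and it does not cause that prefix to be advertised), here is a small Python model of route selection by administrative distance. This is an added illustration, not code from the lesson or from Cisco; the next-hop addresses, the 3.3.3.3/32 prefix and the `Router` class are constructed for the example, and the model compares only administrative distance, ignoring the rest of BGP best-path selection.

```python
"""Toy model of IOS route selection by administrative distance, showing the
local effect of ``network <prefix> mask <mask> backdoor``.

Constructed example: router names follow the lesson (R1, R2, R3), but the
next-hop addresses and the extra 3.3.3.3/32 prefix are assumptions.
"""

# Default administrative distances for the route sources used here
AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ospf": 110, "ibgp": 200}
BACKDOOR_AD = 200  # AD assigned to a backdoor network (Cisco command reference)


class Router:
    def __init__(self, name):
        self.name = name
        self.candidates = {}      # prefix -> list of (source, next_hop) offered to the RIB
        self.originated = set()   # prefixes from plain "network" statements
        self.backdoor = set()     # prefixes from "network ... backdoor"

    def learn(self, prefix, source, next_hop):
        """A routing protocol offers a candidate route for the prefix."""
        self.candidates.setdefault(prefix, []).append((source, next_hop))

    def network(self, prefix, backdoor=False):
        """Model the BGP "network" statement with or without the backdoor keyword."""
        if backdoor:
            self.backdoor.add(prefix)   # local effect only: never advertised
        else:
            self.originated.add(prefix)

    def effective_ad(self, prefix, source):
        """The backdoor keyword raises the AD of a matching eBGP route only."""
        if source == "ebgp" and prefix in self.backdoor:
            return BACKDOOR_AD
        return AD[source]

    def best(self, prefix):
        """Lowest AD wins; if the prefix is unknown the keyword has nothing to act on."""
        cands = self.candidates.get(prefix)
        if not cands:
            return None
        return min(cands, key=lambda c: self.effective_ad(prefix, c[0]))

    def rib(self):
        """Routing table: prefix -> (source, next_hop, AD) of the installed route."""
        table = {}
        for prefix in self.candidates:
            source, next_hop = self.best(prefix)
            table[prefix] = (source, next_hop, self.effective_ad(prefix, source))
        return table

    def advertised(self):
        """Prefixes BGP would originate: backdoor networks are excluded."""
        return set(self.originated)


def build_r1(backdoor):
    """R1 hears 2.2.2.2/32 both via eBGP (ISP, R3) and via OSPF (direct link to R2)."""
    r1 = Router("R1")
    r1.learn("2.2.2.2/32", "ebgp", "192.168.13.3")   # assumed R1-R3 link
    r1.learn("2.2.2.2/32", "ospf", "192.168.12.2")   # assumed R1-R2 private link
    r1.learn("3.3.3.3/32", "ebgp", "192.168.13.3")   # constructed prefix, no backdoor
    r1.network("1.1.1.1/32")                         # R1's own loopback
    if backdoor:
        r1.network("2.2.2.2/32", backdoor=True)      # the lesson's R1 command
    return r1


if __name__ == "__main__":
    for flag in (False, True):
        r1 = build_r1(flag)
        print(f"backdoor={flag}: rib={r1.rib()} advertised={sorted(r1.advertised())}")
```

Without the keyword the eBGP route (AD 20) is installed for 2.2.2.2/32; with it, the OSPF route (AD 110) beats the backdoor AD of 200, while 3.3.3.3/32 and the set of advertised prefixes are unchanged.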

Hi Rene,

Just wanted to ask why the AD of 2.2.2.2 and 1.1.1.1 became 200 instead of 20, as both of these loopback addresses were learned over eBGP and not iBGP? Thanks

Hello Joed

By definition, the network commands that use the backdoor keyword cause those networks advertised by eBGP to have an AD of 200. That is what the backdoor feature actually achieves.

This is done to ensure that the IGP AD will be preferred over the eBGP AD (which has now become 200).

This is explicitly stated in the command reference of this particular command found here:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/command/irg-cr-book/bgp-m1.html#wp2167927492

As it states:

A backdoor network is assigned an administrative distance of 200. The objective is to make Interior Gateway Protocol (IGP) learned routes preferred.

I hope this has been helpful!

Laz
