Omar Santos
Cisco Employee

The term “backdoor” is a very controversial term when it comes to privacy and security. However, when it comes to BGP, it is a well-known feature that is used to change the administrative distance of eBGP in order for an interior gateway routing protocol (IGP) to take precedence over an eBGP route.

By default, external BGP (eBGP) has an administrative distance value of 20. Administrative distance is the first criterion that a router uses to determine which routing protocol to use if two protocols provide route information for the same destination. Administrative distance is a measure of the best path and reliability of the source of the routing information. The smaller the administrative distance value, the more reliable the protocol/link.

Note: For more information about administrative distance in routing protocols refer to:

http://www.cisco.com/en/US/partner/tech/tk365/technologies_tech_note09186a0080094195.shtml

BGP selects a single path, by default, as the best path to a destination host or network. The best path selection algorithm analyzes path attributes to determine which route is installed as the best path in the BGP routing table. Each path carries well-known mandatory, discretionary, and optional transitive attributes that are used in BGP best path analysis.

The “Backdoor Feature” is often used to increase the administrative distance of eBGP to 200 so that IGP-learned routes are preferred. A backdoor network is treated as a local network, except that it is not advertised. It is configured with the network backdoor BGP command.

For example, in Figure 1 three separate networks are illustrated: a network in New York (AS 1010); another in Research Triangle Park (RTP), NC (AS 2020); and a third one in San Jose, CA (AS 3030).

Figure 1 – eBGP default admin distance


With the default administrative distances of BGP and EIGRP, if a device in the New York network (10.10.10.0/24) communicates with a device in RTP (10.20.20.0/24) the packets will route via the network in San Jose. This is because eBGP has a lower administrative distance (20) than EIGRP (90). To avoid this, the Cisco IOS Software network backdoor command can be used in New York’s R1 router (NY-R1) and vice-versa, as shown below.

NY-R1(config)# router bgp 1010
NY-R1(config-router)# network 10.20.20.0 mask 255.255.255.0 backdoor

In Cisco IOS XR Software, the network backdoor command is configured under the address family configuration mode, as shown in the following example:

RP/0/RP0/CPU0:NY-R1(config)# router bgp 109
RP/0/RP0/CPU0:NY-R1(config-bgp)# address-family ipv4 unicast
RP/0/RP0/CPU0:NY-R1(config-bgp-af)# network 10.20.20.0/24 backdoor

After the network backdoor command is used in NY-R1, the administrative distance of the eBGP route to 10.20.20.0/24 is changed to 200, which is higher than EIGRP’s 90, so the preferred path will be via the direct connection between NY-R1 and RTP-R1, as shown in Figure 2. The same steps can be followed in RTP, accordingly.

Figure 2 – eBGP admin distance after network backdoor command is used
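
The route selection described above, modelled as an added Python example (it is not from the original article and is not Cisco code). The function names and next-hop labels are assumptions; the distances 20, 90 and 200 are the ones the article quotes. It keeps per-prefix administrative-distance selection (route installation) separate from longest-prefix-match forwarding.

```python
import ipaddress

# Administrative distances quoted in the article: eBGP 20, EIGRP 90.
# An eBGP route for a backdoor network is installed with distance 200.
DEFAULT_AD = {"ebgp": 20, "eigrp": 90}
BACKDOOR_AD = 200

def build_rib(candidates, backdoor=()):
    """Control plane: for each exact prefix keep the lowest-distance candidate.

    candidates: iterable of (prefix, protocol, next_hop)
    backdoor:   prefixes named in 'network ... backdoor' on this router
    """
    backdoor = {ipaddress.ip_network(p) for p in backdoor}
    rib = {}
    for prefix, proto, next_hop in candidates:
        net = ipaddress.ip_network(prefix)
        ad = DEFAULT_AD[proto]
        if proto == "ebgp" and net in backdoor:
            ad = BACKDOOR_AD
        best = rib.get(net)
        if best is None or ad < best[0]:
            rib[net] = (ad, proto, next_hop)
    return rib

def lookup(rib, destination):
    """Data plane: longest-prefix match over the installed routes."""
    addr = ipaddress.ip_address(destination)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    return rib[max(matches, key=lambda n: n.prefixlen)]

# Constructed view from NY-R1: the RTP prefix is learned from two protocols.
NY_R1_CANDIDATES = [
    ("10.20.20.0/24", "ebgp", "San Jose (AS 3030)"),
    ("10.20.20.0/24", "eigrp", "RTP-R1 direct link"),
]

def demo():
    """Return the route used for 10.20.20.5 without and with the backdoor."""
    before = lookup(build_rib(NY_R1_CANDIDATES), "10.20.20.5")
    after = lookup(build_rib(NY_R1_CANDIDATES, ["10.20.20.0/24"]), "10.20.20.5")
    return before, after

if __name__ == "__main__":
    for label, route in zip(("default", "backdoor"), demo()):
        print(label, route)
```

If the EIGRP candidate is withdrawn, the eBGP route is still installed, at distance 200, so the path through San Jose remains available as a fallback.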


The following are several additional references regarding BGP configuration and troubleshooting:

BGP Case Studies:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#bgpbackdoor

Cisco IOS Software BGP Configuration Guide

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/15-mt/irg-overview.html

BGP Command Reference
http://www.cisco.com/en/US/docs/ios/iproute_bgp/command/reference/irg_bgp4.html#wp1145478

BGP Frequently Asked Questions

http://www.cisco.com/en/US/partner/tech/tk365/technologies_q_and_a_item09186a00800949e8.shtml

Comments
damian.langley
Level 1

It looks like you went through a lot of trouble to write this article, but I get bothered when I start seeing false facts spread around. It's like everyone read the same Todd Lammle/Sybex book when trying to get a CCNA... "Administrative distance is the first criterion that a router uses to determine which routing protocol to use if two protocols provide route information for the same destination." No, "longest match" is the first criterion. I feel like I'm nit-picking except where this is an important distinction I see young network administrators miss time and time again. This is basic stuff that can kill downtime metrics. Errors like this also bring into question the integrity of the remainder of the article.

leesa
Level 1

You're focusing on the wrong end of the statement. He did say "if the two protocols provide route information for the same destination". This article is about which path from which routing protocol makes it into the routing table, not which path the router chooses when forwarding a packet.

I use "backdoor" on my main site and the Disaster recovery site, as they have EIGRP between them.

In your example NY is my Main site, RTP is DR. What happens if the link between NY and San Jose goes down, will then RTP advertise the routes in NY through BGP or does the "backdoor" stop it from advertising the backdoor routes at all times?

noemi.berry
Level 1

Figures 1 and 2 look identical; was Figure 2 supposed to illustrate a change?

You are missing the point. If you have the same exact prefix from multiple routing protocols such as BGP, OSPF, EIGRP then the router will use the administrative distance of the protocol to select the route.

This is an excellent explanation of the concept.

paul.jerome1
Level 1

No, the article is correct. We're talking about installing routes into the routing table, you are talking about packet forwarding. This is about a control plane operation not a data plane operation. The prefix length isn't considered when installing routes. If it receives 10.1.0.0/16 and 10.1.0.0/24 it installs both routes (because /16 offers a path to more potential destinations than /24). In this case we're saying "what does the router do when it receives two routes to the same destination?" The destination field in a route entry is a network prefix. Thus "same destination" in this context means "same prefix".

Afilias Canada
Level 1

Obviously the same destination means longest match can not be used. Also note the use of "if" in his sentence, which indicates a caveat/condition is coming next.

"Administrative distance is the first criterion that a router uses to determine which routing protocol to use if two protocols provide route information for the same destination."

This is both technically and grammatically correct.

Mithun Adhikary
Level 1

Hi Richard,

I am seeing this post after 2 years and hope your query has already been resolved, but if not, then backdoor is a network command within the BGP, so if your BGP process is running then it should work and if your BGP process is not working then you only have EIGRP in place, so you need not worry.

If someone is very strict on not using Backdoor, even though we have a different way, we can filter that prefix over BGP and use EIGRP, and for redundancy purpose we can use EEM to remove the filter in case of EIGRP failure.

Regards,

Mithun Adhikary

Mithun Adhikary
Level 1

Nice Article Omar, you deserve a thumbs up and 5 star. :)

Regards,

Mithun Adhikary

ankit.prasad
Level 1

Well explained Mr. Santos!! Thank you so much!!

ankit.prasad
Level 1

But what if IBGP was there instead of EIGRP, will this feature work, provided both of these protocols now have AD value of 200?

Please comment!!

Regards,

Ankit Prasad

ank55it@rediffmail.com
