Problem with BGP backdoor

nick-moore
Level 1

Good evening.  I am working on a bgp routing issue and decided that using the backdoor switch to make my router prefer my eigrp route over bgp would make routing this particular set of networks more efficient.  So, here is the problem:  I am advertising vpn client routes from my firewall at the time they connect.  These are 192.168.251.x /32 routes.  This works very well.  However, in this one site, I need to force the eigrp route to be chosen over bgp.  My config looks like this:

 

router bgp 65017
 bgp log-neighbor-changes
 timers bgp 15 45
 neighbor 10.x.x.x remote-as 1850
 address-family ipv4
  network 10.x.x.x mask 255.255.252.0
  network 192.168.251.0 mask 255.255.255.0 backdoor
  neighbor 10.x.x.x activate
  etc.

 

This does not work.  The 192.168.251.x /32 route remains ebgp with an ad of 20.

When I change the network statement to: network 192.168.251.134 255.255.255.255 backdoor, it DOES work.  The eigrp ex route is added to the routing table with the ad of 170.

 

So, is there a way to fix this without adding 255 network...backdoor statements?  I've tried configuring route-maps in combination with the network....backdoor statement, but no luck.

 

The issue is obviously related to matching the prefix and mask, but this puzzle should have a solution.  Any ideas?

Accepted Solutions

Hello

 Simplistic solution would be to aggregate that ip range then backdoor on the received aggregate.

 

RTRx

router bgp xx
aggregate-address 192.168.251.0 255.255.255.0 summary-only

 

RTRy
network 192.168.251.0 mask 255.255.255.0 backdoor

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
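
Why the /24 backdoor statement left the /32 routes untouched while the aggregate fixed it, as an added example that is not part of the original thread: a simplified Python model in which administrative distance is compared only between routes to the same prefix and forwarding then uses the longest match. The function names, the EIGRP candidates and the sample routes are constructed for illustration.

```python
import ipaddress

# Administrative distances from the thread; 200 is what a backdoor
# statement assigns to the eBGP route it matches.
AD = {"ebgp": 20, "eigrp_ex": 170, "ebgp_backdoor": 200}

def build_rib(candidates, backdoor):
    """Pick one winner per prefix from (prefix, source) candidates.

    Simplified model: AD is compared only between routes to the same prefix
    and length; backdoor demotes an eBGP route only on an exact match.
    """
    backdoor_net = ipaddress.ip_network(backdoor)
    rib = {}
    for prefix, source in candidates:
        net = ipaddress.ip_network(prefix)
        demoted = source == "ebgp" and net == backdoor_net
        ad = AD["ebgp_backdoor"] if demoted else AD[source]
        if net not in rib or ad < rib[net][1]:
            rib[net] = (source, ad)
    return rib

def lookup(rib, address):
    """Forwarding decision: the longest matching prefix wins, whatever its AD."""
    ip = ipaddress.ip_address(address)
    best = max((n for n in rib if ip in n), key=lambda n: n.prefixlen)
    return str(best), rib[best][0], rib[best][1]

# Constructed candidates for one VPN client (assumed, not router output).
HOST = "192.168.251.134"
HOST_ROUTES = [(HOST + "/32", "ebgp"), (HOST + "/32", "eigrp_ex")]
AGG_ROUTES = [("192.168.251.0/24", "ebgp"), ("192.168.251.0/24", "eigrp_ex")]

def run_cases():
    agg = "192.168.251.0/24"
    return {
        # A /24 backdoor never matches the /32 eBGP routes.
        "backdoor /24, /32 routes": lookup(build_rib(HOST_ROUTES, agg), HOST),
        # Exact /32 backdoor: eBGP drops to 200, EIGRP external wins.
        "backdoor /32, /32 routes": lookup(build_rib(HOST_ROUTES, HOST + "/32"), HOST),
        # Aggregate received, old eBGP /32 not yet withdrawn.
        "backdoor /24, aggregate + old /32": lookup(
            build_rib(AGG_ROUTES + HOST_ROUTES[:1], agg), HOST),
        # Only the summary-only aggregate is received.
        "backdoor /24, aggregate only": lookup(build_rib(AGG_ROUTES, agg), HOST),
    }

if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:36} {result}")
```

The third case corresponds to the routing table posted further down the thread, where the /24 EIGRP route appears but the /32 eBGP routes still carry the traffic until they are withdrawn.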

18 Replies

Hello,

 

Is the /24 route actually in the routing table? If not, try and add a null route for the /24 network...

I do not see a /24 supernet in the routing table. This is what these routes look like in the table.





Sorry, the graphic doesn't come through.



192.168.251.0/32 is subnetted, 37 subnets
B 192.168.251.2 [20/0] via 10.250.250.86, 06:14:54
B 192.168.251.107 [20/0] via 10.250.250.86, 06:14:54
B 192.168.251.115 [20/0] via 10.250.250.86, 06:14:54
B 192.168.251.123 [20/0] via 10.250.250.86, 06:14:54
B 192.168.251.132 [20/0] via 10.250.250.86, 06:14:54
B 192.168.251.133 [20/0] via 10.250.250.86, 06:14:54
B 192.168.251.140 [20/0] via 10.250.250.86, 06:14:54
B 192.168.251.144 [20/0] via 10.250.250.86, 06:14:54
B 192.168.251.145 [20/0] via 10.250.250.86, 02:12:33
B 192.168.251.146 [20/0] via 10.250.250.86, 03:38:24
B 192.168.251.147 [20/0] via 10.250.250.86, 02:04:47
B 192.168.251.148 [20/0] via 10.250.250.86, 01:58:18
B 192.168.251.150 [20/0] via 10.250.250.86, 01:34:38
B 192.168.251.151 [20/0] via 10.250.250.86, 01:30:51
B 192.168.251.152 [20/0] via 10.250.250.86, 01:18:40


Hello,

 

add the static null route below:

 

ip route 192.168.251.0 255.255.255.0 null 0

No luck with adding the null route. I added the following:



ip route 192.168.251.0 255.255.255.0 Null0



And now my routing table looks like this:



192.168.251.0/24 is variably subnetted, 43 subnets, 2 masks
S 192.168.251.0/24 is directly connected, Null0
B 192.168.251.2/32 [20/0] via 10.250.250.86, 07:29:45
B 192.168.251.107/32 [20/0] via 10.250.250.86, 07:29:45
B 192.168.251.115/32 [20/0] via 10.250.250.86, 07:29:45
B 192.168.251.123/32 [20/0] via 10.250.250.86, 07:29:45
B 192.168.251.132/32 [20/0] via 10.250.250.86, 07:29:45
B 192.168.251.133/32 [20/0] via 10.250.250.86, 00:01:32
B 192.168.251.140/32 [20/0] via 10.250.250.86, 07:29:45
B 192.168.251.144/32 [20/0] via 10.250.250.86, 00:59:03
B 192.168.251.145/32 [20/0] via 10.250.250.86, 00:49:31
B 192.168.251.146/32 [20/0] via 10.250.250.86, 04:53:15
B 192.168.251.147/32 [20/0] via 10.250.250.86, 03:19:38
B 192.168.251.148/32 [20/0] via 10.250.250.86, 03:13:09
B 192.168.251.149/32 [20/0] via 10.250.250.86, 00:34:13
B 192.168.251.150/32 [20/0] via 10.250.250.86, 02:49:29
B 192.168.251.151/32 [20/0] via 10.250.250.86, 02:45:42



I cleared one of the above /32 routes and it immediately repopulated as ebgp ad 20



This is my backdoor statement:



network 192.168.251.0 mask 255.255.255.0 backdoor



Interesting. I tried the aggregate-address statement in my datacenter router, and then the network...backdoor statement on this branch router does add a backdoor eigrp route, but the more specific 192.168.251.x/32 ebgp routes still exist as well. Here is the routing table after setting this config:



192.168.251.0/24 is variably subnetted, 42 subnets, 2 masks
D EX 192.168.251.0/24
           [170/41984] via 192.168.77.17, 00:02:08, GigabitEthernet0/2
B 192.168.251.2/32 [20/0] via 10.250.250.86, 10:48:09
B 192.168.251.107/32 [20/0] via 10.250.250.86, 00:00:49
B 192.168.251.115/32 [20/0] via 10.250.250.86, 01:45:34
B 192.168.251.123/32 [20/0] via 10.250.250.86, 10:48:09
B 192.168.251.132/32 [20/0] via 10.250.250.86, 10:48:09
B 192.168.251.133/32 [20/0] via 10.250.250.86, 03:14:34
B 192.168.251.140/32 [20/0] via 10.250.250.86, 10:48:09
B 192.168.251.144/32 [20/0] via 10.250.250.86, 04:17:27


Hello

Did you include summary-only?

 

 



Kind Regards
Paul

I cleared the bgp peer and the bgp route aggregation that Paul suggested worked.  Thanks much.  I appreciate the help.


@Georg Pauwen wrote:

Hello,

 

add the static null route below:

 

ip route 192.168.251.0 255.255.255.0 null 0



@Georg Pauwen this won't work, it will just blackhole traffic not active



Kind Regards
Paul

I tried adding the static null /32 route and it did not resolve my problem.


Hello,

 

Can't you just run the VPN client routes under a different EIGRP process and then redistribute with a lower metric (19)? That said, how do you currently redistribute EIGRP and BGP?

I use rri to advertise the vpn routes into the eigrp process in my datacenter and at my datacenter router, I do mutual redistribution between eigrp and bgp.


Hello,

 

here is what I mean:

 

router eigrp 1
 ! 192.168.12.2 is your EIGRP neighbor
 distance 19 192.168.12.2 0.0.0.0
 ! or: this sets the AD to 19 for both internal and external routes
 distance eigrp 19 19
!
router bgp 1
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 redistribute eigrp 1

 

This will result in the redistributed routes having an AD of 19, so you won't even need the backdoor.