BGP Backdoor Feature

By Joe Astorino
October 25, 2011
5 Comments

Introduction

In this blog, we are going to be taking a look at the BGP backdoor feature. We will explain what problem the feature allows us to solve and look at implementing the feature on a rack of real Cisco gear.

“Mr Potatohead!!! Backdoors are NOT secrets!!!”

– Jim from “Wargames”

Of course in “Wargames” they were talking about backdoor passwords put in place to hack into systems, but still…gotta love it! Today we won’t be talking about backdoor passwords, but we will be talking about the backdoor feature of BGP.

Topology Summary

As usual, a quick diagram explanation — We have a point-to-point serial link between R2 and R5 running HDLC. We are running OSPF over this serial link. At the same time, both R2 and R5 peer eBGP to R4 over frame-relay at layer 2. R2 is in AS 2 while R5 is in AS 5. Both peer eBGP to R4 in AS 4. The OSPF and BGP configurations are relatively straight forward — R2 and R5 advertise in their /32 loopback addresses and run OSPF on the HDLC link. In BGP both R2 and R5 also advertise their /32 loopbacks.

This is a fairly typical type of setup for WAN redundancy. You can think of R4 as a service provider in this case. Since I was mucking about with using VRF light on a single router I went ahead and implemented VRFs on R4, but that is not really important here.

Initial Configs

interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Serial0/1/0
 no ip address
 encapsulation frame-relay
 no fair-queue
 no frame-relay inverse-arp
!
interface Serial0/1/0.24 point-to-point
 ip address 24.24.24.2 255.255.255.0
 snmp trap link-status
 frame-relay interface-dlci 204
!
interface Serial0/2/0
 ip address 25.25.25.2 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 25.25.25.2 0.0.0.0 area 0
!
router bgp 2
 no synchronization
 bgp log-neighbor-changes
 network 2.2.2.2 mask 255.255.255.255
 neighbor 24.24.24.4 remote-as 4
 no auto-summary

ip vrf VPN
 rd 4:1
 route-target export 4:1
 route-target import 4:1
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no fair-queue
 no frame-relay inverse-arp
!
interface Serial0/0.24 point-to-point
 ip vrf forwarding VPN
 ip address 24.24.24.4 255.255.255.0
 frame-relay interface-dlci 402
!
interface Serial0/0.45 point-to-point
 ip vrf forwarding VPN
 ip address 45.45.45.4 255.255.255.0
 frame-relay interface-dlci 405
!
router bgp 4
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf VPN
 neighbor 24.24.24.2 remote-as 2
 neighbor 24.24.24.2 activate
 neighbor 45.45.45.5 remote-as 5
 neighbor 45.45.45.5 activate
 no synchronization
 exit-address-family

interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface Serial2/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 no fair-queue
 no frame-relay inverse-arp
!
interface Serial2/0.45 point-to-point
 ip address 45.45.45.5 255.255.255.0
 frame-relay interface-dlci 504
!
interface Serial2/1
 ip address 25.25.25.5 255.255.255.0
 serial restart-delay 0
!
router ospf 1
 log-adjacency-changes
 network 5.5.5.5 0.0.0.0 area 0
 network 25.25.25.5 0.0.0.0 area 0
!
router bgp 5
 no synchronization
 bgp log-neighbor-changes
 network 5.5.5.5 mask 255.255.255.255
 neighbor 45.45.45.4 remote-as 4
 no auto-summary
!

Let’s do a bit of simple verification. First up, is our layer 2 and basic layer 3 connectivity working?

R2#ping 24.24.24.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.24.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
R2#ping 25.25.25.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 25.25.25.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R5#ping 25.25.25.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 25.25.25.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5#ping 45.45.45.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 45.45.45.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms

I’m satisfied with that. How about OSPF and BGP?

R2#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
5.5.5.5           0   FULL/  -        00:00:36    25.25.25.5      Serial0/2/0

R2#show ip bgp sum | b Neighbor
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
24.24.24.4      4     4      62      58       12    0    0 00:53:43        1

R5#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/  -        00:00:37    25.25.25.2      Serial2/1

R5#show ip bgp sum | b Neighbor
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
45.45.45.4      4     4      60      59       12    0    0 00:52:32        1

Good!

Feature Summary

Like many things in networking in general, the BGP backdoor feature exists to solve a specific problem. So, what is the problem? Well, it all depends on how you are looking at it and what you want in your network. Ask yourself how R2 will route to get to R5’s loopback and visa versa by default? If you guessed over the frame-relay network via BGP you are correct. Why? Because we will learn the route via both OSPF and BGP and eBGP routes have a lower administrative distance (20) than OSPF routes (110). Let’s verify our logic on R2 and R5

R2#sh ip route bgp
     5.0.0.0/32 is subnetted, 1 subnets
B       5.5.5.5 [20/0] via 24.24.24.4, 00:00:36

R5#show ip route bgp
     2.0.0.0/32 is subnetted, 1 subnets
B       2.2.2.2 [20/0] via 45.45.45.4, 00:00:50

If you want to be routing over the frame-relay network in this case, that is all fine and good. However, what if you wanted R2 and R5 to reach each others routes over the point-to-point HDLC link instead? Well, we COULD modify the administrative distance of BGP with the distance bgp command from router config mode to make eBGP routes less preferred than OSPF. We COULD modify the administrative distance of OSPF to make OSPF routes more preferred than eBGP routes, but there is another way. We might not want to modify the AD for some good reasons. In BGP there is also no way to modify the AD per route, so you would be changing the AD for ALL eBGP routes which you might not want to do. We can use the BGP backdoor feature to accomplish our goal.

Under the BGP routing process we can simply use the network command followed by the backdoor route we wish to prefer, and then the keyword backdoor. This tells BGP under the hood to not actually advertise that route out through BGP but to give it an administrative distance of 200. Thus, it will make the route less preferred than OSPF and fix our issue here.

Implementation

The implementation of BGP backdoor is very simple. We use the network command. We will do this on both sides here to avoid asynchronous routing issues.

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#router bgp 2
R2(config-router)#network 5.5.5.5 mask 255.255.255.255 backdoor

R5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#router bgp 5
R5(config-router)#network 2.2.2.2 mask 255.255.255.255 backdoor

Let’s see how we did by checking the routing tables again

R2#show ip route 5.5.5.5
Routing entry for 5.5.5.5/32
  Known via "ospf 1", distance 110, metric 65, type intra area
  Last update from 25.25.25.5 on Serial0/2/0, 00:01:10 ago
  Routing Descriptor Blocks:
  * 25.25.25.5, from 5.5.5.5, 00:01:10 ago, via Serial0/2/0
      Route metric is 65, traffic share count is 1

R5#show ip route 2.2.2.2
Routing entry for 2.2.2.2/32
  Known via "ospf 1", distance 110, metric 65, type intra area
  Last update from 25.25.25.2 on Serial2/1, 00:01:02 ago
  Routing Descriptor Blocks:
  * 25.25.25.2, from 2.2.2.2, 00:01:02 ago, via Serial2/1
      Route metric is 65, traffic share count is 1

Excellent! What if we shut down our point-to-point serial link on R2?

R2(config)#int s0/2/0
R2(config-if)#shutdown
R2(config-if)#
*Oct 25 20:41:23.175: %OSPF-5-ADJCHG: Process 1, Nbr 5.5.5.5 on Serial0/2/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R2(config-if)#
*Oct 25 20:41:25.175: %LINK-5-CHANGED: Interface Serial0/2/0, changed state to administratively down
*Oct 25 20:41:26.175: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/2/0, changed state to down

R2(config-if)#do sh ip route 5.5.5.5
Routing entry for 5.5.5.5/32
  Known via "bgp 2", distance 200, metric 0
  Tag 4, type locally generated
  Last update from 24.24.24.4 00:00:27 ago
  Routing Descriptor Blocks:
  * 24.24.24.4, from 24.24.24.4, 00:00:27 ago
      Route metric is 0, traffic share count is 1
      AS Hops 2
      Route tag 4

There we go…notice the AD is 200 and not the standard eBGP value of 20! So, what we learned is that the BGP backdoor feature is useful for modifying the default routing behavior of BGP for specific networks in situations where we wish to route over a backdoor link running some other normally less preferred IGP. Hope this was useful to everybody!

Last but not least, the video inspiring the comment at the beginning from one of my favorite movies : )

Tags: backdoor, bgp, ccie, CCNP

5 Comments

N1c says:

October 25, 2011 at 5:32 pm

gr8 :)

Reply
Maka says:

November 14, 2011 at 5:20 pm

Good stuff!

Reply
sandy says:

April 2, 2013 at 1:40 pm

Really helpful

Reply
rene molenaar and gns3vault… | ccie or die says:

April 5, 2013 at 7:38 am

[…] http://astorinonetworks.com/2011/10/25/bgp-backdoor-feature/ This entry was posted in ccie and tagged gns3 vault, joe astorino, rene molenaar on April 5, 2013 by arteq. […]

Reply
Mohamed Taher says:

September 6, 2014 at 12:38 am

Thanks so much, it is really helpful

Good Job ;)

Reply