Friday, 20 May 2022

What is BGP Backdoor? How to configure BGP Backdoor?

BGP backdoor is a well-known BGP feature used to change the administrative distance (AD) of an eBGP route. By default, external BGP (eBGP) has an administrative distance of 20; with the help of the backdoor command you can set it to 200. If two routing protocols provide route information for the same destination, the administrative distance is the first criterion a router uses to decide which routing protocol to use for the best path. The lowest AD value marks the more reliable protocol and link.

 

Why do we need to change eBGP AD?

Whenever our router learns a network (prefix) through eBGP and also through an IGP such as OSPF, EIGRP or RIP, it always chooses the eBGP route, because eBGP has an administrative distance of 20. By default the router therefore prefers eBGP over EIGRP (AD 90), OSPF (AD 110) and RIP (AD 120).
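The preference rule described above, as an added Python model (not from the original post and not IOS code): it picks the lowest-AD source for a prefix and rates eBGP routes for a backdoor prefix at 200. The next hops are the ones that appear in the lab output further down; the class and function names are hypothetical.

```python
from dataclasses import dataclass

# Default ADs quoted in the post; 200 is the value the backdoor command applies.
DEFAULT_AD = {"eBGP": 20, "EIGRP": 90, "OSPF": 110, "RIP": 120}
BACKDOOR_AD = 200


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str      # one of the DEFAULT_AD keys
    next_hop: str


def effective_ad(route, backdoor_prefixes):
    """eBGP routes for a backdoor prefix are rated 200 instead of 20."""
    if route.source == "eBGP" and route.prefix in backdoor_prefixes:
        return BACKDOOR_AD
    return DEFAULT_AD[route.source]


def best_route(candidates, prefix, backdoor_prefixes=frozenset()):
    """Return the candidate with the lowest AD for prefix, or None."""
    matching = [r for r in candidates if r.prefix == prefix]
    if not matching:
        return None
    return min(matching, key=lambda r: effective_ad(r, backdoor_prefixes))


# R1's two sources for R3's loopback, taken from the lab in this post.
R1_CANDIDATES = [
    Route("192.168.30.1/32", "eBGP", "1.1.1.2"),
    Route("192.168.30.1/32", "EIGRP", "3.3.3.1"),
]

if __name__ == "__main__":
    p = "192.168.30.1/32"
    print("default      :", best_route(R1_CANDIDATES, p))
    print("with backdoor:", best_route(R1_CANDIDATES, p, {p}))
    # If the EIGRP route is lost, the eBGP path is still usable at AD 200.
    print("EIGRP down   :", best_route(R1_CANDIDATES[:1], p, {p}))
```

The last case shows that the backdoor setting does not discard the eBGP path: it remains the fallback when the IGP route disappears.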

In some scenarios this becomes a problem. Let's look at the configuration.


Topology:


Goal:

  • Configure the topology as per the diagram.
  • Assign the IP addresses.
  • Configure EIGRP 100 on router 1 and router 3.
  • Advertise the interfaces.
  • Configure eBGP peering between router 1 and router 2.
  • Configure eBGP peering between router 2 and router 3.
  • Make sure router 1 gets the 192.168.30.1 route from the serial 4/3 link via EIGRP.
  • Configure backdoor in order to get the 192.168.30.1 route via serial link 4/3 from router 3.

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 10.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#no keepalive
R1(config-if)#exit

R1(config)#interface serial 4/2
R1(config-if)#ip address 3.3.3.2 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface loopback 0
R1(config-if)#ip address 192.168.10.1 255.255.255.255
R1(config-if)#no shutdown
R1(config-if)#exit

R2(config)#interface serial 4/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 4/1
R2(config-if)#ip address 2.2.2.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 20.1.1.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#no keepalive
R2(config-if)#exit

R2(config)#interface loopback 0
R2(config-if)#ip address 192.168.20.1 255.255.255.255
R2(config-if)#no shutdown
R2(config-if)#exit

R3(config)#interface serial 4/1
R3(config-if)#ip address 2.2.2.2 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface serial 4/2
R3(config-if)#ip address 3.3.3.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface fastEthernet 0/0
R3(config-if)#ip address 30.1.1.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#no keepalive
R3(config-if)#exit



R1(config)#router eigrp 100
R1(config-router)#network 192.168.10.0
R1(config-router)#network 3.0.0.0
R1(config-router)#exit

*May 20 13:40:19.679: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 3.3.3.1 (Serial4/2) is up: new adjacency

R1(config)#router bgp 6111
R1(config-router)#neighbor 1.1.1.2 remote-as 6100
R1(config-router)#network 192.168.10.1 mask 255.255.255.255
R1(config-router)#network 10.0.0.0
R1(config-router)#exit
R1(config)#end

*May 20 13:43:29.459: %BGP-5-ADJCHANGE: neighbor 1.1.1.2 Up

R2(config)#router bgp 6100
R2(config-router)#neighbor 1.1.1.1 remote-as 6111
R2(config-router)#network 192.168.20.1 mask 255.255.255.255
R2(config-router)#neighbor 2.2.2.2 remote-as 6333
R2(config-router)#exit

*May 20 13:43:29.531: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up

R3(config)#router eigrp 100
R3(config-router)#network 3.0.0.0
R3(config-router)#network 192.168.30.0
R3(config-router)#exit

*May 20 13:40:19.663: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 3.3.3.2 (Serial4/2) is up: new adjacency

R3(config)#router bgp 6333
R3(config-router)#neighbor 2.2.2.1 remote-as 6100
R3(config-router)#network 30.0.0.0
R3(config-router)#network 192.168.30.1 mask 255.255.255.255
R3(config-router)#exit
R3(config)#end

*May 20 13:42:50.559: %BGP-5-ADJCHANGE: neighbor 2.2.2.1 Up

R3#show ip route 192.168.10.1 longer-prefixes
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      192.168.10.0/32 is subnetted, 1 subnets
B        192.168.10.1 [20/0] via 2.2.2.1, 00:02:03


(As you can see from the above output, router 3 is getting R1's 192.168.10.1 route via R2 {2.2.2.1}, serial 4/0 to serial 4/1, because of the lower AD value of eBGP.)

Let's see where router 1 is getting the 192.168.30.1 network from.


R1#show ip route 192.168.30.1 longer-prefixes
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      192.168.30.0/32 is subnetted, 1 subnets
B        192.168.30.1 [20/0] via 1.1.1.2, 00:01:44

(Router 1 is also installing the 192.168.30.1 network via eBGP, next hop 1.1.1.2, because of the lower AD of eBGP.)

We need to fix this with the help of the BGP backdoor command.

R1(config)#router bgp 6111
R1(config-router)#network 192.168.30.1 mask 255.255.255.255 backdoor
R1(config-router)#exit

R3(config)#router bgp 6333
R3(config-router)#network 192.168.10.1 mask 255.255.255.255 backdoor



R3#show ip route 192.168.10.1 longer-prefixes
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      192.168.10.0/32 is subnetted, 1 subnets
D        192.168.10.1 [90/2297856] via 3.3.3.2, 00:38:02, Serial4/2


(As you can see, after applying the backdoor command our routers now install the new path.)


A backdoor network is treated as a local network, except that it is not advertised. 

R1#show ip route 192.168.30.1 longer-prefixes
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      192.168.30.0/32 is subnetted, 1 subnets
D        192.168.30.1 [90/2297856] via 3.3.3.1, 00:02:17, Serial4/2
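A check for the result shown above, added here as an example and not part of the original post: it parses `show ip route` output and reports which source currently wins for a backdoor prefix. The function names and state labels are hypothetical, and it assumes the router has only eBGP peers, as in this lab.

```python
import re

# One installed-route line of IOS "show ip route": code, prefix, [AD/metric], next hop.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z])[A-Z0-9* ]*?[ \t]+(?P<prefix>\d+(?:\.\d+){3})(?:/\d+)?[ \t]+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\][ \t]+via[ \t]+(?P<next_hop>\d+(?:\.\d+){3})",
    re.MULTILINE,
)


def installed_routes(show_output):
    """Return one dict per installed route; legend and header lines are ignored."""
    return [
        {"code": m["code"], "prefix": m["prefix"], "ad": int(m["ad"]),
         "metric": int(m["metric"]), "next_hop": m["next_hop"]}
        for m in ROUTE_RE.finditer(show_output)
    ]


def backdoor_state(show_output, prefix):
    """Classify which source currently wins for a prefix marked as backdoor."""
    for r in installed_routes(show_output):
        if r["prefix"] != prefix:
            continue
        if r["code"] != "B":
            return "igp"  # a non-BGP source won: the backdoor is effective
        # Assumption: only eBGP peers exist, as in this lab (iBGP also uses AD 200).
        return "bgp-backup" if r["ad"] == 200 else "ebgp-preferred"
    return "not-installed"


# R1 output lines copied from this post (before and after the backdoor command).
BEFORE = """      192.168.30.0/32 is subnetted, 1 subnets
B        192.168.30.1 [20/0] via 1.1.1.2, 00:01:44
"""
AFTER = """      192.168.30.0/32 is subnetted, 1 subnets
D        192.168.30.1 [90/2297856] via 3.3.3.1, 00:02:17, Serial4/2
"""
# Constructed sample: what R1 would show if the EIGRP route were withdrawn.
IGP_LOST = "B        192.168.30.1 [200/0] via 1.1.1.2, 00:00:05\n"

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER), ("igp lost", IGP_LOST)):
        print(name, "->", backdoor_state(text, "192.168.30.1"))
```

A result of `ebgp-preferred` means the backdoor statement is missing or not applied, while `bgp-backup` means it is applied but traffic has fallen back to the eBGP path.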
