BGP backdoor


The BGP network backdoor feature lets two ASs use a non-BGP backdoor link between them.

Look at the topology:


[Figure: bgp-backdoor topology]

If AS300 and AS500 are not BGP peers, the connection between the loopbacks on R3 and R5 goes through AS100:


R3#traceroute 5.5.5.5 so l0 probe 1 timeout 1 numeric
1 10.0.23.2 16 msec
2 10.0.12.1 24 msec
3 10.0.14.4 24 msec
4 10.0.45.5 [AS 100] 16 msec


Even if R3 and R5 are OSPF neighbors, OSPF routes have AD 110 while eBGP has AD 20 and wins:

R3#sir 5.5.5.5
Routing entry for 5.5.5.5/32
Known via "bgp 300", distance 20, metric 0
Tag 100, type external
Last update from 10.0.23.2 00:03:04 ago
Routing Descriptor Blocks:
* 10.0.23.2, from 10.0.23.2, 00:03:04 ago
Route metric is 0, traffic share count is 1
AS Hops 2
Route tag 100

How do we allow R3 and R5 to use the backdoor link between their S1/1 interfaces? By creating a backdoor:

R3(config)#router bgp 300
R3(config-router)#network 5.5.5.5 mask 255.255.255.255 backdoor

Verify:

R3#sir 5.5.5.5
Routing entry for 5.5.5.5/32
Known via "ospf 1", distance 110, metric 101, type intra area
Last update from 10.0.35.5 on Serial1/1, 00:00:19 ago
Routing Descriptor Blocks:
* 10.0.35.5, from 10.0.35.5, 00:00:19 ago, via Serial1/1
Route metric is 101, traffic share count is 1

What about the eBGP route?

R3#sh ip bgp 5.5.5.5
BGP routing table entry for 5.5.5.5/32, version 13
Paths: (1 available, best #1, table Default-IP-Routing-Table, RIB-failure(17))
Not advertised to any peer
100 500
10.0.23.2 from 10.0.23.2 (2.2.2.2)
Origin IGP, localpref 100, valid, external, best

It's still there, but "RIB-failure" means a better IGP route was found, as we expected when creating the backdoor.
On R5 we still transit through AS100 to reach R3 L0.

R5#sir 3.3.3.3
Routing entry for 3.3.3.3/32
Known via "bgp 500", distance 20, metric 0
Tag 100, type external
Last update from 10.0.45.4 00:05:14 ago
Routing Descriptor Blocks:
* 10.0.45.4, from 10.0.45.4, 00:05:14 ago
Route metric is 0, traffic share count is 1
AS Hops 2
Route tag 100

We need the backdoor command on R5 too to keep traffic symmetric:

R5(config)#router bgp 500
R5(config-router)#network 3.3.3.3 mask 255.255.255.255 backdoor

Verify:

R5#sir 3.3.3.3
Routing entry for 3.3.3.3/32
Known via "ospf 1", distance 110, metric 21, type intra area
Last update from 10.0.35.3 on Serial1/1, 00:00:15 ago
Routing Descriptor Blocks:
* 10.0.35.3, from 10.0.35.3, 00:00:15 ago, via Serial1/1
Route metric is 21, traffic share count is 1

Can we achieve the same result without using the backdoor command? Of course!
Remove the backdoor from R5:

R5(config)#router bgp 500
R5(config-router)#no network 3.3.3.3 mask 255.255.255.255 backdoor

We reach R3 L0 through AS 100 again:

R5(config-router)#do sir 3.3.3.3
Routing entry for 3.3.3.3/32
Known via "bgp 500", distance 20, metric 0
Tag 100, type external
Last update from 10.0.45.4 00:00:25 ago
Routing Descriptor Blocks:
* 10.0.45.4, from 10.0.45.4, 00:00:25 ago
Route metric is 0, traffic share count is 1
AS Hops 2
Route tag 100

Now on R5 we set AD 200 for prefix 3.3.3.3/32 learnt from 10.0.45.4:

R5(config)# access-list 3 permit 3.3.3.3
R5(config)#router bgp 500
R5(config-router)# distance 200 10.0.45.4 0.0.0.0 3

After clearing the BGP session we get again:

R5(config-router)#do sir 3.3.3.3
Routing entry for 3.3.3.3/32
Known via "ospf 1", distance 110, metric 21, type intra area
Last update from 10.0.35.3 on Serial1/1, 00:06:28 ago
Routing Descriptor Blocks:
* 10.0.35.3, from 10.0.35.3, 00:06:28 ago, via Serial1/1
Route metric is 21, traffic share count is 1

And now again: is there another way to achieve the same result? Actually, there is. Can you guess it?

Here's a clue: "bgp maxas-limit 1"

In AS500, R5 learns prefix 3.3.3.3/32 with AS-PATH "100 300 i":

R5(config-router)#do show ip bgp
BGP table version is 6, local router ID is 5.5.5.5
Network Next Hop Metric LocPrf Weight Path
*> 3.3.3.3/32 10.0.45.4 0 100 300 i

If we set "maxas-limit" to 1, R5 filters all prefixes with an AS-PATH longer than 1, in other words any prefix learnt from AS300. In this particular topology that means that R5 will use the OSPF route to reach prefix 3.3.3.3/32.

This is the message we get after applying the command and clearing the BGP session:

*Mar 1 03:52:25.171: %BGP-6-ASPATH: Long AS path 100 300 received from 10.0.45.4: More than configured MAXAS-LIMIT

And this is the route as expected:

R5(config-router)#do sir 3.3.3.3
Routing entry for 3.3.3.3/32
Known via "ospf 1", distance 110, metric 21, type intra area
Last update from 10.0.35.3 on Serial1/1, 00:08:50 ago
Routing Descriptor Blocks:
* 10.0.35.3, from 10.0.35.3, 00:08:50 ago, via Serial1/1
Route metric is 21, traffic share count is 1
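
The three approaches compared side by side, as an added example that is not part of the original post: a simplified Python model of route installation on R5 by administrative distance. The prefix 9.9.9.9/32 with AS path "100 900" is a constructed route with no OSPF alternative, included to show that maxas-limit applies to every received path while the backdoor and distance settings touch only 3.3.3.3/32.

```python
# Simplified model of route installation on R5 (added example, not router code).
# Lowest administrative distance wins among the candidates for a prefix.
EBGP_AD, OSPF_AD = 20, 110
BACKDOOR_AD = 200  # a backdoor network gets the BGP local distance, 200 by default

# Candidates on R5. 3.3.3.3/32 and its AS path are from the page;
# 9.9.9.9/32 is a constructed prefix reachable only through AS100.
BGP = {"3.3.3.3/32": [100, 300], "9.9.9.9/32": [100, 900]}
OSPF = {"3.3.3.3/32"}

def rib(backdoor=(), distance_acl=None, maxas_limit=None):
    """Return {prefix: winning protocol or None} for one configuration of R5.

    backdoor     -- prefixes configured with 'network ... backdoor'
    distance_acl -- (distance, prefixes) as set by 'distance <ad> <peer> <wildcard> <acl>'
    maxas_limit  -- value of 'bgp maxas-limit', or None when unset
    """
    table = {}
    for prefix in sorted(set(BGP) | OSPF):
        candidates = []
        if prefix in OSPF:
            candidates.append((OSPF_AD, "ospf"))
        path = BGP.get(prefix)
        # maxas-limit discards the update before it competes for the RIB
        if path is not None and (maxas_limit is None or len(path) <= maxas_limit):
            ad = EBGP_AD
            if prefix in backdoor:
                ad = BACKDOOR_AD
            elif distance_acl and prefix in distance_acl[1]:
                ad = distance_acl[0]
            candidates.append((ad, "bgp"))
        table[prefix] = min(candidates)[1] if candidates else None
    return table

def summary():
    """Winning protocol per prefix under each of the page's configurations."""
    target = {"3.3.3.3/32"}
    return {
        "default": rib(),
        "backdoor": rib(backdoor=target),
        "distance 200": rib(distance_acl=(200, target)),
        "maxas-limit 1": rib(maxas_limit=1),
    }

if __name__ == "__main__":
    for name, table in summary().items():
        print(f"{name:14} {table}")
```

In this model the backdoor and distance variants move only 3.3.3.3/32 to OSPF, while maxas-limit 1 also leaves the constructed 9.9.9.9/32 with no route at all.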

As many trainers say: "CCIE is not best-practices".

HTH