BGP Backdoor Routes

When your router learns about a prefix through EBGP and an IGP (RIP, OSPF or EIGRP) then it will always prefer the external BGP route. EBGP uses an administrative distance of 20 so it’s preferred over OSPF (110), RIP (120) or EIGRP (90).

This can introduce a problem, let me show you a scenario:

R1 R2 R3 AS1 AS2 AS3

Above you see 3 routers, R1,R2 and R3. Imagine R1 and R2 are two sites from a customer and R3 is the ISP router.

R1 and R2 have a fast “backdoor” link and OSPF is configured to exchange some prefixes between the two sites. To illustrate this I have added a loopback interface on these two routers.

R1 and R2 are also configured to use EBGP with R3, they advertise the same prefixes as they do in OSPF. This introduces a problem:

R1 prefix learned OSPF BGP

Above you see that R1 learns about the /32 prefix through BGP (R3) and OSPF (R2). Since EBGP has a lower (thus better) AD it will install this path in its routing table. The same thing applies to R2 for the /32 prefix.

Let’s take a look at this scenario on our routers, I’ll configure OSPF and BGP and you will learn how to fix this problem.

OSPF Configuration

First we’ll configure R1 and R2 to run OSPF. I’ll advertise their loopback interfaces:

R1(config)#router ospf 1
R1(config-router)#network area 0
R1(config-router)#network area 0
R2(config)#router ospf 1
R2(config-router)#network area 0
R2(config-router)#network area 0

Nothing special here, just a basic OSPF configuration. Here’s what the routing table of R1 and R2 looks like now:

R1#show ip route ospf | include 2.2
O [110/2] via, 00:00:12, FastEthernet0/0
R2#show ip route ospf | include 1.1
O [110/2] via, 00:00:27, FastEthernet0/0

They learned about each others prefixes, great! Our next move is configuring BGP…

BGP Configuration

R1 and R2 will both peer with R3 and I’ll advertise their loopback interfaces in BGP:

R1(config-router)#neighbor remote-as 3
R1(config-router)#network mask
R2(config-router)#neighbor remote-as 3
R2(config-router)#network mask
R3(config)#router bgp 3
R3(config-router)#neighbor remote-as 1   
R3(config-router)#neighbor remote-as 2

Just a plain and simple BGP configuration. Now look again at the routing table of R1 and R2:

R1#show ip route | incl 2.2 
B [20/0] via, 00:00:45
R2#show ip route | incl 1.1
B [20/0] via, 00:01:23

R1 and R2 will now use R3 to reach each others loopback interfaces. This happens because the AD of EBGP is 20 while OSPF has an AD of 110. As a result, OSPF is removed from the routing table. So how do we fix this? You could change the administrative distance manually but this tutorial is about the “backdoor” feature so let’s see how it works.

BGP Backdoor Configuration

We have to configure the network that we want to use our “backdoor” for, here’s what it looks like:

R1(config-router)#network mask backdoor
R2(config-router)#network mask backdoor

You use the network command but add the backdoor keyword at the end.


Let’s see what changed:

R1#show ip route | incl 2.2
O [110/2] via, 00:00:42, FastEthernet0/0

R2#show ip route | incl 1.1
O [110/2] via, 00:00:28, FastEthernet0/0

Great! Our routers now prefer the OSPF routes again. The prefixes are still in BGP as you can see here:

R1#show ip bgp         
BGP table version is 7, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>                  0         32768 i
r>                           0 3 2 i
R2#show ip bgp
BGP table version is 7, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
r>                           0 3 1 i
*>                  0         32768 i

This is a good thing. When the backdoor link fails we can still use the information from BGP, let’s simulate that:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 710 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

444 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Forum Replies

  1. Thanx a lot Rene … Excellent explanation … It was so systematic … to the point … and U made it so easy to understand … Great work

  2. Rafa,
    What you are seeing is the effect of the backdoor command. The backdoor command changes the BGP administrative distance of the selected route from 20 to 200. 200 is chosen because that AD is worse than any IGP’s AD. This way, BGP will be used as a last resort if either static or other IGP routing mechanisms become unavailable.

  3. Hello Ravi

    There are many situations in which it would be beneficial for you to run an IGP such as OSPF between AS’s. These include:

    1. Allowing multiple routing protocols to inject routes into the routing table provides backup routing capabilities if a routing protocol fails
    2. In order for BGP to function, and in order for it to be able to share routing between neighbours, the neighbours themselves must be reachable to each other. In order to achieve this, an IGP is often used.

    I hope this has been helpful!


  4. Hello Ankit

    Say you have two enterprise networks connected to an ISP, and they are exchanging routing information via eBGP. Now imagine that these two enterprises are sister companies, and they have arranged to have an independent link between their campuses for internal network connectivity for sharing applications and other network resources. Let’s that these two companies are sharing routing information via this link using OSPF or EIGRP. Under normal circumstances, any routing between these two companies would take place via the eBGP links over the ISP be

    ... Continue reading in our forum

10 more replies! Ask a question or join the discussion by visiting our Community Forum