BGP backdoor link

Dear Team,
Can you explain how a BGP backdoor link works?
Scenario:
Two customer sites connected to different PEs.
CE1>>>PE1 (MPLS core) PE2>>>CE2. CE1 and CE2 have back-to-back connectivity with EIGRP. How does loop avoidance happen here?

Hello.
If the CE-PE protocol is eBGP, then the ISP would be using SoO as the loop-prevention mechanism.
Also, if you have the same AS for both CE-PE links, then your CE would prevent the prefix from being learnt, due to its own AS being found in the AS-path.
PS: I hope this answers your question about the loop-prevention mechanism on the ISP side. If you have a question about the CE network, then additional information is needed: what is advertised via each link, what the routing policy is (active/active or active/backup), which link is primary (MPLS or backdoor), etc.

Similar Messages

  • BGP BACKDOOR

    From the documentation that I have read concerning BGP backdoor, I assume that a network marked as backdoor is NOT advertised:
    network x.x.x.x backdoor
    -> if network x.x.x.x is received from eBGP, its admin distance is changed to 200, to prefer an IGP learned network. However, network x.x.x.x is not advertised to BGP peers by this command, even if x.x.x.x has an exact match in our routing table. Correct ?
    But what will happen in the following situation:
    router eigrp 1
    network x.x.x.x
    router bgp 65000
    network x.x.x.x backdoor
    redistribute eigrp 1
    neighbor y.y.y.y remote-as 65100
    Will network x.x.x.x be advertised to AS65100 by the redistribute command? Or will the backdoor command prevent this? Will the backdoor command only work on received routes from AS65100?
    Can someone shed some light on this? I am unable to test this in a lab at this time.
    Regards,
    Geert

    Hi Geert,
    According to what I have read in CCIE Professional Development Routing TCP/IP, Volume Two,
    the address specified by the network backdoor command is not advertised to EBGP peers.

  • Allow_As, as-override, SOO, bgp-backdoor

    Hi,
    Can anybody please share the usefulness of the above attributes and where we need to/should use them?
    Please share a practical example.
    Br/Subhojit


  • Backdoor routes

    We are starting a conversion of a rather large network from atm/frame to mpls. We will be managing the ce routers and talk bgp to the pe routers. Our current network is eigrp. We will have quite a few backdoor links in the network. Some will be backup only and not carry normal traffic, others such as the backdoor links between our data centers will be the primary path between the sites.
    My question is what is the best way to handle the backdoor links. We are looking at:
    1) running BGP on the backdoor links also, and iBGP between the routers for the backdoor and the CE router.
    2) running EIGRP on the backdoor but under a separate EIGRP AS number and redistributing into the primary EIGRP AS.
    Both have their pros and cons. I was wondering which way other organizations have gone and why.

    Hello,
    my 2 cents on the subject.
    I haven't been involved with a customer in the situation you are in. So these are some thoughts on the subject not backed up by experience.
    First, you need mutual redistribution BGP<->EIGRP on all CE routers.
    Second, as EIGRP will always prefer internal routes over external ones, you need another protocol on the backdoor links, which should be really backdoor.
    This said, I would first select the links which really shall be backup to the MPLS network. All other (preferred) links should be running EIGRP with the main AS to reduce complexity.
    So let's first look at the "MPLS is backup" scenario. You will have the same networks on the CE learned through EIGRP and eBGP. The latter, having AD=20, is preferred, which is undesired in this case. Setting eBGP to AD=150 could fix this. Additionally you need to tag the EIGRP networks learned from BGP with a site-specific tag, which would allow you to exclude them from redistribution back into BGP once they are announced through EIGRP to another CE.
    Generally a tag should indicate that this network was already passed through the MPLS VPN and thus MUST not be redistributed again.
    Now let's have a look at the "MPLS is primary" scenario. As you already stated, you need another routing protocol/EIGRP AS in this case. On the CE this would still work, because external EIGRP with AD=170 is worse than the (modified) AD=150 of BGP.
    What remains is again to set proper filters to avoid routing loops most likely again with tags and route-maps for scalability.
    With all this mutual redistribution it is clear, that any mistake in configuration or design of the filters will result in a routing loop.
    The other option would be BGP everywhere. Be aware however, that this will most likely not remove the redistribution and filter complexity.
    What I do not quite understand is what the physical design looks like, i.e. where you have BGP routers and where EIGRP (main AS). In case you don't want to black hole yourself, you need to redistribute back into EIGRP in any case, or run an iBGP full mesh on most of your internal routers.
    So in the end you have a lot of complexity in both solutions. Both of them can be implemented. From an operational point of view I would say that my tendency would be towards EIGRP instead of BGP. But just because your staff might know the latter well enough to operate the whole thing without too much pain.
    Looking from a distance:
    1) Have you pushed the SP hard enough (=$$ ?) to allow EIGRP on the PE-CE link? This would simplify the whole situation.
    2) Have you thought of pushing the SP into OSPF on PE-CE and convert everything to OSPF internally? This would also simplify things. OSPF is better prepared to handle routing loops in MPLS VPNs and also sham links allow for having backdoor links, when required.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • Configuring BGP and OSPF to BGP always prefer.

    Hi,
    I'm configuring a VPNv4 between two sites. In the principal site I receive some prefixes through OSPF and in the backup site the same prefixes through OSPF. I'm redistributing OSPF routes through BGP to the backup site.
    In summary, in the backup site the ASR9K receives the same prefixes through OSPF (local) and BGP, but the ASR must prefer BGP routes instead of OSPF.
    How can I configure it?
    Thanks.

    Hi Jaime,
    an L3 network topology would possibly help to understand your goals and challenges. In general, in scenarios with OSPF and VPNv4 there's a challenge, that OSPF prefixes will be preferred indeed, if the two sites have a backdoor link. To overcome this, there's a feature in OSPF called 'sham-link', which makes the prefixes learned across the backbone (and hence via MP-BGP) more preferred.
    HTH,
    Ivan.

  • OSPF Sham-link

    Does anyone know exactly how the OSPF sham-link operates? By default BGP-learned routes do not get a label assigned (only the next hop). OSPF sham-link host interfaces MUST be advertised by BGP and not the OSPF process. This says to me that the sham-link CANNOT be label switched throughout the core network. However, every document, not very clearly, always states the sham-link will follow the label forwarding table.
    Snippet below:
    The source and destination IP addresses
    must belong to the VRF and be advertised by Border Gateway Protocol (BGP) to remote PE routers. The
    sham-link endpoint addresses should not be advertised by OSPF.
    Does anyone have a decent explanation of why this is?

    The sham link is used to prefer the path via the MPLS BGP VPN backbone instead of the backdoor link when it exists between two sites. The sham link is just like a virtual link and is configured between the 2 PE devices that connect to CE devices which have a backdoor link between them. Loopback interfaces are used to configure the sham link on the PE devices, and these are advertised through BGP so that the PE devices can reach these addresses only through the backbone, and not included in OSPF so that the PE devices will not try to reach them through the backdoor link. Since the addresses are learned via BGP and there is a label associated with the BGP next-hop for these addresses (which might be another loopback or a physical address on the PE devices), the sham link between the PE devices can be label switched, and OSPF routes are exchanged over this sham link to prefer the routes via the backbone.

  • RTP Traffic Prioritization over BGP

    We have implemented our QoS Policies throughout our network. DSCP tagged EF and CS6 packets are being prioritized correctly on all of our interfaces with the exception of the BGP connected link. CS6 packets are being prioritized, however, EF packets (RTP traffic) is not. The BGP link is using VRF VPN's- does this have something to do with it? Is there something special that has to be done to be able to prioritize this traffic?
    Greg

    Actually, we are tagging traffic ourselves as it comes into our router. EF IS being tagged correctly, and going outbound toward the serial, ethernet, and multilink interfaces it is prioritized correctly going out. On our BGP connections between core routers and to provider edge routers, it is not. All of these BGP links are within our system- no external provider.
    Greg

  • RIP Between CPE & PE in a MPLS VPN

    When RIP is used as the dynamic routing protocol between dual homed CPE and PE in a MPLS VPN scenario with a backdoor link, there are chances of loops occurring and traffic transiting low bandwidth links. What precautions or actions can be taken to prevent these behaviors with RIP?
                   CPE
                      |
    CPE-------PE---P
        |                      |
    CPE-------PE---P
                     |
                  CPE

    Hi,
    When you redistribute the MP-BGP routes into RIP on the PE, you have an option of specifying the metric with which RIP redistributes the routes. You can make use of this feature and set the RIP metric accordingly while you redistribute the RIP routes of the remote CE location into the local CE location. Also make the metric over the backdoor link less or more preferable (whichever way you opt for) with an offset list on that specific interface. This way the local CE receives updates with two different metrics (one over the MPLS provider and the other over the backdoor link) and the one with the least metric is preferred.
    Also you have to stop advertising the LAN prefixes of the remote CE router to unwanted interfaces by using the distribute list command. This can be done on the interface of the CE connecting to PE routers, where the distribute list contains the LAN of remote CE locations. Though split horizon stops advertising, I am a bit skeptical about whether prefixes with different metrics work with split horizon.
    If the backdoor is TDM or the ethernet link where physical layer is going down on Layer 1 issues, then better option is to have static routing with higher/lower AD than RIP over backdoor link. There is no chance of looping in this case and you have better control.
    HTH
    Arun

  • Webvpn GW's on one router with domain names

    Hi,
    I'm trying to configure multiple WebVPN gateways on one router using one front door VRF and multiple back door VRFs. Think of this like a cloud service provider with several customers using different VRFs and one Internet VRF used for the incoming connections for the remote users.
    Doing so, several scenarios arise:
    Using one gateway and several contexts with a separate VRF for each.
    Please let me know if I am wrong here:
    I can only assign one trustpoint because I only have one gateway. This means that all users connecting can only use one domain name like "*.isp.com". This also implies the use of a wildcard certificate.
    Using several gateways and several contexts with a separate VRF for each.
    I can only assign multiple trustpoints because I only have one gateway. This means that users connecting can use multiple domains name like "webvpn.clientA.com" and "webvpn.clientB.com".
    I would prefer the first situation but then I run into a second problem:
    There are several commands related to hostname and up till now I have not figured out which one does exactly what:
    ROUTER(config)#webvpn gateway WEB_GW
    ROUTER(config-webvpn-gateway)#hostname
    ROUTER(config)#webvpn context CUST1_CT
    ROUTER(config-webvpn-context)#gateway WEB_GW domain
    ROUTER(config-webvpn-context)#gateway WEB_GW virtual-host
    Is there anyone who can explain to me what exactly does what?
    My personal guess is that I only need to configure the virtual-host like this: "CUST1_CT -> virtual-host cust1.isp.com and CUST2_CT -> virtual-host cust2.isp.com". But I'm not sure about this and up till now I have not found any documentation that describes this very clearly.


  • NAT and Routed Network with Two ISP's on one router

    I'm sure this has been covered many times, but I am not finding it.
    I have two ISP connections.
    With ISP-A I have a /30 between us, and 200.100.100.0/24 is routed to me via the /30. For this example we will say the /30 is 1.1.1.1 on the ISP end and 1.1.1.2 on my end.
    With ISP-B I have a 100.0.0.0/29 subnet. and the ISP gateway is on that subnet at 100.0.0.1
    On the inside of my network I have devices using both 200.100.100.x addresses and devices on 192.168.100.x that need to use NAT.
    I would like all of the devices on 200.100.100.x addresses to continue using ISP-A as their gateway.
    Everything on 192.168.100.x should use NAT and go out ISP-B
    I have tried
    ip nat inside source route-map ISP-A interface GigabitEthernet0/1 overload
    route-map ISP-B permit 10
     match ip address 101
     match interface GigabitEthernet0/1
     set ip next-hop 100.0.0.1
    route-map ISP-A permit 10
     match ip address 111
     match interface Multilink1
     set ip next-hop 1.1.1.1
    The problem comes when I have default routes to ISP-A in the router, then none of the ISP-B traffic works, and vice versa.

    I think for this to work correctly and be able to split traffic between the 2 ISPs, you would need to use BGP, because default is going to use one ISP or the other.
    If you can use BGP, this link will help you in load sharing between multiple ISPs when you have one router.
    http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html#conf4
    HTH

  • JMS Routing over two AS Nodes

    Hi,
    Is it possible to have a single JMS/AQ point in front of an ACTIVE-ACTIVE AS cluster that routes to a single JMS inbound node?
    Suppose you have two servers with an OC4J instance on each AS. You have Cache objects running on each OC4J instance.
    A single message is consumed, an MDB calls an EJB on each OC4J instance to check for instance presence in each cache. The JMS should be routed to the OC4J node whose cache contains the instance.
    Should it be feasible?
    How?
    Please advise.
    thanks
    JO

    The following document by Mr. Omar Santo should lead you on a correct path of Network salvation ;-)
    https://supportforums.cisco.com/document/148471/what-bgp-backdoor-feature
    Manish

  • Modifying iBGP distance for a Specific Prefix

    Hi
    I have a scenario where I wish BGP backdoor could be used, but it can't in this case.
    I have a router learning a single prefix via EIGRP and iBGP. I would like it to prefer iBGP, but of course EIGRP wins due to distance (90).
    I would like to modify a single prefix learned via iBGP to say 80 for example. So long as it wins over EIGRP.
    I've researched a few posts, but they point to eBGP. I would imagine the same could be achieved for iBGP. Has anyone done this, and are there any other ways it can be achieved other than using an ACL with the distance command under BGP?
    thank you

    You may change the EIGRP AD for the specific prefix, as Julio outlines, it is probably best doing it this way than to play with BGP.
    The way you can accomplish that is here:
    R1 is advertising a connected network 1.1.1.0. There is an iBGP peering between R1 and R2. Also an EIGRP neighborship between them both. I want to influence R2's route to 1.1.1.0/24 to prefer iBGP (200) over eigrp (90).
    Here is my current config and routes.
    router eigrp 10
     network 1.1.1.0 0.0.0.255
     network 10.0.0.1 0.0.0.0
     no auto-summary
    router bgp 100
     no synchronization
     bgp router-id 10.0.0.1
     bgp log-neighbor-changes
     network 1.1.1.0 mask 255.255.255.0
     neighbor 10.0.0.2 remote-as 100
     no auto-summary
    Rack1R2
    router eigrp 10
     network 10.0.0.2 0.0.0.0
     no auto-summary
    router bgp 100
     no synchronization
     bgp router-id 10.0.0.2
     bgp log-neighbor-changes
     neighbor 10.0.0.1 remote-as 100
     no auto-summary
    Rack1R2#show ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is not set
         1.0.0.0/24 is subnetted, 1 subnets
    D       1.1.1.0 [90/409600] via 10.0.0.1, 00:06:30, FastEthernet0/0
         10.0.0.0/30 is subnetted, 1 subnets
    C       10.0.0.0 is directly connected, FastEthernet0/0
    Rack1R2#       
    Rack1R2#show ip bgp
    BGP table version is 4, local router ID is 10.0.0.2
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    r>i1.1.1.0/24       10.0.0.1                 0    100      0 i
    Rack1R2#
    Now to modify the AD for the particular prefix in EIGRP.
    Rack1R2(config)#router eigrp 10
    Rack1R2(config-router)#distance ?
      <1-255>  Administrative distance
      eigrp    IP-EIGRP distance
    Rack1R2(config-router)#distance 201 ? - Make it worse than iBGP
      A.B.C.D  IP Source address
    Rack1R2(config-router)#distance 201 10.0.0.1 ? - Where you are learning the route from
      A.B.C.D  Wildcard bits
    Rack1R2(config-router)#distance 201 10.0.0.1 0.0.0.0 1 - Followed by an ACL to match the prefix
    Rack1R2(config)#ip access-list standard 1
    Rack1R2(config-std-nacl)#permit 1.1.1.0
    Rack1R2(config-std-nacl)#exit
    Rack1R2(config)#
    For me, it took effect immediately, but you may need to clear ip route x.x.x.x (I've experienced this before).
    Rack1R2(config)#do show ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is not set
         1.0.0.0/24 is subnetted, 1 subnets
    B       1.1.1.0 [200/0] via 10.0.0.1, 00:03:28
         10.0.0.0/30 is subnetted, 1 subnets
    C       10.0.0.0 is directly connected, FastEthernet0/0
    Now it has changed to prefer the iBGP route. Please take extra caution as doing this even with IGPs generally can cause routing loops.
    hth.
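
The administrative-distance choices discussed in the threads above (eBGP 20 against EIGRP 90, `network ... backdoor` demoting the eBGP route to 200, eBGP moved to 150, EIGRP set to 201 for one prefix) and the tag filter Martin describes can be checked in a small model. This Python model is an added example, not code from any poster or from Cisco; the `CeRouter` class, both prefixes and the tag value 65001 are constructed for illustration, and it covers more cases than any single thread.

```python
from dataclasses import dataclass

# Default Cisco IOS administrative distances for the protocols in these threads.
DEFAULT_AD = {"ebgp": 20, "eigrp": 90, "eigrp-ext": 170, "ibgp": 200}
VPN_TAG = 65001       # assumed tag meaning "already crossed the MPLS VPN"
P = "10.20.0.0/16"    # constructed remote-site prefix
LAN = "10.30.0.0/16"  # constructed local LAN prefix

@dataclass(frozen=True)
class Route:
    prefix: str
    source: str   # one of the DEFAULT_AD keys
    tag: int = 0  # 0 = untagged

class CeRouter:
    """Hypothetical CE model: AD-based selection plus tag-aware redistribution."""

    def __init__(self, ad=None, backdoor=(), prefix_ad=None):
        self.ad = {**DEFAULT_AD, **(ad or {})}  # e.g. {"ebgp": 150}
        self.backdoor = set(backdoor)           # "network <prefix> backdoor"
        self.prefix_ad = prefix_ad or {}        # per-prefix "distance" override
        self.learned = []

    def learn(self, *routes):
        self.learned.extend(routes)
        return self

    def distance(self, r):
        if (r.source, r.prefix) in self.prefix_ad:
            return self.prefix_ad[(r.source, r.prefix)]
        if r.source == "ebgp" and r.prefix in self.backdoor:
            return 200  # backdoor: the eBGP route is demoted to distance 200
        return self.ad[r.source]

    def rib(self):
        """Lowest administrative distance wins for each prefix."""
        best = {}
        for r in self.learned:
            cur = best.get(r.prefix)
            if cur is None or self.distance(r) < self.distance(cur):
                best[r.prefix] = r
        return best

    def bgp_to_eigrp(self):
        """Installed BGP routes, re-announced as tagged external EIGRP."""
        return [Route(r.prefix, "eigrp-ext", VPN_TAG)
                for r in self.rib().values() if r.source in ("ebgp", "ibgp")]

    def eigrp_to_bgp(self, deny_tagged):
        """Installed EIGRP routes offered to BGP; optionally drop tagged ones."""
        return sorted(r.prefix for r in self.rib().values()
                      if r.source.startswith("eigrp")
                      and not (deny_tagged and r.tag == VPN_TAG))

def winner(ce, a, b):  # source that wins when P is learned from a and b at once
    return ce.learn(Route(P, a), Route(P, b)).rib()[P].source

def selection_cases():
    return {
        "default": winner(CeRouter(), "ebgp", "eigrp"),
        "network backdoor": winner(CeRouter(backdoor=[P]), "ebgp", "eigrp"),
        "eBGP 150 vs EIGRP": winner(CeRouter({"ebgp": 150}), "ebgp", "eigrp"),
        "eBGP 150 vs EIGRP ext": winner(CeRouter({"ebgp": 150}), "ebgp", "eigrp-ext"),
        "EIGRP 201 vs iBGP": winner(CeRouter(prefix_ad={("eigrp", P): 201}), "ibgp", "eigrp"),
    }

def feedback(deny_tagged):
    """CE-B holds only the copy of P that CE-A redistributed over the backdoor."""
    ce_a = CeRouter({"ebgp": 150}).learn(Route(P, "ebgp"))
    ce_b = CeRouter({"ebgp": 150}).learn(Route(LAN, "eigrp"), *ce_a.bgp_to_eigrp())
    return ce_b.eigrp_to_bgp(deny_tagged)

if __name__ == "__main__":
    print(selection_cases(), feedback(False), feedback(True), sep="\n")
```

Without the tag filter, CE-B offers the remote prefix back to BGP as if it were local; with the filter only its own LAN is redistributed.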

  • What's this Shopping Cart Trick I hear of?

    Check out this thread: http://ficoforums.myfico.com/t5/Credit-Card-Applications/Shopping-cart-trick-work-for-you-Please-add-to-list/td-p/2869327 I advise only getting a card that you really want anyway and will use, as many (myself included) have indulged and regretted it later. You can get these cards via SP but you will still take a ding to your AAoA for the new account (although depending on your credit profile, this may not have a huge effect). Hope this helps.

    designated_knitter wrote:
    @core -- define "scores in the dump", please?  And thank you ;-)I wasn't doing great recordskeeping at the time, and I wasn't paying for myfico, but 10 days before I applied for the Sportsman's Guide, my Discover-provided FICO (TU 08) showed me at 647.  That's the "dump" for me because I was stuck there for 5-6 years with no hope; don't mean to offend anyone who just got there or anything. My EX score must also have been around 647 because both BofA and Discover provided that same EX score in unfavorable terms letters.  That same day, CapOne denied me for a QS and listed a CapOne-generated score of 672 based on EX data.   The SG was coming off the tail end of an app spree obviously; I only applied for it for kicks because someone posted a link.  I know those aren't all "real" scores but that's the best I can do with next to no records from a long time ago.  Also I used a backdoor link to get the shopping cart trick to work on Sportsman's Guide (search this forum for it, a new one was posted again within the last 2-3 mos), but I don't know for sure if that helped me or not.  I _know_ Comenity isn't stupid enough to hand out fat limits just based on some trick and no credit data, but it probably saved me the hard pull. 

  • Jotform warning

    When I upload my site I get this warning dialogue:
    1 Warning
    Connection to PHP file failed. Unable to check if this web server supports PHP needed by Muse forms. Be sure the domain name entered in the FTP upload dialog is correct.
    My site is not live yet, but in the "backdoor" link I am using it looks OK.
    Any ideas?
    Here is the link:
    http://mtp-it3.com/marcoislandwatersports.com/

    Hi,
    Please try some steps given in this document below
    http://forums.adobe.com/docs/DOC-3581

  • First Gen Touch + Tiger

    How do I upgrade a first gen Touch to 3.1.3?
    I am running X.4.11 and iTunes 9.2.1
    Obviously there's some issue where iTunes knows there's a higher version of iOS, 3.1.3, but it won't download it. What's the workaround, or what's the direct backdoor link to the ips package on Apple's servers?

    Hello Langdon,
    See this article about updating your 1st generation iPod Touch to 3.1
    http://support.apple.com/kb/HT2052
    B-rock
