Network Backdoor

This scenario verifies the BGP network backdoor command for both iBGP and eBGP sessions. A backdoor route modifies the administrative distance so that IGP routes are preferred over BGP.


Test BGP Network Backdoor iBGP

Description

Test BGP network backdoor with iBGP using 3 routers. DUT0 announces 192.168.10.0/24 via OSPF and BGP. DUT1 runs OSPF and BGP with backdoor, so it prefers the OSPF route (AD 110) over the iBGP route (AD 20 with backdoor instead of 200). DUT2 learns the route via iBGP from DUT1.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.1.1.1/24
set protocols bgp 10 neighbor DUT1 nexthop-self
set protocols bgp 10 neighbor DUT1 remote-address 10.1.1.2
set protocols bgp 10 neighbor DUT1 remote-as 10
set protocols bgp 10 network 192.168.10.0/24
set protocols ospf area 0 network 10.1.1.0/24
set protocols ospf redistribute static
set protocols static route 192.168.10.0/24 blackhole
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.1.1.2/24
set interfaces ethernet eth1 address 10.1.2.100/24
set protocols bgp 10 neighbor DUT0 remote-address 10.1.1.1
set protocols bgp 10 neighbor DUT0 remote-as 10
set protocols bgp 10 neighbor DUT2 nexthop-self
set protocols bgp 10 neighbor DUT2 remote-address 10.1.2.101
set protocols bgp 10 neighbor DUT2 remote-as 10
set protocols bgp 10 network 192.168.10.0/24 backdoor
set protocols bgp 10 redistribute ospf
set protocols ospf area 0 network 10.1.1.0/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2:

set interfaces ethernet eth1 address 10.1.2.101/24
set protocols bgp 10 neighbor DUT1 remote-address 10.1.2.100
set protocols bgp 10 neighbor DUT1 remote-as 10
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Attention

Verify OSPF neighbor is established between DUT0 and DUT1

Step 4: Run command protocols ospf show neighbor at DUT1 and check if output matches the following regular expressions:

10.1.1.1
Show output
Neighbor ID     Pri State           Up Time         Dead Time Address         Interface                        RXmtL RqstL DBsmL
10.1.1.1          1 2-Way/DROther   1.648s            38.351s 10.1.1.1        eth0:10.1.1.2                        0     0     0

Attention

Verify DUT1 learns 192.168.10.0/24 via OSPF from DUT0

Step 5: Run command protocols ip show route at DUT1 and check if output matches the following regular expressions:

O>[*]\s+192.168.10.0/24
Show output
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF default:
O   10.1.1.0/24 [110/10] is directly connected, eth0, weight 1, 00:00:51
C>* 10.1.1.0/24 is directly connected, eth0, weight 1, 00:00:51
K * 10.1.1.0/24 [0/0] is directly connected, eth0, weight 1, 00:00:51
L>* 10.1.1.2/32 is directly connected, eth0, weight 1, 00:00:51
C>* 10.1.2.0/24 is directly connected, eth1, weight 1, 00:00:51
L>* 10.1.2.100/32 is directly connected, eth1, weight 1, 00:00:51
O>* 192.168.10.0/24 [110/20] via 10.1.1.1, eth0, weight 1, 00:00:05

Attention

Verify BGP sessions are established

Step 6: Run command protocols bgp show ip summary at DUT0 and check if output matches the following regular expressions:

10.1.1.2.*Established
Show output
IPv4 Unicast Summary:
BGP router identifier 10.1.1.1, local AS number 10 VRF default vrf-id 0
BGP table version 1
RIB entries 1, using 128 bytes of memory
Peers 1, using 24 KiB of memory

Neighbor        LocalAddr       V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down        State   PfxRcd   PfxSnt Desc
10.1.1.2        10.1.1.1        4         10         5         6        1    0    0 00:00:50  Established        0        1 FRRouting/10.4.1

Total number of neighbors 1

Step 7: Run command protocols bgp show ip summary at DUT1 and check if output matches the following regular expressions:

10.1.1.1.*Established[\s\S]+10.1.2.101.*Established
Show output
IPv4 Unicast Summary:
BGP router identifier 10.1.2.100, local AS number 10 VRF default vrf-id 0
BGP table version 2
RIB entries 1, using 128 bytes of memory
Peers 2, using 47 KiB of memory

Neighbor        LocalAddr       V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down        State   PfxRcd   PfxSnt Desc
10.1.1.1        10.1.1.2        4         10         5         5        2    0    0 00:00:50  Established        1        1 FRRouting/10.4.1
10.1.2.101      10.1.2.100      4         10         4         6        2    0    0 00:00:49  Established        0        1 FRRouting/10.4.1

Total number of neighbors 2

Attention

Verify DUT1 prefers OSPF route over BGP backdoor route (OSPF AD 110 < backdoor AD 20 would not install BGP)

Step 8: Run command protocols ip show route at DUT1 and check if output matches the following regular expressions:

O>[*]\s+192.168.10.0/24
Show output
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF default:
O   10.1.1.0/24 [110/10] is directly connected, eth0, weight 1, 00:00:51
C>* 10.1.1.0/24 is directly connected, eth0, weight 1, 00:00:51
K * 10.1.1.0/24 [0/0] is directly connected, eth0, weight 1, 00:00:51
L>* 10.1.1.2/32 is directly connected, eth0, weight 1, 00:00:51
C>* 10.1.2.0/24 is directly connected, eth1, weight 1, 00:00:51
L>* 10.1.2.100/32 is directly connected, eth1, weight 1, 00:00:51
O>* 192.168.10.0/24 [110/20] via 10.1.1.1, eth0, weight 1, 00:00:05

Attention

Verify DUT2 learns 192.168.10.0/24 via iBGP from DUT1

Step 9: Run command protocols bgp show ip at DUT2 and check if output matches the following regular expressions:

[*]>i\s+192.168.10.0/24
Show output
BGP table version is 1, local router ID is 10.1.2.101, vrf id 0
Default local pref 100, local AS 10
local address -
Status codes:  s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 192.168.10.0/24  10.1.2.100              20    100      0 ?

Displayed 1 routes and 1 total paths

Attention

Verify route is installed in DUT2 routing table

Step 10: Run command protocols ip show route at DUT2 and check if output matches the following regular expressions:

B>[*]\s+192.168.10.0/24
Show output
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF default:
C>* 10.1.2.0/24 is directly connected, eth1, weight 1, 00:00:50
K * 10.1.2.0/24 [0/0] is directly connected, eth1, weight 1, 00:00:50
L>* 10.1.2.101/32 is directly connected, eth1, weight 1, 00:00:50
B>* 192.168.10.0/24 [200/20] via 10.1.2.100, eth1, weight 1, 00:00:05

Test BGP Network Backdoor eBGP

Description

Test BGP network backdoor with eBGP using 3 routers. DUT0 (AS 10) announces 192.168.10.0/24 via OSPF and BGP. DUT1 (AS 10) has OSPF and BGP with backdoor. DUT2 (AS 20) learns the route via eBGP from DUT1.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.1.1.1/24
set protocols bgp 10 neighbor DUT1 nexthop-self
set protocols bgp 10 neighbor DUT1 remote-address 10.1.1.2
set protocols bgp 10 neighbor DUT1 remote-as 10
set protocols bgp 10 network 192.168.10.0/24
set protocols ospf area 0 network 10.1.1.0/24
set protocols ospf redistribute static
set protocols static route 192.168.10.0/24 blackhole
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.1.1.2/24
set interfaces ethernet eth1 address 10.1.2.100/24
set protocols bgp 10 neighbor DUT0 remote-address 10.1.1.1
set protocols bgp 10 neighbor DUT0 remote-as 10
set protocols bgp 10 neighbor DUT2 remote-address 10.1.2.101
set protocols bgp 10 neighbor DUT2 remote-as 20
set protocols bgp 10 neighbor DUT2 route-map export PERMIT
set protocols bgp 10 network 192.168.10.0/24 backdoor
set protocols ospf area 0 network 10.1.1.0/24
set protocols route-map PERMIT rule 1 action permit
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2:

set interfaces ethernet eth1 address 10.1.2.101/24
set protocols bgp 20 neighbor DUT1 remote-address 10.1.2.100
set protocols bgp 20 neighbor DUT1 remote-as 10
set protocols bgp 20 neighbor DUT1 route-map import PERMIT
set protocols route-map PERMIT rule 1 action permit
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Attention

Verify OSPF neighbor is established between DUT0 and DUT1

Step 4: Run command protocols ospf show neighbor at DUT1 and check if output matches the following regular expressions:

10.1.1.1
Show output
Neighbor ID     Pri State           Up Time         Dead Time Address         Interface                        RXmtL RqstL DBsmL
10.1.1.1          1 2-Way/DROther   2.066s            37.933s 10.1.1.1        eth0:10.1.1.2                        0     0     0

Attention

Verify DUT1 learns 192.168.10.0/24 via OSPF from DUT0

Step 5: Run command protocols ip show route at DUT1 and check if output matches the following regular expressions:

O>[*]\s+192.168.10.0/24
Show output
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF default:
O   10.1.1.0/24 [110/10] is directly connected, eth0, weight 1, 00:00:51
C>* 10.1.1.0/24 is directly connected, eth0, weight 1, 00:00:51
K * 10.1.1.0/24 [0/0] is directly connected, eth0, weight 1, 00:00:51
L>* 10.1.1.2/32 is directly connected, eth0, weight 1, 00:00:51
C>* 10.1.2.0/24 is directly connected, eth1, weight 1, 00:00:51
K * 10.1.2.0/24 [0/0] is directly connected, eth1, weight 1, 00:00:51
L>* 10.1.2.100/32 is directly connected, eth1, weight 1, 00:00:51
O>* 192.168.10.0/24 [110/20] via 10.1.1.1, eth0, weight 1, 00:00:05
B   192.168.10.0/24 [200/0] via 10.1.1.1, eth0, weight 1, 00:00:49

Attention

Verify BGP sessions are established

Step 6: Run command protocols bgp show ip summary at DUT0 and check if output matches the following regular expressions:

10.1.1.2.*Established
Show output
IPv4 Unicast Summary:
BGP router identifier 10.1.1.1, local AS number 10 VRF default vrf-id 0
BGP table version 1
RIB entries 1, using 128 bytes of memory
Peers 1, using 24 KiB of memory

Neighbor        LocalAddr       V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down        State   PfxRcd   PfxSnt Desc
10.1.1.2        10.1.1.1        4         10         5         8        1    0    0 00:00:51  Established        0        1 FRRouting/10.4.1

Total number of neighbors 1

Step 7: Run command protocols bgp show ip summary at DUT1 and check if output matches the following regular expressions:

10.1.1.1.*Established[\s\S]+10.1.2.101.*Established
Show output
IPv4 Unicast Summary:
BGP router identifier 10.1.2.100, local AS number 10 VRF default vrf-id 0
BGP table version 1
RIB entries 1, using 128 bytes of memory
Peers 2, using 47 KiB of memory

Neighbor        LocalAddr       V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down        State   PfxRcd   PfxSnt Desc
10.1.1.1        10.1.1.2        4         10         5         4        1    0    0 00:00:51  Established        1        0 FRRouting/10.4.1
10.1.2.101      10.1.2.100      4         20         6        11        1    0    0 00:00:50  Established (Policy)        1 N/A

Total number of neighbors 2

Attention

Verify DUT1 prefers OSPF route over BGP backdoor route

Step 8: Run command protocols ip show route at DUT1 and check if output matches the following regular expressions:

O>[*]\s+192.168.10.0/24
Show output
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF default:
O   10.1.1.0/24 [110/10] is directly connected, eth0, weight 1, 00:00:52
C>* 10.1.1.0/24 is directly connected, eth0, weight 1, 00:00:52
K * 10.1.1.0/24 [0/0] is directly connected, eth0, weight 1, 00:00:52
L>* 10.1.1.2/32 is directly connected, eth0, weight 1, 00:00:52
C>* 10.1.2.0/24 is directly connected, eth1, weight 1, 00:00:52
K * 10.1.2.0/24 [0/0] is directly connected, eth1, weight 1, 00:00:52
L>* 10.1.2.100/32 is directly connected, eth1, weight 1, 00:00:52
O>* 192.168.10.0/24 [110/20] via 10.1.1.1, eth0, weight 1, 00:00:06
B   192.168.10.0/24 [200/0] via 10.1.1.1, eth0, weight 1, 00:00:50
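
The Step 8 check as an added Python example (not part of the original test suite): it parses the route table rather than regex-matching a single line, compares the prefix exactly, and also confirms that any BGP candidate for the prefix carries an administrative distance above OSPF's 110. The function names and the igp/igp_ad parameters are assumptions of this example, and the second sample is constructed.

```python
import re
from ipaddress import ip_network

# FRR-style route line: protocol code, '>' selected flag, '*' FIB flag,
# prefix, then an optional [administrative distance/metric] pair.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z])(?P<sel>[> ])(?P<fib>[*qrb ])\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
    r"(?:\s+\[(?P<ad>\d+)/\d+\])?")

def parse_routes(show_output):
    """Turn 'show route' text into dicts; legend and header lines are skipped."""
    routes = []
    for line in show_output.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append({
                "proto": m["code"], "selected": m["sel"] == ">",
                "in_fib": m["fib"] == "*",
                "prefix": ip_network(m["prefix"]),
                "ad": int(m["ad"]) if m["ad"] else None})
    return routes

def check_backdoor(show_output, prefix, igp="O", igp_ad=110):
    """Return a list of problems; an empty list means the IGP path wins."""
    target = ip_network(prefix)
    cands = [r for r in parse_routes(show_output) if r["prefix"] == target]
    best = [r for r in cands if r["selected"]]
    problems = []
    if len(best) != 1:
        problems.append(f"expected one selected route, found {len(best)}")
    elif best[0]["proto"] != igp or not best[0]["in_fib"]:
        problems.append(f"selected route is {best[0]['proto']}, not {igp} in FIB")
    for r in cands:
        if r["proto"] == "B" and r["ad"] is not None and r["ad"] <= igp_ad:
            problems.append(f"BGP candidate has AD {r['ad']}, not above {igp_ad}")
    return problems

# DUT1 lines copied from the eBGP scenario output on this page.
DUT1_PAGE = """\
C>* 10.1.2.0/24 is directly connected, eth1, weight 1, 00:00:52
O>* 192.168.10.0/24 [110/20] via 10.1.1.1, eth0, weight 1, 00:00:06
B   192.168.10.0/24 [200/0] via 10.1.1.1, eth0, weight 1, 00:00:50
"""
# Constructed failure case: BGP wins at AD 20 and OSPF is left unselected.
DUT1_BAD = """\
O   192.168.10.0/24 [110/20] via 10.1.1.1, eth0, weight 1, 00:00:06
B>* 192.168.10.0/24 [20/0] via 10.1.1.1, eth0, weight 1, 00:00:50
"""

if __name__ == "__main__":
    print(check_backdoor(DUT1_PAGE, "192.168.10.0/24"))
    print(check_backdoor(DUT1_BAD, "192.168.10.0/24"))
```

An empty list for the page's DUT1 output means the OSPF path is selected and installed while the BGP path stays as an unselected candidate at AD 200.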

Attention

Verify DUT2 learns 192.168.10.0/24 via eBGP from DUT1

Step 9: Run command protocols bgp show ip at DUT2 and check if output matches the following regular expressions:

[*]>\s+192.168.10.0/24
Show output
BGP table version is 1, local router ID is 10.1.2.101, vrf id 0
Default local pref 100, local AS 20
local address -
Status codes:  s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  192.168.10.0/24  10.1.2.100                             0 10 i

Displayed 1 routes and 1 total paths

Attention

Verify route is installed in DUT2 routing table

Step 10: Run command protocols ip show route at DUT2 and check if output matches the following regular expressions:

B>[*]\s+192.168.10.0/24
Show output
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

IPv4 unicast VRF default:
C>* 10.1.2.0/24 is directly connected, eth1, weight 1, 00:00:50
K * 10.1.2.0/24 [0/0] is directly connected, eth1, weight 1, 00:00:50
L>* 10.1.2.101/32 is directly connected, eth1, weight 1, 00:00:50
B>* 192.168.10.0/24 [20/0] via 10.1.2.100, eth1, weight 1, 00:00:49