Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

What is the BGP Backdoor Feature?

The term “backdoor” is a very controversial term when it comes to privacy and security. However, when it comes to BGP, it is a well-known feature that is used to change the administrative distance of eBGP in order for an interior gateway routing protocol (IGP) to take precedence over an eBGP route.

By default, external BGP (eBGP) has an administrative distance value of 20. Administrative distance is the first criterion that a router uses to determine which routing protocol to use if two protocols provide route information for the same destination. Administrative distance is a measure of the best path and reliability of the source of the routing information. The smaller the administrative distance value, the more reliable the protocol/link.

Note: For more information about administrative distance in routing protocols refer to:

BGP selects a single path, by default, as the best path to a destination host or network. The best path selection algorithm analyzes path attributes to determine which route is installed as the best path in the BGP routing table. Each path carries well-known mandatory, discretionary, and optional transitive attributes that are used in BGP best path analysis.

The “Backdoor Feature” is often used to increase the administrative distance of eBGP to 200 with the goal of making the IGP learned routes to be preferred. A backdoor network is treated as a local network, except that it is not advertised. This is configured by using the network backdoor BGP command.

For example, in Figure 1 three separate networks are illustrated: a network in New York (AS 1010); another in Research Triangle Park (RTP), NC (AS 2020); and a third one in San Jose, CA (AS 3030).

Figure 1 – eBGP default admin distance

BGP backdoor Figure  1.jpg

With the default administrative distances of BGP and EIGRP, if a device in the New York network ( communicates with a device in RTP ( the packets will route via the network in San Jose. This is because eBGP has a lower administrative distance (20) than EIGRP (90). To avoid this, the Cisco IOS Software network backdoor command can be used in New York’s R1 router (NY-R1) and vice-versa, as shown below.

NY-R1(config)#router bgp 1010

NY-R1(config-router)#network mask backdoor

In Cisco IOS XR Software, the network backdoor command is configured under the address family configuration mode, as shown in the following example:

RP/0/RP0/CPU0:NY-R1(config)# router bgp 109

RP/0/RP0/CPU0:NY-R1(config-bgp)# address-family ipv4 unicast

RP/0/RP0/CPU0:NY-R1(config-bgp-af)# network backdoor

After the network backdoor command is used in NY-R1, the administrative distance of eBGP is changed to 200 and the preferred path will be via the direct connection between NY-R1 and RTP-R1, as shown in Figure 2. The same steps can be followed in RTP, accordingly.

Figure 2 – eBGP admin distance after network backdoor command is used

BGP backdoor Figure  1.jpg

The following are several additional references regarding BGP configuration and troubleshooting:

BGP Case Studies:

Cisco IOS Software BGP Configuration Guide

BGP Command Reference

BGP Frequently Asked Questions

Version history
Revision #:
1 of 1
Last update:
‎07-11-2013 03:19 PM
Updated by:
Labels (1)
New Member

It looks like you went through a lot of trouble to write this article, but I get bothered when I start seeing false facts spread around.  It's like everyone read the same Todd Lammle/Sybex book when trying to get a CCNA... "Administrative distance is the first criterion that a router uses to determine which routing protocol to use if two protocols provide route information for the same destination."  No, "longest match" is the first criteria.  I feel like I'm nit-picking except where this is an important distinction I see young network administrators miss time and time again.  This is basic stuff that can kill downtime metrics.  Errors like this also bring into question the integrity of the remainder of the article..

New Member

You're focusing on the wrong end of the statement. He did say "if the two protocols provide route information for the same destination". This article is about which path from which routing protocol makes it into the routing table, not which path the router chooses when forwarding a packet.

I  use "backdoor" on my main site and the Disaster recovery site,as they have EIGRP between them.

In your example NY is my Main site, RTP is DR. what happens if the link between NY and San Jose goes down, will then RTP advetise the routes in NY through BGP or does the "backdoor" stop it from advertising the backdoor routes at all times?

New Member

Figures 1 and 2 look identical; was Figure 2 supposed to illustrate a change?

You are missing the point. If you have the same exact prefix from multiple routing protocol such as BGP, OSPF, EIGRP then router will use the administrative distance of the protocol to select the route.

This is an excellent explanation of of the concept.

New Member

No the article is correct.  We're talking about installing routes into the routing table, you are talking about packet forwarding. This is about a control plane operation not a data plane operation. The prefix length isn't considered when installing routes. If it receives and it installs both routes (because /16 offers a path to more potential destinations than /24). In this case we're saying "what does the router do when it receives two routes to the same destination?" The destination field in a route entry is a network prefix. Thus "same destination" in this context means "same prefix".

New Member

Obviously the same destination means longest match can not be used. Also note the use of "if" in his sentence, which indicates a caveat/condition is coming next.

"Administrative distance is the first criterion that a router uses to determine which routing protocol to use if two protocols provide route information for the same destination."

This is both technically and grammatically correct.

New Member

Hi Richard,

I am seeing this post after 2 years and hope your query is already been resolved but if not then backdoor is a network command within the BGP, so if your BGP process is running then it should work and if your BGP process is not working then you only have EIGRP in place, so you need not to worry.

If someone is very strict on not using Backdoor, even though we have a different way, we can filter that prefix over BGP and use EIGRP, and for redundancy purpose we can use EEM to remove the filter in case of EIGRP failure.


Mithun Adhikary

New Member

Nice Article Omar, you deserve a thumbs up and 5 star. :)


Mithun Adhikary

New Member

Well explained Mr.Santos!! Thank you so much!!

New Member

But what if IBGP was there instead of EIGRP, will this feature work, provided both of these protocol now have AD value of 200 ?

Please comment!!


Ankit Prasad