In one of the Discords that I’m in there was a user with a complex network consisting of a mix of DMVPN, BGP over MPLS VPN circuits, and SD-WAN. For some prefixes, the path via the private MPLS is preferred, for others, the SD-WAN path. Now, if a prefix is available in two different protocols, BGP vs Overlay Management Protocol (OMP), there is nothing we can do in BGP or OMP to modify which one gets installed into the Routing Information Base (RIB). This is no different than if EIGRP and OSPF were competing to install a prefix into the RIB, the protocol with the lower Administrative Distance (AD) would have its route installed.

The default AD values used on a Cisco device for these protocols are:

  • eBGP – 20
  • iBGP – 200
  • OMP – 251

Based on the AD, OMP will always lose out. It is of course possible to change the AD of BGP, but that would have an effect of all prefixes and we lose the ability to have some prefixes preferred via BGP and others via OMP. I had never changed the AD of a specific BGP prefix before, so I turned to Twitter to see what my options were and got some good responses back. It turns out that there is a way of modifying AD of prefixes from a neighbor and that it’s not very well documented. To test this, I created a simple lab with three routers, R1, R2, and R3, that are Catalyst8000v devices running IOS-XE 17.6.3. To save time, I have not setup SD-WAN in the lab but I will use a static route with AD of 251 to simulate OMP. R1 will point this static route towards R3. R1 will also run BGP towards R2. R3 will advertise two routes via BGP:


R1 is receiving the routes via BGP:

R1#sh bgp ipv4 uni
BGP table version is 3, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
              t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>                0             0 64512 i
 *>                0             0 64512 i

These routes are installed in the RIB:

R1#show ip route
Routing entry for
  Known via "bgp 65000", distance 20, metric 0
  Tag 64512, type external
  Last update from 00:03:14 ago
  Routing Descriptor Blocks:
  *, from, 00:03:14 ago
      opaque_ptr 0x7FC3B83EC038 
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 64512
      MPLS label: none
R1#show ip route 
Routing entry for
  Known via "bgp 65000", distance 20, metric 0
  Tag 64512, type external
  Last update from 00:02:54 ago
  Routing Descriptor Blocks:
  *, from, 00:02:54 ago
      opaque_ptr 0x7FC3B83EC038 
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 64512
      MPLS label: none

Notice that the distance is set to 20 which is the AD of eBGP. We can traceroute to confirm that traffic is going through R2 and then to R3:

Type escape sequence to abort.
Tracing the route to
VRF info: (vrf in name/id, vrf out name/id)
  1 1 msec 1 msec 0 msec
  2 2 msec *  1 msec

Now, let’s see if we can modify just one of these routes to go directly via R3 instead of via R2. The first step is to create an access-list:

R1(config)#ip access-list standard MODIFY_AD_R2_198-NET

This ACL will match any prefix within, regardless of mask. Now here comes the tricky part, to modify AD we do it under the IPv4 address family in BGP:

R1(config)#router bgp 65000
R1(config-router)#address-family ipv4
R1(config-router-af)#distance ?
  <1-255>  Administrative distance
  bgp      BGP distance

The trick here is to NOT use the distance bgp command but rather the distance command. Let’s have a look:

R1(config)#router bgp 65000
R1(config-router)#address-family ipv4
R1(config-router-af)#distance ?
  <1-255>  Administrative distance
  bgp      BGP distance

R1(config-router-af)#distance 252 ?
  A.B.C.D  IP Source address

R1(config-router-af)#distance 252 ?
  A.B.C.D  Wildcard bits

R1(config-router-af)#distance 252 ?
  <1-99>       IP Standard access list number
  <1300-1999>  IP Standard expanded access list number
  WORD         Standard access-list name
  <cr>         <cr>

R1(config-router-af)#distance 252 MODIFY_AD_R2_198-NET

The syntax here is as follows:

  • AD to set on prefixes matching
  • Neighbor IP of BGP peer(s)
  • Wild card to match one or more peers
  • Access-list for the prefixes to be modified

Did this have any effect? Let’s take a look:

R1#show ip route   
Routing entry for
  Known via "bgp 65000", distance 20, metric 0
  Tag 64512, type external
  Last update from 00:00:09 ago
  Routing Descriptor Blocks:
  *, from, 00:00:09 ago
      opaque_ptr 0x7FC3B83EC038 
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 64512
      MPLS label: none

Now this doesn’t look very promising, does it? What’s the problem here? It seems that this mechanism perhaps is only triggered when peer comes up so clearing the BGP session may be needed to trigger it:

R1#clear bgp ipv4 uni

Let’s check the routing table again:

R1#show ip route  
Routing entry for
  Known via "static", distance 251, metric 0
  Routing Descriptor Blocks:
      Route metric is 0, traffic share count is 1
R1#show ip route 
Routing entry for
  Known via "bgp 65000", distance 20, metric 0
  Tag 64512, type external
  Last update from 00:00:37 ago
  Routing Descriptor Blocks:
  *, from, 00:00:37 ago
      opaque_ptr 0x7FC3B83EC038 
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 64512
      MPLS label: none

Now this looks better! Finally, let’s confirm with traceroute:

Type escape sequence to abort.
Tracing the route to
VRF info: (vrf in name/id, vrf out name/id)
  1 2 msec *  1 msec
Type escape sequence to abort.
Tracing the route to
VRF info: (vrf in name/id, vrf out name/id)
  1 1 msec 1 msec 1 msec
  2 2 msec *  1 msec

Traffic to the first prefix is direct and for the other it goes via R2 first. This feature does not seem to be well known and poorly documented so I hope this post can help those that have run into a scenario where they need to modify AD of specific prefixes. Thanks to all the people at Twitter that responded to my query.

Modifying Administrative Distance of Specific BGP Route
Tagged on:         

7 thoughts on “Modifying Administrative Distance of Specific BGP Route

  • July 5, 2022 at 11:36 am

    Great hint, i hope i get a chance to use it in real life 🙂

    • October 19, 2022 at 1:09 pm

      Don’t hope that. Thats a nerd knob for specific issues, like this one. Usually only temporary for a project or redesign. And be sure to delete this stuff after everything is finished. Its not fun fo find stuff like that in production networks after serveral years.

  • July 18, 2022 at 12:27 am

    Thanks for sharing!

  • March 4, 2023 at 2:11 am

    Shame it only supports standard ACLs and not extended, or better still prefix-lists. Not possible to match an exact prefix/mask….

  • August 13, 2024 at 7:02 am

    You just saved my skin!! Thank you for posting this tutorial! I needed EXACTLY this in my company’s production network. If I were to explain to you how I needed it / used it, I would have to draw out a whole big network diagram on a whiteboard. But trust me, this really helped me out! Thank you, from the bottom of my heart! Keep these sort of tutorials coming! I already bookmarked this site, and I will be sure to check it out periodically from now on.

    • August 14, 2024 at 7:45 am

      Thank you for leaving a comment, Ben! It’s always great to hear that people find the content useful. I hope to see you around 🙂

  • February 1, 2025 at 6:17 pm

    Nice find thanks. I tried soft clear but this didn’t do anything. Was going mad and thought it may be a bug in the virtual IOS! I noticed the same ‘quirk’ is there when using the distance bgp command.


Leave a Reply to Travis Stroebele Cancel reply

Your email address will not be published. Required fields are marked *