Hour 413: BGP Administrative Distance manipulation

In some design situations, you might need to set up a BGP interconnection that will act as a backup link to an IGP. The problem with this situation is that by default, eBGP has an AD of 20 and will take precedence over any IGP (OSPF = 110, EIGRP = 90, IS-IS = 115, RIP = 120). Today, I will be talking about the different options to implement this sort of design and the different problems you can encounter with each of them.

Option 1: Change BGP Administrative Distance per neighbor

This is probably the easiest and most scalable way of changing the AD of BGP routes. It is done under the address-family (unicast, multicast or vrf) with the distance <AD> <neighbor> <wildcard> <optional ACL> command. The reason this is a scalable solution is that you can specify the neighbor whose routes you want the AD changed for, as well as an ACL that matches prefixes from that neighbor. One problem with this method is that these prefixes will have their AD changed, but BGP will still re-advertise them to any eBGP neighbors that don’t have any inbound filtering. This can lead to asymmetrical routing for these routes because the AD will only be changed locally. To explain this situation, let’s take this topology as an example:


If SW1 sends traffic to SW2, by default the traffic will go through SW1-R1-R3-R2-SW2 then come back SW2-R2-R3-R1-SW1. If we change the AD on R1, the traffic will go through SW1-R1-R2-SW2 and come back SW2-R2-R3-R1-SW1. Again, the reason for this is that the AD is changed for the prefix locally only, which results in asymmetrical routing. We can fix this by changing the AD of R2 or by having strict inbound filtering of prefixes on R1 (do not accept from neighbor R2).
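The asymmetry described above can be reproduced with a small route-selection model. This is an added example, not from the original post; because the diagram is not on the page, it assumes R1 and R2 share a direct OSPF link and each peers over eBGP with R3, and it uses 200 as the raised distance.

```python
# Constructed model: link roles are inferred from the paths quoted in the post.
DEFAULT_AD = {"ebgp": 20, "ospf": 110}

# Which router each switch hangs off.
ATTACHED = {"SW1": "R1", "SW2": "R2"}

# Candidate next hops per router and destination, keyed by the source protocol.
CANDIDATES = {
    "R1": {"SW2": {"ebgp": "R3", "ospf": "R2"}},
    "R2": {"SW1": {"ebgp": "R3", "ospf": "R1"}},
    "R3": {"SW1": {"ebgp": "R1"}, "SW2": {"ebgp": "R2"}},
}


def best_next_hop(router, dest, ad_override):
    """Lowest AD wins. An override applies only on the router it is set on."""
    if ATTACHED[dest] == router:
        return dest
    ad = {**DEFAULT_AD, **ad_override.get(router, {})}
    routes = CANDIDATES[router][dest]
    winner = min(routes, key=lambda proto: ad[proto])
    return routes[winner]


def path(src, dest, ad_override=None):
    """Hop-by-hop path from one switch to the other, as 'A-B-C'."""
    ad_override = ad_override or {}
    hops = [src, ATTACHED[src]]
    while hops[-1] != dest:
        if len(hops) > 8:
            raise RuntimeError("routing loop")
        hops.append(best_next_hop(hops[-1], dest, ad_override))
    return "-".join(hops)


def is_symmetric(ad_override=None):
    """True when the return path is the forward path reversed."""
    forward = path("SW1", "SW2", ad_override).split("-")
    back = path("SW2", "SW1", ad_override).split("-")
    return forward == back[::-1]


if __name__ == "__main__":
    cases = [{}, {"R1": {"ebgp": 200}}, {"R1": {"ebgp": 200}, "R2": {"ebgp": 200}}]
    for override in cases:
        print(override, path("SW1", "SW2", override),
              path("SW2", "SW1", override), is_symmetric(override))
```

Asymmetric paths matter beyond reachability: stateful firewalls and strict unicast RPF checks on the return path can drop traffic that left by a different route.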

Option 2: Change BGP Administrative Distance per address-family

The second option available is, of course, changing the AD of BGP per address-family. This means that you will change the AD of all routes in the unicast, multicast or vrf address-family. This is done under the address-family section of the BGP process with the distance bgp <ebgp> <ibgp> <local routes> command. The problem with this is that it is not scalable, as all future BGP routes in that address-family will have their AD changed. Why would you ever use this then? Well, if you just don’t care about future BGP connections, this could be an option. Another reason is that on some platforms, like 3000 NX-OS switches that have limited BGP capabilities, Option 1 is not available as a command and this is the only solution.

Option 3: BGP backdoor

BGP backdoor is a command introduced to avoid the problem encountered in Option 1. Under the BGP process address-family, you use the network <network> mask <network mask> backdoor command. Any eBGP prefixes in that address-family that match the network command will have their AD changed from 20 to 200, and the command will not cause BGP to generate an advertisement for that network. This last statement is the important part, as not advertising that network avoids the problem we had in Option 1. The problem with this option is that if you have 200 unique prefixes to change, you will have to enter 200 network <network> mask <network mask> backdoor commands in the BGP process.

Option 4: Change IGP Administrative Distance

Another method for a BGP backup link design would be to lower the IGP AD. For all IGPs in IOS (OSPF, EIGRP, RIP and IS-IS), the command is the same. Under the IGP process, you use the distance <AD> <IP source address> <wildcard mask> <optional ACL> command. This is a very similar method to Option 1 and has the same problems. To avoid asymmetry, you will need to change the AD on neighboring routers or have inbound filtering for the IGP.

Option 5: Change AD through PBR

This option is not available on all platforms (only NX-OS 7000 switches as far as I know), but I have to mention it as it might be available in future releases. It is called policy-based administrative distance. Using this method, you can change the distance of a prefix by creating a route-map. The command goes something like this:

route-map CHANGE-AD permit 10
 match ip address prefix-list <prefix list name>
 set distance <eBGP AD> <iBGP AD> <local AD>
router bgp
 address-family ipv4 unicast
  table-map CHANGE-AD

Again, this option is not offered on IOS or on every NX-OS platform, so you are most likely to use the other methods.

Hope this was informative.
