BGP AS Path Policy Checker

Observed BGP routes:

Use CSV rows such as 203.0.113.0/24, 64512 65500 64496, rs1 or paste BGP table lines; next-hop, MED, local-pref, and weight columns are skipped.

CSV, pipe, and common BGP table lines are parsed locally.

Allowed ASNs:

Leave blank to skip whole-path allowlist checks.

Expected origin ASNs:

Use this to catch origin drift, hijack suspicion, or a route leak from an unexpected origin.

Blocked or special ASNs:

Keep private and documentation ranges here for public-internet policy checks; remove them for a lab-only review.

Maximum path length:

Set the longest acceptable AS path for this neighbor, customer, or route-server view.

ASNs

AS-path policy rules:

First matching rule wins. Use examples like permit ^64512_65500_64496$ or deny _23456_.

When no regex rule matches:

Choose deny for strict ordered policy reviews, or permit when regex rules are only exceptions.

Review policy inputs

{{ message }}

Expected first-hop ASNs:

Leave blank unless the route sample should come from known neighbor ASNs.

Prepend alert threshold:

This does not reject routes; it only marks unusual prepending for review.

repeats

Prefix	Source	AS path	Length	Verdict	Regex result	Operator action	Copy
{{ row.prefix }}	{{ row.source }}	{{ row.asPath }}	{{ row.length }}	{{ row.verdict }}	{{ row.regexResult }}	{{ row.action }}

Prefix	Severity	Policy check	Evidence	Next action	Copy
{{ row.prefix }}	{{ row.severity }}	{{ row.check }}	{{ row.evidence }}	{{ row.action }}

Seq	Action	Regex	Hits	State	Readout	Copy
{{ row.sequence }}	{{ row.action }}	{{ row.pattern }}	{{ row.hits }}	{{ row.state }}	{{ row.readout }}

Export to PDF Fullscreen

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

Border Gateway Protocol (BGP) AS path policy checks whether the autonomous systems in an observed route match the path shape an operator expects. The AS path is the visible chain of networks attached to a BGP route, so it is one of the first places engineers look when a prefix appears through the wrong transit, carries a private ASN, shows an unexpected origin, or needs a route-policy review before acceptance.

Most operational AS path displays read from the collector or neighbor view toward the origin. The leftmost AS is the first external AS seen from that view, and the rightmost AS is treated as the origin AS for the prefix. That direction matters because a route can have the expected origin while still arriving through an unexpected first hop, blocked transit ASN, or path length that is too long for the neighbor role.

Diagram showing a BGP AS path from collector to origin with policy checks for first hop, transit ASNs, origin, and path length.

AS path policy is often used during peering changes, route-server reviews, incident triage, and customer turnups. A clean path can support a planned acceptance decision, while a rejected path points to the exact ASN, length, origin, or regex condition that needs investigation.

A pass does not prove that a route is legitimate across every routing view. AS path checks do not replace prefix ownership checks, Route Origin Authorization (ROA) validation, Internet Routing Registry (IRR) review, or live router policy testing. They narrow the review to the path evidence present in the pasted route sample.

Technical Details:

AS_PATH is a mandatory BGP path attribute. In ordinary route output, it is read as a sequence of ASNs, with prepending shown as repeated adjacent ASNs. BGP itself can carry more detailed segment structure, but operational policy checks usually work with the normalized path string shown by a router, route server, looking glass, or collector.

The checker treats each route row as one observed prefix and one AS path. It accepts comma-separated rows such as 203.0.113.0/24, 6939 3356 15169, rs1, pipe-separated rows such as 2001:db8:40::/48 | 6939 23456 15169 | rs-v6, and common route-table lines that include a prefix, next hop, local preference, weight, ASNs, and an origin code. Decimal ASNs, AS-prefixed tokens, asdot notation, individual ASN values, and ASN ranges are parsed up to 4294967295.

Rule Core:

Each route is evaluated with ordered checks. Reject findings always win over watch findings. A route becomes Watch only when it has no reject finding and crosses the prepend watch threshold.

BGP AS path policy rule pipeline
Check	Condition	Result effect
AS path parse	No ASN can be extracted from the route row.	`Reject` with a paste-format recovery cue.
Path length ceiling	Parsed AS count is greater than `Maximum path length`.	`Reject`; equal to the limit still passes this check.
Allowed ASN list	An allowlist is configured and any ASN in the path is outside it.	`Reject` with the unexpected ASN listed.
Blocked or special ASN	Any ASN in the path matches the blocked list.	`Reject` with the matched ASN and special-range label when known.
Origin ASN	Expected origin is configured and the rightmost ASN is outside it.	`Reject` for origin drift, route leak, or hijack suspicion review.
First-hop ASN	Expected first hop is configured and the leftmost ASN is outside it.	`Reject` for collector direction or neighbor-filter review.
AS-path regex policy	The first matching ordered rule is `deny`, or no rule matches and the default action is `deny`.	`Reject`; `permit` rules and a permit default do not clear other reject findings.
AS path prepending	The largest consecutive ASN run is greater than `Prepend alert threshold`.	`Watch` only; threshold `0` disables the watch check.

The default blocked list matches common values that should not appear in ordinary public route acceptance checks. Remove private or documentation ranges only for lab reviews, controlled private interconnects, or cases where those ASNs are intentionally present in the sample.

Default blocked and special ASN ranges
ASN or range	Meaning	Policy reason
`0`	AS0	Reserved and not valid in AS path propagation.
`23456`	AS_TRANS	Placeholder used during four-octet ASN transition handling.
`64496-64511`, `65536-65551`	Documentation ASNs	Reserved for examples and documentation, not production routing.
`64512-65534`, `4200000000-4294967294`	Private-use ASNs	Not globally unique and usually filtered from public advertisements.
`65535`, `4294967295`	Reserved ASN values	Should be treated as special or invalid for ordinary public policy checks.

Regex rules use ordered permit and deny lines. The underscore token is interpreted as an AS boundary over the normalized path string, so _65001_ can match AS65001 anywhere in the path, and ^6939_3356_15169$ can match a complete three-AS path. This is useful for policy rehearsal, but final router syntax should still be checked on the target platform before a live configuration change.

Everyday Use & Decision Guide:

Start with route rows from the same viewpoint you plan to enforce. A route-server sample, a customer edge table, and a transit neighbor table can show different leftmost ASNs for the same prefix. Paste one route per line in Observed BGP routes, then use Normalize if the rows came from mixed CSV, pipe, and show-output formats.

For a strict first pass, fill Allowed ASNs, Expected origin ASNs, Blocked or special ASNs, and Maximum path length. Leave Allowed ASNs blank when the full transit chain is not known, because a partial allowlist will reject every unlisted transit ASN even when the origin is expected.

Use Expected origin ASNs to catch a prefix that ends in the wrong origin, such as a route leak or hijack suspicion.
Keep the default Blocked or special ASNs for public route samples unless the review is intentionally lab-only.
Use AS-path policy rules for ordered permit or deny expressions. The first matching rule wins, and When no regex rule matches decides only the regex outcome for unmatched paths.
Open Advanced when collector direction matters. Expected first-hop ASNs checks the leftmost ASN, while Prepend alert threshold marks repeated adjacent ASNs for review without rejecting the route by itself.
Compare Route Verdicts with Policy Findings. The verdict tells you whether to pass, watch, or reject; the finding row tells you which policy condition caused that result.

A rejected route does not automatically identify the party at fault. It means the pasted route sample disagrees with the policy you entered. Check the collector direction, route age, configured neighbor role, and intended exceptions before copying the operator action into a change record.

The checker evaluates the text in the page. It does not open a BGP session, query a router, perform ROA validation, or prove that a route is visible elsewhere on the Internet.

Step-by-Step Guide:

Use one clean sample, then tighten the policy controls until the verdicts match the route-acceptance rule you want to review.

Paste route rows into Observed BGP routes. The summary should move from Add AS paths to a route count and reject count after ASNs are parsed.
Press Normalize if the rows contain mixed delimiters or copied route-table columns. The field should settle into prefix, AS path, and optional source text for each parsed row.
Enter Allowed ASNs only when every AS in the expected path is known. Use commas, spaces, or ranges such as 64512-64520.
Set Expected origin ASNs, keep or edit Blocked or special ASNs, and choose Maximum path length. Watch Policy Findings for invalid range tokens or no-ASN parse failures.
Add ordered permit or deny lines in AS-path policy rules. If a regex is invalid, the warning area names the rule number so you can fix the pattern before trusting rule-hit counts.
Open Advanced when needed, then set Expected first-hop ASNs or Prepend alert threshold. A repeated ASN run greater than the threshold should show Watch unless another check already rejects the route.
Read Route Verdicts, Policy Findings, and Regex Rule Hits before using the charts. Path Length Bands and Policy Finding Mix are best for summarizing a batch after the row-level findings make sense.

A useful handoff includes the route prefix, parsed AS path, verdict, first reject or watch finding, and the rule or threshold that produced the result.

Interpreting Results:

The summary badge gives the batch status, but the row-level tables carry the useful evidence. policy clean means no reject or watch findings were detected for the current inputs. watch paths means prepending crossed the watch threshold without a reject finding. policy rejects means at least one route has a reject finding.

Route Verdicts is the quick triage table. Policy Findings is the audit table because it names the policy check, evidence, and operator action. Regex Rule Hits helps explain whether explicit permit and deny rules matched, remained unused, or fell through to the default action.

Pass means the route fits the current AS path policy inputs. It does not prove the prefix is authorized or reachable from other views.
Watch means the path is acceptable only after confirming that the repeated ASN sequence is intentional traffic engineering.
Reject means at least one configured policy condition failed. Fix the policy input only if the route is known to be acceptable under a documented exception.
Chart counts are summaries of the current parsed sample. If a route row parsed incorrectly, fix the row before using Path Length Bands or Policy Finding Mix.

Worked Examples:

Expected path through approved transit:

A route row such as 203.0.113.0/24, 6939 3356 15169, rs1 with Allowed ASNs set to 6939, 3356, 15169, Expected origin ASNs set to 15169, and Maximum path length set to 5 produces a Pass verdict when the permit regex also matches. The useful result is the parsed AS path and a clean Route Verdicts row, not just the green summary.

Private ASN leak in a public route sample:

A route row such as 198.51.100.0/24, 6939 65001 15169, rs1 is rejected with the default blocked list because AS65001 is private-use. If the allowlist is still 6939, 3356, 15169, the same route also fails the Allowed ASN list check. Policy Findings should show the blocked ASN evidence and the operator action before the route is accepted.

Intentional prepending that should slow review:

A path such as 6939 3356 3356 3356 15169 fits a max length of 5 and the expected origin 15169. Setting Prepend alert threshold to 2 marks the route Watch because the largest consecutive ASN run is 3. That is not a rejection by itself, but it should be confirmed as intentional traffic engineering before saving the policy evidence.

FAQ:

Which route formats can I paste?

Use one route per line. CSV rows, pipe-separated rows, and common BGP table lines are accepted as long as a prefix and one or more ASNs can be found.

Why does a row show an AS path parse rejection?

The row did not contain a usable ASN after comments, next-hop addresses, route-table numbers, and origin codes were ignored. Paste a plain row such as 203.0.113.0/24, 6939 3356 15169, rs1 and run the check again.

Does the rightmost ASN always mean the origin?

In this checker, yes. The rightmost parsed ASN is treated as the origin AS, and the leftmost parsed ASN is treated as the first hop from the collector view. Confirm the sample direction before using first-hop or origin findings.

How does the underscore in a regex rule behave?

The underscore is treated as an AS boundary in the normalized path string. For example, _23456_ can match AS_TRANS anywhere in the path, while ^6939_3356_15169$ matches that exact complete path.

Does a Pass verdict mean the route is safe to accept?

No. Pass means the route matched the AS path policy inputs shown on the page. Verify prefix authorization, neighbor policy, route age, and live device behavior before relying on the route in production.

Does the checker connect to routers?

No. It evaluates pasted route text in the page and does not open BGP sessions, query routers, or collect live route tables.

Glossary:

BGP: Border Gateway Protocol, the interdomain routing protocol that carries reachability between autonomous systems.
ASN: Autonomous System Number, the numeric identity of a routed network.
AS path: The sequence of ASNs attached to a BGP route, usually read from the collector view toward the origin.
Origin ASN: The rightmost ASN in the parsed path, treated here as the AS that originated the prefix.
First-hop ASN: The leftmost ASN in the parsed path, treated here as the first external AS seen from the route sample.
AS_TRANS: AS23456, a placeholder used when older BGP speakers interact with four-octet ASNs.
Private-use ASN: An ASN range reserved for private routing contexts and usually filtered from public advertisements.
AS path prepending: Repeating an ASN in the path, commonly used to make one BGP path look longer for traffic engineering.

References:

RFC 4271: A Border Gateway Protocol 4 (BGP-4), IETF, January 2006.
RFC 6793: BGP Support for Four-Octet AS Number Space, RFC Editor, December 2012.
RFC 6996: Autonomous System (AS) Reservation for Private Use, RFC Editor, July 2013.
RFC 5398: Autonomous System (AS) Number Reservation for Documentation Use, IETF, December 2008.
RFC 7607: Codification of AS 0 Processing, IETF, August 2015.
Use Regular Expressions in BGP, Cisco, January 12, 2024.