BGP AS Path Policy Checker

Observed BGP routes:

Use CSV rows such as 203.0.113.0/24, 64512 65500 64496, rs1 or paste BGP table lines; next-hop, MED, local-pref, and weight columns are skipped.

CSV, pipe, and common BGP table lines are parsed locally.

Allowed ASNs:

Leave blank to skip whole-path allowlist checks.

Expected origin ASNs:

Use this to catch origin drift, hijack suspicion, or a route leak from an unexpected origin.

Blocked or special ASNs:

Keep private and documentation ranges here for public-internet policy checks; remove them for a lab-only review.

Maximum path length:

Set the longest acceptable AS path for this neighbor, customer, or route-server view.

ASNs

AS-path policy rules:

First matching rule wins. Use examples like permit ^64512_65500_64496$ or deny _23456_.

When no regex rule matches:

Choose deny for strict ordered policy reviews, or permit when regex rules are only exceptions.

Review policy inputs

{{ message }}

Expected first-hop ASNs:

Leave blank unless the route sample should come from known neighbor ASNs.

Prepend alert threshold:

This does not reject routes; it only marks unusual prepending for review.

repeats

Prefix	Source	AS path	Length	Verdict	Regex result	Operator action	Copy
{{ row.prefix }}	{{ row.source }}	{{ row.asPath }}	{{ row.length }}	{{ row.verdict }}	{{ row.regexResult }}	{{ row.action }}

Prefix	Severity	Policy check	Evidence	Next action	Copy
{{ row.prefix }}	{{ row.severity }}	{{ row.check }}	{{ row.evidence }}	{{ row.action }}

Seq	Action	Regex	Hits	State	Readout	Copy
{{ row.sequence }}	{{ row.action }}	{{ row.pattern }}	{{ row.hits }}	{{ row.state }}	{{ row.readout }}

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

When a prefix appears in a Border Gateway Protocol table, the AS path is one of the first clues an operator checks before trusting the route. It shows the autonomous systems attached to that route from the observing router's point of view, so a familiar prefix can still be suspicious if it arrives through the wrong neighbor, carries a private-use ASN, ends at an unexpected origin, or relies on a path that is much longer than normal for the peering session.

AS path policy is not the same as reachability. A route can be visible and still violate the policy a network wants to enforce for a customer, route server, upstream, or lab review. Operators commonly compare a pasted route sample against several expectations at once: which ASN should appear first from this viewpoint, which origin should appear at the far end, whether any special or blocked ASNs slipped into the path, and whether an ordered AS-path regex would permit or deny the route.

First-hop ASN: The leftmost parsed ASN in the sample, useful when the route came from a known collector or neighbor view.
Origin ASN: The rightmost parsed ASN, commonly read as the network that originated the prefix in that displayed path.
Special ASN: A reserved, documentation, private-use, or transition ASN that usually should not appear in public Internet policy evidence.

BGP AS path direction from collector view to origin with policy gates.

The same AS path can be acceptable for one review and unacceptable for another because the policy question changes. A customer-prefix audit may care most about the origin ASN and private-use leakage. A peering review may care about the first hop and AS-path regex behavior. A route-leak investigation may look for a surprising transit ASN, an AS_TRANS placeholder, or an unusually long path that appeared after a change.

AS path evidence should be treated as a policy clue, not a complete routing verdict. It does not prove prefix ownership, RPKI origin validity, IRR accuracy, traffic reachability, or whether a router will install the route after local preference and other attributes are considered. It is most useful when paired with the route view, the intended neighbor policy, and a follow-up check on the target platform.

How to Use This Tool:

Use route samples from the same vantage point you want to audit. A route server, customer edge, and upstream router can show different first-hop ASNs for the same prefix.

Paste one route per line in Observed BGP routes. CSV rows, pipe-separated rows, and common route-table output are accepted when a prefix and AS path can be extracted.
Click Normalize when copied rows include mixed delimiters or extra route-table columns. The input should become prefix, AS path, and optional source values before you rely on verdicts.
Fill Allowed ASNs only when the whole expected path is known. Leave it blank for broader route samples because one missing approved transit ASN will create a reject finding.
Set Expected origin ASNs, review Blocked or special ASNs, and choose Maximum path length. Fix any warning under Review policy inputs before treating the route count or charts as evidence.
Add ordered permit or deny lines in AS-path policy rules when regex policy is part of the review. The first matching rule decides the regex result; When no regex rule matches applies only after all valid rules miss.
Open Advanced when sample direction or prepending matters. Expected first-hop ASNs checks the leftmost ASN, and Prepend alert threshold marks repeated adjacent ASNs as watch findings without rejecting the route by itself.
Start with Route Verdicts and Policy Findings. Use Regex Rule Hits, Path Length Bands, and Policy Finding Mix only after the row-level evidence matches the pasted route sample.

Interpreting Results:

The summary shows the batch state, but the route rows explain why a route passed, needs review, or failed. policy clean means the current inputs produced no reject or watch findings. watch paths means at least one route crossed the prepend threshold without failing a reject check. policy rejects means one or more routes conflicted with the configured policy.

Pass means the parsed AS path satisfies the current origin, first-hop, blocked-ASN, allowlist, length, and regex inputs. It does not prove global route legitimacy.
Watch means no reject condition fired, but repeated adjacent ASNs exceeded Prepend alert threshold. Confirm the prepending is intentional traffic engineering before accepting the route as normal.
Reject means at least one policy check failed. Read the Policy Findings evidence and next action before changing a regex rule or adding an ASN exception.
A regex permit is not enough by itself. A route can match a permit line and still reject because it has a blocked ASN, wrong origin, wrong first hop, excessive path length, or allowlist failure.
Chart totals are only as good as the parsed rows. Fix parse warnings and unexpected path strings before using Path Length Bands or Policy Finding Mix in a change record.

Technical Details:

BGP carries AS path information as a path attribute, and ordinary route displays usually show a flattened sequence of ASNs. In that displayed sequence, repeated adjacent ASNs are commonly used for AS path prepending, and the route sample is interpreted from the observer toward the origin. Direction is important because the leftmost ASN says something about the observed neighbor path, while the rightmost ASN is the origin check used for this policy review.

ASN parsing accepts plain decimal numbers, AS-prefixed numbers, asdot notation, single values, and ranges from 0 through 4294967295. Pasted route-table rows can contain next hops, MED, local preference, weight, and origin-code tokens, so those common non-path fields are ignored when the AS path is extracted.

Formula Core:

Path length is the number of ASNs parsed from one route row. The reject percentage is a batch measure, calculated from the route rows that produced a Reject verdict.

L = count (parsed ASNs in one path)

reject percent = \frac{reject routes}{total parsed routes} \times 100

For the path 6939 3356 3356 3356 15169, L is 5. A Maximum path length of 5 still passes the length check because only paths greater than the limit reject. If the prepend threshold is 2, the same path becomes a watch case because the largest consecutive ASN run is 3.

Rule Core:

Reject checks are cumulative: a route can collect more than one finding, and the final verdict becomes Reject as soon as any reject finding exists. The prepend check is different because it creates Watch only when no reject condition has already made the route fail.

BGP AS path policy checks and boundary rules
Check	Condition	Boundary or exception
AS path parse	No ASN can be extracted from the route row.	Rejects the row and asks for AS path data.
Path length ceiling	Parsed path length is greater than `Maximum path length`.	Equal to the limit passes.
Allowed ASN list	An allowlist is present and any path ASN is outside it.	Blank allowlist disables this check.
Blocked or special ASN	Any ASN falls inside a blocked value or range.	The default list covers AS0, AS_TRANS, documentation, private-use, and reserved ranges.
Origin ASN	The rightmost ASN is outside `Expected origin ASNs`.	Blank expected origin disables this check.
First-hop ASN	The leftmost ASN is outside `Expected first-hop ASNs`.	Use only when the route sample direction is known.
AS-path regex	The first matching rule is `deny`, or no valid rule matches and the default action is `deny`.	Invalid regex rules are ignored and reported in warnings.
Prepend watch	Largest consecutive ASN run is greater than `Prepend alert threshold`.	Threshold `0` disables the watch check.

AS-path regex matching uses a Cisco-style underscore token for AS boundaries after the path is normalized into spaces. A pattern such as _65001_ can match AS65001 anywhere in the path, while ^6939_3356_15169$ matches that complete three-AS path. Device syntax and route-map behavior should still be tested on the target platform before a policy change is deployed.

Accuracy Notes:

This checker evaluates pasted route text and configured policy inputs. It does not query routers, validate ROAs, consult IRR data, or confirm that a route is installed or preferred in a live forwarding path.

Use route samples from the same collector or neighbor view when comparing runs.
Keep special ASNs in the blocked list for public-policy reviews, and remove them only for lab cases where those values are expected.
Confirm AS-path regex syntax on the router platform that will enforce the policy.

Worked Examples:

Customer prefix with the expected origin. A row such as 203.0.113.0/24, 6939 3356 15169, rs-a with Allowed ASNs set to 6939, 3356, 15169, Expected origin ASNs set to 15169, and Maximum path length set to 5 produces Pass when the regex policy permits the path. The Route Verdicts row is the compact record to keep with the review.

Private-use ASN in a public route sample. A route such as 198.51.100.0/24, 6939 65001 15169, rs-a rejects against the default blocked list because AS65001 is private-use. If Allowed ASNs also omits AS65001, Policy Findings can show both the blocked-ASN finding and the allowlist finding for the same prefix.

Long but otherwise familiar path. A path such as 6939 3356 3356 3356 15169 has length 5. With Maximum path length set to 4, Route Verdicts shows Reject; with the limit set to 5 and a prepend threshold of 2, the same row becomes Watch instead.

Paste without AS path data. A route-table line that contains a prefix and next hop but no ASNs lands in Reject with an AS path parse finding. Paste the row again with the AS path column, or use a CSV row with prefix, AS path, and source.

FAQ:

Which route formats can I paste?

Paste one route per line. CSV rows, pipe-separated rows, and common BGP table lines work when the row contains AS path values that can be parsed.

Why did a row reject with an AS path parse finding?

No ASN was found after common route-table noise was ignored. Use a plain row such as 203.0.113.0/24, 6939 3356 15169, rs-a and check Route Verdicts again.

Does the rightmost ASN always prove the origin?

No. The checker treats the rightmost parsed ASN as the origin for the pasted path, but RPKI, IRR, routing policy, and live device state must be checked separately when they matter.

Why did a permit regex path still reject?

Regex policy is only one check. A route can match a permit rule and still reject because of path length, blocked ASNs, wrong origin, wrong first hop, or allowlist failure.

Does this checker connect to routers?

No. It evaluates pasted route text in the page and does not open BGP sessions, query routers, collect live route tables, or change network policy.

Glossary:

BGP: Border Gateway Protocol, the interdomain routing protocol used to exchange reachability between autonomous systems.
ASN: Autonomous System Number, the numeric identifier assigned to an autonomous system.
AS path: The ASN sequence attached to a route, read here from the observing route sample toward the origin.
First-hop ASN: The leftmost parsed ASN, used here as the first external AS seen from the route sample.
Origin ASN: The rightmost parsed ASN, used here as the expected origin check for the prefix.
AS_TRANS: AS23456, a transition placeholder associated with four-octet ASN handling.
AS path prepending: Repeating an ASN in the AS path so the route appears longer for traffic-engineering purposes.

References:

RFC 4271: A Border Gateway Protocol 4 (BGP-4), IETF, January 2006.
RFC 6793: BGP Support for Four-Octet AS Number Space, IETF, December 2012.
RFC 6811: BGP Prefix Origin Validation, IETF, January 2013.
RFC 7908: Problem Definition and Classification of BGP Route Leaks, IETF, June 2016.
IANA Special-Purpose Autonomous System (AS) Numbers, IANA.
Regular Expressions for BGP AS Paths, Cisco.