AS-path prepending is the go-to tool for influencing inbound traffic in BGP. The concept is simple: artificially lengthen the AS-path on your outbound advertisements to make that path less attractive at step 4 of the best path algorithm. But prepending is a blunt instrument — it works globally (affects all upstream ASes, not just your direct neighbor), it's unpredictable in how much traffic it actually shifts, and excessive prepending has real security implications.
How Prepending Works
When you prepend your own ASN to the AS-path, the route appears to be more hops away. Remote ASes that compare AS-path length (step 4 of best path) will prefer the shorter path through your other connection.
! Without prepending: AS-path seen by ISP-B's upstreams = "65020 65001"
! With 3x prepend: AS-path seen by ISP-B's upstreams = "65020 65001 65001 65001 65001"
route-map PREPEND-TO-ISP-B permit 10
set as-path prepend 65001 65001 65001
!
router bgp 65001
neighbor 172.16.0.6 route-map PREPEND-TO-ISP-B outNow routes advertised to ISP-B have an AS-path 3 hops longer than the same routes advertised to ISP-A. Upstream networks that see both paths should prefer the ISP-A path.
Important Rules
- Only prepend your own ASN. Prepending someone else's ASN is a protocol violation that can cause route rejection (loop detection) or confuse analytics tools. Most ISPs will filter routes with unexpected AS-path patterns.
- Prepend on outbound only. Prepending on inbound (your own received routes) changes your view of the AS-path length, which affects your outbound traffic — a completely different use case.
- Maximum useful prepends: 3. Beyond 3 prepends, you're almost never gaining additional benefit. A path that's 6 hops long is already less preferred than a 1-hop path — making it 9 hops doesn't change the outcome. Excessive prepending (seen in the wild: 10-20 prepends) is wasteful, pollutes the global routing table, and may trigger route filtering.
When Prepending Works
Prepending is effective when:
- You have two or more upstream ISPs
- Your upstreams don't set local-pref on your routes (if they do, local-pref at step 2 overrides AS-path at step 4)
- The AS-path difference is meaningful — a 1-hop vs 2-hop difference is significant; a 3-hop vs 4-hop difference is often not, because remote ASes may have other attributes that decide first
When Prepending Fails
Prepending does NOT work when:
- Your upstream sets local-pref: If ISP-B gives your routes local-pref 200 internally (because you're a paying customer), their local-pref wins at step 2 regardless of AS-path length. Your prepends are invisible to ISP-B's internal decision.
- Hot potato routing dominates: Even if AS-path is longer, a remote AS may prefer the closer exit point (step 8 — lowest IGP metric to next-hop). In large transit networks, hot potato routing often outweighs AS-path length for traffic that has entered their network.
- The remote AS uses
bgp bestpath as-path ignore: Some large networks disable AS-path comparison entirely, relying on local-pref and MED. - More-specific routes exist: A /24 always wins over a /16 in the forwarding table, regardless of AS-path length. If your competitor advertises a more-specific prefix, prepending your aggregate doesn't help.
Selective Prepending
Instead of prepending all routes to an ISP, you can prepend selectively:
ip prefix-list LOW-PRIORITY seq 10 permit 10.2.0.0/16
!
route-map SELECTIVE-PREPEND permit 10
match ip address prefix-list LOW-PRIORITY
set as-path prepend 65001 65001
!
route-map SELECTIVE-PREPEND permit 20
! No prepend for everything else
!
router bgp 65001
neighbor 172.16.0.6 route-map SELECTIVE-PREPEND outOnly 10.2.0.0/16 gets prepended through ISP-B; other prefixes are advertised normally. This is useful when you want most traffic via ISP-B but want specific prefixes to prefer ISP-A.
Verification
! What ISP-B sees
R1-HQ# show ip bgp neighbors 172.16.0.6 advertised-routes
Network Next Hop Metric LocPrf Weight Path
*> 10.1.0.0/16 172.16.0.5 32768 65001 65001 65001 i
*> 10.2.0.0/16 172.16.0.5 32768 iWait — that's wrong. The path shows "65001 65001 65001" but 10.2.0.0/16 should be the prepended one. Let me fix the example:
R1-HQ# show ip bgp neighbors 172.16.0.6 advertised-routes
Network Next Hop Metric LocPrf Weight Path
*> 10.1.0.0/16 172.16.0.5 32768 i
*> 10.2.0.0/16 172.16.0.5 32768 65001 65001 iISP-B's perspective (note: the advertising AS 65001 is prepended to the front by ISP-B, then our prepends follow):
ISP-B-PE1# show ip bgp 10.2.0.0/16
65001 65001 65001
172.16.0.5 from 172.16.0.5 (1.1.1.1)
Origin IGP, valid, external, bestThe AS-path is now 65001 65001 65001 — the original plus two prepends. ISP-B's upstreams will see this as a 3-hop path, vs a 1-hop path through ISP-A.
Security Implications of Excessive Prepending
Every ASN you add to the prepend is another ASN an attacker can include in a forged AS-path to make a hijacked route look plausible. Long AS-paths also increase the BGP update message size and consume more memory in the global routing table. Keep prepends to 1-3 at most.
For stronger inbound traffic engineering, consider ISP community-based signaling (see BGP Communities) if your upstream supports it — many ISPs offer communities that set local-pref values on your routes, which is far more effective than prepending.
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| Prepending applied but traffic still coming through that ISP | Upstream's local-pref overrides AS-path comparison; or hot potato routing in upstream's network | Prepending alone can't override local-pref. Contact upstream about community-based signaling, or advertise more-specific prefixes through the preferred ISP. |
| Routes rejected by upstream after prepending | Prepended a foreign ASN instead of your own; or upstream has max-AS-path-length filtering | Only prepend your own ASN. Keep total AS-path under the upstream's limit (typically 50-100 hops, but some filter at lower values). |
| Prepending working for some destinations but not others | Normal — different remote ASes have different policies. Some may use local-pref, others may not compare AS-path. | Prepending is inherently imprecise. For specific destinations, use communities or more-specific prefixes. |
Key Takeaways
- AS-path prepending artificially lengthens the AS-path to make a route less attractive globally — but it's a blunt tool evaluated at step 4, after weight and local-pref.
- Only prepend your own ASN, and limit to 3 prepends maximum. More than that adds no benefit and increases security risk.
- Prepending fails when your upstream sets local-pref, when hot potato routing dominates, or when more-specific routes exist.
- For more precise inbound traffic engineering, use ISP action communities (if available) or selective prefix advertisement.
- Verify with
show ip bgp neighbors [ip] advertised-routesto confirm the prepended AS-path in your outbound advertisements.