/
Sign up to Ping Labz!
Already have an account? Sign in
BGP

BGP AS-Path Prepending: When It Works and When It Doesn't

AS-path prepending is the go-to tool for influencing inbound BGP traffic: artificially lengthen the AS-path so remote ASes prefer your other exit. It is blunt, global, and has real security implications. When it works, and when it does not.
J
5 min read
BGP AS-Path Prepending: When It Works and When It Doesn't
In: BGP

AS-path prepending is the go-to tool for influencing inbound traffic in BGP. The concept is simple: artificially lengthen the AS-path on your outbound advertisements to make that path less attractive at step 4 of the best path algorithm. But prepending is a blunt instrument — it works globally (affects all upstream ASes, not just your direct neighbor), it's unpredictable in how much traffic it actually shifts, and excessive prepending has real security implications.

How Prepending Works

When you prepend your own ASN to the AS-path, the route appears to be more hops away. Remote ASes that compare AS-path length (step 4 of best path) will prefer the shorter path through your other connection.

! Without prepending: AS-path seen by ISP-B's upstreams = "65020 65001"
! With 3x prepend:   AS-path seen by ISP-B's upstreams = "65020 65001 65001 65001 65001"

route-map PREPEND-TO-ISP-B permit 10
 set as-path prepend 65001 65001 65001
!
router bgp 65001
 neighbor 172.16.0.6 route-map PREPEND-TO-ISP-B out

Now routes advertised to ISP-B have an AS-path 3 hops longer than the same routes advertised to ISP-A. Upstream networks that see both paths should prefer the ISP-A path.

Important Rules

  • Only prepend your own ASN. Prepending someone else's ASN is a protocol violation that can cause route rejection (loop detection) or confuse analytics tools. Most ISPs will filter routes with unexpected AS-path patterns.
  • Prepend on outbound only. Prepending on inbound (your own received routes) changes your view of the AS-path length, which affects your outbound traffic — a completely different use case.
  • Maximum useful prepends: 3. Beyond 3 prepends, you're almost never gaining additional benefit. A path that's 6 hops long is already less preferred than a 1-hop path — making it 9 hops doesn't change the outcome. Excessive prepending (seen in the wild: 10-20 prepends) is wasteful, pollutes the global routing table, and may trigger route filtering.

When Prepending Works

Prepending is effective when:

  • You have two or more upstream ISPs
  • Your upstreams don't set local-pref on your routes (if they do, local-pref at step 2 overrides AS-path at step 4)
  • The AS-path difference is meaningful — a 1-hop vs 2-hop difference is significant; a 3-hop vs 4-hop difference is often not, because remote ASes may have other attributes that decide first

When Prepending Fails

Prepending does NOT work when:

  • Your upstream sets local-pref: If ISP-B gives your routes local-pref 200 internally (because you're a paying customer), their local-pref wins at step 2 regardless of AS-path length. Your prepends are invisible to ISP-B's internal decision.
  • Hot potato routing dominates: Even if AS-path is longer, a remote AS may prefer the closer exit point (step 8 — lowest IGP metric to next-hop). In large transit networks, hot potato routing often outweighs AS-path length for traffic that has entered their network.
  • The remote AS uses bgp bestpath as-path ignore: Some large networks disable AS-path comparison entirely, relying on local-pref and MED.
  • More-specific routes exist: A /24 always wins over a /16 in the forwarding table, regardless of AS-path length. If your competitor advertises a more-specific prefix, prepending your aggregate doesn't help.

Selective Prepending

Instead of prepending all routes to an ISP, you can prepend selectively:

ip prefix-list LOW-PRIORITY seq 10 permit 10.2.0.0/16
!
route-map SELECTIVE-PREPEND permit 10
 match ip address prefix-list LOW-PRIORITY
 set as-path prepend 65001 65001
!
route-map SELECTIVE-PREPEND permit 20
! No prepend for everything else
!
router bgp 65001
 neighbor 172.16.0.6 route-map SELECTIVE-PREPEND out

Only 10.2.0.0/16 gets prepended through ISP-B; other prefixes are advertised normally. This is useful when you want most traffic via ISP-B but want specific prefixes to prefer ISP-A.

Verification

! What ISP-B sees
R1-HQ# show ip bgp neighbors 172.16.0.6 advertised-routes
   Network          Next Hop         Metric LocPrf Weight Path
*> 10.1.0.0/16      172.16.0.5                        32768 65001 65001 65001 i
*> 10.2.0.0/16      172.16.0.5                        32768 i

Wait — that's wrong. The path shows "65001 65001 65001" but 10.2.0.0/16 should be the prepended one. Let me fix the example:

R1-HQ# show ip bgp neighbors 172.16.0.6 advertised-routes
   Network          Next Hop         Metric LocPrf Weight Path
*> 10.1.0.0/16      172.16.0.5                        32768 i
*> 10.2.0.0/16      172.16.0.5                        32768 65001 65001 i

ISP-B's perspective (note: the advertising AS 65001 is prepended to the front by ISP-B, then our prepends follow):

ISP-B-PE1# show ip bgp 10.2.0.0/16
  65001 65001 65001
    172.16.0.5 from 172.16.0.5 (1.1.1.1)
      Origin IGP, valid, external, best

The AS-path is now 65001 65001 65001 — the original plus two prepends. ISP-B's upstreams will see this as a 3-hop path, vs a 1-hop path through ISP-A.

Security Implications of Excessive Prepending

Every ASN you add to the prepend is another ASN an attacker can include in a forged AS-path to make a hijacked route look plausible. Long AS-paths also increase the BGP update message size and consume more memory in the global routing table. Keep prepends to 1-3 at most.

For stronger inbound traffic engineering, consider ISP community-based signaling (see BGP Communities) if your upstream supports it — many ISPs offer communities that set local-pref values on your routes, which is far more effective than prepending.

Troubleshooting

SymptomCauseFix
Prepending applied but traffic still coming through that ISPUpstream's local-pref overrides AS-path comparison; or hot potato routing in upstream's networkPrepending alone can't override local-pref. Contact upstream about community-based signaling, or advertise more-specific prefixes through the preferred ISP.
Routes rejected by upstream after prependingPrepended a foreign ASN instead of your own; or upstream has max-AS-path-length filteringOnly prepend your own ASN. Keep total AS-path under the upstream's limit (typically 50-100 hops, but some filter at lower values).
Prepending working for some destinations but not othersNormal — different remote ASes have different policies. Some may use local-pref, others may not compare AS-path.Prepending is inherently imprecise. For specific destinations, use communities or more-specific prefixes.

Key Takeaways

  • AS-path prepending artificially lengthens the AS-path to make a route less attractive globally — but it's a blunt tool evaluated at step 4, after weight and local-pref.
  • Only prepend your own ASN, and limit to 3 prepends maximum. More than that adds no benefit and increases security risk.
  • Prepending fails when your upstream sets local-pref, when hot potato routing dominates, or when more-specific routes exist.
  • For more precise inbound traffic engineering, use ISP action communities (if available) or selective prefix advertisement.
  • Verify with show ip bgp neighbors [ip] advertised-routes to confirm the prepended AS-path in your outbound advertisements.
Written by

J

View all posts
More from Ping Labz
MPLS L3VPN with MP-BGP and VPNv4
MPLS

MPLS L3VPN with MP-BGP and VPNv4

MPLS L3VPN architecture: VRFs, Route Distinguishers, Route Targets, MP-BGP for VPNv4, the two-label stack, PE-CE routing, and the Cisco IOS XE configuration.
J
7 min read
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Ping Labz.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.