
Autonomous System Numbers Explained: What ASNs Are, How They Work, and How to Get One

What Is an Autonomous System?

The internet is not a single network — it’s tens of thousands of independently operated networks connected to each other. Each of these networks is called an Autonomous System (AS): a collection of IP prefixes under the control of a single administrative entity that presents a common routing policy to the internet.

An AS might be:

  • A tier-1 carrier like AT&T or Telia
  • A regional ISP serving a single country
  • A cloud provider like AWS or Google Cloud
  • A large enterprise with its own IP space and upstream providers
  • A university or research network
  • A content delivery network like Cloudflare or Akamai
  • A data center colocation provider

The key characteristic of an AS is that it has a single, coherent routing policy to the outside world — even if internally it uses multiple routing protocols, multiple data centers, or thousands of routers.


What Is an ASN?

Every Autonomous System is identified by a unique Autonomous System Number (ASN). This number is what BGP (the internet’s routing protocol) uses to identify which AS is advertising which IP prefixes, and to track the path a route has taken through the internet.

The ASN is what you see in a BGP AS path. When a route for 1.1.1.0/24 travels from Cloudflare (AS13335) through a transit provider to your ISP and then to your router, the AS path carries the record of every AS it traversed:

BGP route: 1.1.1.0/24
AS Path:   64512  3356       13335
           ↑      ↑          ↑
           Your   Level3     Cloudflare
           ISP    (transit)

BGP uses this AS path for two purposes:

  1. Loop prevention: If a router sees its own ASN in the AS path of an incoming route, it discards the route — it already knows about this network
  2. Path selection: Shorter AS paths are generally preferred (though many other attributes influence this)

2-Byte vs 4-Byte ASNs

The Original Range (2-byte ASNs)

ASNs were originally defined as 16-bit integers, allowing for 65,536 unique values (0–65,535). Of these, specific ranges are reserved:

  • 0: Reserved
  • 1–64,495: Public ASNs (globally unique, assigned by RIRs)
  • 64,496–64,511: Reserved for documentation and examples (RFC 5398)
  • 64,512–65,534: Private ASNs (like RFC 1918 for IP addresses)
  • 65,535: Reserved

By the mid-2000s, the pool of available 2-byte public ASNs was depleting rapidly as the internet grew. RFC 4893 (later replaced by RFC 6793) extended ASNs to 32 bits.

4-Byte ASNs (RFC 6793)

4-byte ASNs extend the range to 0–4,294,967,295, providing over 4 billion unique ASNs. The 4-byte range was introduced in 2007, and support for it became mandatory for BGP implementations by 2009.

Key 4-byte ranges:

  • 1–4,199,999,999: Public 4-byte ASNs
  • 4,200,000,000–4,294,967,294: Private 4-byte ASNs
  • 4,294,967,295: Reserved

4-byte ASNs are written in two formats:

  • Decimal (asplain): 131072 (most common in configs)
  • Dot notation (asdot): 2.0, where 2.0 means 2×65536+0 = 131072

Cisco IOS uses decimal by default. Some operators prefer dot notation for readability. You can configure the display format:

! IOS-XE: show in dot notation (set under the BGP process)
router bgp 65001
  bgp asnotation dot

! Verify
show bgp ipv4 unicast summary

Public vs Private ASNs

Public ASNs

Public ASNs are globally unique, assigned by Regional Internet Registries (RIRs), and used for BGP sessions that connect to the internet. They appear in global BGP routing tables and can be seen in AS path data worldwide.

When to use a public ASN:

  • You’re connecting your network to multiple upstream providers (multihoming)
  • You’re operating a hosting provider, ISP, or enterprise with direct internet peering
  • You need to advertise your own IP space independently of your upstream provider

Private ASNs

Private ASNs (64,512–65,534 for 2-byte, 4,200,000,000–4,294,967,294 for 4-byte) serve the same purpose as RFC 1918 private IP addresses — they’re for internal use and should be stripped before routes reach the public internet.

Common private ASN use cases:

Single-homed customers using BGP with their ISP: An enterprise that runs BGP with one upstream provider but doesn’t need a globally unique ASN. The ISP typically assigns them a private ASN.

! Enterprise using private ASN with single upstream
! The ISP assigns the enterprise its private ASN (65001 here)
router bgp 65001
  neighbor 203.0.113.1 remote-as 64512

! ISP strips private ASNs before advertising to internet
! (remove-private-as on the ISP side)

Data center VXLAN EVPN fabrics: In a BGP EVPN fabric, spine and leaf switches use private ASNs for the iBGP overlay. These never leave the data center.

! VXLAN fabric using private ASNs
! Private ASN for the fabric
router bgp 65000

Service provider MPLS networks: PE-CE BGP sessions within an MPLS VPN use private ASNs per-customer to avoid conflicts.
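
The range lists in "2-Byte vs 4-Byte ASNs" and the rule above that private ASNs should be stripped before routes reach the public internet can be turned into a check on received AS paths. The following is an added example, not code from the original article; the function names are hypothetical and the ranges are exactly those listed on this page.

```python
# Added example. Ranges are the ones listed on this page.
RANGES = [
    (0, 0, "reserved"),
    (1, 64495, "public"),
    (64496, 64511, "documentation"),
    (64512, 65534, "private"),
    (65535, 65535, "reserved"),
    (65536, 4199999999, "public"),
    (4200000000, 4294967294, "private"),
    (4294967295, 4294967295, "reserved"),
]


def parse_asn(text):
    """Parse 'AS13335', '131072' (asplain) or '2.0' (asdot) into an int."""
    s = text.strip().upper()
    if s.startswith("AS"):
        s = s[2:]
    parts = s.split(".")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an ASN: {text!r}")
    if len(parts) == 2:
        high, low = int(parts[0]), int(parts[1])
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError(f"asdot field out of range: {text!r}")
        return high * 65536 + low
    value = int(s)
    if value > 0xFFFFFFFF:
        raise ValueError(f"ASN exceeds 32 bits: {text!r}")
    return value


def to_asdot(asn):
    """Render asdot: 2-byte values stay decimal, larger ones become high.low."""
    return str(asn) if asn < 65536 else f"{asn >> 16}.{asn & 0xFFFF}"


def classify(asn):
    """Return the range name for an ASN already validated by parse_asn."""
    return next(kind for low, high, kind in RANGES if low <= asn <= high)


def audit_path(as_path):
    """List (asn, kind) for every non-public ASN in a space-separated AS path."""
    hops = [parse_asn(tok) for tok in as_path.split()]
    return [(asn, classify(asn)) for asn in hops if classify(asn) != "public"]


# Constructed input: the AS path shown earlier on this page.
if __name__ == "__main__":
    print(audit_path("64512 3356 13335"))
```

Run against a path learned from an internet-facing peer, any non-empty result means a private, documentation, or reserved ASN was not stripped somewhere upstream.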


How BGP Uses ASNs

eBGP vs iBGP

eBGP (External BGP): Sessions between routers in different ASes. This is how internet routing works — your router speaks eBGP with your upstream provider’s router.

iBGP (Internal BGP): Sessions between routers in the same AS. Used to distribute externally learned routes throughout your AS without re-advertising to the outside world.

The AS Path Attribute

Every route in BGP carries an AS path — a list of ASNs the route has traversed. When a router advertises a route via eBGP, it prepends its own ASN to the AS path. The result is a trail showing exactly which ASes the route passed through:

Origin (Cloudflare, AS13335): 1.1.1.0/24, AS-PATH: 13335
After Level3 (AS3356):        1.1.1.0/24, AS-PATH: 3356 13335
After your ISP (AS64512):     1.1.1.0/24, AS-PATH: 64512 3356 13335

AS Path Prepending

Network operators sometimes intentionally prepend their own ASN multiple times to make a route look less attractive — useful for traffic engineering when you want to steer traffic toward a preferred upstream:

! Make this path look longer (less preferred) by prepending our ASN twice
route-map SET-PREPEND permit 10
  set as-path prepend 65001 65001

router bgp 65001
  neighbor 203.0.113.1 route-map SET-PREPEND out

This results in an AS path of 65001 65001 65002 13335 being seen by remote peers — they’ll prefer the shorter path through your primary upstream.
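
The AS path mechanics described in this section (prepend on eBGP export, loop prevention, shortest-path preference, and prepending for traffic engineering) can be modelled in a few functions. This is an added example, not code from the original article; it is a toy model that ignores every BGP attribute except AS path length, and the upstream ASNs 64496 and 64497 are hypothetical values from the documentation range.

```python
# Added example: a toy model of AS-path handling, not a BGP implementation.

def advertise(path, local_as, extra_prepends=0):
    """eBGP export: put local_as on the front once, plus any extra prepends."""
    return [local_as] * (1 + extra_prepends) + list(path)


def accept(path, local_as):
    """Loop prevention: refuse a route whose AS path already holds our ASN."""
    return local_as not in path


def select_best(routes):
    """Return the name of the shortest AS path (all other attributes ignored).

    Equal-length paths are tied on this attribute; the name is used as a
    tiebreaker only to keep the example deterministic.
    """
    return min(sorted(routes), key=lambda name: len(routes[name]))


def dual_homed_view(origin_as, primary_as, backup_as, extra_prepends):
    """AS paths a remote network learns for origin_as's prefix via each upstream."""
    to_primary = advertise([], origin_as)
    to_backup = advertise([], origin_as, extra_prepends)
    return {
        "primary": advertise(to_primary, primary_as),
        "backup": advertise(to_backup, backup_as),
    }


# Hypothetical upstreams, taken from the documentation range (64496-64511).
PRIMARY_AS, BACKUP_AS = 64496, 64497

if __name__ == "__main__":
    # The Cloudflare path from this page, built hop by hop.
    path = advertise(advertise(advertise([], 13335), 3356), 64512)
    print(path, accept(path, 64512), accept(path, 65001))
    views = dual_homed_view(65001, PRIMARY_AS, BACKUP_AS, extra_prepends=2)
    print(views, select_best(views))
```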


ASN Lookup and Research Tools

Looking Up Any ASN

RIPE Stat: The most comprehensive tool for BGP and ASN research.

  • https://stat.ripe.net/AS13335 — full info for Cloudflare’s ASN
  • Shows announced prefixes, peer relationships, routing history, RPKI status

BGP.tools: Excellent for exploring peering relationships and prefix announcements.

  • https://bgp.tools/as/13335

Hurricane Electric BGP Toolkit: Long-standing resource for AS information.

  • https://bgp.he.net/AS13335

PeeringDB: For networks that participate in public peering, PeeringDB shows IXP memberships, peering policies, and contact info.

  • https://www.peeringdb.com/net/4224 (Cloudflare’s PeeringDB entry)

From the Command Line

# Using RIPE Stat API
curl "https://stat.ripe.net/data/as-overview/data.json?resource=AS13335" | jq '.data'

# Whois lookup
whois AS13335
whois -h whois.radb.net AS13335

# On a Cisco router — show BGP neighbor's ASN
show bgp ipv4 unicast neighbors | include remote AS

# Show which AS a prefix comes from
show bgp ipv4 unicast 1.1.1.0/24

How to Get Your Own ASN

Do You Actually Need One?

Before applying, consider whether you need a public ASN:

You need a public ASN if:

  • You’re multihomed (connecting to 2+ different upstream providers) and need to advertise your own IP space independently
  • You’re building a transit network that will carry traffic for other networks
  • You’re operating an IXP or building internet exchange point infrastructure

You probably don’t need one if:

  • You’re single-homed to one ISP (your ISP can advertise your space under their ASN)
  • You only need BGP internally (use a private ASN)
  • Your upstream provider can handle your routing policy for you

The Application Process

ASNs are assigned by Regional Internet Registries (RIRs) — the same organizations that assign IP address space:

Region                           RIR       Website
North America                    ARIN      arin.net
Europe/Middle East/Central Asia  RIPE NCC  ripe.net
Asia-Pacific                     APNIC     apnic.net
Latin America/Caribbean          LACNIC    lacnic.net
Africa                           AFRINIC   afrinic.net

General process (varies by RIR):

  1. Become a member or create an account with your regional RIR
  2. Document your need — most RIRs require you to demonstrate:
    • Existing or planned multihomed connectivity (connections to 2+ upstream providers)
    • A network operations plan showing you’ll actually use BGP
  3. Submit the ASN request form through the RIR’s online portal
  4. Pay the fee — ASN assignment fees vary by RIR. ARIN charges a one-time fee plus annual maintenance. RIPE NCC membership includes ASN assignment.
  5. Receive your ASN — typically within a few business days to a few weeks

Working with an LIR

If you’re in the RIPE NCC region (Europe/Middle East) and don’t want to become a full RIPE NCC member, you can work with a Local Internet Registry (LIR) — an organization that sponsors your ASN and IP address requests. Many hosting providers and ISPs offer LIR sponsorship as a service.

Cost

ASN fees as of 2025 (subject to change):

  • ARIN: $550 one-time registration + $100/year maintenance
  • RIPE NCC: Included in RIPE NCC membership (~€1,400/year for smallest tier), or via LIR sponsorship
  • APNIC: Included in APNIC membership fees
  • LACNIC: ~$500 one-time + annual fee

Notable ASNs Worth Knowing

ASN      Organization           Notes
AS1      APNIC (formerly IANA)  The first ASN
AS3356   Lumen (Level3)         Major US tier-1 transit
AS6939   Hurricane Electric     Widely peered transit / IPv6 backbone
AS13335  Cloudflare             CDN, DNS, security
AS15169  Google                 Google’s primary AS
AS16509  Amazon AWS             AWS cloud infrastructure
AS8075   Microsoft              Azure and Microsoft services
AS32934  Meta                   Facebook, Instagram, WhatsApp
AS714    Apple                  Apple’s network
AS2914   NTT Communications     Major global transit
AS7018   AT&T                   US carrier
AS17557  Pakistan Telecom       Famous for the 2008 YouTube hijack
AS10297  eNET/XLHost            Used in the 2018 Route53 hijack