Re: How long AS-PATH policies have you used
That was fixed in IOS-XR about 5 years ago. Previously, we could only do it with as-path-set in route-policy. as-path-set allows whole paths to be specified, so it's slow. If all you want is to match on a single ASN, it can be done much faster using a tree lookup instead of linear. So, I invented the as-set for route-policy configuration. Here is a config sample:

as-set asset1
  2914,
  174,
  3356
end-set
!
route-policy asd
  if as-path originates-from asset1 then
    pass
  endif
end-policy

If that doesn't meet your needs, let me know.

Kind Regards,
Jakob Heitz

Date: Tue, 24 Feb 2026 20:15:00 +0200
From: Saku Ytti <saku@ytti.fi>

For SROS, IOSXR 90k would be quite a ridiculous attempt, and it's probably cheaper just to expand to a million lines of prefix-list, since prefix-list scale is more tested than AS_PATH scale. In SROS as-path-group can contain only 128 lines, so if you match a single ASN per line, you'd need 700 terms just to check the origin, unless you use regexp OR in the lines to put multiple origins per line.
Thank you Jakob. This is exactly what I need, and indeed scaling will be terrific. Meaning, you can immediately prove it scales to the entire DFZ and has a margin.

That is, if you change AS-SET prefix-list to AS-SET asn origin + synthesized you get configuration which will always commit, pathological AS-SET are an Internet problem, not a Me problem. While improving security, because non ROAd route objects will get their origin checked as well.

On Sat, 7 Mar 2026 at 04:20, Jakob Heitz (jheitz) via NANOG <nanog@lists.nanog.org> wrote:
That was fixed in IOS-XR about 5 years ago. Previously, we could only do it with as-path-set in route-policy. as-path-set allows whole paths to be specified, so it's slow. If all you want is to match on a single ASN, it can be done much faster using a tree lookup instead of linear. So, I invented the as-set for route-policy configuration. Here is a config sample:

as-set asset1
  2914,
  174,
  3356
end-set
!
route-policy asd
  if as-path originates-from asset1 then
    pass
  endif
end-policy

If that doesn't meet your needs, let me know.

Kind Regards,
Jakob Heitz

Date: Tue, 24 Feb 2026 20:15:00 +0200
From: Saku Ytti <saku@ytti.fi>

For SROS, IOSXR 90k would be quite a ridiculous attempt, and it's probably cheaper just to expand to a million lines of prefix-list, since prefix-list scale is more tested than AS_PATH scale. In SROS as-path-group can contain only 128 lines, so if you match a single ASN per line, you'd need 700 terms just to check the origin, unless you use regexp OR in the lines to put multiple origins per line.
-- ++ytti
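
Added example, not part of either post and not Cisco's or Nokia's tooling: a Python sketch of the approach discussed in this thread, turning an expanded list of origin ASNs into the as-set / route-policy shape shown in Jakob's sample. The input list, the names CUST-ORIGINS and CUST-IN, and the reserved-ASN filter are assumptions of this example; the last helper works out the as-path-group count for the 128-line limit and 90k origins mentioned for SROS.

```python
import math

# Reserved, private and documentation ASNs; this filter is an assumption of the
# example (the thread does not mention it). Ranges are inclusive.
RESERVED = [(0, 0), (23456, 23456), (64496, 64511), (64512, 65534),
            (65535, 65535), (65536, 65551), (4200000000, 4294967295)]

def is_reserved(asn):
    return any(lo <= asn <= hi for lo, hi in RESERVED)

def clean_origins(raw):
    """Parse 'AS174' / '174' tokens; drop non-ASN tokens, reserved ASNs, duplicates."""
    seen = set()
    for tok in raw:
        tok = tok.strip().upper()
        if tok.startswith("AS"):
            tok = tok[2:]
        if not (tok.isascii() and tok.isdigit()):
            continue  # e.g. an unresolved nested set name such as AS-EXAMPLE
        asn = int(tok)
        if asn > 0xFFFFFFFF or is_reserved(asn):
            continue
        seen.add(asn)
    return sorted(seen)

def render_iosxr(set_name, policy_name, origins):
    """Emit config in the same shape as the sample quoted in the thread."""
    if not origins:
        raise ValueError("refusing to emit an empty as-set")
    lines = [f"as-set {set_name}"]
    lines += [f"  {asn}," for asn in origins[:-1]]
    lines += [f"  {origins[-1]}", "end-set", "!",
              f"route-policy {policy_name}",
              f"  if as-path originates-from {set_name} then",
              "    pass", "  endif", "end-policy"]
    return "\n".join(lines)

def sros_groups_needed(n_origins, lines_per_group=128):
    """One ASN per line, 128 lines per as-path-group (limit quoted in the thread)."""
    return math.ceil(n_origins / lines_per_group)

# Constructed sample input, standing in for an expanded IRR AS-SET.
SAMPLE = ["AS2914", "174", "as3356", "AS64512", "AS-EXAMPLE", "23456", "174", "AS0"]

if __name__ == "__main__":
    print(render_iosxr("CUST-ORIGINS", "CUST-IN", clean_origins(SAMPLE)))
    print("as-path-groups for 90000 origins:", sros_groups_needed(90000))
```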