T3 or not to T3

I'm not clear on the distinction -- but since the first location we
want to do this would be based in San Francisco, I'm referring mostly to
mae-west, the pacbell nap, and CIX.

Only one of these is an NSF NAP (PAC*BELL in San Francisco).

>Generally for each connection to each provider, you would have to set up

Yeah, definitely. But most backbones seem to have "customer routes" as
an option, and if I trust them enough to get those routes correct then
I will hopefully not have to bother with extreme amounts of filtering.

If you pursue getting that option, there will still be some routes
that you will get via a transit connection that will have to pass through
some interconnect. That means you are still going to depend on some
interconnect somewhere. Of course, if you don't have a transit agreement
anywhere, you just won't see these routes at all.

It's pretty easy to enforce "no transit" at the packet filtering level
-- only packets destined for my nets will be allowed in. Is there some
other aspect of filtering I'm forgetting about? We have a dedicated
and backup network engineer at any rate. The border router would be a
cisco 7200 or 7500 series with 128Mb.

The main thing is to ensure that you don't get route announcements from places
you don't expect them and that you do get them from places you do expect them.
Expectations will change from time to time as changes in the routing mesh
do occur. That means that your routing folks will have to monitor for such
changes and make adjustments from time to time. The RA (and others) have
been doing such monitoring and you can get some idea how such things
affect you by looking at some of their work.
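
An added example, not part of the original thread: one way to run the check described above, comparing the routes actually received from each peer with the routes expected from it. The peer names, the prefixes (documentation address space) and the `audit` function are assumptions constructed for illustration.

```python
import ipaddress

# Constructed policy: the "customer routes" we expect to hear from each peer.
EXPECTED = {
    "peer-a": ["192.0.2.0/24", "198.51.100.0/24"],
    "peer-b": ["203.0.113.0/24"],
}

# Constructed snapshot of announcements received: (peer, prefix).
RECEIVED = [
    ("peer-a", "192.0.2.0/24"),     # expected, exact match
    ("peer-a", "192.0.2.128/25"),   # more-specific of an expected prefix
    ("peer-a", "203.0.113.0/24"),   # expected from peer-b, not from peer-a
    ("peer-b", "10.0.0.0/8"),       # never expected from anyone
]


def audit(expected, received):
    """Report routes heard from the wrong place and routes not heard at all."""
    policy = {peer: {ipaddress.ip_network(p) for p in prefixes}
              for peer, prefixes in expected.items()}
    seen = set()
    report = {"unexpected": [], "more_specific": [], "missing": []}
    for peer, prefix in received:
        net = ipaddress.ip_network(prefix)
        allowed = policy.get(peer, set())  # unknown peer: nothing is expected
        if net in allowed:
            seen.add((peer, net))
        elif any(a.version == net.version and net.subnet_of(a) for a in allowed):
            # Inside an expected block but not the exact route: review by hand.
            report["more_specific"].append((peer, str(net)))
        else:
            report["unexpected"].append((peer, str(net)))
    for peer, nets in policy.items():
        for net in nets:
            if (peer, net) not in seen:
                report["missing"].append((peer, str(net)))
    for rows in report.values():
        rows.sort()
    return report


if __name__ == "__main__":
    for kind, rows in audit(EXPECTED, RECEIVED).items():
        for peer, prefix in rows:
            print(f"{kind:14} {peer:8} {prefix}")
```

Since expectations change as the routing mesh changes, the policy table is the part that needs regular upkeep; the comparison itself stays the same.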