Understanding IP prefix lists

By stretch | Monday, February 1, 2010 at 4:38 a.m. UTC

IOS prefix lists work like access lists for route advertisements (prefixes). While extended (and to a limited extent, standard) access lists can be employed to match prefix announcements, prefix lists are generally more graceful. Prefix lists work very similarly to access lists; a prefix list contains one or more ordered entries which are processed sequentially. As with access lists, the evaluation of a prefix against a prefix list ends as soon as a match is found.

Assume you wanted to prevent a route for from being redistributed from OSPF to BGP. One way to accomplish this would be to define an extended ACL matching this prefix and reference it from the BGP redistribution route map:

router ospf 1
router bgp 65100
 no synchronization
 bgp router-id
 bgp log-neighbor-changes
 redistribute ospf 1 route-map OSPF->BGP
 neighbor remote-as 65100
 no auto-summary
ip access-list extended OSPF_Redist
 deny   ip host host
 permit ip any any
route-map OSPF->BGP permit 10
 match ip address OSPF_Redist

The above configuration prevents the exact prefix from being advertised by denying the network ("source" address) with a mask of ("destination" address). All other prefixes are allowed by the permit ip any any statement.

This can be accomplished more intuitively by employing a prefix list:

router ospf 1
router bgp 65100
 no synchronization
 bgp router-id
 bgp log-neighbor-changes
 redistribute ospf 1 route-map OSPF->BGP
 neighbor remote-as 65100
 no auto-summary
ip prefix-list OSPF_Redist seq 5 deny
ip prefix-list OSPF_Redist seq 10 permit le 32
route-map OSPF->BGP permit 10
 match ip address prefix-list OSPF_Redist

As you can see, there are two entries in the prefix list defined above. These accomplish the same tasks as the two access list entries in the earlier example: deny denies the exact prefix, and permit le 32 allows all other prefixes.

The second prefix list entry warrants some explanation. Two keywords can be optionally appended to a prefix list entry: le (less than or equal to) and ge (greater than or equal to). Without either, an entry will match an exact prefix. The le parameter can be included to match all more-specific prefixes within a parent prefix up to a certain length. For example, le 30 will match and all prefixes contained therein with a length of 30 or less.

We can use le to create an entry to match "any" prefix: le 32 matches any prefix with a length between 0 and 32 bits (inclusive). This matches all possible IPv4 prefixes.

The ge parameter works similarly to le but in the opposite direction; it specifies a minimum prefix length whereas le specifies a maximum length. For example, ge 16 will match all prefixes within the network that are at least 16 bits in length. The length specified by ge should naturally be longer than the length of the initial prefix as it is impossible to match anything larger than the initial prefix.

le and ge can also be combined. Continuing the ge example, ge 16 le 24 will match all prefixes within the network having a mask both a) greater than or equal to 16 bits, and b) less than or equal to 24 bits in length. For instance, would be matched, because its length is between 16 and 24 (inclusive), but neither nor would be matched.
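The matching rules described above (exact match without a keyword, le as a maximum length, ge as a minimum length, first match wins) can be modelled in a few lines. This is an added example, not code from the original post or from IOS. The names Entry and evaluate are hypothetical, the prefixes 192.0.2.0/24, 10.0.0.0/8 and 0.0.0.0/0 are sample values chosen here, and the implicit deny at the end of a list is standard prefix-list behaviour that the post does not spell out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: str                 # constructed sample value, e.g. "10.0.0.0/8"
    ge: Optional[int] = None
    le: Optional[int] = None

    def length_range(self):
        """Return the (min, max) prefix lengths this entry accepts."""
        base = ipaddress.ip_network(self.prefix).prefixlen
        if self.ge is None and self.le is None:
            return base, base                   # no keyword: exact match only
        lo = self.ge if self.ge is not None else base
        hi = self.le if self.le is not None else 32
        # ge must be longer than the entry's own length and no longer than le.
        if (self.ge is not None and self.ge <= base) or not base <= lo <= hi <= 32:
            raise ValueError(f"seq {self.seq}: invalid ge/le range")
        return lo, hi

    def matches(self, route: str) -> bool:
        lo, hi = self.length_range()
        cand = ipaddress.ip_network(route)
        inside = cand.subnet_of(ipaddress.ip_network(self.prefix))
        return inside and lo <= cand.prefixlen <= hi


def evaluate(entries, route: str) -> str:
    """First matching entry (lowest seq) decides; no match is an implicit deny."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(route):
            return entry.action
    return "deny"


# Constructed lists: an exact deny plus match-all, and a ge/le window.
REDIST = [Entry(5, "deny", "192.0.2.0/24"), Entry(10, "permit", "0.0.0.0/0", le=32)]
WINDOW = [Entry(5, "permit", "10.0.0.0/8", ge=16, le=24)]

if __name__ == "__main__":
    for plist, route in [(REDIST, "192.0.2.0/24"), (REDIST, "192.0.2.128/25"),
                         (WINDOW, "10.1.0.0/16"), (WINDOW, "10.0.0.0/8"),
                         (WINDOW, "10.1.1.128/25")]:
        print(f"{route:18} -> {evaluate(plist, route)}")
```

The exact deny in REDIST does not cover 192.0.2.128/25: a more-specific route inside the denied prefix falls through to the match-all permit, which matters when the list is meant to keep a network out of BGP entirely.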

Prefix lists take some getting used to, but can be very helpful in expressing routing policy within IOS configuration once you've gotten the hang of them.

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.



February 1, 2010 at 5:15 a.m. UTC

Very informative Stretch. For disaster recovery, I need the same IP brought up in another subnet so I use mobile ARP to move it (Local Area Mobility). I use route-maps and prefix lists to redistribute IP addresses of hosts that I need to move into the other subnet in BGP. I create a route map for a neighbor in BGP outbound, and use the prefix list to permit what IP addresses to move. It works out pretty nice.

February 1, 2010 at 1:00 p.m. UTC

Good stuff.

February 1, 2010 at 3:07 p.m. UTC

Nice! I must say, my favorite Cisco exam so far was BGP; and maybe my favorite topic was prefix lists, community lists, route maps, and AS path lists.

Alex (guest)
February 2, 2010 at 7:43 p.m. UTC

Thanks! This cleared things up a lot for me

Marcelo (guest)
February 4, 2010 at 10:56 a.m. UTC

In terms of CPU processing, which has the higher cost? ACL or prefix list? Sorry for my English.

PS: Great site stretch.

April 22, 2010 at 5:53 a.m. UTC

Thanks a lot

May 13, 2010 at 3:34 p.m. UTC

Good info... Interesting though is how the "default" route handled if you wanted to do an exact match on that specific prefix for filtering? The match all possible example looks close to how I thought it would be written?

Ashish (guest)
July 28, 2010 at 2:35 a.m. UTC

Good Stuff..!! Easy to understand.


randy (guest)
August 26, 2010 at 7:00 p.m. UTC

great stuff, really made prefix-list clearer to me. thanx man!

balister kumar (guest)
December 17, 2010 at 12:39 p.m. UTC

many many thanks

very informative for the Beginner. specially permit le 32

Robert (guest)
December 29, 2010 at 9:09 a.m. UTC
  1. an extended acl for route filtering is nonsense
  2. the acl entry is also nonsense:
ip access-list extended OSPF_Redist
 deny   ip host host
 permit ip any any

should be:

ip access-list extended OSPF_Redist
 deny   ip
 permit ip any any

but even better:

ip access-list standard OSPF_Redist
 permit any


Rahil (guest)
January 14, 2011 at 8:36 p.m. UTC

Good one

Piter (guest)
February 14, 2011 at 4:37 p.m. UTC


mokhtar (guest)
February 22, 2011 at 8:37 a.m. UTC

thank you all

May 18, 2011 at 2:33 p.m. UTC


January 13, 2012 at 1:04 p.m. UTC

Many, many thanks

mark (guest)
March 21, 2012 at 4:54 p.m. UTC

Hi Jeremy ,

At Your Statement " but neither"
There is no network

There is, ,,, etc,

Maybe you meant ?

Just want some clarity on that, Please CMIIW

April 23, 2012 at 4:10 a.m. UTC

Got the confusion cleared.

Thanks Jeremy

Dan (guest)
July 16, 2012 at 2:08 a.m. UTC


f0rgiv3n (guest)
August 20, 2012 at 10:29 p.m. UTC

Nicely explained. Thank you. The question I have is this:

Could you also do ge 0 ?

Why might I ask this? No reason, just curious.

kakou31 (guest)
September 12, 2012 at 7:59 a.m. UTC

Thanks Jeremy, this is very clearly explained!

f0rgiv3n (guest)
September 19, 2012 at 4:36 p.m. UTC

Hey just to follow up on my question with regards to the twisted logic above... I tried to use ge 0. There are two problems:
1. The second prefix value cannot be 0, it has to be 1-32
2. Even if you set it to 1, you get an error stating that the first prefix value needs to be less than the second prefix value at all times.

winder (guest)
April 23, 2013 at 9:53 a.m. UTC

Hi stretch,
I don't understand the first example you provided using route-map to block redistribution.
if you use "route-map OSPF->BGP permit 10" with access-list OSPF_Redist's entries "deny ip host host", would the route-map block I think it will only take the "permit" networks and ignore all "deny" ones, right?

winder (guest)
April 24, 2013 at 2:50 a.m. UTC

pls ignore the last comment, I think I have figured it out myself.

Roger Perkin (guest)
May 13, 2013 at 9:51 p.m. UTC

Great post Stretch,

Just to let you know the prefix-list link to cisco is broken at the start of the article.


August 21, 2013 at 9:58 a.m. UTC

Thanks so much! Made it easy for me to understand.

Goncalo (guest)
October 25, 2013 at 12:03 p.m. UTC

To Robert (guest) commented on Wednesday, December 29, 2010 at 9:09 a.m. UTC

Before prefix lists were invented, the way of filtering routes was using ACLs (extended/standard).

The use of an extended ACL is fine, although superseded by prefix lists. It works; the config may look a little strange but it is valid. On extended ACLs, source host=network and destination host=subnet mask.



Mo (guest)
April 18, 2014 at 5:16 a.m. UTC

How do you interpret this? access-list 100 permit ip any host

Does that mean "any source ip with destination of any" or does that mean "any source ip with mask of"

Secondly, how do you interpret this? access-list 100 permit ip

Does that mean "any source ip with mask of /0" with destination of "any"

I am kind of lost here. I can interpret ACLs just fine for traditional processing but I get confused when I have to interpret them in terms of route advertisement/prefix matching.

Any help will be HIGHLY appreciated.

SM (guest)
July 4, 2014 at 10:05 a.m. UTC

a) greater than or equal to 16 bits, and b) less than or equal to 24 bits in length. I always assume this is true but I was creating a prefix list and by mistake I typed X.X.X.X/23 ge 22. The error I got included "len < ge-val <<= le".

Abigail (guest)
September 22, 2014 at 9:25 a.m. UTC

This is very helpful. I'm reading about OSPF Route Filtering and found one option to use prefix list and I totally forgot about prefix-lists.. This quick read helped me regain my memory lol. Great and helpful blog!

Milan (guest)
October 17, 2014 at 8:02 a.m. UTC

Thanks a lot!

Ibby (guest)
December 3, 2014 at 3:43 p.m. UTC

As Robert mentioned above, The ACL statement seems to be wrong:

ip access-list extended OSPF_Redist
 deny   ip host host
 permit ip any any

That statement would block packets only with a source IP of sending to a host with a destination IP of It would not deal with subnets.

But Robert is also Wrong. Robert is writing a Standard ACL not an Extended one.

It should be as follows:

ip access-list extended OSPF_Redist
 deny   ip any
 permit ip any any

mark (guest)
April 10, 2015 at 2:51 a.m. UTC

nice explanation sir!

M Farooq Vayani (guest)
May 9, 2015 at 5:29 p.m. UTC

Great explanation...thanks..

Jastin (guest)
June 15, 2015 at 7:17 p.m. UTC

Good explanation,
