Prefix-lists are used to match on prefix and prefix-length pairs. Normal prefix-list syntax is as follows:

ip prefix-list LIST permit w.x.y.z/len

Where w.x.y.z is your exact prefix
And where len is your exact prefix-length

“ip prefix-list LIST permit″ would be an exact match for the prefix with a subnet mask of This does not match, nor does it match, nor anything in between.

When you add the keywords “GE” and “LE” to the prefix-list, the “len” value changes its meaning. When using GE and LE, the len value specifies how many bits of the prefix you are checking, starting with the most significant bit.

ip prefix-list LIST permit le 32

This means:
Check the first 24 bits of the prefix
The subnet mask must be less than or equal to 32

This equates to the access-list syntax:

access-list 1 permit
ip prefix-list LIST permit le 32

This means:
Check the first 0 bits of the prefix
The subnet mask must be less than or equal to 32
This equates to anything

ip prefix-list LIST permit

This means:
The exact prefix, with the exact prefix-length 0.
This is matching a default route.

ip prefix-list LIST permit ge 21 le 29

This means:
Check the first 8 bits of the prefix
The subnet mask must be greater than or equal to 21, and less than or
equal to 29.

ip prefix-list CLASS_A permit ge 8 le 8

This matches all class A addresses with classful masks. It means:
Check the first bit of the prefix, it must be a 0.
The subnet mask must be greater than or equal to 8, and less than or equal to 8. ( It is exactly 8 )

When using the GE and LE values, you must satisfy the condition:

Len < GE <= LE

Therefore “ip prefix-list LIST permit ge 8″ is not a valid list.

What you can not do with the prefix-list is match on arbitrary bits like you can in an access-list. Prefix-lists cannot be used to check if a number is even or odd, nor check if a number is divisible by 15, etc… Bit checking in a prefix-list is sequential, starting with the most significant (leftmost) bit.

About Brian McGahan, CCIE #8593, CCDE #2013::13:

Brian McGahan was one of the youngest engineers in the world to obtain the CCIE, having achieved his first CCIE in Routing & Switching at the age of 20 in 2002. Brian has been teaching and developing CCIE training courses for over 10 years, and has assisted thousands of engineers in obtaining their CCIE certification. When not teaching or developing new products Brian consults with large ISPs and enterprise customers in the midwest region of the United States.

Find all posts by Brian McGahan, CCIE #8593, CCDE #2013::13 | Visit Website

You can leave a response, or trackback from your own site.

46 Responses to “How do prefix-lists work?”

  1. Tim says:

    I don’t understand why you say

    “This does not match″

    Yes it will, won’t it?

  2. No, it has to match all 32 bits of the address and the subnet mask must be 24. It is exactly the route The route is a different network.

  3. [...] > CC: > > Hello Mike/Arnold, > > This should help: > > > 2009/5/18 mike arnold > > > Hi, > > > > Am not perfect in prefix-lists can anybody send me a [...]

  4. Nadeem Rafi says:

    Quite good and helpful information.

  5. Peter says:

    Very good article…
    I have been going through some sample configuration(given below) where prefix-list has been used to prevent default route out of the interface. My question is do we really need both these prefix-list statements? Can’t we omit the second line in the prefix-list to acheive this purpose?

    ip prefix-list NODEF_OUT seq 5 deny
    ip prefix-list NODEF_OUT seq 10 permit le 32

    router eigrp 10
    distribute-list prefix NODEF_OUT out Tunnel0

  6. Ciprian says:

    Thank you Brian ! Great explanations !

  7. says:

    What does following prefix list mean?

    ip prefix-list LIST permit

  8. Happy says:

    What should be the prefix list to permit prefix ?

  9. Sumit says:

    Most concise and informative article ever on prefix-list.
    Thanks a lot.

  10. Mark says:

    So if I used to do a reverse mask like:
    permit ip any

    It would now be:
    permit le 32 ?



  11. zak dandashi says:

    Would any Host within the subnet with a prefix-list match the prefix-list?

  12. Bikas Pandey says:

    Thanks for your great explanation.It Solve my problem.

  13. Juan Arce says:

    hey guy, when you say means with netmask — Why did you say that it represents the Class A range?

    Thanks for your future explanation.

    • Kleine says:


      I think you’re right, the correct will be:

      ip prefix-list CLASS_A permit ge 2 le 8

      instead of:

      ip prefix-list CLASS_A permit ge 8 le 8

      to match the entire class A.

      Please, let me know if its wrong.


  14. Juan Arce says:

    ok ok, I’ve got it. Don’t worry, just take it easy!

  15. Frank says:


    ip prefix-list LIST permit le 32

    equates to:

    access-list 100 permit

    A std-access-list can not match on netmasks

  16. Leo says:

    CCNP guide v 3.2, 3-54

    Requirement: The ISP will not accept routes with subnet masks longer than /24; subnet masks from class B address space will be no longer than /20.

    Alegedly the solution is…

    ip prefix-list Peer seq 5 permit le 20
    ip prefix-list Peer seq 10 permit le 24

    I tried it with and it works, the route is permitted and in bgp table. I believe the second statement should permit it. and I think their solution is wrong.
    Can you guys please confirm this?

    Thanks for help guys


  17. Mark says:

    I found this in a prefix list… my question is, due to seq 20, would seq 25-70 be redundant?

    seq 20 permit le 32
    seq 25 permit
    seq 30 permit
    seq 35 permit
    seq 40 permit
    seq 45 permit
    seq 50 permit
    seq 55 permit
    seq 60 permit
    seq 65 permit
    seq 70 permit

    Per seq 20, match the first 8 bits… yes, they all do. Subnet mask has to be less than or equal to 32, so… anything in the 30-dot network is covered, right?

  18. Dragos says:

    What’s happening when I have to following:

    ip prefix-list LIST permit

    The all traffic will be denied or only the traffic from host will be permitted?

    • It depends on how you are applying it. Remember prefix-list are used for route filtering or matching, not for filtering traffic like an access-list. If your case the prefix-list with match only the host route

  19. [...] to filter BGP Updates by Ivan Pepelnjak Using Extended ACLs for BGP Filtering by Brian Dennis How do prefix-lists work? by Brian McGahan Share this:TwitterFacebookLike this:Like Loading… Categories cisco ios, [...]

  20. Basile says:


    What’s happening when I have:

    seq 10 deny ge 16
    seq 15 deny ge 12
    seq 20 deny ge 8
    seq 25 deny ge 8
    seq 35 permit ge 1

    It’ll accept just:,,,

    Thank you for your help.

  21. Basile says:


    In fact, i have this configuration in a Cisco Router but i can’t understand it as well. For my example, what is accepted?

    seq 10 deny ge 16
    seq 15 deny ge 12
    seq 20 deny ge 8
    seq 25 deny ge 8
    seq 35 permit ge 1

    Thank you again,

  22. Priya says:

    Hi All,

    While filtering out the prefixes

    router ospf 1
    area 1 filter-list prefix 10 in

    ip prefix-list 10 seq 20 permit le 32

    what difference it makes if i apply

    ip prefix-list 10 seq 20 permit le 8 instead of 32 ?

    Could you please explain…Thanks in advance.

  23. Manuel says:

    If I want to allow any subnet inside
    Is it enough to use or should it be le 8?

  24. mohammed says:

    hi brain,
    if you want to prevent telneting between two different routing domains with traffic coming from ge 16 le 24

    how can we do that ?

  25. Pradeep says:

    awaesome.Now i can imagine prifixes bit wise and can apply easliy on my project defense project

  26. Kumar Rishikesh says:

    Can we deny Class A and Class B in a single “ip prefix-list” statement?

    This is my assignment question. Kindly help.

  27. Chris says:

    This is excellent thank you!!!!!!

  28. Jon Isunza says:

    Thank you! Your explanation made sense to me.

  29. Ditmar says:

    I am wondering how can we match the default-route.
    I want to receive all the routes from the neighbor except the default-route

    I tried
    IP prefix-list NAME

    but this didn’t work.


Leave a Reply


CCIE Bloggers