
What Is a Prefix List in Networking?

Also known as: prefix list, Cisco prefix list, route filtering, CCNP ENCOR, BGP prefix list

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

A prefix list is a tool used in Cisco routers to filter network routes. Think of it as a bouncer that checks the address and size of every route trying to enter or leave your router. It decides which routes are allowed and which are blocked based on their network address and subnet mask. Network engineers use prefix lists to control routing updates and keep networks efficient.

Must Know for Exams

Prefix lists are a core topic in the CCNP Enterprise ENCOR 350-401 exam. The exam objectives explicitly list route filtering using prefix lists and distribute-lists under the Routing Technologies section. Cisco expects candidates to understand the syntax, the order of evaluation, and the use of ge and le operators. Questions often require you to interpret an existing prefix list configuration and predict which routes it will permit or deny. You may also be asked to identify the correct prefix list to achieve a specific filtering goal in a multi-protocol environment.

In the exam, prefix list questions often combine with BGP, OSPF, and route redistribution. For example, you might be given a topology with two routing domains and asked to filter only certain routes during redistribution. The correct answer will involve configuring a prefix list and applying it with a route-map. The exam tests your ability to distinguish between prefix lists and access lists. A common pitfall is using an ACL where a prefix list is more appropriate. Cisco explicitly tests this distinction because it is a real-world source of confusion.

Additionally, the ENCOR exam includes troubleshooting scenarios where a prefix list is misconfigured. You may be shown the output of show ip prefix-list and asked to find the error, such as a wrong order of entries or an incorrect ge/le value. Understanding the implicit deny at the end is critical. Many learners forget that if a route does not match any entry, it is denied. The exam will use this to create traps where a candidate assumes that routes not matched are permitted.

For those taking the CCNP Enterprise core exam, prefix lists are also relevant to the automation and assurance sections because modern network automation tools like Ansible often manage prefix list configurations. While the exam focuses on CLI configuration, understanding the logic behind prefix lists helps in automated deployments. Practicing with Packet Tracer or GNS3 labs that require prefix list configuration for route filtering is highly recommended for exam preparation.

Simple Meaning

Imagine you are a post office sorter. Every piece of mail that comes in has a destination address and sometimes a size or package type. As the sorter, you need to decide which mail goes where and which mail to reject.

A prefix list is like a set of instructions that tells the sorter exactly which addresses and package sizes to accept and which to throw away. In networking, routers constantly share information about the paths they know to reach different networks. This sharing is called routing.

A router might receive thousands of these path announcements. Some of those paths lead to networks that the router should know about, while others are invalid, undesirable, or even dangerous. The prefix list acts as a filter that inspects each incoming or outgoing route announcement.

It checks two things: the network address itself, such as 10.1.1.0, and the subnet mask, such as 255.255.255.0. By comparing the route against the criteria in the list, the router decides whether to accept the route, reject it, or modify it.

This is different from an access control list, which filters based on source and destination IP addresses in data packets. A prefix list focuses on the route itself, not the traffic traveling along that route. That makes it a powerful tool for shaping how routing tables are built and how traffic flows across an enterprise network.

For exam purposes, think of a prefix list as a precise scalpel that lets you control routing behavior with surgical accuracy, rather than a blunt hammer. It helps network administrators enforce policies, prevent routing loops, and keep the network stable.

Full Technical Definition

A prefix list is a Cisco IOS feature used to match network prefixes and prefix lengths for the purpose of route filtering and redistribution. It operates at the routing protocol level and is commonly used with protocols such as OSPF, EIGRP, and BGP. The prefix list consists of a sequence of entries with an implicit deny all at the end. Each entry includes a sequence number, a permit or deny action, a network prefix, and optional ge and le keywords that specify a prefix length range. For example, the entry ip prefix-list EXAMPLE permit 10.0.0.0/8 le 16 permits any route that falls within the 10.0.0.0/8 range and has a prefix length of 16 or less, meaning it matches 10.0.0.0/8, 10.0.0.0/9, 10.0.0.0/10, and so on up to /16. The ge keyword specifies a minimum prefix length, while le specifies a maximum. When used together, they define a range. A prefix list entry without ge or le matches only the exact prefix and exact length. This granularity allows engineers to filter routes based on subnet size, which is critical in BGP route filtering where you may want to accept only aggregate routes and reject more specific subnets.

In real environments, prefix lists are applied using the distribute-list command in routing protocol configuration mode, or directly in BGP using the neighbor prefix-list command. They are also used in route-map clauses for redistribution. Unlike access lists, prefix lists are evaluated in order until a match is found. If no match occurs, the route is denied by default. Performance is a key advantage: prefix lists are processed in hardware on many Cisco platforms, making them faster than extended access lists. They also support sequence numbers, allowing you to insert or delete entries without rebuilding the entire list.

Prefix lists are integral to BGP policy implementation. For example, an ISP might use a prefix list to accept only customer prefixes that fall within a registered address range. In enterprise networks, prefix lists control which routes are advertised between routing domains or to branch offices. The syntax is straightforward but requires careful planning. A common exam scenario is configuring a prefix list to allow only a specific set of networks while blocking all others. Engineers must understand the difference between the prefix and the prefix length. The prefix is the network address, while the length is the subnet mask in slash notation. Mistaking one for the other is a frequent error in both real-world and exam configurations.

Real-Life Example

Imagine you work in a large office building with multiple floors. Each floor has a different department: sales on floor two, engineering on floor three, and HR on floor four. The building has a central mailroom that receives all packages and distributes them to the correct floors.

However, some packages are addressed incorrectly or come from untrusted sources. The mailroom manager creates a list of approved senders and acceptable package sizes. This is the prefix list.

For example, the manager decides that only packages from the corporate headquarters with a size between small and medium will be accepted for engineering. Packages from any other sender or with a large size are rejected. In this analogy, the sender address is the network prefix, like 10.1.2.0. The package size is the subnet mask, like /24, which tells you how big the network is. The mailroom manager’s list is the prefix list.

When a package arrives from address 10.1.2.0 with size /24, the mailroom checks the list. If the list says permit 10.1.2.0/24, the package goes through. If the list says permit 10.0.0.0/8 le 24, the package also goes through because the address falls within the 10.0.0.0 block and the size is 24 or smaller. If the list says deny any, the package is discarded. This step-by-step checking mirrors how a router processes routes using a prefix list.

The router examines each route, compares it to the entries in the prefix list in order, and either accepts or rejects it. The mailroom manager can update the list by inserting new rules without rewriting the whole manual. Similarly, network engineers can add new entries to a prefix list without deleting existing ones, using sequence numbers.

This analogy demonstrates the precision and flexibility of prefix lists in controlling routing information.

Why This Term Matters

Prefix lists matter because they give network engineers fine-grained control over routing behavior in production networks. Without prefix lists, routers would accept every route they receive from neighboring routers, which could lead to routing loops, suboptimal paths, and even security breaches. For example, if a router accidentally learns a more specific route to a critical internal network through an external BGP peer, traffic could be misdirected outside the enterprise. A prefix list can block such specific routes and only accept aggregated ones.

In enterprise networking, prefix lists are used to implement traffic engineering policies. An administrator can decide which branch locations receive default routes and which receive full routing tables. This control saves bandwidth and memory on smaller routers. In BGP peering scenarios, ISPs use prefix lists to enforce their routing policies, such as accepting only routes that belong to their customers. This prevents route hijacking and accidental advertisement of prefixes that the ISP does not own.

Security is another reason prefix lists are critical. By filtering routes at the edge of the network, you can prevent certain networks from being reachable from the outside. For instance, an organization might use a prefix list to block any route that advertises its internal RFC 1918 address space to the internet. This stops potential attackers from learning about the internal network structure. In MPLS and VPN environments, prefix lists control which customer routes are imported into the VRF. Without proper filtering, routes could leak between customers, causing data breaches.

For IT professionals working toward CCNP certification, mastering prefix lists is non-negotiable. They appear in almost every routing configuration scenario. Understanding how to design and apply prefix lists reduces troubleshooting time. A misconfigured prefix list can silently drop routes, causing traffic black holes that are difficult to diagnose. Therefore, learning to verify prefix lists with show ip prefix-list detail and debugging commands is a practical skill that separates competent engineers from novices.

How It Appears in Exam Questions

Prefix list questions appear in several forms across the ENCOR exam. The most common type is the direct configuration question. For example, the exam might present a scenario where a router is learning unwanted routes from a neighbor via BGP. The candidate must select the correct prefix list syntax to block those routes. The answer choices often include variations with wrong ge or le values, reversed permit and deny, or incorrect prefix notation. You must carefully read the prefix and the range requested.

Another frequent question type is the interpretation question. The exam shows a prefix list output, such as ip prefix-list FILTER seq 5 deny 192.168.0.0/16 ge 20 le 24, and asks you to determine which of several sample routes are permitted or denied. You need to evaluate each route against the entry. For example, 192.168.1.0/24 would be denied because it matches the prefix and has a prefix length of 24 which falls within the range 20 to 24. 192.168.0.0/16 would be denied only if the entry explicitly matches that length, but since this entry requires a length of at least 20, 192.168.0.0/16 does not match and would be evaluated by subsequent entries or denied by the implicit deny all.

Scenario-based troubleshooting questions are very common. A question describes a network where certain routes are not being advertised after a redistribution operation. The configuration includes a prefix list applied with a route-map. The candidate must identify that the prefix list is misconfigured, perhaps because it is missing the le keyword needed to include the specific subnet in question. These questions test deep understanding of the order of evaluation and the default deny.

Architecture questions may ask about best practices: when to use prefix lists versus route-maps versus access lists. For example, a question might ask which method is most appropriate for filtering routes based on subnet size. The correct answer is a prefix list because it can match prefix length. Access lists cannot match prefix length directly. This distinction is a classic exam point.

Finally, drag-and-drop and multiple-select questions require you to sequence the steps to configure a prefix list correctly. You may need to place the commands in the correct order: create the prefix list, apply it under the routing protocol with distribute-list, verify with show commands. Cisco expects you to know the exact CLI syntax and the order of operations.


Example Scenario

Scenario: You are the network administrator for a company with two branch offices and a headquarters. The HQ router runs BGP with an ISP, and also runs OSPF internally. You want to advertise only the summary route 10.0.0.0/8 to the ISP, but you also want to block any route that is more specific than /24 from entering your OSPF domain from the ISP. You decide to use a prefix list.

First, you create a prefix list named TO_ISP that permits 10.0.0.0/8 exactly. Then you apply it outbound on the BGP session to the ISP. This ensures the ISP only receives the summary. Next, you create a prefix list named FROM_ISP that denies any route with a prefix length greater than 24, and permits everything else. You apply this inbound on the same BGP session. Now, when the ISP sends a route like 10.1.2.0/25, the prefix list checks the length: 25 is greater than 24, so the route is denied and does not enter the OSPF domain.

The HQ router’s routing table stays clean and efficient. This scenario demonstrates how prefix lists help control the granularity of routing information both inbound and outbound.

Common Mistakes

Confusing prefix list sequence numbers with ACL line numbers, thinking that higher sequence numbers are processed first

Prefix lists are evaluated in ascending sequence number order from lowest to highest, not highest first. The first match is applied. If a lower sequence number matches, higher ones are ignored. Thinking the reverse causes incorrect filtering.

Remember that sequence numbers start at 5 by default and increase by 5. The router always starts at the smallest number. When adding new entries, insert them with sequence numbers that place them in the correct evaluation order.

Using an access list instead of a prefix list to filter routes based on subnet mask length

Access lists can only match source and destination IP addresses, not the prefix length or subnet mask of a route. They cannot distinguish between a /24 and a /25 route. For route filtering based on network size, only prefix lists or route-maps with prefix-list match work.

If you need to filter routes by subnet mask, always use a prefix list. For example, to allow only /24 routes from 192.168.0.0/16, use ip prefix-list ALLOW24 permit 192.168.0.0/16 ge 24 le 24.

Forgetting the implicit deny at the end of the prefix list and assuming unmatched routes are permitted

A prefix list ends with an implicit deny all. If a route does not match any permit entry, it is automatically denied. Many learners write only permit entries and believe that all other routes pass through, but that is incorrect.

Always include a permit any any entry if you want to allow all routes that were not explicitly denied. For example, add ip prefix-list EXAMPLE permit 0.0.0.0/0 le 32 as the last entry to permit everything else.

Misunderstanding the ge and le keywords: thinking that ge means greater than or equal to the prefix length of the network statement

The ge and le keywords modify the range of prefix lengths that match, but they are relative to the prefix in the network statement. For example, ip prefix-list TEST permit 10.0.0.0/8 ge 16 means the prefix must be within 10.0.0.0/8, and the prefix length must be at least 16. It does not mean the prefix length is greater than or equal to 8. The base prefix is a starting point, not a length threshold.

Interpret the network statement as the starting prefix and the ge and le as the allowable range of prefix lengths. A route 10.1.0.0/16 matches 10.0.0.0/8 ge 16 le 24 because it is within the 10.0.0.0/8 block and its length 16 is in the range 16 to 24. A route 10.0.0.0/8 does not match because its length 8 is less than 16.

Not using sequence numbers and then trying to delete or insert entries, causing the entire prefix list to be rebuilt

Without sequence numbers, entries are automatically assigned incrementing numbers starting from 5. If you delete an entry, the remaining entries retain their original numbers, but you cannot insert an entry between them without removing and re-adding. This leads to accidental removal of valid entries.

Always specify sequence numbers explicitly when configuring prefix lists, especially in production. Use ip prefix-list NAME seq 10 permit ... to control the order. To insert a new entry between seq 10 and seq 15, use seq 12. This maintains the intended order without deleting existing entries.

Applying the prefix list to the wrong direction (inbound vs outbound) in a distribute-list or BGP neighbor statement

Applying an inbound prefix list filters routes coming into the router from a neighbor. Applying an outbound prefix list filters routes being advertised out of the router. Confusing the two can block the routes you want to receive while allowing the routes you want to block.

Use the mnemonic: inbound filters what you learn, outbound filters what you tell others. In BGP, neighbor x.x.x.x prefix-list NAME in filters incoming routes. neighbor x.x.x.x prefix-list NAME out filters outgoing routes. Always verify with show ip bgp neighbors x.x.x.x advertised-routes or received-routes.

Exam Trap — Don't Get Fooled

The exam shows a prefix list with entry ip prefix-list DENY permit 10.0.0.0/8 and asks if a route 10.0.0.0/16 is permitted or denied. Many candidates incorrectly think that 10.0.0.0/16 matches because it starts with 10.0.0.0. Always check the prefix length when ge or le are absent. If no range is specified, the entry matches only routes with that exact network and exact prefix length. In the example, /16 is not /8, so no match. The route would fall through to the next entry or be denied by implicit deny. Use the ge and le keywords if you intend to match subnets within a larger block.

Commonly Confused With

Prefix List vs Access Control List (ACL)

An ACL filters data packets based on source and destination IP addresses, ports, and protocols. A prefix list filters routing updates based on network prefixes and prefix lengths. ACLs cannot match subnet mask length, while prefix lists cannot match port numbers or protocol types.

To block traffic from 10.0.0.0/8, use an ACL. To block route advertisement of 10.0.0.0/8 from a BGP neighbor, use a prefix list.

Prefix List vs Route Map

A route map is a more complex conditional structure that can match routes using prefix lists or ACLs and then set attributes like metric or next-hop. A prefix list is a simpler filter that only permits or denies based on prefix and length. Route maps can perform actions like setting BGP local preference, while prefix lists cannot.

Use a prefix list to deny all /32 routes. Use a route map to match that prefix list and then set the weight for permitted routes.

Prefix List vs Distribute List

A distribute list is the command that applies an ACL or prefix list to a routing protocol. The prefix list is the actual filter; the distribute list is the mechanism to apply it. Learners often use the terms interchangeably, but they are distinct: distribute-list prefix-list NAME in applies a prefix list.

ip prefix-list PL permit 10.0.0.0/8 is the prefix list. router ospf 1 distribute-list prefix-list PL in is the distribute list that applies it.

Prefix List vs Filter List (BGP)

A filter list in BGP uses a path access list that matches AS-path strings. It is different from a prefix list which matches network prefixes. Filter lists are used to control BGP routes based on the AS path, not the network address or mask.

To block routes originating from AS 65000, use a filter list with ip as-path access-list. To block routes with prefix 10.0.0.0/8, use a prefix list.

Step-by-Step Breakdown

1. Define the filtering goal

Determine which routes you want to permit or deny. Specify the network prefixes and the range of prefix lengths. For example, you may want to deny all /32 routes from a BGP peer and permit only /24 to /28 routes.

2. Create the prefix list with sequence numbers

Use the command ip prefix-list NAME seq NUMBER permit|deny PREFIX/LENGTH [ge VALUE] [le VALUE]. Sequence numbers control evaluation order. Start with seq 5 or 10. Add entries from most specific to most general to ensure correct matching.

3. Verify the prefix list syntax

Use show ip prefix-list NAME detail to display all entries, their sequence numbers, and the matched count. Check for typos in the prefix, length, or ge/le values. The router will accept the command even if the prefix is invalid, so verification is essential.

4. Apply the prefix list to the routing protocol

For OSPF or EIGRP, use the distribute-list prefix-list NAME in|out under the routing process. For BGP, use neighbor IP-ADDRESS prefix-list NAME in|out. The direction determines whether you filter incoming or outgoing route updates.

5. Test and monitor the filtering

After applying, use show ip route to confirm the expected routes are present or absent. Use show ip bgp neighbors IP-ADDRESS received-routes to see what BGP routes are being filtered. Clear routing protocol adjacencies if necessary to force updates.

6. Troubleshoot if necessary

If routes are missing or unexpected routes appear, check the prefix list entry order. Remember the implicit deny. Use debug ip ospf distribute-list or similar commands to see which routes are being permitted or denied. Adjust sequence numbers or add new entries as needed.

Practical Mini-Lesson

Prefix lists are a foundational tool for any network engineer working with Cisco routers. Their core purpose is to filter routing information based on the network prefix and its length, which is essential for controlling route advertisement, preventing routing loops, and implementing security policies. In practice, you will encounter prefix lists most frequently in BGP configurations. For example, when an enterprise connects to an ISP, the ISP typically provides a prefix list that defines exactly which customer networks they will accept. If the customer accidentally advertises a prefix that is not on the list, the ISP will reject it. This prevents route hijacking and keeps the global routing table stable.

To illustrate a typical configuration, consider a network that has two BGP peers. You want to receive only the default route from one peer and all routes from the other. For the default-only peer, you create a prefix list that permits only 0.0.0.0/0 exactly: ip prefix-list DEFAULT permit 0.0.0.0/0. Then you apply it inbound on that peer: neighbor 192.0.2.1 prefix-list DEFAULT in. For the full route peer, you create a prefix list that permits any prefix up to /24: ip prefix-list ALLOW permit 0.0.0.0/0 le 24, and apply it inbound. This ensures you do not overload your router with thousands of more specific routes.

What can go wrong? The most common issue is the silent discard. A misconfigured prefix list may deny routes that you need, causing traffic black holes. For example, if you mistakenly use le 23 instead of le 24, you will block all /24 routes. Another problem is order sensitivity. If you have a deny entry that matches a broad range placed before a permit entry for a specific subnet, the specific subnet will be denied because the first match wins. Always put more specific entries before broad ones.

Professionals also use prefix lists in route-maps for redistribution. For example, when redistributing OSPF into BGP, you can use a route-map that calls a prefix list to filter which OSPF routes are injected. This is a two-step process: create the prefix list, then create the route-map with match ip address prefix-list NAME. The route-map can also set BGP attributes like community or metric.

In exam labs, you will be expected to configure prefix lists from scratch. Practice using the command line: start with ip prefix-list PL permit 10.10.0.0/16 ge 20 le 24. Then verify with show ip prefix-list PL. Understand that the ge 20 means the prefix length must be at least 20, and le 24 means at most 24. So a route 10.10.16.0/20 matches, but 10.10.0.0/16 does not because its length 16 is below 20. This concept is the most challenging for beginners, so invest time in building mental models. A good drill is to write down a prefix list entry and then list five sample routes, determining whether each is permitted or denied. Do this until it becomes automatic.
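The drill above can be automated. The following Python sketch is an added example, not code from this page or from Cisco: it models the matching rules as this page states them (exact match without ge/le, first match in ascending sequence order, implicit deny) and also flags entries that can never match because one earlier entry covers them, the order problem described earlier in this section. The FILTER, PL and DENY entries are quoted from this page; the FROM_ISP and ORDER lists, the sample routes and all function names are assumptions made for the example.

```python
import ipaddress
import re

# ip prefix-list NAME [seq N] permit|deny A.B.C.D/LEN [ge X] [le Y]
ENTRY_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? (?P<action>permit|deny)"
    r" (?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


def parse(config):
    """Return {list name: [(seq, action, network, min_len, max_len), ...]}."""
    lists = {}
    for raw in config.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m is None:
            raise ValueError(f"not a prefix-list entry: {raw!r}")
        net = ipaddress.IPv4Network(m["prefix"])
        entries = lists.setdefault(m["name"], [])
        # Unnumbered entries are numbered in steps of 5, starting at 5.
        last = max((e[0] for e in entries), default=0)
        seq = int(m["seq"]) if m["seq"] else last + 5
        # No ge/le: exact length. ge only: up to /32. le only: from own length.
        lo = int(m["ge"]) if m["ge"] else net.prefixlen
        hi = int(m["le"]) if m["le"] else (32 if m["ge"] else net.prefixlen)
        if not net.prefixlen <= lo <= hi <= 32:
            raise ValueError(f"length range can never match: {raw!r}")
        entries.append((seq, m["action"], net, lo, hi))
        entries.sort(key=lambda e: e[0])
    return lists


def evaluate(entries, route):
    """First match in ascending sequence order wins; no match is the implicit deny."""
    r = ipaddress.IPv4Network(route)
    for seq, action, net, lo, hi in entries:
        if lo <= r.prefixlen <= hi and r.subnet_of(net):
            return action, seq
    return "deny", None


def find_shadowed(entries):
    """(seq, covering seq) for entries fully covered by one earlier entry."""
    hits = []
    for j, (seq_j, _, net_j, lo_j, hi_j) in enumerate(entries):
        for seq_i, _, net_i, lo_i, hi_i in entries[:j]:
            # Same or narrower block and same or narrower length range.
            if net_j.subnet_of(net_i) and lo_i <= lo_j and hi_j <= hi_i:
                hits.append((seq_j, seq_i))
                break
    return hits


# Constructed sample config. FILTER, PL and DENY are quoted from the page;
# FROM_ISP and ORDER are this example's rendering of scenarios described in prose.
SAMPLE = """
ip prefix-list FILTER seq 5 deny 192.168.0.0/16 ge 20 le 24
ip prefix-list PL permit 10.10.0.0/16 ge 20 le 24
ip prefix-list DENY permit 10.0.0.0/8
ip prefix-list FROM_ISP seq 5 deny 0.0.0.0/0 ge 25
ip prefix-list FROM_ISP seq 10 permit 0.0.0.0/0 le 32
ip prefix-list ORDER seq 5 deny 10.0.0.0/8 le 32
ip prefix-list ORDER seq 10 permit 10.1.2.0/24
ip prefix-list ORDER seq 15 permit 0.0.0.0/0 le 32
"""

# Constructed drill: (list name, candidate route).
DRILL = [
    ("FILTER", "192.168.1.0/24"), ("FILTER", "192.168.0.0/16"),
    ("PL", "10.10.16.0/20"), ("PL", "10.10.0.0/16"),
    ("DENY", "10.0.0.0/16"), ("ORDER", "10.1.2.0/24"),
    ("FROM_ISP", "10.1.2.0/25"), ("FROM_ISP", "10.1.2.0/24"),
]


def run_drill(config=SAMPLE, drill=DRILL):
    """Return (list, route, action, matching seq or None) for each drill item."""
    lists = parse(config)
    return [(name, route, *evaluate(lists[name], route)) for name, route in drill]


if __name__ == "__main__":
    for name, route, action, seq in run_drill():
        where = f"seq {seq}" if seq is not None else "implicit deny"
        print(f"{name:9} {route:18} {action:6} ({where})")
    for name, entries in parse(SAMPLE).items():
        for dead, by in find_shadowed(entries):
            print(f"{name}: seq {dead} can never match, covered by seq {by}")
```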

Prefix lists integrate with broader networking concepts like summarization, route aggregation, and policy-based routing. Understanding them deeply will help you in the ENCOR exam and in real-world troubleshooting. Always remember to test your configuration in a lab environment before applying it to production.

Memory Tip

Remember the acronym PLG: Prefix, Length, and ge/le. The prefix tells you the network block, the length gives the exact match, and ge/le modify the range. If neither ge nor le is present, the match is exact. For exams, think of the prefix list as a gate that checks the address and the size of the route.


Frequently Asked Questions

What is the difference between a prefix list and an access list?

A prefix list filters routes based on network prefix and prefix length, while an access list filters data packets based on IP addresses and ports. Prefix lists are used in routing protocols, not for traffic filtering.

Can I use a prefix list to filter traffic like a firewall?

No. Prefix lists only filter routing updates, not actual data traffic. To filter data packets, you need an access list applied to an interface or a firewall rule.

What does the ge keyword mean in a prefix list?

Ge stands for greater than or equal to. It sets the minimum prefix length that a route must have to match. For example, ge 16 means the route must have a prefix length of at least 16.

What is the implicit rule at the end of a prefix list?

There is an implicit deny any at the end of every prefix list. If a route does not match any permit entry, it is denied by default.

Do prefix lists support IPv6?

Yes. Cisco IOS has ipv6 prefix-list for IPv6 routes. The syntax is similar: ipv6 prefix-list NAME permit 2001:db8::/32 ge 48 le 64.

How do I apply a prefix list to OSPF?

Use the command router ospf PROCESS-ID, then distribute-list prefix-list NAME in or out. The distribute-list applies the prefix list to filter OSPF routes.

Can I use a prefix list to filter routes in EIGRP?

Yes. EIGRP uses the same distribute-list prefix-list command under the EIGRP process. Prefix lists work with EIGRP, OSPF, and BGP.

What happens if I delete a prefix list that is currently applied?

The route filtering stops, and the router will accept or advertise routes without that filter. It is safest to remove the prefix list application under the routing process before deleting the list.

Why do prefix lists have sequence numbers?

Sequence numbers allow you to insert, delete, or reorder entries without removing the entire list. They also determine the evaluation order, from lowest to highest.

Is a prefix list case-sensitive?

No. Cisco IOS prefix list names are case-sensitive, but the network prefixes and keywords like permit, deny, ge, le are not. Always use consistent naming.

Summary

A prefix list is a Cisco IOS feature that filters routing updates based on network prefix and prefix length. It is an essential tool for controlling which routes enter or leave a router, enabling network administrators to enforce policies, prevent routing loops, and secure the routing infrastructure. Unlike access lists, prefix lists can match the subnet mask of a route, making them ideal for BGP, OSPF, and EIGRP route filtering.

For the CCNP ENCOR exam, you must understand the syntax, evaluation order, and the use of ge and le keywords. Common mistakes include confusing prefix lists with ACLs, forgetting the implicit deny, and misinterpreting ge/le ranges. To master prefix lists, practice building them in a lab environment and verifying their effect on the routing table.

Remember that the first matching entry in a prefix list determines the action, and unmatched routes are denied. By thoroughly understanding prefix lists, you will be prepared to tackle routing policy questions in both the exam and real-world network scenarios.