Cisco IOS Route Filtering: Distribution Lists, Prefix Lists, Route-Maps

Part of pathway: Full Guide for All IOS Commands

Three Tools for Selecting Routes

Route filtering is how you decide which routes go where: which prefixes to redistribute between protocols, which to advertise to a peer, which to install in the routing table. Cisco IOS has three filter tools that work in concert: distribution lists, prefix lists, and route-maps. Knowing when to reach for each is the difference between fluent CCNP-level routing and hacking around the protocol.

Distribution Lists — The Simple Filter

Filter routes in or out of a routing process using an ACL, prefix-list, or route-map.

! Filter incoming OSPF updates with an ACL
R1(config)# access-list 10 deny 10.99.0.0 0.0.0.255
R1(config)# access-list 10 permit any
R1(config)# router ospf 1
R1(config-router)# distribute-list 10 in

Translation: routes matching ACL 10 (10.99.0.0/24) are blocked from being installed into the routing table; everything else is permitted. The LSA is still in the LSDB and still floods to neighbors; the distribute-list only stops this router from installing the route in its own routing table.

Outbound version controls what gets advertised to neighbors:

R1(config-router)# distribute-list 10 out

Distribution lists with ACLs are limited: a standard ACL tests only the route's network address and says nothing about its prefix length, so it cannot express "any /24 inside 10/8". For that flexibility, point at a prefix-list:

R1(config-router)# distribute-list prefix MYPL in

Prefix Lists — Match Prefixes by Range

Prefix-lists describe IP prefix patterns with prefix-length matching. Far more expressive than ACLs for routing-filter work.

! Match exactly 10.0.0.0/8
R1(config)# ip prefix-list FILTER seq 5 permit 10.0.0.0/8

! Match anything in 10.0.0.0/8 with prefix-length 16-24
R1(config)# ip prefix-list FILTER seq 10 permit 10.0.0.0/8 ge 16 le 24

! Match exactly 0.0.0.0/0 (the default route)
R1(config)# ip prefix-list FILTER seq 15 permit 0.0.0.0/0

! Match ANY IPv4 prefix
R1(config)# ip prefix-list FILTER seq 20 permit 0.0.0.0/0 le 32

! Implicit deny at end

The two key qualifiers:

  • ge N — minimum prefix length (greater-or-equal)
  • le N — maximum prefix length (less-or-equal)

Common patterns:

  • Match any specific subnet of 10/8 with mask /24 to /28: 10.0.0.0/8 ge 24 le 28
  • Match only the default route: 0.0.0.0/0
  • Match any prefix at all: 0.0.0.0/0 le 32
  • Match any host route: 0.0.0.0/0 ge 32
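To make the ge/le semantics concrete, here is an added example (mine, not Cisco's code) that parses the page's `ip prefix-list` lines and evaluates candidate routes against them: entries in sequence order, first match wins, implicit deny at the end. It assumes the defaults described above (no ge/le = exact length only; ge alone = ge..32; le alone = len..le) and rejects ge/le values that are out of order, as IOS does. The `EXACT`, `HOSTS` and `NO-10` lists are constructed for the demonstration.

```python
"""Model of IOS prefix-list matching (added example; not Cisco code).

Parses 'ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]' lines and
evaluates a candidate route the way the text describes: entries in sequence
order, first match wins, implicit deny at the end.
Assumed defaults: no ge/le = exact length only; ge alone = ge..32; le alone = len..le.
"""
import ipaddress
import re
from dataclasses import dataclass

# Accepts an optional "R1(config)# " prompt so the page's own lines can be pasted in.
ENTRY_RE = re.compile(
    r"^(?:\S+# )?ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


@dataclass
class Entry:
    seq: int
    action: str
    network: ipaddress.IPv4Network
    lo: int   # smallest prefix length this entry matches
    hi: int   # largest prefix length this entry matches


def parse_prefix_lists(config: str) -> dict:
    """Return {name: [Entry, ...]} with each list sorted by sequence number."""
    lists: dict = {}
    for raw in config.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line}")
        net = ipaddress.ip_network(m["prefix"], strict=True)
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else (32 if ge is not None else net.prefixlen)
        # IOS refuses ranges that are not ordered len < ge <= le <= 32
        ok = net.prefixlen <= lo <= hi <= 32
        if ge is not None:
            ok = ok and ge > net.prefixlen
        if le is not None:
            ok = ok and le > net.prefixlen
        if not ok:
            raise ValueError(f"invalid ge/le range on: {line}")
        lists.setdefault(m["name"], []).append(Entry(int(m["seq"]), m["action"], net, lo, hi))
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)
    return lists


def entry_matches(entry: Entry, route: ipaddress.IPv4Network) -> bool:
    """The route's leading bits must equal the entry's network and its length must sit in [lo, hi]."""
    return route.subnet_of(entry.network) and entry.lo <= route.prefixlen <= entry.hi


def permits(entries: list, route_str: str) -> bool:
    """Evaluate one route against a prefix-list: first matching entry decides, implicit deny."""
    route = ipaddress.ip_network(route_str, strict=True)
    for entry in entries:
        if entry_matches(entry, route):
            return entry.action == "permit"
    return False


# Constructed sample config: the page's FILTER list, two of the common patterns,
# and a list with an explicit deny so the first-match rule is visible.
SAMPLE_CONFIG = """
R1(config)# ip prefix-list FILTER seq 5 permit 10.0.0.0/8
R1(config)# ip prefix-list FILTER seq 10 permit 10.0.0.0/8 ge 16 le 24
R1(config)# ip prefix-list FILTER seq 15 permit 0.0.0.0/0
ip prefix-list EXACT seq 5 permit 10.0.0.0/8
ip prefix-list HOSTS seq 5 permit 0.0.0.0/0 ge 32
ip prefix-list NO-10 seq 5 deny 10.0.0.0/8 le 32
ip prefix-list NO-10 seq 10 permit 0.0.0.0/0 le 32
"""
LISTS = parse_prefix_lists(SAMPLE_CONFIG)

if __name__ == "__main__":
    for name, route in [("FILTER", "10.1.0.0/16"), ("FILTER", "10.1.2.0/25"),
                        ("EXACT", "10.1.0.0/16"), ("HOSTS", "192.0.2.1/32"),
                        ("NO-10", "10.5.0.0/16"), ("NO-10", "203.0.113.0/24")]:
        print(f"{name:7} {route:16} -> {'permit' if permits(LISTS[name], route) else 'deny'}")
```

Running it shows the pitfall from the text directly: `EXACT` permits 10.0.0.0/8 but denies 10.1.0.0/16, while `FILTER` seq 10 picks up the /16 and stops at /24, so 10.1.2.0/25 falls through to the implicit deny.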

Route-Maps — Match X, Set Y

Route-maps are the universal “match this, then do that” tool. They consist of numbered clauses, each with optional match conditions and set actions, and a permit/deny verdict.

R1(config)# route-map ADJUST permit 10
R1(config-route-map)# match ip address prefix-list MINE
R1(config-route-map)# match interface GigabitEthernet0/1
R1(config-route-map)# set local-preference 200
R1(config-route-map)# set community 65001:100

R1(config)# route-map ADJUST permit 20
R1(config-route-map)# match as-path 1
R1(config-route-map)# set as-path prepend 65001 65001

R1(config)# route-map ADJUST deny 30
R1(config-route-map)# match ip address 99

R1(config)# route-map ADJUST permit 40
! No match = match anything; no set = leave unchanged

Evaluation: clauses are checked in sequence number order. First match wins. The verdict (permit or deny) determines whether the route is allowed through; set statements run only on permitted matches.

Like ACLs, the implicit final clause is “deny everything that didn’t match.” If you want a fall-through-permit, add an empty permit clause at the end (clause 40 in the example above).

Common match conditions

  • match ip address PREFIX-LIST-NAME or match ip address ACL-NUM
  • match ip next-hop — the next-hop IP
  • match ip route-source — who advertised the route
  • match interface — outbound interface
  • match metric — current metric
  • match tag — route tag set elsewhere
  • match as-path — BGP AS-path regex
  • match community — BGP community

Common set actions

  • set ip next-hop
  • set metric
  • set metric-type
  • set local-preference (BGP)
  • set community
  • set as-path prepend
  • set tag
  • set weight

Where Route-Maps Plug In

Route-maps are referenced by other features:

! In BGP, on a neighbor
R1(config-router)# neighbor 198.51.100.1 route-map ADJUST in
R1(config-router)# neighbor 198.51.100.1 route-map ADJUST out

! In redistribution
R1(config-router)# redistribute static route-map ADJUST
R1(config-router)# redistribute eigrp 100 route-map ADJUST

! In PBR (already covered)
R1(config-if)# ip policy route-map ADJUST

Tags — The Glue Between Protocols

When redistributing routes from one protocol to another, attach a tag so you can filter on the same tag in the reverse direction. This prevents redistribution loops.

! Redistributing OSPF into EIGRP, tag the routes
R1(config)# route-map OSPF-INTO-EIGRP permit 10
R1(config-route-map)# set tag 100

R1(config)# router eigrp 100
R1(config-router)# redistribute ospf 1 route-map OSPF-INTO-EIGRP metric 10000 100 255 1 1500

! Going back, deny anything tagged 100 (it came from OSPF; don’t loop)
R1(config)# route-map EIGRP-INTO-OSPF deny 10
R1(config-route-map)# match tag 100
R1(config)# route-map EIGRP-INTO-OSPF permit 20

R1(config)# router ospf 1
R1(config-router)# redistribute eigrp 100 route-map EIGRP-INTO-OSPF subnets
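The evaluation rules from the route-map section (sequence order, first match wins, implicit deny, set only on permit) and the tag-based loop prevention above can be walked through in a small model. This is an added example, mine rather than Cisco's code: it models match conditions as attribute equality (tag, owning protocol) and does not model prefix-list matching, and the "native" 172.16.0.0/16 EIGRP route is constructed for the demonstration.

```python
"""Model of route-map evaluation applied to tag-based loop prevention
(added example; not Cisco code). Clauses are evaluated in sequence-number
order, the first clause whose match conditions all hold decides, a deny
verdict or the implicit deny at the end drops the route, and set actions
run only on a permit. Match conditions are modelled as attribute equality
(tag, source protocol); prefix-list matching is not modelled here.
"""
from dataclasses import dataclass, field, replace
from typing import Optional


@dataclass
class Route:
    prefix: str
    source: str                 # protocol the route currently belongs to
    tag: Optional[int] = None   # route tag carried across redistribution


@dataclass
class Clause:
    seq: int
    action: str                                 # "permit" or "deny"
    match: dict = field(default_factory=dict)   # {} means "match anything"
    set: dict = field(default_factory=dict)     # {} means "leave unchanged"


def apply_route_map(clauses: list, route: Route) -> Optional[Route]:
    """Return a modified copy of the route if permitted, None if denied."""
    candidate = replace(route)   # never mutate the caller's table entry
    for clause in sorted(clauses, key=lambda c: c.seq):
        # all conditions in one clause must hold (AND); none at all matches everything
        if all(getattr(candidate, attr) == want for attr, want in clause.match.items()):
            if clause.action == "deny":
                return None
            for attr, value in clause.set.items():   # set runs only on a permitted match
                setattr(candidate, attr, value)
            return candidate
    return None                  # implicit deny: nothing matched


def redistribute(route: Optional[Route], route_map: list, into: str) -> Optional[Route]:
    """Simulate 'redistribute <source> route-map <route_map>' under protocol `into`."""
    if route is None:
        return None
    result = apply_route_map(route_map, route)
    if result is not None:
        result.source = into
    return result


# The page's two route-maps, as clause lists.
OSPF_INTO_EIGRP = [Clause(10, "permit", set={"tag": 100})]
EIGRP_INTO_OSPF = [Clause(10, "deny", match={"tag": 100}),
                   Clause(20, "permit")]                      # fall-through permit
# Pitfall variant: same deny clause, but the fall-through permit (clause 20) was forgotten.
EIGRP_INTO_OSPF_NO_FALLTHROUGH = [Clause(10, "deny", match={"tag": 100})]


def round_trip(prefix: str, back_map: list) -> dict:
    """Push one OSPF route into EIGRP, then try to redistribute it (and a native
    EIGRP route) back into OSPF; returns what each step produced."""
    in_eigrp = redistribute(Route(prefix, "ospf"), OSPF_INTO_EIGRP, "eigrp")
    looped_back = redistribute(in_eigrp, back_map, "ospf")
    native = redistribute(Route("172.16.0.0/16", "eigrp"), back_map, "ospf")  # constructed route
    return {"in_eigrp": in_eigrp, "looped_back": looped_back, "native_into_ospf": native}


if __name__ == "__main__":
    for name, rm in [("with fall-through", EIGRP_INTO_OSPF),
                     ("without fall-through", EIGRP_INTO_OSPF_NO_FALLTHROUGH)]:
        print(name, round_trip("10.99.0.0/24", rm))
```

With the fall-through clause, the tagged route is stopped on its way back into OSPF while the native EIGRP route passes; without it, both are dropped by the implicit deny, which is exactly the "missing fallthrough" pitfall listed below.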

Verifying

R1# show route-map
R1# show ip prefix-list
R1# show ip prefix-list detail FILTER
R1# show ip protocols   ! shows distribute-lists in effect

Common Pitfalls

  • Route-map missing fallthrough. Implicit deny at end. Forget to add the permit-anything-else clause and your filter rejects everything you didn’t explicitly permit.
  • Prefix-list ge/le defaults. Without ge/le, the prefix-list matches the prefix exactly. 10.0.0.0/8 alone matches only the literal /8, not any subset.
  • ACL vs prefix-list misuse. ACLs aren’t designed for prefix matching with mask-length flexibility. Use prefix-lists for routing filters; ACLs for ACLs.
  • Distribute-list filtering OSPF intra-area routes outbound. Doesn’t work; OSPF floods LSAs by design. Filter at redistribution boundaries instead.
  • Route-map clause order. Numbers determine sequence. Leave gaps (10, 20, 30) so you can insert later without renumbering.
  • Forgotten redistribution loop. Without tags, redistributing protocol A into protocol B and B back into A creates a loop. Always tag.

Conclusion

Three tools, one decision tree:

  1. Need to filter routes by exact prefix? ACL in a distribute-list (legacy but works).
  2. Need to filter routes by prefix range with mask flexibility? Prefix-list, referenced from a distribute-list or route-map.
  3. Need to filter and set attributes (local-pref, community, tag, next-hop)? Route-map, calling a prefix-list inside.

For BGP and redistribution, route-maps are the right answer almost always. They cost a few extra config lines but give you a single place to tweak both filtering and attribute manipulation.
