
IP Prefix List

IP prefix lists provide ordered sets of permit/deny rules for filtering IPv4 routes based on network prefix and prefix length, serving as a fundamental building block for routing policy on NX-OS. Each entry supports exact match or range-based matching with configurable minimum and maximum prefix lengths, enabling precise control over which routes are accepted or advertised by routing protocols. Prefix lists are commonly referenced by route maps, BGP neighbor policies, OSPF redistribution, and other routing policy constructs to implement granular route filtering and traffic engineering.

| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| ip_prefix_lists | List[ip_prefix_lists] | | No | |

ip_prefix_lists (nxos.devices.configuration)

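| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| name | String | | Yes | |
| description | String | | No | |
| entries | List[entries] | | No | |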

entries (nxos.devices.configuration.ip_prefix_lists)

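| Name | Type | Constraint | Mandatory | Default Value |
|------|------|------------|-----------|---------------|
| seq | Integer | | Yes | |
| action | Choice | permit, deny | No | permit |
| prefix | IP | | No | |
| mask | IP | | No | |
| criteria | Choice | exact, inexact | No | exact |
| ge | Integer | min: 0, max: 128 | No | 0 |
| le | Integer | min: 0, max: 128 | No | 0 |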

Example 1: Simple prefix list to match loopback addresses for OSPF-to-BGP redistribution

```yaml
nxos:
  devices:
    - name: SPINE1
      configuration:
        ip_prefix_lists:
          - name: PL-LOOPBACKS
            description: "Match all fabric loopback /32 addresses"
            entries:
              - seq: 10
                action: permit
                prefix: 10.1.100.0/24
                criteria: inexact
                ge: 32
                le: 32
              - seq: 20
                action: permit
                prefix: 10.1.200.0/24
                criteria: inexact
                ge: 32
                le: 32
```

Example 2: Multiple prefix lists for BGP route filtering — tenant subnets and default route

```yaml
nxos:
  devices:
    - name: LEAF1
      configuration:
        ip_prefix_lists:
          # Match tenant subnet routes
          - name: PL-TENANT-NETS
            description: "Permit tenant network prefixes"
            entries:
              - seq: 10
                action: permit
                prefix: 192.168.1.0/24
                criteria: exact
              - seq: 20
                action: permit
                prefix: 192.168.2.0/24
                criteria: exact
              - seq: 30
                action: permit
                prefix: 172.17.1.0/24
                criteria: exact
          # Match only the default route
          - name: PL-DEFAULT-ONLY
            description: "Permit default route only"
            entries:
              - seq: 10
                action: permit
                prefix: 0.0.0.0/0
                criteria: exact
```

Example 3: Advanced prefix lists with range matching for route aggregation policy on a border leaf

```yaml
nxos:
  devices:
    - name: BORDER-LEAF1
      configuration:
        ip_prefix_lists:
          # Deny the exact RFC 1918 aggregates, then permit any prefix from /8 to /24
          - name: PL-EXTERNAL-PREFIXES
            description: "Accept external routes between /8 and /24"
            entries:
              - seq: 10
                action: deny
                prefix: 10.0.0.0/8
                criteria: exact
              - seq: 20
                action: deny
                prefix: 172.16.0.0/12
                criteria: exact
              - seq: 30
                action: deny
                prefix: 192.168.0.0/16
                criteria: exact
              - seq: 40
                action: permit
                prefix: 0.0.0.0/0
                criteria: inexact
                ge: 8
                le: 24
          # Firewall redirect destinations
          - name: PL-FIREWALL-REDIRECT
            description: "Prefixes to redirect through firewall"
            entries:
              - seq: 10
                action: permit
                prefix: 10.50.202.0/24
                criteria: inexact
                ge: 24
                le: 32
```
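
The Python sketch below is an added example, not part of the original documentation or the project's code. It evaluates the PL-EXTERNAL-PREFIXES entries from Example 3 against a few constructed routes, to show which ones the list accepts. It assumes the model's entries follow standard NX-OS prefix-list semantics (lowest `seq` first, first match wins, implicit deny at the end) and that a `ge`/`le` value of 0 means "not set".

```python
import ipaddress

# Entries copied from Example 3 (PL-EXTERNAL-PREFIXES) on this page.
PL_EXTERNAL_PREFIXES = [
    {"seq": 10, "action": "deny", "prefix": "10.0.0.0/8", "criteria": "exact"},
    {"seq": 20, "action": "deny", "prefix": "172.16.0.0/12", "criteria": "exact"},
    {"seq": 30, "action": "deny", "prefix": "192.168.0.0/16", "criteria": "exact"},
    {"seq": 40, "action": "permit", "prefix": "0.0.0.0/0",
     "criteria": "inexact", "ge": 8, "le": 24},
]

def entry_matches(entry, route):
    """True if `route` lies inside the entry's prefix and length window."""
    base = ipaddress.ip_network(entry["prefix"])
    if not route.subnet_of(base):
        return False
    if entry.get("criteria", "exact") == "exact":
        return route.prefixlen == base.prefixlen
    # Assumption: ge/le of 0 (the schema default) means "not set".
    ge, le = entry.get("ge", 0), entry.get("le", 0)
    low = ge or base.prefixlen
    high = le or (32 if ge else base.prefixlen)
    return low <= route.prefixlen <= high

def evaluate(entries, route_str):
    """Return (action, seq) of the first matching entry, or ("deny", None)."""
    route = ipaddress.ip_network(route_str)
    for entry in sorted(entries, key=lambda e: e["seq"]):
        if entry_matches(entry, route):
            return entry.get("action", "permit"), entry["seq"]
    return "deny", None  # implicit deny at the end of every prefix list

# Constructed test routes (not from the page).
ROUTES = ["10.0.0.0/8", "10.20.0.0/16", "192.168.5.0/24",
          "198.51.100.0/24", "203.0.113.0/25", "0.0.0.0/0"]

if __name__ == "__main__":
    for r in ROUTES:
        print(f"{r:18} -> {evaluate(PL_EXTERNAL_PREFIXES, r)}")
```

Under these assumptions, 10.20.0.0/16 and 192.168.5.0/24 are permitted by seq 40, because the `exact` deny entries match only the /8, /12 and /16 aggregates themselves. Denying every route inside those ranges would need `inexact` deny entries with `le: 32`.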