Handbook

Access list vs. prefix list

Access lists and prefix lists are different mechanisms that you can use to control traffic into and out of a network.

Access lists

Access lists allow you to filter packets so that you can permit or deny them from crossing specified network interfaces. You control whether packets are forwarded or blocked at a router's interfaces based on the criteria set in the access list.

Access lists fall into two categories: standard and extended. A standard access list (1-99) checks only the source address of each IP packet, whereas an extended access list (100-199) checks both source and destination addresses, specific UDP/TCP/IP protocols, and destination ports.

The table Range comparison between standard access list and extended access list below compares the numeric ranges of standard access lists and extended access lists.

Range comparison between standard access list and extended access list

  Access List Type   Range
  Standard           1-99, 1300-1999
  Extended           100-199, 2000-2699

Note: For this release, FortiADC only supports user-defined access lists. It does NOT support either standard or extended access lists. Access lists are NOT required for BGP routing configuration. However, if you want to include access lists in BGP routing configuration, we highly recommend that you configure them ahead of time.

Prefix list

Prefix lists are used to filter IP routes. They are configured with the permit or deny keyword to either allow or block a prefix based on the matching conditions. A prefix list entry is made up of an IP address and a bit mask. The IP address can be a classful network, a subnet, or a single host route, whereas the bit mask can be a numeric value ranging from 1 to 32. An implicit deny is applied to the route that matches any entry in the prefix list.

A prefix list contains one or more entries, which are evaluated in order, starting with the entry with the lowest sequence number. Evaluation of a prefix against a prefix list stops as soon as a match is found, and that entry's permit or deny statement is applied to the network.

Although extended access lists, and to some extent standard access lists, can be used to match prefix announcements, prefix lists are considered the more graceful tool for the job.
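The following is an added example, not FortiADC code or configuration syntax, that models the evaluation rules described in the two sections above: an access list matching packets on source (standard style) or on source, destination, protocol and destination port (extended style), and a prefix list evaluated in ascending sequence order with first-match-wins and an implicit deny at the end. The entry syntax (seq N permit|deny A.B.C.D/len [ge N] [le N]), the helper names and all sample addresses are assumptions I constructed for illustration; the ge/le length window goes slightly beyond the page, which only describes an address plus a mask.

```python
# Added example (not FortiADC's own code): a small model of how access-list
# and prefix-list entries are evaluated. Syntax and names are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network


@dataclass
class AclEntry:
    """One access-list entry. A standard entry checks only the source
    address; an extended entry may also check destination, protocol and
    destination port. None means "any" for that field."""
    action: str                      # "permit" or "deny"
    src: IPv4Network
    dst: Optional[IPv4Network] = None
    proto: Optional[str] = None      # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def acl_entry_matches(e: AclEntry, p: Packet) -> bool:
    """Every field the entry specifies must match; unspecified fields match anything."""
    if ipaddress.ip_address(p.src) not in e.src:
        return False
    if e.dst is not None and ipaddress.ip_address(p.dst) not in e.dst:
        return False
    if e.proto is not None and e.proto != p.proto:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return True


def evaluate_access_list(entries: List[AclEntry], p: Packet) -> str:
    """Entries are tested top-down and the first match decides; a packet
    that matches nothing hits the implicit deny at the end of the list."""
    for e in entries:
        if acl_entry_matches(e, p):
            return e.action
    return "deny"


@dataclass
class PrefixEntry:
    seq: int
    action: str
    network: IPv4Network
    ge: Optional[int] = None   # minimum prefix length accepted
    le: Optional[int] = None   # maximum prefix length accepted


def parse_prefix_entry(line: str) -> PrefixEntry:
    """Parse 'seq 10 permit 10.0.0.0/8 le 24' (constructed syntax)."""
    t = line.split()
    if len(t) < 4 or t[0] != "seq" or t[2] not in ("permit", "deny"):
        raise ValueError(f"bad prefix-list entry: {line!r}")
    net = ipaddress.ip_network(t[3], strict=True)   # address + bit mask
    ge = le = None
    for key, val in zip(t[4::2], t[5::2]):
        if key == "ge":
            ge = int(val)
        elif key == "le":
            le = int(val)
        else:
            raise ValueError(f"unknown keyword {key!r} in {line!r}")
    return PrefixEntry(int(t[1]), t[2], net, ge, le)


def prefix_entry_matches(e: PrefixEntry, route: IPv4Network) -> bool:
    """The route must lie inside the entry's network (its leading bits equal)
    and its own length must fall in the [ge, le] window. With neither
    keyword the length must equal the entry's mask exactly."""
    if not route.subnet_of(e.network):
        return False
    lo = e.ge if e.ge is not None else e.network.prefixlen
    hi = e.le if e.le is not None else (32 if e.ge is not None else e.network.prefixlen)
    return lo <= route.prefixlen <= hi


def evaluate_prefix_list(entries: List[PrefixEntry], route: str) -> Tuple[str, Optional[int]]:
    """Evaluate in ascending sequence order and stop at the first match.
    Returns (action, matching seq), or ("deny", None) for the implicit deny."""
    net = ipaddress.ip_network(route, strict=True)
    for e in sorted(entries, key=lambda x: x.seq):
        if prefix_entry_matches(e, net):
            return e.action, e.seq
    return "deny", None


# Constructed sample lists (documentation-range addresses, not real networks).
STANDARD_ACL = [AclEntry("deny", IPv4Network("192.0.2.0/24")),
                AclEntry("permit", IPv4Network("0.0.0.0/0"))]
EXTENDED_ACL = [
    AclEntry("permit", IPv4Network("10.0.0.0/8"), IPv4Network("198.51.100.10/32"), "tcp", 443),
    AclEntry("deny", IPv4Network("10.0.0.0/8"), IPv4Network("198.51.100.0/24"), "tcp", 22),
]
PREFIX_LIST = [parse_prefix_entry(line) for line in [
    "seq 5 deny 10.1.0.0/16 le 32",      # block everything under 10.1/16
    "seq 10 permit 10.0.0.0/8 le 24",    # allow 10/8 aggregates down to /24
    "seq 20 permit 172.16.0.0/12",       # exact match only
]]

if __name__ == "__main__":
    for pkt in (Packet("192.0.2.5", "198.51.100.10", "tcp", 443),
                Packet("10.1.1.1", "198.51.100.10", "udp", 53)):
        print(pkt, "standard:", evaluate_access_list(STANDARD_ACL, pkt),
              "extended:", evaluate_access_list(EXTENDED_ACL, pkt))
    for route in ("10.1.2.0/24", "10.2.0.0/16", "10.2.3.4/32", "172.16.1.0/24"):
        print(route, "->", evaluate_prefix_list(PREFIX_LIST, route))
```

The two evaluation functions share the same shape, which is the point of the comparison: the access list decides per packet on header fields, while the prefix list decides per route on the prefix and its length. In both cases order matters, so a deny that is meant to carve an exception out of a broader permit must carry the lower sequence number (or sit higher in the list), and a route or packet that matches nothing is dropped by the implicit deny.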

Note: Prefix lists are NOT required for BGP routing configuration. However, if you want to include prefix lists in BGP routing configuration, we highly recommend that you configure them ahead of time.
