Quick tip: Matching default route in a standard ACL

I've got the following question from Matthew: »how would one go about matching the default route for filtering using standard ACLs?«

In all routing protocols but EIGRP (which can carry the »default candidate« flag on any IP prefix), the default route has IP address and subnet mask

To match the default route with a standard ACL, use access-list x permit

To match it with an extended ACL (which matches the IP address and the subnet mask portions), you have to use access-list y permit ip host host

And finally, to match the default route in a prefix list, use ip prefix-list z permit

This article is part of the You've asked for it series.
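The three matching behaviours described above, modelled as an added Python example (not code from the original post). It assumes the conventional default route 0.0.0.0/0 and the route-filter semantics as the article states them; the sample routes and function names are constructed for illustration.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _wild_match(value, base, wildcard):
    """IOS-style wildcard compare: bits set in the wildcard are ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(value) & care) == (_ip(base) & care)

def standard_acl(route, addr, wildcard="0.0.0.0"):
    """Standard ACL as a route filter: only the network address is checked."""
    net = ipaddress.IPv4Network(route)
    return _wild_match(str(net.network_address), addr, wildcard)

def extended_acl(route, src, src_wc, dst, dst_wc):
    """Extended ACL as a route filter (as the article describes it):
    the source pair matches the network address, the destination pair
    matches the subnet mask."""
    net = ipaddress.IPv4Network(route)
    return (_wild_match(str(net.network_address), src, src_wc)
            and _wild_match(str(net.netmask), dst, dst_wc))

def prefix_list(route, entry):
    """Prefix-list entry without ge/le: exact prefix and exact length."""
    return ipaddress.IPv4Network(route) == ipaddress.IPv4Network(entry)

# Constructed sample routing table, not taken from the page.
ROUTES = ["0.0.0.0/0", "0.0.0.0/8", "10.0.0.0/8", "128.0.0.0/1"]
ANY = ("0.0.0.0", "255.255.255.255")   # "any" keyword
HOST0 = ("0.0.0.0", "0.0.0.0")         # "host 0.0.0.0"

def matches(fn, *args):
    return [r for r in ROUTES if fn(r, *args)]

if __name__ == "__main__":
    print("standard permit 0.0.0.0      ", matches(standard_acl, "0.0.0.0"))
    print("extended host 0.0.0.0 host 0.0.0.0", matches(extended_acl, *HOST0, *HOST0))
    print("extended any host 0.0.0.0    ", matches(extended_acl, *ANY, *HOST0))
    print("extended any host 255.0.0.0  ", matches(extended_acl, *ANY, "255.0.0.0", "0.0.0.0"))
    print("prefix-list permit 0.0.0.0/0 ", matches(prefix_list, "0.0.0.0/0"))
```

The standard ACL ignores the mask, so it also accepts a route whose network address is 0.0.0.0 with a longer mask, while `any` in the address position accepts every prefix carrying the given mask.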


  1. I have never quite understood why Cisco IOS allows prefix or route matching using ACLs. This should purely be the function of prefix lists. ACLs should only be used to match IP header fields. In case Cisco decided to keep it to extend legacy support, they should deprecate this capability ASAP as it only ends up complicating things.

  2. Route filters were implemented very early in IOS' history when the designers tried to reuse existing mechanisms (ACLs) instead of creating a zillion new commands and configuration modes.

    Sometimes they've got it right, sometimes they've tried to use a hammer on a bolt :) IP prefix lists should be used whenever possible and the only viable reason to use ACLs for route filters is to pass the CCIE lab exam.

  3. I don't understand this. I have been told that to reference a default route using an ACL you would type in the following:

    access-list 100 permit ip any host

    Doesn't this translate into access-list 100 permit ip ?

    Is this not correct?

  4. Your ACL matches ANY IP prefix with a /0 mask. There could only be one (, so it also works, but if you want to match other things (like, you have to be more careful.

    Anyway, prefix lists are the way to go.

