Network Tool
Prefix List Generator
Generate Cisco, Juniper, Palo Alto, and Fortinet prefix lists from CIDR blocks, IP ranges, and bare addresses.
This free prefix list generator converts a list of IP prefixes (CIDR notation, single IPs, or ranges) into ready-to-paste route filter syntax for Cisco IOS, Juniper Junos, Palo Alto Networks, and Fortinet. Generating prefix lists by hand for large route tables is error-prone; this tool does the translation in your browser with no server round-trip.
Prefix lists vs. access lists — the key difference
A Cisco IOS prefix-list matches on both the network address and the prefix length using le/ge qualifiers, making it purpose-built for route filtering in BGP and policy-based routing. An access control list (ACL) uses a destination address and wildcard mask designed for packet filtering — it can match prefixes but cannot express prefix-length conditions natively. For BGP route filtering and redistribution policies, always prefer a prefix-list: it is more expressive, easier to read, and has lower processing overhead on the routing engine.
Supported vendors and output formats
The generator produces syntax for four platforms: Cisco IOS ip prefix-list and extended ACL (with wildcard masks), Juniper Junos route-filter policy statements, Palo Alto Networks address objects and address groups, and Fortinet FortiOS address objects. Input can be any mix of CIDR blocks (192.0.2.0/24), single host addresses (192.0.2.1), or hyphenated ranges (192.0.2.1-192.0.2.50). Ranges are automatically decomposed into the minimal set of covering CIDR prefixes.
Input formats and CIDR decomposition
Not every IP range maps cleanly to a single CIDR block. When you enter a range like 10.0.0.5-10.0.0.20, the tool decomposes it into the smallest set of CIDR prefixes that covers exactly that range — a process sometimes called range-to-CIDR conversion. This is important for prefix-list entries: most platforms require CIDR notation, and an incorrectly sized block will either over-match (leaking unwanted routes) or under-match (dropping legitimate ones).
Frequently asked questions
What is the difference between a prefix-list and an access-list?+
A prefix-list matches on the network address and prefix length together (using ge/le operators), making it suitable for route filtering. An ACL matches on address and wildcard mask for packet filtering. For BGP and route policy work, use a prefix-list.
Which vendors are supported?+
Cisco IOS (ip prefix-list and extended ACL), Juniper Junos (route-filter), Palo Alto Networks (address objects/groups), and Fortinet FortiOS (address objects).
What is a wildcard mask?+
A wildcard mask is the bitwise inverse of a subnet mask. Where the subnet mask uses 1s to mark network bits, the wildcard mask uses 0s. Cisco ACLs and OSPF network statements use wildcard masks; 0.0.0.255 matches any address in a /24.
Can I paste in a mix of CIDRs, single IPs, and ranges?+
Yes. The tool accepts all three formats — one per line — and normalizes them to CIDR before generating vendor-specific output.