IP access-list vs. IP prefix-list

Both IP access-lists and IP prefix-lists let us define matching rules; a route-map is the tool that applies those rules. There are plenty of documents explaining these two commands in detail, but I would like to explain them briefly from my own point of view.

An IP access-list is designed to match traffic: it analyzes the IP header or the TCP header. A standard IP access-list matches arbitrary bit patterns for source IP and destination IP, and an extended IP access-list adds further analysis of the protocols carried over IP.

R6(config-ext-nacl)#permit ?
<0-255>  An IP protocol number
ahp      Authentication Header Protocol
eigrp    Cisco’s EIGRP routing protocol
esp      Encapsulation Security Payload
gre      Cisco’s GRE tunneling
icmp     Internet Control Message Protocol
igmp     Internet Gateway Message Protocol
ip       Any Internet Protocol
ipinip   IP in IP tunneling
nos      KA9Q NOS compatible IP over IP tunneling
ospf     OSPF routing protocol
pcp      Payload Compression Protocol
pim      Protocol Independent Multicast
tcp      Transmission Control Protocol
udp      User Datagram Protocol

From the output above we can see that protocols such as EIGRP, OSPF and ICMP are all encapsulated as IP payload. TCP and UDP are layer 4 protocols, but we can treat them as IP payload as well. If we specify tcp, the IP access-list can match on the individual fields and flags of the TCP header:

R6(config-ext-nacl)#permit tcp any any ?
ack          Match on the ACK bit
dscp         Match packets with given dscp value
eq           Match only packets on a given port number
established  Match established connections
fin          Match on the FIN bit
fragments    Check non-initial fragments
gt           Match only packets with a greater port number
log          Log matches against this entry
log-input    Log matches against this entry, including input interface
lt           Match only packets with a lower port number
match-all    Match if all specified flags are present
match-any    Match if any specified flag is present
neq          Match only packets not on a given port number
option       Match packets with given IP Options value
precedence   Match packets with given precedence value
psh          Match on the PSH bit
range        Match only packets in the range of port numbers
reflect      Create reflexive access list entry
rst          Match on the RST bit
syn          Match on the SYN bit
time-range   Specify a time-range
tos          Match packets with given TOS value
ttl          Match packets with given TTL value
urg          Match on the URG bit

An IP prefix-list is designed for network reachability matching. It does not analyze the IP header or the TCP header, and it does not examine the individual bits of the IP prefix; it only evaluates the result as a whole, which is the network. For example:

ip prefix-list LIST seq 5 permit 1.2.3.0/24

It will not match 1.2.0.0/24 or 1.2.3.4/32. It matches exactly the 1.2.3.0/24 network, that is, all hosts from 1.2.3.1 to 1.2.3.254.
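As an added example (not from the original post, and not Cisco code), here is a small Python model of the two matching styles: a prefix-list evaluator that reproduces the exact-length rule shown above, generalized to IOS's optional ge/le length bounds with first-match-by-sequence and the implicit deny at the end, beside a standard-ACL-style wildcard-mask test that compares individual address bits. The entry table and the addresses are constructed for illustration.

```python
import ipaddress

# Constructed entries: (seq, action, prefix, ge, le).
# ge/le of None reproduces the page's entry exactly as written.
PREFIX_LIST = [
    (5, "permit", "1.2.3.0/24", None, None),
]


def prefix_list_match(entries, route):
    """Evaluate an IOS-style prefix-list against a route such as '1.2.3.0/24'.

    Entries are tried in seq order. An entry matches when the route lies inside
    the entry prefix (its first M bits equal, M = entry mask length) AND the
    route's own mask length is in the allowed range:
      no ge/le -> exactly M      ge only -> ge..32
      le only  -> M..le          both    -> ge..le
    A route matching no entry hits the implicit deny.
    """
    r = ipaddress.ip_network(route, strict=True)
    for _seq, action, prefix, ge, le in sorted(entries, key=lambda e: e[0]):
        p = ipaddress.ip_network(prefix, strict=True)
        lo = ge if ge is not None else p.prefixlen
        hi = le if le is not None else (32 if ge is not None else p.prefixlen)
        # subnet_of() is the "whole network" test: 1.2.3.4/32 is inside
        # 1.2.3.0/24, but with no ge/le its length 32 != 24, so it is denied.
        if r.subnet_of(p) and lo <= r.prefixlen <= hi:
            return action
    return "deny"  # implicit deny at the end of every prefix-list


def acl_wildcard_match(address, acl_address, wildcard):
    """Standard-ACL-style test on a single address.

    Bits where the wildcard is 0 must be equal, bits where it is 1 are
    ignored. This is the per-bit matching a prefix-list never performs.
    """
    a = int(ipaddress.ip_address(address))
    b = int(ipaddress.ip_address(acl_address))
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (a & care) == (b & care)


if __name__ == "__main__":
    for route in ("1.2.3.0/24", "1.2.0.0/24", "1.2.3.4/32"):
        print(route, "->", prefix_list_match(PREFIX_LIST, route))
    # Wildcard 0.0.254.0 cares only about bit 0 of the third octet,
    # an arbitrary bit pattern no prefix-list entry could express.
    print(acl_wildcard_match("1.2.5.4", "1.2.3.4", "0.0.254.0"))
```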