Question about deny "ip" any any ACL

hfakoor222
Spotlight

What does the ip mean? IP addresses? What is the difference between

deny ip any any

and

deny any any

?

Thanks

Accepted Solution

M02@rt37
VIP

Hello @hfakoor222,

deny ip any any

This ACL rule denies all IP traffic from any source IP address to any destination IP address. In other words, it blocks all IP packets, regardless of the source or destination. It effectively prevents any communication using IP-based protocols.

deny any any

This ACL rule is more generic. It denies all traffic, not just IP traffic. It blocks all types of communication, including IP, non-IP, and other layer 4 and above protocols. This rule is often used as a catch-all to deny all traffic when a more specific rule doesn't match.

deny ip any any

is used when you specifically want to block IP-based communication while allowing other non-IP protocols to pass through.

deny any any

is used when you want to block all types of communication, regardless of protocol.

 

Best regards


4 Replies


balaji.bandi
Hall of Fame

Yes, IP address.

deny ip any any

explicit deny all (generally we use it at the end of the list, once we have allowed what we want at the top)

deny any any - default deny all

BB


Joseph W. Doherty
Hall of Fame

deny ip any any

This ACE (not an ACL, but an entry in an ACL) means block anything using IP (Internet Protocol).

Practically, today, any network traffic that uses L3 will use IP, but since IP is L3, it wouldn't block L2-only protocols or other L3 protocols, like Novell's IPX.

What might be a bit confusing is that there are other ACE types, which are sub-protocol types you can define on an ACE, like

permit/deny tcp

Usually these variants provide extra options on the ACE that only apply to that kind of ACE. For example,

tcp/udp

would allow you to also specify port numbers, which don't exist in other IP sub-protocols. But any IP packet would have IP addresses.

As the other posters have already described,

deny any any

would block more than IP, but it might not block lower L2 protocols, e.g. perhaps CDP or LLDP.
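As an added illustration (not code from any of the posters, and not how IOS implements it), here is a small Python model of how an extended IP ACL is evaluated: first matching ACE wins, the `ip` keyword matches every IP sub-protocol while `tcp`/`udp` match only their own protocol and can carry a port, and a packet that matches nothing hits the implicit deny at the end of the list. The ACL and packets below are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every IP protocol; "tcp"/"udp"/"icmp" are sub-protocols
    src: str                     # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str
    dport: Optional[int] = None  # "eq <port>" on the destination; only meaningful for tcp/udp

def _match_addr(spec: str, addr: str) -> bool:
    """Cisco-style address matching: 'any', 'host X', or 'X wildcard-mask'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    base, wildcard = (int(ipaddress.IPv4Address(p)) for p in parts)
    care = ~wildcard & 0xFFFFFFFF   # wildcard bit 1 = don't care, so compare the 0 bits only
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def _match_ace(ace: Ace, pkt: dict) -> bool:
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False                 # a tcp ACE never matches a udp or icmp packet
    if not _match_addr(ace.src, pkt["src"]) or not _match_addr(ace.dst, pkt["dst"]):
        return False
    if ace.dport is not None and pkt.get("dport") != ace.dport:
        return False
    return True

def evaluate(acl: list, pkt: dict):
    """Return (action, index of the matching ACE); None means the implicit deny applied."""
    for i, ace in enumerate(acl):
        if _match_ace(ace, pkt):
            return ace.action, i
    return "deny", None

# Constructed sample ACL: permits on top, explicit deny ip any any at the bottom.
ACL = [
    Ace("permit", "tcp", "10.0.0.0 0.0.0.255", "any", dport=443),
    Ace("permit", "icmp", "any", "host 192.0.2.1"),
    Ace("deny", "ip", "any", "any"),
]

if __name__ == "__main__":
    for pkt in ({"proto": "tcp", "src": "10.0.0.7", "dst": "198.51.100.9", "dport": 443},
                {"proto": "udp", "src": "10.0.0.7", "dst": "198.51.100.9", "dport": 53}):
        print(pkt, "->", evaluate(ACL, pkt))
```

Dropping the last ACE gives the same deny for the UDP packet, but with no matching index: that is the implicit deny, which is why an explicit `deny ip any any` is usually added only to make the drop visible (for example with counters or logging).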

hfakoor222
Spotlight

Thanks
