what does the "ip" mean in ACLs?

I saw an ACLs command which is :

deny ip 10.0.0.0 0.255.255.255 any

I am confused: does this "ip" mean IP address or "TCP/IP" traffic? Does this command mean it will drop any packet that is not IP traffic with source address 10.0.0.0 and wildcard mask 0.255.255.255?

Thank you.


This looks like an ACL from a Cisco router or switch. Let's break it down:

  1. deny vs. permit is the action to take when the rest of the rule matches. In this case you want to block or drop the packets that match.
  2. ip means all IP packets. This includes TCP, UDP, GRE, IPsec... However, it does not include e.g. IS-IS packets as they do not use IP.
  3. 10.0.0.0 0.255.255.255 is the source address range consisting of a network address (10.0.0.0) and a wildcard mask (0.255.255.255). Think of the wildcard mask as the inverse of a subnet mask. In effect this means packets with their source IP address in the 10.0.0.0/8 network.
  4. any indicates the destination IP address: anything goes here so it is not checked.

For example, to permit HTTP (TCP/80) traffic from 10.1.0.0/16 to 203.0.113.80 you get this rule:

permit tcp 10.1.0.0 0.0.255.255 203.0.113.80 0.0.0.0 eq 80
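Working through the two rules above as an added example that is not code from either answer: a Python model of how IOS matches an extended ACL entry (wildcard mask, the `ip` keyword, first match wins, implicit deny). The sample ACL and packets are constructed.

```python
# Added example, not code from the thread: a model of how IOS matches an
# extended ACL entry (wildcard mask, the 'ip' keyword, first match wins).
import ipaddress

def wildcard_match(addr, network, wildcard):
    """A wildcard bit of 1 means 'don't care', 0 means 'must equal the
    network bit' (the inverse of a subnet mask)."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return ((a ^ n) & ~w) == 0

def parse_ace(line):
    """Parse e.g. 'deny ip 10.0.0.0 0.255.255.255 any' into its fields."""
    tok, pos = line.split(), 2           # tok[0] = action, tok[1] = protocol
    def addr():
        nonlocal pos
        if tok[pos] == "any":            # any == 0.0.0.0 255.255.255.255
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[pos] == "host":           # host X == X 0.0.0.0
            pos += 2
            return tok[pos - 1], "0.0.0.0"
        pos += 2
        return tok[pos - 2], tok[pos - 1]

    src, dst = addr(), addr()
    dport = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "dport": dport}

def ace_matches(ace, pkt):
    # 'ip' covers every IP protocol (tcp, udp, gre, ...); a named protocol
    # matches only itself. Non-IP traffic such as IS-IS is out of scope.
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    src_ok = wildcard_match(pkt["src"], *ace["src"])
    dst_ok = wildcard_match(pkt["dst"], *ace["dst"])
    return src_ok and dst_ok and (ace["dport"] is None or pkt.get("dport") == ace["dport"])

def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for pkt; entries are tried in order."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"                        # implicit deny ends every IOS ACL

# Constructed sample ACL (not from the thread). Entry 2 is shadowed by
# entry 1, so HTTP from 10.1.0.0/16 is still dropped: order matters.
ACL = ["deny ip 10.0.0.0 0.255.255.255 any",
       "permit tcp 10.1.0.0 0.0.255.255 203.0.113.80 0.0.0.0 eq 80",
       "permit ip any any"]
```

Reordering the entries so the specific permit comes before the broad deny is what lets the HTTP rule take effect.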

IP does indeed stand for IP address range. The range is defined using the network that you define + the wildcard that you set.

In your case it will be a range between 10.0.0.0 to 10.255.255.255.

So it will drop all network traffic that has a source IP address within the range defined above.

IP needs to be declared because previously there were different kinds of network traffic that could have been filtered. Nowadays, though, most traffic is considered to be IP traffic. It is just kept there as a traditional indicator of the type of traffic that is meant to be filtered.

ACLs are very low-level implementations of "firewalls". They look at a network packet's header information and match it against the rules defined.