Difference between invisible deny all and implicit deny all

Hi

What is the difference between

ip prefix-list test-100 permit 10.0.0.100/32
(invisible deny all)
ip prefix-list test-101 permit 10.0.0.101/32
(invisible deny all)
ip prefix-list test-102 permit 10.0.0.102/32
(invisible deny all)
ip prefix-list test-103 permit 10.0.0.103/32
(invisible deny all)

route-map ine permit 10
 match ip address prefix-list test-100
 set local-preference 1000
route-map ine permit 20
 match ip address prefix-list test-101
 set local-preference 1001
route-map ine permit 30
 match ip address prefix-list test-102
 set local-preference 1002
route-map ine permit 40
 match ip address prefix-list test-103
 set local-preference 1003
(invisible deny all)

vs.

ip prefix-list test-100 permit 10.0.0.100/32
ip prefix-list test-100 deny 0.0.0.0/0 le 32
ip prefix-list test-101 permit 10.0.0.101/32
ip prefix-list test-101 deny 0.0.0.0/0 le 32
ip prefix-list test-102 permit 10.0.0.102/32
ip prefix-list test-102 deny 0.0.0.0/0 le 32
ip prefix-list test-103 permit 10.0.0.103/32
ip prefix-list test-103 deny 0.0.0.0/0 le 32

route-map ine permit 10
 match ip address prefix-list test-100
 set local-preference 1000
route-map ine permit 20
 match ip address prefix-list test-101
 set local-preference 1001
route-map ine permit 30
 match ip address prefix-list test-102
 set local-preference 1002
route-map ine permit 40
 match ip address prefix-list test-103
 set local-preference 1003
route-map ine deny 50

@Network_Eric

Hey Major,

There is no actual difference between an implicit and an explicit deny all, within the context of a route-map or a prefix-list when applied at the end of the statement. They function the same, one just calls out the action so you are less likely to forget the behavior.

If you were to apply it earlier on, you would invalidate any of the rules following the explicit deny, but not have to remove them from the route-map or prefix-list. This could be useful for testing specific things in your environment, but I don’t think it would be very common.

Having said that, there is a difference on the deny any any under an access-list. This is because we can apply modifiers to our deny statement, specifically the “log” keyword. This can be useful when you want to explicitly log each deny entry, either to detect behavior that shouldn’t be happening, or just to figure out if your ACL is blocking traffic it shouldn’t that you had not thought of. I have used this many times where someone told me a piece of software only needs https, but it was failing to connect. Enable the log on the explicit deny quickly, search the logs for the source IP and see it’s actually also using SMB, etc.
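To make the equivalence concrete, here is an added example that is not part of the thread and not vendor code: a small Python model of first-match prefix-list and route-map evaluation (implicit deny at the end of each, a route-map sequence with no match clause matching everything). It builds both configurations from the question and checks that they select the same prefixes and set the same local preference; it also shows the point about an explicit deny placed earlier in a prefix-list shadowing the permit below it. The function names, the attribute dictionary and the baseline local preference of 100 are my own assumptions.

```python
import ipaddress

# Constructed model of IOS-style prefix-list / route-map matching.
# Semantics modelled: entries are evaluated top to bottom, the first
# match decides, and a list or map with no matching entry denies.


def prefix_list_matches(entries, prefix):
    """Return True if `prefix` is permitted by the prefix-list.

    entries: list of (action, network, ge, le); ge/le may be None.
    Without ge/le an entry matches only the exact prefix length;
    with only ge, le defaults to 32 (IPv4).
    """
    for action, network, ge, le in entries:
        network = ipaddress.ip_network(network)
        lo = network.prefixlen if ge is None else ge
        hi = (network.prefixlen if ge is None else 32) if le is None else le
        if prefix.subnet_of(network) and lo <= prefix.prefixlen <= hi:
            return action == "permit"
    return False  # implicit deny all at the end of every prefix-list


def apply_route_map(sequences, prefix_lists, prefix, attrs):
    """Return the attributes after the route-map, or None if the route is denied.

    sequences: list of (action, prefix_list_name_or_None, dict_of_set_clauses).
    A sequence with no match clause matches every route.
    """
    for action, match_list, sets in sequences:
        matched = match_list is None or prefix_list_matches(
            prefix_lists[match_list], prefix
        )
        if not matched:
            continue
        if action == "deny":
            return None
        return {**attrs, **sets}
    return None  # implicit deny all at the end of the route-map


def build_configs():
    """Both configurations from the question, as data. Returns (implicit, explicit)."""
    hosts = {
        "test-100": "10.0.0.100/32",
        "test-101": "10.0.0.101/32",
        "test-102": "10.0.0.102/32",
        "test-103": "10.0.0.103/32",
    }
    implicit_lists = {n: [("permit", net, None, None)] for n, net in hosts.items()}
    explicit_lists = {
        n: [("permit", net, None, None), ("deny", "0.0.0.0/0", None, 32)]
        for n, net in hosts.items()
    }
    sequences = [
        ("permit", "test-100", {"local_pref": 1000}),
        ("permit", "test-101", {"local_pref": 1001}),
        ("permit", "test-102", {"local_pref": 1002}),
        ("permit", "test-103", {"local_pref": 1003}),
    ]
    explicit_map = sequences + [("deny", None, {})]  # route-map ine deny 50
    return (implicit_lists, sequences), (explicit_lists, explicit_map)


def compare(prefix_str):
    """Evaluate one prefix through both configs; returns (implicit_result, explicit_result)."""
    prefix = ipaddress.ip_network(prefix_str)
    base = {"local_pref": 100}  # assumed default local preference
    (il, im), (el, em) = build_configs()
    return apply_route_map(im, il, prefix, base), apply_route_map(em, el, prefix, base)


def shadowed_by_early_deny(prefix_str):
    """An explicit deny-all placed before the permit hides it (the 'earlier on' case)."""
    entries = [("deny", "0.0.0.0/0", None, 32), ("permit", "10.0.0.100/32", None, None)]
    return prefix_list_matches(entries, ipaddress.ip_network(prefix_str))


if __name__ == "__main__":
    for p in ["10.0.0.100/32", "10.0.0.103/32", "10.0.0.104/32", "10.0.0.0/24"]:
        print(p, compare(p))
    print("early deny shadows permit:", shadowed_by_early_deny("10.0.0.100/32"))
```

Running it shows identical results for every prefix: the four hosts get local preference 1000 to 1003, and anything else (a different host or a shorter prefix such as 10.0.0.0/24) is denied whether the deny is written out or left implicit. The last line shows why ordering matters: the same `deny 0.0.0.0/0 le 32` entry placed first never lets the permit after it be reached.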