Which statement is true about the implicit deny any at the end of an IPv4 ACL?
The implicit deny any is a fundamental property of Cisco ACLs.
Why this answer
Option D is correct because every IPv4 ACL has an implicit deny any statement at the end that denies all traffic not explicitly permitted by earlier entries. This implicit rule is always present and cannot be removed, ensuring that only traffic matching a permit entry is allowed through the ACL.
Exam trap
Cisco often tests the misconception that the implicit deny any can be removed or that it only applies to specific protocols, when in fact it is a permanent, protocol-agnostic rule that denies all unmatched traffic.
How to eliminate wrong answers
Option A is wrong because the implicit deny any cannot be overridden; adding a permit any at the end explicitly permits all traffic, effectively negating the implicit deny, but the implicit rule itself remains in the ACL logic.
Option B is wrong because the implicit deny any applies to all IP traffic, not just TCP; it covers UDP, ICMP, and any other IP protocol.
Option C is wrong because while the implicit deny any is always present and cannot be removed, it can be overridden by a permit any statement placed before it in the ACL; the statement 'cannot be overridden' is incorrect.