Anycast IPs like 8.8.4.4 or 8.8.8.8, shows different countries with different Spack releases

Modified on: Mon, 22 Sep, 2025 at 8:42 PM

If an IP address is ANYCAST, then the recommendation is not to use Country based matching to Block traffic, as the country of origin may get dynamically updated when newer spacks are installed.

This also includes IP-filtering-based profiles, where we do not recommend mapping anycast IPs with IP-filtering in the Action. There can be chances that new spack's may have a db where an Anycast IP triggers a false positive. Consider bypassing Anycast for IP-Filtering please.

admin@Branch-cli> request orgs org-services Snehal_Parent_Org security ip-filtering geo-location lookup ip-address 8.8.8.8
status Success
country US
state Texas-US
city San Marcos-TX-US
latitude 29.8832
longitude -97.9413
anycast true                 ####Please check if the IP is anycast True or False

Recommendation is to have a separate security access policy with a check "Destination Address Anycast" and perform required security action with no country based check in the destination match.

Please note that this feature is only supported from 22.1.4 and above Director releases. VOS yang support is starting from 22.1.1 and above.

Did you find it helpful? Yes No

Anycast IPs like 8.8.4.4 or 8.8.8.8, shows different countries with different Spack releases

Modified on: Mon, 22 Sep, 2025 at 8:42 PM

More articles in Troubleshooting (SDWAN)