Allowing for the Implied Deny function
In any ACL having one or more ACEs, there is
always a packet match. This is because the switch automatically applies
an Implicit Deny as the last ACE in any ACL. This function is not
visible in ACL listings, but is always present, see A standard ACL that permits all IPv4 traffic not implicitly denied. This means that if you configure the switch
to use an ACL for filtering either inbound or outbound IPv4 traffic
on a VLAN, any packets not specifically permitted or denied by the
explicit entries you create are denied by the Implicit Deny action.
If you want to preempt the Implicit Deny (so that IPv4 traffic not
specifically addressed by earlier ACEs in a given ACL are permitted),
insert an explicit permit any
(for standard ACLs)
or permit ip any any
(for extended ACLs) as the last
explicit ACE in the ACL.