Allowing for the Implied Deny function
In any ACL having one or more ACEs, there will always be a packet match, because the switch automatically applies an Implicit Deny as the last ACE in any ACL. This function is not visible in ACL listings, but is always present (see "A standard ACL that permits all IPv4 traffic not implicitly denied"). This means that if you configure the switch to use an ACL for filtering either inbound or outbound IPv4 traffic on a VLAN, any packets not specifically permitted or denied by the explicit entries you create will be denied by the Implicit Deny action.
If you want to preempt the Implicit Deny (so that IPv4 traffic not specifically addressed by earlier ACEs in a given ACL will be permitted), insert an explicit permit any (for standard ACLs) or permit ip any any (for extended ACLs) as the last explicit ACE in the ACL.
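
The first-match behavior described above can be modeled offline to check what a standard ACL does with traffic that no explicit ACE addresses. This is an added example, not code from the switch documentation. The ACE grammar it accepts (any, host IP, IP/length) is a simplified assumption, the function names are hypothetical, and the ACLs and addresses are constructed samples.

```python
import ipaddress

def parse_ace(line):
    """Parse one simplified standard ACE: '<permit|deny> <any | host IP | IP/len>'."""
    action, *src = line.split()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")
    if src == ["any"]:
        return action, ipaddress.ip_network("0.0.0.0/0")
    if len(src) == 2 and src[0] == "host":
        return action, ipaddress.ip_network(src[1] + "/32")
    if len(src) == 1:
        return action, ipaddress.ip_network(src[0], strict=False)
    raise ValueError(f"unsupported ACE: {line!r}")

def evaluate(acl, src_ip):
    """Return (action, ace_number); ace_number is None when the Implicit Deny matched."""
    if not acl:
        # The page's statement covers ACLs with one or more ACEs only.
        raise ValueError("ACL has no ACEs")
    addr = ipaddress.ip_address(src_ip)
    for number, line in enumerate(acl, start=1):
        action, net = parse_ace(line)
        if addr in net:          # first match wins; later ACEs are not consulted
            return action, number
    return "deny", None          # the Implicit Deny, absent from the listing

def preempts_implicit_deny(acl):
    """True when the last explicit ACE is 'permit any'."""
    any_net = ipaddress.ip_network("0.0.0.0/0")
    return bool(acl) and parse_ace(acl[-1]) == ("permit", any_net)

# Constructed sample ACLs (not taken from the page)
ACL_DEFAULT = ["deny host 10.10.10.77", "permit 10.10.10.0/24"]
ACL_PERMIT_REST = ACL_DEFAULT + ["permit any"]

if __name__ == "__main__":
    for name, acl in (("default", ACL_DEFAULT), ("permit-rest", ACL_PERMIT_REST)):
        print(name, "ends with permit any:", preempts_implicit_deny(acl))
        for ip in ("10.10.10.77", "10.10.10.5", "192.168.1.9"):
            action, ace = evaluate(acl, ip)
            where = "Implicit Deny" if ace is None else f"ACE {ace}"
            print(f"  {ip:14} {action:6} {where}")
```

In the first ACL the address 192.168.1.9 matches no explicit ACE and falls through to the Implicit Deny. In the second ACL the same address is permitted by the trailing permit any, while the earlier explicit deny still applies to 10.10.10.77.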