Example

Suppose the ACL in the following figure is assigned to filter the IPv4 traffic from an authenticated client on a given port in the switch:
Sequential comparison

As shown above, the ACL tries to apply the first ACE in the list. If there is no match it tries the second ACE, and so on. When a match is found, the ACL invokes the configured action for that entry (permit or drop the packet) and no further comparisons of the packet are made with the remaining ACEs in the list.

This means that when an ACE whose criteria matches a packet is found, the action configured for that ACE is invoked, and any remaining ACEs in the ACL are ignored. Because of this sequential processing, successfully implementing an ACL depends in part on configuring ACEs in the correct order for the overall policy you want the ACL to enforce.

The packet-filtering process in an ACL with N entries (ACEs)
NOTE:

The order in which an ACE occurs in an ACL is significant.

For example, if an ACL contains six ACEs, but the first ACE allows Permit Any forwarding, then the ACL permits all IPv4 traffic, and the remaining

ACEs in the list do not apply, even if they specify criteria that would make a match with any of the traffic permitted by the first ACE.

For example, suppose you want to configure an ACL on the switch (with an ID of "Test-02") to invoke these policies for routed traffic entering the switch on VLAN 12:

Procedure
  1. Permit inbound IPv4 traffic from IP address 10.11.11.42.
  2. Deny only the inbound Telnet traffic from address 10.11.11.101.
  3. Permit only inbound Telnet traffic from IP address 10.11.11.33.
  4. Deny all other inbound IPv4 traffic.

The following ACL model , when assigned to inbound filtering on an interface, supports the above case:

How an ACL filters packets

It is important to remember that all IPv4 ACLs configurable on the switch include an implicit deny ip any. That is, IPv4 packets that the ACL does not explicitly permit or deny is implicitly denied, and therefore dropped instead of forwarded on the interface. If you want topreempt the implicit deny so that IPv4 packets not explicitly denied by other ACEs in the ACL are permitted, insert an explicit "permit any" as the last ACE in the ACL. Doing so permits any packet not explicitly denied by earlier entries.

NOTE:

This solution does not apply in the preceding example, where the intention is for the switch to forward only explicitly permitted IPv4 packets routed on VLAN 12.