For a packet to be permitted, it must have a match with a "permit" ACE in all applicable ACLs assigned to an interface. On a given interface where multiple ACLs apply to the same traffic, a packet having a match with a deny ACE in any applicable ACL on the interface (including an implicit deny any) will be dropped.
Port A10 belongs to VLAN 100. A static port ACL is configured on port A10. A VACL is configured on VLAN 100. An inbound, switched packet entering on port A10, with a destination on port A12, will be screened by the static port ACL and the VACL, regardless of a match with any permit or deny action. A match with a deny action (including an implicit deny) in either ACL will cause the switch to drop the packet. (If the packet has a match with explicit deny ACEs in multiple ACLs and the log option is included in these ACEs, then a separate log event will occur for each match.)
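The evaluation rules above (first match within an ACL, implicit deny any at the end of every ACL, permit only when every applicable ACL permits, one log event per explicit logged deny), modelled as an added Python example. This is not switch code; the ACE layout, ACL names and addresses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the screening rules described above (not switch code).
# An ACE is (action, source network, destination network, log flag). Each ACL
# is an ordered list of ACEs; the first matching ACE decides, and if nothing
# matches, the implicit "deny any" at the end of every ACL applies.
IMPLICIT_DENY = ("deny", "0.0.0.0/0", "0.0.0.0/0", False)

def first_match(acl, src, dst):
    """Return the first ACE matching (src, dst), or the implicit deny any."""
    for ace in acl:
        _action, src_net, dst_net, _log = ace
        if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
            return ace
    return IMPLICIT_DENY

def screen(acls, src, dst):
    """Screen one packet against every ACL that applies to the interface.

    Returns (decision, log_events). decision is "permit" only when every ACL
    has a matching permit ACE; a deny in any ACL (implicit deny included)
    drops the packet. log_events gets one entry per explicit deny ACE that
    carries the log option, so a single packet can produce several events.
    """
    decision = "permit"
    log_events = []
    for name, acl in acls.items():
        ace = first_match(acl, src, dst)
        if ace[0] == "deny":
            decision = "deny"
            if ace is not IMPLICIT_DENY and ace[3]:   # implicit deny is never logged
                log_events.append(f"{name}: deny {src} -> {dst}")
    return decision, log_events

# Constructed sample: a static port ACL on A10 and a VACL on VLAN 100.
ACLS = {
    "port-A10": [
        ("deny", "10.0.0.0/24", "10.0.1.0/24", True),    # explicit deny with log
        ("permit", "10.0.0.0/16", "0.0.0.0/0", False),
    ],
    "vlan-100": [
        ("deny", "10.0.0.0/24", "10.0.1.0/24", True),    # explicit deny with log
        ("permit", "10.0.0.0/24", "0.0.0.0/0", False),
    ],
}

if __name__ == "__main__":
    print(screen(ACLS, "10.0.0.5", "10.0.1.9"))   # denied by both, two log events
    print(screen(ACLS, "10.0.0.5", "10.0.2.9"))   # permitted by both ACLs
    print(screen(ACLS, "10.0.3.5", "10.0.2.9"))   # port ACL permits, VACL implicit deny
```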