Access Security Guide K/KA/KB.15.15

Figure 230 How an ACL filters packets
It is important to remember that all IPv4 ACLs configurable on the switch include an implicit "deny
ip any" as their final entry. That is, IPv4 packets that the ACL does not explicitly permit or deny are
implicitly denied, and therefore dropped instead of forwarded on the interface. If you want to preempt
the implicit deny so that IPv4 packets not explicitly denied by other ACEs in the ACL are permitted,
insert an explicit "permit any" as the last ACE in the ACL. Doing so permits any packet not explicitly
denied by earlier entries.
NOTE: This solution does not apply in the preceding example, where the intention is for the
switch to forward only explicitly permitted IPv4 packets routed on VLAN 12.
Operating notes for remarks
The resequence command ignores "orphan" remarks that do not have an ACE counterpart
with the same sequence number. For example, if:
- a remark numbered "55" exists in an ACL
- there is no ACE numbered "55" in the same ACL
- resequence is executed on that ACL
then the remark retains "55" as its sequence number and is placed in the renumbered
version of the ACL according to that sequence number.
Entering an unnumbered remark followed by a numbered ACE, or the reverse, creates an
"orphan" remark. The unnumbered entry will be assigned a sequence number that is an
increment from the last ACE in the list. The numbered entry will then be placed sequentially
in the list according to the sequence number used.
Configuring two remarks without either sequence numbers or an intervening, unnumbered
ACE results in the second remark overwriting the first.
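The following is an added illustration (not switch code) that models two behaviors described above: first-match ACE evaluation ending in the implicit "deny ip any", with an explicit "permit any" as the last ACE preempting it, and a resequence that renumbers ACEs but leaves an orphan remark at its original number. The ACL entries and addresses are constructed sample data.

```python
from ipaddress import ip_address, ip_network

# Constructed sample ACL: (sequence number, kind, action, target).
# Remark 20 has an ACE counterpart; remark 55 is an orphan.
ACL = [
    (10, "ace", "permit", "10.10.10.0/24"),
    (20, "remark", None, "Block the lab subnet"),
    (20, "ace", "deny", "10.10.20.0/24"),
    (55, "remark", None, "orphan remark: no ACE numbered 55"),
    (30, "ace", "permit", "10.10.30.0/24"),
]

def _order(entry):
    # Sort by sequence number; a remark precedes the ACE with the same number.
    seq, kind, _, _ = entry
    return (seq, kind != "remark")

def permitted(acl, src_ip):
    """True if the first ACE matching src_ip permits it.

    Remarks never match a packet. If no ACE matches, the implicit
    'deny ip any' at the end of every IPv4 ACL drops the packet."""
    addr = ip_address(src_ip)
    for _, kind, action, target in sorted(acl, key=_order):
        if kind != "ace":
            continue
        if target == "any" or addr in ip_network(target):
            return action == "permit"
    return False  # implicit deny ip any

def resequence(acl, start=10, step=10):
    """Renumber ACEs start, start+step, ... in list order.

    A remark whose number has an ACE counterpart moves with that ACE;
    an orphan remark keeps its old number and is placed wherever that
    number now falls in the renumbered list."""
    new_seq, out, n = {}, [], start
    for seq, kind, action, target in sorted(acl, key=_order):
        if kind == "ace":
            new_seq[seq] = n
            out.append((n, kind, action, target))
            n += step
    for seq, kind, action, target in acl:
        if kind == "remark":
            out.append((new_seq.get(seq, seq), kind, action, target))
    return sorted(out, key=_order)

if __name__ == "__main__":
    print(permitted(ACL, "192.0.2.1"))                                    # False
    print(permitted(ACL + [(100, "ace", "permit", "any")], "192.0.2.1"))  # True
    print([e[0] for e in resequence(ACL, start=100, step=100)])           # [55, 100, 200, 200, 300]
```

Note how the orphan remark 55 ends up ahead of the first ACE once the ACEs are renumbered from 100, which is exactly the placement rule the text describes.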
Figure 231 Overwriting one remark with another
Planning an ACL application
Before creating and implementing ACLs, you need to define the policies you want your ACLs to
enforce, and understand how the ACL assignments will impact your network users.
316 IPv4 Access Control Lists (ACLs)