Allowing For The Implied Deny Function; A Configured Acl Has No Effect Until You Apply It To An Interface; You Can Assign An Acl Name Or Number To An Interface Even If The Acl Does Not Exist In The Switch's Configuration - HP 3500yl Series Access Security Manual

IPv4 Access Control Lists (ACLs)
Configuring and Assigning an IPv4 ACL

Allowing for the Implied Deny Function

In any ACL having one or more ACEs there will always be a packet match. This is because the switch automatically applies an Implicit Deny as the last ACE in any ACL. This function is not visible in ACL listings, but is always present. (Refer to figure 10-13.) This means that if you configure the switch to use an ACL for filtering either inbound or outbound IPv4 traffic on a VLAN, any packets not specifically permitted or denied by the explicit entries you create will be denied by the Implicit Deny action. If you want to preempt the Implicit Deny (so that IPv4 traffic not specifically addressed by earlier ACEs in a given ACL will be permitted), insert an explicit permit any (for standard ACLs) or permit ip any any (for extended ACLs) as the last explicit ACE in the ACL.
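The following is an added example, not from the manual: a small first-match ACL evaluator that models the Implicit Deny the switch appends to every ACL, and shows how a trailing permit any (standard) or permit ip any any (extended) preempts it. The ACE text form used here ("permit ip 10.1.1.0/24 any", "deny 10.1.2.0/24") and the sample addresses are a constructed, simplified notation for this example only, not the switch's CLI grammar.

```python
# Added example (not the switch's code): first-match ACL evaluation with Implicit Deny.
# ACE notation is simplified and constructed for this example; it is not the HP CLI syntax.
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def _net(token):
    """'any' or a CIDR string -> IPv4Network (constructed notation for this example)."""
    return ANY if token == "any" else ipaddress.ip_network(token, strict=False)

def parse_ace(text):
    """Standard ACE: '<permit|deny> <src>'; extended ACE: '<permit|deny> ip <src> <dst>'."""
    parts = text.split()
    action = parts[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {text!r}")
    if len(parts) == 2:                       # standard ACL: source address only
        return action, _net(parts[1]), None
    if len(parts) == 4 and parts[1] == "ip":  # extended ACL: IP source and destination
        return action, _net(parts[2]), _net(parts[3])
    raise ValueError(f"unsupported ACE: {text!r}")

def evaluate(ace_texts, src, dst=None):
    """First-match evaluation. Returns (action, index); index is None when no explicit
    ACE matched and the Implicit Deny (never shown in the ACL listing) decided."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst) if dst else None
    for i, (action, s, d) in enumerate(map(parse_ace, ace_texts)):
        if src_ip not in s:
            continue
        if d is not None and (dst_ip is None or dst_ip not in d):
            continue
        return action, i
    return "deny", None  # the Implicit Deny the switch appends to every ACL

def preempts_implicit_deny(ace_texts):
    """True when the last explicit ACE is 'permit any' / 'permit ip any any', so traffic
    not addressed by earlier ACEs is permitted instead of hitting the Implicit Deny."""
    if not ace_texts:
        return False
    action, s, d = parse_ace(ace_texts[-1])
    return action == "permit" and s == ANY and d in (None, ANY)

if __name__ == "__main__":
    # Constructed sample ACL and addresses.
    extended = ["permit ip 10.1.1.0/24 any", "deny ip 10.1.2.0/24 any"]
    print(evaluate(extended, "192.168.5.5", "10.9.9.9"))                        # ('deny', None)
    print(evaluate(extended + ["permit ip any any"], "192.168.5.5", "10.9.9.9"))  # ('permit', 2)
```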
A Configured ACL Has No Effect Until You Apply It to an Interface
The switch stores ACLs in the configuration file. Thus, until you actually assign an ACL to an interface, it is present in the configuration but not used (and does not use any of the monitored resources described in the appendix titled "Monitored Resources" in the Management and Configuration Guide for your switch).
You Can Assign an ACL Name or Number to an Interface Even if the ACL Does Not Exist in the Switch's Configuration
In this case, if you subsequently create an ACL with that name or number, the switch automatically applies each ACE as soon as you enter it in the running-config file. Similarly, if you modify an existing ACE in an ACL you already applied to an interface, the switch automatically implements the new ACE as soon as you enter it. (See "" on page 10-128.) The switch allows up to 2048 ACLs for IPv4 and determines the total from the number of unique ACL names in the configuration. For example, if you configure two ACLs, but assign only one of them to a VLAN, the ACL total is two, for the two unique ACL names. If you then assign the name of a nonexistent ACL to a VLAN, the new ACL total is three, because the switch now has three unique ACL names in its configuration. (RADIUS-based ACL resources are drawn from the IPv4 allocation.)
(For information on switch resource use, refer to "Monitoring Shared Resources" on page 10-129. For a summary of ACL resource limits, refer to the appendix covering scalability in the latest Management and Configuration Guide for your switch.)
10-47
