HP ProCurve Series 3400cl Release Notes page 62

Enhancements
Release M.10.02 Enhancements
Figure 4. The Packet-Filtering Process in an ACL with N Entries (ACEs)
Note
The order in which an ACE occurs in an ACL is significant. For example, if an ACL contains six ACEs,
but the first ACE is a "permit IP any", then the ACL permits all IP traffic from the authenticated client,
and the remaining ACEs in the list do not apply, even if they specify criteria that would make a match
with any of the traffic permitted by the first ACE.
[Flowchart: Test packet against criteria in first ACE. Is there a match? Yes: perform action (permit or deny), end. No: test the packet against criteria in second ACE. Is there a match? Yes: perform action (permit or deny), end. No: continue in the same way through the Nth ACE. Is there a match? Yes: perform action (permit or deny), end. No: deny the packet (invoke implicit deny any), end.]
1. If a match is not found with the first ACE in an ACL, the switch proceeds to the next ACE and so on.
2. If a match with an explicit ACE is subsequently found, the packet is either permitted (forwarded) or denied (dropped), depending on the action specified in the matching ACE. In this case the switch ignores all subsequent ACEs in the ACL.
3. If a match is not found with any explicit ACE in the ACL, the switch invokes the implicit deny IP any at the end of every ACL, and drops the packet.
Note: If the list includes a permit IP any entry, no packets can reach the implicit deny IP any at the end of the list. Also, a permit IP any ACE at any point in an ACL defeats the purpose of any subsequent ACEs in the list.
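
The first-match behavior in steps 1 to 3 and the note above, as an added example (not code from HP or from the switch software). It assumes a simplified model in which each ACE is an action plus a destination network; the function names and sample ACLs are constructed for illustration, and the shadowing check only compares each ACE against single earlier ACEs, not unions of them.

```python
import ipaddress

# Simplified model (an assumption for illustration): each ACE is
# (action, destination network); "any" is written as 0.0.0.0/0.
ANY = "0.0.0.0/0"

def parse_acl(entries):
    """Turn (action, cidr) pairs into (action, ip_network) ACEs."""
    return [(action, ipaddress.ip_network(cidr)) for action, cidr in entries]

def evaluate(acl, dst):
    """First-match evaluation. Returns (action, ace_number); ace_number is
    None when no explicit ACE matched and the implicit deny applied."""
    addr = ipaddress.ip_address(dst)
    for number, (action, net) in enumerate(acl, start=1):
        if addr in net:
            return action, number      # all later ACEs are ignored
    return "deny", None                # implicit deny any at end of ACL

def shadowed_aces(acl):
    """Report ACEs that can never match because one earlier ACE already
    covers their whole destination range. Returns (ace_number, by_number)."""
    findings = []
    for i, (_, net) in enumerate(acl):
        for j in range(i):
            if net.subnet_of(acl[j][1]):
                findings.append((i + 1, j + 1))
                break
    return findings

# Constructed sample ACLs (addresses are from documentation ranges).
MISORDERED = parse_acl([
    ("permit", ANY),                   # placed first: shadows everything below
    ("deny", "192.0.2.0/24"),
    ("deny", "198.51.100.10/32"),
])
ORDERED = parse_acl([
    ("deny", "192.0.2.0/24"),
    ("deny", "198.51.100.10/32"),
    ("permit", "203.0.113.0/24"),      # anything else hits the implicit deny
])

if __name__ == "__main__":
    print(evaluate(MISORDERED, "192.0.2.5"))  # the deny in ACE 2 never applies
    print(evaluate(ORDERED, "192.0.2.5"))
    print(evaluate(ORDERED, "10.1.1.1"))      # no explicit match
    print(shadowed_aces(MISORDERED))
```

Running `shadowed_aces` over an ACL before it is deployed flags deny entries that an earlier, broader ACE has made unreachable.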
