For a packet to be permitted, it must have a match with a "permit" ACE in all applicable ACLs assigned to an interface.

On a given interface where multiple ACLs apply to the same traffic, a packet having a match with a deny ACE in any applicable ACL on the interface (including an implicit deny any) will be dropped.

For example, suppose the following is true:
  • Port A10 belongs to VLAN 100.

  • A static port ACL is configured on port A10.

  • A VACL is configured on VLAN 100.

An inbound, switched packet entering on port A10, with a destination on port A12, will be screened by the static port ACL and the VACL, regardless of a match with any permit or deny action. A match with a deny action (including an implicit deny) in either ACL will cause the switch to drop the packet. (If the packet has a match with explicit deny ACEs in multiple ACLs and the log option is included in these ACEs, then a separate log event will occur for each match.)
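The screening logic above, modelled as an added example (not code or configuration from the switch documentation). It assumes the first matching ACE decides the result within each ACL; the ACL names, addresses and masks are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class ACE:
    action: str        # "permit" or "deny"
    src: str           # source network, CIDR form
    dst: str           # destination network, CIDR form
    log: bool = False  # models the ACE "log" option

    def matches(self, src, dst):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))

def first_match(aces, src, dst):
    """Assumption: the first matching ACE wins. None means only the implicit deny applies."""
    for ace in aces:
        if ace.matches(src, dst):
            return ace
    return None

def screen(acls, src, dst):
    """Screen one packet against every applicable ACL on the interface.

    Returns (forwarded, log_events). Every ACL is consulted even after a
    deny, so each explicit deny ACE with the log option yields its own event.
    """
    forwarded, events = True, []
    for name, aces in acls.items():
        ace = first_match(aces, src, dst)
        if ace is None or ace.action == "deny":
            forwarded = False  # a deny in any ACL drops the packet
            if ace is not None and ace.log:
                events.append(f"{name}: deny {src} -> {dst}")
    return forwarded, events

# Constructed ACLs: a static port ACL on port A10 and a VACL on VLAN 100.
ACLS = {
    "port-A10": [ACE("deny", "10.0.100.50/32", "10.0.100.0/24", log=True),
                 ACE("permit", "10.0.100.0/24", "10.0.100.0/24")],
    "vacl-100": [ACE("deny", "10.0.100.50/32", "0.0.0.0/0", log=True),
                 ACE("permit", "10.0.100.0/25", "10.0.100.0/24")],
}

if __name__ == "__main__":
    for src in ("10.0.100.10", "10.0.100.200", "10.0.100.50", "192.168.1.1"):
        print(src, screen(ACLS, src, "10.0.100.12"))
```

The second source address is the case that surprises people in practice: the port ACL permits it, yet the packet is dropped by the VACL's implicit deny and no log event is produced.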