Standard IP Access Control Lists
Filtering logic can be configured on any router and on any of its interfaces. Cisco IOS software applies the filtering logic of an ACL either as a packet enters an interface or as it exits the interface. In other words, IOS associates an ACL with an interface, and specifically with traffic either entering or exiting that interface. After you have chosen the router on which to place the access list, you must choose the interface on which to apply the access logic, as well as whether to apply the logic to inbound or outbound packets.
The key features of Cisco ACLs are:
• Packets can be filtered as they enter an interface, before the routing decision.
• Packets can be filtered before they exit an interface, after the routing decision.
• Deny is the term used in Cisco IOS software to imply that the packet will be filtered.
• Permit is the term used in Cisco IOS software to imply that the packet will not be filtered.
• The filtering logic is configured in the access list.
• If a packet does not match any of your access list statements, it is blocked.
Access lists have two major steps in their logic: matching, which determines whether a packet matches the parameters of an access-list statement; and action, which can be either deny or permit. Deny means to discard the packet, and permit means that the packet should be allowed through. However, the logic that IOS uses with a multiple-entry ACL can be more complex, because the statements are examined in order. Generally, the logic can be summarized as follows:
Step 1: The matching parameters of the access-list statement are compared to the packet.
Step 2: If a match is made, the action defined in this access-list statement (permit or deny) is performed.
Step 3: If a match is not made in Step 2, repeat Steps 1 and 2 using each successive statement in the ACL until a match is made.
Step 4: If no match is made with an entry in the access list, the deny action is performed.
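The following Python model of Steps 1 through 4 is an added example, not Cisco code: it walks a constructed standard ACL (number 10, matching on source address with Cisco wildcard masks, where a wildcard bit of 1 means "don't care") in order, stops at the first match, and falls through to the implicit deny when nothing matches.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed standard ACL in IOS syntax; the last statement is deliberately not
# "permit any", so a packet that matches nothing hits the implicit deny (Step 4).
ACL_10 = [
    "access-list 10 deny   host 10.1.1.5",
    "access-list 10 permit 10.1.1.0 0.0.0.255",
    "access-list 10 deny   10.1.0.0 0.0.255.255",
]

def _to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def parse_entry(line: str) -> Tuple[str, int, int]:
    """Return (action, source, wildcard) for one 'access-list N action source [wildcard]' line."""
    tokens = line.split()
    action = tokens[2]
    if tokens[3] == "any":            # shorthand for 0.0.0.0 255.255.255.255
        return action, 0, 0xFFFFFFFF
    if tokens[3] == "host":           # shorthand for <address> 0.0.0.0
        return action, _to_int(tokens[4]), 0
    wildcard = _to_int(tokens[4]) if len(tokens) > 4 else 0
    return action, _to_int(tokens[3]), wildcard

def matches(source_ip: str, source: int, wildcard: int) -> bool:
    """Step 1: compare only the bits the wildcard mask marks as significant (0 bits)."""
    care = ~wildcard & 0xFFFFFFFF
    return (_to_int(source_ip) & care) == (source & care)

def evaluate(acl: List[str], source_ip: str) -> Tuple[str, Optional[int]]:
    """Steps 2-4: first matching statement decides; return (action, index) or (deny, None)."""
    for index, line in enumerate(acl):
        action, source, wildcard = parse_entry(line)
        if matches(source_ip, source, wildcard):
            return action, index
    return "deny", None   # Step 4: implicit deny at the end of every ACL

if __name__ == "__main__":
    for ip in ["10.1.1.5", "10.1.1.77", "10.1.9.9", "192.0.2.1"]:
        print(ip, evaluate(ACL_10, ip))
```

Swapping the first two statements would let 10.1.1.5 through, which is why statement order, not just statement content, has to be checked when reviewing an ACL.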