In the most intuitive sense, an access list is a series of rules that instruct the router on how to select or match a route or packet. IOS uses access lists as an extremely general mechanism for controlling many kinds of router behavior, but the best way to understand how they work is to start with the simplest application: controlling the traffic that flows into or out of an interface.
Each rule in a standard access list contains three important parts: a
number that identifies the list when you refer to it in other parts
of the router’s configuration, a
permit instruction, and something to identify
packets (for example, an address). As incoming or outgoing packets
reach an interface that has an access list, the router compares the
packets to each rule in the access list and decides whether the
traffic should be blocked (denied) or permitted.
For IP traffic, there are two fundamental types of lists: standard and extended. Standard access lists filter based on source network addresses. A typical standard access list looks like this:
access-list 1 deny 10.10.1.0 0.0.0.255 access-list 1 deny 10.10.2.0 0.0.0.255 access-list 1 permit any
This list blocks any traffic from the 10.10.1.0 and 10.10.2.0 subnets, regardless of the packet’s destination, and permits anything that makes it past the first two lines. In other words, all traffic is permitted except for the 10.10.1.0 and 10.10.2.0 subnets. Once you have the list, you can apply it to the ...