Access List Implementation


Access List Implementation Facts

A carefully-designed access list provides a measure of security to both the router and any connected networks. You can use an access list to prevent some forms of Internet attacks, or to restrict the devices that are allowed to send packets through a router. A router that uses access lists is a form of firewall because it allows or denies the flow of packets between networks. You can use a Cisco router with access list statements to protect your private network from the Internet, or to protect Internet servers from specific attacks.

After you have created an access list, you must apply it to an interface. In many cases, this means you will need to decide which router, which port, and which direction to apply the access list to. Keep in mind the following:

  • The access list is applied to traffic with a specific direction (either in or out).
  • Each interface can only have one inbound and one outbound access list for each protocol. This means that an interface can have either a standard inbound or an extended inbound IP access list, but not both.
  • You can have two access lists for the same direction applied to an interface if the lists restrict different networking protocols. For example, you can have one outbound IP access list and one outbound IPX access list.
  • When constructing access lists, place the most restrictive statements at the top. Traffic is matched to access list statements in the order they appear in the list. If traffic matches a statement high in the list, subsequent statements will not be applied to the traffic.
  • Each access list has an implicit deny any statement at the end of the access list. Your access list must contain at least one permit (allow) statement, or no traffic will be allowed.
  • As a general rule, apply extended access lists as close to the source router as possible. This keeps the packets from being sent throughout the rest of the network.
  • As a general rule, apply standard access lists as close to the destination router as possible. This is because standard access lists can only filter on source address. Placing the list too close to the source will prevent any traffic from the source from getting to any other parts of the network.
  • When making placement decisions, carefully read all access list statements and requirements. Identify blocked and allowed traffic, as well as the direction that traffic will be traveling. Place the access list on the interface where a single list will block (or allow) all necessary traffic.
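The ordering rules in the bullets above (top-down first match, implicit deny any, and the need for at least one permit) are easy to state and easy to get wrong in practice. The following Python evaluator is an added example, not part of these notes and not Cisco's own implementation; it assumes the standard numbered ACL syntax `access-list <number> {permit|deny} {any | host A.B.C.D | A.B.C.D W.W.W.W}` and applies first-match semantics to a constructed pair of lists. The `shadowed_entries` check flags a statement that can never match because a broader statement sits above it, which is exactly the "most restrictive statements at the top" mistake.

```python
"""Toy first-match evaluator for Cisco-style numbered standard IP access lists.

Assumptions (mine, not from the notes): statement syntax
    access-list <number> {permit|deny} {any | host A.B.C.D | A.B.C.D W.W.W.W}
with the semantics the notes describe: statements are tested top-down, the
first match decides, and a packet matching nothing hits the implicit "deny any".
"""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Entry:
    action: str    # "permit" or "deny"
    network: int   # source address as a 32-bit integer
    wildcard: int  # inverse mask: 1 bits are "don't care", 0 bits must match


def parse_acl(text):
    """Parse standard access-list lines into Entry objects, preserving order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue  # blank line or IOS-style comment
        if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported statement: {line}")
        action, rest = tokens[2], tokens[3:]
        if rest[0] == "any":
            network, wildcard = 0, ALL_ONES
        elif rest[0] == "host":
            network, wildcard = int(ipaddress.IPv4Address(rest[1])), 0
        else:
            network = int(ipaddress.IPv4Address(rest[0]))
            # A missing wildcard is treated as 0.0.0.0, i.e. an exact host match
            wildcard = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
        entries.append(Entry(action, network, wildcard))
    return entries


def matches(entry, src):
    """True if src falls in the entry's range: compare only the 'care' bits."""
    care = ~entry.wildcard & ALL_ONES
    return (src & care) == (entry.network & care)


def evaluate(entries, src_ip):
    """Return (action, index) of the first matching statement, or
    ('deny', None) for the implicit deny any at the end of the list."""
    src = int(ipaddress.IPv4Address(src_ip))
    for index, entry in enumerate(entries):
        if matches(entry, src):
            return entry.action, index
    return "deny", None


def shadowed_entries(entries):
    """Indexes of statements that can never match because an earlier statement
    already covers every address they could match (broad placed before specific)."""
    shadowed = []
    for j, later in enumerate(entries):
        for earlier in entries[:j]:
            care_earlier = ~earlier.wildcard & ALL_ONES
            # 'earlier' covers all of 'later' when it cares about no bit that
            # 'later' ignores, and both agree on every bit 'earlier' cares about.
            if (later.wildcard & care_earlier) == 0 and \
                    (later.network & care_earlier) == (earlier.network & care_earlier):
                shadowed.append(j)
                break
    return shadowed


def has_permit(entries):
    """A list with no permit statement blocks everything once the implicit deny counts."""
    return any(e.action == "permit" for e in entries)


# Constructed sample lists: the intent is to block one host and admit the rest
# of its /24. The first list puts the broad permit first, so the deny is dead.
MISORDERED_ACL = """
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny host 192.168.1.50
"""

CORRECTED_ACL = """
! most restrictive statement first
access-list 10 deny host 192.168.1.50
access-list 10 permit 192.168.1.0 0.0.0.255
"""

if __name__ == "__main__":
    for name, text in (("misordered", MISORDERED_ACL), ("corrected", CORRECTED_ACL)):
        acl = parse_acl(text)
        print(name, "192.168.1.50 ->", evaluate(acl, "192.168.1.50"),
              "| shadowed:", shadowed_entries(acl),
              "| 10.0.0.1 ->", evaluate(acl, "10.0.0.1"))
```

Running the script shows the misordered list permitting 192.168.1.50 at statement 0 and reporting statement 1 as shadowed, while the corrected list denies that host, permits the rest of 192.168.1.0/24, and drops 10.0.0.1 through the implicit deny. The same first-match logic is why a list consisting only of deny statements, such as `access-list 20 deny any`, blocks all traffic on the interface it is applied to.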


Credit: Testout 640-802 CCNA Notes

Tags: #access list implementation #ccna #network
Record number: 319947. Written 13 December 2009 08:55. Edited 23 March 2012 09:29. License: Creative Commons Attribution-NonCommercial-NoDerivatives.

