Access Control Lists (ACLs) allow a router to permit or deny packets based on a variety of criteria. The ACL is configured in global mode, but is applied at the interface level. An ACL does not take effect until it is expressly applied to an interface with the ip access-group command. Packets can be filtered as they enter or exit an interface.

If a packet enters or exits an interface with an ACL applied, the packet is compared against the criteria of the ACL. If the packet matches the first line of the ACL, the appropriate “permit” or “deny” action is taken. If there is no match, the second line’s criterion is examined. Again, if there is a match, the appropriate action is taken; if there is no match, the third line of the ACL is compared to the packet.

This process continues until a match is found, at which time the ACL stops running. If no match is found, a default “deny” takes place, and the packet will not be processed. When an ACL is configured, if a packet is not expressly permitted, it will be subject to the implicit deny at the end of every ACL. This is the default behavior of an ACL and cannot be changed.

A standard ACL is concerned with only one factor, the source IP address of the packet. The destination is not considered. Extended ACLs consider both the source and destination of the packet, and can consider the port number as well. The numerical range used for each is different: standard ACLs use the ranges 1-99 and 1300-1399; extended lists use 100-199 and 2000-2699.

There are several points worth repeating before beginning to configure standard ACLs.

Standard ACLs consider only the source IP address for matches.

The ACL lines are run from top to bottom. If there is no match on the first line, the second is run; if no match on the second, the third is run, and so on until there is a match, or the end of the ACL is reached. This top-to-bottom process places special importance on the order of the lines.

There is an implicit deny at the end of every ACL. If packets are not expressly permitted, they are implicitly denied.

If Router 3’s Ethernet interface should only accept packets with a source network of 126.96.36.199, the ACL will be configured like this:

R3#conf t
R3(config)#access-list 5 permit 188.8.131.52 0.0.0.255

The ACL consists of only one explicit line, one that permits packets from source IP address 184.108.40.206 /24. The implicit deny, which is not configured or seen in the running configuration, will deny all packets not matching the first line.

The ACL is then applied to the Ethernet0 interface:

R3#conf t
R3(config)#interface e0
R3(config-if)#ip access-group 5 in

But before you write any ACLs, it’s a really good idea to see what other ACLs are already running on the router! To see the ACLs running on the router, use the command show access-list.

R1#show access-list
Standard IP access list 1
    permit 0.0.0.0
Standard IP access list 5
    permit 220.127.116.11
Standard IP access list 7
    permit 18.104.22.168
Extended IP access list 100
    permit tcp any any lt www (26 matches)
    permit tcp any any neq telnet (12 matches)
    deny ip any any
Extended IP access list 105
    deny tcp any any eq www
    deny tcp any any eq telnet

You’re going to use ACLs all the way up the Cisco certification ladder, and throughout your career. The importance of knowing how to write and apply ACLs is paramount, and it all starts with mastering the fundamentals!
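
The top-to-bottom, first-match evaluation and the implicit deny described above can be reproduced offline to see why line order matters. The following Python sketch is an added example, not part of the original article or any Cisco tool; ACL number 10 and the 192.0.2.0/24 documentation addresses are constructed, and `shadowed` is a hypothetical helper that flags lines an earlier line makes unreachable.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_acl(text):
    """Parse 'access-list N permit|deny SOURCE [WILDCARD]' lines into (action, addr, wildcard)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, src = tok[2], tok[3]
        if src == "any":
            addr, wild = 0, MASK32
        elif src == "host":
            addr, wild = to_int(tok[4]), 0
        else:  # a missing wildcard means an exact host match (0.0.0.0)
            addr, wild = to_int(src), (to_int(tok[4]) if len(tok) > 4 else 0)
        rules.append((action, addr, wild))
    return rules

def covers(addr_a, wild_a, addr_b, wild_b):
    """True if rule A matches every source address that rule B matches."""
    care_a = ~wild_a & MASK32  # wildcard 0-bits must match, 1-bits are "don't care"
    return (wild_b & care_a) == 0 and ((addr_a ^ addr_b) & care_a) == 0

def evaluate(rules, source_ip):
    """First match wins. Returns (action, line); line is None for the implicit deny."""
    ip = to_int(source_ip)
    for n, (action, addr, wild) in enumerate(rules, start=1):
        if covers(addr, wild, ip, 0):
            return action, n
    return "deny", None

def shadowed(rules):
    """Line numbers that can never match because an earlier line covers them."""
    return [j + 1 for j, (_, aj, wj) in enumerate(rules)
            if any(covers(ai, wi, aj, wj) for _, ai, wi in rules[:j])]

# Constructed sample ACLs (documentation addresses, not from the article).
WRONG_ORDER = """
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny host 192.0.2.66
"""
RIGHT_ORDER = """
access-list 10 deny host 192.0.2.66
access-list 10 permit 192.0.2.0 0.0.0.255
"""

if __name__ == "__main__":
    for name, acl in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        rules = parse_acl(acl)
        print(name, evaluate(rules, "192.0.2.66"), "shadowed lines:", shadowed(rules))
```

In the wrong-order list the host that was meant to be blocked is permitted by line 1, and the deny on line 2 never runs; a source outside 192.0.2.0/24 falls through to the implicit deny in both lists.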