In the most intuitive sense, an access list is a series of rules that instruct the router on how to select or match a route or packet. IOS uses access lists as an extremely general mechanism for controlling many kinds of router behavior, but the best way to understand how they work is to start with the simplest application: controlling the traffic that flows into or out of an interface.
Each rule in a standard access list contains three important parts:
a number that identifies the list when you refer to it in other parts of the router’s configuration
a packet identifier (such as an address)
As incoming or outgoing packets reach an interface that has an access list, the router compares the packets to each rule in the access list and decides whether the traffic should be blocked (denied) or permitted.
For IP traffic, there are two fundamental types of lists: standard and extended. Standard access lists filter based on source network addresses. A typical standard access list looks like this:
access-list 1 deny 10.10.1.0 0.0.0.255 access-list 1 deny 10.10.2.0 0.0.0.255 access-list 1 permit any
This list blocks any traffic from the 10.10.1.0 and 10.10.2.0 subnets, regardless of the packet’s destination, and permits anything that makes it past the first two lines. In other words, all traffic is permitted except for the 10.10.1.0 and 10.10.2.0 subnets. Once you have the list, you can apply it to the packets going into or out of a particular ...