IP Access Control Lists (ACLs) filter packets in one of two ways: they either permit a packet to be forwarded toward its destination or deny (discard) it. An ACL can be applied in two directions, inbound or outbound, on any given router interface.
An ACL must be applied in the same direction that the packets it should filter flow through the interface. If the packets in question leave the router through an interface (outbound), the ACL must be applied outbound on that interface to have any effect; an inbound ACL on the same interface would never see them.
Matching packets is the process of configuring ACL statements that tell the router how to examine each packet and identify which packets should be discarded and which should be allowed.
ACLs have only two actions: permit and deny.
Types of ACLs
Standard Numbered ACLs - ( 1 - 99 )
Extended Numbered ACLs - ( 100 - 199 )
Additional ACL Numbers - ( 1300 - 1999 Standard ) and ( 2000 - 2999 Extended )
Improved editing with sequence numbers
Standard ACLs match only the source IP address.
Extended ACLs match the source and destination IP addresses, and can additionally match the protocol and the source and destination port numbers.
ACLs use first-match logic: the router evaluates the entries from the top of the list (lowest sequence number) to the bottom, and the first entry that matches the packet decides the action. The remaining entries are not examined, so the order of the entries matters. This applies to every IOS ACL, whether standard, extended, named, or numbered.
Wild card mask octet of decimal 0: the router must compare that octet of the address exactly.
Wild card mask octet of decimal 255: the router treats that octet as a wild card, so any value matches.
Matching a subnet with an ACL
Subtract the subnet mask of the source subnet from 255.255.255.255, octet by octet; the result is the wild card mask to use in the ACL (0 bits must match, 1 bits are ignored).
255.255.255.255
minus subnet mask 255.255.252.0
Wild card mask = 0.0.3.255
Matching any\all addresses
access-list 1 permit any ( can be placed at the end of an ACL to override the implicit deny-all behavior; every packet not matched earlier is then permitted )
access-list 1 deny any ( does the same thing as the implicit deny at the end of every ACL, but because it is an explicit entry the router keeps match counters for it, visible with show access-lists, so policy violations can be counted. The implicit deny keeps no counters. )
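The following is an added worked example, not part of the original notes and not Cisco IOS code. It is a small Python simulation of a standard numbered ACL that reproduces the points above: the wild card mask is derived by subtracting the subnet mask from 255.255.255.255, a 0 bit in the wild card means "compare exactly" and a 1 bit means "ignore", entries are evaluated top-down with first-match logic, an explicit deny any keeps a match counter while the implicit deny does not, and reordering entries changes the result. The access-list lines and addresses are constructed for the example.

```python
"""Simulate Cisco IOS standard-ACL matching (added example, not IOS code).

Only standard ACL syntax is modelled:
    access-list <num> permit|deny any
    access-list <num> permit|deny host A.B.C.D
    access-list <num> permit|deny A.B.C.D [wildcard]
"""


def ip_to_int(ip: str) -> int:
    """Convert dotted-decimal to a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def wildcard_from_subnet_mask(mask: str) -> str:
    """Wild card mask = 255.255.255.255 minus the subnet mask, octet by octet."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wild card must match exactly; a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ ip_to_int(wildcard)  # bits the router compares
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def parse_entry(line: str) -> dict:
    """Parse one standard access-list statement into a matchable entry."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line}")
    if parts[3] == "any":
        base, wc = "0.0.0.0", "255.255.255.255"
    elif parts[3] == "host":
        base, wc = parts[4], "0.0.0.0"
    else:
        base = parts[3]
        # IOS assumes a wild card of 0.0.0.0 (exact host) when none is given.
        wc = parts[4] if len(parts) > 4 else "0.0.0.0"
    return {"line": line, "action": parts[2], "base": base, "wildcard": wc, "matches": 0}


class StandardAcl:
    """Ordered list of entries evaluated with first-match logic."""

    def __init__(self, lines):
        self.entries = [parse_entry(l) for l in lines]

    def evaluate(self, src_ip: str) -> str:
        # Top-down: the first matching entry decides; later entries are never seen.
        for entry in self.entries:
            if wildcard_match(src_ip, entry["base"], entry["wildcard"]):
                entry["matches"] += 1
                return entry["action"]
        return "deny"  # implicit deny at the end of every ACL: no counter kept

    def counters(self) -> dict:
        """Match counts per explicit entry, like 'show access-lists' would display."""
        return {e["line"]: e["matches"] for e in self.entries}


# Constructed example: block one host, permit the rest of 10.1.0.0/22, count the rest.
SUBNET_MASK = "255.255.252.0"
ACL_1 = [
    "access-list 1 deny host 10.1.1.1",
    f"access-list 1 permit 10.1.0.0 {wildcard_from_subnet_mask(SUBNET_MASK)}",
    "access-list 1 deny any",  # explicit deny so violations are counted
]


def run_demo():
    """Evaluate a few sources and return (results, counters) for inspection."""
    acl = StandardAcl(ACL_1)
    sources = ["10.1.1.1", "10.1.3.200", "10.1.4.1", "192.0.2.9"]
    results = {src: acl.evaluate(src) for src in sources}
    return results, acl.counters()


if __name__ == "__main__":
    results, counters = run_demo()
    for src, action in results.items():
        print(f"{src:>12} -> {action}")
    for line, count in counters.items():
        print(f"{count:3} matches  {line}")
```

Note that 10.1.1.1 also falls inside 10.1.0.0 0.0.3.255, but the deny host entry sits above the permit entry and wins; swap the first two lines and that host is permitted, which is the ordering mistake first-match logic makes easy to get wrong. The implicit deny at the bottom never increments a counter, which is why the notes recommend the explicit deny any entry.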