Routers use access lists to control incoming or outgoing traffic. You should know the following characteristics of an access list.
- Access lists describe the traffic type that will be controlled.
- Access list entries describe the traffic characteristics.
- Access list entries identify either permitted or denied traffic.
- Access list entries can describe a specific traffic type, or allow or restrict all traffic.
- When created, an access list contains an implicit “deny all” entry at the end of the access list.
- Each access list applies only to a specific protocol.
- Each router interface can have up to two access lists for each protocol, one for incoming traffic and one for outgoing traffic.
- When an access list is applied to an interface, the application specifies whether the list filters incoming or outgoing traffic on that interface.
- Access lists exist globally on the router, but filter traffic only for the interfaces to which they have been applied.
- Each access list can be applied to more than one interface. However, each interface can only have one incoming and one outgoing list.
- Access lists can be used to log traffic that matches the list statements.
When you create an access list, it automatically contains a “deny any” statement, although this statement does not appear in the list itself. For a list to allow any traffic, it must have at least one permit statement, either permitting a specific traffic type or permitting all traffic not specifically restricted.
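The behaviour described above (top-down first-match evaluation, the invisible trailing deny, logging of matched entries, and one list per interface and direction) can be checked with a small simulator. This is an added example, not configuration from the original page; the entry fields, the "ip" wildcard protocol and the sample addresses are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Entry:                 # one access list entry (hypothetical simplified syntax)
    action: str              # "permit" or "deny"
    protocol: str            # "ip" matches any protocol; otherwise "tcp", "udp", "icmp", ...
    source: str              # CIDR; "0.0.0.0/0" stands in for "any"
    dest: str
    log: bool = False        # record matches, as the "log" keyword does

class AccessList:
    def __init__(self, name, entries):
        self.name, self.entries = name, entries
    def evaluate(self, pkt, log):
        """Return (action, entry_number): first match wins, no match is the implicit deny (None)."""
        for num, e in enumerate(self.entries, start=1):
            if (e.protocol in ("ip", pkt["proto"])
                    and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(e.source)
                    and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(e.dest)):
                if e.log:
                    log.append(f"{self.name} #{num} {e.action} {pkt['proto']} {pkt['src']}->{pkt['dst']}")
                return e.action, num
        return "deny", None

class Interface:
    def __init__(self):
        self.acl = {"in": None, "out": None}   # at most one list per direction; assigning replaces
    def filter(self, pkt, direction, log):
        acl = self.acl[direction]   # no list applied: traffic passes unfiltered
        return ("permit", None) if acl is None else acl.evaluate(pkt, log)

# Constructed sample list: log and drop one misbehaving host, permit LAN-to-DMZ TCP,
# and let the implicit deny catch everything else (no explicit "deny any" needed).
LAN_TO_DMZ = AccessList("LAN_TO_DMZ", [
    Entry("deny", "ip", "10.0.0.99/32", "0.0.0.0/0", log=True),
    Entry("permit", "tcp", "10.0.0.0/24", "192.0.2.0/24"),
])
PACKETS = [  # constructed test traffic
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.10"},   # permit, entry 2
    {"proto": "tcp", "src": "10.0.0.99", "dst": "192.0.2.10"},  # deny, entry 1 (logged)
    {"proto": "udp", "src": "10.0.0.5", "dst": "192.0.2.10"},   # implicit deny: wrong protocol
    {"proto": "tcp", "src": "172.16.0.5", "dst": "192.0.2.10"}, # implicit deny: source not in list
]

def run_demo():
    log = []
    eth0 = Interface()
    eth0.acl["in"] = LAN_TO_DMZ                 # applied inbound on this interface only
    return [eth0.filter(p, "in", log) for p in PACKETS], log
```

Reordering the two entries would change nothing here, but putting a broad permit above a narrow deny in a real list silently shadows the deny, which is why entry order is checked before a list is applied.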
There are two general types of access lists: basic and extended.