Definition of an Access List
An access list is a sequential list consisting of at least one permit statement and possibly one or more deny statements. In the case of IP access lists, the statements can apply to IP addresses, upper-layer IP protocols, or other fields in IP packets. The access list is identified and referenced by a name or a number. An access list acts as a packet filter, filtering packets based on the criteria defined in the access list.
An access list may be configured, but it does not take effect until it is applied to an interface or a virtual terminal line (vty), or is referenced by some other command that accepts an access list. Multiple commands can reference the same access list.
The following configuration example shows how to create an IP access list named branchoffices and apply it to serial interface 0 on incoming packets (a second listing shows the same ACL applied to GigabitEthernet 0/1). No sources other than those on the networks specified by each source address and wildcard-mask pair can access this interface; every other packet is dropped by the implicit deny at the end of the list. The destinations for packets coming from sources on network 172.20.7.0 are unrestricted. The destination for packets coming from sources on network 172.29.2.0 must be 172.25.5.4.

  ip access-list extended branchoffices
   10 permit 172.20.7.0 0.0.0.3 any
   20 permit 172.29.2.0 0.0.0.255 host 172.25.5.4
  !
  interface serial 0
   ip access-group branchoffices in

The same access list applied inbound on GigabitEthernet 0/1 instead of serial 0:

  ip access-list extended branchoffices
   10 permit 172.20.7.0 0.0.0.3 any
   20 permit 172.29.2.0 0.0.0.255 host 172.25.5.4
  !
  interface gigabitEthernet 0/1
   ip access-group branchoffices in
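To check what the branchoffices list actually admits before applying it, the following added example (not Cisco code, and a deliberate simplification that evaluates only the source and destination address fields) parses the two entries, applies Cisco wildcard-mask matching (a set bit in the mask means "don't care"), walks the list in order until the first match, and falls through to the implicit deny. The sample source/destination pairs at the bottom are constructed for illustration.

```python
import ipaddress

# Constructed copy of the page's two ACL entries, as they appear in the running config.
BRANCHOFFICES_ACL = """
10 permit 172.20.7.0 0.0.0.3 any
20 permit 172.29.2.0 0.0.0.255 host 172.25.5.4
"""

def _parse_match(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, wildcard) as ints."""
    kw = tokens.pop(0)
    if kw == "any":
        return 0, 0xFFFFFFFF          # every bit is "don't care"
    if kw == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0   # exact match, no wildcard bits
    return int(ipaddress.IPv4Address(kw)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Return [(sequence, action, (src, src_wc), (dst, dst_wc)), ...] in configuration order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        seq, action, rest = int(tokens[0]), tokens[1], tokens[2:]
        src = _parse_match(rest)
        dst = _parse_match(rest)
        entries.append((seq, action, src, dst))
    return entries

def _matches(addr, spec):
    """Wildcard-mask comparison: bits set in the wildcard are ignored on both sides."""
    net, wildcard = spec
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (net | wildcard)

def evaluate(acl, src, dst):
    """First matching entry wins; anything that matches no entry hits the implicit deny."""
    for seq, action, src_spec, dst_spec in acl:
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action, seq
    return "deny", None   # implicit deny at the end of every access list

if __name__ == "__main__":
    acl = parse_acl(BRANCHOFFICES_ACL)
    # Constructed sample packets: the last two are dropped by the implicit deny.
    for s, d in [("172.20.7.2", "10.0.0.1"), ("172.29.2.77", "172.25.5.4"),
                 ("172.29.2.77", "10.0.0.1"), ("172.20.7.4", "10.0.0.1")]:
        print(s, "->", d, evaluate(acl, s, d))
```

Note that the 0.0.0.3 wildcard on entry 10 admits only 172.20.7.0 through 172.20.7.3, so a host such as 172.20.7.4 on the same /24 is denied even though the prose describes it as "network 172.20.7.0".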