Abstract
Rule evaluation
ACL entries are checked top-to-bottom in the order they appear in the list (the sequence number only fixes that order; processing is still line-by-line).
First match wins → once a packet matches an entry (permit or deny), the router stops checking further entries.
Default deny
Every ACL has a hidden final rule:
deny ip any any
If no entry matches → the packet is denied.
No mixed rules
You can’t mix standard and extended entries in the same ACL.
Standard ACL
access-list 10 deny 192.168.10.50 0.0.0.0
access-list 10 permit any
- Filter only by source IP
Place close to the destination
Only source-based, so applying them too early might block legitimate traffic. Maybe only some destinations don’t want traffic from this particular source; blocking at the source blocks every destination from receiving that traffic.
Extended ACL
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 443
- Filter by source IP + destination IP + protocol/port
Place close to the source
To block unwanted traffic as early as possible and save bandwidth. Since you already know you don’t want that traffic to reach a particular destination, just block it at the source.
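To tie the evaluation rules above (top-to-bottom, first match wins, implicit deny) to the standard and extended ACLs shown in these notes, here is a small added Python evaluator; it is example code, not Cisco IOS or anything from the notes, and the wildcard-mask matching and the `Entry` field names are my own modelling of the syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol; otherwise "tcp", "udp", ...
    src: str                      # "a.b.c.d wildcard" or "any"
    dst: str = "any"              # standard ACLs have no destination field, so default to any
    dport: Optional[int] = None   # destination port from "eq <port>"; None means any port

def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored (inverse of a netmask)."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (n & ~w)

def evaluate(acl, proto, src, dst, dport=None):
    """Walk the list top-to-bottom; return (action, 1-based entry index) of the first match.
    Falling off the end hits the implicit 'deny ip any any', reported with index None."""
    for i, e in enumerate(acl, 1):
        if e.proto not in ("ip", proto):
            continue
        if not wildcard_match(src, e.src) or not wildcard_match(dst, e.dst):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, i
    return "deny", None   # hidden final rule, never visible in the config

# Standard ACL 10 from the notes: block one host, permit everyone else.
ACL_10 = [
    Entry("deny", "ip", "192.168.10.50 0.0.0.0"),
    Entry("permit", "ip", "any"),
]
# Extended ACL 101 from the notes: only TCP/443 from 192.168.10.0/24; all else falls to the implicit deny.
ACL_101 = [
    Entry("permit", "tcp", "192.168.10.0 0.0.0.255", "any", 443),
]
# Same two entries as ACL 10 in the wrong order: 'permit any' matches first, so the deny is dead.
ACL_10_REVERSED = [ACL_10[1], ACL_10[0]]
```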