Introduction to Access Lists

At the most basic level, an access list is no more than a list of packet filters applied to a router interface. Access lists inspect network packets based on criteria such as source address, destination address, protocols, and port numbers. The rules specified in an access list are then used to either permit or deny the traffic. For example, an access list entry might specify that traffic from network should be denied. When network traffic is encountered on the interface, with the access list applied, the router will inspect the packet. If the source address is from the range listed, the packet will be denied, and dropped.

Tip: Cisco generally recommends that access lists be implemented at the distribution layer. Although they are sometimes used at the access layer as well, it is strongly recommended that you avoid implementing access lists at the core layer, since they slow down packet forwarding rates due to the inspection process that takes place.

In order to appreciate access lists, you must keep a few key things in mind. The first is that an access list is nothing more than a series of packet filtering rules. However, this list of rules does nothing until it is applied to a router interface. That’s important to remember – first you define an access list, and then apply it to an interface. Access lists can be applied to an interface to control inbound traffic, outbound traffic, or both. After being applied to an interface, an access list can still have packet-filtering rules added to it. It’s also important to keep in mind that access lists only filter traffic that moves through a router. As such, access lists do nothing to filter traffic that remains local.

While an access list that specifies a single rule may be simple, things get a little more complex as additional rules are added. An access list can be made up of many rules, each of which specifies whether certain types of traffic should be permitted or denied. In order to completely understand how access lists filter traffic, you’ll need to understand how rules are evaluated, the different types of access lists that exist, and how access lists are applied to interfaces.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions. Click here to contact Dan.