Guidelines for Implementing ACLs
Following are some general guidelines to consider when implementing ACLs:
ACLs can be applied to multiple interfaces on a device.
Only one ACL is allowed per protocol per interface per direction. This means that you can have two ACLs per interface: one inbound and one outbound.
ACLs are processed from the top down, and the first matching entry is the one applied, so the order of the access-list entries needs to be planned carefully. More specific entries must appear first.
When entering the ACL, the router appends each new access control entry (ACE) at the bottom. In newer IOS versions that support sequence numbers, ACEs can be inserted between existing entries.
There is an "implicit deny" at the end of every ACL for traffic that is not explicitly permitted. An ACL containing only a single deny statement therefore denies all traffic. An ACL must have at least one permit statement; otherwise, all traffic is blocked.
Always create an ACL before applying it to the interface. When modifying or editing an ACL, remove the ACL from the interface, make the changes, and then reapply it to the interface.
An outbound (egress) ACL applied to a router interface checks only traffic traversing the router, that is, traffic going through the router, not traffic originating from the router itself.
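The following Python model is an added illustration and is not part of the original text or of Cisco IOS. It implements the two behaviours the guidelines rely on, top-down first-match evaluation and the implicit deny at the end of the list, and adds a check for entries that an earlier, broader entry shadows so they can never match. The ACL entries, addresses and packets are constructed for the example; CIDR prefixes stand in for IOS wildcard masks.

```python
"""Toy model of Cisco-style ACL evaluation: top-down first match with an
implicit deny, plus a check for entries shadowed by an earlier broader entry.
Added illustration, not IOS code; all addresses and entries are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import List, Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")          # stands in for the IOS keyword "any"


@dataclass(frozen=True)
class Ace:
    seq: int                 # sequence number; entries are evaluated in this order
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol, else "tcp"/"udp"/"icmp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None   # destination port, None = any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """True if this single entry matches the packet."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ace.src or ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down: the first matching ACE decides. If nothing matches, the
    implicit deny applies, reported with seq None."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


def shadowed(acl: List[Ace]) -> List[Tuple[int, int]]:
    """Return (shadowed_seq, shadowing_seq) pairs. A later entry is shadowed
    when every packet it could match is already matched by an earlier entry,
    which is what happens when a broad entry is placed before a specific one."""
    ordered = sorted(acl, key=lambda a: a.seq)
    result = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            proto_ok = earlier.proto == "ip" or earlier.proto == later.proto
            port_ok = earlier.dport is None or earlier.dport == later.dport
            if (proto_ok and port_ok
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)):
                result.append((later.seq, earlier.seq))
                break
    return result


# Constructed example: block Telnet from one host, allow the rest of the subnet.
# Written general-first, the deny at seq 20 is dead code.
WRONG_ORDER = [
    Ace(10, "permit", "ip", IPv4Network("10.1.1.0/24"), ANY),
    Ace(20, "deny", "tcp", IPv4Network("10.1.1.99/32"), ANY, dport=23),
]
# Specific entry first, as the guidelines require.
RIGHT_ORDER = [
    Ace(10, "deny", "tcp", IPv4Network("10.1.1.99/32"), ANY, dport=23),
    Ace(20, "permit", "ip", IPv4Network("10.1.1.0/24"), ANY),
]
# A deny-only ACL: together with the implicit deny it blocks everything.
DENY_ONLY = [Ace(10, "deny", "tcp", ANY, ANY, dport=23)]

TELNET = Packet("tcp", "10.1.1.99", "192.0.2.10", dport=23)   # constructed
WEB = Packet("tcp", "10.1.1.50", "192.0.2.10", dport=80)      # constructed

if __name__ == "__main__":
    print("wrong order, telnet:", evaluate(WRONG_ORDER, TELNET))   # ('permit', 10)
    print("shadowed entries:", shadowed(WRONG_ORDER))               # [(20, 10)]
    print("right order, telnet:", evaluate(RIGHT_ORDER, TELNET))   # ('deny', 10)
    print("right order, web:", evaluate(RIGHT_ORDER, WEB))         # ('permit', 20)
    print("deny-only, web:", evaluate(DENY_ONLY, WEB))             # ('deny', None)
```

Running `shadowed()` over a planned ACL before it is applied catches the ordering mistake that the "more specific entries first" rule guards against, and the `("deny", None)` result shows the implicit deny doing its work on traffic no entry mentions.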