Thursday, December 6, 2012

Securing network - using ACL

An Access Control List (ACL) is an ordered collection of permit and deny conditions that is applied to packets. It lets you control whether network traffic is forwarded or blocked at the interfaces of a router or switch. Typical match criteria are the packet's source address, its destination address, or the upper-layer protocol it carries. For example, you may want network users to reach the Internet with everything except the Telnet program; an ACL lets you express exactly that.

Basically, an ACL definition supplies criteria that are applied to packets entering or exiting a network interface. It provides a mechanism for defining security policy by grouping individual access control entries (ACEs) into a set of rules. The access and security permissions that one network device has to another are determined by the entries that make up the ACL. An ACE is not necessarily a negative restriction; in some cases an ACE is the way you grant a person or device access to something.

Most ACL implementations, Cisco IOS for example, test a packet against each ACE in the order the entries are defined until a match is found. If the packet matches the criteria of the first ACE, the switch applies that ACE's action to the packet; otherwise it continues comparing the packet against the subsequent ACEs. If no ACE matches, the switch drops the packet (this is the implicit deny-all at the end of every ACL). If no ACL is applied to the interface at all, the switch simply forwards the packet. Because switches process ACEs in order and stop testing after the first match, ACLs should be designed with care to give good performance. By studying the traffic flow, you can place the most commonly matched conditions first to minimize processing time; fewer conditions checked per packet means better throughput. As such, it is advisable to order the list with the most general statements at the top and the most specific statements at the bottom, with the last statement being the general, implicit deny-all.
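To make the first-match evaluation and the implicit deny-all concrete, here is a small evaluator written for this post; it is an added example, not code from the post or from Cisco IOS. It parses a handful of Cisco-style extended ACE lines (`permit`/`deny`, protocol, source and destination with wildcard masks, optional `eq` port), walks them in order, and reports both the action taken and the index of the matching entry, which doubles as a count of how many entries had to be tested. The ACL lines, addresses and packets are constructed for the demonstration; the Telnet rule mirrors the example in the text.

```python
"""Toy first-match ACL evaluator (added example; not the post's own code).

Parses Cisco-style extended ACEs of the form
    <permit|deny> <ip|tcp|udp|icmp> <src> [<wildcard>] <dst> [<wildcard>] [eq <port>]
where an address spec is "any", "host A.B.C.D", or "A.B.C.D W.X.Y.Z"
(address followed by a wildcard mask in which 1 bits mean "don't care").
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def ip_int(text: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass(frozen=True)
class ACE:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: int
    src_wc: int                 # wildcard mask for the source
    dst: int
    dst_wc: int                 # wildcard mask for the destination
    dport: Optional[int]        # None means any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        # Bits that are 0 in the wildcard must match the ACE address exactly.
        if (ip_int(pkt.src) ^ self.src) & (~self.src_wc & ALL_ONES):
            return False
        if (ip_int(pkt.dst) ^ self.dst) & (~self.dst_wc & ALL_ONES):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Return (address, wildcard, next_token_index) for the spec at tokens[i]."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return ip_int(tokens[i + 1]), 0, i + 2
    return ip_int(tokens[i]), ip_int(tokens[i + 1]), i + 2


def parse_ace(line: str) -> ACE:
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")
    src, src_wc, i = _parse_addr(tokens, 2)
    dst, dst_wc, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = int(tokens[i + 1])
    return ACE(action, proto, src, src_wc, dst, dst_wc, dport)


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation: returns (action, index of the matching ACE).

    No match at all yields ("deny", None), the implicit deny-all that ends
    every ACL. The index also tells you how many entries had to be tested.
    """
    for index, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, index
    return "deny", None


# Constructed sample ACL: LAN users may reach anything except Telnet (tcp/23).
ACL_LINES = [
    "deny tcp 192.168.1.0 0.0.0.255 any eq 23",
    "permit ip 192.168.1.0 0.0.0.255 any",
]
ACL = [parse_ace(line) for line in ACL_LINES]

# Constructed sample packets.
TELNET = Packet("tcp", "192.168.1.10", "203.0.113.5", 23)
HTTP = Packet("tcp", "192.168.1.10", "203.0.113.5", 80)
OUTSIDER = Packet("udp", "10.0.0.5", "203.0.113.5", 53)

if __name__ == "__main__":
    for pkt in (TELNET, HTTP, OUTSIDER):
        print(pkt, "->", evaluate(ACL, pkt))
```

The Telnet packet is denied by the first entry after a single comparison, the HTTP packet falls through to the second entry and is permitted, and the packet from 10.0.0.5 matches nothing and is dropped by the implicit deny even though no line names that network. Swapping the two explicit entries would change the policy, not just the performance, which is why reordering for throughput must only move entries whose match sets do not overlap.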