There are a few important rules that a packet follows when it’s being compared with an access
list:
- It’s always compared with each line of the access list in sequential order—that is, it’ll
  always start with the first line of the access list, then go to line 2, then line 3, and so on.
- It’s compared with lines of the access list only until a match is made. Once the packet
  matches the condition on a line of the access list, the packet is acted upon and no further
  comparisons take place.
- There is an implicit “deny” at the end of each access list—this means that if a packet doesn’t
  match the condition on any of the lines in the access list, the packet will be discarded.

Each of these rules has some powerful implications when filtering IP packets with access lists, so
keep in mind that creating effective access lists truly takes some practice.
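
The three rules above, modeled in Python as an added example (not code from the original text). It assumes Cisco IOS standard access-list syntax with wildcard masks; the list number 10 and the 172.16.30.0 addresses are constructed sample values, and `shadowed_lines` is a hypothetical helper that flags lines an earlier line makes unreachable.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_line(line):
    """Parse 'access-list <n> permit|deny <source>' into (action, addr, wildcard)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line!r}")
    source = tokens[3:]
    if source == ["any"]:
        addr, wildcard = "0.0.0.0", "255.255.255.255"
    elif len(source) == 2 and source[0] == "host":
        addr, wildcard = source[1], "0.0.0.0"
    elif len(source) == 2:
        addr, wildcard = source
    else:
        raise ValueError(f"unsupported source: {line!r}")
    return tokens[2], to_int(addr), to_int(wildcard)

def evaluate(acl_lines, source_ip):
    """First match wins. Returns (action, line number); None means implicit deny."""
    ip = to_int(source_ip)
    for number, line in enumerate(acl_lines, start=1):   # rule 1: sequential order
        action, addr, wildcard = parse_line(line)
        care = ~wildcard & 0xFFFFFFFF                    # wildcard 0-bits must match
        if (ip & care) == (addr & care):
            return action, number                        # rule 2: stop at first match
    return "deny", None                                  # rule 3: implicit deny

def shadowed_lines(acl_lines):
    """Line numbers that can never match because an earlier line covers them."""
    parsed = [parse_line(line) for line in acl_lines]
    hidden = []
    for j, (_, addr_j, wild_j) in enumerate(parsed):
        for _, addr_i, wild_i in parsed[:j]:
            care_i = ~wild_i & 0xFFFFFFFF
            # Earlier line checks only bits the later line also fixes, and they agree.
            if care_i & wild_j == 0 and (addr_i & care_i) == (addr_j & care_i):
                hidden.append(j + 1)
                break
    return hidden

# Constructed sample lists: the same two lines in opposite order.
BROAD_FIRST = ["access-list 10 permit 172.16.30.0 0.0.0.255",
               "access-list 10 deny host 172.16.30.2"]
SPECIFIC_FIRST = list(reversed(BROAD_FIRST))

if __name__ == "__main__":
    for name, acl in (("broad first", BROAD_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(name, evaluate(acl, "172.16.30.2"), "shadowed:", shadowed_lines(acl))
```

With the broad permit first, the host deny is never reached, so the order of lines decides the outcome even though both lists contain the same statements.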