ACLs: ordered list of permit and deny statements
  --evaluated top to bottom until the first match
  --implicit deny all at the bottom
  --applied per interface: inbound or outbound

ACL numbers:
  1-99, 1300-1999      Standard: matches on source IP only
  100-199, 2000-2699   Extended: matches on source/destination IP, protocol, port

Standard ACL:
  (config)# access-list N deny|permit IP WILDCARD | any | host IP
  # show access-list
  (config-if)# ip access-group N in|out
  Apply a standard ACL close to the destination.

  #control telnet/ssh to the router:
  access-list N permit host myTelnetClient
  line vty 0 4
  (config-line)# access-class N in|out    #usually in

Extended ACL:
  access-list N permit|deny PROTOCOL SOURCE DESTINATION
  Protocol: ip tcp udp icmp
  TCP/UDP port: eq PORT
  Source/Destination: any | host IPADDR | IPADDR WILDCARD
  Apply an extended ACL close to the source.

Named ACL:
  (config)# ip access-list standard|extended NAME
  (config-ext-nacl)# permit|deny PROTOCOL ...
  Editable by sequence number: no SEQNUM removes a line; newSEQNUM permit|deny ... inserts one

Reflexive ACL: inbound on the border router (to/from ISP)
  permit tcp any any established
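To see the semantics these notes describe (top-to-bottom first match, the implicit deny at the end, and how a wildcard mask selects which bits must match), here is an added Python evaluator written for this page; it is not Cisco code and not part of the original notes. It parses the statement forms listed above (any, host IP, IP WILDCARD, a protocol keyword, and eq PORT on the destination) and runs constructed sample packets through a constructed extended ACL and a constructed standard ACL; the ACL entries and addresses are examples chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example evaluator for Cisco-style ACL semantics (not IOS code).
# Supported entry forms, mirroring the notes above:
#   standard: permit|deny any | host IP | IP WILDCARD
#   extended: permit|deny ip|tcp|udp|icmp SRC DST [eq PORT]

Addr = Tuple[str, str]  # (base address, wildcard mask)
ANY: Addr = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit means 'must match', a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Entry:
    action: str                  # 'permit' or 'deny'
    protocol: str                # 'ip' matches every protocol
    src: Addr
    dst: Addr
    dst_port: Optional[int] = None   # from 'eq PORT' on the destination


def _parse_addr(tokens, i):
    """Parse any | host IP | IP [WILDCARD] at tokens[i]; return (Addr, next index)."""
    t = tokens[i]
    if t == "any":
        return ANY, i + 1
    if t == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    # A bare address with no wildcard following it is treated as a host.
    if i + 1 < len(tokens) and "." in tokens[i + 1]:
        return (t, tokens[i + 1]), i + 2
    return (t, "0.0.0.0"), i + 1


def parse_entry(line: str) -> Entry:
    """Parse one statement in the syntax listed in the notes."""
    tokens = line.split()
    action = tokens[0]
    if tokens[1] in ("ip", "tcp", "udp", "icmp"):      # extended form
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        return Entry(action, tokens[1], src, dst, port)
    src, _ = _parse_addr(tokens, 1)                    # standard form: source only
    return Entry(action, "ip", src, ANY)


def evaluate(acl, proto: str, src: str, dst: str, dst_port: Optional[int] = None):
    """Return (action, matching line index); index -1 means the implicit deny fired."""
    for idx, e in enumerate(acl):
        if e.protocol != "ip" and e.protocol != proto:
            continue
        if not wildcard_match(src, *e.src) or not wildcard_match(dst, *e.dst):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, idx            # first match wins; later lines are not consulted
    return "deny", -1                   # implicit deny all at the bottom


# Constructed sample ACLs (illustrative values, not from any real network).
# Extended: only SSH from the 192.168.1.0/24 LAN may reach the server 10.0.0.10.
ACL_101 = [parse_entry(s) for s in (
    "permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.10 eq 22",
    "deny ip 192.168.1.0 0.0.0.255 host 10.0.0.10",
    "permit ip any any",
)]
# Standard: the vty access-class idea from the notes, one permitted admin host.
ACL_10 = [parse_entry("permit host 192.168.1.5")]


if __name__ == "__main__":
    for pkt in (("tcp", "192.168.1.5", "10.0.0.10", 22),
                ("tcp", "192.168.1.5", "10.0.0.10", 80),
                ("udp", "192.168.1.5", "10.0.0.11", 53)):
        print(pkt, "->", evaluate(ACL_101, *pkt))
    print("vty from 192.168.1.6 ->", evaluate(ACL_10, "tcp", "192.168.1.6", "10.0.0.1", 22))
```

Swapping the first two lines of ACL_101 would block the SSH flow as well, which is why the evaluation order in these notes matters as much as the statements themselves; the returned line index is the same information a practitioner reads from per-line hit counts in show access-list when checking which statement actually matched.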