1.5 Access List Overview
1.5.2 How access lists work
Access lists express the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. Access lists do not act on packets that originate in the router itself.

The beginning of the process is the same regardless of whether access lists are used: as a packet enters an interface, the router checks whether it is routable (or bridgeable). If it is not, the packet is dropped. A routing table entry indicates a destination network, some routing metric or state, and the interface to use.

Next, the router checks whether the destination interface is grouped to an access list. If it is not, the packet can be sent to the output buffer. For example, if the packet will use To0, which has no access lists in effect, it uses To0 directly.

Interface E0 has been grouped to an extended access list. The administrator used precise, logical expressions to set the access list. Before a packet can proceed to that interface, it is tested by a combination of access list statements associated with that interface.

Based on the extended access list tests, the packet can be permitted. For inbound lists, this means the router continues to process the packet after receiving it on an inbound interface. For outbound lists, this means the packet is sent to the output buffer for E0. Otherwise, the test results deny permission, which means the packet is discarded. The router's access list provides firewall control to deny use of the E0 interface. When discarding packets, some protocols return a special packet to the sender. This notifies the sender of the unreachable destination.
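
The decision flow described above, as an added Python sketch (not router code and not part of the original text). The routes, addresses and access list entries are constructed sample data, the model covers routing only (not bridging), and it assumes statements are tested in order with a deny when nothing matches, which is standard router behaviour but is not stated in this section.

```python
import ipaddress

# Constructed sample data: routing table (destination network -> interface).
ROUTES = {"10.1.0.0/16": "E0", "10.2.0.0/16": "To0"}

# Outbound extended access list grouped to E0; To0 has none. Each entry is
# (action, protocol, source net, destination net, destination port or None).
ACLS = {
    "E0": [
        ("deny", "tcp", "172.16.4.0/24", "10.1.0.0/16", 23),
        ("permit", "tcp", "172.16.0.0/16", "10.1.0.0/16", None),
        ("permit", "icmp", "0.0.0.0/0", "10.1.0.0/16", None),
    ]
}

def route_lookup(dst):
    """Longest-prefix match; None means the packet is not routable."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), i) for p, i in ROUTES.items()]
    hits = [(n, i) for n, i in nets if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def acl_test(acl, proto, src, dst, dport):
    """The first matching statement decides; no match at all means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, a_proto, a_src, a_dst, a_port in acl:
        if (proto == a_proto
                and s in ipaddress.ip_network(a_src)
                and d in ipaddress.ip_network(a_dst)
                and a_port in (None, dport)):
            return action
    return "deny"

def forward(proto, src, dst, dport=None):
    """Walk one packet through the steps in the text and report the outcome."""
    iface = route_lookup(dst)
    if iface is None:
        return "drop: not routable"
    acl = ACLS.get(iface)
    if acl is None:  # interface not grouped to an access list
        return f"send to {iface} output buffer (no access list)"
    if acl_test(acl, proto, src, dst, dport) == "permit":
        return f"send to {iface} output buffer (permitted)"
    # Denied: discard and tell the sender the destination is unreachable.
    return f"discard; notify {src} destination unreachable"
```

Calling `forward("tcp", "172.16.4.10", "10.1.5.5", 23)` shows the deny path on E0, while the same packet addressed to `10.2.5.5` leaves through To0 untested.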