1.5 Access List Overview
1.5.3 A list of tests: deny or permit
Access list statements operate in sequential, logical order. They evaluate packets from the top down. If a packet header and access list statement match, the packet skips the rest of the statements. If a condition match is true, the packet is permitted or denied. There can be only one access list per protocol, per interface, per direction.

In the figure, for instance, by matching the first test, a packet is denied access to destination interfaces. It will be discarded and dropped into the bit bucket. The packet is not exposed to any access list tests that follow.

Only if the packet does not match conditions of the first test will it drop to the next access list statement. Assume a different packet's parameters match the next test, a permit statement; the permitted packet proceeds to the destination interface. If another packet does not match the conditions of the first or second test, but does match conditions of the next access list statement, a permit results.

NOTE: For logical completeness, an access list must have conditions that test true for all packets using the access list. A final implied statement covers all packets for which conditions did not test true. This final test condition matches all other packets. It results in a deny. Instead of proceeding in or out an interface, all these remaining packets are dropped.