10.2 Configuring IP Standard Access Lists
10.2.2 Inbound access list processing
An access list is a sequential collection of permit and deny conditions that applies to IP addresses. The router tests addresses against the conditions in an access list one by one. The first match determines whether the router accepts or rejects the packet. Because the router stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the router rejects the packet.

Note that in the main figure when no more entries are found in the access list, the packet is denied, illustrating an important concept to remember when creating access lists. The last entry in an access list is what is known as an "implicit deny any." All traffic not explicitly permitted will be implicitly denied.

For inbound standard access lists, after receiving a packet, the router checks the source address of the packet against the access list. If the access list permits the address, the router exits the access list and continues to process the packet. If the access list rejects the address, the router discards the packet and returns an Internet Control Message Protocol (ICMP) "Admin Denied" message.

Note: When configuring access lists, order is important. Make sure that you list the entries in order from specific to general. To filter a specific host address and then permit all other addresses, for example, make sure your entry about the specific host appears first.