There are many reasons to configure access lists; for example, you can use access lists to restrict contents of routing updates
or to provide traffic flow control. One of the most important reasons to configure access lists is to provide a basic level
of security for your network by controlling access to it. If you do not configure access lists on your router, all packets
passing through the router could be allowed onto all parts of your network.
An access list can allow one host to access a part of your network and prevent another host from accessing the same area.
In the figure below, by applying an appropriate access list to the interfaces of the router, Host A is allowed to access the
Human Resources network and Host B is prevented from accessing the Human Resources network.
Access lists should be used in firewall routers, which are often positioned between your internal network and an external
network such as the Internet. You can also use access lists on a router positioned between two parts of your network, to control
traffic entering or exiting a specific part of your internal network.
To obtain the security benefits of access lists, you should at least configure access lists on border routers, that is, routers
located at the edges of your networks. Such an access list provides a basic buffer from the outside network, or from a less
controlled area of your own network, into a more sensitive area of your network. On these border routers, you should configure
access lists for each network protocol configured on the router interfaces. You can configure access lists so that inbound
traffic, outbound traffic, or both are filtered on an interface.
Access lists are defined on a per-protocol basis. In other words, you should define access lists for every protocol enabled
on an interface if you want to control traffic flow for that protocol.
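The following Cisco IOS configuration is an added example, not part of the original document, that puts the points above together: the Host A / Host B scenario, an inbound filter on a border router, and the per-protocol rule. All addresses, interface names and ACL names are constructed for illustration (Host A = 192.0.2.10, Host B = 192.0.2.20, Human Resources network = 198.51.100.0/24, a public web server at 203.0.113.5).

```cisco
! Added example; addresses and names are constructed, not from the original document.
! IOS access lists are evaluated top to bottom, first match wins, and every list
! ends with an implicit "deny" for any packet that matched no entry.
!
! --- Host A may reach Human Resources, Host B may not -----------------------
ip access-list extended HR-ACCESS
 remark Host A (192.0.2.10) is allowed into the HR network 198.51.100.0/24
 permit ip host 192.0.2.10 198.51.100.0 0.0.0.255
 remark Host B (192.0.2.20) is blocked; "log" records each denied packet
 deny   ip host 192.0.2.20 198.51.100.0 0.0.0.255 log
 remark everything else on this segment is unaffected by this list
 permit ip any any
!
! Apply the list inbound on the interface facing the hosts, so the decision is
! made before the router forwards the packet anywhere.
interface GigabitEthernet0/0
 description LAN segment with Host A and Host B
 ip address 192.0.2.1 255.255.255.0
 ip access-group HR-ACCESS in
!
! --- Border router: filter what enters from the outside network --------------
ip access-list extended FROM-OUTSIDE
 remark private (RFC 1918) source addresses must not arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark only HTTPS to the public web server is allowed in
 permit tcp any host 203.0.113.5 eq 443
 remark return traffic for TCP sessions opened from the inside
 permit tcp any any established
 remark make the implicit deny explicit and visible in the log
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Link to the Internet
 ip address 203.0.113.1 255.255.255.252
 ip access-group FROM-OUTSIDE in
!
! --- Access lists are per protocol --------------------------------------------
! The IPv4 list above does nothing for IPv6; if IPv6 is enabled on the outside
! interface it needs its own list. Neighbor Discovery is permitted explicitly,
! because an explicit "deny ipv6 any any" would otherwise drop it.
ipv6 access-list FROM-OUTSIDE-V6
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit tcp any host 2001:db8::5 eq 443
 deny ipv6 any any log
!
interface GigabitEthernet0/1
 ipv6 traffic-filter FROM-OUTSIDE-V6 in
```

Two design choices are worth noting. The HR list ends with `permit ip any any` because it is applied on a general-purpose LAN interface and should only affect traffic toward Human Resources; the border list instead ends with a logged `deny ip any any`, because on a border router anything not explicitly permitted should be dropped and recorded. After applying either list, `show ip access-lists` (or `show ipv6 access-list`) displays per-entry match counters, which is the quickest way to confirm that packets are hitting the entry you expect rather than falling through to the final deny.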