
ACL Architecture and Operation

An ACL is a fundamental tool that filters incoming and outgoing traffic on a device interface based on the Layer 3 and Layer 4 header fields of each packet.

A sequential list of rules (also known as access control statements or entries) defines the 'permit' or 'deny' action applied to matching packets. Once configured, these statements are evaluated in sequential logical order from top to bottom.

Example access control topology where packets of data are either permitted or denied

From the image above, the packet received on the interface is examined against the applied ACL, starting with the first entry at the top of the ACL. Whatever the match conditions, only two actions are available: 'permit' or 'deny.' When a match occurs, the configured action is applied and ACL processing stops there.

Otherwise, the process continues to the next ACL entry in the list until a match is found. When there is no match against the configured entries, the packet always gets dropped at the end. The reason is that the IOS always places the implicit deny entry as the last entry in the ACL by default.

Configuring the correct entries does not by itself mean the ACL will operate as expected. If the entries are placed inside the ACL in the wrong order, the ACL may permit or deny traffic you did not intend. Therefore, you should always place the most specific entries at the top of the ACL and the general ones at the bottom. This approach guarantees proper packet filtering.

However, when this approach is not followed, a more general entry might be matched first, so a more specific entry placed lower in the ACL is never reached and never matches, purely because of the order in which the entries are evaluated.
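As an added illustration (example code written for this page, not Cisco code), the following Python evaluator applies IOS-style entries top-down with first-match semantics and the implicit deny, and also reports entries that are shadowed by a more general entry above them. The ACL lines and addresses are constructed; the parser assumes the simplified form `<permit|deny> <proto> <src-spec> <dst-spec>` without port or established keywords.

```python
import ipaddress
ALL = 0xFFFFFFFF  # 32-bit mask; an all-ones wildcard means "any address"

def _addr(t, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at t[i] into (addr, wildcard) ints."""
    if t[i] == "any":
        return (0, ALL), i + 1
    if t[i] == "host":
        return (int(ipaddress.ip_address(t[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(t[i])), int(ipaddress.ip_address(t[i + 1]))), i + 2

def parse_acl(lines):
    """Each entry becomes (action, proto, src_spec, dst_spec, original_text)."""
    entries = []
    for line in lines:
        t = line.split()
        src, i = _addr(t, 2)
        dst, _ = _addr(t, i)
        entries.append((t[0], t[1], src, dst, line))
    return entries

def _matches(spec, ip):
    """IOS wildcard semantics: a 1 bit is 'don't care', a 0 bit must match exactly."""
    addr, wildcard = spec
    return (int(ipaddress.ip_address(ip)) ^ addr) & ~wildcard & ALL == 0

def evaluate(entries, proto, src, dst):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for action, p, s, d, text in entries:
        if p in ("ip", proto) and _matches(s, src) and _matches(d, dst):
            return action, text
    return "deny", "implicit deny"

def _covers(a, b):
    """True if spec a matches every address that spec b matches."""
    (aa, aw), (ba, bw) = a, b
    return bw & ~aw & ALL == 0 and (aa ^ ba) & ~aw & ALL == 0

def shadowed(entries):
    """Entries that can never match because an earlier entry already covers all their traffic."""
    result = []
    for j, (_, p, s, d, text) in enumerate(entries):
        for _, ep, es, ed, etext in entries[:j]:
            if ep in ("ip", p) and _covers(es, s) and _covers(ed, d):
                result.append((text, etext))
                break
    return result

# Constructed ACL: the host-specific deny sits below the general permit, so it never matches.
WRONG_ORDER = ["permit ip 192.168.10.0 0.0.0.255 any", "deny ip host 192.168.10.5 any"]
RIGHT_ORDER = list(reversed(WRONG_ORDER))
```

Running `shadowed(parse_acl(WRONG_ORDER))` reports the deny entry as unreachable, while the same two lines in `RIGHT_ORDER` block the host and still permit the rest of the subnet.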