Access control list

dmalamba
Level 1

I have connected my company to the internet via a Cisco router using NAT and an access list. I only want mail traffic and internet browsing traffic to pass through, and to deny all the other traffic. How should I implement it, since I am not familiar with traffic types and port numbers very well?

3 Replies

konigl
Level 7

I agree with konigl's response, it is really thorough and gives you great information to get you started!

I would like to add, though, that if you are running a newer IOS version, 12.2 or 12.3 (I think it was released in 12.2), you can actually "actively" change your access-lists without having to completely delete and recreate them (or tftp them). Use ip access-list extended [name or number]. This will allow you to add comments to the middle of your ACL. So..

Do a "sho ip access-lists" (or if you're already at the config t prompt.. "do sho ip access-lists"). This should give you an output such as:

Extended IP access list all-traffic-log
    10 permit tcp any any gt 0 log
    20 permit udp any any gt 0 log
    30 permit ip any any log

So, if I wanted to deny tcp port 80 to all hosts because I really hate them.. I can do the following:

router(config)#ip access-list extended all-traffic-log
9 deny tcp any any eq 80

This will insert deny tcp any any eq 80 above permit tcp any any gt 0 log. A show ip access-lists now reads:

Extended IP access list all-traffic-log
    9 deny tcp any any eq 80
    10 permit tcp any any gt 0 log
    20 permit udp any any gt 0 log
    30 permit ip any any log

If you ended up using 1 - 9 and you still wanted to add another rule, you can resequence this by doing the following:

router(config)#ip access-list resequence [name or number] 10 10

This sets the ACL to now start at the number 10 and increment each statement by 10.

I really like this feature, but I do recommend that you remove the ACL from the interface first unless you're truly sure that you can apply this without disconnecting yourself.

Also, put your most accessed statements at the top. The longer your ACLs get, the longer it takes a packet to get through them. This isn't a big concern when your ACLs are small or if you have more power in your router than you reasonably use, but if your router is in need of an upgrade or you have a large number of packets passing through the router, then you should do this for efficiency's sake.
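To tie the procedure above to the original question, here is an added worked example (not from this thread, not copied from Cisco documentation): a named extended ACL that lets only web and outbound mail traffic leave the LAN, followed by the in-place insert and resequence described in the reply. The ACL name inside-out, the LAN range 192.168.1.0/24 and the interface FastEthernet0/0 are assumptions; the port numbers are the standard ones (DNS 53, HTTP 80, HTTPS 443, SMTP 25, POP3 110). DNS is included because browsing and mail both fail without name resolution.

```cisco
! Entries are evaluated top-down, first match wins, and an implicit
! "deny ip any any" sits at the end of every ACL.
router(config)# ip access-list extended inside-out
router(config-ext-nacl)# remark Name resolution (web and mail both need it)
router(config-ext-nacl)# permit udp 192.168.1.0 0.0.0.255 any eq 53
router(config-ext-nacl)# remark Web browsing
router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 80
router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 443
router(config-ext-nacl)# remark Outbound mail (SMTP)
router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 25
router(config-ext-nacl)# remark Log everything else before the implicit deny
router(config-ext-nacl)# deny ip any any log
router(config-ext-nacl)# exit

! Verify. IOS numbers the entries 10, 20, 30 ... by itself and shows
! well-known ports by name; remarks are not shown here (only in the running-config).
router# show ip access-lists inside-out
Extended IP access list inside-out
    10 permit udp 192.168.1.0 0.0.0.255 any eq domain
    20 permit tcp 192.168.1.0 0.0.0.255 any eq www
    30 permit tcp 192.168.1.0 0.0.0.255 any eq 443
    40 permit tcp 192.168.1.0 0.0.0.255 any eq smtp
    50 deny ip any any log

! Later the mail client also needs POP3. Insert it in place with a sequence
! number that lands ABOVE the catch-all deny at 50, otherwise the deny
! matches first and the new permit is never reached.
router(config)# ip access-list extended inside-out
router(config-ext-nacl)# 45 permit tcp 192.168.1.0 0.0.0.255 any eq 110
router(config-ext-nacl)# exit

! When the gaps between numbers are used up, renumber: start at 10, step 10.
router(config)# ip access-list resequence inside-out 10 10

! Apply inbound on the LAN interface. Inbound ACLs are checked before NAT
! translates the packet, which is why the source addresses above are the
! private LAN range, not the public NAT address.
router(config)# interface FastEthernet0/0
router(config-if)# ip access-group inside-out in
```

If the ACL is already bound to an interface, "no ip access-group inside-out in" before a large edit avoids locking yourself out of the router mid-change, which is the caution raised in the reply above; a single inserted line on an ACL that does not affect your own management traffic is normally safe to do live.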

Great add to my post, Brian!

I've been doing it the "old-fashioned" way for years, out of habit. I'd forgotten that they fairly recently introduced the ability to edit them in place by line number.

I've got a couple of really long ACLs where this will come in handy.

Sometimes you CAN teach an old dog new tricks. ;)

Thanks again.
