I'm creating an access list where I "deny ip" to an entire subnet. However, the "...1" address on that denied subnet is my next-hop router out to the Internet. (This is the way I want it, since that router is not under my control.) Will I still be able to get "out" to the Internet? All the two routers should need to pass traffic are the MAC & IP addresses in the ARP table, and I'm pretty sure ARP is "below" the IP layer, so both routers SHOULD have each other in their ARP table. Is ARP considered part of the "deny ip"? Will the untrusted router show up in my router's ARP table? I know I won't be able to PING or Telnet to that router and vice versa, but that's OK and what I want... but traffic that does not have a source or destination IP of the router's subnet should be able to pass, right?
Yes, ARP is not IP. Moreover, it is not routable and not controllable with ACLs.
If you have an interface on an untrusted network, you can disable arp and use static entries for trusted peers. They will need to do the same with your router.
Hope this helps, please rate post if it does!
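The setup discussed above, as an added IOS configuration example that is not part of either post. It assumes the upstream subnet is 192.0.2.0/24 (documentation range), the untrusted next hop is 192.0.2.1, our side is 192.0.2.2 on GigabitEthernet0/0, and the MAC address in the static ARP entry is a constructed placeholder; the ACL name is also an assumption. Transit traffic to the Internet has neither a source nor a destination in 192.0.2.0/24, so it matches the final permit, while IP traffic to or from the upstream router itself is dropped; ARP is a separate EtherType and is never evaluated by an IP ACL, so the static entry simply pins the next hop's MAC instead of learning it dynamically (the answer's option of turning dynamic ARP off on the interface is left out here).

```cisco
! Block all IP traffic to and from the untrusted upstream subnet,
! but let everything else (transit to the Internet) through.
ip access-list extended BLOCK-UPSTREAM-SUBNET
 deny   ip any 192.0.2.0 0.0.0.255
 deny   ip 192.0.2.0 0.0.0.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 description Link to untrusted upstream router (192.0.2.1)
 ip address 192.0.2.2 255.255.255.0
 ip access-group BLOCK-UPSTREAM-SUBNET in
 ip access-group BLOCK-UPSTREAM-SUBNET out
!
! Default route still points at the next hop inside the denied subnet;
! forwarding needs only the next hop's MAC, which ARP (not IP) supplies.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! Static ARP entry for the trusted next hop (placeholder MAC, not a real value).
arp 192.0.2.1 0011.2233.4455 arpa
```

To confirm the behaviour, `show ip arp` should list 192.0.2.1 with the static entry regardless of the ACL, and `show ip access-lists BLOCK-UPSTREAM-SUBNET` shows the deny counters climbing for pings or Telnet aimed at the upstream router while the permit counter accounts for transit traffic. One practical caveat: the inbound deny also drops ICMP error messages the upstream router sends (for example unreachables), so path problems upstream become harder to diagnose from this router.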