Chapter 19: Access Control List Configuration Guide

266 SmartSwitch Router User Reference Manual

If you edit and save changes to an ACL that is currently being used or applied to an interface, the changes will take effect immediately. There is no need to remove the ACL from the interface before making changes and reapply it after changes are made. The process is automatic.

Using ACLs

It is important to understand that an ACL is simply a definition of packet characteristics specified in a set of rules. An ACL must be enabled in one of the following ways:

• Applying an ACL to an interface, which permits or denies traffic to or from the SSR. ACLs used in this way are known as Interface ACLs.

• Applying an ACL to a service, which permits or denies access to system services provided by the SSR. ACLs used in this way are known as Service ACLs.

• Applying an ACL to ports operating in Layer-4 bridging mode, which permits or denies bridged traffic. ACLs used in this way are known as Layer-4 Bridging ACLs.

• Associating an ACL with ip-policy, nat, port mirroring, rate-limit, or web-cache commands, which specifies the criteria that packets, addresses, or flows must meet in order to be relevant to these SSR features. ACLs used in this way are known as Profile ACLs.

These uses of ACLs are described in the following sections.

Applying ACLs to Interfaces

An ACL can be applied to an interface to examine either inbound or outbound traffic. Inbound traffic is traffic coming into the SSR. Outbound traffic is traffic going out of the SSR. For each interface, only one ACL can be applied for the same protocol in the same direction. For example, you cannot apply two or more IP ACLs to the same interface in the inbound direction. You can apply two ACLs to the same interface if one is for inbound traffic and one is for outbound traffic, but not in the same direction. However, this restriction does not prevent you from specifying many rules in an ACL.
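
The interface ACL behaviour this section describes, as an added Python model that is not SSR code or configuration: one ACL per protocol per direction on an interface, edits to an applied ACL taking effect immediately, and a routed packet checked inbound and then outbound. First-match rule ordering, the packet fields and every name in the block are assumptions of the model.

```python
# Added illustration: a toy model of interface ACL behaviour, not SSR code.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str          # "permit" or "deny"
    src: str             # source prefix (model field, assumed)
    dport: int = 0       # destination port; 0 matches any (model convention)
    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and self.dport in (0, pkt["dport"]))

@dataclass
class Acl:
    protocol: str        # e.g. "ip"
    rules: list = field(default_factory=list)
    def permits(self, pkt):
        # Assumption: rules are tried in order and the first match decides.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action == "permit"
        return False     # not permitted by any rule: dropped

class Interface:
    def __init__(self, name):
        self.name, self.slots = name, {}   # (protocol, direction) -> Acl
    def apply(self, acl, direction):
        if (acl.protocol, direction) in self.slots:   # one ACL per protocol per direction
            raise ValueError(f"{self.name}: {direction} {acl.protocol} ACL already applied")
        self.slots[acl.protocol, direction] = acl     # held by reference, so edits are live
    def check(self, pkt, direction, protocol="ip"):
        acl = self.slots.get((protocol, direction))
        return acl is None or acl.permits(pkt)        # no ACL applied: no check

def forward(pkt, in_if, out_if):   # routed packet: inbound check, then outbound check
    if not in_if.check(pkt, "inbound"):
        return "dropped inbound"
    return "forwarded" if out_if.check(pkt, "outbound") else "dropped outbound"

def demo():
    # Constructed sample: one ACL holding two rules, applied inbound on int1.
    acl = Acl("ip", [Rule("deny", "10.9.0.0/16"), Rule("permit", "10.0.0.0/8", 80)])
    int1, int2 = Interface("int1"), Interface("int2")
    int1.apply(acl, "inbound")
    pkt = {"src": "10.1.2.3", "dport": 80}
    before = forward(pkt, int1, int2)
    acl.rules.insert(0, Rule("deny", "10.1.0.0/16"))   # edit the applied ACL
    return before, forward(pkt, int1, int2)
```

In `demo()` the same packet is forwarded before the edit and dropped inbound after it, with no re-apply step, which is why a change to an applied ACL deserves review before it is saved.
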
You just have to put all of these rules into one ACL and apply it to an interface.

When a packet comes into the SSR at an interface where an inbound ACL is applied, the SSR compares the packet to the rules specified by that ACL. If it is permitted, the packet is allowed into the SSR. If not, the packet is dropped. If that packet is to be forwarded to go out of another interface (that is, the packet is to be routed) then a second ACL check is possible. At the output interface, if an outbound ACL is applied, the packet will be compared to the rules specified in this outbound ACL. Consequently, it is possible for a packet to go through two separate checks, once at the inbound interface and once more at the outbound interface.

When you apply an ACL to an interface, you can also specify whether the ACL can be modified or removed from the interface by an external agent (such as the Policy Manager