SmartSwitch Router User Reference Manual 267Chapter 19: Access Control List Configuration Guideapplication). Note that for an external agent to modify or remove an applied ACL from aninterface, the acl-policy enable external command must be in the configuration.In general, you should try to apply ACLs at the inbound interfaces instead of theoutbound interfaces. If a packet is to be denied, you want to drop the packet as early aspossible, at the inbound interface. Otherwise, the SSR will have to process the packet,determine where the packet should go only to find out that the packet should be droppedat the outbound interface. In some cases, however, it may not be simple or possible for theadministrator to know ahead of time that a packet should be dropped at the inboundinterface. Nonetheless, for performance reasons, whenever possible, you should createand apply an ACL to the inbound interface.To apply an ACL to an interface, enter the following command in Configure mode:Applying ACLs to ServicesACLs can also be created to permit or deny access to system services provided by the SSR;for example, HTTP or Telnet servers. This type of ACL is known as a Service ACL. Bydefinition, a Service ACL is for controlling inbound packets to a service on the router. Forexample, you can grant Telnet server access from a few specific hosts or deny Web serveraccess from a particular subnet. It is true that you can do the same thing with ordinaryACLs and apply them to all interfaces. However, the Service ACL is created specifically tocontrol access to some of the services on the SSR. As a result, only inbound traffic to theSSR is checked. Destination address and port information is ignored; therefore if you aredefining a Service ACL, you do not need to specify destination information.Note: If a service does not have an ACL applied, that service is accessible to everyone.To control access to a service, an ACL must be used.To apply an ACL to a service, enter the following command in Configure mode:Applying ACLs to Layer-4 Bridging PortsACLs can also be created to permit or deny access to one or more ports operating in Layer-4 bridging mode. Traffic that is switched at Layer 2 through the SSR can have ACLsapplied on the Layer 3/4 information contained in the packet. The ACLs that are appliedto Layer-4 Bridging ports are only used with bridged traffic. The ACLs that are applied tothe interface are still used for routed traffic.Apply ACL to an interface. acl apply interface input|output [logging on|off|deny-only|permit-only][policy local|external]Apply ACL to a service. acl apply service [logging [on|off]]