Chapter 9: Security Configuration Guide
SSR User Reference Manual

Although the implicit deny rule seems obvious in the above example, this is not always the case. For example, consider the following ACL rule:

    acl 102 deny ip 10.1.20.0/24 any any any

If a packet comes in from a network other than 10.1.20.0/24, one might expect the packet to go through because it doesn't match the first rule. However, that is not the case because of the implicit deny rule. With the implicit deny rule attached, the rule looks like this:

    acl 102 deny ip 10.1.20.0/24 any any any
    acl 102 deny any any any any any

A packet coming from a network other than 10.1.20.0/24 will not match the first rule, but will match the implicit deny rule. As a result, no packets will be allowed to go through. Rule 1 is simply a subset of Rule 2. To allow packets from subnets other than 10.1.20.0/24 to go through, the administrator must explicitly define a rule to permit other packets to go through.

To fix the above example and let packets from other subnets enter the router, one must add a new rule to permit packets to go through:

    acl 101 deny ip 10.1.20.0/24 any any any
    acl 101 permit ip
    acl 101 deny any any any any any

The second rule will forward all packets that are not denied by the first rule.

Due to the nature of the implicit deny rule, when creating an ACL, one should take the approach where the firewall is set up to deny all traffic. "Holes" are then punched into the firewall to permit specific types of traffic, for example, traffic from a specific subnet or traffic from a specific application.

Applying ACLs to Interfaces

Defining an ACL specifies what sort of traffic to permit or deny. However, an ACL has no effect unless it is applied to an interface. An ACL can be applied to examine either inbound or outbound traffic. Inbound traffic is traffic coming into the router; outbound traffic is traffic going out of the router. For each interface, only one ACL can be applied for the same protocol in the same direction. For example, you cannot apply two or more IP ACLs to the same interface in the inbound direction. You can apply two ACLs to the same interface if one is for inbound traffic and one is for outbound traffic, but not in the same direction. However, this restriction does not prevent you from specifying
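The first-match evaluation with the implicit deny described above, as an added example that is not part of the manual: the evaluator assumes the rule field layout acl <id> <permit|deny> <protocol> <source> <destination> <source port> <destination port>, treats omitted trailing fields as any, and uses constructed sample packets to show that ACL 102 denies everything while ACL 101 permits traffic from other subnets.

```python
"""First-match ACL evaluation with an implicit trailing deny (added
example, not from the SSR manual). Assumed rule layout:
  acl <id> <permit|deny> <proto> <src> <dst> <sport> <dport>
Omitted trailing fields mean 'any'; 'ip' matches every IP protocol."""
import ipaddress
from typing import Dict, List, Tuple

Packet = Tuple[str, str, str, int, int]  # proto, src, dst, sport, dport

ACL_102 = ["acl 102 deny ip 10.1.20.0/24 any any any"]
ACL_101 = ["acl 101 deny ip 10.1.20.0/24 any any any",
           "acl 101 permit ip",
           "acl 101 deny any any any any any"]
OUTSIDE: Packet = ("tcp", "192.168.5.7", "10.0.0.1", 40000, 80)  # constructed
INSIDE: Packet = ("tcp", "10.1.20.9", "10.0.0.1", 40000, 80)  # constructed


def parse_rule(line: str) -> Dict[str, str]:
    parts = line.split()
    if len(parts) < 4 or parts[0] != "acl":
        raise ValueError(f"malformed rule: {line!r}")
    fields = parts[3:] + ["any"] * (8 - len(parts))  # pad with 'any'
    rule = dict(zip(("proto", "src", "dst", "sport", "dport"), fields))
    rule["id"], rule["action"] = parts[1], parts[2]
    return rule


def matches(rule: Dict[str, str], pkt: Packet) -> bool:
    proto, src, dst, sport, dport = pkt
    if rule["proto"] not in ("any", "ip", proto):
        return False
    for want, addr in ((rule["src"], src), (rule["dst"], dst)):
        if want != "any" and ipaddress.ip_address(addr) not in \
                ipaddress.ip_network(want, strict=False):
            return False
    for want, port in ((rule["sport"], sport), (rule["dport"], dport)):
        if want != "any" and int(want) != port:
            return False
    return True


def evaluate(rules: List[str], pkt: Packet) -> str:
    """Action of the first matching rule; the router's implicit
    'deny any any any any any' is appended so nothing falls through."""
    acl_id = rules[0].split()[1]
    for line in rules + [f"acl {acl_id} deny any any any any any"]:
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule["action"]
    return "deny"  # unreachable: the implicit rule matches everything
```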