Chapter 9: Security Configuration Guide    SSR User Reference Manual    9 - 13

many rules in an ACL. You just have to put all of these rules into one ACL and apply it to an interface.

When a packet comes into a router at an interface where an inbound ACL is applied, the router compares the packet with the rules specified by that ACL. If it is permitted, the packet is allowed into the router. If not, the packet is dropped. If that packet is to be forwarded out of another interface (that is, the packet is to be routed), then a second ACL check is possible. At the output interface, if an outbound ACL is applied, the packet will be compared with the rules specified in this outbound ACL. Consequently, it is possible for a packet to go through two separate checks, once at the inbound interface and once more at the outbound interface.

In general, you should try to apply ACLs at the inbound interfaces instead of the outbound interfaces. If a packet is to be denied, you want to drop the packet as early as possible, at the inbound interface. Otherwise, the router will have to process the packet and determine where the packet should go, only to find out that the packet should be dropped at the outbound interface. In some cases, however, it may not be simple or possible for the administrator to know ahead of time that a packet should be dropped at the inbound interface. Nonetheless, for performance reasons, whenever possible, one should create and apply an ACL to the inbound interface.

Applying ACLs to Services

ACLs can also be created to permit or deny access to system services provided by the router; for example, HTTP server or Telnet server. This type of ACL is known as a Service ACL. By definition, a Service ACL is for controlling inbound packets to a service on the router. For example, you can grant Telnet server access from a few specific hosts or deny Web server access from a particular subnet. It is true that one can do the same thing with ordinary ACLs and apply them to all interfaces. However, the Service ACL is created specifically to control access to some of the services on the router. As a result, the syntax of a Service ACL is much simpler than that of the ordinary ACL.

Note: If a service does not have an ACL applied, then that service is accessible to everyone. To control access to a service, an ACL must be used.

ACL Logging

To see whether incoming packets are permitted or denied because of an ACL, one can enable ACL Logging when applying the ACL. When ACL Logging is turned on, the router prints out a message on the console about whether a packet is forwarded or dropped. If you have a Syslog server configured for the SSR, then the same information will also be sent to the Syslog server.
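The following is an added example, not code from the SSR manual: a small Python model of the processing described above, showing the two-stage inbound/outbound check, why an inbound deny is cheaper than an outbound one, the "no ACL means open to everyone" rule for services, and the per-check log line that ACL Logging would print. Interface names, rule format, and the implicit deny for an applied ACL that matches nothing are assumptions of this model.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the ACL processing described above (added example, not SSR code).
# An ACL is an ordered list of (action, source_network, destination_network) rules and
# the first matching rule wins. Assumption: an applied ACL that matches nothing denies.

def acl_lookup(acl, src, dst):
    """Return the action of the first rule matching src/dst, or 'deny' if none match."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action
    return "deny"

def forward_packet(inbound, outbound, routes, in_if, src, dst, log):
    """Inbound ACL on in_if, then routing over (network, interface) routes, then the
    outbound ACL on the egress interface. Returns ('dropped', stage) or ('forwarded', out_if)
    and appends one log line per ACL check, as ACL Logging would print on the console."""
    if in_if in inbound:                        # first check: at the inbound interface
        verdict = acl_lookup(inbound[in_if], src, dst)
        log.append(f"ACL {in_if} inbound {src}->{dst}: {verdict}")
        if verdict == "deny":
            return ("dropped", "inbound")       # dropped early, before any routing work
    out_if = next((i for n, i in routes if ip_address(dst) in ip_network(n)), None)
    if out_if is None:
        return ("dropped", "no-route")
    if out_if in outbound:                      # second check: at the outbound interface
        verdict = acl_lookup(outbound[out_if], src, dst)
        log.append(f"ACL {out_if} outbound {src}->{dst}: {verdict}")
        if verdict == "deny":
            return ("dropped", "outbound")      # routed first, then dropped: wasted work
    return ("forwarded", out_if)

def service_access(service_acls, service, src):
    """Service ACL check; rules are just (action, source_network). A service with no
    ACL applied is reachable by everyone, which is the Note above."""
    if service not in service_acls:
        return "permit"
    s = ip_address(src)
    for action, src_net in service_acls[service]:
        if s in ip_network(src_net):
            return action
    return "deny"

# Constructed sample configuration (interface names are hypothetical).
INBOUND = {"et.1.1": [("deny", "10.1.1.0/24", "0.0.0.0/0"), ("permit", "0.0.0.0/0", "0.0.0.0/0")]}
OUTBOUND = {"et.1.2": [("deny", "10.1.2.0/24", "192.168.2.0/24"), ("permit", "0.0.0.0/0", "0.0.0.0/0")]}
ROUTES = [("192.168.2.0/24", "et.1.2"), ("0.0.0.0/0", "et.1.3")]
SERVICE_ACLS = {"http": [("permit", "10.1.0.0/16")]}
```

A packet from 10.1.2.0/24 toward 192.168.2.0/24 is permitted inbound, routed, and only then dropped by the outbound ACL, which is the wasted work the text warns about; moving that deny to the inbound ACL on et.1.1 drops it at the first check.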