SmartSwitch Router User Reference Manual 263Chapter 17: Access Control List Configuration Guideinterface. Nonetheless, for performance reasons, whenever possible, you should createand apply an ACL to the inbound interface.To apply an ACL to an interface, enter the following command in Configure mode:Applying ACLs to ServicesACLs can also be created to permit or deny access to system services provided by the SSR;for example, HTTP or Telnet servers. This type of ACL is known as a Service ACL. Bydefinition, a Service ACL is for controlling inbound packets to a service on the router. Forexample, you can grant Telnet server access from a few specific hosts or deny Web serveraccess from a particular subnet. It is true that you can do the same thing with ordinaryACLs and apply them to all interfaces. However, the Service ACL is created specifically tocontrol access to some of the services on the SSR. As a result, only inbound traffic to theSSR is checked. Destination address and port information is ignored; therefore if you aredefining a Service ACL, you do not need to specify destination information.Note: If a service does not have an ACL applied, that service is accessible to everyone.To control access to a service, an ACL must be used.To apply an ACL to a service, enter the following command in Configure mode:Using ACLs as ProfilesYou can use the acl command to define a profile. A profile specifies the criteria thataddresses, flows, hosts, or packets must meet to be relevant to certain SSR features. Onceyou have defined an ACL profile, you can use the profile with the configuration commandfor that feature. For example, the Network Address Translation (NAT) feature on the SSRallows you to create address pools for dynamic bindings. You use ACL profiles torepresent the appropriate pools of IP addresses.Apply ACL to an interface. acl apply interface input|output [logging on|off|deny-only|permit-only][policy local|external]Apply ACL to a service. acl apply service [logging [on|off]]