This chapter showed you how to configure standard and extended ACLs on your router. As I have shown you throughout the chapter, ACLs, especially extended ACLs, are a very powerful tool for filtering undesirable traffic and detecting attacks. Remember, though, that extended ACLs have limitations: They cannot filter all kinds of traffic (such as P2P or IM connections, in some instances), nor are they a good solution for stateful filtering. However, you can always combine standard and extended ACLs with other solutions that I discuss in this book to create a robust, flexible, and secure firewall system.

Next up is Part IV, "Stateful and Advanced Filtering Technologies," which shows you how to protect the router itself by using stateful filtering features such as reflexive ACLs and CBAC ACLs. This next part also teaches you how to filter web traffic.

One last tip for this chapter: I typically use specific deny statements in an ACL even though the implicit deny would drop this traffic anyway. I do this so that I can see the number of matches on ACL statements with the show access-lists command. This gives me a quick view of whether certain kinds of attacks are occurring without having to create logging information, which can be a burden to the router. By comparing day-to-day numbers, I should have a good idea of what level of matches is considered normal. If I see a huge difference in matches from one day to the next, something is probably not right. If I think that I am under a specific kind of attack, or if an internal user has found a hole in my perimeter/firewall router to get around IM and P2P filtering, I add the log or log-input parameters to the ACL statement where I am getting a lot of matches. This gives me some more information about the type of attack or access.

Of course, having a good IDS is a must for detecting and preventing attacks, but using the method I just described, you can create a "poor man's IDS" with ACLs.
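The day-to-day comparison of match counters described above, as an added example that is not part of the original chapter: a small script that parses two saved captures of show access-lists (constructed sample output, not real router data), computes how many new matches each entry picked up since the previous capture, and flags the entries whose growth is out of line with their history, which are the ones where you would add log or log-input next. The threshold values and the ACL contents are assumptions for the illustration.

```python
import re

# Constructed "show access-lists" captures from two consecutive days (not real
# router output). Day 2 shows a jump on the explicit deny for TCP/5190 (seq 30).
DAY1 = """\
Extended IP access list 100
    10 permit tcp any host 192.0.2.10 eq www (42311 matches)
    20 deny tcp any any eq 6346 (17 matches)
    30 deny tcp any any eq 5190 (3 matches)
    40 deny ip any any (5 matches)
"""
DAY2 = """\
Extended IP access list 100
    10 permit tcp any host 192.0.2.10 eq www (43002 matches)
    20 deny tcp any any eq 6346 (19 matches)
    30 deny tcp any any eq 5190 (2260 matches)
    40 deny ip any any (6 matches)
"""

ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")
ACE_LINE = re.compile(r"^\s+(\d+)\s+(.*?)(?:\s+\((\d+) matches?\))?\s*$")

def parse_counters(text):
    """Map (acl_name, seq) -> (ace_text, matches). IOS omits the '(n matches)'
    suffix on entries that never matched, so those count as 0."""
    counters, acl = {}, None
    for line in text.splitlines():
        hdr = ACL_HEADER.match(line)
        if hdr:
            acl = hdr.group(1)
            continue
        ace = ACE_LINE.match(line)
        if ace and acl is not None:
            counters[(acl, int(ace.group(1)))] = (ace.group(2), int(ace.group(3) or 0))
    return counters

def flag_anomalies(prev, cur, min_delta=100, factor=10):
    """Return ACEs whose new matches since the previous capture exceed both
    min_delta and factor x everything seen before (the 'huge difference' test).
    Counters only grow unless 'clear access-list counters' was run; a drop is
    treated as a reset, so the current value is the whole delta."""
    flagged = []
    for key, (ace, now) in sorted(cur.items()):
        before = prev.get(key, (ace, 0))[1]
        delta = now - before if now >= before else now
        if delta >= min_delta and delta > factor * before:
            flagged.append((key[0], key[1], ace, delta))
    return flagged

if __name__ == "__main__":
    for acl, seq, ace, delta in flag_anomalies(parse_counters(DAY1), parse_counters(DAY2)):
        print(f"ACL {acl} seq {seq}: +{delta} matches on '{ace}' - consider adding log-input")
```

Feed it two captures saved a day apart; because it works on the deltas rather than the raw totals, a busy permit line with a large but steady count is not reported, while a normally quiet deny line that suddenly fills up is.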