Extended ACL: Application Filtering at a Hardened Edge
Build a 5-node edge/DMZ topology. Implement a named extended ACL on the EDGE router to allow only TCP/80, TCP/443, and ICMP echo from the Inside LAN to a DMZ web server, deny all other traffic to that server with logging, and still permit general traffic elsewhere. Apply the ACL inbound on the EDGE inside LAN interface. Harden router SSH management with a standard ACL. Verify with wget, ping, and an intentionally denied SSH attempt that increments the deny log counter.