Infrastructure Access-List

This topic is to discuss the following lesson:


There is a typo:
"R1(config-ext-nacl)#deny ip any
Let me explain these statements: /4 is the multicast range." (I think it should be instead)

Hello sales2161

Yes you are correct, I’ll let Rene know.




Is this scenario relevant in the real world? In our production network, all our routers sit behind Fortigate firewalls.

Hello Walter

The idea of an infrastructure access list is more of a concept than an actual implementation strategy. The idea is to ensure that there are some fundamental best practices that should be enabled at the edge of your network, to protect and secure it. Now at the very least, if you simply have a router, you must employ these as simple access lists on that router, ensuring that you are blocking the appropriate ICMP packets, private addresses, and fragments, to name a few.

Now if you have a firewall or some sort of security appliance on the edge of the network, in most cases, these restrictions are already in place thanks to the default settings on the firewall. If not, then these restrictions should be configured on the security device at the edge of your network.

The concept is described here simply as a minimum security precaution that should be ensured on any network edge device.

I hope this has been helpful!
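As an added example (not code from the lesson or from Laz's reply), here is what those minimum precautions look like as a single inbound extended ACL on a Cisco IOS edge router. The addresses are assumptions: 192.0.2.0/24 stands in for the provider's infrastructure block (router loopbacks and link addresses), and 203.0.113.1/203.0.113.2 for the local router and its eBGP peer; both are documentation ranges, so they must be replaced with real values before use.

```cisco
ip access-list extended INFRASTRUCTURE-ACL
 ! Spoofed sources that should never arrive from the outside:
 ! RFC 1918 private space, loopback, and the multicast range (224.0.0.0/4)
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 ! Non-initial fragments aimed at the infrastructure block (assumed 192.0.2.0/24)
 deny tcp any 192.0.2.0 0.0.0.255 fragments
 deny udp any 192.0.2.0 0.0.0.255 fragments
 deny icmp any 192.0.2.0 0.0.0.255 fragments
 deny ip any 192.0.2.0 0.0.0.255 fragments
 ! Only the ICMP types needed for path MTU discovery and troubleshooting
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 permit icmp any 192.0.2.0 0.0.0.255 ttl-exceeded
 ! eBGP from the known peer (assumed 203.0.113.2) to this router (assumed 203.0.113.1)
 permit tcp host 203.0.113.2 host 203.0.113.1 eq bgp
 permit tcp host 203.0.113.2 eq bgp host 203.0.113.1
 ! Anything else addressed to the infrastructure itself is dropped
 deny ip any 192.0.2.0 0.0.0.255
 ! Transit traffic to customer networks is left alone; this ACL protects the routers, not the customers
 permit ip any any
!
interface GigabitEthernet0/0
 description Uplink to ISP
 ip access-group INFRASTRUCTURE-ACL in
```

Order matters because IOS evaluates ACEs top to bottom and stops at the first match: the fragment denies sit above the ICMP and BGP permits so that a non-initial fragment cannot slip through on a permit that only inspects the first fragment's Layer 4 header. After applying it, `show ip access-lists INFRASTRUCTURE-ACL` shows per-ACE hit counters, which is the quickest way to confirm the spoofed-source and fragment entries are actually matching traffic at the edge.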


Hi Laz,

Thanks, that helped a lot.

