Infrastructure Access-List

This topic is to discuss the following lesson:


There is a typo:
"R1(config-ext-nacl)#deny ip any
Let me explain these statements: /4 is the multicast range." (I think it should be instead)

Hello sales2161

Yes you are correct, I’ll let Rene know.




Is this scenario relevant in the real world? In our production network, all our routers sit behind FortiGate firewalls.

Hello Walter

The idea of an infrastructure access list is more of a concept than an actual implementation strategy. The idea is to ensure that there are some fundamental best practices that should be enabled at the edge of your network, to protect and secure it. Now at the very least, if you simply have a router, you must employ these as simple access lists on that router, ensuring that you are blocking the appropriate ICMP packets, private addresses, and fragments, to name a few.

Now if you have a firewall or some sort of security appliance on the edge of the network, in most cases, these restrictions are already in place thanks to the default settings on the firewall. If not, then these restrictions should be configured on the security device at the edge of your network.

The concept is described here simply as a minimum security precaution that should be ensured on any network edge device.

I hope this has been helpful!
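As an added example (not from the lesson and not from Laz's post), here is what a minimal infrastructure ACL covering the categories named above might look like on a Cisco IOS edge router. The interface name, the provider peer address (203.0.113.1), the router's own address (203.0.113.2) and the infrastructure block (198.51.100.0/24) are all assumed documentation-range values, not from the page.

```cisco
! Added example: a minimal infrastructure ACL for the Internet-facing interface.
! Addresses below are constructed placeholders from the documentation ranges.
ip access-list extended INFRASTRUCTURE-ACL
 remark --- Drop non-initial fragments before any other matching ---
 deny ip any any fragments
 remark --- Drop packets with spoofed private, loopback or multicast sources ---
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 remark --- Allow only the ICMP types needed for path MTU and troubleshooting ---
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny icmp any any
 remark --- Allow the eBGP session from the assumed provider peer to this router ---
 permit tcp host 203.0.113.1 host 203.0.113.2 eq bgp
 permit tcp host 203.0.113.1 eq bgp host 203.0.113.2
 remark --- Nothing else from outside may reach the assumed infrastructure block ---
 deny ip any 198.51.100.0 0.0.0.255
 remark --- Transit traffic to the internal network is left to the firewall ---
 permit ip any any
!
interface GigabitEthernet0/0
 description Assumed Internet-facing uplink
 ip access-group INFRASTRUCTURE-ACL in
```

The ordering matters: the `fragments` line goes first so that non-initial fragments cannot slip past the later entries that match on Layer 4 ports, and the `deny ip any <infrastructure block>` entry sits after the explicit permits for the router's own management-plane sessions (here only eBGP). `show ip access-lists INFRASTRUCTURE-ACL` then shows per-entry hit counters, which is a quick way to confirm the spoofed-source entries are actually seeing traffic.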


Hi Laz,

Thanks, that helped a lot.



Laz!! Does Cisco share a guide with best practices on how to implement ACLs in this kind of scenario? Very interesting lesson, guys!

Hello Carlos

Yes, Cisco does have documentation that describes general guidelines and best practices in this regard. The following document describes many of these best practices:

I hope this has been helpful!