
Infrastructure ACL

Infrastructure ACLs are an important tool for securing a network infrastructure and protecting against unauthorized access and malicious traffic. They are used to restrict access to network resources, such as servers or applications, to only authorized users and devices. 

Infrastructure ACLs are typically applied in the inbound direction on the device interfaces that connect to external networks. Just like any other ACL, they are used to filter traffic based on a set of predefined rules. 

Once applied, they deny and log all traffic destined for the IP addresses of network infrastructure devices, such as routers and firewalls, as well as other sensitive internal resources. 

Infrastructure ACLs protect the edge and internal devices by denying access to infrastructure IP addresses and control planes

As you can see in the image above, infrastructure ACLs protect the edge and internal devices by denying traffic destined for their own IP addresses and for other internal resources. The remaining transit traffic, however, is permitted and is not filtered by the same ACLs.

In addition, infrastructure ACLs provide some basic anti-spoofing protection, such as denying packets arriving from outside networks whose source address falls in the private IP address ranges or belongs to the local network.

You can implement infrastructure ACLs using the traditional Cisco IOS ACL approach or Flexible Packet Matching (FPM). FPM is a special ACL pattern-matching tool that provides more thorough and customizable packet filtering.
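The following IOS configuration is an added example of the traditional ACL approach described above; it is not taken from the article. It assumes a made-up addressing plan: 203.0.113.0/24 is the infrastructure block (router loopbacks, links, firewalls), 198.51.100.1 is an external neighbor that must still reach the edge router (an eBGP peer on 203.0.113.1), and GigabitEthernet0/0 is the external-facing interface.

```cisco
! Added example, not from the original article. Addresses below are assumed.
ip access-list extended INFRASTRUCTURE-ACL
 remark === anti-spoofing: sources that should never arrive from the outside
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 remark our own infrastructure block appearing as a source is spoofed
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark === sessions to infrastructure that are explicitly required (assumed eBGP peer)
 permit tcp host 198.51.100.1 host 203.0.113.1 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 203.0.113.1
 remark === everything else aimed at infrastructure addresses is denied and logged
 deny   ip any 203.0.113.0 0.0.0.255 log
 remark === transit traffic to servers and customers passes untouched by this ACL
 permit ip any any
!
interface GigabitEthernet0/0
 description Uplink to ISP (external network)
 ip access-group INFRASTRUCTURE-ACL in
```

Order matters: the explicit permits for required sessions must precede the catch-all deny for the infrastructure block, otherwise the eBGP peering is dropped along with the unwanted traffic.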