If you have bought an L3 MPLS VPN service you shouldn't receive unwanted traffic on the WAN MPLS unless the service provider makes mistakes and adds some other company's site to your VPN, or there is some worm/virus that has taken control of some PCs at remote sites.
These ACLs look like anti-spoofing ACLs: you should accept on the serial links only the expected source addresses,
the IP addresses of the subnets of your remote site(s).
This makes it possible to block infected PCs that are using spoofed addresses outside your address block from reaching the internet or your intranet, and it is seen as good practice.
I am not sure of the requirements for this scenario. Hoping to help, I will write down my thoughts on this so far. As far as I know:
1) The term "infrastructure" ACLs is typically used to refer to ACLs intended to protect your networking infrastructure in particular (e.g. make sure that someone from the internet cannot connect to your CE device or some other of your network devices). "Infrastructure" typically does not include end user PCs. Also, keep in mind that a direct connection to your network device does not have to happen for someone to perform a DoS attack towards it (all that is needed is the capability to somehow use a destination IP address to send packets directly to the device from the internet, so the device IPs should be protected in advance. Post-measures are typically too late, while putting those ACLs in place is not too difficult).
2) L3 MPLS VPNs as a specification do not have an inherent security vulnerability. However, overall "security" depends more on the implementation of the specification and the configuration rather than the specification itself. Since you opened your VPN to the internet, it is good practice to cover your back with additional measures, such as infrastructure ACLs (if one part of the security chain breaks, there still exist other mechanisms to prevent a total break-in).
3) The same point mentioned in 2) holds for the firewall argument as well. Infrastructure ACLs are a good thing to have in place.
4) I think protecting the branches from the cloud might include protecting those from the internet (since branches connect to main and main connects to the internet). I think the protection from the internet is the most important issue (but it can include both directions of traffic to eliminate any possibilities).
p.s. For more on infrastructure ACLs, you can have a look at the following document:
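As an added illustration of both replies above (a constructed example in Cisco IOS syntax, not written by either poster and not the document referenced in the p.s.), here are the two ACL types they describe: an anti-spoofing ACL on the branch serial link and an infrastructure ACL on the internet uplink. The addresses, interface names and the eBGP peer are assumptions chosen for the example.

```cisco
! Constructed example addressing (not from the thread):
!   branch LAN behind the serial link:  10.20.0.0/16
!   CE internet-facing interface:       192.0.2.1/30 (ISP peer 192.0.2.2)
!   CE management loopback:             10.255.0.1/32
!
! 1) Anti-spoofing ACL, applied inbound on the serial link from the branch.
!    Only the branch's own subnet is a legitimate source (0.0.255.255 is the
!    wildcard mask for /16). Anything else is a misdelivered site or a host
!    spoofing its address, so it is logged and dropped.
ip access-list extended BRANCH-ANTISPOOF-IN
 remark Accept only sources inside the branch address block
 permit ip 10.20.0.0 0.0.255.255 any
 remark Everything else is spoofed or misrouted; log for investigation
 deny   ip any any log
!
! 2) Infrastructure ACL, applied inbound on the internet uplink at the main
!    site. Packets addressed TO the router itself are dropped before they can
!    load its control plane; transit traffic is left to the firewall behind it.
ip access-list extended INFRA-PROTECT-IN
 remark Only if eBGP with the ISP peer is used; otherwise omit both lines
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 remark Drop anything else aimed at the CE's own addresses
 deny   ip any host 192.0.2.1 log
 deny   ip any host 10.255.0.1 log
 remark Drop packets from the internet claiming our own (private) address space
 deny   ip 10.0.0.0 0.255.255.255 any log
 remark Transit traffic passes; the firewall does the rest
 permit ip any any
!
interface Serial0/0/0
 description MPLS VPN link towards branch
 ip access-group BRANCH-ANTISPOOF-IN in
!
interface GigabitEthernet0/1
 description Internet uplink
 ip access-group INFRA-PROTECT-IN in
```

The `log` keyword gives you the hit counts and source addresses needed to spot an infected host or a provisioning mistake; on a busy link, rate-limit ACL logging so the logging itself cannot load the router.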