diff --git a/roles/helper/pci/tasks/query.yml b/roles/helper/pci/tasks/query.yml
index 83be18b..7ca7d52 100644
--- a/roles/helper/pci/tasks/query.yml
+++ b/roles/helper/pci/tasks/query.yml
@@ -141,3 +141,49 @@
 {%- endif -%}
 {%- endfor -%}
 {{- output -}}
+
+- when:
+ - pci_forbidden_addresses is undefined
+ - _default is defined
+ - _interfaces | count > 0
+ vars:
+ _facts: >-
+ {{ ansible_facts }}
+ _default: >-
+ {{ _facts.default_ipv4.interface }}
+ # NOTE: It also handles nested bridge/bond interfaces..
+ _interfaces: >-
+ {%- set output = [] -%}
+ {%- for v in _facts[_default].interfaces | d(_facts[_default].slaves) | d([_facts[_default].device | d(omit)]) -%}
+ {{- output.append(_facts[v].slaves | d([_facts[v].device | d(omit)])) -}}
+ {%- endfor -%}
+ {{- output | flatten -}}
+ block:
+ - name: Query udev for device info
+ ansible.builtin.command:
+ cmd: "udevadm info --query=property --property=ID_PATH --value {{ _paths | join(' ') }}"
+ vars:
+ _paths: >-
+ {{ _interfaces | map('regex_replace', '^(.*)$', "-p '/sys/class/net/\g<1>'") }}
+ register: command_udevadm_info
+ changed_when: false
+
+ - name: Gather forbidden PCI addresses
+ ansible.builtin.set_fact:
+ pci_forbidden_addresses: >-
+ {{ command_udevadm_info.stdout_lines | select
+ | map('regex_replace', '^pci-', '') }}
+
+- name: Assert 'lspci_devices' contains no forbidden PCI addresses
+ ansible.builtin.assert:
+ that: (pci_forbidden_addresses is undefined)
+ or
+ (pci_forbidden_addresses | count == 0)
+ or
+ (_detected | count == 0)
+ fail_msg: >-
+ Forbidden PCI addresses {{ _detected }} detected, aborting!
+ Please adjust 'pci_devices' to exclude forbidden PCI addresses.
+ vars:
+ _detected: >-
+ {{ lspci_devices | map(attribute='Slot') | intersect(pci_forbidden_addresses) }}
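Review bot: The new assert passes whenever `pci_forbidden_addresses is undefined`, which is exactly the state left behind when the detection block above it is skipped (its `when` needs `_default is defined` and `_interfaces | count > 0`), so a host whose facts lack `default_ipv4.interface` gets no check and no message. For a guard whose purpose is to abort, failing open silently is the risky direction. Consider dropping the first alternative so `that:` begins at `(pci_forbidden_addresses | count == 0)` and letting operators opt out explicitly with `pci_forbidden_addresses: []`, or add a task that reports when detection was skipped. The `intersect` also relies on the `ID_PATH` value minus `pci-` being the same string as the `Slot` attribute of `lspci_devices`, which is built outside this hunk; an `ID_PATH` carrying a trailing suffix or a different domain prefix would presumably never match and would pass as well, so a comment stating the expected address format above the assert would help. In the udevadm task, passing the paths through `argv:` would avoid hand-quoting interface names inside the `cmd:` string.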