ACLs are properly configured and assigned to VLANs, but the switch is not using the ACLs to filter IP layer 3 packets
-
The switch may be running with IP routing disabled. To ensure that IP routing is enabled, execute
show running
and look for the ip routing statement in the resulting listing. For example:

Indication that routing is enabled

switch(config)# show running
Running configuration:
; J9091A Configuration Editor; Created on release #XX.15.06
hostname "Switch"
ip default-gateway 10.33.248.1
ip routing                                          (1)
logging 10.28.227.2
snmp-server community "public" Unrestricted
ip access-list extended "Controls for VLAN 20"
     permit tcp 0.0.0.0 255.255.255.255 10.10.20.98 0.0.0.0 eq 80
     permit tcp 0.0.0.0 255.255.255.255 10.10.20.21 0.0.0.0 eq 80
     deny tcp 0.0.0.0 255.255.255.255 10.10.20.1 0.0.0.255 eq 80
     deny tcp 10.10.20.1? 0.0.0.0 10.10.10.100 0.0.0.0 eq 20 log
     deny tcp 10.10.20.20 0.0.0.0 10.10.10.100 0.0.0.0 eq 20 log
     deny tcp 10.10.20.43 0.0.0.0 10.10.10.100 0.0.0.0 eq 20 log
     permit ip 10.10.20.1 0.0.0.255 10.10.10.100 0.0.0.0
     deny ip 10.10.30.1 0.0.0.255 10.10.10.100 0.0.0.0
     permit ip 10.10.30.1 0.0.0.255 10.10.10.1 0.0.0.255
     exit

(1) Indicates that routing is enabled, a requirement for ACL operation. (There is an exception. Refer to the Note, below.)
NOTE: If an ACL assigned to a VLAN includes an ACE referencing an IP address on the switch itself as a packet source or destination, the ACE screens traffic to or from this switch address regardless of whether IP routing is enabled. This is a security measure designed to help protect the switch from unauthorized management access.
If you need to configure IP routing, execute the
ip routing
command.
-
ACL filtering on the switches applies only to routed packets and packets having a destination IP address (DA) on the switch itself.
Also, the switch applies assigned ACLs only at the point where traffic enters or leaves the switch on a VLAN. Ensure that you have correctly applied your ACLs ("in" and/or "out") to the appropriate VLANs.
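As an added example, not taken from the switch documentation, the following Python script applies this section's checks to a saved "show running" listing: it reports whether the "ip routing" statement is present and which named ACLs are defined but never applied to a VLAN with "in" or "out". The configuration excerpt is constructed, and the 'ip access-group "<name>" in|out' form under a "vlan" context is assumed from the ProCurve CLI rather than shown on this page.

```python
import re

# Constructed running-config excerpt (not captured from a real switch).
# The 'ip access-group "<name>" in|out' lines under 'vlan N' are assumed
# ProCurve syntax for applying an ACL to a VLAN.
SAMPLE_CONFIG = """\
hostname "Switch"
ip default-gateway 10.33.248.1
ip access-list extended "Controls for VLAN 20"
   permit tcp 0.0.0.0 255.255.255.255 10.10.20.98 0.0.0.0 eq 80
   deny ip 10.10.30.1 0.0.0.255 10.10.10.100 0.0.0.0
   exit
ip access-list extended "Controls for VLAN 30"
   permit ip 10.10.30.1 0.0.0.255 10.10.10.1 0.0.0.255
   exit
vlan 20
   ip address 10.10.20.1 255.255.255.0
   ip access-group "Controls for VLAN 20" in
   exit
vlan 30
   ip address 10.10.30.1 255.255.255.0
   exit
"""

ACL_DEF = re.compile(r'^ip access-list (?:extended|standard) "([^"]+)"')
VLAN_HDR = re.compile(r'^vlan (\d+)$')
ACL_APPLY = re.compile(r'^ip access-group "([^"]+)" (in|out)$')

def audit_acls(config):
    """Check the three conditions this section describes: ip routing enabled,
    ACLs defined, and each ACL actually applied to some VLAN in/out."""
    routing = False
    defined = set()
    applied = {}   # ACL name -> list of (vlan id, direction)
    vlan = None    # current 'vlan N' context, if any
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip routing":
            routing = True
        elif m := ACL_DEF.match(line):
            defined.add(m.group(1))
        elif m := VLAN_HDR.match(line):
            vlan = m.group(1)
        elif (m := ACL_APPLY.match(line)) and vlan is not None:
            applied.setdefault(m.group(1), []).append((vlan, m.group(2)))
        elif line == "exit":
            vlan = None
    return {"ip_routing": routing,
            "unapplied_acls": sorted(defined - set(applied)),
            "applied": applied}
```

On the constructed excerpt the audit reports that ip routing is absent and that "Controls for VLAN 30" is defined but applied to no VLAN, which are exactly the two conditions this section asks you to rule out.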