ACLs are properly configured and assigned to VLANs, but the switch is not using the ACLs to filter IP layer 3 packets

  1. The switch may be running with IP routing disabled. To ensure that IP routing is enabled, execute show running and look for the ip routing statement in the resulting listing. For example:

    Indication that routing is enabled:

    switch(config)# show running
    Running configuration:
    ; J9091A Configuration Editor; Created on release #XX.15.06
    hostname "Switch"
    ip default-gateway
    ip routing                                     <-- (1)
    snmp-server community "public" Unrestricted
    ip access-list extended "Controls for VLAN 20"
    permit tcp eq 80
    permit tcp eq 80
    deny tcp eq 80
    deny tcp eq 20 log
    deny tcp eq 20 log
    deny tcp eq 20 log
    permit ip
    deny ip
    permit ip

    (1) Indicates that routing is enabled, a requirement for ACL operation. (There is an exception; refer to the Note below.)


    Note: If an ACL assigned to a VLAN includes an ACE referencing an IP address on the switch itself as a packet source or destination, the ACE screens traffic to or from this switch address regardless of whether IP routing is enabled. This is a security measure designed to help protect the switch from unauthorized management access.

    If you need to configure IP routing, execute the ip routing command.

  2. ACL filtering on the switches applies only to routed packets and to packets whose destination IP address (DA) is an address on the switch itself.

    Also, the switch applies assigned ACLs only at the point where traffic enters or leaves the switch on a VLAN. Ensure that you have applied your ACLs in the correct direction ("in", "out", or both) on the appropriate VLANs; an ACL that is defined but not assigned to a VLAN filters nothing.
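The two checks above (routing enabled, ACLs actually assigned to VLANs), as an added audit script that is not part of the switch documentation: it parses a saved running-config listing and reports whether an ip routing statement is present, which ACLs are applied to which VLANs and in which direction, and any ACL that is defined but never assigned or assigned but never defined. The sample configuration is constructed, and the VLAN-context syntax `ip access-group "<name>" in|out` is an assumption about the platform.

```python
import re

# Constructed ProCurve-style running-config (sample input, not from the page):
# "ip routing" is deliberately absent, "Unused ACL" is never applied, and
# VLAN 30 references an ACL that is never defined (assumed VLAN syntax).
SAMPLE_CONFIG = """\
hostname "Switch"
ip access-list extended "Controls for VLAN 20"
   permit tcp 10.0.20.0 0.0.0.255 any eq 80
   deny ip any any
   exit
ip access-list extended "Unused ACL"
   permit ip any any
   exit
vlan 20
   ip access-group "Controls for VLAN 20" in
   exit
vlan 30
   ip access-group "Missing ACL" out
   exit
"""

ACL_DEF = re.compile(r'^ip access-list (?:standard|extended) "([^"]+)"')
VLAN_CTX = re.compile(r"^vlan (\d+)$")
ACL_ASSIGN = re.compile(r'^ip access-group "([^"]+)" (in|out)$')


def audit_acl_config(config_text):
    """Report on the two conditions above: routing enabled, ACLs applied."""
    routing_enabled = False
    defined, assigned, current_vlan = set(), {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "ip routing":
            routing_enabled = True
        elif m := ACL_DEF.match(line):
            defined.add(m.group(1))
        elif m := VLAN_CTX.match(line):
            current_vlan = int(m.group(1))
        elif line == "exit":                  # leaves ACL or VLAN context
            current_vlan = None
        elif (m := ACL_ASSIGN.match(line)) and current_vlan is not None:
            assigned.setdefault(current_vlan, []).append((m.group(1), m.group(2)))
    referenced = {name for pairs in assigned.values() for name, _ in pairs}
    return {
        "routing_enabled": routing_enabled,        # False for SAMPLE_CONFIG
        "assignments": assigned,                   # {vlan: [(acl, direction)]}
        "defined_but_unassigned": sorted(defined - referenced),
        "assigned_but_undefined": sorted(referenced - defined),
    }
```

Run it against the output of show running saved to a file; a False routing_enabled or a non-empty defined_but_unassigned list points straight at the two causes this entry describes.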