I am scratching my head about how to secure our management network (i.e. the one with our switches on it). We want to route all traffic via the management firewall, not through the 3560. Since the central routing 3560 has an IP on the management network, I assume that we need an ACL to prevent other switch traffic routing into the VLAN.
We have done this and it seems to work, but I am confused by the ACL direction. At present (with it working, I think) we are using an inbound ACL (see attachment). Is this correct? Why isn't it outbound from the switch into the VLAN?
Also, is there a better way of isolating the management VLAN? Ideally, I would be happier if the management subnet did not even appear in the routing table for the central switch.
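As an added illustration (constructed here, not the poster's attachment), a Cisco IOS fragment showing what each ACL direction on an SVI actually filters; the VLAN number, addresses and ACL names are assumptions:

```cisco
! Constructed example: management VLAN 10 = 10.10.10.0/24,
! 3560 SVI = 10.10.10.1, management firewall = 10.10.10.254.
! Goal: the 3560 must neither route management hosts out of the VLAN
! nor route other VLANs into it; the firewall is the only path in or out.
!
ip access-list extended MGMT-VLAN-IN
 ! "in" on an SVI matches packets arriving FROM VLAN 10 at the switch's
 ! routing engine, i.e. traffic a management host is asking the 3560 to forward.
 ! Allow hosts to reach the SVI itself (SSH/SNMP to the switch)...
 permit ip 10.10.10.0 0.0.0.255 host 10.10.10.1
 ! ...and drop anything else that would otherwise be routed off the VLAN.
 deny   ip any any
!
ip access-list extended MGMT-VLAN-OUT
 ! "out" matches packets the 3560 is about to forward INTO VLAN 10 from
 ! other VLANs; this is the direction that blocks outside hosts reaching
 ! the switches. Note: traffic sourced by the 3560 itself is not subject
 ! to an outbound ACL on its own SVI.
 deny   ip any 10.10.10.0 0.0.0.255
!
interface Vlan10
 description Management VLAN (isolated)
 ip address 10.10.10.1 255.255.255.0
 ip access-group MGMT-VLAN-IN  in
 ip access-group MGMT-VLAN-OUT out
```

Switch-to-switch traffic within VLAN 10 never hits the SVI, so neither ACL affects it. To keep the management subnet out of the global routing table altogether, the SVI can be placed in its own VRF with `ip vrf forwarding` (VRF-lite, which on the 3560 requires the IP Services feature set).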