I've just applied an ACL to a VLAN interface across 3 switches and have observed some very strange behaviour.
The ACL I've applied is:
access-list 101 permit ip 192.168.1.0 0.0.0.7 192.168.1.0 0.0.0.7
Effectively I'm just trying to restrict communication between these 3 switches on 192.168.1.1, .2, .3 and 2 routers on the .4 & .5 addresses.
As soon as I apply this ACL to the VLAN interface (inbound):
interface vlan 101
ip access-group 101 in
Traffic bound for these addresses on .1 and .3 stops working (as expected) but miraculously traffic bound for the .2 address continues to pass!
I've modified the list on the .2 address to this:
access-list 101 permit ip 192.168.1.0 0.0.0.7 192.168.1.0 0.0.0.7 log
access-list 101 deny ip any any log
...to attempt to understand better what is going on. I can see the hit count incrementing on the first entry when I ping from another 192.168.1.x address, so this indicates to me that the ACL is in fact being hit, but the deny any any statement is not being hit and traffic from any other address is still being allowed through.
The only difference between the 3 switches that I have applied this list to is that 192.168.1.1 and .3 both have physical interfaces assigned to VLAN 101, whereas 192.168.1.2 does not.
Does anyone know what might be causing this behaviour?
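An added example (mine, not part of the question above) that models the posted ACL 101 the way IOS evaluates an access list: wildcard-mask matching, first match wins, and an implicit deny with no hit counter at the end. It lets you check which addresses the permit entry actually covers and what the hit counters should show for a given ping; the packets fed to it are constructed.

```python
import ipaddress

# Constructed model of the poster's ACL 101 as extended on the .2 switch:
# (action, src_net, src_wildcard, dst_net, dst_wildcard, log).
ACL_101 = [
    ("permit", "192.168.1.0", "0.0.0.7", "192.168.1.0", "0.0.0.7", True),
    ("deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", True),
]


def wildcard_match(addr, net, wildcard):
    """IOS wildcard semantics: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def covered_hosts(net, wildcard):
    """Enumerate every address matched by net/wildcard (meant for small wildcards)."""
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    free_bits = [1 << i for i in range(32) if (w >> i) & 1]
    hosts = []
    for combo in range(1 << len(free_bits)):
        value = n & ~w
        for j, bit in enumerate(free_bits):
            if (combo >> j) & 1:
                value |= bit
        hosts.append(str(ipaddress.IPv4Address(value)))
    return hosts


def evaluate(acl, src, dst, hits):
    """First matching entry wins and bumps its hit counter; no match is the implicit deny."""
    for idx, (action, snet, swc, dnet, dwc, _log) in enumerate(acl):
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            hits[idx] = hits.get(idx, 0) + 1
            return action, idx
    return "deny", None


if __name__ == "__main__":
    print("permit entry covers:", covered_hosts("192.168.1.0", "0.0.0.7"))
    counters = {}
    # Constructed pings: one from inside the /29, one from elsewhere in 192.168.1.x.
    for src in ("192.168.1.5", "192.168.1.100"):
        print(src, "->", "192.168.1.2", evaluate(ACL_101, src, "192.168.1.2", counters))
    print("hit counters:", counters)
```

The model only reproduces the matching logic of the list itself, not where a given switch applies an SVI access-group, so it shows what the counters should look like rather than why the .2 switch differs.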