HP ProCurve Management And Configuration Manual page 594

Troubleshooting
Unusual Network Activity
Note
C-10
Figure C-1. Indication that Routing Is Enabled
If an ACL assigned to a VLAN includes an ACE referencing an IP address on
the switch itself as a packet source or destination, the ACE screens traffic to
or from this switch address regardless of whether IP routing is enabled. This
is a security measure designed to help protect the switch from unauthorized
management access.
If you need to configure IP routing, execute the ip routing command.
2. ACL filtering on the switches covered in this guide applies only to routed
packets and packets having a destination IP address (DA) on the switch
itself. Also, the switch applies assigned ACLs only at the point where
traffic enters or leaves the switch on a VLAN. Ensure that you have
correctly applied your ACLs ("in" and/or "out") to the appropriate
VLAN(s).
The switch does not allow management access from a device on the
same VLAN.
The implicit deny any function that the switch automatically applies as the last
entry in any ACL always blocks packets having the same DA as the switch's
IP address on the same VLAN. That is, bridged packets with the switch itself
as the destination are blocked as a security measure. To preempt this action,
edit the ACL to include an ACE that permits access to the switch's DA on that
VLAN from the management device.
Indicates that routing is enabled; a require­
ment for ACL operation. (There is an
exception. Refer to the Note, below.)