The Switch Does Not Allow Management Access From A Device On The Same Vlan; Error (Invalid Input) When Entering An Ip Address; Apparent Failure To Log All "Deny" Matches - HP Aruba JL253A Management And Configuration Manual

For ArubaOS-Switch 16.08
Indicates that routing is enabled, a requirement for ACL operation. (There is an exception; refer to the Note below.) If you need to configure IP routing, execute the ip routing command.
2. ACL filtering on the switches applies only to routed packets and packets having a destination IP address (DA) on the switch itself. Also, the switch applies assigned ACLs only at the point where traffic enters or leaves the switch on a VLAN. Ensure that you have correctly applied your ACLs ("in" and/or "out") to the appropriate VLANs.

The switch does not allow management access from a device on the same VLAN

The implicit deny any function that the switch automatically applies as the last entry in any ACL always blocks
packets having the same DA as the switch's IP address on the same VLAN. That is, bridged packets with the
switch itself as the destination are blocked as a security measure.
To preempt this action, edit the ACL to include an ACE that permits access to the switch's DA on that VLAN from
the management device.

Error (Invalid input) when entering an IP address

When using the "host" option in the Command syntax, ensure that you are not including a mask in either dotted
decimal or CIDR format. Using the "host" option implies a specific host device and therefore does not permit any
mask entry.
Correctly and incorrectly specifying a single host:

Switch(config)# access-list 6 permit host 10.28.100.100
Switch(config)# access-list 6 permit host 10.28.100.100 255.255.255.255
Invalid input: 255.255.255.255
Switch(config)# access-list 6 permit host 10.28.100.100/32
Invalid input: 10.28.100.100/32

1. First entry: Correct.
2. Second entry: Incorrect. No mask needed to specify a single host.
3. Third entry: Incorrect. No mask needed to specify a single host.

Apparent failure to log all "deny" matches

Where the log statement is included in multiple ACEs configured with a "deny" option, a large volume of "deny"
matches generating logging messages in a short period of time can impact switch performance. If it appears that
the switch is not consistently logging all "deny" matches, try reducing the number of logging actions by removing
the log statement from some ACEs configured with the "deny" action.
NOTE: If an ACL assigned to a VLAN includes an ACE referencing an IP address on the switch
itself as a packet source or destination, the ACE screens traffic to or from this switch address
regardless of whether IP routing is enabled. This is a security measure designed to help protect
the switch from unauthorized management access.
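The three troubleshooting entries above rest on the same ACL behaviours: first-match evaluation that ends in an implicit "deny any", the "host" keyword rejecting any mask, and logging on "deny" ACEs. The Python model below is added here as an illustration and is not part of the guide or of the switch firmware; it assumes a simplified standard-ACL syntax (permit/deny followed by "host <ip>", "<ip>/<prefix>" or "any", with an optional trailing "log") that matches on source address only, and the management station address 10.28.100.100 is a constructed sample value.

```python
import ipaddress

# Added illustration of the ACL behaviours described above; not switch code.
# Supported ACE forms (an assumption for this model): 'permit|deny host <ip>',
# 'permit|deny <ip>/<prefix>', 'permit|deny any', each optionally ending in 'log'.

class InvalidInput(ValueError):
    """Mirrors the switch's 'Invalid input' rejection of a mask after 'host'."""

def parse_ace(text):
    """Parse one ACE into (action, source network, log flag)."""
    tokens = text.split()
    action, log = tokens[0], tokens[-1] == "log"
    args = tokens[1:-1] if log else tokens[1:]
    if action not in ("permit", "deny") or not args:
        raise InvalidInput(text)
    if args[0] == "host":
        # 'host' already means a single device: a dotted-decimal mask (a third
        # token) or a CIDR suffix on the address is rejected, as on the switch.
        if len(args) != 2 or "/" in args[1]:
            raise InvalidInput(args[-1])
        net = ipaddress.ip_network(args[1] + "/32")
    elif args == ["any"]:
        net = ipaddress.ip_network("0.0.0.0/0")
    else:
        net = ipaddress.ip_network(args[0], strict=False)
    return action, net, log

def validate(text):
    """Return 'OK' or the switch-style error message for one ACE."""
    try:
        parse_ace(text)
        return "OK"
    except InvalidInput as err:
        return f"Invalid input: {err}"

def evaluate(acl, src_ip):
    """First-match evaluation; the switch appends an implicit 'deny any'."""
    src = ipaddress.ip_address(src_ip)
    for action, net, _log in acl:
        if src in net:
            return action
    return "deny"  # implicit deny any: also blocks packets addressed to the switch

def management_reachable(ace_texts, mgmt_ip):
    """Does traffic from the management device to the switch's own DA get through?"""
    return evaluate([parse_ace(t) for t in ace_texts], mgmt_ip) == "permit"

def deny_log_count(ace_texts):
    """Number of ACEs that would generate a log message on a 'deny' match."""
    return sum(1 for a, _n, log in map(parse_ace, ace_texts) if a == "deny" and log)

if __name__ == "__main__":
    # Constructed sample: management station 10.28.100.100 on the switch's VLAN
    acl_without = ["permit 10.28.200.0/24", "deny any log"]
    acl_with = ["permit host 10.28.100.100"] + acl_without
    print(management_reachable(acl_without, "10.28.100.100"))  # False
    print(management_reachable(acl_with, "10.28.100.100"))     # True
    print(validate("permit host 10.28.100.100 255.255.255.255"))
```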
Aruba 2930F / 2930M Management and Configuration Guide for ArubaOS-Switch 16.08