HP ProCurve 5300xl Series Management Manual page 357

Advanced traffic

6. Assign the ACLs to filter the inbound and/or outbound traffic on static
VLAN interfaces configured on the switch.
7. Enable IP routing on the switch. (Except for an ACL configured to filter
traffic having the switch itself as the destination IP address, IP routing
must be enabled before ACLs will operate.)
8. Test for desired results.

For more details on ACL planning considerations, refer to "Planning an ACL
Application" on page 9-16.

Notes on IP Routing

To activate an ACL to screen inbound traffic for routing between subnets,
assign the ACL to the statically configured VLAN on which the traffic enters
the switch. Also, ensure that IP routing is enabled. Similarly, to activate an
ACL to screen routed, outbound traffic, assign the ACL to the statically
configured VLAN on which the traffic exits from the switch. The only exception
to these rules is for an ACL configured to screen inbound traffic with a
destination IP address on the switch. In this case, an ACL assigned to a VLAN
screens traffic addressed to an IP address on the switch, regardless of whether
IP routing is also enabled. (ACLs do not screen outbound traffic generated by
the switch, itself. Refer to "ACL Screening of Traffic Generated by the Switch"
on page 9-63.)

Caution Regarding the Use of Source Routing

Source routing is enabled by default on the switch and can be used to override
ACLs. For this reason, if you are using ACLs to enhance network security, the
recommended action is to use the no ip source-route command to disable
source routing on the switch. (If source routing is disabled in the
running-config file, the show running command includes "no ip source-route" in
the running-config file listing.)
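The two conditions above can be checked against a saved show running listing. The following audit script is an added example, not part of the HP manual; the sample listing is constructed, and the layout of the VLAN blocks and the quoted ACL name in it are assumptions about the output format.

```python
import re

# Constructed "show running" listing (not from the manual). The quoted ACL
# name and the layout of the VLAN blocks are assumptions about the output.
SAMPLE_RUNNING_CONFIG = """\
hostname "lab-5300xl"
vlan 10
   ip address 10.0.10.1 255.255.255.0
   ip access-group "101" in
   exit
vlan 20
   ip address 10.0.20.1 255.255.255.0
   ip access-group "101" out
   exit
"""

VLAN_LINE = re.compile(r"^vlan\s+(\d+)\b")
ACL_LINE = re.compile(r'^\s*ip access-group\s+"?([\w-]+)"?\s+(in|out)\b')


def audit_running_config(text):
    """Flag ACL assignments weakened by the conditions the page describes."""
    lines = text.splitlines()
    statements = {ln.strip() for ln in lines}
    routing_on = "ip routing" in statements
    source_routing_off = "no ip source-route" in statements

    # Collect (vlan, acl, direction) for every ACL assigned inside a VLAN block.
    assignments, vlan = [], None
    for ln in lines:
        if (m := VLAN_LINE.match(ln)):
            vlan = m.group(1)
        elif ln.strip() == "exit":
            vlan = None
        elif (m := ACL_LINE.match(ln)) and vlan is not None:
            assignments.append((vlan, m.group(1), m.group(2)))

    findings = []
    if assignments and not source_routing_off:
        findings.append("source routing is on (default); add 'no ip source-route'")
    if not routing_on:
        for vlan, acl, direction in assignments:
            # Inbound ACLs still screen traffic addressed to the switch itself.
            effect = ("screens only traffic addressed to the switch"
                      if direction == "in" else "does not operate")
            findings.append(f"vlan {vlan} acl {acl} {direction}: "
                            f"IP routing disabled, ACL {effect}")
    return findings
```
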
Access Control Lists (ACLs) for the Series 5300xl Switches
Overview
9-11
