HP 3500yl Series Access Security Manual page 444


IPv4 Access Control Lists (ACLs)
Overview
10-24

5. Assign the ACLs to the interfaces you want to filter, using the ACL application (static port ACL, VACL, or RACL) appropriate for each assignment. (For RADIUS-assigned ACLs, refer to the Note in the table in step 1 on page 10-23.)
6. If you are using an RACL, ensure that IPv4 routing is enabled on the switch.
7. Test for desired results.

For more details on ACL planning considerations, refer to "Planning an ACL Application" on page 10-29.

Notes on IPv4 Routing

To activate a RACL to screen inbound IPv4 traffic for routing between subnets, assign the RACL to the statically configured VLAN on which the traffic enters the switch. Also, ensure that IPv4 routing is enabled. Similarly, to activate a RACL to screen routed, outbound IPv4 traffic, assign the RACL to the statically configured VLAN on which the traffic exits from the switch. A RACL configured to screen inbound IPv4 traffic with a destination address on the switch itself does not require routing to be enabled. (ACLs do not screen outbound IPv4 traffic generated by the switch itself. Refer to "ACL Screening of IPv4 Traffic Generated by the Switch" on page 10-128.)

Caution Regarding the Use of Source Routing

Source routing is enabled by default on the switch and can be used to override ACLs. For this reason, if you are using ACLs to enhance network security, the recommended action is to use the no ip source-route command to disable source routing on the switch. (If source routing is disabled in the running-config file, the show running command includes "no ip source-route" in the running-config file listing.)
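
The two checks above (routing enabled for RACLs, source routing disabled when ACLs are in use) can be run against saved show running output. The following Python is an added example, not part of the HP manual; the sample configuration is constructed, the function name is hypothetical, and the running-config forms it matches for ACL assignment (ip access-group ... in|out|vlan) and routing (ip routing) are assumptions to verify against your own switch output.

```python
import re

# Constructed sample of saved "show running" output (not taken from the manual).
SAMPLE_RUNNING_CONFIG = """\
hostname "Edge-1"
ip access-list extended "Screen-In"
   10 deny ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255
   20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
vlan 20
   name "Servers"
   ip address 10.0.20.1 255.255.255.0
   ip access-group "Screen-In" in
   exit
"""

# Assumed line forms: 'ip access-group "<name>" in|out|vlan' inside a vlan/interface block.
ACL_APPLIED = re.compile(r'^\s*ip access-group\s+"?([^"\s]+)"?\s+(in|out|vlan)\b')
CONTEXT = re.compile(r'^(vlan|interface)\s+(\S+)')

def audit_running_config(text):
    """Return findings for the routing and source-routing conditions in the manual."""
    lines = text.splitlines()
    stripped = {ln.strip() for ln in lines}
    context, assignments = None, []
    for ln in lines:
        m = CONTEXT.match(ln)
        if m:
            context = (m.group(1), m.group(2))
        elif ln.strip() == "exit":
            context = None
        m = ACL_APPLIED.match(ln)
        if m and context:
            assignments.append((context, m.group(1), m.group(2)))
    findings = []
    if assignments and "no ip source-route" not in stripped:
        findings.append("ACLs assigned but source routing is still enabled (default)")
    # Assumption: direction in/out inside a vlan block denotes a RACL.
    racls = [a for a in assignments if a[0][0] == "vlan" and a[2] in ("in", "out")]
    if racls and "ip routing" not in stripped:
        ids = ", ".join(sorted({a[0][1] for a in racls}))
        findings.append(f"RACL on VLAN {ids} without 'ip routing': routed traffic is not screened")
    return findings
```

An empty list means both conditions hold for the supplied text; a RACL that only screens inbound traffic addressed to the switch itself does not need routing, so treat the second finding as a prompt to confirm intent.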
