Management and Configuration Guide K/KA/KB.15.15

The switch does not allow management access from a device on the same VLAN
The implicit deny any function that the switch automatically applies as the last entry in any ACL
always blocks packets having the same DA as the switch's IP address on the same VLAN. That is,
bridged packets with the switch itself as the destination are blocked as a security measure.
To preempt this action, edit the ACL to include an ACE that permits access to the switch's DA on
that VLAN from the management device.

Error (Invalid input) when entering an IP address
When using the "host" option in the command syntax, ensure that you are not including a mask
in either dotted decimal or CIDR format. Using the "host" option implies a specific host device and
therefore does not permit any mask entry.

Figure 195 Examples of correctly and incorrectly specifying a single host

Apparent failure to log all "deny" matches
Where the log statement is included in multiple ACEs configured with a "deny" option, a large
volume of "deny" matches generating logging messages in a short period of time can impact switch
performance. If it appears that the switch is not consistently logging all "deny" matches, try reducing
the number of logging actions by removing the log statement from some ACEs configured with
the "deny" action.

The switch does not allow any routed access from a specific host, group of hosts, or subnet
The implicit deny any function that the switch automatically applies as the last entry in any ACL
may be blocking all access by devices not specifically permitted by an entry in an ACL affecting
those sources. If you are using the ACL to block specific hosts, a group of hosts, or a subnet, but
want to allow any access not specifically permitted, insert permit any as the last explicit entry
in the ACL.

The switch is not performing routing functions on a VLAN
Two possible causes of this problem are:
• Routing is not enabled. If show running indicates that routing is not enabled, use the
  ip routing command to enable routing.
• An ACL may be blocking access to the VLAN (on a switch covered in this guide). Ensure that
  the switch's IP address on the VLAN is not blocked by one of the ACE entries in an ACL applied
  to that VLAN. A common mistake is to either not explicitly permit the switch's IP address as a
  DA or to use a wildcard ACL mask in a deny statement that happens to include the switch's
  IP address.
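
Both mistakes named above (relying on an ACL that ends in the implicit deny any, and a deny ACE whose wildcard ACL mask happens to cover the switch's IP address) can be checked offline before an ACL is applied. The following Python example is added here and is not code from this guide or from the switch software; it models only source and destination addresses with first-match evaluation, and every address, ACL and function name in it is constructed for illustration.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def matches(addr, spec):
    """spec is "any", ("host", ip) or (ip, acl_mask); mask bits set to 1 are ignored."""
    if spec == "any":
        return True
    first, second = spec
    if first == "host":                      # "host" never takes a mask
        return _ip(addr) == _ip(second)
    care = ~_ip(second) & 0xFFFFFFFF         # invert the wildcard mask
    return (_ip(addr) & care) == (_ip(first) & care)

def evaluate(acl, src, dst):
    """First match wins; (action, ACE index), index None means implicit deny any."""
    for index, (action, src_spec, dst_spec) in enumerate(acl):
        if matches(src, src_spec) and matches(dst, dst_spec):
            return action, index
    return "deny", None

def explain(acl, mgmt_host, switch_ip):
    """Report why traffic from the management host to the switch's DA passes or fails."""
    action, index = evaluate(acl, mgmt_host, switch_ip)
    if action == "permit":
        return "permitted by ACE %d" % index
    if index is None:
        return "blocked by implicit deny any"
    return "blocked by explicit deny ACE %d" % index

# Constructed sample data: switch VLAN address and one management station.
SWITCH_IP, MGMT_HOST = "10.10.20.1", "10.10.20.50"

# No ACE mentions the switch's address, so the implicit deny any applies.
ACL_IMPLICIT = [("permit", ("host", MGMT_HOST), ("host", "10.10.30.7"))]
# The deny mask 0.0.0.15 covers 10.10.20.0-10.10.20.15, which includes the switch.
ACL_WILDCARD = [("deny", "any", ("10.10.20.0", "0.0.0.15")),
                ("permit", "any", "any")]
# Corrected: an explicit permit for the switch's DA precedes the deny.
ACL_FIXED = [("permit", ("host", MGMT_HOST), ("host", SWITCH_IP))] + ACL_WILDCARD

if __name__ == "__main__":
    for name, acl in (("implicit", ACL_IMPLICIT), ("wildcard", ACL_WILDCARD),
                      ("fixed", ACL_FIXED)):
        print(name, "->", explain(acl, MGMT_HOST, SWITCH_IP))
```
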

Routing through a gateway on the switch fails
Configuring a "deny" ACE that includes a gateway address can block traffic attempting to use the
gateway as a next-hop.