Ah, VLAN ACL’s. You have been my nemesis for days! Ok, here’s the trick to get them to work. Perhaps it will be obvious for others but it wasn’t to me.
The ACL’s must use wildcard masks! That’s right, the CatOS tab help only says something about regular masks and nothing about wildcards. So use wildcards. For instance:
set security acl ip acl_name permit arp
set security acl ip acl_name deny tcp any 172.16.2.0 0.0.0.255 eq 23
set security acl ip acl_name permit ip any any
set security acl map acl_name 100 statistics enable
Then you can see what’s happening with:
sh sec acl tcam interface 100
CatOS will happily accept a non-wildcard mask and then do absolutely nothing. No indication things aren’t working right. I got this suggestion from the cisco engnenineer working on this project with me but I then did find some reference to a wildcard mask in a show output. Thanks Cisco CatOS dev team!