Okay, I have the same problem as in this thread on a 2930F with 16.11.0005: "VACL filtering within same VLAN". So I have this ACL:
ip access-list extended "notworking"
10 deny ip 0.0.0.0 255.255.255.255 10.13.222.0 0.0.0.255 log
11 deny ip 10.13.222.0 0.0.0.255 10.13.222.0 0.0.0.255 log
20 deny ip 0.0.0.0 255.255.255.255 10.13.222.100 0.0.0.0 log
30 deny ip 0.0.0.0 255.255.255.255 192.168.0.0 0.0.255.255 log
31 deny ip 0.0.0.0 255.255.255.255 172.16.0.0 0.15.255.255 log
32 deny ip 0.0.0.0 255.255.255.255 10.0.0.0 0.255.255.255 log
99 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
and it's applied to the VLAN with the 10.13.222.0/24 scope:
vlan 22
ip access-group "notworking" in
I even added row 20 for sh*ts and giggles (I have a client on that VLAN on the switch with IP 10.13.222.100), but I still can ping between clients on that VLAN.
Without the ACL the clients on that switch in that VLAN can ping everything freely. With the ACL they can no longer ping anything else on the other VLANs now (nor the other internal addresses in the ACL, as intended). They can't even ping the gateway for that VLAN (10.13.222.1), which is also fine, because everything seems to work anyway. But what has me totally boggled is that the clients can still freely ping each other, including to and from the client on 10.13.222.100.
Same result when I apply the ACL to out, and both in/out.
So what am I missing?
The switch has routing enabled and routes all other traffic to the ISP router (so just the one row "ip route 0.0.0.0 0.0.0.0 [isp router ip]").