Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages wha2tsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

On a "true" L2 switch, you're correct, L3 ACLs shouldn't be supported.  But, many of Cisco's L2 switches are L2 Enhanced or L2 Plus, marketing speak for they support some L3 related features.  (Also, a L3 switch might be used without it routing, so even though it's acting in a L2 role, it still has its other L3 features.)

[edit]

PS:

BTW, unless your 4510 has a very old sup,likely its sup supports L3.  (I'm not even sure whether the really recent sups even allow you to still disable IP routing.)

Oh, and to your question whether using an ACL at the edge is normal, well if you're doing QoS, often it's good to verify and/or reclassify ingress traffic right at the edge ingress port, so if the switch supports it, an ingress policy using (L3) ACLs might be "normal".