diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go
index 284f532090..714e1c6d34 100644
--- a/internal/ingress/controller/store/store.go
+++ b/internal/ingress/controller/store/store.go
@@ -1049,7 +1049,14 @@ func (s *k8sStore) GetService(key string) (*corev1.Service, error) {
 
 func (s *k8sStore) GetIngressClass(ing *networkingv1.Ingress, icConfig *ingressclass.Configuration) (string, error) {
 	// First we try ingressClassName
-	if !icConfig.IgnoreIngressClass && ing.Spec.IngressClassName != nil {
+	if ing.Spec.IngressClassName != nil {
+		if icConfig.IgnoreIngressClass {
+			if icConfig.AnnotationValue == *ing.Spec.IngressClassName {
+				return *ing.Spec.IngressClassName, nil
+			}
+
+			return "", errors.Errorf("lack of permission on cluster IngressClass: %s, %s", *ing.Spec.IngressClassName, icConfig.AnnotationValue)
+		}
 		iclass, err := s.listers.IngressClass.ByKey(*ing.Spec.IngressClassName)
 		if err != nil {
 			return "", err
diff --git a/test/e2e/settings/ingress_class.go b/test/e2e/settings/ingress_class.go
index 80c09f80c3..f8c950e472 100644
--- a/test/e2e/settings/ingress_class.go
+++ b/test/e2e/settings/ingress_class.go
@@ -645,14 +645,35 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() {
 				Status(http.StatusOK)
 		})
 
+		ginkgo.It("should watch Ingress with matched Ingress.Spec.IngressClassName and CLI parameter --ingress-class", func() {
+			validHost := "validhostnameforingressclassname"
+			testIngressClassName := "testclass"
+
+			ing := framework.NewSingleIngress(validHost, "/", validHost, f.Namespace, framework.EchoService, 80, nil)
+			ing.Spec.IngressClassName = &testIngressClassName
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxConfiguration(func(cfg string) bool {
+				return strings.Contains(cfg, "server_name "+validHost)
+			})
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", validHost).
+				Expect().
+				Status(http.StatusOK)
+		})
+
 		ginkgo.It("should ignore Ingress with only IngressClassName", func() {
 			invalidHost := "noclassforyou"
+			unmatchedIngressClassName := "testclass-unmatched"
 
 			ing := framework.NewSingleIngress(invalidHost, "/", invalidHost, f.Namespace, framework.EchoService, 80, nil)
+			ing.Spec.IngressClassName = &unmatchedIngressClassName
 			f.EnsureIngress(ing)
 
 			f.WaitForNginxConfiguration(func(cfg string) bool {
-				return !strings.Contains(cfg, "server_name noclassforyou")
+				return !strings.Contains(cfg, "server_name "+invalidHost)
 			})
 
 			f.HTTPTestClient().