Strange one

Unanswered Question
Feb 26th, 2008

Anyone ever seen something like this? 4506 SupV, when you do a "show access-list" it shows a bunch of access lists that we do not even know what they are. The strange thing is they do "not" show up at all in a "show run" or a "show start" command. Nowhere to be found in either config.

lamav Tue, 02/26/2008 - 09:18

I've never seen such a thing... bizarre.

Sounds like your switch needs an exorcism. lol

Richard Burts Tue, 02/26/2008 - 10:35


I have seen a situation several times where 1 (or maybe 2 or 3) access lists showed up in show access list. They did not show up in show run and if you try to do no access-list ... it did not remove them. I believe that they were inserted by SDM or some similar feature.



glen.grant Tue, 02/26/2008 - 16:39

Thanks Ric, never heard that one. I have never used SDM so I don't even really know what it is used for.

Richard Burts Tue, 02/26/2008 - 19:21

Hey Scott

Glad to see you in the forum. Long time no speak. Hope things are well with you.

The instances that I remember were certainly not related to 802.1X or anything like that. It was several releases ago when I saw it. I wonder if Glen can tell us what release he is running when he sees this symptom?



swmorris Tue, 02/26/2008 - 19:27

I'm doing well, thanks! You can call any time, my cell number hasn't changed in the last eight years! :)

And I suppose it could be a "feature" in a software version! I was just trying to think of other ways ACLs would be introduced to a switch and not much was coming up.....

We used to have this on routers with dialer pools and per-user downloaded ACLs at times, but 802.1X was the only thing that popped in my head for a switch to do that!

PIX Shunning may as well, but AFAIK those were predictable ACL numbers.


glen.grant Wed, 02/27/2008 - 02:28

Don't use 802.1X, think it is a 12.2.35xxx version, not at the office at the moment. I'll check when I get there, but it is definitely not something we added ourselves. I guess the question is what feature would do this where it shows with a "show access-list" but does not show up in the running or startup configs. The other bit of info I can add is that a lot of the ACLs seem to be dealing with the multicast range 224.0.0.x, and we don't even use multicast either.


swmorris Wed, 02/27/2008 - 06:42

Could you post some sample output then from "show access list"?

224.0.0.x multicast isn't really multicast in the way we typically think of it (why you say you don't run it!).

It's link-local multicast, which means it won't go beyond the single broadcast domain that you are on. Examples: = AllRouters and = OSPF = RIPv2 = EIGRP = PIM ('real' multicast)

But these are things not generally bothered with...

Are the ACLs you are seeing standard or extended?

Are you running IPS on the box?

I'll wait to see samples.




Richard Burts Wed, 02/27/2008 - 10:32

I found the one that I remembered. Here it is:

Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log
    40 permit ip any any log

It is present in IOS but appears in neither running-config or startup-config.

This is from a 7206 running 12.3(8)T

sh version
Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(8)T, RELEASE SOFTWARE (fc2)

As far as I could tell it was cosmetic. I never saw any indication that it was assigned to anything. And of the times that I saw it in show access-list I do not remember any time that it had a hit count.
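The check Richard describes (is the ACL in the config, is it applied anywhere, does it have a hit count) can be done mechanically against saved CLI output. The script below is an added example for this thread, not code from any of the posters; it parses "show access-lists" and "show running-config" text and reports every ACL the box knows about that the configuration never declares, along with its accumulated match count and any config line that applies it. The two text blocks are constructed sample output in IOS format; the sl_def_acl entries copy what Richard posted, the other ACLs are made up.

```python
"""Report ACLs that IOS shows in 'show access-lists' but that the running
configuration does not declare, with hit counts and where they are applied.

Added example for this thread, not from any poster. The sample output below
is constructed, not captured from the 4506 or the 7206 discussed above.
"""
import re

# Constructed sample of 'show access-lists'. sl_def_acl copies the entries
# Richard posted; ACL 10 and MGMT are made up for the example.
SHOW_ACCESS_LISTS = """\
Standard IP access list 10
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (42 matches)
    20 deny   any log
Extended IP access list MGMT
    10 permit tcp 10.0.0.0 0.0.0.255 any eq 22 (7 matches)
    20 deny ip any any log (3 matches)
Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log
    40 permit ip any any log
"""

# Constructed sample of the relevant parts of 'show running-config'.
RUNNING_CONFIG = """\
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny   any log
!
ip access-list extended MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any log
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group 10 in
!
line vty 0 4
 access-class MGMT in
!
"""

ACL_HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)")
HIT_COUNT = re.compile(r"\((\d+) match(?:es)?\)")


def parse_show_access_lists(text):
    """Return {acl_name: {'type': ..., 'entries': [...], 'matches': n}}."""
    acls = {}
    current = None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(2)
            acls[current] = {"type": header.group(1), "entries": [], "matches": 0}
            continue
        if current is None or not line.strip():
            continue
        hits = HIT_COUNT.search(line)
        acls[current]["entries"].append(line.strip())
        acls[current]["matches"] += int(hits.group(1)) if hits else 0
    return acls


def configured_acls(config):
    """Names or numbers of every ACL the running configuration declares."""
    names = set()
    for line in config.splitlines():
        named = re.match(r"^ip access-list (?:standard|extended) (\S+)", line)
        numbered = re.match(r"^access-list (\d+)\s", line)
        if named:
            names.add(named.group(1))
        elif numbered:
            names.add(numbered.group(1))
    return names


def references(config, name):
    """Config lines that apply the ACL (access-group, access-class, ...),
    excluding the lines that define it. Token matching keeps ACL '10' from
    matching an address like 10.0.10.1."""
    refs = []
    for line in config.splitlines():
        if line.startswith(("ip access-list ", "access-list ")):
            continue
        if name in line.split():
            refs.append(line.strip())
    return refs


def phantom_acls(show_text, config):
    """ACLs present in 'show access-lists' but declared nowhere in the config."""
    known = configured_acls(config)
    report = {}
    for name, info in parse_show_access_lists(show_text).items():
        if name in known:
            continue
        report[name] = {
            "type": info["type"],
            "entries": len(info["entries"]),
            "matches": info["matches"],
            "referenced_by": references(config, name),
        }
    return report


if __name__ == "__main__":
    for name, info in phantom_acls(SHOW_ACCESS_LISTS, RUNNING_CONFIG).items():
        print(f"{name}: {info['type']}, {info['entries']} entries, "
              f"{info['matches']} matches, applied by "
              f"{info['referenced_by'] or 'nothing in the config'}")
```

Replace the two constants with real captures to use it on a box. An ACL that shows up here with zero matches and nothing applying it is, as Richard says, cosmetic until some feature activates it; one with a non-zero hit count is being enforced by something outside the visible config and is worth chasing.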



swmorris Wed, 02/27/2008 - 10:37

That's for the extra/new "login" stuff, isn't it?

login quiet-mode can allow you to specify your own ACL.

At least if memory serves. :)
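A configuration fragment, added here as an example and not taken from any post above, showing the IOS login-enhancement commands swmorris is referring to. The numbers and the ACL name MGMT-QUIET are assumed for illustration. In the Login Block feature, configuring "login block-for" with no "login quiet-mode access-class" leaves the router to apply its own built-in sl_def_acl during the quiet period, which is the ACL Richard posted; supplying your own access-class is what replaces it. Whether the 4506 from the original question is running this feature is not established in this thread.

```text
! Assumed values: 120 second quiet period after 3 failed logins within 60 s
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! Without the next line the quiet period is enforced with the auto-generated
! sl_def_acl (deny telnet/www/22, permit ip any any log), which appears in
! 'show access-lists' but not in the running or startup configuration.
ip access-list extended MGMT-QUIET
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any log
login quiet-mode access-class MGMT-QUIET
```

"show login" reports whether the feature is active and, during a quiet period, which ACL is in force, so it is the first thing to check before hunting for the ACL in the configuration.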


