02-26-2008 09:06 AM - edited 03-05-2019 09:23 PM
Anyone ever seen something like this? 4506 SupV: when you do a show access list it shows a bunch of access lists that we do not even know what they are. The strange thing is they do "not" show up at all in a "show run" or "show start" command. Nowhere to be found in either config.
02-26-2008 09:18 AM
I've never seen such a thing... bizarre.
Sounds like your switch needs an exorcism. lol
02-26-2008 10:35 AM
Glen
I have seen a situation several times where 1 (or maybe 2 or 3) access lists showed up in show access list. They did not show up in show run and if you try to do no access-list ... it did not remove them. I believe that they were inserted by SDM or some similar feature.
HTH
Rick
02-26-2008 04:39 PM
Thanks Rick, never heard that one. I have never used SDM so I don't even really know what it is used for.
02-26-2008 07:07 PM
Check folks who have used SDM (although that should be in show run also) or if you have dynamically downloaded ACLs from 802.1X or something along those lines... That would also influence things where they would not necessarily be in 'show run'.
HTH,
Scott
02-26-2008 07:21 PM
Hey Scott
Glad to see you in the forum. Long time no speak. Hope things are well with you.
The instances that I remember were certainly not related to 802.1X or anything like that. It was several releases ago when I saw it. I wonder if Glen can tell us what release he is running when he sees this symptom?
HTH
Rick
02-26-2008 07:27 PM
I'm doing well, thanks! You can call any time, my cell number hasn't changed in the last eight years! :)
And I suppose it could be a "feature" in a software version! I was just trying to think of other ways ACLs would be introduced to a switch and not much was coming up.....
We used to have this on routers with dialer pools and per-user downloaded ACLs at times, but 802.1X was the only thing that popped in my head for a switch to do that!
PIX Shunning may as well, but AFAIK those were predictable ACL numbers.
Scott
02-27-2008 02:28 AM
Don't use 802.1X; think it is a 12.2.35xxx version, not at the office at the moment. I'll check when I get there, but it is definitely not something we added ourselves. I guess the question is what feature would do this where it shows with a show access list but does not show up in the run or start configs. The other bit of info I can add is that a lot of the ACLs seem to be dealing with the multicast range 224.0.0.x; we don't even use multicast either.
Weird...
02-27-2008 06:42 AM
Could you post some sample output then from "show access list"?
224.0.0.x multicast isn't really multicast in the way we typically think of it (why you say you don't run it!).
It's link-local multicast, which means it won't go beyond the single broadcast domain that you are on. Examples:
224.0.0.2 = AllRouters
224.0.0.5 and 224.0.0.6 = OSPF
224.0.0.9 = RIPv2
224.0.0.10 = EIGRP
224.0.0.13 = PIM ('real' multicast)
But these are things not generally bothered with...
Are the ACLs you are seeing standard or extended?
Are you running IPS on the box?
I'll wait to see samples.
HTH,
Scott
02-27-2008 10:32 AM
I found the one that I remembered. Here it is:
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log
40 permit ip any any log
It is present in IOS but appears in neither running-config or startup-config.
This is from a 7206 running 12.3(8)T
sh version
Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(8)T, RELEASE SOFTWARE (fc2)
As far as I could tell it was cosmetic. I never saw any indication that it was assigned to anything. And of the times that I saw it in show access-list I do not remember any time that it had a hit count.
HTH
Rick
02-27-2008 10:37 AM
That's for the extra/new "login" stuff, isn't it?
login quiet-mode can allow you to specify your own ACL.
At least if memory serves. :)
Scott
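As an added example (not posted by anyone in this thread), the following Python script does by machine what Rick and Scott are doing by eye: it reconciles the ACLs a device reports in "show access-lists" against the ACLs actually defined in "show running-config", and lists any that exist only on the device, together with their entry count and hit counters. The two sample outputs are constructed for this example: sl_def_acl is modelled on Rick's post, while ACL 10 and MGMT-IN are made up. The parser only understands the common IOS formats for numbered and named IPv4 access lists; anything else is ignored.

```python
import re

# Constructed sample of "show access-lists" output (not a real device capture).
# sl_def_acl follows the ACL Rick posted; a hit count was added to entry 40
# to show how the reconciliation reports matches on an ACL nobody configured.
SHOW_ACCESS_LISTS = """\
Standard IP access list 10
    10 permit 10.1.1.0, wildcard bits 0.0.0.255
Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log
    40 permit ip any any log (12 matches)
Extended IP access list MGMT-IN
    10 permit tcp 10.0.0.0 0.255.255.255 any eq 22
    20 deny ip any any log
"""

# Constructed sample of "show running-config" (not a real device capture).
# Note that sl_def_acl is deliberately absent, as in the thread.
SHOW_RUN = """\
!
hostname core-sw
!
access-list 10 permit 10.1.1.0 0.0.0.255
!
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 deny ip any any log
!
"""

# "show access-lists" header line: "<Standard|Extended> IP access list <name>"
HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")
# Indented entry line: "<seq> <rule> [(<n> matches)]"
ENTRY_RE = re.compile(r"^\s+(\d+)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")
# Running-config definitions: numbered ("access-list N ...") or named.
RUN_NUMBERED_RE = re.compile(r"^access-list (\d+) ")
RUN_NAMED_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)\s*$")


def parse_show_access_lists(text):
    """Return {name: {"type", "entries": [(seq, rule)], "matches": total}}."""
    acls = {}
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {"type": header.group(1), "entries": [], "matches": 0}
            acls[header.group(2)] = current
            continue
        if current is None:
            continue  # text before the first ACL header
        entry = ENTRY_RE.match(line)
        if entry:
            seq, rule, hits = entry.groups()
            current["entries"].append((int(seq), rule))
            if hits:
                current["matches"] += int(hits)
    return acls


def parse_running_config_acls(text):
    """Return the set of ACL names/numbers that the running-config defines."""
    names = set()
    for line in text.splitlines():
        m = RUN_NUMBERED_RE.match(line) or RUN_NAMED_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def find_unconfigured_acls(show_acl_text, running_config_text):
    """Names present on the device but absent from the running-config, sorted."""
    seen = parse_show_access_lists(show_acl_text)
    configured = parse_running_config_acls(running_config_text)
    return sorted(name for name in seen if name not in configured)


def report(show_acl_text, running_config_text):
    """One human-readable line per ACL that exists only on the device."""
    seen = parse_show_access_lists(show_acl_text)
    lines = []
    for name in find_unconfigured_acls(show_acl_text, running_config_text):
        acl = seen[name]
        lines.append(
            f"{name}: {acl['type']} ACL with {len(acl['entries'])} entries, "
            f"{acl['matches']} matches, not in running-config"
        )
    return lines


if __name__ == "__main__":
    for line in report(SHOW_ACCESS_LISTS, SHOW_RUN):
        print(line)
```

Run against the samples, the report names only sl_def_acl. An ACL that the configuration does not define is not necessarily harmful (Rick's example never showed a hit count), but a non-zero match counter on one means traffic is actually being evaluated against rules nobody wrote down, which is the case worth tracing back to the feature that installed it.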