cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1120
Views
0
Helpful
10
Replies

Strange one

glen.grant
VIP Alumni
VIP Alumni

Anyone ever seen something like this. 4506 SupV, when you do a show access list it shows a bunch of access lists that we do not even know what they are . The strange thing they do "not" show up at all in a "show run" or a show start" command . Nowhere to be found in either config.

10 Replies 10

lamav
Level 8
Level 8

Ive never seen such a thing... bizarre.

Sounds like your switch needs an exorcism. lol

Glen

I have seen a situation several times where 1 (or maybe 2 or 3) access lists showed up in show access list. They did not show up in show run and if you try to do no access-list ... it did not remove them. I believe that they were inserted by SDM or some similar feature.

HTH

Rick

HTH

Rick

thanks Ric , never heard that one. I have never used SDM so I don't even really know what it is used for .

Check folks who have used SDM (although that should be in show run also) or if you have dynamically downloaded ACLs from 802.1X or something along those lines... That would also influence things where they would not necessarily be in 'show run'.

HTH,

Scott

smorris@ipexpert.com

Hey Scott

Glad to see you in the forum. Long time no speak. Hope things are well with you.

The instances that I remember were certainly not related to 802.1X or anything like that. It was several releases ago when I saw it. I wonder if Glen can tell us what release he is running when he sees this symptom?

HTH

Rick

HTH

Rick

I'm doing well, thanks! You can call any time, my cell number hasn't changed in the last eight years! :)

And I suppose it could be a "feature" in a software version! I was just trying to think of other ways ACLs would be introduced to a switch and not much was coming up.....

We used to have this on routers with dialer pools and per-user downloaded ACLs at times, but 802.1X was the only thing that popped in my head for a switch to do that!

PIX Shunning may as well, but AFAIK those were predictable ACL numbers.

Scott

Don't use 802.1X , think it is a 12.2.35xxx version , not at the office at the moment . I'll check when I get there , but it definetly not something we added ourself . I guess the question is what feature would do this where it shows with a show access list but does not show up in the runn or start configs. The other bit of info I can add is that a lot of the acl's seem to be dealing with the multicast range 224.0.0.x , we don't even use multicast either.

Weird...

Could you post some sample output then from "show access list"?

224.0.0.x multicast isn't really multicast in the way we typically think of it (why you say you don't run it!).

It's link-local multicast, which means it won't go beyond the single broadcast domain that you are on. Examples:

224.0.0.2 = AllRouters

224.0.0.5 and 224.0.0.6 = OSPF

224.0.0.9 = RIPv2

224.0.0.10 = EIGRP

224.0.0.13 = PIM ('real' multicast)

But these are things not generally bothered with...

Are the ACLs you are seeing standard or extended?

Are you running IPS on the box?

I'll wait to see samples.

HTH,

Scott

smorris@ipexpert.com

I found the one that I remembered. Here it is:

Extended IP access list sl_def_acl

10 deny tcp any any eq telnet log

20 deny tcp any any eq www log

30 deny tcp any any eq 22 log

40 permit ip any any log

It is present in IOS but appears in neither running-config or startup-config.

This is from a 7206 running 12.3(8)T

sh version

Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(8)T, RELEASE SOFTWARE (fc2)

As far as I could tell it was cosmetic. I never saw any indication that it was assigned to anything. And of the times that I saw it in show access-list I do not remember any time that it had a hit count.

HTH

Rick

HTH

Rick

That's for the extra/new "login" stuff, isn't it?

login quite-mode can allow you to specify your own ACL.

At least if memory serves. :)

Scott

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: