Unknown ACLs on 4500 series switch

Answered Question
Oct 27th, 2009
I was working at a client site of mine this morning. I was configuring some modifications to a couple of the known ACL's configured on the box.

I did a "sh access-list" command and received some very strange output. Here is what I received:

bhicore#sho access-list
Extended IP access list PCI-vlan1-egress
    10 permit ip 198.100.100.0 0.0.0.255 any (1168573 matches)
Extended IP access list PCI-vlan2
Extended IP access list system-cpp-all-routers-on-subnet
    10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
    10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
    10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
    10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
    10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-igmp
    10 permit igmp any 224.0.0.0 31.255.255.255
Extended IP access list system-cpp-ip-mcast-linklocal
    10 permit ip any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ospf
    10 permit ospf any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-pim
    10 permit pim any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ripv2
    10 permit ip any host 224.0.0.9
Extended MAC access list system-cpp-bpdu-range
    permit any 0180.c200.0000 0000.0000.000c
Extended MAC access list system-cpp-cdp
    permit any host 0100.0ccc.cccc
Extended MAC access list system-cpp-cgmp
    permit any host 0100.0cdd.dddd
Extended MAC access list system-cpp-dot1x
    permit any host 0180.c200.0003
Extended MAC access list system-cpp-lldp
    permit any host 0180.c200.000e
Extended MAC access list system-cpp-mcast-cfm
    permit any 0100.0ccc.ccc0 0000.0000.0007
Extended MAC access list system-cpp-sstp
    permit any host 0100.0ccc.cccd
Extended MAC access list system-cpp-ucast-cfm
    permit any host 001a.a11c.84bd


I do not know what the bottom 18 ACLs are. I DO know that I didn't configure them. Has anyone out here in the braintrust seen these before, and if so, what are they? Is there some configuration option that enables these ACLs?

Thx

Kevin

Correct Answer by Lucien Avramov, Tue, 10/27/2009 - 09:48

Those are the CoPP: Control Plane Policy ACLs.

They are needed for the functioning of your switch. They are not seen in a show run, but a show access-lists displays them.

The access-lists were introduced as part of the control-plane policers from 12.2(31)SG onwards.

The document on configuring CoPP details the access-lists for a cat4k:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/cntl_pln.html

I don't know what platform you have, but if you search on cisco.com you will find a document for your switch.
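As an added example (not from the original thread), a short Python script that parses the "show access-lists" format shown above and sorts the ACLs into three buckets: those present in the running config, the platform's own system-cpp-* CoPP entries, and anything left over, which is what actually deserves investigation. The sample output and the running-config name set are constructed; "mystery-acl" is a hypothetical ACL included only to exercise the unexplained case.

```python
import re

# Constructed sample of "show access-lists" output, modelled on the
# Catalyst 4500 listing in the question (abbreviated; values illustrative).
SAMPLE_SHOW_ACL = """\
Extended IP access list PCI-vlan1-egress
    10 permit ip 198.100.100.0 0.0.0.255 any (1168573 matches)
Extended IP access list PCI-vlan2
Extended IP access list system-cpp-dhcp-cs
    10 permit udp any eq bootpc any eq bootps
Extended MAC access list system-cpp-cdp
    permit any host 0100.0ccc.cccc
Extended IP access list mystery-acl
    10 permit ip any any
"""

# Constructed sample: ACL names that appear in "show running-config".
SAMPLE_RUNNING_CONFIG_ACLS = {"PCI-vlan1-egress", "PCI-vlan2"}

HEADER = re.compile(r"^Extended (IP|MAC) access list (\S+)$")


def parse_show_access_lists(text):
    """Return {acl_name: {"type": "IP" | "MAC", "entries": [...]}}."""
    acls, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = m.group(2)
            acls[current] = {"type": m.group(1), "entries": []}
        elif line.strip() and current:
            acls[current]["entries"].append(line.strip())
    return acls


def classify_acls(show_output, running_config_names):
    """Split ACLs into configured, platform CoPP (system-cpp-*), and unexplained."""
    acls = parse_show_access_lists(show_output)
    result = {"configured": [], "copp": [], "unexplained": []}
    for name in sorted(acls):
        if name in running_config_names:
            result["configured"].append(name)
        elif name.startswith("system-cpp-"):
            result["copp"].append(name)
        else:
            result["unexplained"].append(name)
    return result


if __name__ == "__main__":
    print(classify_acls(SAMPLE_SHOW_ACL, SAMPLE_RUNNING_CONFIG_ACLS))
```

Feed it the real "show access-lists" and "show running-config" captures and the "unexplained" bucket is the list to chase; the system-cpp-* names the thread is about land in "copp" and can be cross-checked against the CoPP document linked above.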

