Unknown ACLs on 4500 series switch

Answered Question
Oct 27th, 2009

I was working at a client site of mine this morning. I was configuring some modifications to a couple of the known ACLs configured on the box.

I did a "sh access-list" command and received some very strange output. Here is what I received:

bhicore#sho access-list
Extended IP access list PCI-vlan1-egress
    10 permit ip 198.100.100.0 0.0.0.255 any (1168573 matches)
Extended IP access list PCI-vlan2
Extended IP access list system-cpp-all-routers-on-subnet
    10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
    10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
    10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
    10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
    10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-igmp
    10 permit igmp any 224.0.0.0 31.255.255.255
Extended IP access list system-cpp-ip-mcast-linklocal
    10 permit ip any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ospf
    10 permit ospf any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-pim
    10 permit pim any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ripv2
    10 permit ip any host 224.0.0.9
Extended MAC access list system-cpp-bpdu-range
    permit any 0180.c200.0000 0000.0000.000c
Extended MAC access list system-cpp-cdp
    permit any host 0100.0ccc.cccc
Extended MAC access list system-cpp-cgmp
    permit any host 0100.0cdd.dddd
Extended MAC access list system-cpp-dot1x
    permit any host 0180.c200.0003
Extended MAC access list system-cpp-lldp
    permit any host 0180.c200.000e
Extended MAC access list system-cpp-mcast-cfm
    permit any 0100.0ccc.ccc0 0000.0000.0007
Extended MAC access list system-cpp-sstp
    permit any host 0100.0ccc.cccd
Extended MAC access list system-cpp-ucast-cfm
    permit any host 001a.a11c.84bd

I do not know what the bottom 18 ACLs are. I DO know that I didn't configure them. Has anyone out here in the braintrust seen these before, and if so, what are they? Is there some configuration option that enables these ACLs?

Thx

Kevin

Correct Answer by Lucien Avramov, Tue, 10/27/2009 - 09:48

Those are the CoPP: Control Plane Policy ACLs.

They are needed for the functioning of your switch. They are not seen in a show run, but a show access-lists displays them.

The access-lists were introduced as part of the control-plane policers from 12.2(31)SG onwards.

The document on configuring CoPP details the access-lists for a cat4k:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/cntl_pln.html

I don't know what platform you have, but if you search on cisco.com you will find a document for your switch.

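The answer above gives the practical rule: on a Catalyst 4500 running 12.2(31)SG or later, access lists named system-cpp-* are the built-in control-plane policing lists and will never appear in the running configuration. The check a practitioner would actually want when reviewing a box like this is the inverse one: anything in "show access-lists" that is neither a system-cpp-* list nor present in "show running-config" has no explanation and should be investigated. The script below is an added example, not code from the thread or from Cisco; it parses captured "show access-lists" output, sorts the names into those three buckets, and separately flags lists that exist but have no entries (like PCI-vlan2 above), since on IOS an ACL with no entries permits all traffic when applied to an interface. The sample input is constructed from the output in the post, and the running-config snippet, the function names and the system-cpp- prefix rule are my assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample: a representative subset of the "show access-lists"
# output posted above, pasted as a device would print it.
SHOW_ACCESS_LISTS = """\
Extended IP access list PCI-vlan1-egress
    10 permit ip 198.100.100.0 0.0.0.255 any (1168573 matches)
Extended IP access list PCI-vlan2
Extended IP access list system-cpp-all-routers-on-subnet
    10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-dhcp-cs
    10 permit udp any eq bootpc any eq bootps
Extended MAC access list system-cpp-bpdu-range
    permit any 0180.c200.0000 0000.0000.000c
Extended MAC access list system-cpp-cdp
    permit any host 0100.0ccc.cccc
"""

# Hypothetical "show running-config" fragment for the same switch: only the
# two PCI lists were ever configured by hand (assumption, not from the post).
RUNNING_CONFIG = """\
ip access-list extended PCI-vlan1-egress
 permit ip 198.100.100.0 0.0.0.255 any
ip access-list extended PCI-vlan2
"""

# "Extended IP access list NAME" / "Standard IP access list 10" / "Extended MAC access list NAME"
HEADER = re.compile(r"^(?:Standard|Extended) (IP|MAC) access list (\S+)$")
# Named ACL definitions as they appear in the running configuration.
CONFIG_ACL = re.compile(r"^(?:ip|mac) access-list (?:standard|extended) (\S+)", re.M)
# Naming convention of the built-in Catalyst 4500 control-plane policing lists.
SYSTEM_PREFIX = "system-cpp-"


def parse_show_access_lists(text):
    """Return an ordered mapping of ACL name -> {"type": "IP"|"MAC", "entries": [...]}."""
    acls = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            kind, name = m.groups()
            current = name
            acls[name] = {"type": kind, "entries": []}
        elif current is not None and line:
            acls[current]["entries"].append(line)  # "10 permit ip ... (N matches)"
    return acls


def configured_acl_names(running_config):
    """Names of ACLs that are actually defined in the running configuration."""
    return set(CONFIG_ACL.findall(running_config))


def classify(show_acl_text, running_config):
    """Bucket every ACL seen on the box; "unexplained" is the list worth chasing."""
    acls = parse_show_access_lists(show_acl_text)
    configured = configured_acl_names(running_config)
    report = {"system_copp": [], "configured": [], "unexplained": [], "empty": []}
    for name, acl in acls.items():
        if name.startswith(SYSTEM_PREFIX):
            report["system_copp"].append(name)   # expected: built-in CoPP list
        elif name in configured:
            report["configured"].append(name)    # expected: in show run
        else:
            report["unexplained"].append(name)   # neither: investigate
        if not acl["entries"]:
            report["empty"].append(name)         # an applied empty ACL permits everything
    return report


if __name__ == "__main__":
    for bucket, names in classify(SHOW_ACCESS_LISTS, RUNNING_CONFIG).items():
        print(f"{bucket:12s} {', '.join(names) or '-'}")
```

In practice you would feed the script the real output of "show access-lists" and "show running-config" captured over SSH; the important design choice is that the system-cpp-* prefix is treated as an explanation only on a platform where the documentation says those lists are built in, so the same check on a different platform would put them in the unexplained bucket until you verify them against that platform's CoPP document.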
