Anyone ever seen something like this? 4506 Sup V: when you do a "show access-list" it shows a bunch of access lists that we do not even know what they are. The strange thing is they do "not" show up at all in a "show run" or "show start" command. Nowhere to be found in either config.
I have seen a situation several times where 1 (or maybe 2 or 3) access lists showed up in show access-list. They did not show up in show run, and if you tried to do no access-list ... it did not remove them. I believe that they were inserted by SDM or some similar feature.
Check folks who have used SDM (although that should be in show run also) or if you have dynamically downloaded ACLs from 802.1X or something along those lines... That would also influence things where they would not necessarily be in 'show run'.
Glad to see you in the forum. Long time no speak. Hope things are well with you.
The instances that I remember were certainly not related to 802.1X or anything like that. It was several releases ago when I saw it. I wonder if Glen can tell us what release he is running when he sees this symptom?
I'm doing well, thanks! You can call any time, my cell number hasn't changed in the last eight years! :)
And I suppose it could be a "feature" in a software version! I was just trying to think of other ways ACLs would be introduced to a switch and not much was coming up.....
We used to have this on routers with dialer pools and per-user downloaded ACLs at times, but 802.1X was the only thing that popped in my head for a switch to do that!
PIX Shunning may as well, but AFAIK those were predictable ACL numbers.
Don't use 802.1X, think it is a 12.2.35xxx version, not at the office at the moment. I'll check when I get there, but it's definitely not something we added ourselves. I guess the question is what feature would do this where it shows with a show access-list but does not show up in the run or start configs. The other bit of info I can add is that a lot of the ACLs seem to be dealing with the multicast range 224.0.0.x; we don't even use multicast either.
Could you post some sample output then from "show access list"?
224.0.0.x multicast isn't really multicast in the way we typically think of it (why you say you don't run it!).
It's link-local multicast, which means it won't go beyond the single broadcast domain that you are on. Examples:
224.0.0.2 = AllRouters
224.0.0.5 and 224.0.0.6 = OSPF
224.0.0.9 = RIPv2
224.0.0.10 = EIGRP
224.0.0.13 = PIM ('real' multicast)
But these are things not generally bothered with...
Are the ACLs you are seeing standard or extended?
Are you running IPS on the box?
I'll wait to see samples.
I found the one that I remembered. Here it is:
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log
40 permit ip any any log
It is present in IOS but appears in neither running-config nor startup-config.
This is from a 7206 running 12.3(8)T
Cisco IOS Software, 7200 Software (C7200-IK9S-M), Version 12.3(8)T, RELEASE SOFTWARE (fc2)
As far as I could tell it was cosmetic. I never saw any indication that it was assigned to anything. And of the times that I saw it in show access-list I do not remember any time that it had a hit count.
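An added example, not from any poster in this thread and not Cisco code, that does the comparison the thread keeps coming back to: parse "show access-lists" and the running config, list every ACL IOS holds that the config never mentions, and carry the hit counts along so a cosmetic leftover like sl_def_acl can be told apart from one that is actually being applied. The sample output is constructed (sl_def_acl is copied from the post above; MGMT-IN and access-list 10 are assumed names).

```python
import re

# Constructed sample output, not captured from the thread's switch; sl_def_acl mirrors the ACL posted above.
SHOW_ACCESS_LISTS = """\
Extended IP access list MGMT-IN
    10 permit tcp 10.0.0.0 0.255.255.255 any eq 22 (17 matches)
    20 deny ip any any log (3 matches)
Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log
    40 permit ip any any log
"""
SHOW_RUN = """\
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 deny ip any any log
access-list 10 permit 10.1.1.0 0.0.0.255
"""

ACL_HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
MATCHES = re.compile(r"\((\d+) match(?:es)?\)")
RUN_ACL = re.compile(r"^(?:ip access-list (?:standard|extended) (\S+)|access-list (\d+) )", re.M)

def parse_show_access_lists(text):
    """Map ACL name -> {"type", "entries", "hits"} from 'show access-lists' output."""
    acls, current = {}, None
    for line in text.splitlines():
        m = ACL_HEADER.match(line)          # header lines start in column 0, entries are indented
        if m:
            current = m.group(2)
            acls[current] = {"type": m.group(1).lower(), "entries": 0, "hits": 0}
        elif current and line.strip():
            acls[current]["entries"] += 1
            h = MATCHES.search(line)        # absent when the entry has never matched a packet
            acls[current]["hits"] += int(h.group(1)) if h else 0
    return acls

def configured_acl_names(text):
    """ACL names and numbers that actually appear in a running or startup config."""
    return {m.group(1) or m.group(2) for m in RUN_ACL.finditer(text)}

def unconfigured_acls(show_acl_text, show_run_text):
    """ACLs IOS knows about but the config never mentions, with their hit totals.
    Non-zero hits mean the list is applied somewhere and worth chasing; zero hits look cosmetic."""
    configured = configured_acl_names(show_run_text)
    return {n: i for n, i in parse_show_access_lists(show_acl_text).items() if n not in configured}
```

Run the same two functions against the output of "show startup-config" as well, since the thread notes the lists are missing from both.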