New Member

Weird ACLs showing up

hi guys,

I have a ghost story to share. I had configured some access lists in my 3560 switch and after testing everything was working fine. Then I powered off the switch after saving the config. Today when I powered it back on, I saw two new access lists created: preauth_ipv4_acl (per user) and preauth_ipv6_acl (per user). The funny thing is that I can see them only in the sh access-lists command and not in the running config or startup config!! That sounds funny because I was in my lab all night and nobody was here other than me. Did the switch do something by itself?


Weird ACLs showing up

Hi,

Are you doing any kind of 802.1x on your switch ?

Regards

Alain

Don't forget to rate helpful posts.

New Member

Weird ACLs showing up

Alain, hi again,

I have not set up the switch for any kind of 802.1x authentication. I am pasting the config:

version 15.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname IBLOCK-CORE

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

system mtu routing 1500

authentication mac-move permit

ip routing

!

!

ip device tracking

!

!

crypto pki trustpoint TP-self-signed-2184049536

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2184049536

revocation-check none

rsakeypair TP-self-signed-2184049536

!

!

crypto pki certificate chain TP-self-signed-2184049536

certificate self-signed 01 nvram:IOS-Self-Sig#1.cer

!

!

!

spanning-tree mode pvst

spanning-tree extend system-id

!

!

!

!

!

!

!

!

!

vlan internal allocation policy ascending

!

!

!

!

!

!

!

!

!

!

!

interface FastEthernet0

no ip address

no ip route-cache

no ip mroute-cache

shutdown

!

interface GigabitEthernet0/1

!

interface GigabitEthernet0/2

!

interface GigabitEthernet0/3

!

interface GigabitEthernet0/4

!

interface GigabitEthernet0/5

switchport access vlan 3

switchport mode access

!

interface GigabitEthernet0/6

switchport access vlan 6

switchport mode access

!

interface GigabitEthernet0/7

!

interface GigabitEthernet0/8

!

interface GigabitEthernet0/9

!

interface GigabitEthernet0/10

!

interface GigabitEthernet0/11

!

interface GigabitEthernet0/12

switchport access vlan 12

switchport mode access

ip access-group 103 in

!

interface GigabitEthernet0/13

!

interface GigabitEthernet0/14

!

interface GigabitEthernet0/15

!

interface GigabitEthernet0/16

!

interface GigabitEthernet0/17

!

interface GigabitEthernet0/18

!

interface GigabitEthernet0/19

!

interface GigabitEthernet0/20

!

interface GigabitEthernet0/21

!

interface GigabitEthernet0/22

!

interface GigabitEthernet0/23

no switchport

ip address 192.168.0.1 255.255.255.252

!

interface GigabitEthernet0/24

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 2-12

!

interface GigabitEthernet1/1

!

interface GigabitEthernet1/2

!

interface GigabitEthernet1/3

!

interface GigabitEthernet1/4

!

interface TenGigabitEthernet1/1

!

interface TenGigabitEthernet1/2

!

interface Vlan1

no ip address

shutdown

!

interface Vlan2

ip address 172.20.0.1 255.255.255.0

ip access-group 100 in

ip helper-address 172.20.1.5

!

interface Vlan3

ip address 172.20.1.1 255.255.255.128

ip helper-address 172.20.1.5

!

interface Vlan4

ip address 172.20.1.129 255.255.255.128

!

interface Vlan5

ip address 172.20.2.1 255.255.255.128

!

interface Vlan6

ip address 172.20.2.129 255.255.255.128

ip access-group 101 in

ip helper-address 172.20.1.5

!

interface Vlan7

ip address 172.20.3.1 255.255.255.128

!

interface Vlan8

ip address 172.20.3.129 255.255.255.128

!

interface Vlan9

ip address 172.20.4.1 255.255.255.128

ip access-group 102 in

!

interface Vlan10

ip address 172.20.4.129 255.255.255.128

!

interface Vlan11

ip address 172.20.5.1 255.255.255.0

!

interface Vlan12

ip address 172.20.6.1 255.255.255.128

ip access-group 103 in

ip helper-address 172.20.1.5

!

ip forward-protocol nd

ip http server

ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 192.168.0.2

!

!

ip sla enable reaction-alerts

access-list 100 permit ip any 172.20.1.0 0.0.0.127

access-list 100 permit ip host 0.0.0.0 host 255.255.255.255

access-list 100 permit ip any host 172.20.0.1

access-list 100 deny   ip any any

access-list 101 permit ip any 172.20.1.0 0.0.0.127

access-list 101 permit udp any eq bootpc any

access-list 101 permit udp any eq bootps any

access-list 101 permit ip host 0.0.0.0 host 255.255.255.255

access-list 101 permit ip any host 172.20.2.129

access-list 101 deny   ip any any

access-list 102 permit ip any 172.20.4.0 0.0.0.127

access-list 102 deny   ip any any

access-list 103 permit ip host 0.0.0.0 host 255.255.255.255

access-list 103 permit ip any any

!

!

!

line con 0

line vty 0 4

login

line vty 5 15

login

!

end

But when I do sh access-lists, it shows all the ACLs that are above in the config, and it also shows:

Extended IP access list preauth_ipv4_acl (per-user)

    10 permit udp any any eq domain

    20 permit tcp any any eq domain

    30 permit udp any eq bootps any

    40 permit udp any any eq bootpc

    50 permit udp any eq bootpc any

    60 deny ip any any

IPv6 access list preauth_ipv6_acl (per-user)

    permit udp any any eq domain sequence 10

    permit tcp any any eq domain sequence 20

    permit icmp any any nd-ns sequence 30

    permit icmp any any nd-na sequence 40

    permit icmp any any router-solicitation sequence 50

    permit icmp any any router-advertisement sequence 60

    permit icmp any any redirect sequence 70

    permit udp any eq 547 any eq 546 sequence 80

    permit udp any eq 546 any eq 547 sequence 90

    deny ipv6 any any sequence 100

New Member

Weird ACLs showing up

Has anyone come across this before? Has it something to do with the ip helper!!!

New Member

Weird ACLs showing up

Perhaps related to

authentication mac-move permit???

Cisco Employee

Weird ACLs showing up

Anirudh,

This appears to me to be a cosmetic bug - you are using some very recent IOS according to the version number, and that IOS obviously uses some hardwired internal ACLs for its own internal purposes. These internal ACLs are most probably not properly hidden and accidentally show up in the show access-lists command output. There was a similar cosmetic glitch on some older 800 series routers a few years ago.

If you have a support contract with Cisco then I suggest reporting this but otherwise, I would not be worried about it.

Best regards,

Peter

New Member

Weird ACLs showing up

Hi Peter,

I contacted Cisco support, but they are saying that it's not a bug. Still, they wanted to analyze the sh tech output, so I have mailed it to them anyway. Let's wait and see what it is. They are thinking that I created these, but I am sure that I am the only person here and nobody has access. And of course I never did that!!

Cisco Employee

Weird ACLs showing up

Hi Anirudh,

Well - they say it's not a bug only because they haven't found it yet in their database. Seriously, though, ACLs that are visible in show access-lists but not in running-config are either dynamically learned (often via AAA, as Alain originally suggested) or they are hardwired into IOS for internal purposes, and in that case they should not be visible at all.

Let's see what the TAC has to say after they analyze your configuration. Please keep us posted!

Best regards,

Peter
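One way to check for the situation this thread describes (ACLs listed by show access-lists that are missing from running-config), written as an added example and not code from the thread or from Cisco: it parses saved copies of both outputs offline, using constructed samples modelled on the config pasted above, and reports every ACL that appears only in the show output, tagging the (per-user) ones as dynamically installed.

```python
import re
# Constructed sample in the style of the 3560 config above (numbered ACLs plus
# one named ACL); the preauth ACLs are deliberately absent from it.
RUNNING_CONFIG = """\
ip access-list extended WEBSENSE
 deny ip host 172.16.49.4 any
access-list 100 permit ip any 172.20.1.0 0.0.0.127
access-list 100 deny   ip any any
"""
# Constructed "show access-lists" output: the same ACLs plus the two
# per-user preauth ACLs from the thread.
SHOW_ACCESS_LISTS = """\
Extended IP access list 100
    10 permit ip any 172.20.1.0 0.0.0.127
Extended IP access list WEBSENSE
    10 deny ip host 172.16.49.4 any
Extended IP access list preauth_ipv4_acl (per-user)
    60 deny ip any any
IPv6 access list preauth_ipv6_acl (per-user)
    deny ipv6 any any sequence 100
"""
# ACL definitions as written in running-config (numbered, named v4, named v6).
CONFIG_PATTERNS = (
    re.compile(r"^access-list (\S+) "),
    re.compile(r"^ip access-list (?:standard|extended) (\S+)"),
    re.compile(r"^ipv6 access-list (\S+)"),
)
# ACL headers as printed by "show access-lists"; group 2 catches "(per-user)".
SHOW_HEADER = re.compile(
    r"^(?:(?:Standard|Extended) IP|IPv6) access list (\S+)(?:\s*\((per-user)\))?")

def configured_acls(running_config: str) -> set:
    """Names/numbers of every ACL defined in running-config."""
    names = set()
    for line in running_config.splitlines():
        for pat in CONFIG_PATTERNS:
            if m := pat.match(line):
                names.add(m.group(1))
                break
    return names

def ghost_acls(running_config: str, show_output: str) -> dict:
    """ACLs visible in 'show access-lists' but absent from running-config,
    tagged per-user/dynamic (installed at run time, e.g. by AAA) or unexplained."""
    configured = configured_acls(running_config)
    ghosts = {}
    for line in show_output.splitlines():
        if (m := SHOW_HEADER.match(line)) and m.group(1) not in configured:
            ghosts[m.group(1)] = "per-user/dynamic" if m.group(2) else "unexplained"
    return ghosts
```

Running it against captures from a real switch (feed the two command outputs in as strings) gives a short list to hand to TAC or to compare against what AAA is expected to push.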

Re: Weird ACLs showing up

Hi,

Do you have an ACS in your LAN environment? It could be that downloadable ACL was enabled.

Sent from Cisco Technical Support iPhone App

New Member

Ws-3850VITCCCORENEW#sh

 

VITCCCORENEW#sh ip access-lists

Extended IP access list WEBSENSE

    60 deny ip host 172.16.49.4 any (7665 matches)

    70 deny ip host 172.16.49.10 any

    80 deny ip host 172.16.49.80 any (26790 matches)

    81 deny ip host 172.16.17.218 any

    110 deny ip 172.16.5.0 0.0.0.255 any (72390 matches)

    111 deny ip 172.16.40.0 0.0.3.255 any (16537 matches)

    120 deny ip 172.16.68.0 0.0.1.255 any (62959 matches)

    130 permit tcp 172.16.0.0 0.0.255.255 any eq www (268 matches)

    140 permit tcp 172.16.0.0 0.0.255.255 any eq 443 (2306 matches)

Extended IP access list preauth_ipv4_acl (per-user)

    10 permit udp any any eq domain

    20 permit tcp any any eq domain

    30 permit udp any eq bootps any

    40 permit udp any any eq bootpc

    50 permit udp any eq bootpc any

    60 deny ip any any

Hi Peter,

I also found the same problem, so we are facing the problem of very high CPU utilization.

Please give any solution.
