Access-list question for device WS-C4500X-16

billmacmillan
Level 1

I have dual 4500s (WS-C4500X-16) running VSS and IOS-XE Version 03.05.00.E

On deployment there appear to be a number of access-lists pre-configured on the device that I have not been able to discern the purpose of, and I was hoping that someone here would be kind enough to assist. The following access-lists are what my security team is asking me about:

Extended IPv4 ACL VSL-BFD

Extended IPv4 ACL VSL-DHCP-CLIENT-TO-SERVER

Extended IPv4 ACL VSL-DHCP-SERVER-TO-CLIENT

Extended IPv4 ACL VSL-DHCP-SERVER-TO-SERVER

Extended IPv4 ACL VSL-IPV4-ROUTING

IPv6 Access List VSL-IPV6-ROUTING

I can't see anything indicating that these ACLs are assigned to a purpose. I have tried searching for some reference to these ACLs on the internet with no luck. Does anyone have any idea of their purpose, or a link to a document that might enlighten me on these particular ACLs?

1 Reply

Hi,

If you look at the details of those ACLs, you will see that those ACLs are for VSL and BFD control signals.
ip access-list extended VSL-BFD
permit udp any any eq 3784
ip access-list extended VSL-DHCP-CLIENT-TO-SERVER
permit udp any eq bootpc any eq bootps
ip access-list extended VSL-DHCP-SERVER-TO-CLIENT
permit udp any eq bootps any eq bootpc
ip access-list extended VSL-DHCP-SERVER-TO-SERVER
permit udp any eq bootps any eq bootps
ip access-list extended VSL-IPV4-ROUTING
permit ip any 224.0.0.0 0.0.0.255
!
ipv6 access-list VSL-IPV6-ROUTING
permit ipv6 any FF02::/124

You might also have mac access-lists:
mac access-list extended VSL-BPDU
permit any 0180.c200.0000 0000.0000.0003
mac access-list extended VSL-CDP
permit any host 0100.0ccc.cccc
mac access-list extended VSL-DOT1x
permit any any 0x888E
mac access-list extended VSL-GARP
permit any host 0180.c200.0020
mac access-list extended VSL-LLDP
permit any host 0180.c200.000e
mac access-list extended VSL-SSTP
permit any host 0100.0ccc.cccd

You can use them with policy-maps to allocate bandwidth.

HTH,
Meheretab
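What a security team usually wants to know about these pre-configured ACLs is which traffic each one actually classifies. The Python below is an added example, not code from the thread or from Cisco: it parses the IPv4/IPv6 ACE lines quoted in the reply (the mac access-lists are not covered) and reports which VSL ACL a given flow would land in; the ACL text and the flows in the usage note are constructed copies and samples, and wildcard masks are assumed to be contiguous.

```python
import ipaddress
ACL_TEXT = """
ip access-list extended VSL-BFD
 permit udp any any eq 3784
ip access-list extended VSL-DHCP-CLIENT-TO-SERVER
 permit udp any eq bootpc any eq bootps
ip access-list extended VSL-DHCP-SERVER-TO-CLIENT
 permit udp any eq bootps any eq bootpc
ip access-list extended VSL-DHCP-SERVER-TO-SERVER
 permit udp any eq bootps any eq bootps
ip access-list extended VSL-IPV4-ROUTING
 permit ip any 224.0.0.0 0.0.0.255
ipv6 access-list VSL-IPV6-ROUTING
 permit ipv6 any FF02::/124
"""  # constructed copy of the ACL text quoted in the reply above
PORT_NAMES = {"bootps": 67, "bootpc": 68}  # IOS port keywords used in these ACEs
def _addr(tok, i):  # 'any' | 'A/len' | 'A wildcard' (IPv4) -> (network or None, next i)
    if tok[i] == "any":
        return None, i + 1
    if "/" in tok[i]:
        return ipaddress.ip_network(tok[i], strict=False), i + 1
    ones = bin(int(ipaddress.IPv4Address(tok[i + 1]))).count("1")  # wildcard-mask bits
    return ipaddress.ip_network(f"{tok[i]}/{32 - ones}", strict=False), i + 2

def _port(tok, i):  # optional 'eq <port>' -> (port or None, next i)
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_acls(text):  # name -> (family, [(proto, src_net, src_port, dst_net, dst_port)])
    acls, name = {}, None
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[1] == "access-list":  # 'ip ...' or 'ipv6 ...' header line
            name, acls[tok[-1]] = tok[-1], (tok[0], [])
        elif tok[0] == "permit":
            src, i = _addr(tok, 2)
            sport, i = _port(tok, i)
            dst, i = _addr(tok, i)
            dport, _ = _port(tok, i)
            acls[name][1].append((tok[1], src, sport, dst, dport))
    return acls

def matching_acls(acls, proto, src, sport, dst, dport):  # ACL names that classify this flow
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    family = "ip" if src.version == 4 else "ipv6"  # ACLs of the other family never match
    return [name for name, (fam, aces) in acls.items() if fam == family and any(
        aproto in (proto, family) and (asrc is None or src in asrc)
        and (adst is None or dst in adst) and asport in (None, sport)
        and adport in (None, dport) for aproto, asrc, asport, adst, adport in aces)]
```

For example, `matching_acls(parse_acls(ACL_TEXT), "udp", "10.0.0.1", 49152, "10.0.0.2", 3784)` returns `['VSL-BFD']`, while a sample SSDP flow to 239.255.255.250 returns `[]`, showing that VSL-IPV4-ROUTING only catches the link-local 224.0.0.0/24 range used by routing protocols.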