Cannot delete ACL

florinmarian (Level 1)

Hello!
I recently purchased a Cisco WS-C4948E switch, and it was not completely wiped before the sale; there are some ACLs that I cannot delete.
This is the list of ACLs:

Switch#show access-list
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
100 deny udp any any eq domain
101 deny tcp any any eq domain
102 deny udp any eq bootps any
103 deny udp any any eq bootpc
104 deny udp any eq bootpc any
105 permit tcp any any eq www
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
Extended IP access list system-cpp-all-routers-on-subnet
10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-energywise-disc
10 permit udp any eq any eq 0
Extended IP access list system-cpp-hsrpv2
10 permit udp any host 224.0.0.102
Extended IP access list system-cpp-igmp
10 permit igmp any 224.0.0.0 31.255.255.255
Extended IP access list system-cpp-ip-mcast-linklocal
10 permit ip any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ospf
10 permit ospf any any
Extended IP access list system-cpp-pim
10 permit pim any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ripv2
10 permit ip any host 224.0.0.9
IPv6 access list DHCP Sever
permit udp any eq 546 any eq 547 sequence 10
permit udp any eq 547 any eq 546 sequence 20
IPv6 access list preauth_ipv6_acl (per-user)
permit udp any any eq domain sequence 10
permit tcp any any eq domain sequence 20
permit icmp any any nd-ns sequence 30
permit icmp any any nd-na sequence 40
permit icmp any any router-solicitation sequence 50
permit icmp any any router-advertisement sequence 60
permit icmp any any redirect sequence 70
permit udp any eq 547 any eq 546 sequence 80
permit udp any eq 546 any eq 547 sequence 90
deny ipv6 any any sequence 100
IPv6 access list system-cpp-dhcpv6-cs
permit udp any eq 546 any eq 547 sequence 10
IPv6 access list system-cpp-dhcpv6-sc
permit udp any eq 547 any eq 546 sequence 10
IPv6 access list system-cpp-icmpv6-na
permit icmp any any nd-na sequence 10
IPv6 access list system-cpp-icmpv6-ns
permit icmp any any nd-ns sequence 10
IPv6 access list system-cpp-icmpv6-ra
permit icmp any any router-advertisement sequence 10
IPv6 access list system-cpp-icmpv6-rr
permit icmp any any redirect sequence 10
IPv6 access list system-cpp-icmpv6-rs
permit icmp any any router-solicitation sequence 10
Extended MAC access list system-cpp-bpdu-range
permit any 0180.c200.0000 0000.0000.0003
Extended MAC access list system-cpp-cdp
permit any host 0100.0ccc.cccc
Extended MAC access list system-cpp-dot1x
permit any any 0x888E
Extended MAC access list system-cpp-mcast-cfm
permit any 0180.c200.0030 0000.0000.000f
Extended MAC access list system-cpp-sstp
permit any host 0100.0ccc.cccd
Extended MAC access list system-cpp-ucast-cfm
permit any host c471.fe8c.7d3d

I can successfully delete the first ACL, but any other ACL I try to delete, I can't. Although I get no error when I run the command, the ACLs remain there.

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#no ip access-list extended preauth_ipv4_acl
Switch(config)#exit
Switch#show access-list
*May 21 04:06:05.491: %SYS-5-CONFIG_I: Configured from console by console
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
100 deny udp any any eq domain
101 deny tcp any any eq domain
102 deny udp any eq bootps any
103 deny udp any any eq bootpc
104 deny udp any eq bootpc any
105 permit tcp any any eq www
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
Extended IP access list system-cpp-all-routers-on-subnet
10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
10 permit udp any eq bootps any eq bootpc

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#no ip access-list extended
Switch#conf t
*May 21 04:06:27.491: %SYS-5-CONFIG_I: Configured from console by console
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#no ip access-list extended CISCO-CWA-URL-REDIRECT-ACL
Switch(config)#exit
Switch#show access-list
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
Extended IP access list system-cpp-all-routers-on-subnet
10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-energywise-disc
10 permit udp any eq any eq 0
Extended IP access list system-cpp-hsrpv2
10 permit udp any host 224.0.0.102
Extended IP access list system-cpp-igmp
--More--

Any suggestions?
Thank you!

EDIT: I also discovered a problem: even the ACL that does get deleted (the first in the list) reappears after a reload, even if I run the `write memory` command.

Accepted Solution

What you set in ROMMON is only used by ROMMON.
Once the switch/router is running IOS all your config must be in the IOS running-config.

Cisco devices initiate the TFTP connection, not the server. So if the device is .250, then Pumpkin must be something else. And if you're running it on Windows, make sure it's allowed through the Windows firewall.
For example: copy tftp://192.168.1.251/filename.bin bootflash:

@florinmarian those are system ACLs and are used by other functions, such as Control Plane Policing (CPP). I don't think you can delete them; they are safe to leave in place.

Thanks for the answer, but if this is not where the problem comes from, why can't I communicate with the management interface or with the LAN I'm connected to, even with the switch reset?
Specifically, with the settings below set in ROMMON, the switch sees my laptop on which I run the TFTP server (ping works), but my laptop does not recognize the IP address of the switch:

set interface fa1 192.168.1.9 255.255.255.0 192.168.1.255
set ip route default 192.168.1.1
set TftpServer 192.168.1.10

The ports GigabitEthernet1/1 and GigabitEthernet1/2 are both connected to the router of the first ISP, and GigabitEthernet1/3 to the router of the second ISP; the idea was to do load balancing.
Am I missing something?

vlan 10
name Orange
exit

vlan 20
name RCSRDS
exit

interface GigabitEthernet1/1
switchport mode access
switchport access vlan 10
exit

interface GigabitEthernet1/2
switchport mode access
switchport access vlan 10
exit

interface GigabitEthernet1/3
switchport mode access
switchport access vlan 20
exit

interface Vlan1
ip address 10.0.0.1 255.255.255.0
no shutdown
exit

interface Vlan10
description Orange connection
ip address 192.168.1.2 255.255.255.0
no shutdown
exit

interface Vlan20
description RCSRDS connection
ip address 192.168.2.2 255.255.255.0
no shutdown
exit


ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.2.1

@florinmarian is IP routing enabled ("ip routing")? Are the VLAN interfaces in an up state ("show ip int br")?

Switch#show ip int br
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet1          unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  down                  down
GigabitEthernet1/4     unassigned      YES unset  down                  down
GigabitEthernet1/5     unassigned      YES unset  down                  down
GigabitEthernet1/6     unassigned      YES unset  down                  down
GigabitEthernet1/7     unassigned      YES unset  down                  down
GigabitEthernet1/8     unassigned      YES unset  down                  down
GigabitEthernet1/9     unassigned      YES unset  down                  down
GigabitEthernet1/10    unassigned      YES unset  down                  down
GigabitEthernet1/11    unassigned      YES unset  down                  down
GigabitEthernet1/12    unassigned      YES unset  down                  down
GigabitEthernet1/13    unassigned      YES unset  down                  down
GigabitEthernet1/14    unassigned      YES unset  down                  down
GigabitEthernet1/15    unassigned      YES unset  down                  down
GigabitEthernet1/16    unassigned      YES unset  down                  down
GigabitEthernet1/17    unassigned      YES unset  down                  down
GigabitEthernet1/18    unassigned      YES unset  down                  down
GigabitEthernet1/19    unassigned      YES unset  down                  down
GigabitEthernet1/20    unassigned      YES unset  down                  down
GigabitEthernet1/21    unassigned      YES unset  down                  down
GigabitEthernet1/22    unassigned      YES unset  down                  down
GigabitEthernet1/23    unassigned      YES unset  down                  down
GigabitEthernet1/24    unassigned      YES unset  down                  down
GigabitEthernet1/25    unassigned      YES unset  down                  down
GigabitEthernet1/26    unassigned      YES unset  down                  down
GigabitEthernet1/27    unassigned      YES unset  down                  down
GigabitEthernet1/28    unassigned      YES unset  down                  down
GigabitEthernet1/29    unassigned      YES unset  down                  down
GigabitEthernet1/30    unassigned      YES unset  down                  down
GigabitEthernet1/31    unassigned      YES unset  down                  down
GigabitEthernet1/32    unassigned      YES unset  down                  down
GigabitEthernet1/33    unassigned      YES unset  down                  down
GigabitEthernet1/34    unassigned      YES unset  down                  down
GigabitEthernet1/35    unassigned      YES unset  down                  down
GigabitEthernet1/36    unassigned      YES unset  down                  down
GigabitEthernet1/37    unassigned      YES unset  down                  down
GigabitEthernet1/38    unassigned      YES unset  down                  down
GigabitEthernet1/39    unassigned      YES unset  down                  down
GigabitEthernet1/40    unassigned      YES unset  down                  down
GigabitEthernet1/41    unassigned      YES unset  down                  down
GigabitEthernet1/42    unassigned      YES unset  down                  down
GigabitEthernet1/43    unassigned      YES unset  down                  down
GigabitEthernet1/44    unassigned      YES unset  down                  down
GigabitEthernet1/45    unassigned      YES unset  down                  down
GigabitEthernet1/46    unassigned      YES unset  down                  down
GigabitEthernet1/47    unassigned      YES unset  down                  down
GigabitEthernet1/48    unassigned      YES unset  down                  down
TenGigabitEthernet1/49 unassigned      YES unset  down                  down
TenGigabitEthernet1/50 unassigned      YES unset  down                  down
TenGigabitEthernet1/51 unassigned      YES unset  down                  down
TenGigabitEthernet1/52 unassigned      YES unset  down                  down
Vlan1                  unassigned      YES manual administratively down down
Vlan10                 192.168.1.2     YES NVRAM  up                    up
Vlan20                 192.168.2.2     YES NVRAM  down                  down
Switch#
Switch#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.1.1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Vlan10
L        192.168.1.2/32 is directly connected, Vlan10

It is fine to have 192.168.2.0/24 not in use yet, since I'm currently using just GigabitEthernet1/1-2 and Vlan10.

Thank you for your help!

@florinmarian OK, just to confirm: your laptop is connected to VLAN 10 and you cannot ping the VLAN 10 SVI? And vice versa?

Can the router (192.168.1.1) connected to VLAN10 and switch (192.168.1.2) ping each other?

Switch: 192.168.1.2

Laptop: 192.168.1.10

Gateway: 192.168.1.1

Laptop can ping gateway

Switch can ping gateway

Laptop can't ping Switch and vice versa.

@florinmarian OK, understood. CPP seems to be enabled on that switch; run "show policy-map control-plane" (or a variation of that command) to determine whether there are any matches. Provide the output.

No output:

Switch#show policy-map control-plane
Switch#

There are many issues here; let's solve them one by one.
First remove the ACL from under the interface,
then delete the ACL.

Thank you for your support!

I don't think there was any ACL attached to those interfaces:

Switch#show ip access-lists interface GigabitEthernet1/1
Switch#show ip access-lists interface GigabitEthernet1/2
Switch#show ip access-lists interface Vlan10
Switch#show ip access-lists
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
    100 deny udp any any eq domain
    101 deny tcp any any eq domain
    102 deny udp any eq bootps any
    103 deny udp any any eq bootpc
    104 deny udp any eq bootpc any
    105 permit tcp any any eq www
Extended IP access list preauth_ipv4_acl (per-user)
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 permit udp any eq bootps any
    40 permit udp any any eq bootpc
    50 permit udp any eq bootpc any
    60 deny ip any any
Extended IP access list system-cpp-all-routers-on-subnet
    10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
    10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
    10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
    10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
    10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-energywise-disc
    10 permit udp any eq any eq 0
Extended IP access list system-cpp-hsrpv2
    10 permit udp any host 224.0.0.102
Extended IP access list system-cpp-igmp
    10 permit igmp any 224.0.0.0 31.255.255.255
Extended IP access list system-cpp-ip-mcast-linklocal
    10 permit ip any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ospf
    10 permit ospf any any
Extended IP access list system-cpp-pim
    10 permit pim any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ripv2
    10 permit ip any host 224.0.0.9

The redirect ACL and the preauth ACL are used by dot1x, so:

no dot1x system-auth-control

then delete the ACL.

NOTE: check the other interfaces to see whether they use the ACL; I see only two ports.
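
The two replies above draw a line between the `system-cpp-*` lists that Control Plane Policing owns, the `(per-user)` lists and the CWA redirect ACL that a dot1x/NAC session installs, and ordinary named ACLs. The following is an added example, not code from the thread: a small parser for the `show access-lists` text format shown in the post that sorts each ACL into one of those three buckets and emits the matching `no ... access-list` line for the ones an operator can remove. The sample output embedded in it is an abridged, constructed copy of the listing above; the `(per-user)` tag is read as the marker IOS prints for AAA-installed lists, and the command forms are the standard IOS ones.

```python
import re
from dataclasses import dataclass, field

# Constructed input: an abridged copy of the `show access-lists` output
# from the post (one list of each kind, plus a pager line), so the
# example runs offline without a switch.
SAMPLE_OUTPUT = """\
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
    100 deny udp any any eq domain
    105 permit tcp any any eq www
Extended IP access list preauth_ipv4_acl (per-user)
    10 permit udp any any eq domain
    60 deny ip any any
Extended IP access list system-cpp-ospf
    10 permit ospf any any
IPv6 access list preauth_ipv6_acl (per-user)
    deny ipv6 any any sequence 100
Extended MAC access list system-cpp-cdp
    permit any host 0100.0ccc.cccc
--More--
Extended MAC access list system-cpp-bpdu-range
    permit any 0180.c200.0000 0000.0000.0003
"""

# One header line per ACL; IOS appends " (per-user)" to lists that a
# AAA/dot1x session downloaded rather than the operator configured.
HEADER = re.compile(
    r"^(?P<kind>Standard IP|Extended IP|IPv6|Extended MAC) access list "
    r"(?P<name>.+?)(?P<per_user> \(per-user\))?$"
)


@dataclass
class Acl:
    kind: str            # "Standard IP", "Extended IP", "IPv6" or "Extended MAC"
    name: str
    per_user: bool       # True when the header carried the "(per-user)" tag
    entries: list = field(default_factory=list)

    @property
    def category(self) -> str:
        if self.name.startswith("system-cpp-"):
            return "system"      # owned by Control Plane Policing; the CLI will not delete it
        if self.per_user:
            return "per-user"    # installed by dot1x/NAC; disable dot1x before deleting
        return "user"            # ordinary named ACL, removable from global config


def parse_access_lists(text: str) -> list:
    """Turn `show access-lists` output into Acl objects, skipping pager lines."""
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--More--"):
            continue
        m = HEADER.match(line)
        if m:
            acls.append(Acl(m["kind"], m["name"], m["per_user"] is not None))
        elif acls:
            acls[-1].entries.append(line)   # an ACE belonging to the current list
    return acls


def removal_command(acl: Acl):
    """Global-config line that removes the ACL, or None for CPP-owned lists."""
    if acl.category == "system":
        return None
    if acl.kind == "IPv6":
        return f"no ipv6 access-list {acl.name}"
    if acl.kind == "Extended MAC":
        return f"no mac access-list extended {acl.name}"
    mode = "standard" if acl.kind == "Standard IP" else "extended"
    return f"no ip access-list {mode} {acl.name}"


def cleanup_plan(acls: list) -> dict:
    """Group ACLs by what the operator can do with them."""
    plan = {"delete": [], "needs_dot1x_off": [], "keep": []}
    for acl in acls:
        if acl.category == "system":
            plan["keep"].append(acl.name)
        elif acl.category == "per-user":
            plan["needs_dot1x_off"].append(removal_command(acl))
        else:
            plan["delete"].append(removal_command(acl))
    return plan


if __name__ == "__main__":
    for bucket, items in cleanup_plan(parse_access_lists(SAMPLE_OUTPUT)).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Run it against a full `show access-lists` capture and the "keep" bucket is exactly the set the first reply says to leave alone, while "needs_dot1x_off" lists the commands that only take effect after `no dot1x system-auth-control` and the per-interface dot1x lines are gone, which is the order the later reply gives. The presence of per-user lists and a CWA redirect ACL on a second-hand switch is itself worth treating as a finding: it means the previous owner's NAC configuration (aaa, radius, dot1x) may still be in the running config, so `show run | include aaa|radius|dot1x` is the check to make before trusting anything on the box, and `write erase` plus a reload is the clean answer if none of it is wanted.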

florinmarian (Level 1)

Just two ports are used currently.

I tried the above command and then tried to delete the ACL, but the ACL just stays; there is no error or change when I check the output before/after the ACL deletion.

Remove all dot1x configuration, both global and per interface.

Hi

Did you try performing a device wipe?

conf t

write erase

reload

Don't save the config if it asks.

About the connectivity issue: if you run show ip arp vlan 10, do you see the laptop's MAC address?