05-20-2023 09:08 PM - edited 05-20-2023 09:57 PM
Hello!
I recently purchased a CISCO WS-C4948E switch and it was not completely cleaned before the sale and I have some ACLs that I cannot delete.
This is the list of acls:
Switch#show access-list
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
100 deny udp any any eq domain
101 deny tcp any any eq domain
102 deny udp any eq bootps any
103 deny udp any any eq bootpc
104 deny udp any eq bootpc any
105 permit tcp any any eq www
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
Extended IP access list system-cpp-all-routers-on-subnet
10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-energywise-disc
10 permit udp any eq any eq 0
--More--
Translating "pool.ntp.org"...domain server (255.25 [OK]
Extended IP access list system-cpp-hsrpv2
10 permit udp any host 224.0.0.102
Extended IP access list system-cpp-igmp
10 permit igmp any 224.0.0.0 31.255.255.255
Extended IP access list system-cpp-ip-mcast-linklocal
10 permit ip any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ospf
10 permit ospf any any
Extended IP access list system-cpp-pim
10 permit pim any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ripv2
10 permit ip any host 224.0.0.9
IPv6 access list DHCP Sever
permit udp any eq 546 any eq 547 sequence 10
permit udp any eq 547 any eq 546 sequence 20
IPv6 access list preauth_ipv6_acl (per-user)
permit udp any any eq domain sequence 10
permit tcp any any eq domain sequence 20
permit icmp any any nd-ns sequence 30
permit icmp any any nd-na sequence 40
permit icmp any any router-solicitation sequence 50
permit icmp any any router-advertisement sequence 60
permit icmp any any redirect sequence 70
permit udp any eq 547 any eq 546 sequence 80
permit udp any eq 546 any eq 547 sequence 90
deny ipv6 any any sequence 100
IPv6 access list system-cpp-dhcpv6-cs
permit udp any eq 546 any eq 547 sequence 10
IPv6 access list system-cpp-dhcpv6-sc
permit udp any eq 547 any eq 546 sequence 10
IPv6 access list system-cpp-icmpv6-na
permit icmp any any nd-na sequence 10
IPv6 access list system-cpp-icmpv6-ns
permit icmp any any nd-ns sequence 10
IPv6 access list system-cpp-icmpv6-ra
permit icmp any any router-advertisement sequence 10
IPv6 access list system-cpp-icmpv6-rr
permit icmp any any redirect sequence 10
IPv6 access list system-cpp-icmpv6-rs
permit icmp any any router-solicitation sequence 10
Extended MAC access list system-cpp-bpdu-range
permit any 0180.c200.0000 0000.0000.0003
Extended MAC access list system-cpp-cdp
permit any host 0100.0ccc.cccc
Extended MAC access list system-cpp-dot1x
permit any any 0x888E
Extended MAC access list system-cpp-mcast-cfm
permit any 0180.c200.0030 0000.0000.000f
Extended MAC access list system-cpp-sstp
permit any host 0100.0ccc.cccd
Extended MAC access list system-cpp-ucast-cfm
permit any host c471.fe8c.7d3d
I can successfully delete the first ACL, but any other one I try to delete, I can't. Although I get no response when I issue the command, the ACLs remain there.
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#no ip access-list extended preauth_ipv4_acl
Switch(config)#exit
Switch#show access-list
*May 21 04:06:05.491: %SYS-5-CONFIG_I: Configured from console by console
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
100 deny udp any any eq domain
101 deny tcp any any eq domain
102 deny udp any eq bootps any
103 deny udp any any eq bootpc
104 deny udp any eq bootpc any
105 permit tcp any any eq www
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
Extended IP access list system-cpp-all-routers-on-subnet
10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
10 permit udp any eq bootps any eq bootpc
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#no ip access-list extended
Switch#conf t
*May 21 04:06:27.491: %SYS-5-CONFIG_I: Configured from console by console
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#no ip access-list extended CISCO-CWA-URL-REDIRECT-ACL
Switch(config)#exit
Switch#show access-list
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
Extended IP access list system-cpp-all-routers-on-subnet
10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-energywise-disc
10 permit udp any eq any eq 0
Extended IP access list system-cpp-hsrpv2
10 permit udp any host 224.0.0.102
Extended IP access list system-cpp-igmp
--More--
Any suggestions?
Thank you!
EDIT: I also discovered a related problem: even the ACL that does get deleted (the first in the list) reappears after a reload, even if I issue the `write memory` command.
05-22-2023 07:11 AM
What you set in ROMMON is only used by ROMMON.
Once the switch/router is running IOS all your config must be in the IOS running-config.
Cisco devices initiate the TFTP connection, not the server. So if the device is .250 then pumpkin must be something else. And if you're running it on Windows then make sure it's allowed on Windows firewall.
For example: copy tftp://192.168.1.251/filename.bin bootflash:
05-21-2023 12:17 AM
@florinmarian those are system ACLs and are used by other functions, such as Control Plane Policing (CPP). I don't think you can delete them; they are safe to be left.
05-21-2023 12:24 AM - edited 05-21-2023 12:24 AM
Thanks for the answer, but if this is not where the problem comes from, why can't I communicate with the management interface or the LAN I'm connected to with the reset switch?
Specifically, with the settings below set in ROMMON, the switch sees my laptop, on which I run the TFTP server (ping works), but my laptop does not recognize the IP address of the switch:
set interface fa1 192.168.1.9 255.255.255.0 192.168.1.255
set ip route default 192.168.1.1
set TftpServer 192.168.1.10
The ports GigabitEthernet1/1 and GigabitEthernet1/2 are both connected to the router of the first ISP, and GigabitEthernet1/3 to the router of the second ISP; the idea was to do load balancing.
Am I missing something?
vlan 10
name Orange
exit
vlan 20
name RCSRDS
exit
interface GigabitEthernet1/1
switchport mode access
switchport access vlan 10
exit
interface GigabitEthernet1/2
switchport mode access
switchport access vlan 10
exit
interface GigabitEthernet1/3
switchport mode access
switchport access vlan 20
exit
interface Vlan1
ip address 10.0.0.1 255.255.255.0
no shutdown
exit
interface Vlan10
description Conexiune Orange
ip address 192.168.1.2 255.255.255.0
no shutdown
exit
interface Vlan20
description Conexiune RCSRDS
ip address 192.168.2.2 255.255.255.0
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.2.1
05-21-2023 12:37 AM
@florinmarian is IP routing enabled with "ip routing"? Are the VLANs in an up state "show ip int br"?
05-21-2023 12:47 AM
Switch#show ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet1 unassigned YES unset up up
GigabitEthernet1/1 unassigned YES unset up up
GigabitEthernet1/2 unassigned YES unset up up
GigabitEthernet1/3 unassigned YES unset down down
GigabitEthernet1/4 unassigned YES unset down down
GigabitEthernet1/5 unassigned YES unset down down
GigabitEthernet1/6 unassigned YES unset down down
GigabitEthernet1/7 unassigned YES unset down down
GigabitEthernet1/8 unassigned YES unset down down
GigabitEthernet1/9 unassigned YES unset down down
GigabitEthernet1/10 unassigned YES unset down down
GigabitEthernet1/11 unassigned YES unset down down
GigabitEthernet1/12 unassigned YES unset down down
GigabitEthernet1/13 unassigned YES unset down down
GigabitEthernet1/14 unassigned YES unset down down
GigabitEthernet1/15 unassigned YES unset down down
GigabitEthernet1/16 unassigned YES unset down down
GigabitEthernet1/17 unassigned YES unset down down
GigabitEthernet1/18 unassigned YES unset down down
GigabitEthernet1/19 unassigned YES unset down down
GigabitEthernet1/20 unassigned YES unset down down
GigabitEthernet1/21 unassigned YES unset down down
GigabitEthernet1/22 unassigned YES unset down down
GigabitEthernet1/23 unassigned YES unset down down
GigabitEthernet1/24 unassigned YES unset down down
GigabitEthernet1/25 unassigned YES unset down down
GigabitEthernet1/26 unassigned YES unset down down
GigabitEthernet1/27 unassigned YES unset down down
GigabitEthernet1/28 unassigned YES unset down down
GigabitEthernet1/29 unassigned YES unset down down
GigabitEthernet1/30 unassigned YES unset down down
GigabitEthernet1/31 unassigned YES unset down down
GigabitEthernet1/32 unassigned YES unset down down
GigabitEthernet1/33 unassigned YES unset down down
GigabitEthernet1/34 unassigned YES unset down down
GigabitEthernet1/35 unassigned YES unset down down
GigabitEthernet1/36 unassigned YES unset down down
GigabitEthernet1/37 unassigned YES unset down down
GigabitEthernet1/38 unassigned YES unset down down
GigabitEthernet1/39 unassigned YES unset down down
GigabitEthernet1/40 unassigned YES unset down down
GigabitEthernet1/41 unassigned YES unset down down
GigabitEthernet1/42 unassigned YES unset down down
GigabitEthernet1/43 unassigned YES unset down down
GigabitEthernet1/44 unassigned YES unset down down
GigabitEthernet1/45 unassigned YES unset down down
GigabitEthernet1/46 unassigned YES unset down down
GigabitEthernet1/47 unassigned YES unset down down
GigabitEthernet1/48 unassigned YES unset down down
TenGigabitEthernet1/49 unassigned YES unset down down
TenGigabitEthernet1/50 unassigned YES unset down down
TenGigabitEthernet1/51 unassigned YES unset down down
TenGigabitEthernet1/52 unassigned YES unset down down
Vlan1 unassigned YES manual administratively down down
Vlan10 192.168.1.2 YES NVRAM up up
Vlan20 192.168.2.2 YES NVRAM down down
Switch#
Switch#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.1.1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Vlan10
L 192.168.1.2/32 is directly connected, Vlan10
It is fine to have 192.168.2.0/24 not in use yet, since I'm currently using just GigabitEthernet1/1-2 and Vlan10.
Thank you for your help!
05-21-2023 01:05 AM
@florinmarian ok, just to confirm... so your laptop is connected to VLAN 10 and you cannot ping the VLAN 10 SVI? And vice versa?
Can the router (192.168.1.1) connected to VLAN10 and switch (192.168.1.2) ping each other?
05-21-2023 01:07 AM
Switch: 192.168.1.2
Laptop: 192.168.1.10
Gateway: 192.168.1.1
Laptop can ping gateway
Switch can ping gateway
Laptop can't ping Switch and vice versa.
05-21-2023 01:32 AM
@florinmarian ok understood. CPP seems to be enabled on that switch, run "show policy-map control-plane" (or a variation of that command) to determine whether there are any matches. Provide the output.
05-21-2023 01:38 AM
No output..
Switch#show policy-map control-plane
Switch#
05-21-2023 01:42 AM
There are many issues here; let's solve them one by one.
First remove the ACL from under the interface,
then delete the ACL.
05-21-2023 01:48 AM
Thank you for your support!
I think there wasn't any ACL attached to those interfaces:
Switch#show ip access-lists interface GigabitEthernet1/1
Switch#show ip access-lists interface GigabitEthernet1/2
Switch#show ip access-lists interface Vlan10
Switch#show ip access-lists
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
100 deny udp any any eq domain
101 deny tcp any any eq domain
102 deny udp any eq bootps any
103 deny udp any any eq bootpc
104 deny udp any eq bootpc any
105 permit tcp any any eq www
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
Extended IP access list system-cpp-all-routers-on-subnet
10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-energywise-disc
10 permit udp any eq any eq 0
Extended IP access list system-cpp-hsrpv2
10 permit udp any host 224.0.0.102
Extended IP access list system-cpp-igmp
10 permit igmp any 224.0.0.0 31.255.255.255
Extended IP access list system-cpp-ip-mcast-linklocal
10 permit ip any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ospf
10 permit ospf any any
Extended IP access list system-cpp-pim
10 permit pim any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ripv2
10 permit ip any host 224.0.0.9
05-21-2023 01:57 AM - edited 05-21-2023 01:57 AM
The redirect ACL and the preauth ACL are used by dot1x,
so
no dot1x system-auth-control
then delete the ACL.
NOTE: check the other interfaces to see if any of them use the ACL; I see only two ports.
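The replies above split the leftover lists into three kinds: system-cpp lists owned by Control Plane Policing, the preauth/CWA lists that dot1x and web-auth create, and ordinary user-defined ACLs. The helper below is an added example (not code from the thread or from Cisco) that parses a `show access-list` dump and sorts each ACL into those groups so a second-hand switch can be audited for genuine leftovers; the sample text is a constructed excerpt of the output posted above, and the `MGMT-IN` list in it is an invented user-defined ACL.

```python
import re

# Constructed excerpt of the "show access-list" output from the thread,
# plus one made-up user-defined ACL ("MGMT-IN") to show the third group.
SAMPLE_OUTPUT = """\
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
    100 deny udp any any eq domain
    105 permit tcp any any eq www
Extended IP access list preauth_ipv4_acl (per-user)
    10 permit udp any any eq domain
    60 deny ip any any
Extended IP access list system-cpp-dhcp-cs
    10 permit udp any eq bootpc any eq bootps
IPv6 access list preauth_ipv6_acl (per-user)
    permit udp any any eq domain sequence 10
    deny ipv6 any any sequence 100
Extended MAC access list system-cpp-cdp
    permit any host 0100.0ccc.cccc
Extended IP access list MGMT-IN
    10 permit tcp 10.0.0.0 0.0.0.255 any eq 22
"""

# Header lines name the list; the name may contain spaces (see "DHCP Sever"
# on the switch), so match it non-greedily up to an optional "(per-user)" tag.
HEADER = re.compile(
    r"^(?P<kind>Extended IP|IPv6|Extended MAC|Standard IP) access list "
    r"(?P<name>.+?)(?P<peruser> \(per-user\))?$"
)

def parse_access_lists(text):
    """Return {name: {"kind", "per_user", "entries"}} from show output."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--More--"):  # skip pager prompts
            continue
        m = HEADER.match(line)
        if m:
            current = m.group("name")
            acls[current] = {"kind": m.group("kind"),
                             "per_user": m.group("peruser") is not None,
                             "entries": []}
        elif current is not None:
            acls[current]["entries"].append(line)
    return acls

def classify(name, acl):
    """Label an ACL by its likely owner, using the naming seen on the switch."""
    if name.startswith("system-cpp-"):
        return "system-cpp"        # owned by Control Plane Policing; not removable
    if acl["per_user"] or name.startswith("preauth_") or "CWA" in name:
        return "dot1x"             # remove the dot1x/web-auth config first
    return "user"                  # a real leftover; delete with "no ... access-list"

def audit(text):
    return {name: classify(name, acl) for name, acl in parse_access_lists(text).items()}
```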
05-21-2023 02:07 AM
Just two ports are used currently.
I tried the above command and then to delete ACL but the ACL will just stay, no error or change when I check the output before/after ACL deletion.
05-21-2023 02:10 AM
remove all dot1x in global and interface
05-21-2023 03:17 AM - edited 05-21-2023 03:18 AM
Hi
Did you try performing a device wipe?
conf t
write erase
reload
Don't save the config if it asks.
About the connectivity issue: if you run show ip arp vlan 10,
do you see the laptop's MAC address?