Cannot delete ACL

florinmarian
Level 1

Hello!
I recently purchased a CISCO WS-C4948E switch and it was not completely cleaned before the sale and I have some ACLs that I cannot delete.
This is the list of ACLs:

Switch#show access-list
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
100 deny udp any any eq domain
101 deny tcp any any eq domain
102 deny udp any eq bootps any
103 deny udp any any eq bootpc
104 deny udp any eq bootpc any
105 permit tcp any any eq www
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
Extended IP access list system-cpp-all-routers-on-subnet
10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-energywise-disc
10 permit udp any eq any eq 0
--More--
Translating "pool.ntp.org"...domain server (255.25Extended IP access list system-cpp-hsrpv2
--More-- [OK] 10 permit udp any host 224.0.0.102
Extended IP access list system-cpp-igmp
10 permit igmp any 224.0.0.0 31.255.255.255
Extended IP access list system-cpp-ip-mcast-linklocal
10 permit ip any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ospf
10 permit ospf any any
Extended IP access list system-cpp-pim
10 permit pim any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ripv2
10 permit ip any host 224.0.0.9
IPv6 access list DHCP Sever
permit udp any eq 546 any eq 547 sequence 10
permit udp any eq 547 any eq 546 sequence 20
IPv6 access list preauth_ipv6_acl (per-user)
permit udp any any eq domain sequence 10
permit tcp any any eq domain sequence 20
permit icmp any any nd-ns sequence 30
permit icmp any any nd-na sequence 40
permit icmp any any router-solicitation sequence 50
permit icmp any any router-advertisement sequence 60
permit icmp any any redirect sequence 70
permit udp any eq 547 any eq 546 sequence 80
permit udp any eq 546 any eq 547 sequence 90
deny ipv6 any any sequence 100
IPv6 access list system-cpp-dhcpv6-cs
permit udp any eq 546 any eq 547 sequence 10
IPv6 access list system-cpp-dhcpv6-sc
permit udp any eq 547 any eq 546 sequence 10
IPv6 access list system-cpp-icmpv6-na
permit icmp any any nd-na sequence 10
IPv6 access list system-cpp-icmpv6-ns
permit icmp any any nd-ns sequence 10
IPv6 access list system-cpp-icmpv6-ra
permit icmp any any router-advertisement sequence 10
IPv6 access list system-cpp-icmpv6-rr
permit icmp any any redirect sequence 10
IPv6 access list system-cpp-icmpv6-rs
permit icmp any any router-solicitation sequence 10
Extended MAC access list system-cpp-bpdu-range
permit any 0180.c200.0000 0000.0000.0003
Extended MAC access list system-cpp-cdp
permit any host 0100.0ccc.cccc
Extended MAC access list system-cpp-dot1x
permit any any 0x888E
Extended MAC access list system-cpp-mcast-cfm
permit any 0180.c200.0030 0000.0000.000f
Extended MAC access list system-cpp-sstp
permit any host 0100.0ccc.cccd
Extended MAC access list system-cpp-ucast-cfm
permit any host c471.fe8c.7d3d

I can successfully delete the first ACL, but any other I try to delete, I can't. Although I get no response when I issue the command, the ACLs remain there.

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#no ip access-list extended preauth_ipv4_acl
Switch(config)#exit
Switch#show access-list
*May 21 04:06:05.491: %SYS-5-CONFIG_I: Configured from console by console
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
100 deny udp any any eq domain
101 deny tcp any any eq domain
102 deny udp any eq bootps any
103 deny udp any any eq bootpc
104 deny udp any eq bootpc any
105 permit tcp any any eq www
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
Extended IP access list system-cpp-all-routers-on-subnet
10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
10 permit udp any eq bootps any eq bootpc

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#no ip access-list extended
Switch#conf
*May 21 04:06:27.491: %SYS-5-CONFIG_I: Configured from console by console t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#no ip access-list extended CISCO-CWA-URL-REDIRECT-ACL
Switch(config)#exit
Switch#show access-list
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
Extended IP access list system-cpp-all-routers-on-subnet
10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-energywise-disc
10 permit udp any eq any eq 0
Extended IP access list system-cpp-hsrpv2
10 permit udp any host 224.0.0.102
Extended IP access list system-cpp-igmp
--More--
Any suggestions?
Thank you!

EDIT: I also discovered a related problem: even the ACL that does get deleted (the first in the list) reappears after a reload, even though I issue the `write memory` command.
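As an added example that is not part of the original post, here is a small Python parser for the `show access-list` output pasted above. It inventories each ACL (IP, IPv6 and MAC), skips the `--More--` pager lines, and labels each one so that a cleanup of a second-hand switch knows what to expect. The labelling rule is an assumption: names beginning with `system-cpp-` are treated as the platform's control-plane policing ACLs, and the `(per-user)` tag as a session-bound ACL; everything else is treated as an ordinary configured ACL.

```python
import re

# Constructed excerpt modelled on the `show access-list` output in the post.
SAMPLE = """\
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
100 deny udp any any eq domain
105 permit tcp any any eq www
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
60 deny ip any any
Extended IP access list system-cpp-all-routers-on-subnet
10 permit ip any host 224.0.0.2
--More--
IPv6 access list DHCP Sever
permit udp any eq 546 any eq 547 sequence 10
IPv6 access list preauth_ipv6_acl (per-user)
deny ipv6 any any sequence 100
Extended MAC access list system-cpp-cdp
permit any host 0100.0ccc.cccc
"""

# Header line: optional "Extended", the ACL family, a name (may contain spaces), optional tag.
HEADER = re.compile(r"^(?:Extended )?(IP|IPv6|MAC) access list (.+?)(?: \((per-user)\))?$")

def parse_access_lists(text):
    """Return {name: {"type": "IP"|"IPv6"|"MAC", "per_user": bool, "entries": [...]}}."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("--More--"):   # pager prompt, not ACL content
            continue
        m = HEADER.match(line)
        if m:
            current = {"type": m.group(1), "per_user": m.group(3) is not None, "entries": []}
            acls[m.group(2)] = current
        elif current is not None:                      # an ACE belonging to the current ACL
            current["entries"].append(line)
    return acls

def classify(name, acl):
    """Heuristic origin label (assumption, see lead-in)."""
    if name.startswith("system-cpp-"):
        return "system"        # platform control-plane policing ACL, not user configuration
    if acl["per_user"]:
        return "session"       # tagged (per-user): bound to a session rather than plain config
    return "configured"        # ordinary named ACL that `no ip access-list ...` should remove

def leftover_report(text):
    """Map every ACL name in the output to its origin label."""
    return {name: classify(name, acl) for name, acl in parse_access_lists(text).items()}
```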


Thank you, guys!

I managed to solve the problem with recognizing the devices on Vlan1. The solution was to call the ISP because I don't have full access to the management of the router. At their level, they had blocked the recognition between devices, but now I continue to face this problem on the management interface.
Laptop IP: 192.168.1.10
Management IP: 192.168.1.3
Gateway: 192.168.1.1

Both from the laptop and the switch I can ping the gateway, but the connection does not work either from the laptop to the switch or vice versa.

It is vlan 10, right?

Can you see ARP on this VLAN for the laptop?

show ip arp vlan 10?

All on the same subnet, the traffic never hits the GW.
This traffic needs L2 connectivity, not L3.
Make sure you assign the correct VLAN to the port.

And sure, the CoPP can drop this connection.

Ping with 100 repeats and check.

show policy-map interface control <<- see which ACL drops the connection

I just discovered that things work differently from how I interpreted them.
I had configured the IP address in rommon as follows:

MAC Address: c4-71-fe-8c-7d-3f
IP Address: 192.168.1.3
Netmask: 255.255.255.0
Gateway: 192.168.1.1

TftpServer : 192.168.1.10

However, the ping did not work, so I let the server boot normally, and what I saw was that it had obtained the IP address 192.168.1.38 through DHCP.

I configured the interface with the ip 192.168.1.250 and now everything works normally on the ping side.
Interface IP-Address OK? Method Status Protocol
FastEthernet1 192.168.1.250 YES manual up up
GigabitEthernet1/1 unassigned YES unset up up
GigabitEthernet1/2 unassigned YES unset up up
What I would like to do now is to send via PumpKin (TFTP) a new firmware version, but pumpkin fails to connect to 192.168.1.250 even if the ping works.
Are there any additional settings that need to be made?

What you set in ROMMON is only used by ROMMON.
Once the switch/router is running IOS all your config must be in the IOS running-config.

Cisco devices initiate the TFTP connection, not the server. So if the device is .250 then PumpKin must be something else. And if you're running it on Windows then make sure it's allowed on the Windows firewall.
For example: copy tftp://192.168.1.251/filename.bin bootflash:
