10-14-2013 07:25 AM - last edited on 03-25-2019 04:26 PM by ciscomoderator
hi guys,
I have a ghost story to share. I had configured some access lists on my 3560 switch, and after testing everything was working fine. Then I powered off the switch after saving the config. Today when I powered it back on, I saw two new access lists created: preauth_ipv4_acl (per-user) and preauth_ipv6_acl (per-user). The funny thing is that I can see them only in the sh access-lists command and not in the running config or startup config!! That sounds funny because I was in my lab all night and nobody was here other than me. Did the switch do something by itself?
10-14-2013 07:33 AM
Hi,
Are you doing any kind of 802.1x on your switch ?
Regards
Alain
Don't forget to rate helpful posts.
10-14-2013 07:56 AM
Alain, hi again,
I have not set up the switch for any kind of 802.1x authentication. I am pasting the config:
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname IBLOCK-CORE
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
authentication mac-move permit
ip routing
!
!
ip device tracking
!
!
crypto pki trustpoint TP-self-signed-2184049536
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2184049536
revocation-check none
rsakeypair TP-self-signed-2184049536
!
!
crypto pki certificate chain TP-self-signed-2184049536
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 6
switchport mode access
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
switchport access vlan 12
switchport mode access
ip access-group 103 in
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
no switchport
ip address 192.168.0.1 255.255.255.252
!
interface GigabitEthernet0/24
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-12
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 172.20.0.1 255.255.255.0
ip access-group 100 in
ip helper-address 172.20.1.5
!
interface Vlan3
ip address 172.20.1.1 255.255.255.128
ip helper-address 172.20.1.5
!
interface Vlan4
ip address 172.20.1.129 255.255.255.128
!
interface Vlan5
ip address 172.20.2.1 255.255.255.128
!
interface Vlan6
ip address 172.20.2.129 255.255.255.128
ip access-group 101 in
ip helper-address 172.20.1.5
!
interface Vlan7
ip address 172.20.3.1 255.255.255.128
!
interface Vlan8
ip address 172.20.3.129 255.255.255.128
!
interface Vlan9
ip address 172.20.4.1 255.255.255.128
ip access-group 102 in
!
interface Vlan10
ip address 172.20.4.129 255.255.255.128
!
interface Vlan11
ip address 172.20.5.1 255.255.255.0
!
interface Vlan12
ip address 172.20.6.1 255.255.255.128
ip access-group 103 in
ip helper-address 172.20.1.5
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.0.2
!
!
ip sla enable reaction-alerts
access-list 100 permit ip any 172.20.1.0 0.0.0.127
access-list 100 permit ip host 0.0.0.0 host 255.255.255.255
access-list 100 permit ip any host 172.20.0.1
access-list 100 deny ip any any
access-list 101 permit ip any 172.20.1.0 0.0.0.127
access-list 101 permit udp any eq bootpc any
access-list 101 permit udp any eq bootps any
access-list 101 permit ip host 0.0.0.0 host 255.255.255.255
access-list 101 permit ip any host 172.20.2.129
access-list 101 deny ip any any
access-list 102 permit ip any 172.20.4.0 0.0.0.127
access-list 102 deny ip any any
access-list 103 permit ip host 0.0.0.0 host 255.255.255.255
access-list 103 permit ip any any
!
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
end
But when I do sh access-lists, it shows all the ACLs that are above in the config, and it also shows:
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
IPv6 access list preauth_ipv6_acl (per-user)
permit udp any any eq domain sequence 10
permit tcp any any eq domain sequence 20
permit icmp any any nd-ns sequence 30
permit icmp any any nd-na sequence 40
permit icmp any any router-solicitation sequence 50
permit icmp any any router-advertisement sequence 60
permit icmp any any redirect sequence 70
permit udp any eq 547 any eq 546 sequence 80
permit udp any eq 546 any eq 547 sequence 90
deny ipv6 any any sequence 100
10-14-2013 11:59 AM
Has anyone come across this before? Has it something to do with the ip helper?!
10-14-2013 09:00 PM
Perhaps related to
authentication mac-move permit???
10-14-2013 09:55 PM
Anirudh,
This appears to me to be a cosmetic bug - you are using some very recent IOS according to the version number, and that IOS obviously uses some hardwired internal ACLs for its own internal purposes. These internal ACLs are most probably not properly hidden and accidentally show up in the show access-lists command output. There has been a similar cosmetic glitch on some older 800 series routers a few years ago.
If you have a support contract with Cisco then I suggest reporting this but otherwise, I would not be worried about it.
Best regards,
Peter
10-15-2013 01:13 PM
hi peter,
I contacted Cisco support, but they are saying that it's not a bug. Still, they wanted to analyze the sh tech output, so I have mailed it to them anyway. Let's wait and see what it is. They are thinking that I created these, but I am sure that I am the only person here and nobody has access. And of course I never did that!!
10-15-2013 01:23 PM
Hi Anirudh,
Well - they say it's not a bug only because they haven't found it yet in their database. Seriously, though, ACLs that are visible in show access-list but not in running-config are either dynamically learned (often via AAA, as Alain originally suggested) or they are hardwired into IOS for internal purposes, and in that case they should not be visible at all.
Let's see what the TAC has to say after they analyze your configuration. Please keep us posted!
Best regards,
Peter
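The distinction Peter draws above (an ACL the box reports in show access-lists but that is nowhere in show running-config is either pushed dynamically or built into the image) is worth checking mechanically on any switch you inherit, since a per-user or downloadable ACL that nobody remembers configuring is exactly what an AAA misconfiguration or an unexpected 802.1X/web-auth policy looks like. The script below is an added example, not code from this thread or from Cisco: it parses the two outputs, reports every ACL missing from the config, and summarises what each one permits. The sample texts are constructed from the output and config posted in the thread (ACL 100 is rendered the way IOS prints a numbered ACL; the match counters are made up), and the regexes cover only the IOS line formats that appear on this page.

```python
"""Flag ACLs that a Cisco IOS switch lists in 'show access-lists' but that do not
appear in 'show running-config'. Such ACLs are either pushed dynamically (AAA,
802.1X or web-auth per-user / downloadable ACLs) or built into the image.
Added example; sample inputs are constructed from the thread, not captured live.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the preauth ACLs as posted in the thread, plus ACL 100
# rendered the way IOS prints a numbered ACL (match counters are invented).
SHOW_ACCESS_LISTS = """\
Extended IP access list 100
    10 permit ip any 172.20.1.0 0.0.0.127 (12 matches)
    20 permit ip host 0.0.0.0 host 255.255.255.255
    30 permit ip any host 172.20.0.1
    40 deny ip any any
Extended IP access list preauth_ipv4_acl (per-user)
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 permit udp any eq bootps any
    40 permit udp any any eq bootpc
    50 permit udp any eq bootpc any
    60 deny ip any any
IPv6 access list preauth_ipv6_acl (per-user)
    permit udp any any eq domain sequence 10
    permit tcp any any eq domain sequence 20
    permit icmp any any nd-ns sequence 30
    permit icmp any any nd-na sequence 40
    permit icmp any any router-solicitation sequence 50
    permit icmp any any router-advertisement sequence 60
    permit icmp any any redirect sequence 70
    permit udp any eq 547 any eq 546 sequence 80
    permit udp any eq 546 any eq 547 sequence 90
    deny ipv6 any any sequence 100
"""

# Constructed sample: the ACL-relevant lines of the poster's running-config.
# 'access-list dynamic-extended' is a global knob, not an ACL, and must not count.
RUNNING_CONFIG = """\
access-list 100 permit ip any 172.20.1.0 0.0.0.127
access-list 100 permit ip host 0.0.0.0 host 255.255.255.255
access-list 100 permit ip any host 172.20.0.1
access-list 100 deny ip any any
access-list dynamic-extended
"""

HEADER_RE = re.compile(r"^(?:Extended IP|Standard IP|IPv6) access list (\S+)(\s*\(per-user\))?\s*$")
# IPv4 entries lead with a sequence number; IPv6 entries trail with 'sequence N'.
# Leading whitespace is optional because forum pastes often strip the indentation.
IPV4_ENTRY_RE = re.compile(r"^\s*(\d+) (permit|deny) (.*?)(?: \(\d+ matches?\))?\s*$")
IPV6_ENTRY_RE = re.compile(r"^\s*(permit|deny) (.*?) sequence (\d+)\s*$")
CONFIG_ACL_RE = re.compile(
    r"^(?:access-list (\d+) (?:permit|deny|remark)"
    r"|ip access-list (?:standard|extended) (\S+)"
    r"|ipv6 access-list (\S+))")


@dataclass
class Acl:
    name: str
    per_user: bool
    entries: list = field(default_factory=list)  # (sequence, action, match text)


def parse_show_access_lists(text):
    """Turn 'show access-lists' output into Acl objects with ordered entries."""
    acls = []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            acls.append(Acl(h.group(1), h.group(2) is not None))
            continue
        if not acls:
            continue
        m = IPV4_ENTRY_RE.match(line)
        if m:
            acls[-1].entries.append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = IPV6_ENTRY_RE.match(line)
        if m:
            acls[-1].entries.append((int(m.group(3)), m.group(1), m.group(2)))
    return acls


def configured_acl_names(running_config):
    """Names/numbers of every ACL the running-config actually defines."""
    names = set()
    for line in running_config.splitlines():
        m = CONFIG_ACL_RE.match(line)
        if m:
            names.add(next(g for g in m.groups() if g))
    return names


def unconfigured_acls(show_text, running_config):
    """ACLs present on the box but absent from the config: dynamic or built-in."""
    known = configured_acl_names(running_config)
    return [a for a in parse_show_access_lists(show_text) if a.name not in known]


# Keyword-to-service labels for the match syntax that appears in the thread.
SERVICE_HINTS = {
    "eq domain": "DNS", "eq bootps": "DHCP", "eq bootpc": "DHCP",
    "eq 547": "DHCPv6", "eq 546": "DHCPv6", "nd-ns": "IPv6 ND", "nd-na": "IPv6 ND",
    "router-solicitation": "IPv6 RS/RA", "router-advertisement": "IPv6 RS/RA",
    "redirect": "ICMPv6 redirect",
}


def permitted_services(acl):
    """Name the services an ACL lets through; unrecognised matches are kept raw."""
    services = set()
    for _, action, match in acl.entries:
        if action != "permit":
            continue
        hits = {label for token, label in SERVICE_HINTS.items() if token in match}
        services |= hits or {match}
    return services


def final_action(acl):
    """What the ACL does to traffic that matched nothing above (implicit deny if empty)."""
    return acl.entries[-1][1] if acl.entries else "deny"


if __name__ == "__main__":
    for acl in unconfigured_acls(SHOW_ACCESS_LISTS, RUNNING_CONFIG):
        kind = "per-user" if acl.per_user else "not in config"
        print(f"{acl.name} [{kind}]: permits {sorted(permitted_services(acl))}, "
              f"then {final_action(acl)}")
```

On the thread's own data this reports only the two preauth ACLs, both tagged per-user, each permitting DNS and DHCP (plus neighbour discovery, RS/RA and DHCPv6 on the IPv6 side) and then denying everything else, which is the profile of a pre-authentication ACL rather than of anything an operator wrote by hand. A name that shows up here without a per-user tag, or a per-user ACL whose permits go beyond bootstrap traffic, is the case worth chasing through the AAA and 802.1X configuration before accepting "the switch did it" as the answer.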
10-16-2013 03:22 AM
Hi,
Do you have an ACS in your LAN environment? It could be that downloadable ACL was enabled.
Sent from Cisco Technical Support iPhone App
10-24-2015 12:01 AM
VITCCCORENEW#sh ip access-lists
Extended IP access list WEBSENSE
60 deny ip host 172.16.49.4 any (7665 matches)
70 deny ip host 172.16.49.10 any
80 deny ip host 172.16.49.80 any (26790 matches)
81 deny ip host 172.16.17.218 any
110 deny ip 172.16.5.0 0.0.0.255 any (72390 matches)
111 deny ip 172.16.40.0 0.0.3.255 any (16537 matches)
120 deny ip 172.16.68.0 0.0.1.255 any (62959 matches)
130 permit tcp 172.16.0.0 0.0.255.255 any eq www (268 matches)
140 permit tcp 172.16.0.0 0.0.255.255 any eq 443 (2306 matches)
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
Hi Peter,
I also found the same problem,
so we are facing a problem of very high CPU utilization.
Please give any solution.
10-17-2017 01:42 PM
These are ACLs created by default but not applied by default to any interface.
They should be used, for example, to protect the control plane.
This is my opinion, but I'm not 100% sure.
01-10-2018 12:26 AM
Hi,
Cisco 3560 switches support many types of ACLs (port ACL, extended ACL and VLAN ACL, which controls data bridged from and to the same VLANs on the device). As far as I know, the (sh ip access-list) command shows access lists that are configured manually on the device, while (sh access-list) shows all access lists that the device needs to work.
In addition to that there is (sh ipv6 access-list) and (sh ipx access-list).
Hope that could help.
03-02-2022 07:25 AM
A week before, we got a new Cisco Catalyst 1000. While configuring it I found the same ACLs, and I cannot ping any device on this VLAN, nor print, but internet is working for the devices.
03-02-2022 09:36 AM
As others have stated these access lists are generated by the switch itself and not the result of your configuration statements. So they do not show up in the output of show run. But they do show up in the output of show access-list. I am not clear what they are doing but am confident that they are not the cause of your problem with ping or with print. Are you doing anything like private vlan in your config? Perhaps posting your config (with disguise of any passwords or Public IP) might provide some insight?
03-03-2022 02:57 AM
Actually my core switch is a Juniper 4600, where all the VLANs are configured, and I am using Juniper 2300s as access switches.
I have started replacing the access layer (Juniper 2300) switches with Cisco Catalyst 1000. This is the first deployment.
My config:
L2#sh running-config
Building configuration...
Current configuration : 6015 bytes
!
! Last configuration change at 09:42:21 UTC Wed Mar 2 2022
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname T-650-L21
!
boot-start-marker
boot-end-marker
!
enable password xxxxxxx
!
no aaa new-model
switch 1 provision c1000-24t-4x-l
system mtu routing 1500
ip routing
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1889645696
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1889645696
revocation-check none
rsakeypair TP-self-signed-1889645696
!
!
crypto pki certificate chain TP-self-signed-1889645696
certificate self-signed 01
058377D3065E4 48BE4ECE 1FCF74B4 C51947
quit
!
spanning-tree mode mst
spanning-tree portfast edge default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet1/0/1
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/2
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/3
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/4
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/5
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/6
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/7
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/8
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/9
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/10
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/11
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/12
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/13
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/14
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/15
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/16
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/17
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/18
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/19
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/20
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/21
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/22
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/23
switchport access vlan 700
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/24
switchport access vlan 700
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface TenGigabitEthernet1/0/1
switchport trunk allowed vlan 1,110,700
switchport mode trunk
spanning-tree portfast edge
!
interface TenGigabitEthernet1/0/2
switchport mode trunk
spanning-tree portfast edge
!
interface TenGigabitEthernet1/0/3
switchport trunk allowed vlan 1,110,700
switchport mode trunk
spanning-tree portfast edge
!
interface TenGigabitEthernet1/0/4
switchport trunk allowed vlan 1,110,700
switchport mode trunk
spanning-tree portfast edge
!
interface Vlan1
ip address x.x.x.x 255.255.0.0
!
interface Vlan110
description 110
ip address x.x.x.x 255.255.0.0
!
interface Vlan700
description 700-test
no ip address
!
ip default-gateway my l3 switch
ip http server
ip http banner
ip http secure-server
!
access-list dynamic-extended
!
!
!