
weird acls showing up

anirudh.wna
Beginner

Hi guys,

I have a ghost story to share. I had configured some access lists in my 3560 switch and after testing everything was working fine. Then I powered off the switch after saving the config. Today when I powered it back on, I saw two new access lists created: preauth_ipv4_acl (per user) and preauth_ipv6_acl (per user). And the funny thing is that I can see them only in the sh access-lists cmd and not in the running config or startup config!! That sounds funny coz I was in my lab all night and nobody was here other than me. Did the switch do something by itself?


cadet alain
Mentor

Hi,

Are you doing any kind of 802.1x on your switch ?

Regards

Alain

Don't forget to rate helpful posts.

Alain, hi again,

I have not set up the switch for any kind of 802.1x authentication. I am pasting the config:

version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname IBLOCK-CORE
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
authentication mac-move permit
ip routing
!
!
ip device tracking
!
!
crypto pki trustpoint TP-self-signed-2184049536
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2184049536
revocation-check none
rsakeypair TP-self-signed-2184049536
!
!
crypto pki certificate chain TP-self-signed-2184049536
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 6
switchport mode access
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
switchport access vlan 12
switchport mode access
ip access-group 103 in
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
no switchport
ip address 192.168.0.1 255.255.255.252
!
interface GigabitEthernet0/24
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-12
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 172.20.0.1 255.255.255.0
ip access-group 100 in
ip helper-address 172.20.1.5
!
interface Vlan3
ip address 172.20.1.1 255.255.255.128
ip helper-address 172.20.1.5
!
interface Vlan4
ip address 172.20.1.129 255.255.255.128
!
interface Vlan5
ip address 172.20.2.1 255.255.255.128
!
interface Vlan6
ip address 172.20.2.129 255.255.255.128
ip access-group 101 in
ip helper-address 172.20.1.5
!
interface Vlan7
ip address 172.20.3.1 255.255.255.128
!
interface Vlan8
ip address 172.20.3.129 255.255.255.128
!
interface Vlan9
ip address 172.20.4.1 255.255.255.128
ip access-group 102 in
!
interface Vlan10
ip address 172.20.4.129 255.255.255.128
!
interface Vlan11
ip address 172.20.5.1 255.255.255.0
!
interface Vlan12
ip address 172.20.6.1 255.255.255.128
ip access-group 103 in
ip helper-address 172.20.1.5
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.0.2
!
!
ip sla enable reaction-alerts
access-list 100 permit ip any 172.20.1.0 0.0.0.127
access-list 100 permit ip host 0.0.0.0 host 255.255.255.255
access-list 100 permit ip any host 172.20.0.1
access-list 100 deny   ip any any
access-list 101 permit ip any 172.20.1.0 0.0.0.127
access-list 101 permit udp any eq bootpc any
access-list 101 permit udp any eq bootps any
access-list 101 permit ip host 0.0.0.0 host 255.255.255.255
access-list 101 permit ip any host 172.20.2.129
access-list 101 deny   ip any any
access-list 102 permit ip any 172.20.4.0 0.0.0.127
access-list 102 deny   ip any any
access-list 103 permit ip host 0.0.0.0 host 255.255.255.255
access-list 103 permit ip any any
!
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
end

But when I do sh access-lists, it shows all the ACLs that are above in the config, and also it shows:

Extended IP access list preauth_ipv4_acl (per-user)
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 permit udp any eq bootps any
    40 permit udp any any eq bootpc
    50 permit udp any eq bootpc any
    60 deny ip any any
IPv6 access list preauth_ipv6_acl (per-user)
    permit udp any any eq domain sequence 10
    permit tcp any any eq domain sequence 20
    permit icmp any any nd-ns sequence 30
    permit icmp any any nd-na sequence 40
    permit icmp any any router-solicitation sequence 50
    permit icmp any any router-advertisement sequence 60
    permit icmp any any redirect sequence 70
    permit udp any eq 547 any eq 546 sequence 80
    permit udp any eq 546 any eq 547 sequence 90
    deny ipv6 any any sequence 100

Has anyone come across this before? Has it something to do with the ip helper!!!

Terryn Barbarich
Beginner

Perhaps related to

authentication mac-move permit???

Peter Paluch
Hall of Fame Cisco Employee

Anirudh,

This appears to me to be a cosmetical bug - you are using some very recent IOS according to the version number, and that IOS obviously uses some hardwired internal ACLs for its own internal purposes. These internal ACLs are most probably not properly hidden and accidentally show up in the show access-lists command output. There has been a similar cosmetical glitch on some older 800 series routers a few years ago.

If you have a support contract with Cisco then I suggest reporting this but otherwise, I would not be worried about it.

Best regards,

Peter

Hi Peter,

I contacted Cisco support, but they are saying that it's not a bug. Still, they wanted to analyze the sh tech output, so I have anyway mailed it to them. Let's wait and see what it is. They are thinking that I created these, but I am sure that I am the only person here and nobody has access. And of course I never did that!!

Peter Paluch
Hall of Fame Cisco Employee

Hi Anirudh,

Well - they say it's not a bug only because they haven't found it yet in their database. Seriously, though, ACLs that are visible in show access-list but not in running-config are either dynamically learned (often via AAA as Alain originally suggested) or they are hardwired into IOS for internal purposes, and in that case, they should not be visible at all.

Let's see what the TAC has to say after they analyze your configuration. Please keep us posted!

Best regards,

Peter
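An added check (not code from the thread or from Cisco) that does what Peter describes: it compares the ACL names in "show access-lists" with those declared in the running-config and reports the ones that exist only at runtime, keeping the "(per-user)" tag so the built-in preauth lists can be told apart from an untagged ACL that nobody configured. The sample outputs are constructed from the ones pasted above; the two regexes are my assumptions about the IOS formats.

```python
import re

# Constructed samples modelled on the outputs pasted in this thread.
RUNNING_CONFIG = """\
access-list 100 permit ip any 172.20.1.0 0.0.0.127
access-list 100 deny   ip any any
ip access-list extended WEBSENSE
 deny ip host 172.16.49.4 any
"""

SHOW_ACCESS_LISTS = """\
Extended IP access list 100
    10 permit ip any 172.20.1.0 0.0.0.127
    20 deny ip any any
Extended IP access list WEBSENSE
    10 deny ip host 172.16.49.4 any
Extended IP access list preauth_ipv4_acl (per-user)
    10 permit udp any any eq domain
    60 deny ip any any
IPv6 access list preauth_ipv6_acl (per-user)
    permit udp any any eq domain sequence 10
    deny ipv6 any any sequence 100
"""

# Numbered ACLs ("access-list 100 ...") and named ones ("ip access-list extended X",
# "ipv6 access-list X"); both forms are what running-config prints.
CONFIG_ACL = re.compile(
    r"^(?:access-list (\S+)|ip(?:v6)? access-list (?:\w+ )?(\S+))", re.M)
# Header line of each list in "show access-lists"; IOS appends "(per-user)"
# to lists it created itself or learned dynamically.
SHOW_HEADER = re.compile(
    r"^(?:Extended |Standard )?IP(?:v6)? access list (\S+)( \(per-user\))?", re.M)

def configured_acls(config: str) -> set[str]:
    """Names/numbers of ACLs that originate from configuration statements."""
    return {num or name for num, name in CONFIG_ACL.findall(config)}

def shown_acls(show_output: str) -> dict[str, bool]:
    """ACL name -> True when IOS tagged it (per-user)."""
    return {name: bool(tag) for name, tag in SHOW_HEADER.findall(show_output)}

def unconfigured_acls(config: str, show_output: str) -> dict[str, bool]:
    """ACLs present in 'show access-lists' but absent from running-config.

    A per-user entry is what this thread describes; an untagged entry here
    would be worth a closer look, since nothing in the config explains it."""
    cfg = configured_acls(config)
    return {n: per_user for n, per_user in shown_acls(show_output).items()
            if n not in cfg}

if __name__ == "__main__":
    for name, per_user in unconfigured_acls(RUNNING_CONFIG, SHOW_ACCESS_LISTS).items():
        print(f"{name}: {'per-user (built-in/dynamic)' if per_user else 'UNEXPLAINED'}")
```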

Hi,

Do you have an ACS in your LAN environment? It could be that downloadable ACL was enabled.

Sent from Cisco Technical Support iPhone App

sivagnanam1986
Beginner

VITCCCORENEW#sh ip access-lists
Extended IP access list WEBSENSE
    60 deny ip host 172.16.49.4 any (7665 matches)
    70 deny ip host 172.16.49.10 any
    80 deny ip host 172.16.49.80 any (26790 matches)
    81 deny ip host 172.16.17.218 any
    110 deny ip 172.16.5.0 0.0.0.255 any (72390 matches)
    111 deny ip 172.16.40.0 0.0.3.255 any (16537 matches)
    120 deny ip 172.16.68.0 0.0.1.255 any (62959 matches)
    130 permit tcp 172.16.0.0 0.0.255.255 any eq www (268 matches)
    140 permit tcp 172.16.0.0 0.0.255.255 any eq 443 (2306 matches)
Extended IP access list preauth_ipv4_acl (per-user)
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 permit udp any eq bootps any
    40 permit udp any any eq bootpc
    50 permit udp any eq bootpc any
    60 deny ip any any

Hi Peter,

I also found the same problem, so we are facing the problem of very high CPU utilization.

Please give any solution.

These are ACLs created by default but not applied by default to any interface.

They should be used, for example, to protect the control plane.

This is my opinion, but I'm not 100% sure.

saif musa
Enthusiast

Hi,

Cisco 3560 switches support many types of ACLs (port ACL, extended ACL and VLAN ACL, which controls data bridged from and to the same VLANs on the device). As far as I know, the (sh ip access-list) command shows access lists that are configured manually on the device, while (sh access-list) shows all access lists that the device needs to work.

In addition to that there are (sh ipv6 access-list) and (sh ipx access-list).

Hope that could help

rabbanisyed
Beginner

A week before we got a new Cisco Catalyst 1000; while configuring it I found the same ACLs, and I cannot ping any device on this VLAN, nor print, but internet is working for the devices.

As others have stated these access lists are generated by the switch itself and not the result of your configuration statements. So they do not show up in the output of show run. But they do show up in the output of show access-list. I am not clear what they are doing but am confident that they are not the cause of your problem with ping or with print. Are you doing anything like private vlan in your config? Perhaps posting your config (with disguise of any passwords or Public IP) might provide some insight?

HTH

Rick

Actually my core switch is a Juniper 4600 where all the VLANs are configured, and I am using Juniper 2300 as access switches.

I have started replacing the access layer (juniper2003) switches with Cisco Catalyst 1000. This is the first deployment.

My config:

L2#sh running-config
Building configuration...

Current configuration : 6015 bytes
!
! Last configuration change at 09:42:21 UTC Wed Mar 2 2022
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname T-650-L21
!
boot-start-marker
boot-end-marker
!
enable password xxxxxxx
!
no aaa new-model
switch 1 provision c1000-24t-4x-l
system mtu routing 1500
ip routing
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1889645696
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1889645696
revocation-check none
rsakeypair TP-self-signed-1889645696
!
!
crypto pki certificate chain TP-self-signed-1889645696
certificate self-signed 01
 058377D3065E4 48BE4ECE 1FCF74B4 C51947
quit
!
spanning-tree mode mst
spanning-tree portfast edge default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet1/0/1
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/2
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/3
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/4
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/5
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/6
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/7
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/8
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/9
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/10
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/11
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/12
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/13
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/14
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/15
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/16
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/17
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/18
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/19
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/20
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/21
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/22
switchport access vlan 110
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/23
switchport access vlan 700
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/24
switchport access vlan 700
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface TenGigabitEthernet1/0/1
switchport trunk allowed vlan 1,110,700
switchport mode trunk
spanning-tree portfast edge
!
interface TenGigabitEthernet1/0/2
switchport mode trunk
spanning-tree portfast edge
!
interface TenGigabitEthernet1/0/3
switchport trunk allowed vlan 1,110,700
switchport mode trunk
spanning-tree portfast edge
!
interface TenGigabitEthernet1/0/4
switchport trunk allowed vlan 1,110,700
switchport mode trunk
spanning-tree portfast edge
!
interface Vlan1
ip address x.x.x.x 255.255.0.0
!
interface Vlan110
description 110
ip address x.x.x.x 255.255.0.0
!
interface Vlan700
description 700-test
no ip address
!
ip default-gateway my l3 switch
ip http server
ip http banner
ip http secure-server
!
access-list dynamic-extended
!
!
!