Cisco Access Control Lists

Bob Conklin asked
Medium Priority
34 Views
Last Modified: 2020-05-15
Greetings experts...
I have a Cisco WS-C4503 switch that currently has ip multicast-routing enabled along with the following in the Access Control List:

Extended IP access list system-cpp-all-routers-on-subnet
    10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
    10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
    10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
    10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
    10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-energywise-disc
    10 permit udp any eq any eq 0
Extended IP access list system-cpp-hsrpv2
    10 permit udp any host 224.0.0.102
Extended IP access list system-cpp-igmp
    10 permit igmp any 224.0.0.0 31.255.255.255
Extended IP access list system-cpp-ip-mcast-linklocal
    10 permit ip any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ospf
    10 permit ospf any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-pim
    10 permit pim any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ripv2
    10 permit ip any host 224.0.0.9
Extended MAC access list system-cpp-bpdu-range
    permit any 0180.c200.0000 0000.0000.0003
Extended MAC access list system-cpp-cdp
    permit any host 0100.0ccc.cccc
Extended MAC access list system-cpp-dot1x
    permit any host 0180.c200.0003
Extended MAC access list system-cpp-mcast-cfm
    permit any 0180.c200.0030 0000.0000.000f
Extended MAC access list system-cpp-sstp
    permit any host 0100.0ccc.cccd
Extended MAC access list system-cpp-ucast-cfm
    permit any host 44d3.ca40.a83d

We wish to disable the routing and delete the entries from the ACL.
I believe that by using the command: no ip multicast-routing will turn off the routing. I am not at all clear on how to remove the entries in the ACL.
A different router is going to be installed upstream of this switch so the routing and ACLs on the switch will no longer be needed.

What is the most efficient and proper way of going about cleaning up the ACLs on this switch?

Thanks!

-Bob

Timothy Estes, Sr. Voice Engineer
CERTIFIED EXPERT

Commented:
Disabling multicast routing on a router (or a switch that is routing) will not disable IP Routing. It WILL disable IP Multicast Routing.
Also,
Un-applying an ACL will effectively disable it. Also, removing each list in this case would disable them. I would see where the ACLs are applied.
Bob Conklin, Configuration/TEST Technician

Author

Commented:
Hi Timothy
Ok, I understand my error with the IP routing and the IP multicast routing. Here is the IP routing command that is currently on the switch:  ip route 0.0.0.0 0.0.0.0 172.16.254.254

I am not sure how to verify where the ACLs are applied.

-Bob
Timothy Estes, Sr. Voice Engineer
CERTIFIED EXPERT

Commented:
ACLs are typically applied to interfaces (either physical or virtual) with the access-group command.
Bob Conklin, Configuration/TEST Technician

Author

Commented:
Here is a snippet from the switch:

Svr-SW4503#show access-group mode
Interface TenGigabitEthernet1/1:
   Access group mode is: Prefer Port
Interface TenGigabitEthernet1/2:
   Access group mode is: Prefer Port


-Bob
Timothy Estes, Sr. Voice Engineer
CERTIFIED EXPERT

Commented:
That output isn't related to ACLs.
Try show run | i access-group

Bob Conklin, Configuration/TEST Technician

Author

Commented:
Svr-SW4503#show run | i access-group
Svr-SW4503#

Looks like the ACLs are not applied?

-Bob
Timothy Estes, Sr. Voice Engineer
CERTIFIED EXPERT

Commented:
It would appear that you are correct and the ACLs exist but they are not applied. 
Bob Conklin, Configuration/TEST Technician

Author

Commented:
Timothy..
In that case, might I presume that leaving the ACLs in place will not do any harm?
We just want to make sure that when the new router is put into service there is nothing lurking on this switch that might rear its ugly head to make our life miserable.
The original folks that set up this section of the network no longer exist here and there are no notes or bread crumbs left to figure out what was going on when this switch was put into service.

-Bob


Timothy Estes, Sr. Voice Engineer
CERTIFIED EXPERT

Commented:
Make sure you have a backup of your config. Not just in this case, in every case.
If the ACLs are not applied, they will have NO effect. Leaving them will only have the effect of annoying you every time you do a "show run". :D
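The check Timothy describes (grep the running config for access-group) can be turned into a small audit that lists every ACL definition, records where each one is bound, and generates the `no` commands for the ones that are defined but never referenced. The script below is an added example, not code from this thread or from Cisco. It assumes IOS syntax: ACLs are defined with `ip access-list standard|extended NAME` or `mac access-list extended NAME`, and referenced under an interface with `ip access-group` / `mac access-group NAME in|out`, on a vty line with `access-class NAME in|out`, or in a class-map with `match access-group name NAME`. The last two are places a grep for only `ip access-group` would miss, although `show run | i access-group` does match the class-map form. The sample running-config is constructed for the example; the hostname and default route are the ones from the question.

```python
"""Audit which ACLs in a Cisco IOS running-config are actually referenced.

Added example, not part of the original thread. Assumes IOS-style syntax
for ACL definitions and for the three ways an ACL name is usually bound
(interface access-group, vty access-class, class-map match access-group).
The sample config below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample: two ip ACLs and one mac ACL that nothing references,
# plus one ACL bound to an SVI and to the vty lines.
SAMPLE_CONFIG = """\
hostname Svr-SW4503
!
ip multicast-routing
ip routing
!
ip access-list extended system-cpp-all-routers-on-subnet
 permit ip any host 224.0.0.2
ip access-list extended system-cpp-ripv2
 permit ip any host 224.0.0.9
ip access-list extended MGMT-ONLY
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any
mac access-list extended system-cpp-cdp
 permit any host 0100.0ccc.cccc
!
interface Vlan10
 ip address 172.16.10.1 255.255.255.0
 ip access-group MGMT-ONLY in
!
interface TenGigabitEthernet1/1
 switchport mode trunk
!
line vty 0 4
 access-class MGMT-ONLY in
!
ip route 0.0.0.0 0.0.0.0 172.16.254.254
"""

# An ACL definition header: "ip access-list extended NAME", "mac access-list extended NAME", ...
ACL_DEF = re.compile(r"^(ip|mac) access-list (standard|extended) (\S+)\s*$")
# Context headers so a reference can be attributed to an interface, line or class-map.
CONTEXT = re.compile(r"^(interface \S+|line \S+(?: \d+)*|class-map .*)$")
# The reference forms recognised; group 1 is the ACL name, group 2 the direction (if any).
REFS = [
    re.compile(r"^\s+(?:ip|mac) access-group (\S+) (in|out)$"),
    re.compile(r"^\s+access-class (\S+) (in|out)$"),
    re.compile(r"^\s+match access-group name (\S+)()$"),
]
# Global routing features the thread discusses turning off with their "no" form.
ROUTING_FEATURES = ("ip multicast-routing", "ip routing")


def parse_acls(config):
    """Return (defined, references).

    defined maps ACL name -> the definition prefix (e.g. "ip access-list extended"),
    references maps ACL name -> list of (context, direction) tuples."""
    defined = {}
    references = defaultdict(list)
    context = None
    for line in config.splitlines():
        m = ACL_DEF.match(line)
        if m:
            defined[m.group(3)] = f"{m.group(1)} access-list {m.group(2)}"
            context = None
            continue
        m = CONTEXT.match(line)
        if m:
            context = m.group(1)
            continue
        if line.startswith("!"):  # section separator ends the current context
            context = None
            continue
        for pattern in REFS:
            m = pattern.match(line)
            if m:
                references[m.group(1)].append((context, m.group(2) or ""))
                break
    return defined, dict(references)


def unreferenced_acls(config):
    """Names of ACLs that are defined but never bound anywhere (sorted)."""
    defined, references = parse_acls(config)
    return sorted(name for name in defined if name not in references)


def cleanup_commands(config):
    """Config-mode commands that remove every unreferenced ACL. Only names that
    are defined and unreferenced are emitted, so an ACL still bound to an
    interface, vty line or class-map is never touched."""
    defined, _ = parse_acls(config)
    return [f"no {defined[name]} {name}" for name in unreferenced_acls(config)]


def enabled_routing_features(config):
    """Global routing features present verbatim in the config. Features a platform
    enables by default may not be printed in show run, so absence here is not proof
    that routing is off."""
    lines = {line.strip() for line in config.splitlines()}
    return [feature for feature in ROUTING_FEATURES if feature in lines]


if __name__ == "__main__":
    defined, references = parse_acls(SAMPLE_CONFIG)
    for name in sorted(defined):
        print(f"{name}: {references.get(name, 'NOT REFERENCED')}")
    print("cleanup:", *cleanup_commands(SAMPLE_CONFIG), sep="\n  ")
    print("routing features:", enabled_routing_features(SAMPLE_CONFIG))
```

Feed it the output of `show running-config` saved to a file instead of `SAMPLE_CONFIG` to audit a real switch, and compare the generated commands against the saved backup before pasting them in.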
Bob Conklin, Configuration/TEST Technician

Author

Commented:
That I can assure you I have....
Been making copies of the configs on all our Cisco switches now.
I can learn to live with the ACLs in place...
As for the IP routing...leave that alone as well or would I be better off turning that off?

-Bob

Timothy Estes, Sr. Voice Engineer
CERTIFIED EXPERT
Commented:
This is a design question, expect some "art" when talking about design, along with differing opinions.
If you're going to use a router (or another upstream switch) for routing, you'll probably want to disable IP Routing on the switch. The only time where you want the switch to route in this case is where there is lots of VLAN1 to VLAN2 traffic. Ex, if you have PCs on VLAN1 and Servers on VLAN2, and the PCs talk to the servers a LOT, sending the inter-VLAN traffic to the router is inefficient. Keeping it on the switch will reduce traffic on your uplink to the router and CPU usage on the router.

Bob Conklin, Configuration/TEST Technician

Author

Commented:
I understand, in this instance I believe that I will be able to turn off IP routing without any negative issues popping up. All the devices, servers, PCs, semi-intelligent controls, in this install use only one VLAN to communicate among themselves. The new router will handle any communications between this VLAN and the back office VLAN.
Thank you for the assistance and the new commands.
As always I learned something new!

-Bob