Bob Conklin
Cisco Access Control Lists
Greetings experts...
I have a Cisco WS-C4503 switch that currently has ip multicast-routing enabled along with the following in the Access Control List:
Extended IP access list system-cpp-all-routers-on-subnet
10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-energywise-disc
10 permit udp any eq any eq 0
Extended IP access list system-cpp-hsrpv2
10 permit udp any host 224.0.0.102
Extended IP access list system-cpp-igmp
10 permit igmp any 224.0.0.0 31.255.255.255
Extended IP access list system-cpp-ip-mcast-linklocal
10 permit ip any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ospf
10 permit ospf any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-pim
10 permit pim any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ripv2
10 permit ip any host 224.0.0.9
Extended MAC access list system-cpp-bpdu-range
permit any 0180.c200.0000 0000.0000.0003
Extended MAC access list system-cpp-cdp
permit any host 0100.0ccc.cccc
Extended MAC access list system-cpp-dot1x
permit any host 0180.c200.0003
Extended MAC access list system-cpp-mcast-cfm
permit any 0180.c200.0030 0000.0000.000f
Extended MAC access list system-cpp-sstp
permit any host 0100.0ccc.cccd
Extended MAC access list system-cpp-ucast-cfm
permit any host 44d3.ca40.a83d
We wish to disable the routing and delete the entries from the ACL.
I believe that using the command no ip multicast-routing will turn off the routing. I am not at all clear on how to remove the entries in the ACL.
A different router is going to be installed upstream of this switch so the routing and ACLs on the switch will no longer be needed.
What is the most efficient and proper way of going about cleaning up the ACLs on this switch?
Thanks!
-Bob
ASKER
Hi Timothy
Ok, I understand my error with the IP routing and the IP multicast routing. Here is the IP routing command that is currently on the switch: ip route 0.0.0.0 0.0.0.0 172.16.254.254
I am not sure how to verify where the ACLs are applied.
-Bob
ACLs are typically applied to interfaces (either physical or virtual) with the access-group command.
ASKER
Here is a snippet from the switch:
Svr-SW4503#show access-group mode
Interface TenGigabitEthernet1/1:
Access group mode is: Prefer Port
Interface TenGigabitEthernet1/2:
Access group mode is: Prefer Port
-Bob
That output isn't related to ACLs.
Try show run | i access-group
ASKER
Svr-SW4503#show run | i access-group
Svr-SW4503#
Looks like the ACLs are not applied?
-Bob
It would appear that you are correct and the ACLs exist but they are not applied.
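As an added example (not from the thread, and not run against the asker's switch), here is a small Python audit of a saved running-config that lists every defined IP or MAC ACL, every line that references it, and the "no" command that would remove the lists nothing references. It looks beyond the access-group keyword, since vty access-class and route-map match ip address lines also reference ACLs; the sample config below is constructed, and its class-map reference to a system-cpp list is hypothetical.

```python
import re

# Constructed sample running-config (not the thread's switch); the class-map reference is hypothetical.
SAMPLE_RUN = """\
ip access-list extended system-cpp-igmp
 10 permit igmp any 224.0.0.0 31.255.255.255
ip access-list extended system-cpp-pim
 10 permit pim any 224.0.0.0 0.0.0.255
ip access-list standard MGMT-ONLY
 10 permit 172.16.254.0 0.0.0.255
mac access-list extended system-cpp-cdp
 permit any host 0100.0ccc.cccc
class-map match-any system-cpp-igmp
 match access-group name system-cpp-igmp
interface TenGigabitEthernet1/1
 ip access-group MGMT-ONLY in
line vty 0 4
 access-class MGMT-ONLY in
"""
DEF_RE = re.compile(r"^(ip|mac) access-list (standard|extended) (\S+)$")
# Places a named ACL can be referenced; group 1 captures the ACL name.
REF_RES = [
    re.compile(r"^\s*ip access-group (\S+) (in|out)$"),         # interface
    re.compile(r"^\s*access-class (\S+) (in|out)$"),            # line vty
    re.compile(r"^\s*match access-group name (\S+)$"),          # class-map (CoPP/QoS)
    re.compile(r"^\s*match ip address (?!prefix-list)(\S+)$"),  # route-map
]

def audit_acls(run_cfg):
    """Map ACL name -> definition line, and ACL name -> list of referencing lines."""
    defs, refs = {}, {}
    for line in run_cfg.splitlines():
        m = DEF_RE.match(line)
        if m:
            defs[m.group(3)] = line
            continue
        for rx in REF_RES:
            m = rx.match(line)
            if m:
                refs.setdefault(m.group(1), []).append(line.strip())
    return defs, refs

def unreferenced(run_cfg):
    defs, refs = audit_acls(run_cfg)
    return sorted(n for n in defs if n not in refs)

def removal_commands(run_cfg):
    """'no' form of each unreferenced ACL definition, to review before pasting into config mode."""
    defs, _ = audit_acls(run_cfg)
    return ["no " + defs[n] for n in unreferenced(run_cfg)]
```

Feed it the output of show running-config saved to a file; an ACL that shows up as unreferenced here but still matters to a feature not covered by these four patterns should be checked by hand before removal.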
ASKER
Timothy..
In that case, might I presume that leaving the ACLs in place will not do any harm?
We just want to make sure that when the new router is put into service there is nothing lurking on this switch that might rear its ugly head to make our life miserable.
The original folks that set up this section of the network no longer exist here and there are no notes or bread crumbs left to figure out what was going on when this switch was put into service.
-Bob
Make sure you have a backup of your config. Not just in this case, in every case.
If the ACLs are not applied, they will have NO effect. Leaving them will only have the effect of annoying you every time you do a "show run". :D
ASKER
That I can assure you I have....
Been making copies of the configs on all our Cisco switches now.
I can learn to live with the ACLs in place...
As for the IP routing...leave that alone as well or would I be better off turning that off?
-Bob
ASKER CERTIFIED SOLUTION
ASKER
I understand, in this instance I believe that I will be able to turn off IP routing without any negative issues popping up. All the devices, servers, PCs, semi-intelligent controls, in this install use only one VLAN to communicate among themselves. The new router will handle any communications between this VLAN and the back office VLAN.
Thank you for the assistance and the new commands.
As always I learned something new!
-Bob
Also,
Un-applying an ACL will effectively disable it. Also, removing each list in this case would disable them. I would see where the ACLs are applied.