
IP access-lists from factory by default? Can they be deleted?

Last Modified: 2020-09-24
I just checked two of my Cisco 3850 switches, and they both have these IP access-lists listed in the config, and I never created or added them.
Do they need to be here, or can I delete them?
How do I delete them?

It would seem to me that these access lists are restricting the flow of data on my switches, so it seems to me it's best I delete them.


ip access-list extended AutoQos-4.0-wlan-Acl-Bulk-Data
 permit tcp any any eq 22
 permit tcp any any eq 465
 permit tcp any any eq 143
 permit tcp any any eq 993
 permit tcp any any eq 995
 permit tcp any any eq 1914
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq smtp
 permit tcp any any eq pop3
ip access-list extended AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
 permit udp any any range 16384 32767
 permit tcp any any range 50000 59999
ip access-list extended AutoQos-4.0-wlan-Acl-Scavanger
 permit tcp any any range 2300 2400
 permit udp any any range 2300 2400
 permit tcp any any range 6881 6999
 permit tcp any any range 28800 29100
 permit tcp any any eq 1214
 permit udp any any eq 1214
 permit tcp any any eq 3689
 permit udp any any eq 3689
 permit tcp any any eq 11999
ip access-list extended AutoQos-4.0-wlan-Acl-Signaling
 permit tcp any any range 2000 2002
 permit tcp any any range 5060 5061
 permit udp any any range 5060 5061
ip access-list extended AutoQos-4.0-wlan-Acl-Transactional-Data
 permit tcp any any eq 443
 permit tcp any any eq 1521
 permit udp any any eq 1521
 permit tcp any any eq 1526
 permit udp any any eq 1526
 permit tcp any any eq 1575
 permit udp any any eq 1575
 permit tcp any any eq 1630
 permit udp any any eq 1630
 permit tcp any any eq 1527
 permit tcp any any eq 6200
 permit tcp any any eq 3389
 permit tcp any any eq 5985
 permit tcp any any eq 8080



Qlemo "Batchelor", Developer and EE Topic Advisor

Commented:
These ACLs are not bound to any VLAN or port, and hence not applied. There is no need to do anything with them.
Mohammad Rummaneh, Sr. Network & Security Engineer

Commented:
Would you please share the full switch configuration before deleting your ACLs?

To delete them you can use the commands below:

switch(config)#no ip access-list extended AutoQos-4.0-wlan-Acl-Bulk-Data
switch(config)#no ip access-list extended AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
switch(config)#no ip access-list extended AutoQos-4.0-wlan-Acl-Scavanger
switch(config)#no ip access-list extended AutoQos-4.0-wlan-Acl-Signaling
switch(config)#no ip access-list extended AutoQos-4.0-wlan-Acl-Transactional-Data





Dan, Network Engineer (Author)

Commented:
Mohammad, here's my entire config. There's a lot in there that I didn't add, so that's why I wanted to delete the ACLs and the class-map entries, as I didn't add those.

 
s8-midf-a#show run
Building configuration...
 
Current configuration : 11153 bytes
!
! Last configuration change at 22:17:38 pst Mon Sep 21 2020
! NVRAM config last updated at 17:21:43 pst Thu Sep 3 2020
!
version 16.6
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname s8-midf-a
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!         
logging buffered 40960
enable secret 5 $1$Es3/$jeAdQ3PSmTab.f48FFguiwf/
!
no aaa new-model
boot system switch all flash:cat3k_caa-universalk9.16.06.05.SPA.bin
clock timezone pst -7 0
switch 1 provision ws-c3850-24xu
switch 2 provision ws-c3850-24xu
!
!
!
!
!
no ip domain lookup
ip domain name s8-midf-a.com
!
!
!
!
!
!
!
!         
!
crypto pki trustpoint TP-self-signed-3335269162
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3335269162
 revocation-check none
 rsakeypair TP-self-signed-3335269162
!
!
crypto pki certificate chain TP-self-signed-3335269162
 certificate self-signed 01
  30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33333335 32363931 3632301E 170D3139 31303130 31373132
  32355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33333532
  36393136 32308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
  0A028201 01009DB8 9A873AA6 1E46A8F9 B98FA0D8 02B5920A 863C617E F18039A2
  014B1C01 1A683C35 DB10B4D7 FF51FC36 2F8ACC82 C11BFC54 CC00655B FFC847ED
  8E40200D 47BF4BD5 9257F006 CD4286FE 2C164572 D95C5100 62528CB0 93C9847C
  E7549476 448F68BB F151B24A EF7E6E3D B0528985 FDDDD22D A7A9E02D D1BE6D51
  E0CC7F76 5FB22537 A13FCB21 9DEF4881 9D90C79E 685EB639 AFF35D10 A90D9610
  5D698389 BBA1A498 EABECA3E FBE3EFED 1B5C5B35 1976BA9F 91FCC7AC B18D1ECD
  7A2E8507 61E3EE7A 8C18A9AF F95A0C38 C5C35B24 D98809D8 60EC8C5A C0ED6925
  59CB736C 4BA45C60 8F42E5E7 46096836 91DDCEE2 1B8D2AA9 002541AA D543A5AF
  43A2B458 55E90203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF
  301F0603 551D2304 18301680 14F69CB7 B02F7939 6C3D4003 A60597BF 0C6EAE04
  29301D06 03551D0E 04160414 F69CB7B0 2F79396C 3D4003A6 0597BF0C 6EAE0429
  300D0609 2A864886 F70D0101 05050003 82010100 3454CB23 CAC638B3 19283DE2
  E683A439 704E49F7 4B6181DB 6BA3B496 2B184F90 4700C429 483E7CEA A4B81E4B
  F4F2C050 CDDA793D A3C32030 2744EF8E B77B7359 82001D8C FF1A142C 33685557
  BB07B842 7C79CE78 70842718 07149CAC BECC29A3 95F2079B 7A774ADC 7B3F9A4F
  E8E75DE6 441D390D 785E4164 B74531E1 2D4B3A31 FD7BBD2E 76AB77E1 5D59F0C5
  00D0B87F 67344898 9C2B98E0 9DD3C544 F159D31F 81E25696 86D8D8DB 11126DF9
  FA08E0D6 AF77F6AC DF7B7496 08B3578D D1536C90 856D1D8A D0EA5E59 9B05617A
  F01D032D 29D80C2D 1F8FB409 C5D7A494 804CE2BD CA5AEC0F 021611C6 68FC588E
  1D8C82E9 0DAF39F3 3898C0C0 A45FCB14 80A39879
        quit
!
!
!
diagnostic bootup level minimal
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
username cisco privilege 15 password 7 0322783C545F721578945F22
username admin privilege 15 secret 5 $1$wv31$UWIDlpSDa2tV485F4/fee32
!
redundancy
 mode sso
!
!
transceiver type all
 monitoring
!
!
class-map match-any system-cpp-police-topology-control
  description Topology control
class-map match-any system-cpp-police-sw-forward
  description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
  description DHCP Snooping, EWLC control, EWCL data
class-map match-any system-cpp-police-sys-data
  description Learning cache ovfl, Crypto Control, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
  description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
  description L2 LVX control packets
class-map match-any system-cpp-police-forus
  description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
  description MCAST END STATION
class-map match-any system-cpp-police-multicast
  description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
  description L2 control
class-map match-any system-cpp-police-dot1x-auth
  description DOT1X Auth
class-map match-any system-cpp-police-data
  description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
  description Stackwise Virtual
class-map match-any system-cpp-police-control-low-priority
  description ICMP redirect and general punt
class-map match-any system-cpp-police-wireless-priority1
  description Wireless priority 1
class-map match-any system-cpp-police-wireless-priority2
  description Wireless priority 2
class-map match-any system-cpp-police-wireless-priority3-4-5
  description Wireless priority 3,4 and 5
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
  description Routing control
class-map match-any system-cpp-police-protocol-snooping
  description Protocol snooping
class-map match-any system-cpp-police-system-critical
  description System Critical and Gold
!
policy-map system-cpp-policy
 class system-cpp-police-data
  police rate 200 pps
 class system-cpp-police-routing-control
  police rate 1800 pps
 class system-cpp-police-control-low-priority
 class system-cpp-police-wireless-priority1
 class system-cpp-police-wireless-priority2
 class system-cpp-police-wireless-priority3-4-5
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
!
!
!
!
!         
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 speed 1000
 negotiation auto
!
interface TenGigabitEthernet1/0/1
!
interface TenGigabitEthernet1/0/2
!
interface TenGigabitEthernet1/0/3
!
interface TenGigabitEthernet1/0/4
!         
interface TenGigabitEthernet1/0/5
!
interface TenGigabitEthernet1/0/6
!
interface TenGigabitEthernet1/0/7
!
interface TenGigabitEthernet1/0/8
!
interface TenGigabitEthernet1/0/9
!
interface TenGigabitEthernet1/0/10
!
interface TenGigabitEthernet1/0/11
!
interface TenGigabitEthernet1/0/12
!
interface TenGigabitEthernet1/0/13
!
interface TenGigabitEthernet1/0/14
!
interface TenGigabitEthernet1/0/15
!
interface TenGigabitEthernet1/0/16
!
interface TenGigabitEthernet1/0/17
!
interface TenGigabitEthernet1/0/18
!
interface TenGigabitEthernet1/0/19
!
interface TenGigabitEthernet1/0/20
!
interface TenGigabitEthernet1/0/21
!
interface TenGigabitEthernet1/0/22
!
interface TenGigabitEthernet1/0/23
!
interface TenGigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!         
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
 switchport mode trunk
!
interface TenGigabitEthernet1/1/5
!
interface TenGigabitEthernet1/1/6
!
interface TenGigabitEthernet1/1/7
!
interface TenGigabitEthernet1/1/8
!
interface FortyGigabitEthernet1/1/1
!
interface FortyGigabitEthernet1/1/2
!         
interface TenGigabitEthernet2/0/1
!
interface TenGigabitEthernet2/0/2
!
interface TenGigabitEthernet2/0/3
!
interface TenGigabitEthernet2/0/4
!
interface TenGigabitEthernet2/0/5
!
interface TenGigabitEthernet2/0/6
!
interface TenGigabitEthernet2/0/7
!
interface TenGigabitEthernet2/0/8
!
interface TenGigabitEthernet2/0/9
!
interface TenGigabitEthernet2/0/10
!
interface TenGigabitEthernet2/0/11
!
interface TenGigabitEthernet2/0/12
!
interface TenGigabitEthernet2/0/13
!
interface TenGigabitEthernet2/0/14
!
interface TenGigabitEthernet2/0/15
!
interface TenGigabitEthernet2/0/16
!
interface TenGigabitEthernet2/0/17
!
interface TenGigabitEthernet2/0/18
!
interface TenGigabitEthernet2/0/19
!
interface TenGigabitEthernet2/0/20
!
interface TenGigabitEthernet2/0/21
!
interface TenGigabitEthernet2/0/22
!
interface TenGigabitEthernet2/0/23
!         
interface TenGigabitEthernet2/0/24
!
interface GigabitEthernet2/1/1
!
interface GigabitEthernet2/1/2
!
interface GigabitEthernet2/1/3
!
interface GigabitEthernet2/1/4
!
interface TenGigabitEthernet2/1/1
!
interface TenGigabitEthernet2/1/2
!
interface TenGigabitEthernet2/1/3
!
interface TenGigabitEthernet2/1/4
!
interface TenGigabitEthernet2/1/5
!
interface TenGigabitEthernet2/1/6
!
interface TenGigabitEthernet2/1/7
!
interface TenGigabitEthernet2/1/8
!
interface FortyGigabitEthernet2/1/1
!
interface FortyGigabitEthernet2/1/2
!
interface Vlan1
 ip address 192.168.101.140 255.255.252.0
!
ip default-gateway 192.168.100.1
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip ssh version 2
!
ip access-list extended AutoQos-4.0-wlan-Acl-Bulk-Data
 permit tcp any any eq 22
 permit tcp any any eq 465
 permit tcp any any eq 143
 permit tcp any any eq 993
 permit tcp any any eq 995
 permit tcp any any eq 1914
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq smtp
 permit tcp any any eq pop3
ip access-list extended AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
 permit udp any any range 16384 32767
 permit tcp any any range 50000 59999
ip access-list extended AutoQos-4.0-wlan-Acl-Scavanger
 permit tcp any any range 2300 2400
 permit udp any any range 2300 2400
 permit tcp any any range 6881 6999
 permit tcp any any range 28800 29100
 permit tcp any any eq 1214
 permit udp any any eq 1214
 permit tcp any any eq 3689
 permit udp any any eq 3689
 permit tcp any any eq 11999
ip access-list extended AutoQos-4.0-wlan-Acl-Signaling
 permit tcp any any range 2000 2002
 permit tcp any any range 5060 5061
 permit udp any any range 5060 5061
ip access-list extended AutoQos-4.0-wlan-Acl-Transactional-Data
 permit tcp any any eq 443
 permit tcp any any eq 1521
 permit udp any any eq 1521
 permit tcp any any eq 1526
 permit udp any any eq 1526
 permit tcp any any eq 1575
 permit udp any any eq 1575
 permit tcp any any eq 1630
 permit udp any any eq 1630
 permit tcp any any eq 1527
 permit tcp any any eq 6200
 permit tcp any any eq 3389
 permit tcp any any eq 5985
 permit tcp any any eq 8080
!
logging host 192.168.100.135
logging host 192.168.100.158
!
!
snmp-server community publicplease RO
!
ipv6 access-list preauth_v6
 permit udp any any eq domain
 permit tcp any any eq domain
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit icmp any any router-solicitation
 permit icmp any any router-advertisement
 permit icmp any any redirect
 permit udp any eq 547 any eq 546
 permit udp any eq 546 any eq 547
 deny ipv6 any any
!
control-plane
 service-policy input system-cpp-policy
!
!
line con 0
 exec-timeout 60 0
 password 7 15210E0F11382E292D3354
 logging synchronous
 login
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 60 0
 password 7 03375E08131D2441478908
 login local
 transport preferred ssh
 transport input ssh
line vty 5 15
 exec-timeout 60 0
 password 7 03375E08131D2448879098
 login local
 transport preferred ssh
 transport input ssh
!
ntp server 216.239.35.0
!
mac address-table notification mac-move
!
!
!
!
!
end
 
s8-midf-a#  
Mohammad Rummaneh, Sr. Network & Security Engineer

Commented:
OK, you can delete them easily by adding "no" before any command. For example, for

switch(config)#class-map match-any system-cpp-police-topology-control

to delete the command, you can use

switch(config)#no class-map match-any system-cpp-police-topology-control

and so on 



Dan, Network Engineer (Author)

Commented:
So should I delete all of those entries and also the ACLs?
I'm assuming I should, as that could be restricting internal traffic, and I don't need all those ACLs.
Mohammad Rummaneh, Sr. Network & Security Engineer

Commented:
Yes, you can delete them all without any effect on internal traffic, because this configuration is not applied on any interface.


Dan, Network Engineer (Author)

Commented:
I tried to delete the class maps, but I keep on getting this error: "is being used"


Switch(config)#no class-map match-any system-cpp-policy-topology-control
Switch(config)#no class-map match-any system-cpp-police-sw-forward
% Class-map system-cpp-police-sw-forward is being used
Switch(config)#no class-map match-any system-cpp-default
% Class-map system-cpp-default is being used
Switch(config)#no class-map match-any system-cpp-default
% Class-map system-cpp-default is being used
Switch(config)#no class-map match-any system-cpp-policy-sys-data
Switch(config)#no class-map match-any system-cpp-police-12lvx-control
Switch(config)#no class-map match-any system-cpp-police-punt-webauth
% Class-map system-cpp-police-punt-webauth is being used
Switch(config)#no class-map match-any system-cpp-police-forus
% Class-map system-cpp-police-forus is being used
Switch(config)#no class-map match-any system-cpp-police-multicast-end-station
% Class-map system-cpp-police-multicast-end-station is being used
Switch(config)#no class-map match-any system-cpp-police-multicast
% Class-map system-cpp-police-multicast is being used
Switch(config)#no class-map match-any system-cpp-police-l2-control
% Class-map system-cpp-police-l2-control is being used
Switch(config)#no class-map match-any system-cpp-police-dotlx-auth
Switch(config)#no class-map match-any system-cpp-police-data
% Class-map system-cpp-police-data is being used
Switch(config)#$p match-any system-cpp-police-stackwise-virt-control
% Class-map system-cpp-police-stackwise-virt-control is being used
Switch(config)#$p match-any non-client-nrt-class
Switch(config)#no class-map match-any system-cpp-police-routing-control
% Class-map system-cpp-police-routing-control is being used
Switch(config)#no class-map match-any system-cpp-police-protocol-snooping
% Class-map system-cpp-police-protocol-snooping is being used
Switch(config)#no class-map match-any system-cpp-police-system-critical
% Class-map system-cpp-police-system-critical is being used


Mohammad Rummaneh, Sr. Network & Security Engineer

Commented:
Try "no service-policy input system-cpp-policy" first, then remove all the other configuration.
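The "is being used" errors above and Qlemo's earlier point that the AutoQos-4.0-wlan-Acl-* lists are not bound anywhere are two sides of the same check: IOS only refuses to delete an object that something else references. In the posted config the single attachment is "control-plane / service-policy input system-cpp-policy", which is the switch's Control Plane Policing (CoPP) policy that rate-limits traffic punted to the CPU; the class-maps the switch refused to delete belong to that policy, so the refusal is expected, and detaching the policy would remove that CPU protection rather than clean up clutter. The ACLs, by contrast, appear in no "ip access-group", "match access-group name" or "access-class" line, so they filter nothing. The following Python script is an added example, not code from the thread or from Cisco: it walks pasted "show run" text, builds that reference chain, and reports which defined objects are unreferenced and what holds the others in use. The embedded sample config is a constructed excerpt using the object names from the posted config, and the function names are the example's own.

```python
"""Reference checker for Cisco IOS / IOS-XE 'show run' text. Added example,
not code from the thread or from Cisco. It rebuilds the dependency chain the
CLI enforces before it lets you delete an object:
  interface|control-plane -service-policy-> policy-map -class-> class-map
  class-map -match access-group name-> ACL; interface -ip access-group-> ACL
SAMPLE_CONFIG is a constructed excerpt using object names from the thread."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
class-map match-any system-cpp-police-data
  description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-routing-control
class-map match-any system-cpp-police-topology-control
!
policy-map system-cpp-policy
 class system-cpp-police-data
  police rate 200 pps
 class system-cpp-police-routing-control
  police rate 1800 pps
!
ip access-list extended AutoQos-4.0-wlan-Acl-Signaling
 permit tcp any any range 2000 2002
 permit tcp any any range 5060 5061
 permit udp any any range 5060 5061
!
control-plane
 service-policy input system-cpp-policy
!
"""

# Indented lines that reference another object: (pattern, kind referenced).
BODY_REFS = [
    (re.compile(r"^class\s+(?!class-default$)(\S+)$"), "class-map"),  # in policy-map
    (re.compile(r"^match access-group name\s+(\S+)$"), "acl"),  # in class-map
    (re.compile(r"^service-policy\s+(?:input|output)\s+(\S+)$"), "policy-map"),
    (re.compile(r"^ip access-group\s+(\S+)\s+(?:in|out)$"), "acl"),
    (re.compile(r"^access-class\s+(\S+)\s+(?:in|out)$"), "acl"),  # vty lines
]


def classify_header(line):
    """Map a non-indented config line to (kind, name); None if not tracked."""
    m = re.match(r"(class-map|policy-map)\s+(?:match-any\s+|match-all\s+)?(\S+)$", line)
    if m:
        return m.group(1), m.group(2)
    m = re.match(r"ip(?:v6)? access-list\s+(?:(?:standard|extended)\s+)?(\S+)$", line)
    if m:
        return "acl", m.group(1)
    m = re.match(r"(interface\s+\S+|control-plane|line\s+.+)$", line)
    if m:
        return "attach", m.group(1)  # attachment point, not a deletable object
    return None


def parse_sections(config):
    """Split config into (kind, name, [stripped body lines]) blocks; any
    non-indented line (a header or '!') ends the block before it."""
    sections, current = [], None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0] != " ":
            head = classify_header(raw.rstrip())
            current = (head[0], head[1], []) if head else None
            if current:
                sections.append(current)
        elif current is not None:
            current[2].append(raw.strip())
    return sections


def build_graph(config):
    """Return (defined objects, refs): refs maps a referenced (kind, name)
    to the set of (kind, name) blocks whose body uses it."""
    defined, refs = set(), defaultdict(set)
    for kind, name, body in parse_sections(config):
        if kind != "attach":
            defined.add((kind, name))
        for line in body:
            for pattern, target_kind in BODY_REFS:
                m = pattern.match(line)
                if m:
                    refs[(target_kind, m.group(1))].add((kind, name))
                    break
    return defined, dict(refs)


def users_of(config, kind, name):
    """Everything that transitively depends on an object, nearest first.
    A non-empty result is exactly why IOS answers '% ... is being used'."""
    _, refs = build_graph(config)
    seen, stack = [], [(kind, name)]
    while stack:
        for user in sorted(refs.get(stack.pop(), ())):
            if user not in seen:
                seen.append(user)
                stack.append(user)
    return seen


def unreferenced(config):
    """Defined ACLs, class-maps and policy-maps that nothing in the text uses."""
    defined, refs = build_graph(config)
    return sorted(obj for obj in defined if obj not in refs)


if __name__ == "__main__":
    for obj in unreferenced(SAMPLE_CONFIG):
        print("not referenced:", *obj)
    print("holds system-cpp-police-data in use:",
          users_of(SAMPLE_CONFIG, "class-map", "system-cpp-police-data"))
```

Paste the real "show running-config" output into a file and pass its text to unreferenced() and users_of() instead of SAMPLE_CONFIG. Two caveats for the 3850 specifically: the script only sees what "show run" prints, and the running config lists only the user-modified classes of the system-generated system-cpp-policy (the thread's own transcript shows sw-forward, forus and the other unlisted classes still reported as in use), so "show policy-map control-plane" on the switch is the authoritative view of that policy; and "show access-lists" shows per-entry match counters, which for an unbound ACL stay at zero.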
Dan, Network Engineer (Author)

Commented:
I get this error message:


Dan, Network Engineer (Author)

Commented:
then I tried this:


Mohammad Rummaneh, Sr. Network & Security Engineer
Commented:
Dan, Network Engineer (Author)

Commented:
Mohammad, thanks for your help. I guess I will leave all those entries there.

What's strange is, on one of the switches I did a factory reset and it did get rid of them. On the other switch I did a factory reset and it did not get rid of them, so that's strange.
Mohammad Rummaneh, Sr. Network & Security Engineer

Commented:
Did both switches have same ios version? 
Dan, Network Engineer (Author)

Commented:
I'll double check. I have already installed them in production; they are not powered on, but they are in a different building.
