
6807 access-lists view

I'm posting this in security, as it relates to the ACLs only, even though it's not a security device.

As of today (yesterday was fine), when we show one of our ACLs, the view comes out missing the first entries and repeated.

6807 VSS pair running Version 15.5(1)SY3. Any suggestions on whether it's a bug before I rebuild the ACL and see if that fixes it?

Thanks

 

The Show run of the ACL is fine.

 

Central#sh run | b access-list extended medical
ip access-list extended medical
permit tcp any any established
permit udp any eq bootpc any eq bootps
deny tcp any any eq 3
deny udp any any eq 3
permit ip 192.168.20.0 0.0.0.255 any
permit tcp 192.168.8.0 0.0.7.255 host 10.132.53.20 eq 8001
permit tcp 192.168.8.0 0.0.7.255 host 10.132.53.20 eq 9240
permit udp any host 10.132.1.156 eq domain
permit udp any host 10.132.1.253 eq domain
permit ip host 10.45.13.144 host 224.0.0.252
permit ip host 10.45.13.133 host 224.0.0.252
permit udp any host 10.132.1.156 eq ntp
permit udp any host 10.132.2.253 eq ntp
permit ip host 192.168.8.1 any
permit ip host 192.168.8.15 any
permit tcp host 10.45.13.142 any
permit ip host 10.45.13.72 host 10.132.45.55
permit icmp host 10.45.13.201 any
permit icmp host 10.45.13.200 any
permit icmp 10.45.12.0 0.0.3.255 10.45.12.0 0.0.3.255
permit icmp 10.45.12.0 0.0.3.255 host 10.132.40.60
permit icmp 10.45.12.0 0.0.3.255 host 10.132.40.64
permit icmp 10.45.12.0 0.0.3.255 host 10.132.32.14
permit icmp 10.45.12.0 0.0.3.255 host 10.132.32.15
permit icmp 192.168.12.0 0.0.3.255 host 10.132.40.129
permit icmp 10.45.12.0 0.0.3.255 host 10.132.40.86
permit icmp 192.168.12.0 0.0.3.255 host 10.132.40.86
permit icmp addrgroup Omnicell-Cabinets host 10.132.40.88
permit icmp addrgroup Omnicell-Cabinets host 10.132.40.87
permit tcp 10.45.12.0 0.0.3.255 host 10.132.32.136 eq www
permit tcp 10.45.12.0 0.0.3.255 host 10.132.40.60 eq 104
permit tcp 10.45.12.0 0.0.3.255 host 10.132.40.44 eq 104 105
permit tcp 192.168.8.0 0.0.7.255 host 10.132.40.44 eq 104 105
permit tcp 10.45.12.0 0.0.3.255 host 10.132.40.4 eq 2104
permit tcp 192.168.8.0 0.0.7.255 host 10.132.40.4 eq 2104
permit tcp 10.45.12.0 0.0.3.255 host 10.132.40.64 eq 3320
permit tcp 10.45.12.0 0.0.3.255 host 10.132.32.14 eq 6004
permit tcp 10.45.12.0 0.0.3.255 host 10.132.32.15 eq 7839
permit tcp 10.45.12.0 0.0.3.255 host 10.132.32.15 eq 7833
permit tcp host 10.45.13.150 host 10.132.32.15 eq 7846
permit tcp 10.45.12.0 0.0.3.255 host 10.132.1.160 eq 104
permit tcp 192.168.8.0 0.0.7.255 host 10.132.40.60 eq 104
permit tcp 192.168.8.0 0.0.7.255 host 10.132.40.64 eq 3320
permit tcp 10.45.12.0 0.0.3.255 host 10.132.32.136 eq 4006
permit tcp 10.45.12.0 0.0.3.255 host 10.132.40.217 eq 104
permit tcp 10.45.12.0 0.0.3.255 host 10.132.40.217 range 5000 5003
permit tcp 10.45.12.0 0.0.3.255 host 10.132.32.14 eq 6007
permit tcp 10.45.12.0 0.0.3.255 host 10.45.12.11 eq 3002
permit tcp 10.45.12.0 0.0.3.255 host 10.132.32.15 eq 7826
permit ip host 10.45.13.202 any
permit ip host 10.45.13.203 any
permit tcp 10.45.12.0 0.0.3.255 host 10.132.40.129 eq ftp
permit tcp 10.45.12.0 0.0.3.255 host 10.132.40.129 eq www
permit tcp 10.45.12.0 0.0.3.255 host 10.132.40.129 eq 443
permit tcp 10.45.12.0 0.0.3.255 host 10.132.40.129 eq 1500
permit tcp 10.45.12.0 0.0.3.255 host 10.132.40.129 eq 8080
permit tcp 192.168.12.0 0.0.3.255 host 10.132.40.129 eq ftp
permit tcp 192.168.12.0 0.0.3.255 host 10.132.40.129 eq www
permit tcp 192.168.12.0 0.0.3.255 host 10.132.40.129 eq 443
permit tcp 192.168.12.0 0.0.3.255 host 10.132.40.129 eq 1500
permit tcp 192.168.12.0 0.0.3.255 host 10.132.40.129 eq 8080
permit tcp 10.45.12.0 0.0.3.255 host 10.132.32.15 range 7838 7839
permit tcp host 10.45.12.131 host 10.132.32.15 eq 7839
permit tcp host 10.45.12.197 host 10.132.1.160 eq 104
permit tcp host 10.45.13.144 host 10.132.1.160 eq 104
permit tcp host 192.168.8.8 host 10.132.2.230 eq 6666
permit tcp 10.45.12.0 0.0.3.255 addrgroup aw-server portgroup aw-server-ports
permit tcp 192.168.8.0 0.0.7.255 addrgroup aw-server portgroup aw-server-ports
permit tcp addrgroup SSD-Washers host 10.132.40.20 eq 3332
permit tcp addrgroup SSD-Washers host 23.23.218.201 eq 443
permit tcp addrgroup SSD-Washers host 209.202.167.85 eq 443
permit tcp addrgroup FIT-Analysers host 10.97.89.12 eq 443 1972 57772
permit tcp addrgroup FIT-Analysers host 155.231.117.30 eq 443 1972 57772
permit tcp addrgroup FIT-Analysers host 195.104.77.252 eq 443 1972 57772
permit tcp 10.45.12.0 0.0.3.255 host 10.132.32.15 eq 7848
permit tcp any host 209.202.186.177 eq 443
permit tcp host 10.45.13.143 host 10.132.40.60 eq 5101
permit tcp any host 62.206.156.53 eq 443
permit tcp any host 62.130.250.50 eq 443
permit tcp host 10.45.13.140 host 212.159.204.247 eq 443
permit tcp any host 40.77.226.249 eq 443
permit tcp host 10.45.13.129 host 10.132.40.64 eq 137
permit tcp host 10.45.12.197 host 10.132.1.160 eq 5101
permit tcp 10.45.12.0 0.0.3.255 10.190.64.64 0.0.0.63 portgroup GE-Support-Ports
permit tcp 10.45.12.0 0.0.3.255 10.132.25.0 0.0.0.128
permit tcp host 10.45.13.4 host 213.53.177.52 eq 443
deny tcp host 10.45.13.144 host 224.0.0.252
deny tcp host 10.45.13.133 host 224.0.0.252
deny tcp host 10.45.12.131 host 224.0.0.252
deny tcp host 10.45.13.203 host 224.0.0.252
permit tcp host 10.45.13.136 host 10.132.22.22 eq 3
permit tcp host 10.45.13.136 host 10.132.25.5 eq 3
permit tcp host 10.45.13.136 host 10.132.1.22 eq 3
permit tcp host 10.45.13.136 host 10.132.9.99 eq 3
permit tcp host 10.45.13.136 host 10.132.1.111 eq 3
permit tcp host 10.45.13.136 host 10.132.25.5 eq 445
permit tcp host 10.45.13.136 host 10.132.1.22 eq 445

 

 

But the show access-list isn't.

 

Central#sh access-list medical
Extended IP access list medical
permit tcp host 10.45.13.67 eq 1801 host 10.132.40.87 eq 60270
271 permit icmp addrgroup Omnicell-Cabinets host 10.132.40.88
272 permit icmp addrgroup Omnicell-Cabinets host 10.132.40.87
640 permit tcp 10.45.12.0 0.0.3.255 addrgroup aw-server portgroup aw-server-ports
650 permit tcp 192.168.8.0 0.0.7.255 addrgroup aw-server portgroup aw-server-ports
660 permit tcp addrgroup SSD-Washers host 10.132.40.20 eq 3332
670 permit tcp addrgroup SSD-Washers host 23.23.218.201 eq 443
680 permit tcp addrgroup SSD-Washers host 209.202.167.85 eq 443
690 permit tcp addrgroup FIT-Analysers host 10.97.89.12 eq 443 1972 57772
700 permit tcp addrgroup FIT-Analysers host 155.231.117.30 eq 443 1972 57772
710 permit tcp addrgroup FIT-Analysers host 195.104.77.252 eq 443 1972 57772
810 permit tcp 10.45.12.0 0.0.3.255 10.190.64.64 0.0.0.63 portgroup GE-Support-Ports
1070 permit tcp addrgroup Siemens-Modality addrgroup Siemens-Networks portgroup Siemens-Ports-Outbound
1360 permit tcp host 10.45.13.7 addrgroup Sectra-Support eq 443
1370 permit tcp host 10.45.13.137 addrgroup Sectra-Support eq 443
1380 permit tcp host 10.45.13.138 addrgroup Sectra-Support eq 443
1510 permit tcp 10.45.12.0 0.0.3.255 addrgroup Philips-Support portgroup Philips-Support-Ports
1520 permit tcp host 10.45.15.65 addrgroup Path-Digital-Haem-Dest portgroup Path-Digital-Haem-Ports
1530 permit tcp 10.45.12.0 0.0.3.255 addrgroup Carestream-Support eq 443
1540 permit tcp 192.168.8.0 0.0.7.255 addrgroup Carestream-Support eq 443
1599 permit tcp addrgroup Omnicell-Cabinets host 10.132.40.88 eq www
1610 permit tcp addrgroup Omnicell-Cabinets host 10.132.40.87 portgroup Omnicell-Ports log
1620 permit tcp addrgroup Omnicell-Cabinets host 10.132.40.88 portgroup Omnicell-Ports log
1630 permit tcp addrgroup Omnicell-Cabinets host 10.132.40.88 log
permit tcp host 10.45.14.3 eq 1801 host 10.132.40.87 eq 60272
271 permit icmp addrgroup Omnicell-Cabinets host 10.132.40.88
272 permit icmp addrgroup Omnicell-Cabinets host 10.132.40.87
640 permit tcp 10.45.12.0 0.0.3.255 addrgroup aw-server portgroup aw-server-ports
650 permit tcp 192.168.8.0 0.0.7.255 addrgroup aw-server portgroup aw-server-ports
660 permit tcp addrgroup SSD-Washers host 10.132.40.20 eq 3332
670 permit tcp addrgroup SSD-Washers host 23.23.218.201 eq 443
680 permit tcp addrgroup SSD-Washers host 209.202.167.85 eq 443
690 permit tcp addrgroup FIT-Analysers host 10.97.89.12 eq 443 1972 57772

 

 

This is the only ACL this incident happens with. After it gets to the end of the ACL, it then shows the full list starting at line 10, and it shows correctly.

 

1 Reply 1

Further to this, re-creating or re-sequencing doesn't work.

If we remove the ACL from all 16 interfaces, and re-create the ACL it's fine. It remains fine as we add the ACL to each interface one by one, until we've added it to the 6th interface, then it goes wrong.
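
An added example, not part of the original posts: a small Python check that flags the symptom described in this thread (unsequenced entries, repeated sequence numbers, and a listing that restarts at a lower number) in captured `show access-list` text and lists rules from the running config that the show output lacks. The sample inputs are constructed and shortened from the outputs quoted above, the trailing `10 ...` line assumes the first entry is numbered 10, and the function names are hypothetical.

```python
import re

# Constructed samples, shortened from the outputs quoted in the post.
# The final "10 ..." line assumes the first entry is numbered 10.
SAMPLE_RUN = """\
ip access-list extended medical
permit tcp any any established
permit udp any eq bootpc any eq bootps
permit icmp addrgroup Omnicell-Cabinets host 10.132.40.88
"""
SAMPLE_SHOW = """\
Extended IP access list medical
permit tcp host 10.45.13.67 eq 1801 host 10.132.40.87 eq 60270
271 permit icmp addrgroup Omnicell-Cabinets host 10.132.40.88
272 permit icmp addrgroup Omnicell-Cabinets host 10.132.40.87
640 permit tcp 10.45.12.0 0.0.3.255 addrgroup aw-server portgroup aw-server-ports
permit tcp host 10.45.14.3 eq 1801 host 10.132.40.87 eq 60272
271 permit icmp addrgroup Omnicell-Cabinets host 10.132.40.88
272 permit icmp addrgroup Omnicell-Cabinets host 10.132.40.87
10 permit tcp any any established
"""

# Optional sequence number, the rule text, optional "(N matches)" hit counter.
ACE = re.compile(r"^\s*(?:(\d+)\s+)?((?:permit|deny)\s.*?)(?:\s+\(\d+ match(?:es)?\))?\s*$")

def parse_aces(text):
    """Yield (sequence or None, rule text) for every permit/deny line."""
    for line in text.splitlines():
        m = ACE.match(line)
        if m:
            yield (int(m.group(1)) if m.group(1) else None), m.group(2)

def audit_show_acl(show_text):
    """Flag unsequenced, repeated and backwards-jumping entries in show output."""
    findings = {"unsequenced": [], "repeated": [], "out_of_order": []}
    seen, last = set(), None
    for seq, rule in parse_aces(show_text):
        if seq is None:
            findings["unsequenced"].append(rule)
            continue
        if seq in seen:
            findings["repeated"].append(seq)
        elif last is not None and seq < last:
            findings["out_of_order"].append(seq)
        seen.add(seq)
        last = seq
    return findings

def missing_from_show(run_text, show_text):
    """Rules present in the running config but absent from the show output."""
    shown = {rule for _, rule in parse_aces(show_text)}
    return [rule for _, rule in parse_aces(run_text) if rule not in shown]
```

Rule text is compared as literal strings, so both captures should come from the same device and session.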