I am a newly hired Network Engineer in our company. I don't know the history, but I typed the "show access-list" command on one of our core switches. The output goes like this:
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
IPv6 access list preauth_ipv6_acl (per-user)
permit udp any any eq domain sequence 10
permit tcp any any eq domain sequence 20
permit icmp any any nd-ns sequence 30
permit icmp any any nd-na sequence 40
permit icmp any any router-solicitation sequence 50
permit icmp any any router-advertisement sequence 60
permit icmp any any redirect sequence 70
permit udp any eq 547 any eq 546 sequence 80
permit udp any eq 546 any eq 547 sequence 90
deny ipv6 any any sequence 100
However, when I run the show running-configuration command, the access-list configuration is not showing. What could be the problem here? Is this a bug?
Model: 2960-X Catalyst
IOS version: 15.2(4)E8, RELEASE SOFTWARE (fc3)
Do you have ISE and 802.1x authentication on the network? Because I suspect these are dynamic ACLs that are downloaded from ISE; that's why you don't see them in the running config.
If you don't run dot1x, this is most likely an internal IOS-based ACL for the control plane that does not show in the running-config but shows when you use the "show access-list" command. Nothing to be concerned about.
These types of ACLs (internal) usually are not applied to any interface. As for seeing it in the running-config, sometimes if you upgrade or downgrade to a different version, you can see them but your version does not show it. I would not go upgrade or downgrade just to be able to see these types of ACL. This is all internal to the device.
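One way to check the three things raised in this answer, namely whether an ACL is present in the running config, whether it is bound to any interface, and whether it has counted any hits, as an added example that is not part of the original thread. It takes pasted output of "show access-lists", "show running-config" and "show ip interface"; the sample outputs embedded below are constructed, modelled on the question's paste (with one ordinary ACL added for contrast), not captured from the poster's switch.

```python
"""Cross-check 'show access-lists' against the running config and the
interface bindings to see which ACLs are dynamic (absent from the config)
and whether any of them is actually applied anywhere.

Hypothetical helper added to this thread; the sample outputs are constructed.
"""
import re

# Constructed sample of 'show access-lists': the two per-user ACLs from the
# question (abridged) plus one ordinary, statically configured ACL.
SHOW_ACCESS_LISTS = """\
Extended IP access list preauth_ipv4_acl (per-user)
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    60 deny ip any any
IPv6 access list preauth_ipv6_acl (per-user)
    permit udp any any eq domain sequence 10
    deny ipv6 any any sequence 100
Extended IP access list MGMT-IN
    10 permit tcp 10.0.0.0 0.0.0.255 any eq 22 (42 matches)
    20 deny ip any any (7 matches)
"""

# Constructed sample of 'show running-config | section access-list'.
RUNNING_CONFIG = """\
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any
"""

# Constructed sample of 'show ip interface', trimmed to the relevant lines.
SHOW_IP_INTERFACE = """\
Vlan10 is up, line protocol is up
  Outgoing access list is not set
  Inbound  access list is MGMT-IN
GigabitEthernet1/0/1 is up, line protocol is up
  Outgoing access list is not set
  Inbound  access list is not set
"""

# Header of each ACL block; the optional "(per-user)" tag marks a dynamic ACL.
HEADER_RE = re.compile(
    r"^(?:Extended |Standard )?(IP|IPv6) access list (\S+)(?: \((per-user)\))?$")
# IOS only appends "(N match/matches)" to entries that have counted hits.
MATCHES_RE = re.compile(r"\((\d+) match(?:es)?\)")


def parse_show_access_lists(text):
    """Return {name: {'family', 'per_user', 'entries': [(line, hits)]}}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            family, name, tag = m.groups()
            current = acls[name] = {
                "family": family, "per_user": tag == "per-user", "entries": []}
            continue
        if current is None:
            continue
        hits = MATCHES_RE.search(line)
        current["entries"].append((line, int(hits.group(1)) if hits else 0))
    return acls


def configured_acl_names(running_config):
    """Names of ACLs declared in the config (named and numbered forms)."""
    return set(re.findall(
        r"^(?:ip |ipv6 )?access-list (?:extended |standard )?(\S+)",
        running_config, re.M))


def applied_acl_names(show_ip_interface):
    """ACL names bound inbound or outbound on any interface."""
    return set(re.findall(
        r"^\s+(?:Inbound|Outgoing)\s+access list is (?!not set)(\S+)",
        show_ip_interface, re.M))


def audit(show_acl, running_config, show_ip_interface):
    """Per ACL: dynamic tag, presence in config, interface binding, hit count."""
    configured = configured_acl_names(running_config)
    applied = applied_acl_names(show_ip_interface)
    report = {}
    for name, acl in parse_show_access_lists(show_acl).items():
        report[name] = {
            "per_user": acl["per_user"],
            "in_running_config": name in configured,
            "applied_to_interface": name in applied,
            "total_matches": sum(hits for _, hits in acl["entries"]),
        }
    return report


if __name__ == "__main__":
    for name, info in audit(SHOW_ACCESS_LISTS, RUNNING_CONFIG, SHOW_IP_INTERFACE).items():
        print(f"{name:20} {info}")
```

Run it against your own pasted output instead of the constructed samples. Two caveats: "show ip interface" reports only statically bound IPv4 ACLs (use "show ipv6 interface" for IPv6 bindings), and ACLs pushed per session by 802.1x/ISE are reported under "show authentication sessions interface <if> details" rather than on the interface itself, so feed that output into the binding check as well if dot1x is in use. Note also that the output pasted in the question carries no "(N matches)" counters on any entry.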
@Reza Sharifi Is it possible that this ACL can affect my network even if it is not applied on any interface? We have a current network issue. The core switch (where the ACL is configured) can't reach a specific server, while the firewall (uplink of the core switch) is able to reach that server. Is it due to the access-list (the last statement is deny ip any any)?
These are possibly embedded ACLs for control plane access, or even a bug in the IOS. Try upgrading the software of the switch?
The switch applies the attributes to the 802.1X port for the duration of the user session
This is what Cisco says,
So it applies on the 802.1x interface, which I think is an access port.
For details about this ACL, please check your ACS "aaa".
I agree with @Reza Sharifi that this is likely something generated by the IOS. I have had similar experiences multiple times (on multiple platforms and multiple versions of code) where some access list(s) appear in show access-list but do not show up in the running config. It seems logical that they might be related to some control plane processing. I have not found a way to see them in show config and have come to the conclusion that it was not problematic.
The original poster says that there is some issue and wonders if these ACLs might be causing the issue. I do not understand the explanation of the problem, but believe that it is not likely that these ACLs are causing this issue. Perhaps if we had a better understanding of the issue and some understanding of the topology of the network we might be able to offer some suggestions.