cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
529
Views
10
Helpful
8
Replies
Highlighted
Beginner

Access-list not showing on show running-config

I am a newly hired Network Engineer in our company. I don't know the history but I type "show access-list" command on one of our core switches. The output goes like this:

 

Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
IPv6 access list preauth_ipv6_acl (per-user)
permit udp any any eq domain sequence 10
permit tcp any any eq domain sequence 20
permit icmp any any nd-ns sequence 30
permit icmp any any nd-na sequence 40
permit icmp any any router-solicitation sequence 50
permit icmp any any router-advertisement sequence 60
permit icmp any any redirect sequence 70
permit udp any eq 547 any eq 546 sequence 80
permit udp any eq 546 any eq 547 sequence 90
deny ipv6 any any sequence 100

 

However, when I show the running-configuration command, the access-list configurations are not showing. What could be the problem here? Is this a bug?

 

Model: 2960-X Catalyst

IOS version: 15.2(4)E8, RELEASE SOFTWARE (fc3)

8 REPLIES 8
Highlighted
Beginner

Hi,

Do you have ISE and 802.1x authentication on the network? Because I suspect these are dynamic ACLs that are downloaded from ISE thats why you don't see them in running config.

Highlighted
Hall of Fame Expert

Hi,

If you don't run dot1.x, this is most likely an internal IOS based ACL for the control plane that does not show in the running-config but shows when you use the "show access-list" command. Nothing to be concern about.

HTH

Highlighted
Beginner

@kubn2  We don't run ISE on our network

 

@Reza Sharifi is there a way that I can show this command on running-config? How do you know where interface it is applied?

Highlighted

Hi,

These types of ACLs (internal) usually are not applied to any interface.  As for seeing it in the running-config, sometimes if you upgrade or downgrade to a different version, you can see them but your version does not show it. I would not go upgrade or downgrade just to be able to see these types of ACL. This is all internal to the device.

HTH

Highlighted
Beginner

@Reza Sharifi  Is it possible that this ACL can affect my network even if it is not applied on any interface? We have a current network issue. The core switch (where the ACL is configured) can't reach a specific server while on the firewall (uplink of core switch) can able to reach that server. Is it due to the access-list (the last statement is deny ip any any)? 

Highlighted

Hello
These are possibly embedded acl for control plane access or even a bug in the ios, Try upgrading the software of the switch?



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Highlighted
Rising star

The switch applies the attributes to the 802.1X port for the duration of the user session

This as cisco say,

So it apply on 802.1x interface which i think is access.

For detail about this acl please check your acs "aaa" for more detail.

Highlighted

I agree with @Reza Sharifi that this is likely something generated by the IOS. I have had similar experience multiple times (on multiple platforms and multiple versions of code) where some access list(s) appear in show access-list but do not show up in running config. It seems logical that they might be related to some control plane processing. I have not found a way to see them in show config and have come to the conclusion that it was not problematic.

 

The original poster says that there is some issue and wonders if these acl might be causing the issue. I do not understand the explanation of the problem, but believe that it is not likely that these acl are causing this issue. Perhaps if we had a better understanding of the issue and some understanding of the topology of the network we might be able to offer some suggestions.

HTH

Rick
Content for Community-Ad