Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2806
Views
10
Helpful
9
Replies

Access-list not showing on show running-config

jlbbaluyut
Level 1
Level 1

‎11-06-2020 01:22 PM

I am a newly hired Network Engineer in our company. I don't know the history but I type "show access-list" command on one of our core switches. The output goes like this:

 

Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
IPv6 access list preauth_ipv6_acl (per-user)
permit udp any any eq domain sequence 10
permit tcp any any eq domain sequence 20
permit icmp any any nd-ns sequence 30
permit icmp any any nd-na sequence 40
permit icmp any any router-solicitation sequence 50
permit icmp any any router-advertisement sequence 60
permit icmp any any redirect sequence 70
permit udp any eq 547 any eq 546 sequence 80
permit udp any eq 546 any eq 547 sequence 90
deny ipv6 any any sequence 100

 

However, when I show the running-configuration command, the access-list configurations are not showing. What could be the problem here? Is this a bug?

 

Model: 2960-X Catalyst

IOS version: 15.2(4)E8, RELEASE SOFTWARE (fc3)

0 Helpful
9 Replies 9

kubn2
Level 1
Level 1

‎11-06-2020 02:27 PM

Hi,

Do you have ISE and 802.1x authentication on the network? Because I suspect these are dynamic ACLs that are downloaded from ISE thats why you don't see them in running config.

0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame

‎11-06-2020 02:55 PM - edited ‎11-06-2020 02:56 PM

Hi,

If you don't run dot1.x, this is most likely an internal IOS based ACL for the control plane that does not show in the running-config but shows when you use the "show access-list" command. Nothing to be concern about.

HTH

0 Helpful

jlbbaluyut
Level 1
Level 1

‎11-06-2020 03:03 PM

@kubn2  We don't run ISE on our network

 

@Reza Sharifi is there a way that I can show this command on running-config? How do you know where interface it is applied?

0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame
In response to jlbbaluyut

‎11-06-2020 03:30 PM

Hi,

These types of ACLs (internal) usually are not applied to any interface.  As for seeing it in the running-config, sometimes if you upgrade or downgrade to a different version, you can see them but your version does not show it. I would not go upgrade or downgrade just to be able to see these types of ACL. This is all internal to the device.

HTH

0 Helpful

jlbbaluyut
Level 1
Level 1

‎11-06-2020 03:42 PM

@Reza Sharifi  Is it possible that this ACL can affect my network even if it is not applied on any interface? We have a current network issue. The core switch (where the ACL is configured) can't reach a specific server while on the firewall (uplink of core switch) can able to reach that server. Is it due to the access-list (the last statement is deny ip any any)? 

0 Helpful

paul driver
VIP
VIP
In response to jlbbaluyut

‎11-06-2020 04:48 PM

Hello
These are possibly embedded acl for control plane access or even a bug in the ios, Try upgrading the software of the switch?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

MHM Cisco World
VIP
VIP

‎11-06-2020 06:00 PM

The switch applies the attributes to the 802.1X port for the duration of the user session

This as cisco say,

So it apply on 802.1x interface which i think is access.

For detail about this acl please check your acs "aaa" for more detail.

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎11-08-2020 08:26 AM

I agree with @Reza Sharifi that this is likely something generated by the IOS. I have had similar experience multiple times (on multiple platforms and multiple versions of code) where some access list(s) appear in show access-list but do not show up in running config. It seems logical that they might be related to some control plane processing. I have not found a way to see them in show config and have come to the conclusion that it was not problematic.

 

The original poster says that there is some issue and wonders if these acl might be causing the issue. I do not understand the explanation of the problem, but believe that it is not likely that these acl are causing this issue. Perhaps if we had a better understanding of the issue and some understanding of the topology of the network we might be able to offer some suggestions.

HTH

Rick

abdelwahabglm33863
Level 1
Level 1
In response to Richard Burts

‎03-12-2021 06:55 AM

i havethe same problem .i can ping between machines but not run a simulation on linnux.need help plz

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card