07-08-2013 01:52 PM - edited 03-07-2019 02:17 PM
I have three very large object groups that I'm trying to deny in an access-list. If I create the object groups and then attempt to deny them in an ACL I get a "% Duplicate ACE present after expansion.Aborting ACE addition!" error. However, if I create the object groups with just the first couple objects in each group, deny the groups in the ACL and then finish building the object groups I do not get a duplicate error. Am I correct in understanding the error as saying that there is a duplicated network between the groups? If so, why do I not see them when adding the networks to the object groups after they are already applied to the ACL?
07-08-2013 05:25 PM
Nathan,
CSCto56118 | Symptom: A duplicate ACE can be introduced in an ACL if the duplicate entry is added via an object-group. The parser will not detect/reject this duplicate ACE configuration. When the 6500 is reloaded and the ACL gets configured again during bootup, the duplicate ACE does get detected as expected. This can lead to a different access-list behavior before and after the reload of the 6500.
Conditions: Platform: 6500 Software: 12.2(33)SXI
Example:
# Configure object-group
Cat6500(config)#object-group ip address GRPTEST
Cat6500(config-ipaddr-ogroup)# host-info 10.10.10.10
# Configure an ACL that uses this object-group
Cat6500(config)#ip access-list extended GRPTEST
Cat6500(config-ext-nacl)# permit tcp host 10.11.11.11 host 10.12.12.12 eq 22
Cat6500(config-ext-nacl)# permit tcp addrgroup GRPTEST host 10.12.12.12 eq 22
# Update the object-group with an entry which already exists in the ACL
# This config change to the object-group is accepted (should not)
Cat6500(config)#object-group ip address GRPTEST
Cat6500(config-ipaddr-ogroup)# host-info 10.11.11.11
Cat6500#show access-lists GRPTEST
Extended IP access list GRPTEST
    10 permit tcp host 10.11.11.11 host 10.12.12.12 eq 22
    20 permit tcp addrgroup GRPTEST host 10.12.12.12 eq 22
# When reconfiguring the same ACL again, the duplicate ACE does get detected
# The config is not accepted as expected
dr1.sto1.int(config)#no ip access-list extended GRPTEST
dr1.sto1.int(config)#ip access-list extended GRPTEST
dr1.sto1.int(config-ext-nacl)# permit tcp host 10.11.11.11 host 10.12.12.12 eq 22
dr1.sto1.int(config-ext-nacl)# permit tcp addrgroup GRPTEST host 10.12.12.12 eq 22
% Duplicate ACE present after expansion.Aborting ACE addition!
Workaround: Check your ACLs to make sure you are not adding duplicate entries via an object-group |
HTH
Regards
Inayath
*Plz rate all the useful posts.
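The workaround in the bug text is a manual check. As an added example (not code from the thread or from Cisco), the script below does that check offline: it parses object-group membership and extended ACL lines from a constructed config snippet that reproduces the CSCto56118 sequence, expands every `addrgroup` reference into the per-host ACEs the switch will build, and reports any expanded ACE that duplicates one already produced by an earlier line. Running it against the final intended configuration catches the duplicate that the live device accepts when the member is appended to the group after the ACL exists, which is the case the thread asks about. Parsing is deliberately limited to `host`/`host-info` members and source/destination address specs with a trailing port clause; source-port operators and named protocol objects are not handled.

```python
"""
Offline duplicate-ACE check for IOS object-group ACLs (added example).

Expands each `addrgroup NAME` reference into the concrete host ACEs and
flags any expanded ACE that already exists, mirroring the parser's
"% Duplicate ACE present after expansion" check at reload time.
"""
import itertools
import re

# Constructed sample config reproducing the CSCto56118 sequence:
# 10.11.11.11 is both a standalone host ACE and a member of GRPTEST.
SAMPLE_CONFIG = """\
object-group ip address GRPTEST
 host-info 10.10.10.10
 host-info 10.11.11.11
ip access-list extended GRPTEST
 permit tcp host 10.11.11.11 host 10.12.12.12 eq 22
 permit tcp addrgroup GRPTEST host 10.12.12.12 eq 22
"""


def parse_config(text):
    """Return ({group_name: [hosts]}, {acl_name: [ace_line, ...]})."""
    groups, acls = {}, {}
    mode, name = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"object-group (?:ip address|network) (\S+)$", line)
        if m:
            mode, name = "group", m.group(1)
            groups.setdefault(name, [])
            continue
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            mode, name = "acl", m.group(1)
            acls.setdefault(name, [])
            continue
        if mode == "group":
            # 6500 uses "host-info", newer IOS "host" inside network groups
            m = re.match(r"(?:host-info|host) (\S+)$", line)
            if m:
                groups[name].append(m.group(1))
        elif mode == "acl" and line.split()[0] in ("permit", "deny"):
            acls[name].append(line)
    return groups, acls


def _endpoint(tokens, i):
    """Consume one address spec at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    # "host A", "addrgroup NAME" and "A.B.C.D wildcard" all take two tokens
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def expand_ace(ace_line, groups):
    """Expand one ACE into concrete (action, proto, src, dst, ports) tuples."""
    tok = ace_line.split()
    action, proto = tok[0], tok[1]
    src, i = _endpoint(tok, 2)
    dst, i = _endpoint(tok, i)
    ports = " ".join(tok[i:])  # e.g. "eq 22" or "" (no source-port support)

    def options(spec):
        if spec.startswith("addrgroup "):
            gname = spec.split()[1]
            if gname not in groups:
                raise KeyError(f"undefined object-group {gname}")
            return [f"host {h}" for h in groups[gname]]
        return [spec]

    return [(action, proto, s, d, ports)
            for s, d in itertools.product(options(src), options(dst))]


def find_duplicate_aces(config_text):
    """
    Return (acl, seq, ace_line, expanded_ace, first_seq) for every expanded
    ACE that duplicates one produced by an earlier line of the same ACL.
    Sequence numbers follow the IOS default of 10, 20, 30, ...
    """
    groups, acls = parse_config(config_text)
    findings = []
    for acl_name, lines in acls.items():
        seen = {}  # expanded tuple -> sequence number that first produced it
        for idx, line in enumerate(lines, start=1):
            seq = idx * 10
            for entry in expand_ace(line, groups):
                if entry in seen:
                    findings.append((acl_name, seq, line, " ".join(entry), seen[entry]))
                else:
                    seen[entry] = seq
    return findings


if __name__ == "__main__":
    for acl, seq, line, dup, first in find_duplicate_aces(SAMPLE_CONFIG):
        print(f"{acl} seq {seq}: '{line}' expands to '{dup}', "
              f"already present at seq {first}")
```

Run it over the config you intend to have after the object-groups are fully populated (or over a `show running-config` export) before a reload: any finding is an ACE the switch will reject at bootup, leaving the ACL different from what is running today.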
07-09-2013 05:11 AM
Right on InayathUlla!
Thanks,
Nate