[c-nsp] Ambiguous ACL "log" in 12.2(58)SE2?

Chuck Church chuckchurch at gmail.com
Wed Jan 18 18:15:02 EST 2012


Nice.  What if you enter 'log' twice?  Wondering if you can do something
like this:

> Grote-Uplink(config-ext-nacl)#100 deny tcp any host 192.168.128.74 eq log
> Grote-Uplink(config-ext-nacl)#101 permit tcp any host 192.168.128.74 eq smtp syslog log log

Corny, but if they're going to botch up a maintenance release like that...

Chuck


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Kell
Sent: Wednesday, January 18, 2012 4:47 PM
To: cisco-nsp
Subject: Re: [c-nsp] Ambiguous ACL "log" in 12.2(58)SE2?

Hrmm... looks like this release is attempting to take multiple services:

> Grote-Uplink(config-ext-nacl)#101 permit tcp any host 192.168.128.74 eq smtp syslog ftp

That was *accepted*.  So a trailing "log" on a "tcp" permit is ambiguous
with "login" (rlogin/513), and it's impossible to make it unambiguous
(apparently).

What's going on here?  TCP ACLs on existing switches with trailing "log"
are having those statements removed at startup and causing a bit of havoc...

Anyone else seeing this?

Running c3560e-universalk9-mz.122-58.SE2.bin on a WS-C3560X-24T-S with an IP
services license.

Jeff


On 1/18/2012 10:14 AM, Jeff Kell wrote:
> Running into this on a 3560X IP Services (context is accepted by everything else...)
>
>> Grote-Uplink(config-ext-nacl)#85 permit tcp any any eq 9100 log
>> % Ambiguous command: "85 permit tcp any any eq 9100 log"
>> Grote-Uplink(config-ext-nacl)#85 permit tcp any any eq 9100 log ! log
>> % Ambiguous command: "85 permit tcp any any eq 9100 log ! log"
>> Grote-Uplink(config-ext-nacl)#85 permit tcp any any eq 9100 log
>> % Ambiguous command: "85 permit tcp any any eq 9100 log "
>> Grote-Uplink(config-ext-nacl)#
> What's up with that?
>
> Jeff
>
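
A pre-upgrade audit and post-reload check for the behaviour reported in this thread, as an added example (not code from any poster or from Cisco): it flags TCP entries whose trailing `log` directly follows an `eq` port list, and lists entries present in the saved config but missing after boot. The config text, the ACL name `UPLINK-IN` and the function names are constructed for illustration, and the match rule is a heuristic based only on the lines quoted in the thread.

```python
import re

# Constructed sample configs (not from the thread's device): the saved
# startup config, and the running config as it might look after the reload.
SAVED = """\
ip access-list extended UPLINK-IN
 permit tcp any any eq 9100 log
 permit tcp any eq 9100 any log
 permit udp any any eq 514 log
 deny tcp any host 192.168.128.74 eq smtp
 deny ip any any log
"""
RUNNING = SAVED.replace(" permit tcp any any eq 9100 log\n", "")

ADDR = re.compile(r"^(any|host|\d+\.\d+\.\d+\.\d+)$")

def aces(config):
    """Map each named extended ACL to its entries, sequence numbers stripped."""
    acls, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            name = m.group(1)
            acls[name] = []
        elif name and re.match(r"(\d+\s+)?(permit|deny)\s", line):
            acls[name].append(re.sub(r"^\d+\s+", "", line))
        elif line and not raw.startswith(" "):
            name = None  # a non-indented line ends the ACL sub-mode
    return acls

def at_risk(config):
    """TCP entries where a trailing 'log' directly follows an 'eq' port list."""
    hits = []
    for name, entries in aces(config).items():
        for ace in entries:
            t = ace.split()
            if t[1] != "tcp" or t[-1] != "log" or "eq" not in t:
                continue
            last_eq = len(t) - 1 - t[::-1].index("eq")
            ports = t[last_eq + 1:-1]  # tokens between the last 'eq' and 'log'
            if ports and not any(ADDR.match(p) for p in ports):
                hits.append((name, ace))
    return hits

def dropped(saved, running):
    """Entries present in the saved config but absent from the running one."""
    now = aces(running)
    return [(n, a) for n, es in aces(saved).items()
            for a in es if a not in now.get(n, [])]
```

Run `at_risk` against the saved config before upgrading, and `dropped` against the saved and running configs after the reload; any entry it returns is a permit or deny that is no longer being enforced.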
