[c-nsp] Ambiguous ACL "log" in 12.2(58)SE2?

Chuck Church chuckchurch at gmail.com
Wed Jan 18 22:25:45 EST 2012


Wow.  I think you can include precedence between the ports and the log.  Can
you put that in to maybe match all precedences?  Otherwise, I think I'd hold
off on this release, sounds like it needs a good deferral.

Chuck

-----Original Message-----
From: Jeff Kell [mailto:jeff-kell at utc.edu] 
Sent: Wednesday, January 18, 2012 8:20 PM
To: Chuck Church
Cc: 'cisco-nsp'
Subject: Re: [c-nsp] Ambiguous ACL "log" in 12.2(58)SE2?

Nope, it's still ambiguous.

> Grote-Uplink(config-ext-nacl)#$st 192.168.128.74 eq www smtp log log ?
> % Ambiguous command:  "101 permit tcp any host 192.168.128.74 eq www smtp log log "

The "scary part" of this is that simply updating your IOS removes some of
your ACL lines (when startup-config is loaded they also error)

Jeff


On 1/18/2012 6:15 PM, Chuck Church wrote:
> Nice.  What if you enter 'log' twice?  Wondering if you can do 
> something like this:
>
>> Grote-Uplink(config-ext-nacl)#100 deny tcp any host 192.168.128.74 eq log
>> Grote-Uplink(config-ext-nacl)#101 permit tcp any host 192.168.128.74 eq smtp syslog log log
>
> Corny, but if they're going to botch up a maintenance release like that...
>
> Chuck
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Kell
> Sent: Wednesday, January 18, 2012 4:47 PM
> To: cisco-nsp
> Subject: Re: [c-nsp] Ambiguous ACL "log" in 12.2(58)SE2?
>
> Hrmm... looks like this release is attempting to take multiple services:
>
>> Grote-Uplink(config-ext-nacl)#101 permit tcp any host 192.168.128.74 eq smtp syslog ftp
>
> That was *accepted*.  So a trailing "log" on a "tcp" permit is ambiguous
> with "login" (rlogin/513), and it's impossible to make it unambiguous
> (apparently).
>
> What's going on here?  TCP ACLs on existing switches with trailing "log"
> are having those statements removed at startup and causing a bit of havoc...
>
> Anyone else seeing this?
>
> Running c3560e-universalk9-mz.122-58.SE2.bin on a WS-C3560X-24T-S with 
> an IP services license.
>
> Jeff
>
>
> On 1/18/2012 10:14 AM, Jeff Kell wrote:
>> Running into this on a 3560X IP Services (context is accepted by everything else...)
>>> Grote-Uplink(config-ext-nacl)#85 permit tcp any any eq 9100 log
>>> % Ambiguous command: "85 permit tcp any any eq 9100 log"
>>> Grote-Uplink(config-ext-nacl)#85 permit tcp any any eq 9100 log ! log
>>> % Ambiguous command: "85 permit tcp any any eq 9100 log ! log"
>>> Grote-Uplink(config-ext-nacl)#85 permit tcp any any eq 9100 log
>>> % Ambiguous command: "85 permit tcp any any eq 9100 log "
>>> Grote-Uplink(config-ext-nacl)#
>> What's up with that?
>>
>> Jeff
>>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
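
A pre-upgrade check for the condition described in this thread, as an added example that is not from any of the posters: it scans a saved config for TCP ACL entries whose trailing "log" directly follows an "eq" port list, the form reported above as ambiguous and dropped at startup. The ACL name, the sample entries, the NOT_A_PORT keyword list and the coverage of numbered "access-list" lines are assumptions made for the example.

```python
import re

# Address keywords and entry options that end a port list (assumed, not exhaustive).
NOT_A_PORT = {"any", "host", "established", "precedence", "dscp", "tos",
              "time-range", "fragments"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Named-ACL entry (optional sequence number) or numbered "access-list N" entry; TCP only,
# since the thread reports the problem only for "tcp" entries.
ENTRY = re.compile(
    r"^\s*(?:access-list\s+\d+\s+|\d+\s+)?(?:permit|deny)\s+tcp\s+(.*)$")

def log_follows_ports(tokens):
    """True if the entry ends in 'log' directly after an 'eq' port list."""
    if len(tokens) < 3 or tokens[-1] != "log":
        return False
    eq_positions = [i for i, t in enumerate(tokens) if t == "eq"]
    if not eq_positions:
        return False
    # Everything between the last 'eq' and the trailing 'log' must be a port operand.
    operands = tokens[eq_positions[-1] + 1:-1]
    return bool(operands) and not any(
        t in NOT_A_PORT or IPV4.match(t) for t in operands)

def at_risk_entries(config_text):
    """Return (line_number, entry) for each TCP ACL entry to review before upgrading."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), 1):
        match = ENTRY.match(line)
        if match and log_follows_ports(match.group(1).split()):
            hits.append((number, line.strip()))
    return hits

# Constructed sample config; only the "eq 9100 log" entry is taken from the thread.
SAMPLE = """\
ip access-list extended UPLINK-IN
 85 permit tcp any any eq 9100 log
 90 permit tcp any eq 443 any log
 95 permit udp any any eq 514 log
 100 deny tcp any host 192.168.128.74 eq smtp
 110 permit tcp any any established log
access-list 120 permit tcp any any eq 22 log
"""

if __name__ == "__main__":
    for number, entry in at_risk_entries(SAMPLE):
        print(f"line {number}: {entry}")
```

Comparing the flagged entries against the running config after the upgrade shows which lines, if any, were dropped at startup.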


