[c-nsp] Ambiguous ACL "log" in 12.2(58)SE2?

Jiri Prochazka jiri.prochazka at superhosting.cz
Thu Jan 19 06:40:32 EST 2012


Jeff,


On 18.1.2012 22:46, Jeff Kell wrote:
> Hrmm... looks like this release is attempting to take multiple services:
>
>> Grote-Uplink(config-ext-nacl)#101 permit tcp any host 192.168.128.74 eq smtp syslog ftp
> That was *accepted*.  So a trailing "log" on a "tcp" permit is ambiguous with "login"
> (rlogin/513), and it's impossible to make it unambiguous (apparently).
>
> What's going on here?  TCP ACLs  on existing switches with trailing "log" are having
> those statements removed at startup and causing a bit of havoc...
>
> Anyone else seeing this?
>
> Running c3560e-universalk9-mz.122-58.SE2.bin on a WS-C3560X-24T-S with an IP services
> license.

I just tried this on one of our 2960s running 12.2(58)SE1 and it's 
impacted as well.

2960, 12.2(58)SE1
switchX(config-ext-nacl)#permit tcp any any eq 80 log
% Ambiguous command:  "permit tcp any any eq 80 log"


Version 15.0(1)SE is affected by this too.

2960S, 15.0(1)SE
switchY(config-ext-nacl)#permit tcp any any eq 80 log
% Ambiguous command:  "permit tcp any any eq 80 log"


The last version I have found which can handle a 'log' append on the 2960 is 
12.2(55)SE2.



Jiri

> Jeff
>
>
> On 1/18/2012 10:14 AM, Jeff Kell wrote:
>> Running into this on a 3560X IP Services (context is accepted by everything else...)
>>
>>> Grote-Uplink(config-ext-nacl)#85 permit tcp any any eq 9100 log
>>> % Ambiguous command: "85 permit tcp any any eq 9100 log"
>>> Grote-Uplink(config-ext-nacl)#85 permit tcp any any eq 9100 log ! log
>>> % Ambiguous command: "85 permit tcp any any eq 9100 log ! log"
>>> Grote-Uplink(config-ext-nacl)#85 permit tcp any any eq 9100 log
>>> % Ambiguous command: "85 permit tcp any any eq 9100 log "
>>> Grote-Uplink(config-ext-nacl)#
>> What's up with that?
>>
>> Jeff
>>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
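
A pre-upgrade check for the behaviour reported in this thread, as an added example that is not part of the original posts: it lists TCP ACL entries ending in the bare keyword `log`, the kind of entry the thread reports being rejected as ambiguous or removed at startup on the affected releases. The sample config and the function name are constructed; flagging every TCP entry with a trailing `log` is an assumption, since the thread only shows cases after an `eq` port match.

```python
import re

# Constructed sample config (not taken from the switches in the thread).
SAMPLE_CONFIG = """\
ip access-list extended UPLINK-IN
 permit tcp any any eq 9100 log
 permit tcp any host 192.0.2.10 eq smtp
 deny   udp any any eq 161 log
 deny   ip any any log
!
access-list 101 permit tcp any any eq 80 log
access-list 101 permit tcp any any established
ip access-list standard MGMT
 permit 192.0.2.0 0.0.0.255 log
"""

NAMED = re.compile(r"^ip access-list extended (\S+)\s*$")
NUMBERED = re.compile(r"^access-list (\d+) (.+)$")
# Optional sequence number, action, protocol tcp, then a bare trailing "log"
# ("log-input" is deliberately not matched; the thread does not mention it).
TCP_LOG_ACE = re.compile(r"^(?:\d+\s+)?(?:permit|deny)\s+tcp\s.*\slog\s*$")

def find_at_risk_aces(config_text):
    """Return (acl, line_number, entry) for TCP ACEs that end in 'log'."""
    hits, current = [], None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.rstrip()
        m = NAMED.match(line)
        if m:
            current = m.group(1)          # entering a named extended ACL
            continue
        m = NUMBERED.match(line)
        if m:
            current = None
            acl, entry = m.group(1), m.group(2)
        elif line.startswith(" ") and current:
            acl, entry = current, line.strip()
        else:
            current = None                # left the ACL sub-mode
            continue
        if TCP_LOG_ACE.match(entry):
            hits.append((acl, lineno, entry))
    return hits

if __name__ == "__main__":
    for acl, lineno, entry in find_at_risk_aces(SAMPLE_CONFIG):
        print(f"line {lineno}: ACL {acl}: {entry}")
```

Run it against a saved copy of the running-config before moving a switch to one of the releases named in the thread, so entries that would be dropped are known in advance.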


