Bug in SAN-OS 3.3(5) with tftp access-list entries

As an update to this, it appears the problem only happens when you use tftp in the destination part of an access-control list entry. If it is used in the source part, the entry can be added as well as removed. So to summarize: while in config mode the CLI does not seem to recognize the tftp keyword in the destination part of the ACL, yet it correctly transposes UDP eq port 69 into that keyword when displaying the configuration. This is also an issue when you try to remove that ACL entry in configuration mode, as it will error if you use the tftp keyword in the destination part.

This has been confirmed as bug id CSCsz63848.

This is a relatively small bug that I just found. Here is the bulk of what I sent to TAC:

Problem Details: when creating access-lists, the contextual help lists tftp as a guided option:

MDS3(config)# ip access-list MGMT permit udp 172.16.3.0 0.0.0.255 eq port ?
<0-65535> Enter source port number
dns Domain name server (UDP port 53)
ftp File transfer control (TCP port 21)
ftp-data File transfer data (TCP port 20)
http World wide web HTTP (TCP port 443)
ntp Network time protocol (UDP port 123)
radius Radius (TCP port 1812)
sftp Simple file transfer protocol (TCP port 115)
smtp Simple mail transfer protocol (TCP port 25)
snmp SNMP (UDP port 161)
snmp-trap SNMP trap (UDP port 162)
ssh SSH remote login protocol (TCP port 22)
syslog Syslog (UDP port 514)
tacacs-ds TACACS-database service (TCP port 65)
telnet Telnet (TCP port 23)
tftp Trivial file transfer protocol (UDP port 69)
wbem-http WBEM HTTP (TCP port 5988)
wbem-https WBEM HTTPS (TCP port 5989)
www World wide web HTTP (TCP port 80)

Whether you configure the access-list using the keyword “tftp”, or just specify “eq port 69” for a UDP entry, it is transposed into the keyword “tftp”:

MDS3(config)#ip access-list MGMT permit udp any 172.16.3.153 0.0.0.0 eq port 69
MDS3(config)#exit
MDS3#show run | inc tftp
ip access-list MGMT permit udp any 172.16.3.153 0.0.0.0 eq port tftp

When you try to remove the ACL entry using the tftp keyword, exactly as it's displayed (essentially cut-and-paste), it fails:

MDS3# show run | inc MGMT
ip access-list MGMT permit tcp any 172.16.3.153 0.0.0.0 eq port telnet
ip access-list MGMT permit tcp any 172.16.3.153 0.0.0.0 eq port ssh
ip access-list MGMT permit tcp any 172.16.3.153 0.0.0.0 eq port http
ip access-list MGMT permit udp 172.16.3.240 0.0.0.0 eq port radius 172.16.3.153 0.0.0.0
ip access-list MGMT permit udp 172.16.3.0 0.0.0.255 172.16.3.153 0.0.0.0 eq port snmp
ip access-list MGMT permit tcp 172.16.3.241 0.0.0.0 eq port 49 172.16.3.153 0.0.0.0
ip access-list MGMT permit udp 172.16.3.0 0.0.0.255 172.16.3.153 0.0.0.0 eq port tftp
ip access-group MGMT in
MDS3# conf t
Enter configuration commands, one per line. End with CNTL/Z.
MDS3(config)# no ip access-list MGMT permit udp 172.16.3.0 0.0.0.255 172.16.3.153 0.0.0.0 eq port tftp
^
% invalid parameter detected at ‘^’ marker.

MDS3(config)#
MDS3(config)# no ip access-list MGMT permit udp 172.16.3.0 0.0.0.255 172.16.3.153 0.0.0.0 eq port 69
MDS3(config)# exit

This is tested on a lab MDS, SAN-OS version 3.3(5). Should be easy for you all to create an ACL with tftp in it and observe you cannot delete it with cut and paste (prefixed with “no”).
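The practical consequence of the bug is that a "no" command built by cut-and-paste from "show run" is rejected whenever the destination port is rendered as the tftp keyword, while the same entry with the numeric port is accepted. The script below is an added example (it is not part of the original post and not Cisco code) that generates removal commands from "show run" text and rewrites only the destination-port keyword to its number, leaving source-port keywords alone, since the post reports those work. It assumes the entry grammar visible in the output above (ip access-list NAME ACTION PROTO SRC [eq port X] DST [eq port X], with SRC/DST being "any" or an address plus wildcard); the keyword-to-port table is taken from the contextual help shown earlier, with http deliberately left out because that help text lists it as TCP 443 while the standard port is 80, so it should be checked on the device before a number is substituted.

```python
"""Build 'no ip access-list ...' commands from 'show run' output, substituting
the numeric port for the destination-port keyword so the CLI accepts it.
Example code written for this post; grammar and keyword table are assumptions
drawn from the CLI output shown in the post, not from Cisco documentation."""

# Keyword -> port, from the contextual help in the post (well-known values only).
# 'http' is intentionally absent: the help text prints TCP 443 for it, which
# disagrees with the standard port 80, so verify it on the device first.
PORT_KEYWORDS = {
    "dns": 53, "ftp": 21, "ftp-data": 20, "ntp": 123, "radius": 1812,
    "sftp": 115, "smtp": 25, "snmp": 161, "snmp-trap": 162, "ssh": 22,
    "syslog": 514, "tacacs-ds": 65, "telnet": 23, "tftp": 69,
    "wbem-http": 5988, "wbem-https": 5989, "www": 80,
}


def _take_addr(tokens):
    """Consume 'any' or 'ADDR WILDCARD' from the front of the token list."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        return ["any"], tokens[1:]
    if len(tokens) < 2:
        raise ValueError("address without wildcard mask")
    return tokens[:2], tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq port X' clause; return (X or None, remainder)."""
    if len(tokens) >= 3 and tokens[0] == "eq" and tokens[1] == "port":
        return tokens[2], tokens[3:]
    return None, tokens


def parse_ace(line):
    """Split one access-list entry into its fields (assumed grammar, see above)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "ip" or tokens[1] != "access-list":
        raise ValueError("not an ip access-list entry: %r" % line)
    name, action, proto = tokens[2], tokens[3], tokens[4]
    src, rest = _take_addr(tokens[5:])
    src_port, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dst_port, rest = _take_port(rest)
    if rest:
        raise ValueError("unparsed trailing tokens: %r" % rest)
    return {"name": name, "action": action, "proto": proto,
            "src": src, "src_port": src_port, "dst": dst, "dst_port": dst_port}


def removal_command(line):
    """Return the 'no ...' form of an entry, with the destination-port keyword
    replaced by its number so the config-mode parser accepts it. Source-port
    keywords and unknown destination keywords are passed through unchanged."""
    ace = parse_ace(line)
    dst_port = ace["dst_port"]
    if dst_port is not None and dst_port in PORT_KEYWORDS:
        dst_port = str(PORT_KEYWORDS[dst_port])
    parts = ["no", "ip", "access-list", ace["name"], ace["action"], ace["proto"]]
    parts += ace["src"]
    if ace["src_port"] is not None:
        parts += ["eq", "port", ace["src_port"]]
    parts += ace["dst"]
    if dst_port is not None:
        parts += ["eq", "port", dst_port]
    return " ".join(parts)


def removal_commands(show_run_text, acl_name):
    """Generate removal commands for every entry of ACL_NAME in show-run text,
    skipping unrelated lines such as 'ip access-group' or other ACLs."""
    prefix = "ip access-list %s " % acl_name
    return [removal_command(ln.strip()) for ln in show_run_text.splitlines()
            if ln.strip().startswith(prefix)]


# Constructed sample: the MGMT lines quoted in the post, plus the access-group.
SAMPLE_SHOW_RUN = """\
ip access-list MGMT permit tcp any 172.16.3.153 0.0.0.0 eq port telnet
ip access-list MGMT permit udp 172.16.3.240 0.0.0.0 eq port radius 172.16.3.153 0.0.0.0
ip access-list MGMT permit udp 172.16.3.0 0.0.0.255 172.16.3.153 0.0.0.0 eq port tftp
ip access-group MGMT in
"""

if __name__ == "__main__":
    for cmd in removal_commands(SAMPLE_SHOW_RUN, "MGMT"):
        print(cmd)
```

Paste the printed commands into config mode instead of the raw "show run" lines; the tftp entry comes out as "eq port 69", which is the form the post shows being accepted, and the radius source-port keyword is left as the device printed it.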

As usual I will post the bug ID once I get it back from TAC. I am not sure if this is an already logged bug or not, but it may be marked “internal only” as many seem to be. I am not sure if this affects any other versions of SAN-OS/NX-OS as I have only tested 3.3(5) at this time.

This entry was posted in CCIE Storage, CLI.
