FQDN in ip access-list?

Hi, seems I have found a bug in 8.0.7d where if I use an extended ACL with a fully qualified domain name the switch will reboot. I looked at the command reference for this version and it does not say whether or not you can, but when I look at the same doc for 8.0.92 they give an example for a standard ACL, i.e., "IPHost1" as shown below.

device# configure terminal
device(config)# ip access-list standard 1
device(config-std-nacl)# deny host 10.157.22.26 log
device(config-std-nacl)# deny 10.157.29.12 log
device(config-std-nacl)# deny host IPHost1 log

As the device is in production I'm wondering if it is safe to use a standard ACL on 8.0.7d or do I need to upgrade, and if so, what is the next version which supports ip access-list with FQDN.

Thanks!

Bob Heathote


Posted 3 months ago


Simon, Employee

Hi Bob

The difference between the documents reflects a correction that was made in the 8.0.80 guide when the command syntax was updated.

If you have a support contract I would recommend opening a case so that TAC can investigate the issue and recommend the best course of action.

If you don't have a support contract you should consider upgrading to 8.0.90f. Ideally, test the configuration on a switch before putting it into production if at all possible.

Note that the upgrade to 8.0.90 is a two-step process: you should upgrade to 8.0.80e first and then to .90f. Refer to the 8.0.90 upgrade guide for more details.