See That Last Line In The Access List? Yeah, That Means You Don't Have An Access List

On Call Just one more day to go – the weekend is creeping into view. Unless, of course, you're one of those brave souls cursed to be forever On Call.

It seems an awful lot of you have had a run-in with Cisco hardware at one time or another. The company is, after all, almost a byword for networking infrastructure and some interesting approaches to licensing.

"Will" (not his name) was no exception and one day was called to exercise his Cisco skills. "Do you," went the question, "know how to do a 'show tech' in a Cisco router?"

We're pretty sure this was a reference to the show tech-support command which spits out information on the features of the relevant box. Unfiltered, it tends to be rather verbose and so its output is best redirected to a file for later perusal.

Will had spent a good few years at the Cisco coalface and so, of course, he knew about this command. Exactly why the customer wanted it, however, was open to question.

"There seems to be a problem with the firewall rules," explained the customer. "We are getting a lot of spam…"

Further investigation revealed that a new router had recently been installed on site by a crack team of contractors. Of course it had been set up correctly. After all, going near the precious hardware requires all manner of certifications and qualifications, right? Right?

Will pondered the problem. "Let me take a look at the filter list first," he said.

Ah.

Sure enough, there was a filter list in place. The good config fairy had been! However, it appeared the bad config fairy had also paid a visit. The contractors had been unable to make things work and so rendered the list worthless with a simple command at the end of the access list: "permit any any".

It's been a while since we last ventured into the world of Cisco configuration, but that looks pretty… bad. Sure, everything would work. But also, everything would work.
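An added example, not part of the original article: Cisco access lists are evaluated top-down and the first match wins, with an implicit deny at the end, so a catch-all permit either replaces that implicit deny or shadows every entry after it. The audit below flags both cases; the configuration, ACL names and addresses are constructed for illustration.

```python
import re

# Constructed sample in Cisco IOS syntax (documentation address ranges).
SAMPLE_CONFIG = """\
ip access-list extended OUTSIDE-IN
 remark mail only from the filtering relay (hypothetical host)
 permit tcp host 198.51.100.25 host 192.0.2.10 eq smtp
 deny tcp any any eq smtp
 permit ip any any
ip access-list extended MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
access-list 101 permit ip any any
access-list 101 deny tcp any any eq 23
"""

NAMED = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
NUMBERED = re.compile(r"^access-list (\d+) (.+)")
# Matches "permit any", "permit ip any any" and the shorthand "permit any any".
CATCH_ALL = re.compile(r"^(?:\d+ )?permit (?:ip )?any(?: any)?(?: log)?$")

def parse_acls(config):
    """Return {acl_name: [entries in configured order]}, skipping remarks."""
    acls, current = {}, None
    for raw in config.splitlines():
        entry = None
        if m := NUMBERED.match(raw):
            current, name, entry = None, m.group(1), m.group(2)
        elif m := NAMED.match(raw):
            current = name = m.group(1)
        elif current and raw.startswith(" ") and raw.strip():
            name, entry = current, raw.strip()
        else:
            current = None
            continue
        acls.setdefault(name, [])
        if entry and not entry.startswith("remark"):
            acls[name].append(entry)
    return acls

def audit(config):
    """List (acl, index, is_last, shadowed_count) for the first catch-all permit."""
    findings = []
    for name, entries in parse_acls(config).items():
        for i, entry in enumerate(entries):
            if CATCH_ALL.match(entry):
                findings.append((name, i, i == len(entries) - 1, len(entries) - 1 - i))
                break
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

A finding with `is_last` true means the implicit deny never applies; a non-zero `shadowed_count` means that many later entries can never match.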

"The contractors actually didn't know how to program Cisco access lists," Will told us.

"See the last line in the access list?" he told the customer. "That means you don't have one."

A quick call to run show tech-support had expanded into multiple days to fix the rules. "In particular," he said, "email was meant to be channelled through a filtering company and not directly exposed."

Whoops!

Still, justice was swift.

"The contractors were fired."

Sometimes it seems every call-out is to fix somebody else's screw-up. Have you ever found a customer with its trousers so completely round its ankles thanks to a contractor error? Or were you that contractor? Let us know how that call went with an email to On Call. ®
