A funny thing with ACLs on a Cisco Router

I recently experienced a strange issue with an access list on a Cisco router which took me a while to fix so I thought it was worth sharing (as obscure as it is!)

As I have been pretty much working from home for the last few weeks (like everyone else) I needed to make some adjustments to my home network to make sure my work laptop wasn’t accessible from any of the many other devices that live there. Easy done, a new VLAN and some ACLs on my trusty Cisco 891F and all was good. Over the weekend I was working on a new project with one of my Raspberry Pis and some new mail order goodies and I needed to allow SSH access from my “Work from Home” VLAN. Easy done, just add some new ACL entries and off we go. Nope.

Raspberry Pi was on and I was accessing from subnet

The lines in question were as below (this was for the return traffic), everything looked OK but I couldn’t connect via SSH.

60 permit tcp eq 22

61 deny ip any

I spent a VERY long time troubleshooting this issue, adding logging and testing various scenarios.

To cut a long story short all I needed to do to fix it was run a resequence on the access list.

ip access-list resequence 100 10 10

Straight after running this, the ACL started behaving and I was able to connect to my Pi. I dont quite know what was wrong, maybe the ACL became corrupted somehow?

IOS was c800-universalk9-mz.SPA.157-3.M3.bin running on a C891F-K9

Leave a Reply

Your email address will not be published. Required fields are marked *