RE: Clearing dynamic ACL posted 01/23/2006


Here is the answer to your question about using a named ACL with the
clear access-template command.

Rack1R5#clear access-template ?
  <100-199>    IP extended access list
  <2000-2699>  IP extended access list (expanded range)

Rack1R5#clear access-template
Rack1R5#clear access-template MYACL MYDYNACL host 163.1.5.8 any
                              ^
% Invalid input detected at '^' marker.

Rack1R5#show ip access-list MYACL
Extended IP access list MYACL
    10 Dynamic MYDYNACL permit ip any any
       permit ip host 163.1.5.8 any (53 matches)
    20 permit tcp any any eq telnet
    30 deny ip any any log
Rack1R5#

HTH,

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@xxxxxxxxxxxxxxxxxxxxxx 
 
Internetwork Expert, Inc. 
http://www.InternetworkExpert.com 
Toll Free: 877-224-8987 
Direct: 775-745-6404 (Outside the US and Canada) 
 

-----Original Message-----
From: Leigh Nash [mailto:leigh@xxxxxxxxxxxxx] 
Sent: Sunday, January 22, 2006 2:49 PM
To: Brian Dennis; 'Cisco certification'
Subject: RE: Clearing dynamic ACL

Thanks Brian,

Your example is a numbered ACL. More specifically, does this work with a
named ACL?

r5#sh access-li                                       
Extended IP access list DYN
    10 permit ospf any any (6 matches)
    20 permit tcp any any eq telnet (44 matches)
    30 Dynamic LOCKKEY permit ip any any
       permit ip host 70.0.0.6 any (10 matches) (time left 564)
    40 deny ip any any log (9 matches)
r5#clear access-template DYN LOCKKEY host 70.0.0.6 any
                         ^
% Invalid input detected at '^' marker.

Leigh

-----Original Message-----
From: Brian Dennis [mailto:bdennis@xxxxxxxxxxxxxxxxxxxxxx] 
Sent: Sunday, January 22, 2006 2:13 PM
To: Leigh Nash; Cisco certification
Subject: RE: Clearing dynamic ACL

The options in the "clear access-template" command need to match what is
in the dynamic ACL.  The "?" doesn't give you the help you would expect
with the "clear access-template" command.  Remember to just type a
command out if you think the option should take even if it doesn't show
up with the "?".  This is just one of the many commands that do not show
up properly, or in some cases at all, with the "?".

Here is an example of how to clear a dynamic ACL:
 
Rack4R1#sho access-list
Extended IP access list 100
    10 permit tcp any any eq telnet (26 matches)
    20 Dynamic LOCK_KEY permit icmp any any echo
       permit icmp host 1.1.1.2 any echo
    30 deny ip any any (36 matches)
Rack4R1#
Rack4R1#clear access-template 100 LOCK_KEY host 1.1.1.2 any    
Rack4R1#sho access-list                                             
Extended IP access list 100
    10 permit tcp any any eq telnet (26 matches)
    20 Dynamic LOCK_KEY permit icmp any any echo
    30 deny ip any any (66 matches)
Rack4R1#

HTH,

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
 

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
Leigh Nash
Sent: Sunday, January 22, 2006 1:21 PM
To: 'Cisco certification'
Subject: Clearing dynamic ACL

Hello all,

I've had no success clearing a dynamic ACL on a 2500/2600.
clear access-template [access-list-number | name] [dynamic-name] [source] [destination]

r5#clear access-template ?
   <100-199>    IP extended access list
   <2000-2699>  IP extended access list (expanded range)
r5#clear access-template LOCK
 % Invalid input detected at '^' marker.

r6#clear access-template ?
  <100-199>    IP extended access list
  <2000-2699>  IP extended access list (expanded range)
r6#clear access-template 101 ?
 % Unrecognized command

On the 3550 it seems to work. 
Is there something different I can try? Or is the solution to set the
timeout low and just wait? ;)

Thank you,

Leigh

_______________________________________________________________________
Subscription information may be found at: 
http://www.groupstudy.com/list/CCIELab.html


