From: Leigh Nash (leigh@net-elite.org)
Date: Sun Jan 22 2006 - 19:48:46 GMT-3
Thanks Brian,
Your example is a numbered ACL. More specifically, does this work with a
named ACL?
r5#sh access-li
Extended IP access list DYN
10 permit ospf any any (6 matches)
20 permit tcp any any eq telnet (44 matches)
30 Dynamic LOCKKEY permit ip any any
permit ip host 70.0.0.6 any (10 matches) (time left 564)
40 deny ip any any log (9 matches)
r5#clear access-template DYN LOCKKEY host 70.0.0.6 any
^
% Invalid input detected at '^' marker.
Leigh
-----Original Message-----
From: Brian Dennis [mailto:bdennis@internetworkexpert.com]
Sent: Sunday, January 22, 2006 2:13 PM
To: Leigh Nash; Cisco certification
Subject: RE: Clearing dynamic ACL
The options in the "clear access-template" command need to match what is
in the dynamic ACL. The "?" doesn't give you the help you would expect
with the "clear access-template" command. Remember to just type a
command out if you think the option should take even if it doesn't show
up with the "?". This is just one of the many commands that do not show
up properly, or in some cases at all, with the "?".
Here is an example of how to clear a dynamic ACL:
Rack4R1#sho access-list
Extended IP access list 100
10 permit tcp any any eq telnet (26 matches)
20 Dynamic LOCK_KEY permit icmp any any echo
permit icmp host 1.1.1.2 any echo
30 deny ip any any (36 matches)
Rack4R1#
Rack4R1#clear access-template 100 LOCK_KEY host 1.1.1.2 any
Rack4R1#sho access-list
Extended IP access list 100
10 permit tcp any any eq telnet (26 matches)
20 Dynamic LOCK_KEY permit icmp any any echo
30 deny ip any any (66 matches)
Rack4R1#
HTH,
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Leigh Nash
Sent: Sunday, January 22, 2006 1:21 PM
To: 'Cisco certification'
Subject: Clearing dynamic ACL
Hello all,
I've had no success clearing a dynamic ACL on a 2500/2600.
clear access-template [access-list-number | name] [dynamic-name] [source] [destination]
r5#clear access-template ?
<100-199> IP extended access list
<2000-2699> IP extended access list (expanded range)
r5#clear access-template LOCK
% Invalid input detected at '^' marker.
r6#clear access-template ?
<100-199> IP extended access list
<2000-2699> IP extended access list (expanded range)
r6#clear access-template 101 ?
% Unrecognized command
On the 3550 it seems to work.
Is there something different I can try? Or is the solution to set the
timeout low and just wait? ;)
Thank you,
Leigh
This archive was generated by hypermail 2.1.4 : Wed Feb 01 2006 - 07:45:50 GMT-3
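
Added example (not code from the thread or from Cisco): the point in Brian's reply, that the "clear access-template" arguments must match what is in the dynamic ACL, can be checked mechanically by parsing "show access-list" output for the temporary entries open under each Dynamic template and building the matching command. The function names are hypothetical, and the parser assumes sequence-numbered entries as in the outputs quoted above.

```python
import re

# Constructed input: the two "show access-list" outputs quoted in the thread, joined.
SAMPLE = """\
Extended IP access list 100
10 permit tcp any any eq telnet (26 matches)
20 Dynamic LOCK_KEY permit icmp any any echo
permit icmp host 1.1.1.2 any echo
30 deny ip any any (36 matches)
Extended IP access list DYN
10 permit ospf any any (6 matches)
20 permit tcp any any eq telnet (44 matches)
30 Dynamic LOCKKEY permit ip any any
permit ip host 70.0.0.6 any (10 matches) (time left 564)
40 deny ip any any log (9 matches)
"""

ACL_RE = re.compile(r"^Extended IP access list (\S+)")
DYN_RE = re.compile(r"^\d+\s+Dynamic (\S+) ")
TMP_RE = re.compile(r"^(?:permit|deny) \S+ (.+)")  # no sequence number: temporary entry

def take_addr(tok):
    """Split one address spec (any | host A | A WILDCARD) off the front of a token list."""
    return ("any", tok[1:]) if tok[0] == "any" else (" ".join(tok[:2]), tok[2:])

def skip_ports(tok):
    """Drop a source-port operator (eq/gt/lt/neq N, range A B) if one is present."""
    n = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}
    return tok[n.get(tok[0], 0):] if tok else tok

def active_entries(show_output):
    """Return one dict per temporary entry currently open under a Dynamic template."""
    acl, dyn, found = None, None, []
    for line in map(str.strip, show_output.splitlines()):
        if m := ACL_RE.match(line):
            acl, dyn = m.group(1), None
        elif m := DYN_RE.match(line):
            dyn = m.group(1)
        elif dyn and (m := TMP_RE.match(line)):
            src, rest = take_addr(m.group(1).split())
            dst, _ = take_addr(skip_ports(rest))
            left = re.search(r"\(time left (\d+)\)", line)
            found.append({"acl": acl, "named": not acl.isdigit(), "time_left": int(left.group(1)) if left else None,
                          "clear": f"clear access-template {acl} {dyn} {src} {dst}"})
        else:
            dyn = None  # a numbered entry ends the template's block of temporary entries
    return found

print(*active_entries(SAMPLE), sep="\n")
```

For the named ACL the generated string follows the syntax quoted in the original question; the thread shows r5 rejecting that form and does not resolve it, so the "named" flag marks those rows for manual handling.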