Access-list Question

Answered Question
Mar 3rd, 2009

How do I get the (XX) after the ACL in the show access-list command? It shows up on routers but not on a 3750. Is this a limitation, or is there a command to turn it on?

#sho access-list
Extended IP access list 100
    10 permit ip
    20 deny ip any any

Question #2:

I have 2 networks that are separated. There will be a link between the 2. The only traffic I want to pass will be traffic allowing PCs to authenticate to Active Directory servers and exchange the necessary AD stuff. Any idea what ports to allow for that?

Correct Answer by Jon Marshall about 8 years 4 months ago


I came across this - looks like there are a few more ports than I thought.


Giuseppe Larosa Tue, 03/03/2009 - 05:05

Hello Mike,

This is IOS dependent, also on routers.

If I take an old IOS, the automatic numbering of statements is off for numbered access-lists.

See for example:

RT-TO-CRN-SNA-E-2#sh access-l
Standard IP access list 24
    permit, wildcard bits (4879758 matches)
    permit, wildcard bits (565948 matches)
    permit, wildcard bits

from a device on 122-19a.

At some point the IOS behaviour changed; before that, the numbers were usable and shown only for named ACLs.

So it is possible not to see the line numbers on a c3750.

Hope to help


Jon Marshall Tue, 03/03/2009 - 05:37

Do you mean the hit count for each line?

If so, be aware that Catalyst switches process most ACLs in hardware and as such the hit count is not incremented in the way it is on a router.

You can use "show access-lists hardware counters", although this won't show each individual line hit.

Question 2

Off the top of my head -

Port 445 - CIFS
Port 389 - LDAP
Port 135 - RPC (maybe)
Port 88 - Kerberos

But there may well be more needed as this is Microsoft :-)
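Both replies above turn on the same detail of "show access-lists" output: some platforms print a per-line "(N matches)" counter and sequence numbers, and a hardware-switched ACL on a Catalyst may print neither. The following parser is an added example written for this thread, not code from Cisco or from any poster. It reads output in both shapes into a structure a monitoring script can act on (for instance, watching the counter on a "deny ip any any" line), and it explicitly records entries that carry no counter at all so that a missing counter is not mistaken for zero hits. The sample output is constructed; the addresses in it are made up and are not from the thread.

```python
import re

# Constructed sample output, modelled on the two formats shown in the thread:
# a router that prints per-line match counters (with and without sequence
# numbers) and a 3750 that prints sequence numbers but no counters.
# Addresses are invented for the example.
ROUTER_OUTPUT = """\
Standard IP access list 24
    permit 10.1.0.0, wildcard bits 0.0.255.255 (4879758 matches)
    permit 10.2.0.0, wildcard bits 0.0.255.255 (565948 matches)
    permit 10.3.0.0, wildcard bits 0.0.255.255
Extended IP access list 100
    10 permit ip 10.1.1.0 0.0.0.255 10.9.9.0 0.0.0.255 (12 matches)
    20 deny ip any any (7 matches)
"""

SWITCH_OUTPUT = """\
Extended IP access list 100
    10 permit ip 10.1.1.0 0.0.0.255 10.9.9.0 0.0.0.255
    20 deny ip any any
"""

# "Standard IP access list 24" / "Extended IP access list 100"
HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")

# Optional sequence number, action, the rule body, optional "(N matches)".
ENTRY_RE = re.compile(
    r"^\s*(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<rest>.*?)"
    r"(?:\s+\((?P<matches>\d+) matches?\))?\s*$"
)


def parse_access_lists(text):
    """Parse 'show access-lists' text into {name: {"type": ..., "entries": [...]}}.

    Each entry has seq (int or None), action, rule (the text after the action)
    and matches (int, or None when the platform printed no counter).
    """
    acls = {}
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {"type": header.group(1), "entries": []}
            acls[header.group(2)] = current
            continue
        if current is None:
            continue  # text before the first ACL header is ignored
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        current["entries"].append({
            "seq": int(entry["seq"]) if entry["seq"] else None,
            "action": entry["action"],
            "rule": entry["rest"],
            "matches": int(entry["matches"]) if entry["matches"] else None,
        })
    return acls


def deny_hits(acls):
    """Sum of counters on deny entries: the number a defender usually trends."""
    return sum(
        e["matches"] or 0
        for acl in acls.values()
        for e in acl["entries"]
        if e["action"] == "deny"
    )


def uncounted_entries(acls):
    """Entries that printed no counter, e.g. an ACL evaluated in switch hardware.

    These must be reported as 'unknown', not as zero hits.
    """
    return [
        (name, e["seq"], e["action"], e["rule"])
        for name, acl in acls.items()
        for e in acl["entries"]
        if e["matches"] is None
    ]


if __name__ == "__main__":
    for label, output in (("router", ROUTER_OUTPUT), ("3750", SWITCH_OUTPUT)):
        parsed = parse_access_lists(output)
        print(f"{label}: deny hits={deny_hits(parsed)}, "
              f"entries without counters={len(uncounted_entries(parsed))}")
```

On a router the deny counter is a cheap signal that something is knocking on the blocked link; on a hardware-switched 3750 the same script reports every entry as uncounted, which is the cue to fall back to "show access-lists hardware counters" as suggested above rather than to conclude that nothing was denied.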


mikegrous Tue, 03/03/2009 - 05:51

Thanks Jon. You answered the first question. I will try those ports. I was going to do it today but it appears the AD servers are not here. Oh well. Anyone have any other ports that you think should be allowed?

