Access-list Question

Answered Question
Mar 3rd, 2009

How do I get the (XX) after the ACL in the show access-list command? It shows up on routers but not on a 3750. Is this a limitation, or is there a command to turn it on?

#sho access-list

Extended IP access list 100

10 permit ip 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255

20 deny ip any any

Question #2:

I have 2 networks that are separated. There will be a link between the 2. The only traffic I want to pass will be traffic allowing PCs to authenticate to Active Directory servers, and to exchange the necessary AD stuff. Any idea what ports to allow for that?

Correct Answer by Jon Marshall about 7 years 10 months ago

Mike

I came across this - looks like there are a few more ports than I thought.

http://lists.sans.org/pipermail/list/2005-August/021790.html

Jon

Giuseppe Larosa Tue, 03/03/2009 - 05:05

Hello Mike,

This is IOS dependent, also on routers.

If I take an old IOS, the automatic numbering of statements is off for numbered access-lists.

See for example:

RT-TO-CRN-SNA-E-2#sh access-l

Standard IP access list 24

permit 10.98.72.0, wildcard bits 0.0.3.255 (4879758 matches)

permit 10.55.48.0, wildcard bits 0.0.3.255 (565948 matches)

permit 10.110.162.0, wildcard bits 0.0.0.255

(from a device running 122-19a)

At some point in IOS the behaviour changed; before that, the numbers were usable and shown only for named ACLs.

So it is possible not to see the line numbers on a c3750.

Hope to help

Giuseppe

Jon Marshall Tue, 03/03/2009 - 05:37

Mike

Do you mean the hit count for each line ?

If so, be aware that Catalyst switches process most ACLs in hardware, and as such the hit count is not incremented in the way it is on a router.

You can use "show access-lists hardware counters", although this won't show each individual line hit.

Question 2

Off the top of my head -

Port 445 - CIFS

Port 389 - LDAP

Port 135 - RPC (maybe)

Port 88 - Kerberos

But there may well be more needed as this is Microsoft :-)

Jon
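
As an added example (not code from the thread), here is how Jon's port list can be expressed as an IOS named extended ACL on the link; it goes slightly beyond his list by adding DNS, which AD clients need to locate a domain controller. Assumptions not stated in the thread: 10.120.1.0/24 (from Mike's ACL) is the PC side, 10.120.14.0/23 is the AD-server side, and the interface name is a placeholder.

```cisco
! Added example, not from the thread. Named ACL, so IOS shows line
! numbers for it even where numbered ACLs get none (Giuseppe's point).
ip access-list extended AD-AUTH-IN
 remark DNS - clients locate domain controllers via SRV records (beyond Jon's list)
 permit udp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 53
 permit tcp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 53
 remark Kerberos - port 88 on both UDP and TCP
 permit udp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 88
 permit tcp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 88
 remark LDAP - TCP 389, plus UDP 389 (CLDAP) used by the DC locator
 permit tcp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 389
 permit udp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 389
 remark CIFS/SMB - SYSVOL and NETLOGON shares, Group Policy download
 permit tcp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 445
 remark RPC endpoint mapper - the actual RPC call then moves to a
 remark server-chosen dynamic high port, so 135 alone is not sufficient
 permit tcp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 135
 remark Log drops so any still-missing port shows up in the log;
 remark on a Catalyst, "log" punts matching packets to the CPU, so keep it temporary
 deny ip any any log
!
interface GigabitEthernet1/0/1
 description Link toward AD side 10.120.14.0/23 (placeholder interface)
 ip access-group AD-AUTH-IN in
!
! On a 3750 the per-line "(N matches)" counters only reflect packets
! handled in software; for hardware-switched traffic use:
!   show access-lists hardware counters
```

Return traffic is not covered by this inbound ACL; if the AD side is also filtered, the same ports need permitting in the reverse direction as established or matching flows.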

mikegrous Tue, 03/03/2009 - 05:51

Thanks Jon. You answered the first question. I will try those ports. I was going to do it today but it appears the AD servers are not here. Oh well. Anyone have any other ports that you think should be allowed?
