Access-list Question

mikegrous (Level 3)

How do I get the (XX) after the ACL entries in the show access-list command? It shows up on routers but not on a 3750. Is this a limitation, or is there a command to turn it on?

#sho access-list
Extended IP access list 100
    10 permit ip 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255
    20 deny ip any any

Question #2:

I have 2 networks that are separated. There will be a link between the 2. The only traffic I want to pass is traffic allowing PCs to authenticate to Active Directory servers and exchange the necessary AD stuff down. Any idea what ports to allow for that?


Giuseppe Larosa (Hall of Fame)

Hello Mike,

This is IOS dependent, on routers as well.

If I take an old IOS, the automatic numbering of statements is off for numbered access-lists.

See for example:

RT-TO-CRN-SNA-E-2#sh access-l
Standard IP access list 24
    permit 10.98.72.0, wildcard bits 0.0.3.255 (4879758 matches)
    permit 10.55.48.0, wildcard bits 0.0.3.255 (565948 matches)
    permit 10.110.162.0, wildcard bits 0.0.0.255

from a device running 122-19a.

At some point the IOS behaviour changed; before that, the sequence numbers were usable and shown only for named ACLs.

So it is possible not to see the line numbers on a C3750.

Hope this helps,

Giuseppe

Jon Marshall (Hall of Fame)

Mike

Do you mean the hit count for each line?

If so, be aware that Catalyst switches process most ACLs in hardware, and as such the hit count is not incremented the way it is on a router.

You can use "show access-lists hardware counters", although this won't show each individual line's hits.

Question 2

Off the top of my head:

Port 445 - CIFS
Port 389 - LDAP
Port 135 - RPC (maybe)
Port 88 - Kerberos

But there may well be more needed, as this is Microsoft :-)

Jon

Thanks Jon. You answered the first question. I will try those ports. I was going to do it today but it appears the AD servers are not here. Oh well. Anyone have any other ports that you think should be allowed?

Mike

I came across this - looks like there are a few more ports than i thought.

http://lists.sans.org/pipermail/list/2005-August/021790.html

Jon
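For question 2, here is what an access-list built from the port list in this thread could look like on an IOS router. This is an added example, not configuration from the thread or from Cisco; it reuses the two subnets from the original ACL in the question as placeholders (10.120.1.0/24 assumed to hold the PCs, 10.120.14.0/23 assumed to hold the domain controllers), and it goes beyond Jon's four ports by adding DNS, NTP, Kerberos password change, LDAPS, Global Catalog and the RPC dynamic range, which domain members also need; the 49152-65535 range assumes Windows Server 2008 or later (Server 2003 used 1025-5000). Interface names are assumed.

```cisco
! Added example, not from the thread. Subnets reused from the question's ACL
! as placeholders; interface names and the Server 2008+ RPC range are assumed.
ip access-list extended AD-CLIENT-TO-DC
 remark DNS: clients locate DCs through SRV records before anything else works
 10 permit udp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 53
 20 permit tcp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 53
 remark Kerberos authentication (88) and password change (464)
 30 permit udp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 88
 40 permit tcp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 88
 50 permit udp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 464
 60 permit tcp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 464
 remark NTP: Kerberos rejects tickets outside the clock-skew window
 70 permit udp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 123
 remark LDAP, LDAPS and Global Catalog
 80 permit udp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 389
 90 permit tcp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 389
 100 permit tcp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 636
 110 permit tcp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 3268
 120 permit tcp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 3269
 remark SMB/CIFS: SYSVOL and NETLOGON shares, group policy download
 130 permit tcp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 445
 remark RPC endpoint mapper plus the dynamic range it hands out (Server 2008+)
 140 permit tcp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 135
 150 permit tcp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 range 49152 65535
 remark ICMP echo keeps basic troubleshooting possible
 160 permit icmp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 echo
 remark explicit deny with log so rejected AD traffic shows up in syslog
 170 deny ip any any log
!
ip access-list extended AD-DC-TO-CLIENT
 remark return traffic for TCP sessions the PCs opened (ACK/RST set)
 10 permit tcp 10.120.14.0 0.0.1.255 10.120.1.0 0.0.0.255 established
 remark a plain ACL keeps no UDP state, so mirror the UDP services for replies
 20 permit udp 10.120.14.0 0.0.1.255 eq 53 10.120.1.0 0.0.0.255
 30 permit udp 10.120.14.0 0.0.1.255 eq 88 10.120.1.0 0.0.0.255
 40 permit udp 10.120.14.0 0.0.1.255 eq 123 10.120.1.0 0.0.0.255
 50 permit udp 10.120.14.0 0.0.1.255 eq 389 10.120.1.0 0.0.0.255
 60 permit udp 10.120.14.0 0.0.1.255 eq 464 10.120.1.0 0.0.0.255
 70 permit icmp 10.120.14.0 0.0.1.255 10.120.1.0 0.0.0.255 echo-reply
 80 deny ip any any log
!
interface GigabitEthernet0/1
 description link toward the PC network (assumed name)
 ip access-group AD-CLIENT-TO-DC in
!
interface GigabitEthernet0/2
 description link toward the DC network (assumed name)
 ip access-group AD-DC-TO-CLIENT in
```

Two caveats a practitioner would want. First, this only covers connections the PCs initiate; if the link also has to carry domain controller replication, or a DC on either side needs to reach machines on the other, those flows are a different (and larger) list. Second, the "established" keyword is not stateful: it only checks that the ACK or RST bit is set, and UDP gets no tracking at all, which is why the reply ACL mirrors the UDP ports. If the router supports it, a reflexive ACL or zone-based firewall does the return direction properly. Also, as Jon noted above for the 3750, per-line hit counts and "log" behave differently on a Catalyst because the ACL is evaluated in hardware and logged packets are punted to the CPU; when testing which ports are actually needed, watch the "deny ... log" entries on a router, not on the switch.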

Great, thanks Jon.
