kamilk

ACL on Cisco 3750 to allow Active Directory Replication and

Thu Apr 27, 2017 12:22 am

Good day everyone,
I need your advice on an ACL.

I have a router, and eight switches connected directly to that router. Each switch is a separate IP subnet.

I will have one Domain Controller in each subnet. This would all be one logical AD domain.

The Active Directory site will be a hub-and-spoke design, meaning that there will be one "hub" DC and seven DCs in different subnets replicating ONLY to that "hub" DC.

Plus, all users in all non-hub networks must be able to authenticate to their own subnet's DC (local to them) and to the "hub" DC in the "main" subnet (in case the local one fails).

So I need an ACL to allow two-way replication between the "hub" DC and each DC in the subnets, and one-way AD authentication from all subnets to the "hub" DC. Plus, DNS replication and DNS name resolution requests should be allowed between the spoke and hub sites.

I googled a couple of solutions (below) but I'm not sure which one will do the job, and do it in the most secure way:



access-list 100 permit ip host x.x.x.x host y.y.y.y
! 200 is not a valid extended IP ACL number (100-199 or 2000-2699), so the reverse entry is shown as 101
access-list 101 permit ip host y.y.y.y host x.x.x.x

OR

access-list 100 permit tcp host x.x.x.x host y.y.y.y eq domain
access-list 100 permit udp host x.x.x.x host y.y.y.y eq domain
access-list 100 permit tcp host x.x.x.x host y.y.y.y eq ldap
access-list 100 permit udp host x.x.x.x host y.y.y.y eq ldap
access-list 100 permit tcp host x.x.x.x host y.y.y.y eq 53
access-list 100 permit udp host x.x.x.x host y.y.y.y eq 53
access-list 100 permit tcp host x.x.x.x host y.y.y.y eq 88
access-list 100 permit udp host x.x.x.x host y.y.y.y eq 88

(88 - Kerberos authentication and 53 - DNS)


I would really appreciate it if someone could help me with that setup and explain where I should implement the ACL on the router (inbound or outbound on the interface facing the corresponding networks).


Thanks,

Kamil.
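As an added worked example (not from the original post or any reply to it), here is the second, port-specific style carried through for one spoke using named extended ACLs. Assumed values: hub DC 10.0.0.10, spoke 1 DC 10.1.0.10, spoke 1 user subnet 10.1.0.0/24, and placeholder interface names.

```cisco
! Added example (not from the original post). Assumed addresses: hub DC 10.0.0.10,
! spoke 1 DC 10.1.0.10, spoke 1 user subnet 10.1.0.0/24. Numeric ports are used
! because older IOS releases do not accept keywords such as ldap.
!
! Inbound on the interface facing spoke 1: what spoke 1 may send toward the hub.
ip access-list extended SPOKE1-IN
 remark DC-to-DC replication: RPC endpoint mapper, dynamic RPC range, LDAP/LDAPS/GC, SMB
 permit tcp host 10.1.0.10 host 10.0.0.10 eq 135
 permit tcp host 10.1.0.10 host 10.0.0.10 range 49152 65535
 permit tcp host 10.1.0.10 host 10.0.0.10 eq 389
 permit tcp host 10.1.0.10 host 10.0.0.10 eq 636
 permit tcp host 10.1.0.10 host 10.0.0.10 eq 3268
 permit tcp host 10.1.0.10 host 10.0.0.10 eq 445
 remark Client logon fallback to the hub DC: DNS, Kerberos, kpasswd, LDAP, SMB, NTP
 permit udp 10.1.0.0 0.0.0.255 host 10.0.0.10 eq 53
 permit tcp 10.1.0.0 0.0.0.255 host 10.0.0.10 eq 53
 permit udp 10.1.0.0 0.0.0.255 host 10.0.0.10 eq 88
 permit tcp 10.1.0.0 0.0.0.255 host 10.0.0.10 eq 88
 permit udp 10.1.0.0 0.0.0.255 host 10.0.0.10 eq 464
 permit tcp 10.1.0.0 0.0.0.255 host 10.0.0.10 eq 464
 permit tcp 10.1.0.0 0.0.0.255 host 10.0.0.10 eq 389
 permit tcp 10.1.0.0 0.0.0.255 host 10.0.0.10 eq 445
 permit udp 10.1.0.0 0.0.0.255 host 10.0.0.10 eq 123
 remark Replies to TCP sessions the hub DC opened toward the spoke DC
 permit tcp host 10.1.0.10 host 10.0.0.10 established
 remark Add permits for any other inter-subnet traffic above; everything else is dropped
 deny ip any any
!
! Inbound on the hub-facing interface: what the hub DC may send toward spoke 1.
! In practice this list also carries the matching entries for spokes 2-7.
ip access-list extended HUB-IN
 remark Hub-initiated replication toward the spoke DC
 permit tcp host 10.0.0.10 host 10.1.0.10 eq 135
 permit tcp host 10.0.0.10 host 10.1.0.10 range 49152 65535
 permit tcp host 10.0.0.10 host 10.1.0.10 eq 389
 permit tcp host 10.0.0.10 host 10.1.0.10 eq 445
 remark Replies to spoke-initiated sessions: TCP by flag, UDP by matching source port
 permit tcp host 10.0.0.10 10.1.0.0 0.0.0.255 established
 permit udp host 10.0.0.10 eq 53 10.1.0.0 0.0.0.255
 permit udp host 10.0.0.10 eq 88 10.1.0.0 0.0.0.255
 permit udp host 10.0.0.10 eq 464 10.1.0.0 0.0.0.255
 permit udp host 10.0.0.10 eq 123 10.1.0.0 0.0.0.255
 deny ip any any
!
interface GigabitEthernet1/0/2
 ip access-group SPOKE1-IN in
interface GigabitEthernet1/0/1
 ip access-group HUB-IN in
```

Because IOS ACLs are stateless, replies are admitted by the established keyword for TCP and by matching the server's source port for UDP, so the two inbound lists have to mirror each other. The 49152-65535 entries assume the default Windows dynamic RPC range; if the DCs pin replication to a fixed RPC port, narrow those entries accordingly.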
