02-01-2008 04:56 AM
We can't TFTP or FTP out config from the switches to our FTP server. We have IP Access List setup allowing certain protocols. What would I have to add to the Access List to allow the switches to TFTP or FTP their config?
Thanks.
02-07-2008 07:16 AM
The ability to apply sequence numbers to IP access list entries simplifies access list changes. Prior to the IP Access List Entry Sequence Numbering feature, there was not a way to specify the position of an entry within an access list.
A Cisco platform can unexpectedly reload while it attempts to resequence an access list. This symptom is observed when a few Access Control Entries (ACEs) are deleted and then the ip access-list resequence access-list-name starting-sequence-number increment command is entered immediately afterwards.
02-16-2008 10:06 AM
Roy
TFTP uses UDP port 69 and FTP uses TCP ports 20 and 21. To allow these protocols you would need permit statements in your access list for these protocols.
HTH
Rick
02-17-2008 05:42 AM
But please note TFTP uses UDP port 69 for the first packet only and uses high port numbers (>1023) for all subsequent packets... which makes TFTP hard to catch with ACLs.
Also FTP sometimes uses the so-called "passive mode" which uses a TCP connection between two high port numbers.
Where is that ACL located? Any chance to use a real firewall which can handle TFTP/FTP (like the Cisco IOS firewall)?
regards,
Michael
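The two replies above (permit UDP 69 and TCP 20/21, versus the caveat that TFTP and passive FTP move to high ports) can be checked against a small stateless ACL model. The following is an added example and not code from the thread or from Cisco: it evaluates constructed switch-to-server packets the way an IOS extended ACL does (first match wins, implicit deny at the end), once with port-69/20/21 entries only and once with an extra entry equivalent to IOS's `permit udp <switches> host <server> gt 1023`. The subnet, server address, port numbers and the `Packet`/`Ace` helper names are all assumptions made up for the illustration.

```python
# Added example (not from the thread): a tiny stateless ACL evaluator used to
# show why "permit udp ... eq 69" alone does not let a TFTP transfer finish.
# Addresses, ports and names below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-control entry; like an IOS extended ACL, first match wins."""
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip" (any protocol)
    src_net: str
    dst_net: str
    dport: Optional[tuple] = None   # (low, high) destination-port range, None = any

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        return self.dport is None or self.dport[0] <= p.dport <= self.dport[1]


def evaluate(acl: list, p: Packet) -> str:
    """Verdict for one packet; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


def check_flow(acl: list, flow: list) -> list:
    """Verdict for each packet of a flow, in order."""
    return [evaluate(acl, p) for p in flow]


SWITCHES = "10.0.1.0/24"   # constructed switch management subnet
SERVER = "10.0.2.10/32"    # constructed TFTP/FTP server
S, D = "10.0.1.7", "10.0.2.10"

# Rule set implied by the "UDP 69, TCP 20 and 21" answer, applied to packets
# travelling from the switches towards the server.
PORT_ONLY_ACL = [
    Ace("permit", "udp", SWITCHES, SERVER, (69, 69)),
    Ace("permit", "tcp", SWITCHES, SERVER, (20, 21)),
]

# Same list plus the entry IOS would express as
# "permit udp 10.0.1.0 0.0.0.255 host 10.0.2.10 gt 1023", which covers the
# ephemeral server port that TFTP moves the transfer to.
WITH_EPHEMERAL_ACL = PORT_ONLY_ACL + [
    Ace("permit", "udp", SWITCHES, SERVER, (1024, 65535)),
]


def tftp_put_flow(client_port: int = 40001, server_tid: int = 49211) -> list:
    """Switch -> server packets of a TFTP write: only the WRQ goes to port 69; the
    server answers from a fresh port (its TID) and every later DATA packet targets it."""
    wrq = Packet("udp", S, client_port, D, 69)
    data = Packet("udp", S, client_port, D, server_tid)
    return [wrq, data, data]


def ftp_passive_flow(client_port: int = 40002, pasv_port: int = 50210) -> list:
    """Switch -> server packets of a passive-mode FTP session: control channel on
    port 21, then a data connection to the high port named in the server's PASV reply."""
    ctl = Packet("tcp", S, client_port, D, 21)
    data = Packet("tcp", S, client_port + 1, D, pasv_port)
    return [ctl, data]


if __name__ == "__main__":
    for name, acl in (("port-only", PORT_ONLY_ACL), ("with gt 1023", WITH_EPHEMERAL_ACL)):
        print(f"{name:13} TFTP put: {check_flow(acl, tftp_put_flow())}"
              f"  FTP passive: {check_flow(acl, ftp_passive_flow())}")
```

With the port-only list the TFTP request is permitted but every DATA packet that follows is dropped, so the copy hangs rather than failing outright, which matches the symptom in the question. Adding the `gt 1023` entry fixes TFTP but leaves passive FTP's data connection denied, and it also opens the whole ephemeral UDP range from the switches to the server; a stateful firewall, as suggested above, tracks the TID and PASV ports per session instead of needing that blanket permit.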