Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7369
Views
0
Helpful
4
Replies

Cisco ACL how to allow TFTP

tedauction
Level 1
Level 1

‎05-25-2017 05:47 PM - edited ‎03-08-2019 10:44 AM

Hello, can someone please confirm how to create an ACL to allow TFTP in both directions on an ACL from host 10.21.8.1 to any TFTP server in 10.0.0.0/8.

I have the following on my outbound ACL:

permit udp host 10.21.8.1 10.0.0.0 0.0.0.255 eq tftp

What would I put on my inbound ACL to allow TFTP back in ?

Thank you kindly.

Labels:
0 Helpful
4 Replies 4

Reza Sharifi
Hall of Fame
Hall of Fame

‎05-25-2017 07:12 PM

Hi,

The access list should apply to the source interface as inbound (in).  Also, use the exact IP of the tftp server.

permit udp 10.21.8.1 host 10.10.10.10 eq tftp

in this example 10.10.10.10. is the IP address of the tftp server.

HTH

0 Helpful

tedauction
Level 1
Level 1
In response to Reza Sharifi

‎05-25-2017 07:45 PM

Thank you.

But how about the return traffic ?

What if I only wanted to allow TFTP return traffic ?

0 Helpful

Reza Sharifi
Hall of Fame
Hall of Fame
In response to tedauction

‎05-25-2017 07:45 PM

If the source is 10.21.8.1 (SVI L3) than you can apply the access list inbound to it as in

ip access-list extended test

permit udp 10.21.8.1 host 10.10.10.10 eq tftp

than apply it to interface as in

int vlan 3

ip access-group test in

and test connectivity.

HTH

0 Helpful

Julio E. Moisa
VIP
VIP

‎05-25-2017 07:50 PM

Hi

As Reza mentioned, here the sintaxis of an extended named ACL

If you are going to use named:

Ip access-list extended OUTBOUND
permit <protocol> <source host or subnet> <wildcard> <source port /ports> <destination host or subnet> <wildcard> <destination port/ports>

permit udp host 10.21.8.1 10.0.0.0 0.0.0.255 eq tftp  or 69

interface gX/Y
ip access-group OUTBOUND out

For inbound traffic, is similar

Ip access-list extended INBOUND
permit <protocol> <source host or subnet> <wildcard> <source port /ports> <destination host or subnet> <wildcard> <destination port/ports>

permit udp  10.0.0.0 0.0.0.255 eq tftp  or 69 host 10.21.8.1

interface gX/Y
ip access-group INBOUND in

at the end you will have. 

interface gX/Y or Interface vlan X
ip access-group INBOUND in
ip access-group OUTBOUND out

note: if the source or destination is going to use dynamic ports you can ommit the port on the ACL, like the example above.




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card