Hello, can someone please confirm how to create an ACL to allow TFTP in both directions on an ACL from host 10.21.8.1 to any TFTP server in 10.0.0.0/8.
I have the following on my outbound ACL:
permit udp host 10.21.8.1 10.0.0.0 0.255.255.255 eq tftp
What would I put on my inbound ACL to allow TFTP back in?
Thank you kindly.
The access list should apply to the source interface as inbound (in). Also, use the exact IP of the tftp server.
permit udp host 10.21.8.1 host 10.10.10.10 eq tftp
In this example 10.10.10.10 is the IP address of the TFTP server.
But how about the return traffic?
What if I only wanted to allow TFTP return traffic?
If the source is 10.21.8.1 (SVI L3) then you can apply the access list inbound to it as in
ip access-list extended test
then apply it to the interface as in
int vlan 3
ip access-group test in
and test connectivity.
As Reza mentioned, here is the syntax of an extended named ACL.
If you are going to use named:
ip access-list extended OUTBOUND
 permit <protocol> <source host or subnet> <wildcard> <source port/ports> <destination host or subnet> <wildcard> <destination port/ports>
 permit udp host 10.21.8.1 10.0.0.0 0.255.255.255 eq tftp
(you can write eq 69 instead of eq tftp)
interface gX/Y
 ip access-group OUTBOUND out
For inbound traffic it is similar:
ip access-list extended INBOUND
 permit <protocol> <source host or subnet> <wildcard> <source port/ports> <destination host or subnet> <wildcard> <destination port/ports>
 permit udp 10.0.0.0 0.255.255.255 eq tftp host 10.21.8.1
(again, eq 69 is the same as eq tftp)
interface gX/Y
 ip access-group INBOUND in
At the end you will have:
interface gX/Y (or interface vlan X)
 ip access-group INBOUND in
 ip access-group OUTBOUND out
Note: if the source or destination is going to use dynamic ports you can omit the port on the ACL, like the example above.
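As an added illustration that is not part of any reply above, this small Python model evaluates Cisco-style extended ACL entries (wildcard masks, first match wins, implicit deny) against two constructed TFTP packets: the read request and the server's first DATA block. The client 10.21.8.1 and the 10.0.0.0/8 range are the thread's, the server 10.10.10.10 is taken from Reza's example, and the client port 50001 and server data port 56000 are assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not from the thread: a tiny evaluator for Cisco-style extended
# ACL entries (wildcard masks, first match wins, implicit deny at the end),
# run against two constructed TFTP packets.

@dataclass
class Ace:
    proto: str
    src: str                          # source network / host address
    src_wc: str                       # wildcard: a 0 bit means "must match"
    dst: str
    dst_wc: str
    src_port: Optional[int] = None    # None means any source port
    dst_port: Optional[int] = None    # None means any destination port

Packet = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF            # bits of the address that must be equal
    return a & keep == b & keep

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    proto, src, sport, dst, dport = pkt
    for ace in acl:                   # permit-only list here; first match wins
        if (ace.proto == proto
                and wildcard_match(src, ace.src, ace.src_wc)
                and wildcard_match(dst, ace.dst, ace.dst_wc)
                and ace.src_port in (None, sport)
                and ace.dst_port in (None, dport)):
            return "permit"
    return "deny"                     # implicit "deny any" at the end

HOST = "0.0.0.0"                      # wildcard equivalent of the "host" keyword
# Constructed packets (ports assumed). Per RFC 1350 the server answers the
# request on port 69 from a fresh ephemeral port, so the DATA reply is not from 69.
REQUEST: Packet = ("udp", "10.21.8.1", 50001, "10.10.10.10", 69)
REPLY: Packet = ("udp", "10.10.10.10", 56000, "10.21.8.1", 50001)

# OUTBOUND with 0.0.0.255 (only 10.0.0.0/24) vs 0.255.255.255 (the /8 intent).
OUTBOUND_SLASH24 = [Ace("udp", "10.21.8.1", HOST, "10.0.0.0", "0.0.0.255", dst_port=69)]
OUTBOUND_SLASH8 = [Ace("udp", "10.21.8.1", HOST, "10.0.0.0", "0.255.255.255", dst_port=69)]
# INBOUND with "eq tftp" on the server side vs. with the port omitted.
INBOUND_EQ_TFTP = [Ace("udp", "10.0.0.0", "0.255.255.255", "10.21.8.1", HOST, src_port=69)]
INBOUND_ANY_PORT = [Ace("udp", "10.0.0.0", "0.255.255.255", "10.21.8.1", HOST)]

if __name__ == "__main__":
    for name, acl, pkt in [("out /24", OUTBOUND_SLASH24, REQUEST), ("out /8", OUTBOUND_SLASH8, REQUEST),
                           ("in eq 69", INBOUND_EQ_TFTP, REPLY), ("in any", INBOUND_ANY_PORT, REPLY)]:
        print(f"{name}: {evaluate(acl, pkt)}")
```

Running it shows the /24 wildcard never matches a server at 10.10.10.10, and that an inbound entry with eq tftp on the server side drops the data reply because the server sends it from an ephemeral port.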