07-05-2024 09:09 AM
Ideally on our Catalyst and ISR devices we restrict TFTP transfers via an ACL with the statement "snmp-server file-transfer access-group {ACL #} protocol tftp"
We have tried to implement this same feature recently into our Nexus devices with no success as it appears that syntax does not exist. I have done research on alternatives, but a lot of results have us apply an ACL to a specific interface with statements eq tftp.
Wanted to see if anyone knows a way to restrict TFTP transfers globally on Nexus as shown with Catalyst/ISR?
Thank you!
07-05-2024 09:35 AM
ACLs applied on a VTY line in egress direction filter traffic without any issues. However, ACLs applied on a VTY line in ingress direction will not filter management traffic. For example, FTP, TFTP, or SFP traffic in the return direction, that is, if the FTP connection is initiated from a switch to an external server, ingress ACL on a VTY line will not be used, if ACLs are configured to block or permit this return traffic. Therefore, ACLs should be applied in the egress direction on VTY lines to block the FTP, TFTP, or SCP traffic from the switch.
M.
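To make the reply above concrete, here is an added example, not taken from the thread or from Cisco documentation, of what an egress VTY ACL on NX-OS could look like when the switch should only be able to push or pull files to one approved TFTP server. The ACL name, the sequence numbers and the server address 192.0.2.10 are placeholders chosen for the example.

```cisco
! Added example (not from the thread): NX-OS egress VTY ACL that lets the switch
! start TFTP sessions only toward one approved server. 192.0.2.10 is a placeholder.
ip access-list VTY-MGMT-OUT
  5  remark Allow everything the switch sends to the approved TFTP server (any UDP port)
  10 permit udp any host 192.0.2.10
  15 remark Block TFTP requests (UDP/69) to any other destination
  20 deny udp any any eq tftp
  25 remark Leave all other switch-originated traffic untouched
  30 permit ip any any
!
line vty
  ip access-class VTY-MGMT-OUT out
```

Two details worth noting. The permit for the approved server is deliberately not limited to port 69: the switch only sends its first request (RRQ/WRQ) to UDP/69, the server answers from an ephemeral port, and every later datagram from the switch goes to that port, so an `eq tftp` permit alone would break the transfer after the first packet. Blocking only the initial request to port 69 is still enough to stop transfers to any other host, because no session can start without it. Where the platform supports ACE logging, appending `log` to the deny line gives a record of blocked attempts; after applying the change, confirm it with `show running-config | section vty` and a test `copy running-config tftp:` toward a non-approved address, which should fail.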
07-05-2024 02:27 PM
I believe that there is some confusion about what the issue really is. The title of the OP does mention TFTP and ACL. The response by @marce1000 seems to focus on the traditional use of ACL to control access using vty. But in the content of the OP it becomes apparent that the application of acl is not for vty but is for snmp-server file-transfer. My suggestion is that the OP start on the Nexus with snmp-server ? and look for options that could produce the results that they want.