Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
177
Views
0
Helpful
2
Replies

Restricting TFTP transfers via ACL on Nexus

Doopzzy
Level 1
Level 1

‎07-05-2024 09:09 AM

Ideally on our Catalyst and ISR devices we restrict TFTP transfers via an ACL with the statement "snmp-server file-transfer access-group {ACL #} protocol tftp"

We have tried to implement this same feature recently into our Nexus devices with no success as it appears that syntax does not exist. I have done research on alternatives, but a lot of results have us apply an ACL to a specific interface with statements eq tftp.

Wanted to see if anyone knows a way to restrict TFTP transfers globally on Nexus as shown with Catalyst/ISR? 

Thank you!

Labels:
0 Helpful
2 Replies 2

marce1000
VIP
VIP

‎07-05-2024 09:35 AM

 

  - Ref : https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus7000/sw/security/config/cisco_nexus7000_security_config_guide_8x/configuring_ip_acls.html
  >....

  • ACLs applied on a VTY line in egress direction filter traffic without any issues. However, ACLs applied on a VTY line in ingress direction will not filter management traffic. For example, FTP, TFTP, or SFP traffic in the return direction, that is, if the FTP connection is initiated from a switch to an external server, ingress ACL on a VTY line will not be used, if ACLs are configured to block or permit this return traffic. Therefore, ACLs should be applied in the egress direction on VTY lines to block the FTP, TFTP, or SCP traffic from the switch.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to marce1000

‎07-05-2024 02:27 PM

I believe that there is some confusion about what the issue really is. The title of the OP does mention TFTP and ACL. The response by @marce1000  seems to focus on the traditional use of ACL to control access using vty. But in the content of the OP it becomes apparent that the application of acl is not for vty but is for snmp-server file-transfer. My suggestion is that the OP start on the Nexus with snmp-server ? and look for options that could produce the results that they want.

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card