Access List....TFTP

Unanswered Question
Sep 4th, 2007

When a server starts sending the file, I see a random port being used. Now how are we supposed to write a proper ACL for this: accept everything from the host? Modify the TFTP server source code?

Please help.

lgijssel Tue, 09/04/2007 - 22:53

Session initiation will use the well-known port (69 for TFTP). You should check for that in your ACL and only permit the hosts you want. When you can deny the request you also have control over the session, even when all other UDP ports are permitted on the last line of your ACL.



Richard Burts Wed, 09/05/2007 - 04:34

When a client initiates TFTP to a server it will use the well-known port UDP 69 as the destination port and will choose some high-numbered port as the source port. So to write a proper access list you can examine for the TFTP server address and can examine for port 69 (it will be the source port or the destination port depending on where the access list is applied and its direction). I would suggest not attempting to examine the other port since it is not predictable.
