IP Access List

Unanswered Question
Feb 1st, 2008

We can't TFTP or FTP our config from the switches to our FTP server. We have an IP Access List set up allowing certain protocols. What would I have to add to the Access List to allow the switches to TFTP or FTP their config?


sadbulali Thu, 02/07/2008 - 07:16

The ability to apply sequence numbers to IP access list entries simplifies access list changes. Prior to the IP Access List Entry Sequence Numbering feature, there was no way to specify the position of an entry within an access list.

A Cisco platform can unexpectedly reload while it attempts to resequence an access list. This symptom is observed when a few Access Control Entries (ACEs) are deleted and the ip access-list resequence access-list-name starting-sequence-number increment command is then entered immediately afterwards.

Richard Burts Sat, 02/16/2008 - 10:06


TFTP uses UDP port 69 and FTP uses TCP ports 20 and 21. To allow these protocols you would need permit statements in your access list for these protocols.



mkoch Sun, 02/17/2008 - 05:42

But please note TFTP uses UDP port 69 for the first packet only and uses high port numbers (>1023) for all subsequent packets... which makes TFTP hard to catch with ACLs.

Also FTP sometimes uses the so-called "passive mode" which uses a TCP connection between two high port numbers.

Where is that ACL located? Any chance to use a real firewall which can handle TFTP/FTP (like the Cisco IOS firewall)?
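The two answers above describe the ports (UDP 69 for TFTP, TCP 20/21 for FTP) and the catch (TFTP's ephemeral data ports, FTP passive mode). The following IOS configuration is an added example written for this thread, not config posted by any of the participants. It assumes the switches live in 10.1.1.0/24, the TFTP/FTP server is 10.1.2.10, the server's passive-mode port range is 50000-50100, and the interface names are illustrative. It shows the stateless ACL entries needed in both directions, then the Cisco IOS firewall (CBAC) alternative mkoch suggests, which tracks the sessions so the high-port holes are opened dynamically instead of statically.

```cisco
! ===== Option 1: plain extended ACLs (stateless) =====
! Applied inbound on the interface facing the switches (switch -> server).
ip access-list extended TO-SERVER
 remark -- TFTP: first packet goes to UDP/69 ...
 permit udp 10.1.1.0 0.0.0.255 host 10.1.2.10 eq tftp
 remark -- ... but every later packet goes switch high port -> server high port
 permit udp 10.1.1.0 0.0.0.255 gt 1023 host 10.1.2.10 gt 1023
 remark -- FTP control channel
 permit tcp 10.1.1.0 0.0.0.255 host 10.1.2.10 eq ftp
 remark -- FTP passive data: switch high port -> server passive range (assumed 50000-50100)
 permit tcp 10.1.1.0 0.0.0.255 gt 1023 host 10.1.2.10 range 50000 50100
 remark -- FTP active data: the switch only replies on a connection the server opened
 permit tcp 10.1.1.0 0.0.0.255 gt 1023 host 10.1.2.10 eq ftp-data established
 deny   ip any any log

! Applied inbound on the interface facing the server (server -> switch).
ip access-list extended FROM-SERVER
 remark -- TFTP replies come from an ephemeral server port, never from 69
 permit udp host 10.1.2.10 gt 1023 10.1.1.0 0.0.0.255 gt 1023
 remark -- return traffic for the FTP control and passive data connections
 permit tcp host 10.1.2.10 10.1.1.0 0.0.0.255 established
 remark -- FTP active data: the server opens this connection from port 20
 permit tcp host 10.1.2.10 eq ftp-data 10.1.1.0 0.0.0.255 gt 1023
 deny   ip any any log

interface Vlan10
 description switch management segment (assumed)
 ip access-group TO-SERVER in
interface Vlan20
 description server segment (assumed)
 ip access-group FROM-SERVER in

! ===== Option 2: Cisco IOS firewall (CBAC) instead of the high-port holes =====
! Inspection watches outbound TFTP/FTP sessions (FTP including the PORT/PASV
! negotiation) and creates temporary return openings in the inbound ACL,
! so the "gt 1023" lines above are no longer needed.
ip inspect name MGMT-FW tftp
ip inspect name MGMT-FW ftp

ip access-list extended FROM-SERVER-FW
 remark -- only explicitly allowed server-initiated traffic; CBAC adds the rest
 deny   ip any any log

interface Vlan20
 ip access-group FROM-SERVER-FW in
 ip inspect MGMT-FW out
```

With option 1, the `gt 1023` to `gt 1023` UDP entry is the price of TFTP on a stateless ACL: it admits any high-port UDP between the two address ranges, so keep both addresses as narrow as possible. Option 2 avoids that hole entirely, which is why mkoch's question about where the ACL sits matters.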



