IP Access List

user_4444
Level 1

We can't TFTP or FTP our config from the switches to our FTP server. We have an IP Access List set up allowing certain protocols. What would I have to add to the Access List to allow the switches to TFTP or FTP their config?

Thanks.

3 Replies

sadbulali
Level 4

The ability to apply sequence numbers to IP access list entries simplifies access list changes. Prior to the IP Access List Entry Sequence Numbering feature, there was not a way to specify the position of an entry within an access list.

A Cisco platform can unexpectedly reload while it attempts to resequence an access list. This symptom is observed when a few Access Control Entries (ACEs) are deleted and the ip access-list resequence access-list-name starting-sequence-number increment command is then entered immediately afterwards.

Roy

TFTP uses UDP port 69 and FTP uses TCP ports 20 and 21. To allow these protocols you would need permit statements in your access list for these protocols.

HTH

Rick

But please note TFTP uses UDP port 69 for the first packet only and uses high port numbers (>1023) for all subsequent packets... which makes TFTP hard to catch with ACLs.

Also FTP sometimes uses the so-called "passive mode" which uses a TCP connection between two high port numbers.

Where is that ACL located? Any chance to use a real firewall which can handle TFTP/FTP (like the Cisco IOS firewall)?

regards,

Michael
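A worked illustration of the two points above, added by the editor and not part of any reply in this thread: a small matcher for Cisco-style extended ACL lines (Rick's permit statements for UDP 69 and TCP 20-21) run over a constructed TFTP transfer and a constructed passive-mode FTP connection, plus a toy stateful tracker showing what a real firewall has to remember in order to follow TFTP onto its high ports, as Michael describes. The addresses (10.0.0.5 server, 10.0.0.10 switch), ports, ACL lines and the class and function names are all constructed for this example.

```python
# Added example (editor's, not from the thread): toy Cisco-style extended ACL matcher plus a stateful TFTP tracker.
from dataclasses import dataclass
from typing import Optional
import ipaddress

@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "udp" or "tcp"
    src: ipaddress.IPv4Network
    sport: Optional[tuple]      # (low, high) inclusive; None matches any port
    dst: ipaddress.IPv4Network
    dport: Optional[tuple]

def _parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wc = int(ipaddress.ip_address(tok[i + 1]))      # Cisco wildcard = inverted netmask
    mask = str(ipaddress.ip_address(0xFFFFFFFF ^ wc))
    return ipaddress.ip_network((tok[i], mask), strict=False), i + 2

def _parse_port(tok, i):
    """Parse an optional 'eq N' or 'range A B' operator starting at tok[i]."""
    if i >= len(tok) or tok[i] not in ("eq", "range"):
        return None, i
    if tok[i] == "eq":
        return (int(tok[i + 1]),) * 2, i + 2
    return (int(tok[i + 1]), int(tok[i + 2])), i + 3

def parse_ace(line):
    """Parse a line such as 'permit udp host 10.0.0.10 host 10.0.0.5 eq 69'."""
    tok = line.split()
    src, i = _parse_addr(tok, 2)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    return Ace(tok[0], tok[1], src, sport, dst, dport)

def _in_range(port, rng):
    return rng is None or rng[0] <= port <= rng[1]

def evaluate(acl, pkt):
    """Stateless lookup: first matching ACE wins, implicit deny at the end."""
    for a in acl:
        if (a.proto in ("ip", pkt.proto)
                and ipaddress.ip_address(pkt.src) in a.src
                and ipaddress.ip_address(pkt.dst) in a.dst
                and _in_range(pkt.sport, a.sport) and _in_range(pkt.dport, a.dport)):
            return a.action
    return "deny"

class StatefulTftp:
    """Toy model of what a stateful inspector adds for TFTP: remember a permitted
    request, accept the server's reply from whichever port it picks, then pin the
    rest of the transfer to that port pair. Everything else falls back to the ACL."""
    def __init__(self, acl):
        self.acl, self.sessions = acl, {}   # (client_ip, client_port) -> [server_ip, server_port]

    def evaluate(self, pkt):
        if pkt.proto != "udp":
            return evaluate(self.acl, pkt)
        key, rkey = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        if pkt.dport == 69 and evaluate(self.acl, pkt) == "permit":
            self.sessions[key] = [pkt.dst, None]        # request allowed: open a session
            return "permit"
        s = self.sessions.get(rkey)
        if s and s[0] == pkt.src:                        # server -> client
            if s[1] is None:                             # first reply: learn the data port
                s[1] = pkt.sport
            return "permit" if s[1] == pkt.sport else "deny"
        s = self.sessions.get(key)
        if s and s == [pkt.dst, pkt.dport]:              # client -> learned server port
            return "permit"
        return evaluate(self.acl, pkt)

SERVER, SWITCH = "10.0.0.5", "10.0.0.10"                 # constructed addresses
NAIVE_ACL = [parse_ace(l) for l in (                      # constructed ACL: well-known ports only
    "permit udp host 10.0.0.10 host 10.0.0.5 eq 69",
    "permit tcp host 10.0.0.10 host 10.0.0.5 range 20 21")]
TFTP_FLOW = [Packet("udp", SWITCH, 1025, SERVER, 69),     # WRQ (constructed packets)
             Packet("udp", SERVER, 3456, SWITCH, 1025),   # ACK 0 from a new server port
             Packet("udp", SWITCH, 1025, SERVER, 3456)]   # DATA block 1
FTP_FLOW = [Packet("tcp", SWITCH, 1030, SERVER, 21),      # control connection
            Packet("tcp", SWITCH, 1031, SERVER, 50000)]   # passive-mode data connection

if __name__ == "__main__":
    insp = StatefulTftp(NAIVE_ACL)
    print("stateless ACL, TFTP:", [evaluate(NAIVE_ACL, p) for p in TFTP_FLOW])
    print("stateful,      TFTP:", [insp.evaluate(p) for p in TFTP_FLOW])
    print("stateless ACL, FTP: ", [evaluate(NAIVE_ACL, p) for p in FTP_FLOW])
```

Run as a script it prints three verdict lists: the stateless ACL passes only the first TFTP packet (the request to port 69) and the FTP control connection, while the stateful tracker passes the whole TFTP exchange and still rejects a reply arriving from any other server port. The purely stateless alternative is to add permit lines for UDP high ports in both directions between the two hosts, which is exactly why TFTP is hard to catch with ACLs and why a firewall feature that inspects the exchange, such as the Cisco IOS firewall Michael mentions, is the cleaner answer.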