TFTP server and port 69 UDP or TCP or Both

Sep 29th, 2005

If I want to write an access list (inbound) on a router to prevent users on the Ethernet LAN connected to e0 from accessing a TFTP server (located on the LAN connected to e1).

The extended access list on the Ethernet interface e0 (inbound) will be:

Access-list 101 deny udp (not tcp) eq 69

Access-list 101 permit ip any any

Do I need to add this line as well to the deny statement above?

Access-list 101 deny tcp (not udp) eq 69

See the link below for that.

Under: “The following incoming access list will block these ports on your router”:

Harold Ritter Thu, 09/29/2005 - 06:04

TFTP is udp based so there is no need for the deny tcp statement.

Let me know if I answered your question,

zillah2004 Thu, 09/29/2005 - 09:50

Thanks hritter

Could you please comment on the link that I sent, because it has used udp as well as tcp!!!

I have read a question for CCIE written preparation, and they had used udp and tcp as well.

Harold Ritter Thu, 09/29/2005 - 10:29

I think the document you included blindly denies both TCP and UDP ports for all protocols as defined in the following document:

You see, for instance, protocols such as FTP and telnet reserve both TCP and UDP ports but are currently only implemented using TCP.

There is no implementation of TFTP using TCP port 69 that I know of. Specifying both UDP and TCP for TFTP in your ACL doesn't make a big difference if you only block a couple of protocols but could easily become a nightmare as your ACL grows.

Let me know if I answered your question,

zillah2004 Tue, 11/01/2005 - 02:12

((There is no implementation of TFTP using TCP port 69 that I know of.))

Don't you think the above is similar to one of the configurations that I found in the Cisco Lab about a DNS server:

Vista(config)# access-list 112 permit udp any host eq domain

Vista(config)# access-list 112 permit tcp any host eq 53

As you can see, for the DNS server in the first row he used udp and in the second row he used tcp?

bellocarico Tue, 11/01/2005 - 02:55

zillah2004, I think your example is different, as DNS works on UDP for client queries and TCP for zone transfer between servers.

So it uses the same port, but has a different function on each layer 4 protocol.


zillah2004 Tue, 01/31/2006 - 00:36

((as DNS works on UDP for client queries and TCP for zone transfer between servers)).

Does it make any difference if the explanation says:

(( Use the following

a- protocol udp to allow hosts to use the server for lookup requests on port 53.

b- protocol tcp to allow zone transfer on port 53 {my understanding is from server to client, not between servers} ))

mdella000 Thu, 10/08/2015 - 22:50

This is a rather old post however it keeps coming up in google so just in case someone else was wondering...


DNS port 53 (udp) is for a client to query a server. This is the standard method of pulling down a single query from a DNS server and is by far the most commonly used form of DNS.


DNS port 53 (tcp) is used for server-to-server communications (typ) when one server is requesting a zone transfer of the entire zone. Typically this is seen from slave servers to their masters (or hidden masters depending on how the org is set up).


Note that (tcp) is typically denied with a white list of servers that are allowed to make queries whereas (udp) is typically allowed with potentially a black list of servers that are "bad guys".
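Putting the thread's two cases together in Cisco IOS extended ACL syntax, as an added example that is not from any of the posts above. The interface names follow the question (e0/e1); the addresses are constructed documentation-range placeholders, and the IOS port-name keywords `tftp` and `domain` stand for 69 and 53.

```cisco
! Constructed example, not from the thread. Placeholder addresses:
!   e0 LAN (users) = 192.0.2.0/24, e1 LAN (servers) = 198.51.100.0/24
!   TFTP server 198.51.100.10, DNS server 198.51.100.53,
!   secondary DNS server allowed to pull zones = 203.0.113.53
!
! ACL 101, inbound on e0: keep the user LAN away from the TFTP server.
! TFTP is UDP-only, so no "deny tcp ... eq 69" entry is needed.
! Note the ACL lines in the original question omit the source and
! destination fields; an IOS extended entry always names both.
access-list 101 deny   udp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq tftp
access-list 101 permit ip  any any
!
interface Ethernet0
 ip access-group 101 in
!
! ACL 112, inbound on the interface facing DNS clients: UDP/53 from any
! client for lookups, TCP/53 only from the whitelisted secondary so zone
! transfers stay server-to-server; other TCP/53 attempts are logged.
access-list 112 permit udp any host 198.51.100.53 eq domain
access-list 112 permit tcp host 203.0.113.53 host 198.51.100.53 eq domain
access-list 112 deny   tcp any host 198.51.100.53 eq domain log
access-list 112 permit ip  any any
```

One caveat on the TCP/53 deny: ordinary resolvers also retry over TCP when a UDP answer comes back truncated (large responses, for example with DNSSEC), so denying client TCP/53 trades that fallback for the tighter zone-transfer control.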


