We have multiple 3845s running CCME. We have been hit by our audit committee that TFTP is open on these devices. I know that TFTP has to be open for the Cisco phones to function, but is there a way to lock the router down globally where no network can get to it except for the voice segment?
You could put an ACL on the other interfaces denying TFTP.
access-list 100 deny udp any any eq 69
access-list 100 permit ip any any
Hope that helps.
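The ACL from the reply above only takes effect once it is bound to an interface. The following is an added example, not part of the original post, showing it applied inbound on a non-voice interface; the interface names and descriptions are assumptions to be replaced with the router's own.

```cisco
! Added example. Interface names below are assumed placeholders.
! ACL 100 as given in the reply: drop TFTP requests (UDP/69), pass everything else.
access-list 100 deny   udp any any eq 69
access-list 100 permit ip any any
!
! Bind ACL 100 inbound on every interface that does NOT face the phones.
interface GigabitEthernet0/0
 description non-voice side (assumed)
 ip access-group 100 in
!
! Voice-facing interface (assumed): ACL 100 is not applied here,
! so phones on the voice segment can still reach the router's TFTP service.
interface GigabitEthernet0/1
 description voice segment (assumed)
!
! Verification, run from exec mode: the match counter on the deny line
! should increase when a host outside the voice segment attempts TFTP.
! show ip access-lists 100
```

Because the destination in the deny line is `any`, this ACL also drops TFTP that merely passes through the router on those interfaces; if transit TFTP has to keep working, replace the destination with `host` followed by each of the router's own addresses.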