Cisco Support Community
New Member

IP Access List

We can't TFTP or FTP our config from the switches out to our FTP server. We have an IP access list set up allowing certain protocols. What would I have to add to the access list to allow the switches to TFTP or FTP their config?

Thanks.

3 REPLIES
New Member

Re: IP Access List

The ability to apply sequence numbers to IP access list entries simplifies access list changes. Prior to the IP Access List Entry Sequence Numbering feature, there was no way to specify the position of an entry within an access list.

A Cisco platform can unexpectedly reload while it attempts to resequence an access list. This symptom is observed when a few Access Control Entries (ACEs) are deleted and the ip access-list resequence access-list-name starting-sequence-number increment command is then entered immediately afterwards.

Hall of Fame Super Silver

Re: IP Access List

Roy

TFTP uses UDP port 69 and FTP uses TCP ports 20 and 21. To allow these protocols you would need permit statements in your access list for these protocols.

HTH

Rick

New Member

Re: IP Access List

But please note TFTP uses UDP port 69 for the first packet only and uses high port numbers (>1023) for all subsequent packets... which makes TFTP hard to catch with ACLs.

Also FTP sometimes uses the so-called "passive mode" which uses a TCP connection between two high port numbers.

Where is that ACL located? Any chance to use a real firewall which can handle TFTP/FTP (like the Cisco IOS firewall)???

regards,

Michael
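The point made in the last two replies (UDP 69 and TCP 20/21 alone are not enough, because TFTP switches to ephemeral ports after the first packet and passive FTP opens its data connection between two high ports) is easy to see with a small model. The script below is an added example, not part of the original thread: it evaluates a Cisco-style extended ACL (first match wins, implicit deny at the end) against constructed packets of a TFTP "put" and a passive-mode FTP upload, filtering only the switch-to-server direction. The switch subnet 10.0.0.0/24, the server 10.0.1.5, and all port numbers are assumptions chosen for the example.

```python
"""Model of an extended ACL applied to traffic from the switches toward the
TFTP/FTP server. Shows why 'permit udp ... eq 69' and 'permit tcp ... range 20 21'
on their own break the transfers, and what the wider rules look like.
All addresses, ports and packets below are constructed for illustration."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access control entry: action, protocol, source/destination CIDR
    and inclusive port ranges (low, high)."""
    action: str
    proto: str          # "udp", "tcp" or "ip" (any)
    src: str
    sports: tuple
    dst: str
    dports: tuple

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return (self.sports[0] <= pkt.sport <= self.sports[1]
                and self.dports[0] <= pkt.dport <= self.dports[1])


def evaluate(acl, pkt: Packet) -> bool:
    """First matching ACE decides; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


ANY = (0, 65535)
HIGH = (1024, 65535)           # the ">1023" ports the reply above refers to
SWITCHES = "10.0.0.0/24"       # assumed management subnet of the switches
SERVER = "10.0.1.5/32"         # assumed TFTP/FTP server

# What an ACL with "just the well-known ports" looks like (assumed).
NAIVE_ACL = [
    Ace("permit", "udp", SWITCHES, ANY, SERVER, (69, 69)),
    Ace("permit", "tcp", SWITCHES, ANY, SERVER, (20, 21)),
]

# The same ACL plus the high-port rules the transfers actually need.
WIDER_ACL = NAIVE_ACL + [
    Ace("permit", "udp", SWITCHES, HIGH, SERVER, HIGH),   # TFTP DATA/ACK to the server's new port
    Ace("permit", "tcp", SWITCHES, HIGH, SERVER, HIGH),   # passive FTP data channel
]

# Constructed TFTP write (WRQ) from switch 10.0.0.2 port 50000. The server
# answers from a fresh port (40000), so every later packet goes there, not to 69.
TFTP_PUT = [
    Packet("udp", "10.0.0.2", 50000, "10.0.1.5", 69),      # WRQ
    Packet("udp", "10.0.0.2", 50000, "10.0.1.5", 40000),   # DATA block 1
    Packet("udp", "10.0.0.2", 50000, "10.0.1.5", 40000),   # DATA block 2
]

# Constructed passive-mode FTP upload: control channel to 21, then a data
# connection to the high port the server announced in its PASV reply (43210).
PASSIVE_FTP_PUT = [
    Packet("tcp", "10.0.0.2", 50001, "10.0.1.5", 21),
    Packet("tcp", "10.0.0.2", 50002, "10.0.1.5", 43210),
]


def blocked_packets(acl, packets):
    """Packets of the exchange that the ACL drops."""
    return [p for p in packets if not evaluate(acl, p)]


def transfer_allowed(acl, packets) -> bool:
    """A transfer only works if every packet of the exchange is permitted."""
    return not blocked_packets(acl, packets)


if __name__ == "__main__":
    for name, acl in (("naive", NAIVE_ACL), ("wider", WIDER_ACL)):
        for label, pkts in (("TFTP put", TFTP_PUT), ("passive FTP put", PASSIVE_FTP_PUT)):
            dropped = blocked_packets(acl, pkts)
            print(f"{name:5} ACL, {label:15}: {'OK' if not dropped else 'BLOCKED'}",
                  [f"{p.proto}/{p.dport}" for p in dropped])
```

With the naive ACL only the first TFTP packet (to UDP 69) and the FTP control connection (TCP 21) get through; the DATA blocks to the server's new UDP port and the passive data connection are dropped by the implicit deny. The wider rules make both transfers work, at the price of permitting every high UDP and TCP port on the server from the switch subnet, which is what "hard to catch with ACLs" means in practice and why a stateful inspection firewall is the cleaner fix. Active-mode FTP is not modelled: there the server opens the data connection itself from TCP port 20 toward the switch, so a filter on the return direction would need its own rule.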
