New Member

TFTP server and port 69 UDP or TCP or Both

If I want to write an access list (inbound) on a router to prevent users on the Ethernet LAN connected to e0 from accessing a TFTP server (10.1.1.15) located on the LAN connected to e1.

The extended access list on the Ethernet interface e0 (inbound), will be:

Access-list 101 deny udp (not tcp) 0.0.0.0 255.255.255.255 10.1.1.15 0.0.0.0 eq 69

Access-list 101 permit ip any any

Do I need to add this line as well to the deny statement above?

Access-list 101 deny tcp (not udp) 0.0.0.0 255.255.255.255 10.1.1.15 0.0.0.0 eq 69

See the link below for that.

Under: “The following incoming access list will block these ports on your router”:

http://www.ibiblio.org/security/articles/ports.html

8 REPLIES
Cisco Employee

Re: TFTP server and port 69 UDP or TCP or Both

TFTP is udp based so there is no need for the deny tcp statement.

Let me know if I answered your question,

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México 
Paseo de la Reforma 222 Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
New Member

Re: TFTP server and port 69 UDP or TCP or Both

Thanks hritter

Could you please comment on the link that I sent, because it has used udp as well as tcp!!!

I have read a question for CCIE written preparation and they had used the udp and tcp as well.

Cisco Employee

Re: TFTP server and port 69 UDP or TCP or Both

I think the document you included blindly denies both TCP and UDP ports for all protocols as defined in the following document:

http://www.iana.org/assignments/port-numbers

You see, for instance, protocols such as FTP and telnet reserve both TCP and UDP ports but are currently only implemented using TCP.

There is no implementation of TFTP using TCP port 69 that I know of. Specifying both UDP and TCP for TFTP in your ACL doesn't make a big difference if you only block a couple of protocols but could easily become a nightmare as your ACL grows.

Let me know if I answered your question,

Harold Ritter
New Member

Re: TFTP server and port 69 UDP or TCP or Both

((There is no implementation of TFTP using TCP port 69 that I know of.))

Don't you think the above is similar to one of the configurations that I found in the Cisco Lab about a DNS server:

Vista(config)# access-list 112 permit udp any host 172.16.1.2 eq domain

Vista(config)# access-list 112 permit tcp any host 172.16.1.2 eq 53

As you can see, for the DNS server in the first row he used udp and in the second row he used tcp?

New Member

Re: TFTP server and port 69 UDP or TCP or Both

zillah2004, I think your example is different, as DNS works on UDP for client queries and TCP for zone transfer between servers.

So it uses the same port, but has a different function on a different layer 4 protocol.

Regards

New Member

Re: TFTP server and port 69 UDP or TCP or Both

Thanks for that

New Member

Re: TFTP server and port 69 UDP or TCP or Both

((as DNS works on UDP for client queries and TCP for zone transfer between servers)).

Does it make any difference if the explanation says:

(( Use the following

a- protocol udp to allow hosts to use the server for lookup requests on port 53.

b- protocol tcp to allow zone transfer on port 53 {my understanding is from server to client, not between servers} ))

New Member

This is a rather old post

This is a rather old post however it keeps coming up in google so just in case someone else was wondering...

DNS port 53 (udp) is for a client to query a server. This is the standard method of pulling down a single query from a DNS server and is by far the most commonly used form of DNS.

DNS port 53 (tcp) is used for server-to-server communications (typ) when one server is requesting a zone transfer of the entire zone. Typically this is seen from slave servers to their masters (or hidden masters depending on how the org is set up).

Note that (tcp) is typically denied with a white list of servers that are allowed to make queries whereas (udp) is typically allowed with potentially a black list of servers that are "bad guys".
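The two policies argued over in this thread (the questioner's UDP-only TFTP deny and the DNS split between UDP/53 for queries and TCP/53 for zone transfers) can both be checked with a small ACL evaluator. The following is an added example, not code from the thread or from Cisco: it models IOS first-match semantics with the implicit deny at the end, IOS wildcard masks, and protocol/destination-port matching, and it parses the lines quoted in the thread as posted. The secondary server address 172.16.1.3 and the packet addresses are constructed for the demonstration; the TCP whitelist entry follows the last reply's description rather than the lab line, which permitted TCP/53 from any source.

```python
"""Toy evaluator for Cisco IOS extended access lists (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Port keywords IOS accepts in place of numbers (subset used here).
NAMED_PORTS = {"domain": 53, "tftp": 69}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care' (it is not a netmask)."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care


@dataclass
class Packet:
    proto: str                    # "udp", "tcp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any transport protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None   # from "eq <port>" after the destination

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        return self.dport is None or p.dport == self.dport


def _parse_addr(t: list[str], i: int) -> tuple[str, str, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at t[i]."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


def parse_ace(line: str) -> Entry:
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]'.

    Tolerates a leading 'Router(config)#' prompt, a trailing period and
    parenthesised asides such as '(not tcp)', so the thread's lines work as posted.
    """
    t = re.sub(r"\([^)]*\)", "", line).strip().rstrip(".").lower().split()
    if t and t[0].endswith("#"):
        t = t[1:]                                   # drop the CLI prompt
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line!r}")
    src, src_wc, i = _parse_addr(t, 4)
    dst, dst_wc, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = NAMED_PORTS.get(t[i + 1]) or int(t[i + 1])
    return Entry(t[2], t[3], src, src_wc, dst, dst_wc, dport)


def evaluate(acl: list[Entry], p: Packet) -> str:
    """First matching entry wins; no match means the implicit 'deny ip any any'."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


# The questioner's ACL, fed in exactly as posted (annotation and all).
TFTP_ACL = [parse_ace(l) for l in (
    "Access-list 101 deny udp (not tcp) 0.0.0.0 255.255.255.255 10.1.1.15 0.0.0.0 eq 69",
    "Access-list 101 permit ip any any.",
)]

# DNS policy as the last reply describes it: UDP/53 open to all clients,
# TCP/53 (zone transfers) only from a whitelisted secondary (172.16.1.3 is constructed).
DNS_ACL = [parse_ace(l) for l in (
    "Vista(config)# access-list 112 permit udp any host 172.16.1.2 eq domain.",
    "access-list 112 permit tcp host 172.16.1.3 host 172.16.1.2 eq 53",
    "access-list 112 deny tcp any host 172.16.1.2 eq 53",
    "access-list 112 permit ip any any",
)]


def demo() -> dict[str, str]:
    """Verdicts for constructed packets against both policies."""
    return {
        "tftp_udp_request": evaluate(TFTP_ACL, Packet("udp", "10.2.2.7", "10.1.1.15", 69)),
        "tftp_tcp_69":      evaluate(TFTP_ACL, Packet("tcp", "10.2.2.7", "10.1.1.15", 69)),
        "dns_udp_query":    evaluate(DNS_ACL, Packet("udp", "10.9.9.9", "172.16.1.2", 53)),
        "dns_axfr_allowed": evaluate(DNS_ACL, Packet("tcp", "172.16.1.3", "172.16.1.2", 53)),
        "dns_axfr_blocked": evaluate(DNS_ACL, Packet("tcp", "10.9.9.9", "172.16.1.2", 53)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

Running it shows the UDP-only deny stops a TFTP request to 10.1.1.15 while a TCP segment to port 69 passes on the `permit ip any any` line, which is harmless for the reason Harold gives (no TFTP implementation uses it); for DNS, the same port 53 yields opposite verdicts depending on the layer 4 protocol and the source of the TCP connection.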
