jking1005 (United States of America) asked:
Disabling TFTP on a Cisco 2960 Switch

How do I disable TFTP services on a Cisco C2960S-24TS switch?  The IOS version is 12.2 (55).  This switch sits on the outside of our network and needs to be 'hardened' for security purposes.  I ran the 'no tftp' command for Flash, null, nvram, system and tmpsys file load requests but it's still showing as available.  (We are using an outside vendor to run pen tests on it and they are reporting this.)  Should I have rebooted the switch after running this?  Any help would be much appreciated.  

Thanks,

Jana
SOLUTION by Don Johnston (United States of America): content available to Experts Exchange members only.
jking1005 (asker):
Thanks for the input, Don.  I've not ever used ACLs on a Layer 2 switch before.  Can you give me some direction on how to go about doing that?  I googled it, but came up with a ton of answers.  If you happen to have a link to some easy to follow instructions that would be great!
Hi jking1005,

Let's say that I can reach this switch via interface g0/0 (outside).

The config will be as below.

1. Configure an ACL to deny TFTP and permit all other traffic:

switch(config)# access-list 100 deny udp any any eq 69
switch(config)# access-list 100 permit ip any any

2. Apply it on the interface (outside), direction incoming:

Switch(config-if)# ip access-group 100 in
Thank you...I'll try this out tomorrow and report back.  Appreciate the help.

Hi jking1005,

Do you need any further help?


I didn't get a chance to try the ACL on Friday so will do that today.  I'll keep you posted.  Thank you for checking in on me.

Jana
I just tried the command, but got an error when applying to the interface.  It says "Port-based ACLs are not supported with this image".  Is there a global command that I can use to apply this access list to the switch?  

Thanks,

Jana
Tell me what type of IOS you have (ipbase, enterprise, etc.).
To find out, you can use the command
Switch#dir flash
and add the full name of the IOS:
flash:/c2960s-universalk9-mz.122-55.SE7

I think it's just standard, not ipbase or enterprise

Since it let me build the ACL, is there a way to apply it globally?

ASKER CERTIFIED SOLUTION: content available to Experts Exchange members only.
Have you tried applying the ACL to the VTY lines?

line vty 0 15
 access-class 100 in (where "100" is the ACL number)


Thank you for the info!  I won't be able to test today, but will update as soon as I can.

j
Don, so I'd use 'access-class' instead of 'access-list'?  I've already defined the access-list, using the instructions that Mohammad gave earlier.  Just want to make sure that I use the right commands.

Mohammad, I'm sure you're right and that we have the LAN Lite version of the IOS.  I will attempt to apply it to that VLAN and see what happens.

Thanks!

j
Good luck and keep us updated :) 
Correct.  "access-list" is used when creating the ACL.  "access-group" is used when applying it to an interface.  "access-class" is used when applying it to a line (vty, console or aux).

The ACL mentioned earlier will work in this scenario.
I applied the ACL to the VTY lines, but our security vendor is saying they can still TFTP to that switch.  I just applied the ACL to the VLAN and am waiting to hear if that secured it.  I'll update as soon as I hear from them.

Thanks!
Good luck and we hope to hear good news from you soon 
Great news...creating the ACL and applying it to the VLAN worked great.  Do the experts still get points for answering questions?  
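Putting the thread's pieces together as one worked configuration. This is an added example, not something any participant posted: it takes Mohammad's ACL 100, applies it inbound on the management SVI (the only place this LAN Lite image accepted it, since a physical port returns "Port-based ACLs are not supported with this image"), and adds Don's access-class on the vty lines. The VLAN number (1), the management subnet (192.0.2.0/24) and ACL number 10 are assumptions for illustration. The vty filter uses a separate standard ACL rather than reusing ACL 100, because access-class only ever examines the source of incoming terminal sessions; it never sees UDP services such as TFTP, which is why applying ACL 100 to the vty lines alone did not satisfy the pen testers.

```cisco
! Added example, not from the thread.
! Assumptions: management SVI is Vlan1, management hosts live in
! 192.0.2.0/24, and ACL numbers 10 and 100 are unused.
!
! 1. ACL 100: drop TFTP requests (UDP/69) aimed at the switch, allow the rest.
configure terminal
 access-list 100 deny   udp any any eq 69
 access-list 100 permit ip  any any
!
! 2. Apply it inbound on the SVI. On a Layer 2 switch this filters only
!    traffic addressed to the switch itself on that VLAN; transit frames
!    between hosts are not affected.
 interface Vlan1
  ip access-group 100 in
 exit
!
! 3. Restrict who may open telnet/ssh sessions (Don's access-class).
!    This does not filter UDP services, so step 2 is still required.
 access-list 10 permit 192.0.2.0 0.0.0.255
 line vty 0 15
  access-class 10 in
 end
!
! 4. Verify, then save.
show ip interface vlan 1 | include access list
show access-lists 100
write memory
```

After the vendor re-runs the scan, `show access-lists 100` should show a non-zero match count on the deny line; if the counters stay at zero while the vendor still reports TFTP as reachable, check that the tested address really belongs to the SVI the ACL is on. The ACL does not interfere with the switch acting as a TFTP client (`copy tftp: flash:`), because the server's replies are not addressed to UDP port 69 on the switch.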
I am very happy that Don and I could help you solve this issue :)
Yes we get points for every solution and helpful comments