Disabling TFTP on a Cisco 2960 Switch

Asked by jking1005
Last Modified: 2020-06-11
How do I disable TFTP services on a Cisco C2960S-24TS switch?  The IOS version is 12.2 (55).  This switch sits on the outside of our network and needs to be 'hardened' for security purposes.  I ran the 'no tftp' command for Flash, null, nvram, system and tmpsys file load requests but it's still showing as available.  (We are using an outside vendor to run pen tests on it and they are reporting this.)  Should I have rebooted the switch after running this?  Any help would be much appreciated.  

Thanks,

Jana

Don Johnston (Instructor) commented:
[comment text not available]

Author commented:
Thanks for the input, Don.  I've not ever used ACLs on a Layer 2 switch before.  Can you give me some direction on how to go about doing that?  I googled it, but came up with a ton of answers.  If you happen to have a link to some easy to follow instructions that would be great!
Mohammad Rummaneh (Sr. Network & Security Engineer) commented:
Hi jking1005,

Let's say that I can reach this switch via interface g0/0 (outside). The config will be as below.

1. Configure an ACL to deny TFTP and permit all other traffic:

switch(config)# access-list 100 deny udp any any eq 69
switch(config)# access-list 100 permit ip any any

2. Apply it on the outside interface, in the incoming direction:

switch(config)# interface g0/0
switch(config-if)# ip access-group 100 in

Author commented:
Thank you...I'll try this out tomorrow and report back.  Appreciate the help.

Mohammad Rummaneh (Sr. Network & Security Engineer) commented:
Hi jking1005,

Do you need any further help?


Author commented:
I didn't get a chance to try the ACL on Friday so will do that today.  I'll keep you posted.  Thank you for checking in on me.

Jana

Author commented:
I just tried the command, but got an error when applying to the interface.  It says "Port-based ACLs are not supported with this image".  Is there a global command that I can use to apply this access list to the switch?  

Thanks,

Jana
Mohammad Rummaneh (Sr. Network & Security Engineer) commented:
Tell me what type of IOS image you have (ipbase, enterprise, etc.). To find out, use the command

Switch# dir flash:

and post the full name of the IOS image.

Author commented:
flash:/c2960s-universalk9-mz.122-55.SE7

I think it's just standard, not ipbase or enterprise

Since it let me build the ACL, is there a way to apply it globally?

Mohammad Rummaneh (Sr. Network & Security Engineer) commented:
[comment text not available]
Don Johnston (Instructor) commented:
Have you tried applying the ACL to the VTY lines?

line vty 0 15
 access-class 100 in    (where "100" is the ACL number)


Author commented:
Thank you for the info!  I won't be able to test today, but will update as soon as I can.

j

Author commented:
Don, so I'd use 'access-class' instead of 'access-list'?  I've already defined the access-list, using the instructions that Mohammad gave earlier.  Just want to make sure that I use the right commands.

Mohammad, I'm sure you're right and that we have the LAN Lite version of the IOS.  I will attempt to apply it to that VLAN and see what happens.

Thanks!

j
Mohammad Rummaneh (Sr. Network & Security Engineer) commented:
Good luck and keep us updated :) 
Don Johnston (Instructor) commented:
Quoting the author: "Don, so I'd use 'access-class' instead of 'access-list'?  I've already defined the access-list, using the instructions that Mohammad gave earlier.  Just want to make sure that I use the right commands."
Correct.  "access-list" is used when creating the ACL.  "access-group" is used when applying it to an interface.  "access-class" is used when applying it to a line (vty, console or aux).

The ACL mentioned earlier will work in this scenario.

Author commented:
I applied the ACL to the VTY lines, but our security vendor is saying they can still TFTP to that switch.  I just applied the ACL to the VLAN and am waiting to hear if that secured it.  I'll update as soon as I hear from them.

Thanks!
Mohammad Rummaneh (Sr. Network & Security Engineer) commented:
Good luck and we hope to hear good news from you soon 

Author commented:
Great news...creating the ACL and applying it to the VLAN worked great.  Do the experts still get points for answering questions?  
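The working configuration the author describes, written out as an added example (this is not configuration posted in the thread). It assumes the switch's management address sits on VLAN 1 (interface Vlan1), keeps ACL number 100 from Mohammad's post, and uses the documentation subnet 192.0.2.0/24 as a placeholder for the management hosts; substitute your own management VLAN and subnet. Two points worth keeping in mind. First, an access-class on the vty lines only governs who may open a Telnet or SSH session, so it never touches UDP/69; an ip access-group applied inbound on the SVI filters every IP packet addressed to the switch's management IP, TFTP requests included, and the LAN Lite image accepts it as a router ACL even though port ACLs on physical interfaces are rejected. Second, matching only destination port 69 is enough: the TFTP data transfer moves to ephemeral ports, but it can only begin after a read or write request reaches port 69. No reboot is needed, the ACL is active as soon as it is in the running configuration, but it must be saved or it disappears at the next reload.

```cisco
! Added example, not from the thread: block TFTP to the management IP of a
! C2960S on a LAN Lite image, where port ACLs on physical ports are unsupported.
! Assumptions: management SVI is Vlan1, ACL number 100, management hosts in
! 192.0.2.0/24 (placeholder). Adjust all three to your environment.
configure terminal
!
! Extended ACL: drop TFTP (UDP/69) to any destination, allow everything else.
! Clear any earlier definition first so entries are not appended to a stale list.
no access-list 100
access-list 100 deny   udp any any eq 69
access-list 100 permit ip any any
!
! Apply it as a router ACL on the management SVI, inbound (the direction in which
! the tester's packets arrive). This is the step that actually stopped the scanner.
interface Vlan1
 ip access-group 100 in
exit
!
! Optional, following Don's vty suggestion but with a tighter list: allow Telnet/SSH
! only from the management hosts. This protects the vty lines only; it does nothing
! for UDP/69, which is why the SVI ACL above is still required.
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any
line vty 0 15
 access-class 10 in
exit
end
!
! Verify and persist.
show ip access-lists 100              ! shows the list and any match counters
show running-config interface Vlan1   ! confirms 'ip access-group 100 in' is present
show running-config | include tftp    ! lists any remaining tftp-server lines to remove
copy running-config startup-config    ! the ACL survives a reload only once saved
```

After saving, have the vendor re-run the probe; a TFTP client that previously received a file or an error reply from the switch should now get no response at all.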
Mohammad Rummaneh (Sr. Network & Security Engineer) commented:
I am very happy that Don and I could help you solve this issue :)
Yes, we get points for every solution and helpful comment.