Welcome to Dell Technologies Connectrix Cisco MDS-Series — How-to Videos. How to block FTP or TFTP access to an MDS switch.
Reference Dell Knowledge Article Number 11992.
This video was created to demonstrate how to block FTP or TFTP access to an MDS switch through the CLI. This is achieved by configuring an Access Control List (ACL). Access Control Lists can be used for two purposes on Cisco devices: to filter traffic and to identify traffic.
An access list is an ordered set of rules, organized in a rule table. Each rule, or line, in an access list provides a condition and an action, either permit or deny. When an access list is used to filter traffic, a permit statement is used to "allow" traffic while a deny statement is used to "block" traffic.
Similarly, when an access list is used to identify traffic, a permit statement is used to "include" traffic while a deny statement states that the traffic should "not" be included. Each rule is thus interpreted as a true or false statement. The well-known TCP and UDP port numbers that must be blocked to restrict FTP and TFTP are: FTP, TCP port 21 (control) and TCP port 20 (data); TFTP, UDP port 69.
When to do this: When an administrator wants to block FTP or TFTP access to the MDS switch by configuring an access list that denies the unwanted traffic on the management interface and permits everything else.
Step 1: Creating the IP access list. Enter configuration mode and add the entries in this order (deny entries first, permit entries last).
"ip access-list disableftpandtftp deny udp any any eq port 69" creates an IP ACL called "disableftpandtftp" and denies UDP traffic from any source address to any destination address with destination port 69 (TFTP).
"ip access-list disableftpandtftp deny tcp any any eq port 20" adds an entry denying TCP traffic from any source address to any destination address with destination port 20 (FTP data).
"ip access-list disableftpandtftp deny tcp any any eq port 21" adds an entry denying TCP traffic from any source address to any destination address with destination port 21 (FTP control).
"ip access-list disableftpandtftp permit udp any any" permits all other UDP traffic from any source address to any destination address.
"ip access-list disableftpandtftp permit tcp any any" permits all other TCP traffic from any source address to any destination address.
"ip access-list disableftpandtftp permit ip any any" permits all remaining IP traffic from any source address to any destination address.
Note that the deny entries match on destination port only, so the list stops FTP and TFTP sessions regardless of which side initiates them, while leaving other management protocols such as SSH, SCP and SFTP on TCP port 22 untouched.
Step 2: Apply the access list to the management port.
"interface mgmt0"
"ip access-group disableftpandtftp"
"end"
Now copy the running-configuration to the startup-configuration so the change survives a reload.
Step 3: Verify that the access list is applied correctly. Copy the startup-configuration to an external FTP server and save the file with the name "configbackup". The copy fails, which shows that FTP is now blocked. To revert the change, remove the access list from the management interface.
Enter configuration mode.
"interface mgmt0"
"no ip access-group disableftpandtftp"
"end"
After reverting the change, the copy to the external FTP server succeeds again. Important notes: The order in which access list conditions, or match criteria, are configured is important.
When deciding whether to forward or block traffic, Cisco software tests the traffic against each criteria statement in the order in which the statements were created. After the first match is found, no further statements are checked.
Hence, do not make your first access list entry "permit ip any any": every packet would match it, all traffic would get through, and no packet would ever reach the deny entries that follow.
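The following is an added example and is not part of the Dell article or of Cisco NX-OS: a small first-match evaluator that models how the switch walks the rule table built in Steps 1 to 3, using the six "disableftpandtftp" entries exactly as the article enters them. It shows which entry decides a given packet (FTP on TCP 21, TFTP on UDP 69, SCP/SFTP on TCP 22, SNMP on UDP 161), and it shows the ordering mistake described in the notes by moving "permit ip any any" to the top. Two assumptions are made here: the address fields are ignored because the article uses "any any" throughout, so entries are matched on protocol and destination port only, and a packet that matches no entry is dropped, which is the standard implicit deny at the end of Cisco IP access lists (the reason the article ends the list with explicit permits). The rule names and helper functions are illustrative, not NX-OS commands.

```python
# Added example (not from the Dell article or from Cisco NX-OS): a first-match
# evaluator for the IP access list built in Step 1.
# Assumptions: rules match on protocol and destination port only (the article
# uses "any any" for addresses), and a packet matching no entry is denied,
# the implicit deny of Cisco IP ACLs.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp" or "udp"
    dst_port: Optional[int]   # None when the entry has no "eq port N" clause

    def matches(self, proto: str, dst_port: int) -> bool:
        # "ip" matches every IP protocol; tcp/udp match only themselves.
        if self.proto != "ip" and self.proto != proto:
            return False
        # An entry without a port clause matches any destination port.
        return self.dst_port is None or self.dst_port == dst_port


def parse_acl(lines: List[str]) -> Tuple[Optional[str], List[Rule]]:
    """Parse 'ip access-list NAME {permit|deny} PROTO any any [eq port N]'
    lines into (name, ordered rule list). Other lines are ignored."""
    name = None
    rules: List[Rule] = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "ip" or t[1] != "access-list":
            continue
        name = t[2]
        action, proto = t[3].lower(), t[4].lower()
        if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
            raise ValueError(f"unsupported entry: {line}")
        dst_port = None
        if "eq" in t:
            i = t.index("eq")
            # MDS writes "eq port 21"; a plain "eq 21" is accepted as well.
            port_tok = t[i + 2] if t[i + 1] == "port" else t[i + 1]
            dst_port = int(port_tok)
        rules.append(Rule(action, proto, dst_port))
    return name, rules


def evaluate(rules: List[Rule], proto: str, dst_port: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry). The first match decides;
    later entries are never consulted. No match at all means implicit deny."""
    for idx, rule in enumerate(rules):
        if rule.matches(proto, dst_port):
            return rule.action, idx
    return "deny", None


# The six commands from Step 1, in the order the article enters them.
STEP1_ACL = [
    "ip access-list disableftpandtftp deny udp any any eq port 69",
    "ip access-list disableftpandtftp deny tcp any any eq port 20",
    "ip access-list disableftpandtftp deny tcp any any eq port 21",
    "ip access-list disableftpandtftp permit udp any any",
    "ip access-list disableftpandtftp permit tcp any any",
    "ip access-list disableftpandtftp permit ip any any",
]

# Same entries with "permit ip any any" first: the mistake the notes warn about.
MISORDERED_ACL = [STEP1_ACL[-1]] + STEP1_ACL[:-1]


def decide(acl_lines: List[str], proto: str, dst_port: int) -> str:
    """Parse the list and return 'permit' or 'deny' for one packet."""
    _, rules = parse_acl(acl_lines)
    return evaluate(rules, proto, dst_port)[0]


def blocks_ftp_and_tftp(acl_lines: List[str]) -> bool:
    """True when FTP (TCP 20 and 21) and TFTP (UDP 69) are all denied."""
    return all(decide(acl_lines, p, port) == "deny"
               for p, port in (("udp", 69), ("tcp", 20), ("tcp", 21)))


if __name__ == "__main__":
    probes = [("tcp", 21), ("tcp", 20), ("udp", 69), ("tcp", 22), ("udp", 161)]
    for label, acl in (("Step 1 order", STEP1_ACL), ("permit-first", MISORDERED_ACL)):
        name, rules = parse_acl(acl)
        print(f"{label} ({name}):")
        for proto, port in probes:
            action, idx = evaluate(rules, proto, port)
            print(f"  {proto}/{port}: {action} (entry {idx})")
```

Running the script prints the decision and the matching entry index for each probe: with the Step 1 order, TCP 21, TCP 20 and UDP 69 hit entries 2, 1 and 0 and are denied, while TCP 22 and UDP 161 fall through to the permit entries; with "permit ip any any" moved to the top, every probe hits entry 0 and is permitted, which is exactly why the deny entries must come first.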
Thank you for watching.