Cisco IOS – Restricting TFTP Access Using Extended ACL

Tags: acl, cisco-7600, cisco-ios, cisco-ios-15, ios-xe

I am trying the extended ACL below to restrict TFTP, but I am still able to upload files to the router using TFTP. Not sure what is wrong; can you all help?

Approach 1:

permit udp host <ip> any eq 69
deny udp any any eq 69
permit ip any any

Interface:

ip access-group <ACL name> out

Even deny udp host any any eq 69 does not work.

When applying it inbound (in), I lose access to SSH with the following error: packet_write_wait: Connection to port 22: Broken pipe

Best Answer

Your Approach 1 should work, provided it is applied to the interface towards the server (allow only host IP to use TFTP).

If you apply that ACL on the ingress interfaces, towards the clients, it should work as well. Applying an ACL to ingress traffic should always be preferred.

Note that you do need a permit ip any any at the end of an ACL so that it does not drop all traffic (except what is explicitly permitted) when applied; do not apply an empty or half-finished ACL to a live interface.
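As an added example (not configuration from the question or the answer), here is the complete named ACL from Approach 1 applied inbound on the client-facing interface, with a log keyword on the deny entry so blocked TFTP attempts show up in the logs and in the ACE hit counters; an "out" ACL on that same interface never sees requests addressed to the router itself, which is why the inbound direction is the one that restricts uploads to the router. The ACL name, the management host 192.0.2.10 and the interface GigabitEthernet0/1 are assumptions.

```cisco
! Added example, not from the original post: names, addresses and interface are assumed.
ip access-list extended TFTP-RESTRICT
 remark Only the management host may reach TFTP (UDP/69); log everything else that tries
 permit udp host 192.0.2.10 any eq 69
 deny   udp any any eq 69 log
 remark Final permit keeps SSH and all other traffic working (avoids the implicit deny)
 permit ip any any
!
interface GigabitEthernet0/1
 description Client-facing interface
 ip access-group TFTP-RESTRICT in
!
! Verify after a test transfer from a non-management host: the deny ACE
! should show a non-zero match count and a log message should be generated.
! show ip access-lists TFTP-RESTRICT
```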