TFTP: Uploading an ACL command file from a TFTP server (CLI)

Syntax:


copy tftp command-file <ip-addr> <filename.txt> {<unix | pc>}

Copies the named text file from the specified TFTP server and executes the ACL commands it contains.

<ip-addr>

The IP address of a TFTP server available to the switch

<filename.txt>

A text file containing ACL commands and stored in the TFTP directory of the server identified by ip-addr

{<unix | pc>}

The type of workstation used for serial, Telnet, or SSH access to the switch CLI

Depending on the ACL commands used, this action does one of the following in the running-config file:
  • Creates a new ACL.

  • Replaces an existing ACL. (See "Creating an ACL Offline" in the "Access Control Lists (ACLs)" chapter of the latest access security guide for your switch.)

  • Adds to an existing ACL.

Example:

Suppose you:

  • Created an ACL command file named vlan10_in.txt to update an existing ACL.

  • Copied the file to a TFTP server at 18.38.124.16.

Using a PC workstation, you then execute the following from the CLI to upload the file to the switch and implement the ACL commands it contains:

switch(config)# copy tftp command-file 18.38.124.16 vlan10_in.txt pc

The switch displays this message:

Running configuration may change, do you want to continue [y/n]?

To continue with the upload, press the [Y] key. To abort the upload, press the [N] key. Note that if the switch detects an illegal (non-ACL) command in the file, it bypasses that command, displays a notice (as shown in "Using the copy command to download and configure an ACL"), and continues to implement the remaining ACL commands in the file.

Using the copy command to download and configure an ACL
switch(config)# copy tftp command-file 10.38.124.18 vlan10_in.txt pc
Running configuration may change, do you want to continue [y/n]? y
  1. ip access-list extended "155"
  2. deny tcp 0.0.0.0 255.255.255.255 10.10.10.2 0.0.0.0 eq 23 log
  3. permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
  4. show running
Command files are limited to access-list commands. (1)
  5. exit
switch(config)# show running (2)
Running configuration:

; J9091A Configuration Editor; Created on release #W.15.05.0000x
; Ver #01:01:00

hostname "Switch"
cdp run
ip default-gateway 10.38.248.1
logging 10.38.227.2
snmp-server community "public" unrestricted
ip access-list extended "155"
deny tcp 0.0.0.0 255.255.255.255 10.10.10.2 0.0.0.0 eq 23 log
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

(1) This message indicates that the show running command just above it is not an ACL command and will be ignored by the switch.

(2) Manually executing show running from the CLI shows that the file was implemented, creating ACL 155 in the switch’s running configuration.
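Because the switch silently bypasses any non-ACL line in a command file, it helps to lint the file on the workstation before uploading it. The following is an added example written for this page, not code from the switch documentation or any vendor tool; it classifies each line the way the listing above shows the switch doing (accepted versus bypassed) and flags a permit entry whose source and destination wildcard masks are all ones. The allow-list of command shapes is an assumption built only from the commands shown on this page, and the sample file is constructed to mirror vlan10_in.txt.

```python
import re

# Constructed sample mirroring the page's vlan10_in.txt listing; "show running"
# is the non-ACL line the switch bypasses with a notice.
SAMPLE_FILE = """\
ip access-list extended "155"
deny tcp 0.0.0.0 255.255.255.255 10.10.10.2 0.0.0.0 eq 23 log
permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
show running
exit
"""

# Allow-list of command shapes an ACL command file may contain (assumption:
# built from the commands shown on the page, not from a vendor specification).
HEADER = re.compile(r'^ip access-list (standard|extended) "?[\w-]+"?$')
ENTRY = re.compile(r'^(deny|permit)\s+(.+)$')
CLOSER = re.compile(r'^exit$')


def lint_command_file(text):
    """Classify lines as the switch will; returns (accepted, ignored, warnings).

    accepted/ignored are (line_no, text) pairs: ACL commands that will be
    applied, and non-ACL commands the switch bypasses. warnings are the
    editor's own sanity checks on accepted entries.
    """
    accepted, ignored, warnings = [], [], []
    in_acl = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        entry = ENTRY.match(line)
        if HEADER.match(line):
            in_acl = True
        elif CLOSER.match(line):
            in_acl = False
        elif entry:
            action, rest = entry.group(1), entry.group(2).split()
            if not in_acl:
                warnings.append(f"line {n}: entry outside an ip access-list block")
            # All-ones wildcards on both source and destination match every
            # packet; flag the permit so the catch-all is a deliberate choice.
            if action == "permit" and rest.count("255.255.255.255") >= 2:
                warnings.append(f"line {n}: permit matches all traffic")
        else:
            ignored.append((n, line))  # switch prints its notice and skips it
            continue
        accepted.append((n, line))
    return accepted, ignored, warnings
```

Run lint_command_file on the file's text before the copy tftp command-file step; anything in the ignored list would be bypassed on the switch exactly as line 4 is in the listing above.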