Using the Router as a TFTP Server

Problem

You want to configure your router to act as a TFTP server.

Solution

The tftp-server command configures the router to act as a TFTP server:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#tftp-server flash:c2600-ik9o3s-mz.122-12a.bin
Router1(config)#end
Router1#

 

Discussion

The ability to use a router as a TFTP server can be quite useful. We have often used this feature to upgrade several routers that are separated from the TFTP server by slow WAN connections. In situations like this, you can upgrade one of the remote routers by using TFTP over the slow WAN connection as we described in Recipe 1.6. Then you can configure the first router to act as a TFTP server, and use it to upgrade the remaining routers over high-speed local links.

The router is not a fully functional TFTP server. It can only serve files for download. You cannot use this feature to upload files into the serving router's local flash. However, the router is not limited to just serving IOS images. You can use your router's flash to store configuration files and make them available for download via TFTP as well. Moreover, you can even use it to hold configuration files for nonCisco equipment.

Security is a concern whenever you enable services on a router. Every extra service you enable provides the wily hacker with a new potential avenue to exploit against your network. Therefore, we certainly don't recommend using the TFTP server feature on routers facing the public Internet or other unfriendly networks. However, for internal use, we believe it is reasonably safe. You can increase the security of the router's TFTP server by using an access-list like this:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router1(config)#access-list 99 deny any 
Router1(config)#tftp-server flash:c2600-ik9o3s-mz.122-12a.bin 99
Router1(config)#end
Router1#

In this example, we defined an access-list 99 that will allow all devices on the 172.25.1.0 network to access the router's TFTP server. Then we applied the access-list to the TFTP service by specifying the access-list number at the end of the tftp-server command line. This will help to ensure that only the authorized devices permitted by the access-list may download the specified file via TFTP.

You can configure the router to serve multiple files via TFTP by simply adding more tftp-server commands. And, if security is a concern, you can configure each file to use its own access-list.

Although this feature can be useful, we recommend enabling it only when you need to do a download, and then disabling the service as soon as the download has completed. This will help to mitigate the security concerns of running extra services from your router.

See Also

Recipe 1.6





Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505
Simiral book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net