Managing System Files


One of the most common tasks faced by Cisco network administrators is file management for various Cisco devices. This includes backing up the system image (for example, the IOS image stored in the flash memory of the router) and configuration files to a centralized location. Almost all Cisco devices offer CLI-based file-management utilities to copy files to TFTP and FTP servers.

File Management Using a TFTP Server

Most Cisco devices allow saving the configuration files or flash images to a backup server using the Trivial File Transfer Protocol (TFTP), which uses UDP port 69 and is a stripped-down version of the FTP protocol. TFTP simplifies network maintenance by providing a quick and simple way of copying files to a centralized location. In case of a device failure or a configuration change resulting in a network outage, the administrator can simply restore the configuration or the flash image from the TFTP server. TFTP is also used as the auto-install method for new devices. The auto-install method is designed to automatically configure a router after it connects to a WAN. For auto-install to work properly, a TFTP server must be on the remote side of the router's synchronous serial connection to the WAN.

Figure 1-24 shows a WAN setup with a central TFTP server for storing configuration and flash images.

Figure 1-24. WAN Setup with TFTP Server


Table 1-8 lists the popular TFTP servers categorized on the basis of operating system.

Table 1-8. TFTP Servers

  Platform     Product
  Windows      Solarwinds TFTP Server, 3COM TFTP Daemon
  Linux        Built-in TFTP server with xinetd
  Cisco IOS    Built-in TFTP with limited capability


The sections that follow discuss these details of TFTP-based file management:

  • Configuring Windows-based TFTP servers

  • Configuring Linux-based TFTP servers

  • Configuring Cisco devices to use TFTP

Configuring Windows-Based TFTP Servers

The Solarwinds TFTP server is a freeware utility that runs on Windows 9X/Me/2000/XP. It can be downloaded from the Solarwinds website (http://www.solarwinds.net) and is easy to run with the default configuration. It provides the following advanced security features:

  • Runs the TFTP server in transmit-only mode

  • Runs the TFTP server in receive-only mode

  • Allows only a range of IP addresses to access the server

  • Provides auto-shutoff after a specified time period

  • Provides logging capability

  • Allows the TFTP root directory to be redirected to a network share for easy maintenance and backup

To configure all these features, choose File > Configure. After the server has been configured, it is ready to use. As shown in Figure 1-25, the default root directory is c:\TFTP-Root.

Figure 1-25. Solarwinds TFTP Server Configuration


Configuring Linux-Based TFTP Servers

The Linux TFTP server is called TFTP Daemon (tftpd). Tftpd is controlled through the xinetd or inetd daemon. Xinetd is used by Red Hat Linux, whereas inetd is used by Debian Linux. Hence, to restart (or stop) the TFTP server, you need to restart (or stop) the inetd server. The steps involved in deploying a Linux-based TFTP server are as follows:

  • Install the TFTP server.

  • Edit the /etc/inetd.conf file.

  • Create the tftpboot directory.

  • Create the configuration files.

  • Restart the inetd server.

Following are the details of each step:

Step 1.

Install the TFTP server (tftpd)

The exact installation procedure depends on the Linux distribution. The command to install tftpd on Debian Linux is apt-get install tftpd.

Step 2.

Edit the /etc/inetd.conf file

You can configure default parameters for tftpd through the /etc/inetd.conf file. One such parameter is the directory used by tftpd to store the files. While the default location is /boot, you should change it to /tftpboot, as highlighted in Example 1-7. This isolates the system files present in the /boot directory.

Example 1-7. Editing the /etc/inetd.conf File
   root@linuxbox:~# cat /etc/inetd.conf | grep tftp
   tftp   dgram   udp   wait   nobody   /usr/sbin/tcpd   /usr/sbin/in.tftpd   /tftpboot

Step 3.

Create the tftpboot directory

You must create a tftpboot directory that matches the name and location specified in the /etc/inetd.conf file. Additionally, change the owner to nobody and the file permission to allow read and write permissions for all users. Without the read and write permissions, you cannot use the TFTP server. The tftpboot directory is used by the tftpd server to store all the files that are to be exchanged through TFTP. Example 1-8 shows the commands that are used in creating the directory and changing the permissions.

Example 1-8. Adding the tftpboot Directory
   # create the /tftpboot directory
   root@linuxbox:~# mkdir /tftpboot
   # grant read, write, and search (execute) permission on the directory to all users;
   # without the search bit, in.tftpd (running as nobody) cannot open the files inside it
   root@linuxbox:~# chmod 777 /tftpboot
   # change the owner of the /tftpboot directory
   root@linuxbox:~# chown nobody /tftpboot
   root@linuxbox:~# ls -l / | grep tftpboot
   drwxrwxrwx    2  nobody root   4096 Feb 12 18:49 tftpboot

Step 4.

Create the configuration files

The Linux TFTP daemon (tftpd) has a built-in security feature that prevents access to files unless they already exist on the TFTP server. Hence, before writing to any file, you must create it on the TFTP server. Moreover, the file must have read-and-write permissions. For example, if the configuration of the Cisco router (host name Router-Dallas) is to be saved on this TFTP server, a file named router-dallas-confg should be created. (As shown later in Example 1-11, this is the default filename used by the copy running-config tftp command on the router.) Example 1-9 shows the creation of the files in the tftpboot directory.

Example 1-9. Creating Configuration Files
   root@linuxbox:~# cd /tftpboot
   # create empty files, named exactly as the devices will name them when writing
   root@linuxbox:/tftpboot# touch router-dallas-confg
   root@linuxbox:/tftpboot# touch switch-dallas.cfg
   root@linuxbox:/tftpboot# touch pix-dallas-config
   # change the file permissions
   root@linuxbox:/tftpboot# chmod a+wr *
   root@linuxbox:/tftpboot# ls -l
   -rw-rw-rw-  1 root root 0 Feb 12 19:24 pix-dallas-config
   -rw-rw-rw-  1 root root 0 Feb 12 19:24 router-dallas-confg
   -rw-rw-rw-  1 root root 0 Feb 12 19:24 switch-dallas.cfg
   root@linuxbox:/tftpboot#

Step 5.

Restart the inetd server

Because tftpd is controlled by the inetd server, the changes made in the previous steps take effect only after the inetd server is restarted as follows:

   root@linuxbox:~# /etc/init.d/inetd restart
   Restarting internet superserver: inetd.

The TFTP server is ready for use. After the files are written or copied, it is good security practice to remove the read/write permissions. (Use the chmod a-wr filename command.) Better yet, move the files to a different location. As good Netadmin practice, save the files in a directory named with the creation date of the configuration files. This way, you have a chronological record of all the changes, thus facilitating troubleshooting.

If you get a Timed out error message from Cisco devices while uploading through TFTP, check the file and directory permissions. Additionally, ensure that the host firewall on the Linux server is set to allow incoming TFTP.
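As an added example (not from the book), the following POSIX shell script carries out the file preparation of Steps 3 and 4 and the post-backup cleanup described above in a repeatable way; the TFTP_ROOT variable, the function names and the hostnames passed in are assumptions for the demonstration, and the chown is skipped when the script is not run as root.

```shell
#!/bin/sh
# Added example (not from the book): prepare a tftpd root for Cisco configuration
# backups and archive the uploaded files afterward, as the text above describes.
# Assumptions: TFTP_ROOT defaults to /tftpboot (override it for testing); in.tftpd
# runs as user "nobody", so the chown is skipped when the script is not run as root.

TFTP_ROOT="${TFTP_ROOT:-/tftpboot}"

# "copy running-config tftp:" on IOS defaults the destination filename to the
# lowercased hostname followed by "-confg" (Router-Dallas -> router-dallas-confg).
cisco_default_name() {
    printf '%s-confg\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# Create the root and pre-create an empty, world-writable file for every hostname
# given, because tftpd only writes into files that already exist.
prepare_tftp_root() {
    mkdir -p "$TFTP_ROOT"
    # rwx for everyone: the search (x) bit is what lets the daemon, running as
    # nobody, open files inside; the sticky bit stops users deleting each other's files.
    chmod 1777 "$TFTP_ROOT"
    [ "$(id -u)" -eq 0 ] && chown nobody "$TFTP_ROOT"
    for host in "$@"; do
        f="$TFTP_ROOT/$(cisco_default_name "$host")"
        : > "$f"
        chmod 666 "$f"
    done
}

# Once the devices have uploaded: remove write access again and move the files
# into a directory named after the backup date so a chronological record builds up.
# Prints the number of files archived.
archive_tftp_files() {
    day="${1:-$(date +%Y-%m-%d)}"
    dest="$TFTP_ROOT/$day"
    mkdir -p "$dest"
    n=0
    for f in "$TFTP_ROOT"/*-confg; do
        [ -f "$f" ] || continue
        chmod a-w "$f"
        mv "$f" "$dest/"
        n=$((n + 1))
    done
    echo "$n"
}
```

Run prepare_tftp_root before the devices copy their configurations and archive_tftp_files afterward, so the root directory holds writable files only for the duration of the backup window.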

Configuring Cisco IOS-Based TFTP Servers

Cisco devices running IOS can be configured as TFTP servers for sharing IOS images stored in flash memory. This feature is useful during disaster recovery because the IOS images for similar hardware platforms can be copied quickly and easily. The command to accomplish this, tftp-server, should be executed in the global configuration mode of the IOS, as shown in Example 1-10.

Example 1-10. Router as TFTP Server
   Router-Dallas#show flash
   PCMCIA flash directory:
   File  Length   Name/status
     1   10685392  /c1600-osy56i-l.121-16.bin
   [10685456 bytes used, 6091760 available, 16777216 total]
   16384K bytes of processor board PCMCIA flash (Read ONLY)
   Router-Dallas#conf t
   Enter configuration commands, one per line.  End with CNTL/Z.
   Router-Dallas(config)#tftp-server flash:c1600-osy56i-l.121-16.bin
   Router-Dallas(config)#exit
   Router-Dallas#exit

Configuring Cisco Devices to Use TFTP

Now that you have configured the TFTP server, you are ready to use it for uploading or downloading files from Cisco devices. While covering each TFTP-related command for each Cisco device is beyond the scope of this book, Table 1-9 lists common commands for saving and restoring configurations on IOS, CatOS, and PIX platforms.

Table 1-9. IOS, CatOS, and PIX Commands

  Platform  Command                                Description
  IOS       copy running-config tftp:              Copy running configuration to a TFTP server
            copy startup-config tftp:              Copy startup configuration to a TFTP server
            copy tftp running-config               Copy from files stored on a TFTP server to the running configuration
            copy tftp startup-config               Copy from files stored on a TFTP server to the startup configuration
  CatOS     copy config tftp                       Copy configuration to a TFTP server
            copy tftp config                       Copy configuration from a file stored on a TFTP server to the switch
  PIX       write net tftp-ip-address:filename     Copy running configuration to a TFTP server
            config net tftp-ip-address:filename    Copy configuration from a specified file on the TFTP server


The following examples, based on the commands listed in Table 1-9, illustrate several of the most common TFTP-related tasks on Cisco devices:

  • Example 1-11: Saving IOS configurations

  • Example 1-12: Saving CatOS configurations

  • Example 1-13: Saving PIX configurations

  • Example 1-14: Restoring PIX configurations

Example 1-11. Saving Cisco IOS Configurations
   Router-Dallas#ping 192.168.0.100
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 192.168.0.100, timeout is 2 seconds:
   !!!!!
   Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
   Router-Dallas#copy running-config tftp:
   Address or name of remote host []? 192.168.0.100
   Destination filename [router-dallas-confg]?
   !!
   490 bytes copied in 3.360 secs (163 bytes/sec)
   Router-Dallas#

Example 1-12. Saving Catalyst Switch Configurations
   Console> (enable) copy config tftp:switch-dallas.cfg
   IP address or name of remote host [192.168.0.100]? y
   Upload configuration to tftp:switch-dallas.cfg (y/n) [n]? y
   .........
   .........
   .........
   .
   /
   Configuration has been copied successfully. (10299 bytes).
   Console> (enable)

Example 1-13. Saving PIX Configurations
   Pix-Dallas# write net 192.168.0.100:pix-dallas-config
   Building configuration...
   TFTP write 'pix-dallas-config' at 192.168.0.100 on interface 1
   [OK]
   Pix-Dallas#

Example 1-14. Restoring PIX Configurations
   Pix-Dallas# config term
   Pix-Dallas(config)# config net 192.168.0.100:pix-dallas-config
   Cryptochecksum(unchanged): 97814530 04080483 a1197964 d944bf56
   Config OK
   Pix-Dallas(config)# exit
   Pix-Dallas#

Note

The preceding examples are indicative only of the most common tasks using TFTP. Refer to the Cisco product documentation home page at Cisco.com for device-specific information. The URL is as follows:

http://www.cisco.com/univercd/home/home.htm


Using an FTP Server for File Management

As discussed in the previous section, TFTP provides a handy tool for backup and recovery, but it has the following inherent weaknesses:

  • Absence of a built-in security mechanism

  • 16-MB file size limitation

  • Uses User Datagram Protocol (UDP)

To overcome these limitations, the latest versions of IOS also support FTP, which is more secure and reliable. It uses TCP port 21 and allows password protection. FTP is more reliable because it relies on TCP retransmission, whereas TFTP lacks a retransmit feature because of the underlying UDP. Cisco devices can copy images or configuration files to and from FTP servers; an FTP server must be configured before this feature can be used. Although FTP is more secure than TFTP, FTP is still prone to eavesdropping because the username and password are sent in clear text.

Linux and Windows 2000/NT can both act as robust FTP servers.

This section covers the following topics:

  • Configuring Windows-based FTP servers

  • Configuring Linux-based FTP servers

  • Configuring Cisco devices to use FTP

Configuring Windows-Based FTP Servers

Windows 2000/2003/XP offer a built-in FTP server within the Internet Information Services (IIS) framework. A Windows-based FTP server offers the following advantages:

  • Integrated authentication with the domain controller

  • Simple to install and administer using the Computer Management Console

The installation consists of installing the IIS server followed by configuring the FTP services under the IIS server. The steps discussed in this section are based on MS-Windows XP. However, the steps are similar to those for MS-Windows 2000 or 2003.

Installing the IIS Server

The steps for installing the IIS server are as follows:

Step 1.

Choose Start, Settings, Control Panel, Add/Remove Programs, Add/ Remove Windows Component to start the Windows Component Wizard.

Step 2.

In the Windows Component Wizard window, select Internet Information Services (IIS).

Step 3.

Click the Details button to view the components of the IIS server. Make sure that Common Files, Documentation, File Transfer Protocol (FTP) Server, and Internet Information Services Snap-In are selected.

Step 4.

Click the OK button to return to the Windows Component Wizard.

Step 5.

Click the Next button, and then click the Finish button.

Step 6.

Close the Add/Remove Programs window.

Configuring FTP Services on the IIS Server

The steps for configuring FTP services on the IIS server are as follows:

Step 1.

Open the Computer Management Console by right-clicking the My Computer icon and selecting the Manage option.

Step 2.

Click the plus sign (+) next to Services and Applications to expand the menu.

Step 3.

Click the plus sign (+) next to Internet Information Services to expand the menu.

Step 4.

Right-click Default FTP Site and then click Properties, as shown in Figure 1-26. Some versions of MS-Windows have Default FTP Site listed under FTP Sites, as shown in Figure 1-26.

Figure 1-26. Computer Management Console for IIS


Step 5.

In the Default FTP Site Properties window that appears, click the Security Accounts tab, as shown in Figure 1-27.

Figure 1-27. FTP Server Security Accounts


Step 6.

Deselect the Allow Anonymous Connections check box. This prevents unauthorized users from accessing FTP files.

Step 7.

Click the Home Directory tab, as shown in Figure 1-28. In the FTP Site Directory section, the Local Path field defines the location of files for sharing through FTP. The default location is c:\inetpub\ftproot.

Figure 1-28. FTP Server Home Directory


Warning

The default path for the location of files for sharing is c:\inetpub\ftproot. However, users are strongly encouraged to change the default path to a different drive, such as d:\ftproot. Also, this drive should not contain system files such as command.com. This limits the impact of Unicode directory traversal exploits against the FTP server.

Step 8.

Select the Read, Write, and Log visits check boxes.

Step 9.

Click the OK button to save these settings.

The server is now configured to accept incoming FTP read and write requests. In the preceding example, c:\inetpub\ftproot is the location of files that can be published through the FTP server. The username and password are the same as those created on this computer through the Users and Password option in the Control Panel.

Configuring Linux-Based FTP Servers

A command-line-based FTP server can be installed on Linux. This places less demand on the hardware because CLI-based applications eliminate the overhead of running a GUI. Although many FTP servers are available, the following are some popular FTP servers for Linux:

  • vsFTP: Available at http://vsftpd.beasts.org/

  • ProFTP: Available at http://www.proftpd.org/

  • WUFTP: Available at http://www.wu-ftpd.org/

The server vsFTP, which stands for Very Secure FTP, is one of the most popular choices because of performance and security. Additionally, ProFTP is feature rich but has been reported to have more security vulnerabilities than vsFTP. Finally, WUFTP, although older than the other two, is not as secure as vsFTP. This section covers setting up vsFTP on a Linux-based FTP server.

The steps involved in deploying a vsFTP server are as follows:

  • Install the vsFTP daemon.

  • Edit the vsftpd.conf file.

  • Create an FTP user.

  • Restart the vsFTP server.

Following are the details of each step:

Step 1.

Install the vsFTP daemon

Whereas the exact installation steps vary for each Linux distribution, for Debian Linux, use apt-get install vsftpd.

Step 2.

Edit the vsftpd.conf file

The /etc/vsftpd.conf file controls the behavior of the vsFTP server. You can also specify the banner message. Following are the contents of the /etc/vsftpd.conf file:

   # disable anonymous login
   anonymous_enable=NO
   # enable local user to login
   local_enable=YES
   write_enable=YES
   local_umask=022
   dirmessage_enable=YES
   xferlog_enable=YES
   connect_from_port_20=YES
   ftpd_banner=UNAUTHORIZED ACCESS PROHIBITED, PLEASE EXIT NOW

Step 3.

Create an FTP user

You must create a local user on the Linux machine. This username is used to log in to the FTP server. You can use the useradd command to create the new user. The following snippet illustrates a new user being created with the username ftp-user:

   [root@localhost root]# /usr/sbin/useradd ftp-user
   [root@localhost root]# passwd ftp-user
   Changing password for user ftp-user.
   New password:
   Retype new password:
   passwd: all authentication tokens updated successfully.
   [root@localhost root]#

Step 4.

Restart the vsFTP server

After editing the default /etc/vsftpd.conf file and creating a new user, you must restart the vsftpd server to allow the new settings to take effect. Use the following command:

    [root@localhost root]# /etc/init.d/vsftpd restart 

The files shared through the FTP server are located in the user's home directory. In the preceding example, the files uploaded by the user ftp-user can be found in the /home/ftp-user directory.
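As an added example (not from the book or the vsftpd project), this POSIX shell script checks a vsftpd.conf against the settings listed in Step 2 above, treating an unset anonymous_enable as a finding because vsftpd's documented default for it is YES; the function names and the two sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book or the vsftpd project): audit a vsftpd.conf
# against the settings listed above. Assumes vsftpd's "key=value" syntax with
# "#" comment lines; the sample configurations are constructed for this demo.

# Print the effective value of a key (the last occurrence wins), or nothing if unset.
vsftpd_get() {
    # $1 = config file, $2 = key name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Report each deviation on stderr and print the number of findings on stdout.
# An unset anonymous_enable counts as a finding: vsftpd's documented default is YES.
audit_vsftpd_conf() {
    cfg="$1"
    findings=0
    for pair in anonymous_enable=NO local_enable=YES write_enable=YES xferlog_enable=YES; do
        key="${pair%%=*}"
        want="${pair#*=}"
        got="$(vsftpd_get "$cfg" "$key")"
        if [ "$got" != "$want" ]; then
            echo "FINDING: $key=${got:-<unset>} (expected $want)" >&2
            findings=$((findings + 1))
        fi
    done
    if [ -z "$(vsftpd_get "$cfg" ftpd_banner)" ]; then
        echo "FINDING: ftpd_banner is unset (no warning banner at login)" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# Constructed sample: anonymous logins left enabled, no transfer log, no banner.
write_weak_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
EOF
}

# Constructed sample: the settings from the text above.
write_hardened_conf() {
    cat > "$1" <<'EOF'
# disable anonymous login
anonymous_enable=NO
# enable local user to login
local_enable=YES
write_enable=YES
local_umask=022
xferlog_enable=YES
ftpd_banner=UNAUTHORIZED ACCESS PROHIBITED, PLEASE EXIT NOW
EOF
}
```

Point audit_vsftpd_conf at /etc/vsftpd.conf on the backup server; a non-zero count means a setting differs from the configuration shown in Step 2.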

Configuring Cisco Devices to Use FTP

Cisco IOS Software also supports FTP for system file maintenance. Table 1-10 describes the IOS commands that perform various file maintenance operations.

Table 1-10. IOS Commands for File Maintenance Operations

  Command:
    Router# copy flash-filesystem:filename ftp:[[[//[username[:password]@]location]/directory]/filename]
  Explanation: Copies an image from flash memory to an FTP server

  Command:
    Router# copy ftp:[[[//[username[:password]@]location]/directory]/filename] flash-filesystem:[filename]
  Explanation: Copies an image from an FTP server to a flash memory file system

  Command:
    Router# copy system:running-config ftp:[[[//[username[:password]@]location]/directory]/filename]
    or
    Router# copy nvram:startup-config ftp:[[[//[username[:password]@]location]/directory]/filename]
  Explanation: Copies a configuration file from the router to the FTP server

  Command:
    Router# copy ftp:[[[//[username[:password]@]location]/directory]/filename] system:running-config
    or
    Router# copy ftp:[[[//[username[:password]@]location]/directory]/filename] nvram:startup-config
  Explanation: Copies a configuration file from an FTP server to the router


Figure 1-29 illustrates a LAN with Router-Dallas and an FTP server.

Figure 1-29. LAN with FTP Server


Example 1-15 shows the commands that copy the running configuration of the router (Router-Dallas with IP address 192.168.0.10) to the FTP server (IP address 192.168.0.103). The username is ftp-user and the password is cisco123.

Example 1-15. Saving Router Configuration to FTP Server
   Router-Dallas#copy running ftp://ftp-user:cisco123@192.168.0.103/router-dallas-confg
   Address or name of remote host [192.168.0.103]?
   Destination filename [router-dallas-confg]?
   Writing router-dallas-confg !
   569 bytes copied in 3.188 secs (189 bytes/sec)
   Router-Dallas#

Example 1-16 shows the listing of the home directory on the Linux-based FTP server. The configuration file router-dallas-confg was created by ftp-user on August 31 at 20:39.

Example 1-16. Contents of FTP Server
   [ftp-user@localhost ftp-user]$ ls -l
   total 4
   -rw-r--r--    1 ftp-user ftp-user      569 Aug 31 20:39 router-dallas-confg

The listing of the ftproot directory on a Windows-based FTP server shows the same information, as depicted in Example 1-17.

Example 1-17. Contents of Windows FTP Server
   C:\Inetpub\ftproot>dir
    Volume in drive C has no label.
    Volume Serial Number is 2C6A-5594

    Directory of C:\Inetpub\ftproot

   08/31/2003  08:52p      <DIR>          .
   08/31/2003  08:52p      <DIR>          ..
   08/31/2003  08:51p                 569 router-dallas-confg
                  1 File(s)            569 bytes
                  2 Dir(s)   8,495,082,496 bytes free

Although better than TFTP, FTP suffers from a major security weakness: FTP transmits passwords in clear text. To overcome this limitation, Cisco IOS Release 12.2 T and higher support Secure Copy Protocol (SCP). The global configuration command to enable SCP is ip scp server enable. While Linux provides built-in support for SCP, you can use WinSCP3 (available for download at http://winscp.sourceforge.net) as an SCP client on MS-Windows machines.

The following Cisco.com URL provides more information on the IOS implementation of SCP:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087b18.html#wp1043332



Network Administrators Survival Guide
ISBN: 1587052113
Year: 2006
Pages: 106
