One of the most common tasks faced by Cisco network administrators is file management for various Cisco devices. This includes backing up the system image (for example, the IOS image stored in the flash memory of the router) and configuration files to a centralized location. Almost all Cisco devices offer CLI-based file-management utilities to copy files to TFTP and FTP servers.

File Management Using a TFTP Server

Most Cisco devices allow saving the configuration files or flash images to a backup server using the Trivial File Transfer Protocol (TFTP), which uses UDP port 69 and is a stripped-down version of FTP with no authentication of any kind. TFTP aids in simplified network maintenance by allowing a quick and simple way of copying to a centralized location. In case of a device failure or a configuration change resulting in a network outage, the administrator can simply restore the configuration or the flash image from the TFTP server. TFTP is also used as the auto-install method for new devices. The auto-install method is designed to automatically configure a router after it connects to a WAN. For auto-install to work properly, a TFTP server must be on the remote side of the router's synchronous serial connection to the WAN. Figure 1-24 shows a WAN setup with a central TFTP server for storing configuration and flash images.

Figure 1-24. WAN Setup with TFTP Server

Table 1-8 lists the popular TFTP servers categorized on the basis of operating system.
The sections that follow discuss configuring Windows-based TFTP servers, configuring Linux-based TFTP servers, configuring Cisco IOS-based TFTP servers, and configuring Cisco devices to use TFTP.
Configuring Windows-Based TFTP Servers

The Solarwinds TFTP server is a freeware utility that runs on Windows 9X/Me/2000/XP. It can be downloaded from the Solarwinds website (http://www.solarwinds.net) and is easy to run with the default configuration. It also provides several security-related configuration options.
To configure these options, choose File > Configure. After the server has been configured, it is ready to use. As shown in Figure 1-25, the default root directory is c:\TFTP-Root.

Figure 1-25. Solarwinds TFTP Server Configuration
Configuring Linux-Based TFTP Servers

The Linux TFTP server is called TFTP Daemon (tftpd). Tftpd is not started on its own; it is launched on demand by the xinetd or inetd super-server. Xinetd is used by Red Hat Linux, whereas inetd is used by Debian Linux. Hence, to restart (or stop) the TFTP server, you restart (or stop) xinetd or inetd, whichever your distribution uses. The steps involved in deploying a Linux-based TFTP server are as follows:
Following are the details of each step:
The TFTP server is ready for use. After the files are written or copied, it is good security practice to remove the read/write permissions (use the chmod a-wr filename command). Because TFTP has no authentication, any file left readable in the TFTP root can be downloaded by anyone who can reach UDP port 69, and any file left writable can be overwritten. Better yet, move the files to a different location. As good Netadmin practice, save the files in a directory named with the creation date of the configuration files. This way, you have a chronological record of all the changes, thus facilitating troubleshooting. If you get a Timed out error message from Cisco devices while uploading through TFTP, check the file and directory permissions: with the classic tftpd, the target file must already exist and be writable by the daemon, which in practice means world-writable. Additionally, ensure that the host firewall on the Linux server is set to allow incoming TFTP.

Configuring Cisco IOS-Based TFTP Servers

Cisco devices running IOS can be configured as TFTP servers for sharing IOS images stored in flash memory. This feature is useful during disaster recovery because the IOS images for similar hardware platforms can be copied quickly and easily. The command to accomplish this, tftp-server, should be executed in the global configuration mode of the IOS, as shown in Example 1-10. Because the router's TFTP server has no authentication, restrict it with the optional standard access list number that tftp-server accepts as its last argument, so that only the intended backup or recovery hosts can fetch the image.

Example 1-10. Router as TFTP Server

Router-Dallas#show flash
PCMCIA flash directory:
File  Length    Name/status
  1   10685392  /c1600-osy56i-l.121-16.bin
[10685456 bytes used, 6091760 available, 16777216 total]
16384K bytes of processor board PCMCIA flash (Read ONLY)
Router-Dallas#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router-Dallas(config)#tftp-server flash:c1600-osy56i-l.121-16.bin
Router-Dallas(config)#exit
Router-Dallas#exit

Configuring Cisco Devices to Use TFTP

Now that you have configured the TFTP server, you are ready to use it for uploading or downloading files from Cisco devices. While covering each TFTP-related command for each Cisco device is beyond the scope of this book, Table 1-9 lists common commands for saving and restoring configurations on IOS, CatOS, and PIX platforms.
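The Linux tftpd workflow described above (pre-creating a writable target file, moving each completed upload into a date-named directory, and removing write permission afterwards) is easy to get wrong by hand, so here is an added example that is not part of the original chapter. It is a small Python helper; the /tftpboot root, the router-dallas-confg file name and the xinetd stanza (written for tftp-hpa's in.tftpd) are assumptions made for illustration, and the demo runs in a throwaway temporary directory.

```python
"""Helpers for a Linux tftpd backup area (added example, not from the chapter).

Assumptions: tftp-hpa style in.tftpd launched by xinetd; the root directory
and file names below are illustrative only.
"""
import datetime
import os
import shutil
import stat
import tempfile

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def xinetd_stanza(root="/tftpboot", allow_create=False):
    """Return an /etc/xinetd.d/tftp entry for tftp-hpa's in.tftpd.

    -s chroots the daemon into root; -c lets clients create new files
    (without it the target must already exist, see prepare_upload).
    """
    args = "-s %s" % root
    if allow_create:
        args += " -c"
    return (
        "service tftp\n{\n"
        "    socket_type = dgram\n    protocol    = udp\n    wait        = yes\n"
        "    user        = root\n    server      = /usr/sbin/in.tftpd\n"
        "    server_args = %s\n    disable     = no\n}\n" % args
    )


def prepare_upload(root, name):
    """Pre-create the target so a classic tftpd (no -c) accepts the write.

    The file must exist and be writable by the daemon, which in practice
    means world-writable: until the upload is archived, anyone who can reach
    UDP/69 can overwrite it.
    """
    path = os.path.join(root, name)
    open(path, "wb").close()
    os.chmod(path, 0o666)
    return path


def archive_upload(root, name, when=None):
    """Move a completed upload into root/archive/YYYY-MM-DD and chmod a-w it."""
    when = when or datetime.date.today()
    dest_dir = os.path.join(root, "archive", when.isoformat())
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, name)
    shutil.move(os.path.join(root, name), dest)
    mode = stat.S_IMODE(os.stat(dest).st_mode)
    os.chmod(dest, mode & ~WRITE_BITS)  # same effect as chmod a-w
    return dest


def world_writable(root):
    """Audit: files under root that anyone on the network could still overwrite."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            if os.stat(p).st_mode & stat.S_IWOTH:
                hits.append(p)
    return sorted(hits)


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def run_demo(when=datetime.date(2003, 8, 31)):
    """Walk the whole cycle in a temporary directory and report what happened."""
    root = tempfile.mkdtemp(prefix="tftpboot-")
    name = "router-dallas-confg"
    placeholder = prepare_upload(root, name)
    placeholder_mode = mode_of(placeholder)
    exposed = world_writable(root)                 # the placeholder is exposed
    with open(placeholder, "wb") as fh:            # stand-in for the router's upload
        fh.write(b"hostname Router-Dallas\n")      # constructed sample content
    archived = archive_upload(root, name, when)
    result = {
        "placeholder_mode": placeholder_mode,
        "exposed_before": [os.path.relpath(p, root) for p in exposed],
        "archived_rel": os.path.relpath(archived, root),
        "archived_mode": mode_of(archived),
        "exposed_after": world_writable(root),
        "placeholder_gone": not os.path.exists(placeholder),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(xinetd_stanza())
    for key, value in run_demo().items():
        print("%-17s %s" % (key, value))
```

The audit function is the check worth running on a schedule: a placeholder that was prepared but never archived stays world-writable, and that is exactly the file an attacker on the management LAN would overwrite to plant a bad configuration.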
The following examples, based on the commands listed in Table 1-9, illustrate several of the most common TFTP-related tasks on Cisco devices:
Example 1-11. Saving Cisco IOS Configurations

Router-Dallas#ping 192.168.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
Router-Dallas#copy running-config tftp:
Address or name of remote host []? 192.168.0.100
Destination filename [router-dallas-confg]?
!!
490 bytes copied in 3.360 secs (163 bytes/sec)
Router-Dallas#

Example 1-12. Saving Catalyst Switch Configurations

Console> (enable) copy config tftp:switch-dallas.cfg
IP address or name of remote host [192.168.0.100]? y
Upload configuration to tftp:switch-dallas.cfg (y/n) [n]? y
......... ......... ......... . /
Configuration has been copied successfully. (10299 bytes).
Console> (enable)

Example 1-13. Saving PIX Configurations

Pix-Dallas# write net 192.168.0.100:pix-dallas-config
Building configuration...
TFTP write 'pix-dallas-config' at 192.168.0.100 on interface 1
[OK]
Pix-Dallas#

Example 1-14. Restoring PIX Configurations

Pix-Dallas# config term
Pix-Dallas(config)# config net 192.168.0.100:pix-dallas-config
Cryptochecksum(unchanged): 97814530 04080483 a1197964 d944bf56
Config OK
Pix-Dallas(config)# exit
Pix-Dallas#

Note: The preceding examples are indicative only of the most common tasks using TFTP. Refer to the Cisco product documentation home page at Cisco.com for device-specific information. The URL is as follows: http://www.cisco.com/univercd/home/home.htm

Using an FTP Server for File Management

As discussed in the previous section, TFTP provides a handy tool for backup and recovery, but it has two inherent weaknesses: it has no authentication, so any host that can reach the server can read or write the files it serves, and it runs over UDP, so it gets none of the reliability that TCP provides.
To overcome these limitations, the latest versions of IOS now support FTP, which is more secure and reliable. FTP uses TCP port 21 for its control connection (the file data travels over a second TCP connection) and requires a username and password. FTP is more reliable because TCP retransmits lost segments and delivers the stream in order, whereas TFTP runs over UDP and must acknowledge each 512-byte block itself in lock-step, so a single lost packet stalls the transfer until the sender times out and resends that block. Cisco devices can copy images or configuration files to and from FTP servers. An FTP server should be configured to effectively use this feature. Although FTP is more secure than TFTP, FTP is still prone to eavesdropping of username and password information, which is sent in clear text. Linux and Windows 2000/NT can both act as robust FTP servers. This section covers configuring Windows-based FTP servers, configuring Linux-based FTP servers, and configuring Cisco devices to use FTP.
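To make the TFTP comparison above concrete, here is an added example that is not part of the original chapter: a write (WRQ) exchange from RFC 1350, with both the router-side client and the server modelled as Python functions passing raw packets through a constructed lossy "network". It shows the two points the text makes, that the request carries a file name and a transfer mode but no credentials at all, and that every 512-byte block must be acknowledged before the next one is sent, so a lost DATA or ACK packet costs a timeout and a retransmission. The file name router-dallas-confg and the sample content are constructed.

```python
"""Lock-step TFTP write exchange (RFC 1350) simulated in-process.

Added example, not from the chapter: both sides are plain functions exchanging
raw packets; a constructed lossy network drops chosen packets so the client's
timeout-and-resend behaviour and the server's duplicate handling are visible.
"""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512


def build_wrq(filename, mode="octet"):
    # 2-byte opcode, filename, NUL, mode, NUL: there is no username or password.
    return struct.pack("!H", WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def parse(packet):
    """Decode a packet into an (opcode, ...) tuple."""
    op, = struct.unpack("!H", packet[:2])
    if op in (RRQ, WRQ):
        filename, mode, _ = packet[2:].split(b"\0", 2)
        return op, filename.decode(), mode.decode()
    if op in (DATA, ACK):
        block, = struct.unpack("!H", packet[2:4])
        return (op, block, packet[4:]) if op == DATA else (op, block)
    if op == ERROR:
        code, = struct.unpack("!H", packet[2:4])
        return op, code, packet[4:].rstrip(b"\0").decode()
    raise ValueError("unknown opcode %d" % op)


class TftpServer:
    """Write-only server: stores uploads, ACKs each block, re-ACKs duplicates."""

    def __init__(self):
        self.files = {}
        self._name = None
        self._expected = 0

    def handle(self, packet):
        fields = parse(packet)
        if fields[0] == WRQ:
            self._name, self._expected = fields[1], 1
            self.files[self._name] = b""
            return build_ack(0)            # ACK 0 tells the client to send block 1
        if fields[0] == DATA:
            block, payload = fields[1], fields[2]
            if block == self._expected:    # new block: append it
                self.files[self._name] += payload
                self._expected += 1
            return build_ack(block)        # duplicate: re-ACK, never append twice
        return None


def tftp_put(server, filename, content, lose_data=(), lose_ack=(), max_retries=3):
    """Client side of a write. lose_data / lose_ack list block numbers whose first
    DATA or first ACK the constructed network drops. Returns (transcript, retransmits)."""
    transcript = []

    def exchange(pkt, drop_request=False, drop_reply=False):
        transcript.append(("client", pkt))
        if drop_request:
            transcript.append(("network", "DATA lost"))
            return None
        reply = server.handle(pkt)
        if drop_reply:
            transcript.append(("network", "ACK lost"))
            return None
        transcript.append(("server", reply))
        return reply

    reply = exchange(build_wrq(filename))
    if reply is None or parse(reply) != (ACK, 0):
        raise RuntimeError("WRQ not acknowledged")

    blocks = [content[i:i + BLOCK_SIZE] for i in range(0, len(content), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")                 # a short (here empty) block marks end of file

    retransmits = 0
    for n, payload in enumerate(blocks, start=1):
        for attempt in range(max_retries + 1):
            reply = exchange(build_data(n, payload),
                             drop_request=(attempt == 0 and n in lose_data),
                             drop_reply=(attempt == 0 and n in lose_ack))
            if reply is not None and parse(reply) == (ACK, n):
                break                      # lock-step: only now may block n+1 go out
            retransmits += 1               # timeout: resend the same block
        else:
            raise TimeoutError("block %d: no ACK after %d retries" % (n, max_retries))
    return transcript, retransmits


def count_packets(transcript, who, opcode):
    return sum(1 for side, pkt in transcript
               if side == who and pkt[:2] == struct.pack("!H", opcode))


def run_demo():
    """920 constructed bytes (blocks of 512 and 408); ACK 1 and the first DATA 2 are lost."""
    server = TftpServer()
    content = b"hostname Router-Dallas\n" * 40
    transcript, retransmits = tftp_put(server, "router-dallas-confg", content,
                                       lose_data={2}, lose_ack={1})
    return server, transcript, retransmits


if __name__ == "__main__":
    server, transcript, retransmits = run_demo()
    for side, pkt in transcript:
        print("%-7s %s" % (side, parse(pkt) if isinstance(pkt, bytes) else pkt))
    print("retransmits:", retransmits, "stored:", len(server.files["router-dallas-confg"]))
```

Two details matter for a backup server. The duplicate block caused by a lost ACK must be acknowledged without being appended again, or the stored configuration is silently corrupted; and since nothing in the WRQ identifies the client, the only access control a TFTP server can apply is the source IP address, which is exactly what the host firewall and the tftp-server access list in the preceding sections provide.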
Configuring Windows-Based FTP Servers

Windows 2000/2003/XP offer a built-in FTP server within the Internet Information Services (IIS) framework. A Windows-based FTP server offers the following advantages:
The installation consists of installing the IIS server followed by configuring the FTP services under the IIS server. The steps discussed in this section are based on MS-Windows XP. However, the steps are similar to those for MS-Windows 2000 or 2003.

Installing the IIS Server

The steps for installing the IIS server are as follows:
Configuring FTP Services on the IIS Server

The steps for configuring FTP services on the IIS server are as follows:
The server is now configured to accept incoming FTP read and write requests. In the preceding example, c:\inetpub\ftproot is the location of files that can be published through the FTP server. The username and password are those of a local Windows account created on this computer through the Users and Passwords option in the Control Panel. Because FTP sends that password in clear text, use a dedicated account with no rights beyond the ftproot directory rather than an administrative account.

Configuring Linux-Based FTP Servers

A command-line based FTP server can be installed in Linux. This places less demand on the hardware because CLI-based applications eliminate the overhead of running a GUI. Although many FTP servers are available, the following are some popular FTP servers for Linux:
The server vsFTP (vsftpd, the Very Secure FTP Daemon) is one of the most popular choices because of performance and security. ProFTP (ProFTPD) is feature rich but has been reported to have more security vulnerabilities than vsFTP. Finally, WUFTP (WU-FTPD), although older than the other two, is not as secure as vsFTP. This section covers setting up vsFTP on a Linux-based FTP server. The steps involved in deploying a vsFTP server are as follows:
Following are the details of each step:
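The settings that make a vsftpd server safe to use as a configuration repository are few, and a distribution's default vsftpd.conf usually has the wrong ones. The following is an added example, not part of the original chapter: a Python audit of a vsftpd.conf against the handful of directives a backup server for the ftp-user account needs, with a harden step that rewrites the file. The directive names and their built-in defaults are those documented in vsftpd.conf(5); the sample configuration is constructed.

```python
"""Audit and harden a vsftpd.conf for a router-config backup server.

Added example, not from the chapter. The sample configuration at the bottom
is constructed; directive names and defaults follow vsftpd.conf(5).
"""

# Directive -> (value the backup server needs, vsftpd's built-in default when unset)
POLICY = {
    "anonymous_enable": ("NO", "YES"),    # vsftpd allows anonymous logins unless told not to
    "local_enable": ("YES", "NO"),        # ftp-user is a real Linux account
    "write_enable": ("YES", "NO"),        # routers must be able to upload (STOR)
    "chroot_local_user": ("YES", "NO"),   # confine ftp-user to /home/ftp-user
    "xferlog_enable": ("YES", "NO"),      # log every upload and download
}


def parse_conf(text):
    """vsftpd syntax: one key=value per line, no spaces around '=', '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit(text):
    """Return [(directive, effective value, required value)] for every deviation.

    A directive that is absent is judged by vsftpd's default, which is how the
    daemon itself will behave, not by what the file happens to say.
    """
    settings = parse_conf(text)
    findings = []
    for key, (required, default) in POLICY.items():
        effective = settings.get(key, default)
        if effective.upper() != required:
            findings.append((key, effective, required))
    return findings


def harden(text):
    """Rewrite the file so every POLICY directive is set explicitly and correctly."""
    seen = set()
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        key, sep, _ = stripped.partition("=")
        key = key.strip()
        if sep and not stripped.startswith("#") and key in POLICY:
            out.append("%s=%s" % (key, POLICY[key][0]))   # vsftpd rejects spaces here
            seen.add(key)
        else:
            out.append(raw)                                 # comments and other keys untouched
    for key, (required, _) in POLICY.items():
        if key not in seen:
            out.append("%s=%s" % (key, required))
    return "\n".join(out) + "\n"


# Constructed sample: the shape of a distribution default that was never tightened.
WEAK_CONF = """\
# vsftpd.conf (constructed sample)
listen=YES
anonymous_enable=YES
local_enable=YES
#write_enable=YES
xferlog_enable=YES
"""


if __name__ == "__main__":
    for key, have, want in audit(WEAK_CONF):
        print("%-20s is %-4s should be %s" % (key, have, want))
    print(harden(WEAK_CONF))
```

On this sample the audit reports anonymous_enable (YES, should be NO), write_enable (unset, so NO, while uploads need YES) and chroot_local_user (unset, so NO). Note that vsftpd 3.x refuses to chroot a user whose home directory is writable; for the ftp-user layout in this section that means either setting allow_writeable_chroot=YES or making /home/ftp-user itself read-only and pointing the routers at a writable subdirectory.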
The files shared through the FTP server are located in the user's home directory. In the preceding example, the files uploaded by the user ftp-user can be found in the /home/ftp-user directory.

Configuring Cisco Devices to Use FTP

Cisco IOS Software also supports FTP for system file maintenance. Table 1-10 describes the IOS commands that perform various file maintenance operations.
Figure 1-29 illustrates a LAN with Router-Dallas and an FTP server.

Figure 1-29. LAN with FTP Server
Example 1-15 shows the commands that copy the running configuration of the router (Router-Dallas with IP address 192.168.0.10) to the FTP server (IP address 192.168.0.103). The username is ftp-user and the password is cisco123. Putting the credentials in the URL leaves them visible on the terminal and in the command history; the global configuration commands ip ftp username and ip ftp password supply them instead, so the URL can be written without them.

Example 1-15. Saving Router Configuration to FTP Server

Router-Dallas#copy running ftp://ftp-user:cisco123@192.168.0.103/router-dallas-confg
Address or name of remote host [192.168.0.103]?
Destination filename [router-dallas-confg]?
Writing router-dallas-confg
!
569 bytes copied in 3.188 secs (189 bytes/sec)
Router-Dallas#

Example 1-16 shows the output of the home directory on the Linux-based FTP server. The configuration file router-dallas-confg was created by ftp-user on August 31 at 20:39.

Example 1-16. Contents of FTP Server

[ftp-user@localhost ftp-user]$ ls -l
total 4
-rw-r--r--    1 ftp-user ftp-user      569 Aug 31 20:39 router-dallas-confg

The output of the ftproot directory on a Windows-based FTP server shows the same information, as depicted in Example 1-17.

Example 1-17. Contents of Windows FTP Server

C:\Inetpub\ftproot>dir
 Volume in drive C has no label.
 Volume Serial Number is 2C6A-5594

 Directory of C:\Inetpub\ftproot

08/31/2003  08:52p      <DIR>          .
08/31/2003  08:52p      <DIR>          ..
08/31/2003  08:51p                 569 router-dallas-confg
               1 File(s)            569 bytes
               2 Dir(s)   8,495,082,496 bytes free

Although better than TFTP, FTP suffers from a major security weakness: FTP transmits passwords in clear text. To overcome this limitation, Cisco IOS Release 12.2 T and higher support Secure Copy Protocol (SCP), which runs over SSH and therefore encrypts both the credentials and the file contents. The global configuration command to enable SCP is ip scp server enable; SSH must already be working on the router, and the SCP server requires AAA authentication and authorization (aaa new-model with login and exec authorization) because it checks the privilege level of the user performing the copy. While Linux provides built-in support for SCP, you can use WinSCP3 (available for download at http://winscp.sourceforge.net) as an SCP client on MS-Windows machines. The following Cisco.com URL provides more information on the IOS implementation of SCP: