Using the Router as a TFTP Server

Problem

You want to configure your router to act as a TFTP server.

Solution

The tftp-server command configures the router to act as a TFTP server:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#tftp-server flash:c2600-ik9o3s-mz.122-12a.bin
Router1(config)#end
Router1#


Discussion

The ability to use a router as a TFTP server can be quite useful. We have often used this feature to upgrade several routers that are separated from the TFTP server by slow WAN connections. In situations like this, you can upgrade one of the remote routers by using TFTP over the slow WAN connection as we described in Recipe 1.6. Then you can configure the first router to act as a TFTP server, and use it to upgrade the remaining routers over high-speed local links.

The router is not a fully functional TFTP server. It can only serve files for download; you cannot use this feature to upload files into the serving router's local flash. However, the router is not limited to serving IOS images. You can use the router's flash to store configuration files and make them available for download via TFTP as well. You can even use it to hold configuration files for non-Cisco equipment.

Security is a concern whenever you enable services on a router. Every extra service you enable provides the wily hacker with a new potential avenue to exploit against your network. Therefore, we certainly don't recommend using the TFTP server feature on routers facing the public Internet or other unfriendly networks. However, for internal use, we believe it is reasonably safe. You can increase the security of the router's TFTP server by using an access-list like this:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router1(config)#access-list 99 deny any 
Router1(config)#tftp-server flash:c2600-ik9o3s-mz.122-12a.bin 99
Router1(config)#end
Router1#

In this example, we defined an access-list 99 that will allow all devices on the 172.25.1.0 network to access the router's TFTP server. Then we applied the access-list to the TFTP service by specifying the access-list number at the end of the tftp-server command line. This will help to ensure that only the authorized devices permitted by the access-list may download the specified file via TFTP.

You can configure the router to serve multiple files via TFTP by simply adding more tftp-server commands. And, if security is a concern, you can configure each file to use its own access-list.
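As an added example (not from the book), here is a small Python audit script that reads a saved copy of the running configuration and reports every tftp-server line that has no access-list, references an access-list that is not defined, or references one that permits any source. The configuration excerpt it parses is constructed for the demonstration; only ACL 99 is the one the recipe builds.

```python
import re

# Constructed sample running-config excerpt (not from the book): ACL 99 is the
# recipe's restrictive list; ACL 10 and the last tftp-server line are weak.
SAMPLE_CONFIG = """\
access-list 99 permit 172.25.1.0 0.0.0.255
access-list 99 deny any
access-list 10 permit any
tftp-server flash:c2600-ik9o3s-mz.122-12a.bin 99
tftp-server flash:router-config.txt 10
tftp-server flash:backup.cfg
"""

# tftp-server <file> [<acl-number>]  (the alias keyword form is not parsed here)
TFTP_RE = re.compile(r"^\s*tftp-server\s+(\S+)(?:\s+(\d+))?\s*$")
# Numbered standard ACL entry: access-list <n> permit|deny <source>
ACL_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+(.+?)\s*$")

def parse_acls(config):
    """Collect numbered ACL entries in config order as {number: [(action, source)]}."""
    acls = {}
    for m in filter(None, map(ACL_RE.match, config.splitlines())):
        acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return acls

def acl_permits_any(entries):
    """First-match evaluation of an 'any' source; implicit deny if nothing matches."""
    for action, source in entries:
        if source in ("any", "0.0.0.0 255.255.255.255"):
            return action == "permit"
    return False

def audit_tftp_server(config):
    """Return (file, acl, finding) for every tftp-server line in the config."""
    acls = parse_acls(config)
    findings = []
    for m in filter(None, map(TFTP_RE.match, config.splitlines())):
        path, acl = m.group(1), m.group(2)
        if acl is None:
            finding = "no access-list: any host may download"
        elif acl not in acls:
            finding = "access-list is not defined in the config"
        elif acl_permits_any(acls[acl]):
            finding = "access-list permits any source"
        else:
            finding = "ok"
        findings.append((path, acl, finding))
    return findings
```

Feed it the text of `show running-config` captured from the router to review all served files in one pass.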

Although this feature can be useful, we recommend enabling it only when you need to do a download, and then disabling the service as soon as the download has completed. This will help to mitigate the security concerns of running extra services from your router.

See Also

Recipe 1.6




Cisco IOS Cookbook (O'Reilly Cookbooks)
ISBN: 0596527225
Year: 2004
Pages: 505
