Cisco IOS configuration management using SCP and pscp

SCP is a powerful feature introduced in IOS 12.2(2)T that lets us securely transfer files to and from our routers. With it we can move files, IOS images and configurations over an encrypted channel, and every access is authenticated against the router's AAA configuration.

It's easy to deploy, easy to use, and Cisco recommends it in the Guide to Harden Cisco IOS Devices too: why not use it?! 🙂

It relies on SSH and AAA, so both features have to be enabled on the device:

Router(config)#hostname R1
R1(config)#crypto key generate rsa general-keys modulus 512
The name for the keys will be: R1.mydomain

% The key modulus size is 512 bits
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#aaa authorization exec default local

In order to use SCP to manage the configuration we need a user account with enough privileges (privilege level 15) to access it:

R1(config)#
R1(config)#username admin privilege 15 secret 0 topsecret

Finally, we can turn the SCP server on:

R1(config)#ip scp server enable

On the client side we can use a utility such as pscp, from the PuTTY suite, to interact with our SCP server – the router!

C:\>pscp.exe
PuTTY Secure Copy client
Release 0.59
Usage: pscp [options] [user@]host:source target
       pscp [options] source [/source] [user@]host:target
       pscp [options] -ls [user@]host:filespec
[cut]

For example, we can download the startup-config and save it in a local directory:

C:\>pscp.exe admin@192.168.0.42:nvram:startup-config C:\MyConfigs\R1.cfg
admin@192.168.0.42's password:
R1.cfg                    | 0 kB |   0.6 kB/s | ETA: 00:00:00 | 100%

C:\>
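As an added example (not code from the original post or from Cisco/PuTTY), the script below wraps the pscp workflow shown above into a small backup-and-audit helper: it builds the pscp command line for pulling nvram:startup-config off a router, checks that the retrieved configuration still contains the AAA, privilege-15 user and "ip scp server enable" lines configured earlier in the post, and reports drift against the previous backup. The hostnames, paths and the two sample configurations are constructed for illustration; the only network-touching function is backup_startup_config(), everything else runs offline. One caveat a practitioner would add to the router-side steps: the 512-bit RSA modulus in the post reflects the era it was written in, and a 2048-bit key is the usual choice today.

```python
"""Backup and audit helper around the pscp/IOS SCP workflow (added example)."""
import difflib
import re
import subprocess
from pathlib import Path

# Lines the post configures on the router. A backup missing any of them
# means SCP access, or the AAA model behind it, was changed or removed.
REQUIRED_LINES = (
    "aaa new-model",
    "aaa authentication login default local",
    "aaa authorization exec default local",
    "ip scp server enable",
)

# 'username <name> privilege 15 secret ...' as it appears in a saved config
# (IOS stores the hashed secret, e.g. 'secret 5 $1$...').
PRIV_USER_RE = re.compile(r"^username \S+ privilege 15 secret ", re.MULTILINE)


def build_pscp_cmd(host, user, dest, source="nvram:startup-config", pscp="pscp.exe"):
    """Return the pscp argument list for copying `source` off `host` to `dest`.

    -scp forces the SCP protocol: IOS offers no SFTP server, so there is
    nothing for pscp's SFTP probe to talk to.
    """
    return [pscp, "-scp", f"{user}@{host}:{source}", str(dest)]


def backup_startup_config(host, user, backup_dir):
    """Pull startup-config into <backup_dir>/<host>.cfg and return its text.

    This runs pscp and therefore needs network access to the router; the
    offline demo below does not call it.
    """
    dest = Path(backup_dir) / f"{host}.cfg"
    subprocess.run(build_pscp_cmd(host, user, dest), check=True)
    return dest.read_text()


def audit_config(config_text):
    """Return the REQUIRED_LINES that are missing from a saved configuration."""
    present = {line.strip() for line in config_text.splitlines()}
    return [line for line in REQUIRED_LINES if line not in present]


def has_privileged_user(config_text):
    """True if at least one privilege-15 local user with a secret exists."""
    return PRIV_USER_RE.search(config_text) is not None


def config_drift(old_text, new_text):
    """Unified diff between two backups, ignoring IOS comment lines ('!')."""
    def body(text):
        return [l for l in text.splitlines() if not l.startswith("!")]
    return list(difflib.unified_diff(body(old_text), body(new_text),
                                     "previous", "current", lineterm=""))


# Constructed sample backups: the second one has lost two hardening lines.
SAMPLE_PREVIOUS = """\
! Last configuration change at 10:00:00 UTC (constructed sample)
hostname R1
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username admin privilege 15 secret 5 $1$constructed$hash
ip scp server enable
"""

SAMPLE_CURRENT = """\
! Last configuration change at 11:30:00 UTC (constructed sample)
hostname R1
aaa new-model
aaa authentication login default local
username admin privilege 15 secret 5 $1$constructed$hash
"""


if __name__ == "__main__":
    # Offline demo: the command we would run, then the audit on sample data.
    print(" ".join(build_pscp_cmd("192.168.0.42", "admin", r"C:\MyConfigs\R1.cfg")))
    print("missing:", audit_config(SAMPLE_CURRENT))
    print("privileged user present:", has_privileged_user(SAMPLE_CURRENT))
    print("\n".join(config_drift(SAMPLE_PREVIOUS, SAMPLE_CURRENT)))
```

Run the script as-is for the offline demo; to back up a real device call backup_startup_config("192.168.0.42", "admin", r"C:\MyConfigs") and feed the returned text to audit_config() and config_drift() against the last saved copy.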

Using an integrated AAA system, such as RADIUS-based AAA with IAS and Active Directory as the backend, we can also omit the local username and use our own domain password!

Dear TFTP & Co., it’s time for retirement!

References

Cisco.com: Cisco Guide to Harden Cisco IOS Devices

Cisco.com: Cisco Secure Copy (SCP) Feature Guide – 12.2T

PuTTY: A Free Telnet/SSH Client

Italian, born in 1980, I started working in the IT area in the late '90s; I'm now a system and network administrator with a deep knowledge of the global Internet and its core architectures.

7 Comments

  1. shivlu jain says:

    nice explanation 🙂

  6. Jack says:

    I followed all the instructions and can upload files (using the -scp option) but I can’t seem to get it to download files. I enter the password and get “unable to initialise SFTP: could not connect”

    • Jack says:

      Disregard, I had a typo when I had attempted the -scp option for downloading that I overlooked. Once I fixed that it was fine.
