SCP is a powerful tool introduced in IOS 12.2(2)T which allows us to securely transfer files to and from our routers. With this feature we can transfer files, images and configurations in an encrypted way, and we can also authenticate access to the routers.
It's easy to deploy, easy to use and Cisco recommends using it in the Guide to Harden Cisco IOS Devices too: why not use it?! 🙂
It relies on SSH and AAA, so both features have to be enabled on the device:
    Router(config)#hostname R1
    R1(config)#crypto key generate rsa general-keys modulus 512
    The name for the keys will be: R1.mydomain
    % The key modulus size is 512 bits
    % Generating 512 bit RSA keys, keys will be non-exportable...[OK]
    R1(config)#
    R1(config)#aaa new-model
    R1(config)#aaa authentication login default local
    R1(config)#aaa authorization exec default local
In order to use scp to manage the configuration we must have a user account with enough privileges to access it:
    R1(config)#
    R1(config)#username admin privilege 15 secret 0 topsecret
Finally, we can turn the scp server on:
    R1(config)#ip scp server enable
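Once a configuration has been pulled off the router, it is worth checking it against the prerequisites listed above. The following Python script is an added example (not code from the original post or from Cisco): it parses a constructed startup-config sample and reports missing AAA/SCP lines, which accounts hold privilege 15, and any account still stored with a reversible `password 7` instead of a `secret`. The sample configuration, the `password`-versus-`secret` check and the function names are assumptions of this example.

```python
"""Audit a Cisco IOS configuration (e.g. one downloaded via SCP) for the
SCP server prerequisites: AAA, login authentication, exec authorization,
a privilege-15 user and 'ip scp server enable'. Added example only."""
import re

# Constructed sample of what a startup-config pulled with scp might contain.
# 'secret 5' is a hashed secret; 'password 7' is the reversible type-7 form.
SAMPLE_CONFIG = """\
!
hostname R1
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
username admin privilege 15 secret 5 $1$abcd$PLACEHOLDERHASH
username backup privilege 15 password 7 0822455D0A16
!
ip scp server enable
!
end
"""

# Lines the post says must be present for SCP to work.
REQUIRED_LINES = (
    "aaa new-model",
    "aaa authentication login default local",
    "aaa authorization exec default local",
    "ip scp server enable",
)

# username <name> [privilege <n>] (secret|password) <type> <value>
USERNAME_RE = re.compile(
    r"^username (\S+)(?: privilege (\d+))? (secret|password) (\d+) (\S+)$"
)


def parse_config(text):
    """Return the non-empty, non-comment ('!') lines of an IOS config."""
    return [ln.rstrip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def audit_scp_readiness(text):
    """Check an IOS config for the SCP prerequisites and weak credentials.

    Returns a dict with 'ok', a list of 'findings' and the 'priv15_users'.
    """
    lines = parse_config(text)
    present = set(lines)
    findings = []

    for required in REQUIRED_LINES:
        if required not in present:
            findings.append(f"missing: {required}")

    priv15_users = []
    for line in lines:
        match = USERNAME_RE.match(line)
        if not match:
            continue
        user, priv, kind, enc_type, _value = match.groups()
        if priv == "15":
            priv15_users.append(user)
        if kind == "password":
            # Type-7 'password' is reversible; 'secret' stores a hash instead.
            findings.append(
                f"user {user}: stored with 'password {enc_type}' "
                f"(reversible) instead of 'secret'"
            )

    if not priv15_users:
        findings.append("no privilege 15 user: scp cannot read or write the configuration")

    return {"ok": not findings, "findings": findings, "priv15_users": priv15_users}


if __name__ == "__main__":
    result = audit_scp_readiness(SAMPLE_CONFIG)
    print("OK" if result["ok"] else "Findings:")
    for finding in result["findings"]:
        print(" -", finding)
```

Run the script against any saved startup-config to see which of the steps above are still missing; the sample deliberately includes a type-7 `password` account so that one finding is reported.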
On the client side we can use a utility such as pscp, from the PuTTY suite, to interact with our SCP server – the router!
    C:\>pscp.exe
    PuTTY Secure Copy client
    Release 0.59
    Usage: pscp [options] [user@]host:source target
           pscp [options] source [/source] [user@]host:target
           pscp [options] -ls [user@]host:filespec
    [cut]
For example, we can download the startup-config and put it in a directory:
    C:\>pscp.exe firstname.lastname@example.org:nvram:startup-config C:\MyConfigs\R1.cfg
    email@example.com's password:
    R1.cfg | 0 kB | 0.6 kB/s | ETA: 00:00:00 | 100%
    C:\>
Using an integrated AAA system, such as a RADIUS-based AAA with IAS and Active Directory as backend, we can also omit the username part and use our own domain password!
Dear TFTP & Co., it’s time for retirement!
Cisco.com: Cisco Guide to Harden Cisco IOS Devices