As mentioned in Chapter 3, if you need to move configuration files between a router and a host, it is preferable that they are encrypted. One solution mentioned in Chapter 3 was secure copy (SCP). SCP relies on SSH. Therefore, before you can set up and use SCP, you must configure SSH. SCP is also relatively new to the Cisco IOS; you need Cisco IOS 12.2(2)T to use it.
It seems that SCP is out of place in this chapter and really should be covered in Chapter 3. However, SCP requires the configuration of AAA to use it, so I have decided to cover it here instead of Chapter 3.
The configuration of SSH was discussed in Chapter 3. You need to configure at least three things:
A hostname: hostname.
A domain name: ip domain-name.
RSA encryption keys: crypto key generate rsa. (Your router must have the crypto-enabled feature set of the Cisco IOS to execute this command.)
SCP also requires the use of AAA authorization. Therefore, you need to use some of the commands discussed in this chapter to implement SCP.
Note that not all routers support SCP. Here is a list of currently supported routers: 1700, 2600, 3600, 7200, 7500, and 12000 series models.
After you have set up SSH, you need to configure AAA for SCP:
The last step is to set up the router as an SCP server:
Router(config)# ip scp server enable
After you have set up SCP, you can test it by copying files to and from the router. From the router, use the following syntax:
Router# copy source_file scp://user_name@IP_address_of_server/ Address or name of remote host [x.x.x.x]? Destination username [username]? Destination filename [file_name] Writing file_name Password: Router#
As you can see, you need to use the scp keyword in the destination filename.
If you are having problems, use the following debug commands:
debug ip ssh
debug ip ssh client
debug ip scp
Example 5-11 shows an example of the debug ip scp command and a successful copy.
Router# debug ip scp 2d01h:SCP:[22 -> 10.0.0.100:1019] send <OK> 2d01h:SCP:[22 <- 10.0.0.100:1019] recv C0648 21 router.cfg 2d01h:SCP:[22 -> 10.0.0.100:1019] send <OK> 2d01h:SCP:[22 <- 10.0.0.100:1019] recv 21 bytes 2d01h:SCP:[22 <- 10.0.0.100:1019] recv <OK> 2d01h:SCP:[22 -> 10.0.0.100:1019] send <OK> 2d01h:SCP:[22 <- 10.0.0.100:1019] recv <EOF>
Example 5-12 shows a simple example of setting up SCP to use local authentication.
Router(config)# hostname bullmastiff bullmastiff(config)# ip domain-name quizware.com bullmastiff(config)# crypto key generate rsa The name for the keys will be: bullmastiff.quizware.com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus : 2048 % Generating 1024 bit RSA keys ...[OK] 00:02:25: %SSH-5-ENABLED: SSH 1.5 has been enabled bullmastiff(config)# access-list 1 permit 10.0.0.50 bullmastiff(config)# line vty 0 4 bullmastiff(config-line)# login local bullmastiff(config-line)# transport input ssh bullmastiff(config-line)# transport output ssh bullmastiff(config-line)# access-class 1 in bullmastiff(config-line)# end bullmastiff(config)# aaa new-model bullmastiff(config)# aaa authentication login default local bullmastiff(config)# aaa authorization exec default local bullmastiff(config)# username admin1 privilege 15 secret cisco bullmastiff(config)# ip scp server enable
In this example, the first part sets up SSH and restricts Telnet/SSH access to only one device: 10.0.0.50. Following this is the AAA configuration to allow SCP operations. In this example, local authentication/authorization is used, and one account has been created on the router: admin1.