Secure Copy

As mentioned in Chapter 3, if you need to move configuration files between a router and a host, it is preferable that they are encrypted. One solution mentioned in Chapter 3 was secure copy (SCP). SCP relies on SSH. Therefore, before you can set up and use SCP, you must configure SSH. SCP is also relatively new to the Cisco IOS; you need Cisco IOS 12.2(2)T to use it.

It seems that SCP is out of place in this chapter and really should be covered in Chapter 3. However, SCP requires the configuration of AAA to use it, so I have decided to cover it here instead of Chapter 3.

Preparation for SCP

The configuration of SSH was discussed in Chapter 3. You need to configure at least three things:

  • A hostname: hostname.

  • A domain name: ip domain-name.

  • RSA encryption keys: crypto key generate rsa. (Your router must have the crypto-enabled feature set of the Cisco IOS to execute this command.)

SCP also requires the use of AAA authorization. Therefore, you need to use some of the commands discussed in this chapter to implement SCP.


Note that not all routers support SCP. Here is a list of currently supported routers: 1700, 2600, 3600, 7200, 7500, and 12000 series models.

SCP Configuration

After you have set up SSH, you need to configure AAA for SCP:

Step 1. Enable AAA: aaa new-model.

Step 2. Specify security servers, if used: tacacs-server and radius-server.

Step 3. Specify local accounts, if used: username.

Step 4. Configure login authentication: aaa authentication login.

Step 5. Configure authorization for EXEC access: aaa authorization exec.

The last step is to set up the router as an SCP server:

Router(config)# ip scp server enable

SCP Troubleshooting

After you have set up SCP, you can test it by copying files to and from the router. From the router, use the following syntax:

Router# copy source_file scp://user_name@IP_address_of_server/

Address or name of remote host [x.x.x.x]?

Destination username [username]?

Destination filename [file_name]

Writing file_name



As you can see, you need to use the scp keyword in the destination filename.

If you are having problems, use the following debug commands:

  • debug ip ssh

  • debug ip ssh client

  • debug ip scp

Example 5-11 shows an example of the debug ip scp command and a successful copy.

Example 5-11. Troubleshooting SCP Connections

Router# debug ip scp

2d01h:SCP:[22 ->] send <OK>

2d01h:SCP:[22 <-] recv C0648 21 router.cfg

2d01h:SCP:[22 ->] send <OK>

2d01h:SCP:[22 <-] recv 21 bytes

2d01h:SCP:[22 <-] recv <OK>

2d01h:SCP:[22 ->] send <OK>

2d01h:SCP:[22 <-] recv <EOF>

SCP Example

Example 5-12 shows a simple example of setting up SCP to use local authentication.

Example 5-12. Setting up SCP

Router(config)# hostname bullmastiff

bullmastiff(config)# ip domain-name

bullmastiff(config)# crypto key generate rsa

The name for the keys will be:

Choose the size of the key modulus in the range of 360 to 2048 for your

  General Purpose Keys. Choosing a key modulus greater than 512 may take

  a few minutes.

How many bits in the modulus [512]: 2048

% Generating 1024 bit RSA keys ...[OK]

00:02:25: %SSH-5-ENABLED: SSH 1.5 has been enabled

bullmastiff(config)# access-list 1 permit

bullmastiff(config)# line vty 0 4

bullmastiff(config-line)# login local

bullmastiff(config-line)# transport input ssh

bullmastiff(config-line)# transport output ssh

bullmastiff(config-line)# access-class 1 in

bullmastiff(config-line)# end

bullmastiff(config)# aaa new-model

bullmastiff(config)# aaa authentication login default local

bullmastiff(config)# aaa authorization exec default local

bullmastiff(config)# username admin1 privilege 15 secret cisco

bullmastiff(config)# ip scp server enable

In this example, the first part sets up SSH and restricts Telnet/SSH access to only one device: Following this is the AAA configuration to allow SCP operations. In this example, local authentication/authorization is used, and one account has been created on the router: admin1.