Cisco IOS configuration management using SCP
SCP is a powerful feature introduced in IOS 12.2(2)T which allows administrators to securely transfer files to and from routers. Besides transferring files over encrypted connections, we can also authenticate access to the router.
It's easy to deploy, easy to use, and Cisco recommends it in the Guide to Harden Cisco IOS Devices, so why not use it?
It relies on SSH and AAA, so both features have to be enabled on the device:
Router(config)#hostname MRXROUTER
MRXROUTER(config)#crypto key generate rsa general-keys modulus 512
% The key modulus size is 512 bits
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
MRXROUTER(config)#
MRXROUTER(config)#aaa new-model
MRXROUTER(config)#aaa authentication login default local
MRXROUTER(config)#aaa authorization exec default local
To use SCP to manage the configuration, we must have a user account with enough privileges to access it:
MRXROUTER(config)#
MRXROUTER(config)#username admin privilege 15 secret 0 topsecret
Finally, we can turn the SCP server on:
MRXROUTER(config)#ip scp server enable
On the client side we can use a utility such as pscp from the PuTTY suite (Windows) or the native scp client on Linux to interact with our SCP server: the router!
C:\>pscp.exe
PuTTY Secure Copy client
Release 0.59
Usage: pscp [options] [user@]host:source target
pscp [options] source [/source] [user@]host:target
pscp [options] -ls [user@]host:filespec
For example, we can download the startup-config and save it to a directory (a backup?):
C:\>pscp.exe admin@192.168.0.42:nvram:startup-config C:\MyConfigs\MRXROUTER.cfg
admin@192.168.0.42's password:
MRXROUTER.cfg | 0 kB | 0.6 kB/s | ETA: 00:00:00 | 100%
C:\>
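As an added example (not part of the original post), this Python script audits a saved configuration, such as the MRXROUTER.cfg backup above, for the settings this post enables for SCP. The function name and both sample configs are constructed for illustration, and the `password` versus `secret` check goes one step beyond what the post configures.

```python
import re

# Global-config lines this post enables for SCP, as they appear in a saved config.
REQUIRED = {
    "aaa new-model": r"^aaa new-model\s*$",
    "aaa authentication login": r"^aaa authentication login \S+ \S",
    "aaa authorization exec": r"^aaa authorization exec \S+ \S",
    "ip scp server enable": r"^ip scp server enable\s*$",
}
USER_LINE = re.compile(r"^username (\S+) (.*)$", re.M)

def audit_scp_config(config_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"missing: {name}" for name, pattern in REQUIRED.items()
                if not re.search(pattern, config_text, re.M)]
    users = USER_LINE.findall(config_text)
    if not any(re.search(r"\bprivilege 15\b", rest) for _, rest in users):
        findings.append("missing: local user with privilege 15")
    for user, rest in users:
        # The first password/secret token is the keyword; anything after it is the value.
        # 'password' is stored in clear text or reversible type 7; 'secret' is hashed.
        keyword = re.search(r"\b(password|secret)\b", rest)
        if keyword and keyword.group(1) == "password":
            findings.append(f"weak: user {user} uses 'password', not 'secret'")
    return findings

# Constructed sample configs (not taken from a real device).
GOOD_CONFIG = """\
hostname MRXROUTER
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username admin privilege 15 secret 5 $1$EXAMPLE$constructedhashvalue
ip scp server enable
"""
BAD_CONFIG = """\
hostname MRXROUTER
aaa new-model
aaa authentication login default local
username admin privilege 15 password 0 topsecret
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_scp_config(text) or "all SCP prerequisites present")
```

Running it against each downloaded backup shows at a glance which routers are missing a prerequisite before an SCP transfer fails.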
It's time to let TFTP rest in peace.
References
Cisco.com: Cisco Guide to Harden Cisco IOS Devices
Cisco.com: Cisco Secure Copy (SCP) Feature Guide – 12.2T
PuTTY: A Free Telnet/SSH Client
My name is André and I'm 27 years old. I've been working in various areas of IT in the last years and this blog is about the most interesting things I find in my day-to-day work.