Answers: SCP 1

SSH config? Detailed enough to forget a few steps. But once you have that down, can you remember the two other steps to add SCP support? And have you ever tried using SCP after configuring it? Today’s post gives you the usual chance to practice on your own with the lab exercise, this time with SSH and SCP. Additionally, it walks through some useful practice steps for using SCP once configured.

Answers

Figure 1: Topology for Testing SCP

Example 1 shows the configuration to enable SSH support on router R2, with Example 2 showing the small bit of additional configuration beyond SSH configuration to support SCP on router R2.

Example 1: R2 Config Added for SSH Support

Example 2: R2 Config Added for SCP Support (Global Commands)

Commentary

The focus of this lab is to configure Secure Copy Protocol (SCP), but the majority of the configuration is the baseline SSH configuration. Often many Cisco devices are placed and configured to use common insecure protocols like Telnet; using SSH instead of Telnet improves security and reduces risk. For similar reasons, using older and less secure protocols like TFTP or FTP to move files in and out of network devices creates security risks, so using SCP instead of TFTP and FTP improves security and reduces risk as well. And with SCP, adding the feature doesn’t require a great deal of configuration or time if you have already configured SSH.

The first section of the requirements asked you to configure SSH as normal. Example 1 shows the specific commands that meet each of the six requirements. This lab treats that configuration as review; you can look to other SSH Config Labs and to the ICND1 Cert Guide for more details on how to configure SSH.

For the extra configuration to support SCP, first consider the requirement to create a username but give it the highest security level. Although not typically discussed as an end to itself for CCENT, the IOS CLI has several security levels available to be configured. Privileged mode is considered the highest security level by default, and is numbered as security level 15. By configuring a username command with the privilege 15 parameters, the command tells IOS that when a user connects with Telnet or SSH into that router, to place that user directly into privileged mode. SCP needs an SSH user that have privileged mode access immediately at login, so R2 needed a command like username cs2 privilege 15 secret cs.

The other bit of configuration on R2 simply enables SCP on R2: the ip scp server enable global command.

Using SCP

If you do try this lab in real gear or VIRL, take the time to try one or two SCP client commands to test your configuration. For those of you who cannot test right now, Examples 3 and 4 shows those commands in action. Example 3 shows the EXEC command copy scp://10.10.10.2/running-config flash:/temp executed on router R1, after adding the configuration shown in this lab to router R2. R1’s copy command acts as an SCP client, with the source location being the device at address 10.10.10.2 (router R2), and the file on that host being “running-config”. The destination is R1’s local file flash:/temp, which is just a filename I made up for a file in flash memory on R1.

Example 3: R1 copy Command Acting as SCP Client, Copying R2’s Running-Config File

Example 4 shows the Linux scp command as executed on the one host in the lab topology. This output was gathered from the Linus server as included in the sample VIRL file posted with the lab post. The command shown here does the same action as the previous example: it copies R2’s running-config file into a local temporary file.

Example 4: Linus scp Command Acting as SCP Client, Copying R2’s Running-Config File