Answers: SCP 1

SSH config has enough steps that it is easy to forget one or two. But once you have that down, can you remember the two other steps that add SCP support? And have you ever tried using SCP after configuring it? Today’s post gives you the usual chance to practice on your own with the lab exercise, this time with SSH and SCP. Additionally, it walks through some useful practice steps for using SCP once it is configured.
Answers
Figure 1: Topology for Testing SCP
Example 1 shows the configuration to enable SSH support on router R2, with Example 2 showing the small bit of additional configuration beyond SSH configuration to support SCP on router R2.
Example 1: R2 Config Added for SSH Support
```
ip ssh version 2                 ! Requirement 1
!
ip domain-name certskills.com    ! Requirement 2
hostname R2                      ! Requirement 3
!
crypto key generate rsa mod 768  ! Requirement 4
!
! Next line is for requirement 5 (comment cannot be on that next line)
username cs secret cs
!
line vty 0 4
 transport input ssh             ! Requirement 6
 login local                     ! Requirement 6
```
Example 2: R2 Config Added for SCP Support (Global Commands)
```
username cs2 privilege 15 secret cs
!
ip scp server enable
```
Commentary
The focus of this lab is to configure Secure Copy Protocol (SCP), but the majority of the configuration is the baseline SSH configuration. Many Cisco devices are still deployed and configured to use common insecure protocols like Telnet; using SSH instead of Telnet improves security and reduces risk. For similar reasons, using older and less secure protocols like TFTP or FTP to move files in and out of network devices creates security risks, so using SCP instead of TFTP and FTP improves security and reduces risk as well. And adding SCP doesn’t require a great deal of configuration or time if you have already configured SSH.
The first section of the requirements asked you to configure SSH as normal. Example 1 shows the specific commands that meet each of the six requirements. This lab treats that configuration as review; you can look to other SSH Config Labs and to the ICND1 Cert Guide for more details on how to configure SSH.
For the extra configuration to support SCP, first consider the requirement to create a username and give it the highest security level. Although not typically discussed as an end in itself for CCENT, the IOS CLI has several privilege levels that can be configured. Privileged mode is the highest level by default, numbered as privilege level 15. Configuring a username command with the privilege 15 parameters tells IOS to place that user directly into privileged mode when the user connects to the router with Telnet or SSH. SCP needs an SSH user that has privileged mode access immediately at login, so R2 needed a command like username cs2 privilege 15 secret cs.
The other bit of configuration on R2 simply enables SCP on R2: the ip scp server enable global command.
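As an added check (not part of the original post), the following Python script audits a saved IOS running-config against the SSH requirements of Example 1 and the two SCP additions of Example 2, and flags vty lines that still accept Telnet. The config text is a constructed sample, and the rule set is an assumption based on this lab’s requirements rather than an IOS feature.

```python
import re

# Constructed sample of an R2 running-config after the commands in
# Examples 1 and 2 were added (not captured from a real device).
SAMPLE_CONFIG = """\
hostname R2
!
ip domain-name certskills.com
ip ssh version 2
ip scp server enable
!
username cs secret 5 $1$abcd$constructedhashvalue
username cs2 privilege 15 secret 5 $1$efgh$constructedhashvalue
!
line vty 0 4
 login local
 transport input ssh
"""

def vty_blocks(config):
    """Yield (header, [subcommands]) for each 'line vty' section."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("line vty"):
            body = []
            for sub in lines[i + 1:]:
                if not sub.startswith(" "):
                    break          # indentation ends the line-mode section
                body.append(sub.strip())
            yield line.strip(), body

def audit_scp_config(config):
    """Map each lab requirement to True/False for the given config text."""
    glob = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    def has(pattern):
        return any(re.match(pattern, l) for l in glob)
    vtys = list(vty_blocks(config))
    return {
        "ssh_v2": "ip ssh version 2" in glob,                      # Req 1
        "domain_name": has(r"ip domain-name \S+"),                  # Req 2
        "hostname_set": has(r"hostname (?!Router$)\S+"),            # Req 3
        "local_user": has(r"username \S+ .*secret"),                # Req 5
        "vty_ssh_only": bool(vtys) and all("transport input ssh" in b for _, b in vtys),
        "vty_login_local": bool(vtys) and all("login local" in b for _, b in vtys),
        "priv15_user": has(r"username \S+ privilege 15 .*secret"),  # SCP step 1
        "scp_server": "ip scp server enable" in glob,               # SCP step 2
        # Telnet-era setting the commentary warns about
        "telnet_exposed": any(re.match(r"transport input (telnet|all)", c)
                              for _, b in vtys for c in b),
    }

def scp_ready(config):
    r = audit_scp_config(config)
    return all(v for k, v in r.items() if k != "telnet_exposed") and not r["telnet_exposed"]
```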
Using SCP
If you do try this lab on real gear or VIRL, take the time to try one or two SCP client commands to test your configuration. For those of you who cannot test right now, Examples 3 and 4 show those commands in action. Example 3 shows the EXEC command copy scp://10.10.10.2/running-config flash:/temp executed on router R1, after adding the configuration shown in this lab to router R2. R1’s copy command acts as an SCP client, with the source being the device at address 10.10.10.2 (router R2) and the file on that host being “running-config”. The destination is R1’s local file flash:/temp, which is just a filename I made up for a file in flash memory on R1.
Example 3: R1 copy Command Acting as SCP Client, Copying R2’s Running-Config File
```
R1# copy scp://10.10.10.2/running-config flash:/temp
Source username [R1]? cs2
Destination filename [temp]?
Password:
!
3100 bytes copied in 7.290 secs (425 bytes/sec)
R1# dir flash0:
Directory of flash0:/

    1  drw-           0  Jan 30 2013 00:00:00 +00:00  boot
  264  drw-           0  Oct 14 2013 00:00:00 +00:00  config
  267  -rw-   142648944  Nov 20 2015 00:00:00 +00:00  vios-adventerprisek9-m
  268  -rw-      524288  Apr 19 2016 20:13:26 +00:00  nvram
  269  -rw-          39  Apr 19 2016 20:13:32 +00:00  e1000_bia.txt
  272  -rw-        3100  Apr 19 2016 20:52:06 +00:00  temp

2142715904 bytes total (1994928128 bytes free)
```
Example 4 shows the Linux scp command as executed on the one host in the lab topology. This output was gathered from the Linux server included in the sample VIRL file posted with the lab post. The command shown here does the same action as the previous example: it copies R2’s running-config file into a local temporary file.
Example 4: Linux scp Command Acting as SCP Client, Copying R2’s Running-Config File
```
cisco@server-1:~$ scp cs2@10.10.11.2:running-config local-temp-file
Password:
running-config                                100% 3100     3.0KB/s   00:00
cisco@server-1:~$ ls -l
total 4
-rw-r--r-- 1 cisco cisco 3100 Apr 19 20:55 local-temp-file
cisco@server-1:~$
```
Hi, Wendell.
I’ve seen that

privilege 15 secret

is used rather than

privilege-level 15 secret

which is the form of the username configuration command mentioned in the CCENT/CCNA ICND1 100-105 Official Cert Guide, chapter 35 (page 845). Which one should we use on the CCNA exam (the one with the “level” word or the other one)?
Hi Hector,
“privilege” is the correct keyword. I’ll add the fix to the errata for the book. Thanks!
Wendell