SCP 1

Secure Copy Protocol (SCP) can be used to copy files to/from a router. It can be a little difficult to understand because of its different model compared to the traditional use of the IOS copy EXEC command. With SCP, you first set up the router as an SCP server, and then copy files to/from the router. However, from an exam prep perspective, SCP has a great advantage: most of the configuration comes from SSH. Basically, you configure the router to support SSH, and then add a few more commands to support SCP. This lab asks you to do both.

Requirements

Of all the configuration needed to support SCP, most of it is to support SSH. So this lab is a great review of SSH configuration as well. This lab also breaks down the configuration requirements first to support SSH, and then the additional requirements to then support SCP. First, for SSH:

1. Enable SSH on router R2 using SSH Version 2.
2. To prepare to create the SSH key, define a domain name of example.com.
3. To prepare to create the SSH key, set the hostname to R2.
4. Create the SSH key with the crypto key global configuration command, with a 768-bit key.
5. Create a username ‘cs’ with a password of ‘cs’ and use the strongest possible method to store the password
6. Configure router R2 to allow inbound SSH but not Telnet, and for users to use locally configured usernames and passwords to login.

• Assumptions:
  • All the interfaces shown in the figure are up and working
  • The IP addresses shown in the figure (and in the initial configuration examples in this post) are complete as shown

If you configure the above in a lab, you might want to test SSH before moving on by connecting to router R1’s console and using SSH to connect to R2. Then move on to adding the SCP configuration as follows:

• On R2, create another username of ‘cs2’, with a password of ‘cs’, and the highest privilege level (required for SCP)
• On R2, enable SCP server functionality

Figure 1: Dual Router Topology

Initial Configuration

Examples 1 and 2 show the beginning configuration state of R1 and R2.

Example 1: R1 Config

Example 2: R2 Config

Answer on Paper, or Maybe Test in Lab

Next, write your answer on paper. Or if you have some real gear, or other tools, configure the lab with those tools.

To test your solution if you happen to try it with CML/VIRL or real gear, you can verify that SSH works by attempting to connect from R1 to R2 using the ssh -l cs 10.10.10.2 command. If successful you can move on to test SCP, attempt to transfer a file. For instance, from R1, the command copy scp://10.10.10.2/running-config flash:/temp would make R1 act as an SCP client. The user at R1 would be prompted for a few items, like the username and password to use (cs2/cs). The answer post will show an example of that process.

Do this Lab with Cisco’s CML (Formerly VIRL)

You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for Cisco Modeling Lab – Personal (CML-P). CML-P replaces Cisco Virtual Internet Routing Lab (VIRL) software, in effect serving as VIRL Version 2.

Below, find two files: a file useful with CML-P and another useful with VIRL. (Note that the CML-P file has a .yaml filetype, while the older VIRL file has a VIRL filetype.) Once the file is loaded, CML-P or VIRL will create a lab topology similar to this lab’s topology, with the initial configuration shown in the lab as well.

This lab’s CML file!

This lab’s VIRL file!

All interfaces in topology match the lab figure.

Host device info:

This table lists host information pre-configured in CML/VIRL, information that might not be required by the lab but may be useful to you.

Handy Host Commands:

To see PC IP address: ifconfig eth1

Ping example: ping -c 4 10.1.1.1

Trace example: tracepath 10.1.1.1

To connect to another node within the topology: ssh cs@10.10.10.2

To copy R2’s configuration to the PC: scp cs2@10.10.11.2:running-config local-temp-file