Monday, July 16, 2012

Simple Tutorial on Configuring SSH and SCP on a Cisco Router or Cisco Switch

Many beginners are not entirely clear on what SSH and SCP are. This post explains the two concepts, how they relate, and how to configure SSH and SCP on a Cisco router or switch in detail. We are all aware of the traditional ways of transferring IOS files to and from Cisco Catalyst switches, Cisco routers and Cisco PIX/ASA firewalls using TFTP, FTP and, more recently, HTTPS. There is, however, one more way to copy IOS files: Secure Copy (SCP). SCP is a secure, authenticated method of copying a configuration file or transferring an image file to Cisco Catalyst switches, Cisco routers and Cisco PIX/ASA firewalls. It runs over the SSH protocol on port 22, which acts as an encrypted tunnel. This makes it very useful for transferring files for upgrades or for performing safe backups.

For reference, Cisco Systems introduced the Secure Copy (SCP) feature in the following IOS releases:

Release      Modification
12.2(2)T     This feature was introduced.
12.0(21)S    This feature was integrated into Cisco IOS 12.0(21)S.
12.2(25)S    This feature was integrated into Cisco IOS 12.2(25)S.


Now, let's share the details step by step:
1. In order to configure Secure Copy (SCP) on a Cisco router, make sure SSH is enabled and working.
Let's enable the SSH and AAA features on the Cisco device:
ITKE-AS1(config)#ip domain-name itke.com
ITKE-AS1(config)#crypto key generate rsa general-keys modulus 512
The name for the keys will be: ITKE-AS1.itke.com

% The key modulus size is 512 bits
% Generating 512 bit RSA keys, keys will be non-exportable…[OK]

ITKE-AS1(config)#
ITKE-AS1(config)#aaa new-model
ITKE-AS1(config)#aaa authentication login default local
ITKE-AS1(config)#aaa authorization exec default local

2. In order to use the SCP feature to manage the configuration, we must have at least one user account with enough privilege to access it. Log in to the Cisco router with this user name and password when prompted.
ITKE-AS1(config)#
ITKE-AS1(config)#username itke privilege 15 secret itkeleads



3. Type the following command, replacing "retries" with the number of attempts you want to allow a user after typing a wrong user name or password:
ip ssh authentication-retries retries

4. Now you are ready to enable the SCP server:
ITKE-AS1(config)#ip scp server enable
Type "configure terminal" to enter configuration mode before configuring the settings for the SCP connection.

5. Type "aaa authentication login" and press "Enter." Then type the user name you want to use for SCP access. Lastly, type "ip scp server enable" to enable the SCP protocol.
With these five simple steps, you are done!
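As an added example (not part of the tutorial or of Cisco's documentation), here is a Python check that audits a "show running-config" excerpt for the SSH and SCP settings the five steps configure, run over a constructed copy of the tutorial's configuration beside a constructed hardened counterpart. The RSA key size is taken as a separate argument because it is not stored in the running config (read it from "show crypto key mypubkey rsa"), and the "secret 5" hash in the hardened sample is a placeholder, not a real hash.

```python
import re

# Constructed sample: the tutorial's settings as they would appear in
# "show running-config". The RSA key size is not stored in the config, so
# it is passed separately (read it from "show crypto key mypubkey rsa").
WEAK_CFG = """\
aaa new-model
aaa authentication login default local
username itke privilege 15 password 0 itkeleads
ip scp server enable
line vty 0 4
 transport input all
"""

# Constructed hardened counterpart: same features, stronger settings.
HARDENED_CFG = """\
ip ssh version 2
ip ssh authentication-retries 3
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username itke privilege 15 secret 5 $1$EXAMPLE$placeholder.not.a.real.hash
ip scp server enable
line vty 0 4
 transport input ssh
"""

def audit_ssh_scp(config: str, rsa_modulus_bits: int) -> list[str]:
    """Return hardening findings for the SSH/SCP part of an IOS config."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    if rsa_modulus_bits < 2048:
        findings.append(f"RSA host key is {rsa_modulus_bits} bits; regenerate with modulus 2048")
    if "ip ssh version 2" not in lines:
        findings.append("SSHv1 still negotiable; add 'ip ssh version 2'")
    for ln in lines:
        if m := re.match(r"ip ssh authentication-retries (\d+)$", ln):
            if int(m.group(1)) > 3:
                findings.append(f"authentication-retries {m.group(1)} is generous; default is 3")
        if re.match(r"username \S+ .*\bpassword\b", ln):
            findings.append(f"user '{ln.split()[1]}' has a reversible password; use 'secret'")
    if "ip scp server enable" in lines:
        # The SCP server relies on AAA for both login and exec authorization.
        for prefix in ("aaa new-model", "aaa authentication login", "aaa authorization exec"):
            if not any(ln.startswith(prefix) for ln in lines):
                findings.append(f"SCP server enabled without '{prefix} ...'")
    if "transport input ssh" not in lines:
        findings.append("VTY lines accept non-SSH transports; set 'transport input ssh'")
    return findings
```

Running audit_ssh_scp(WEAK_CFG, 512) reports the 512-bit key, the missing SSHv2 pin, the reversible password, the missing exec authorization and the open VTY transport; the hardened sample with a 2048-bit key returns no findings.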

The material is originally from: http://itknowledgeexchange.techtarget.com/network-technologies/how-to-configure-secure-copy-scp-in-cisco-devices/

1 comment:

  1. Just tried this on my 4948 with IOS 15 and it didn't work... I'll bounce it with 12 and try again.

    It would be helpful if you explained that all SCP operations (upload/download) must be executed from the Cisco device. And that you can NOT scp to a Cisco device. For example, if I downloaded the latest IOS to a Linux box, I cannot scp the IOS FROM the Linux box to the Cisco device by executing the following command, FROM the Linux box:

    [david@hammer ~]$ scp latestIOS admin@ciscoDevice:/bootflash
