File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP). Both exist as TCP/IP protocols defined in RFCs. Both use a client and server model, in which the client connects to a server and then the client can copy files to the server or from the server. Many implementations of both client and server code exist for each, from command-line clients to apps with graphical interfaces, all using the respective FTP or TFTP protocol behind the scenes.
Managing Cisco IOS Images with FTP/TFTP
IOS exists as a file—a single file—that the router then loads into RAM to use as its operating system. To better understand the process, you must understand a few more details about how IOS works. In particular, you need to understand the IO file system (IFS), which defines how IOS stores files (including the IOS file). The IOS image upgrade process occurs by copying new IOS files into the router and then booting the router with that new IOS.
The IOS File System
Every OS creates file systems to store files. A computer needs some type of permanent storage, but it needs more than just a place to store bytes. The OS organizes the storage into a file system, which includes directories, structure, and filenames, with the associated rules. By using a file system, the OS can keep data organized so the user and the applications can find the data later. Every OS defines its own file system conventions. Windows OSs, for instance, use a left-leaning slash (\) in directory paths, like \Desktop\Applications. Linux and macOS use a right-leaning slash (/), for example, /Desktop. Each OS refers to physical disks slightly differently as well, and IOS is no different.
As for the physical storage, Cisco routers typically use flash memory, with no hard disk drive. Flash memory is rewriteable, permanent storage, which is ideal for storing files that need to be retained when the router loses power. Cisco purposefully uses flash memory rather than hard disk drives in its products because there are no moving parts in flash memory, so there is a smaller chance of failure as compared with disk drives. Some routers have flash memory on the motherboard. Others have flash memory slots that allow easy removal and replacement of the flash card, but with the intent that the card remain in the device most of the time. Also, many devices have USB slots that support USB flash drives.
For each physical memory device in the router, IOS creates a simple IOS file system and gives that device a name. Note that entries of type disk and usbflash are the physical storage devices in that router. In this case, the router has one of the two compact flash slots of the 2901 populated with a 256-MB flash card and one of the two USB flash slots populated with an 8-GB USB flash drive. Look at the size column and prefixes column in the output to find these devices, based on their types of disk and usbflash.
The example lists 20 different IOS file systems in this case, but the router does not have 20 different physical storage devices. Instead, IOS uses these file systems for other purposes as well, with these types:
- Opaque: To represent logical internal file systems for the convenience of internal functions and commands
- Network: To represent external file systems found on different types of servers for the convenience of reference in different IOS commands
- Disk: For flash
- Usbflash: For USB flash
- NVRAM: A special type for NVRAM memory, the default location of the startup-config file
Many IOS commands refer to files in an IFS, but only some commands refer directly to the files by their formal names. The formal names use the prefix as seen in the far right column of Example 12-1. For instance, the command more flash0:/wotemp/fred would display the contents of file fred in directory /wotemp in the first flash memory slot in the router. (The more command itself displays the contents of a file.) However, many commands use a keyword that indirectly refers to a formal filename, to reduce typing. For example:
- show running-config command: Refers to the file system:running-config
- show startup-config command: Refers to the file nvram:startup-config
- show flash command: Refers to the default flash IFS (usually flash0:)
Upgrading IOS Images
One of the first steps to upgrade a router’s IOS to a new version is to obtain the new IOS image and put it in the right location. Typically, Cisco routers have their IOS in one of the local physical file systems, most often in permanent flash. The only requirement is that the IOS be in some reachable file system—even if the file sits on an external server and the device loads the OS over the network. However, the best practice is to store each device’s IOS file in flash that will remain with the device permanently.
Let’s find the process to upgrade an IOS image into flash memory, using the following steps:
- Step 1. Obtain the IOS image from Cisco, usually by downloading the IOS image from Cisco.com using HTTP or FTP.
- Step 2. Place the IOS image someplace that the router can reach. Locations include TFTP or FTP servers in the network or a USB flash drive that is then inserted into the router.
- Step 3. Issue the copy command from the router, copying the file into the flash memory that usually remains with the router on a permanent basis. (Routers usually cannot boot from the IOS image in a USB flash drive.)
Copying a New IOS Image to a Local IOS File System Using TFTP
Consider copying the IOS image into flash memory. In this case, router R2, a 2901, copies an IOS image from a TFTP server at IP address 18.104.22.168.
The copy command does a simple task—copy a file—but the command also has several small items to check. It needs a few pieces of information from the user, so the command prompts the user for that information by showing the user some text and waiting for the user’s input. The bold items in the example show the user’s input. The router then has to check to make sure the copy will work. The command works through these kinds of questions:
- What is the IP address or hostname of the TFTP server?
- What is the filename?
- Ask the server to learn the file size.
- Does the server actually have a file by that name?
- Do you want the router to erase any old files in flash?
The router prompts you for answers to some of these questions, as necessary. For each question, you should either type an answer or press Enter if the default answer (shown in square brackets at the end of the question) is acceptable. Afterward, the router erases flash memory if directed, copies the file, and then verifies that the checksum for the file shows that no errors occurred in transmission.
You can view the contents of the flash file system to see the IOS file that was just copied by using a couple of commands. The show flash command shows the files in the default flash file system (flash0:); the more general dir flash0: command lists the contents of that same file system, with similar information. (You can use the dir command to display the contents of any local IFS.)
Verifying IOS Code Integrity with MD5
You download the IOS from Cisco, copy it to your router, and run it. Is it really the code from Cisco? Or did some nefarious attacker somehow get you to download a fake IOS that has a virus? Cisco provides a means to check the integrity of the IOS file to prevent this type of problem. First, when Cisco builds a new IOS image, it calculates and publishes an MD5 hash value for that specific IOS file. That is, Cisco uses as input the IOS file itself, runs the MD5 math algorithm against that file, producing a hex code. Cisco places that code at the download site for all to see. Then, you run that same MD5 math on your router against the IOS file on the router, using the IOS verify command. That command will list the MD5 hash as recalculated on your router. If both MD5 hashes are equal, the file has not changed.
The verify /md5 command generates the MD5 hash on your router. Note that you can include the hash value computed by Cisco as the last parameter or leave it off. If you include it, IOS will tell you whether the locally computed value matches what you copied into the command. If you leave it out, the verify command lists the locally computed MD5 hash, and you have to do the picky character-by-character check of the values yourself.
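The following Python script is an added example, not part of the original text and not Cisco's own verify code: it reproduces what the two forms of the verify /md5 command do, recomputing the digest locally and comparing it to a published value. The sample "image" bytes and the published hash for them are constructed for the demonstration (the hash is the well-known MD5 of the string "abc"); the function names are this example's own. The comparison normalises case and whitespace, which is exactly the step you have to do by eye when you omit the hash argument from the IOS command.

```python
import hashlib
import hmac


def compute_digest(data: bytes, algorithm: str = "md5") -> str:
    """Hash an image held in memory, as 'verify /md5' does for a file in flash."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def compute_file_digest(path: str, algorithm: str = "md5", chunk_size: int = 1 << 20) -> str:
    """Hash a file on disk in chunks so a large image never has to fit in memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(data: bytes, published_hex: str, algorithm: str = "md5") -> bool:
    """Mirror the two-argument form 'verify /md5 <file> <hash>': recompute locally, then compare.

    The published value is normalised (surrounding whitespace, letter case) before comparing,
    and compare_digest is used so the comparison does not stop early on the first mismatch.
    """
    local = compute_digest(data, algorithm)
    expected = published_hex.strip().lower()
    if len(expected) != len(local):
        return False
    return hmac.compare_digest(local, expected)


# Constructed sample "image": a few bytes standing in for an IOS file.
SAMPLE_IMAGE = b"abc"
# Constructed "published" reference for that sample: md5("abc") is a fixed, well-known value.
PUBLISHED_MD5 = "900150983cd24fb0d6963f7d28e17f72"


def demo() -> dict:
    """A clean copy passes; a copy with a single flipped bit fails; case differences do not matter."""
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[0] ^= 0x01
    return {
        "local_md5": compute_digest(SAMPLE_IMAGE),
        "clean_ok": verify_image(SAMPLE_IMAGE, PUBLISHED_MD5),
        "tampered_ok": verify_image(bytes(tampered), PUBLISHED_MD5),
        "uppercase_ok": verify_image(SAMPLE_IMAGE, PUBLISHED_MD5.upper()),
    }


if __name__ == "__main__":
    print(demo())
```

For a real image, call compute_file_digest on the downloaded file and pass the result to verify_image alongside the value shown on the vendor's download page. The algorithm parameter is there because MD5 is no longer collision-resistant; when the vendor publishes a stronger digest as well, compare that one with the same routine.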
Copying Images with FTP
The networking world has many options for file transfer, several of which IOS supports for the transfer of files into and out of the IOS file systems that reside on the router. TFTP and FTP have been supported for the longest time, with more recent support added for protocols like Secure Copy Protocol (SCP), which uses the SSH File Transfer Protocol (SFTP). The following table lists some of the names of file transfer protocols that you might come across when working with routers.
|Method|Method (Full Name)|Encrypted?|
|---|---|---|
|TFTP|Trivial File Transfer Protocol|No|
|FTP|File Transfer Protocol|No|
|SCP|Secure Copy Protocol|Yes|
To copy files with FTP, you follow the same kind of process you use with TFTP. You can follow the interactive prompts after using an EXEC command like copy ftp flash. However, the copy command allows you to use a URI for the source and/or destination, which lets you put most or all of the information in the command line itself. Each URI refers to the formal name of a file in the IFS.
The FTP and TFTP Protocols
The copy command, when used with the tftp or ftp keyword, acts as a client. The client connects to a TFTP or FTP server and then attempts to transfer the file. In the examples from the IOS, that copy command copied the file from the server into the client device (a router). The rest of this section examines what happens behind the scenes in that process, with a closer look at both FTP and TFTP as protocols and tools.
FTP Protocol Basics
FTP has long been a core Internet protocol, serving as the primary file transfer protocol for several decades. FTP uses TCP as its transport protocol, relying on TCP to provide error-free, in-order delivery of data so that the FTP application knows that each file transfer creates an exact copy of the file with no omissions. FTP uses well-known TCP port 21 and in some cases also well-known port 20.
As for normal operation, FTP uses a client/server model for file transfer. For instance, a typical session proceeds as follows:
- Step 1 shows host A creating a TCP connection to the server (which takes the usual three TCP messages).
- Step 2 represents the exchange that allows the server to authenticate the client.
- Step 3 shows the idea that, once authenticated, the client and server can send FTP commands over the connection to tell the other device what to do.
The commands that flow over this initial TCP connection—called the FTP control connection—define the kinds of functions supported by FTP. Those commands allow the client to navigate around the directory structures of the server, list files, and then transfer files from the server (FTP GET) or to the server (FTP PUT). Following is a summary of some of the FTP actions:
- Navigate directories: List the current directory, change the current directory to a new directory, go back to the home directory, all on both the server and client side of the connection.
- Add/remove directories: Create new directories and remove existing directories on both the client and server.
- List files: List files on both the client and server.
- File transfer: Get (client gets a copy of the file from the server), Put (client takes a file that exists on the client and puts a copy on the FTP server).
While many OSs support command-line FTP clients, which require you to learn the various FTP commands and use those from the command line, most users instead use an FTP client app that issues the FTP commands behind the scenes. Clients typically display files on the local system as well as the server with a user interface similar to a typical file browser on a desktop OS (for instance, Windows Explorer, macOS Finder). The FileZilla FTP client (filezilla-project.org) is one example of such a user interface.
FTP Active and Passive Modes
FTP can operate in either active or passive mode. The choice of mode may impact whether the TCP client can or cannot connect to the server and perform normal functions. The user at the FTP client can choose which mode to use, so this section works through the underlying details to explain why FTP passive mode may be the more likely option to work.
First, note that FTP uses two types of TCP connections:
- Control Connection: Used to exchange FTP commands
- Data Connection: Used for sending and receiving data, both for file transfers and for output to display to a user
Given the two roles, when a client connects to an FTP server, the client first creates the FTP control connection. The server listens for new control connections on its well-known port 21; the client allocates any new dynamic port (49222 in this case) and creates a TCP connection to the server.
After creating the TCP connection, the user authenticates to the FTP server and takes some actions. Some of those actions require only the control connection, but eventually the user will take an action (like getting a file) that requires a data connection. When that happens, to create the FTP data connection, the client will use either active mode or passive mode. In active mode, the process works as follows:
- The FTP client allocates a currently unused dynamic port and starts listening on that port.
- The client identifies that port (and its IP address) to the FTP server by sending an FTP PORT command to the server.
- The server, because it also operates in active mode, expects the PORT command; the server reacts and initiates the FTP data connection to the client’s address (192.168.1.102) and port (49333).
Active mode works well with both the FTP client and server sitting inside the same enterprise network. When within the same network, typically no NAT function and no firewall sits between the two. However, if the FTP client sits in an enterprise network, and the FTP server resides somewhere in the Internet, an active mode connection typically fails. Most firewalls do not allow Internet-based hosts to initiate TCP connections to hosts inside the enterprise without a specific firewall rule allowing connections to a known port, and in this case, the FTP client allocates any available port number.
Passive mode helps solve the firewall restrictions by having the FTP client initiate the FTP data connection to the server. However, passive mode does not simply cause the FTP client to connect to a well-known port on the server; it requires more exchanges of port numbers to use between the server and client. In passive mode, the process works as follows:
- The FTP client changes to use FTP passive mode, notifying the server using the FTP PASV command.
- The server chooses a port to listen on for the upcoming new TCP connection, in this case TCP port 49444.
- The FTP server notifies the FTP client of its IP address and chosen port with the FTP PORT command.
- The FTP client opens the TCP data connection to the IP address and port learned at the previous step.
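The Python script below is an added example, not part of the original text and not taken from any FTP implementation: it works through the port-number exchange for both modes using the values given above (client 192.168.1.102 on port 49333 for active mode, server port 49444 for passive mode) and reports which side has to open the data connection, which is the whole reason passive mode gets through a firewall that only permits outbound connections. Both the PORT command and, in RFC 959, the server's 227 reply to PASV carry the address and port as six decimal fields h1,h2,h3,h4,p1,p2, with the port split as p1*256+p2; the script encodes and decodes that form. The server address 203.0.113.10 is constructed for the demonstration, since the text does not give one, and the function names are this example's own.

```python
import re

# Page values for the active-mode example; the server address is constructed (documentation range).
CLIENT_IP, CLIENT_PORT = "192.168.1.102", 49333
SERVER_IP, SERVER_PORT = "203.0.113.10", 49444


def encode_hostport(ip, port):
    """RFC 959 h1,h2,h3,h4,p1,p2 encoding shared by the PORT command and the 227 reply to PASV."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def decode_hostport(text):
    """Inverse of encode_hostport; rejects malformed fields instead of guessing."""
    fields = text.split(",")
    if len(fields) != 6 or not all(f.isdigit() for f in fields):
        raise ValueError("malformed host-port string: %r" % text)
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range: %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


_PORT_RE = re.compile(r"^PORT (\S+)\r?\n?$")
_PASV_RE = re.compile(r"^227 .*?\((\d+(?:,\d+){5})\)")


def build_port_command(client_ip, client_port):
    """Active mode: the client tells the server where to connect for data."""
    return "PORT %s\r\n" % encode_hostport(client_ip, client_port)


def parse_port_command(line):
    m = _PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return decode_hostport(m.group(1))


def build_pasv_reply(server_ip, server_port):
    """Passive mode: the server answers PASV with the endpoint it is listening on."""
    return "227 Entering Passive Mode (%s).\r\n" % encode_hostport(server_ip, server_port)


def parse_pasv_reply(line):
    m = _PASV_RE.match(line)
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    return decode_hostport(m.group(1))


def data_connection_plan(mode, client_ip, client_port, server_ip, server_port):
    """Who opens the data connection, and therefore whose firewall must admit an inbound TCP SYN."""
    if mode == "active":
        line = build_port_command(client_ip, client_port)
        ip, port = parse_port_command(line)      # what the server extracts from the command
        return {"control_line": line.strip(), "initiator": "server",
                "connect_to": (ip, port), "inbound_at": "client"}
    if mode == "passive":
        line = build_pasv_reply(server_ip, server_port)
        ip, port = parse_pasv_reply(line)        # what the client extracts from the reply
        return {"control_line": line.strip(), "initiator": "client",
                "connect_to": (ip, port), "inbound_at": "server"}
    raise ValueError("mode must be 'active' or 'passive'")


if __name__ == "__main__":
    for mode in ("active", "passive"):
        print(mode, data_connection_plan(mode, CLIENT_IP, CLIENT_PORT, SERVER_IP, SERVER_PORT))
```

The inbound_at field is the practical takeaway: with active mode the enterprise firewall in front of the client would have to accept a connection from the Internet to whatever dynamic port the client chose, while with passive mode only the server side needs to accept inbound data connections, which the server's operator can plan for.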
FTP over TLS (FTP Secure)
Over the years, several RFCs defined security improvements for FTP. Those new features include using digital certificates for authentication as well as using Transport Layer Security (TLS) to encrypt all data (including usernames/passwords). Fast forward to today and many of those features converge into what most FTP clients and servers support as FTP over TLS or as FTP Secure (FTPS). With FTPS, the client and server still use FTP commands and still use both a control and data connection. However, FTPS encrypts both the control and data connections with TLS, including the exchange of the usernames and passwords. FTPS includes a few variations, including FTPS explicit mode, which works as follows:
- The client creates the FTP control TCP connection to server well-known port 21.
- The client initiates the use of TLS in the control connection with the FTP AUTH command.
- When the user takes an action that requires an FTP data connection, the client creates an FTP data TCP connection to server well-known port 21.
- The client initiates the use of TLS in the data connection with the FTP AUTH command.
The implicit mode process begins with a required TLS connection, with no need for an FTP AUTH command, using well-known ports 990 (for the control connection) and 989 (for the data connection).
NOTE SSH File Transfer Protocol (SFTP) is a different protocol than FTPS. SFTP uses SSH to encrypt file transfers over an SSH connection. Despite the name, the acronym SFTP does not refer to a secure version of FTP.
TFTP Protocol Basics
FTP has a role as a general file transfer tool for any user, with a good number of FTP client application options available. TFTP plays a much smaller role as a tool for the average user, but it does play a more useful role for IT support staff. For the basics, Trivial File Transfer Protocol uses UDP well-known port 69. Because it uses UDP, TFTP adds a feature to check each file for transmission errors by using a checksum process on each file after the transfer completes.
The word trivial in the name refers to its relatively small number of features, meant to be an advantage by making the tool lightweight. For instance, it supports far fewer commands than FTP (fewer functions), meaning that the code requires less space to install, which can be useful for devices with limited memory. TFTP can Get and Put files, but it includes no commands to change directories, create/remove directories, or even to list files on the server. TFTP does not support even simple clear-text authentication. In effect, if a TFTP server is running, it should accept requests from any TFTP client.
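To make the "trivial" part concrete, the Python script below is an added example, written for this section and not taken from any TFTP implementation or from the original text. It builds and parses the RFC 1350 packet types (read/write request, DATA, ACK, ERROR) and simulates a GET as a lock-step exchange of 512-byte blocks, including the rule that the transfer ends on the first block shorter than 512 bytes, so a file that is an exact multiple of 512 bytes needs a final empty block. The request packet has no field for a username or password at all, which is the protocol-level reason a running TFTP server answers any client. The server's file table and its contents are constructed for the demonstration, and the function names are this example's own.

```python
import struct

TFTP_PORT = 69                      # well-known UDP port the server listens on
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512
ERR_FILE_NOT_FOUND = 1


def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ layout: 2-byte opcode, filename, NUL, mode, NUL. There is no credentials field."""
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("opcode must be RRQ or WRQ")
    return struct.pack("!H", opcode) + filename.encode("ascii") + b"\x00" + mode.encode("ascii") + b"\x00"


def parse_request(packet):
    """Return (opcode, filename, mode); the mode is case-insensitive per RFC 1350."""
    if len(packet) < 4:
        raise ValueError("packet too short for a request")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("not a request packet")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3:                 # filename, mode, and the empty tail after the final NUL
        raise ValueError("malformed request")
    return opcode, fields[0].decode("ascii"), fields[1].decode("ascii").lower()


def build_data(block, payload):
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)


def build_error(code, message):
    return struct.pack("!HH", OP_ERROR, code) + message.encode("ascii") + b"\x00"


def parse_packet(packet):
    """Return (opcode, block number or error code, body) for DATA, ACK and ERROR packets."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    opcode, number = struct.unpack("!HH", packet[:4])
    return opcode, number, packet[4:]


def split_into_blocks(content):
    """DATA blocks numbered from 1; the first block shorter than BLOCK_SIZE ends the transfer."""
    blocks, offset, number = [], 0, 1
    while True:
        chunk = content[offset:offset + BLOCK_SIZE]
        blocks.append(build_data(number, chunk))
        offset += BLOCK_SIZE
        number += 1
        if len(chunk) < BLOCK_SIZE:
            return blocks


def simulate_get(filename, server_files):
    """Lock-step RRQ / DATA / ACK exchange for a client reading filename from a server.

    Returns (received bytes or None, transcript of (sender, packet) pairs in wire order).
    """
    transcript = []
    rrq = build_request(OP_RRQ, filename)
    transcript.append(("client", rrq))
    _, name, _mode = parse_request(rrq)     # the server has nothing to authenticate here
    if name not in server_files:
        transcript.append(("server", build_error(ERR_FILE_NOT_FOUND, "File not found")))
        return None, transcript
    received = bytearray()
    for data_packet in split_into_blocks(server_files[name]):
        transcript.append(("server", data_packet))
        _, block, body = parse_packet(data_packet)
        received += body
        transcript.append(("client", build_ack(block)))   # every block is acknowledged by number
    return bytes(received), transcript


# Constructed server contents: two fake image files of deliberately chosen sizes.
DEMO_FILES = {
    "c2900-demo.bin": bytes(range(256)) * 4 + b"tail",   # 1028 bytes -> 3 blocks, last 4 bytes
    "exact.bin": b"\xAA" * 1024,                         # 1024 bytes -> 3 blocks, last one empty
}

if __name__ == "__main__":
    data, log = simulate_get("c2900-demo.bin", DEMO_FILES)
    print(len(data), "bytes in", sum(1 for who, _ in log if who == "server"), "DATA packets")
```

Two things are worth noticing when you run it: the transcript for a missing file is just a request and an ERROR packet, and nothing in either packet says who asked; and the 1024-byte file produces a third, empty DATA block, which is the detail that trips up hand-written TFTP servers and is why the last block of an image on the wire is sometimes only 4 bytes long.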
Ideally, TFTP has its best use as a temporary tool for quick file transfers in a controlled environment, particularly when the data itself does not have to be secure. For instance, imagine this scenario:
- A network engineer keeps all router and switch IOS images in a folder.
- The engineer enables a TFTP server on her laptop as needed; otherwise, the TFTP server remains disabled.
- The engineer connects her laptop to a LAN and enables the TFTP server long enough to transfer IOS images into or out of a few devices.
- If the engineer forgets to disable TFTP, the only risk is that someone may copy an IOS image—an image that is already available from Cisco.com to any customer.