The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document provides the procedure to configure a Cisco device for Secure Copy (SCP) server-side functionality.
Configure Secure Shell (SSH), authentication, and authorization on the device.
Because the Secure Copy Protocol (SCP) relies on SSH for its secure transport, the device must have a Rivest, Shamir, and Adelman (RSA) key pair.
The Secure Copy feature provides a secure and authenticated method for copying switch configurations or switch image files. The Secure Copy Protocol (SCP) relies on Secure Shell (SSH), an application and a protocol that provides a secure replacement for the Berkeley r-tools.
The behavior of SCP is similar to that of Remote Copy Protocol (RCP), which comes from the Berkeley r-tools suite (Berkeley university’s own set of networking applications), except that SCP relies on SSH for security. In addition, SCP requires authentication, authorization, and accounting (AAA) to be configured to ensure that the device can determine whether a user has the correct privilege level.
SCP allows only users with a privilege level of 15 to copy a file in the Cisco IOS File System (Cisco IFS) to and from a device by using the copy command. An authorized administrator can also perform this action from a workstation.
 Note |
|
SSH bulk data transfer mode can be used to enhance the throughput performance of SCP that is operating in the capacity of a client or a server. Before Cisco IOS XE Dublin 17.10.1, this mode is disabled by default, but can be enabled by using the ip ssh bulk-mode global configuration command. Beginning from Cisco IOS XE Dublin 17.10.1, SSH bulk data transfer mode is enabled by default with a default window size of 128 KB. TCP selective acknowledgment (SACK) is enabled by default if the bulk mode window size is configured.
The default bulk mode window size of 128 KB is optimal to copy large files in most network settings. However, in long haul networks where the round-trip time (RTT) is high, 128 KB is not enough. You can enable the most optimal SCP throughput performance by configuring the bulk mode window size using the ip ssh bulk-mode window-size command. For example, in an ideal lab testing environment, a window size of 2 MB in a 200-milliseconds round-trip time (RTT) setting can give around 500 percent improved throughput performance when compared to the default 128 KB window size.
The bulk mode window size must be configured as per the network bandwidth-delay product, that is, a multiple of total available bandwidth in bits per second and the round-trip time (RTT) in seconds. Because the CPU usage may increase with the increased window size, make sure to balance this by choosing the right window size.
The following sections provide information about the Secure Copy configuration tasks.
To configure a Cisco device for SCP server-side functionality, perform the following steps.
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password, if prompted. |
||
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
||
|
Step 3 |
aaa new-model Example: |
Sets AAA authentication at login. |
||
|
Step 4 |
aaa authentication login {default | list-name } method1 [ method2... ] Example: |
Enables the AAA access control system. |
||
|
Step 5 |
username name [privilege level ] password encryption-type encrypted-password Example: |
Establishes a username-based authentication system.
|
||
|
Step 6 |
ip scp server enable Example: |
Enables SCP server-side functionality. |
||
|
Step 7 |
exit Example: |
Exits global configuration mode and returns to privileged EXEC mode. |
||
|
Step 8 |
debug ip scp Example: |
(Optional) Troubleshoots SCP authentication problems. |
The following task shows how to configure the server-side functionality for SCP. This task shows a typical configuration that allows a device to securely copy files from a remote workstation.
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password, if prompted. |
||
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
||
|
Step 3 |
aaa new-model Example: |
Enables the Authentication, Authorization, and Accounting (AAA) access control model. |
||
|
Step 4 |
aaa authentication login default local Example: |
Sets AAA authentication to use the local username database for authentication at login. |
||
|
Step 5 |
aaa authorization exec default local Example: |
Sets the parameters that restrict user access to a network, runs the authorization to determine if the user ID is allowed to run an privileged EXEC shell, and specifies that the system must use the local database for authorization. |
||
|
Step 6 |
username name privilege privilege-level password password Example: |
Establishes a username-based authentication system, and specifies the username, privilege level, and an unencrypted password.
|
||
|
Step 7 |
ip ssh time-out seconds Example: |
Sets the time interval (in seconds) that the device waits for the SSH client to respond. |
||
|
Step 8 |
ip ssh authentication-retries integer Example: |
Sets the number of authentication attempts after which the interface is reset. |
||
|
Step 9 |
ip scp server enable Example: |
Enables the device to securely copy files from a remote workstation. |
||
|
Step 10 |
ip ssh bulk-mode Example: |
(Optional) Enables SSH bulk data transfer mode to enhance the throughput performance of SCP. |
||
|
Step 11 |
exit Example: |
Exits global configuration mode and returns to privileged EXEC mode. |
||
|
Step 12 |
debug ip scp Example: |
(Optional) Provides diagnostic information about SCP authentication problems. |
The following are examples of the Secure Copy configuration.
The following example shows how to configure the server-side functionality of Secure Copy. This example uses a locally defined username and password.
! AAA authentication and authorization must be configured properly in order for SCP to work.
Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa authentication login default local
Device(config)# aaa authorization exec default local
Device(config)# username user1 privilege 15 password 0 lab
! SSH must be configured and functioning properly.
Device(config)# ip scp server enable
Device(config)# end
The following example shows how to configure the server-side functionality of Secure Copy using a network-based authentication mechanism:
! AAA authentication and authorization must be configured properly for SCP to work.
Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa authentication login default group tacacs+
Device(config)# aaa authorization exec default group tacacs+
! SSH must be configured and functioning properly.
Device(config)# ip ssh time-out 120
Device(config)# ip ssh authentication-retries 3
Device(config)# ip scp server enable
Device(config)# end
Feedback