The Secure Copy feature provides a secure and authenticated method for copying switch configurations or switch image files.
The Secure Copy Protocol (SCP) relies on Secure Shell (SSH), an application and a protocol that provides a secure replacement
for the Berkeley r-tools.
The behavior of SCP is similar to that of Remote Copy Protocol (RCP), which comes from the Berkeley r-tools suite (Berkeley
university’s own set of networking applications), except that SCP relies on SSH for security. In addition, SCP requires authentication,
authorization, and accounting (AAA) to be configured to ensure that the device can determine whether a user has the correct
privilege level.
SCP allows only users with a privilege level of 15 to copy a file in the Cisco IOS File System (Cisco IFS) to and from a
device by using the copy command. An authorized administrator can also perform this action from a workstation.
Note: Similar to SCP, SSH File Transfer Protocol (SFTP) can be used to copy switch configuration or image files. For more information, refer to the Configuring SSH File Transfer Protocol chapter of the Security Configuration Guide.
Secure Copy Performance Improvements
SSH bulk data transfer mode can be used to enhance the throughput performance of SCP, whether the device is operating as an SCP client or as an SCP server. This mode is disabled by default, but can be enabled by using the ip ssh bulk-mode global configuration command. TCP selective acknowledgement (SACK) is enabled by default if the bulk mode window size is configured.
Note: We recommend that you enable this command only for transferring large files, and disable it after the file transfer is complete.
The default bulk mode window size of 128 KB is optimal for copying large files in most network settings. However, in networks with long paths where the round-trip time (RTT) is high, 128 KB is not enough. You can achieve the best SCP throughput performance by configuring the bulk mode window size using the ip ssh bulk-mode window-size command. For example, in an ideal lab testing environment, a window size of 2 MB with a 200-millisecond round-trip time can give around 500 percent improved throughput performance when compared to the default 128-KB window size.
The bulk mode window size must be configured according to the network's bandwidth-delay product, that is, the product of the total available bandwidth in bits per second and the round-trip time in seconds. Because CPU usage may increase with a larger window size, balance throughput against CPU load when choosing the window size.