July 15, 2011, 11:36 p.m.
posted by whitehat
Many networking equipment manufacturers allow you to back up live configurations of their devices to centralized servers via the TFTP protocol. TFTP can be used with great versatility as a network management tool and not just for saving files. TFTP servers can be used to upload new configurations to replacement devices after serious hardware failures. They can also be used to upload new versions of software to be run on network devices. Finally, they can be used to upload even partial configurations, such as files containing updated access control lists (ACLs) that restrict access to networks, or even to apply new passwords on a regular basis.
TFTP may not be an application used regularly in a home, but it will become increasingly important in an expanding small office/home office (SOHO) environment, which is why the topic is covered here. The provided TFTP examples use equipment from Cisco Systems, a leading networking hardware manufacturer.
Installing the TFTP Server Software
When searching for the file, remember that the TFTP server RPM's filename usually starts with the word tftp-server and is followed by a version number, as in: tftp-server-0.33-3.i386.rpm.
Configuring the TFTP Server
By default, the TFTP application expects files to be located in the /tftpboot directory. Change this in the /etc/xinetd.d/tftp file via the server_args option, or create your own directory just for this purpose and create a /tftpboot symbolic link to it.
It is usually best to place the TFTP files in a partition other than the root partition. TFTP files of increasing size could eventually fill the partition, affecting your ability to install new software or even the overall performance of your system. This example creates a new tftpboot directory in the /var partition, and then creates a symbolic link that makes this directory appear to also be the /tftpboot directory:
[root@bigboy tmp]# mv /tftpboot /var
[root@bigboy tmp]# ln -s /var/tftpboot /tftpboot
You must restart xinetd for the new configuration to take effect:
[root@bigboy tmp]# chkconfig tftp on
Each device must have a configuration file in the /tftpboot directory. Here's an example of what to do for a SOHO firewall named pixfw and a configuration filename that matches Cisco's standard naming scheme of device-name-config:
[root@bigboy tmp]# touch /tftpboot/pixfw-config
[root@bigboy tmp]# chmod 666 /tftpboot/pixfw-config
[root@bigboy tmp]# ll /tftpboot/
total 1631
-rw-rw-rw-    1 root     root         3011 Oct 29 14:09 pixfw-config
[root@bigboy tmp]#
You can test whether the TFTP process is running with the netstat command, which lists the TCP/UDP ports on which your server is listening. If TFTP isn't running, the command produces no output.
[root@bigboy tmp]# netstat -a | grep tftp
udp        0      0 *:tftp                  *:*
[root@bigboy tmp]#
Saving Cisco Configurations to the TFTP Server
Cisco PIX Firewall
Cisco Switch Running CATOS
ciscoswitch> (enable) wr net
This command shows non-default configurations only.
Use 'write network all' to show both default and non-default configurations.
IP address or name of remote host? [192.168.1.100]
Name of configuration file?[ciscoswitch-config]
Upload configuration to ciscoswitch-config on 192.168.1.100 (y/n) [n]? y
.........
Finished network upload. (30907 bytes)
ciscoswitch> (enable)
ciscorouter> enable
ciscorouter# write net
Remote host [192.168.1.100]? 192.168.1.100
Name of configuration file to write [ciscorouter-config]? ciscorouter-config
Write file ciscorouter-config on host 192.168.1.100? [confirm] y
ciscorouter# exit
Cisco CSS 11000 Arrowpoints
ciscocss# copy running-config tftp 192.168.1.100 ciscocss-config
Working..(\) 100%
Connecting (/)
Completed successfully.
ciscocss# exit
Cisco Local Director
ciscold> ena
Password:
ciscold# write net 192.168.1.100 ciscold-config
Building configuration...
writing configuration to //ciscold-config on 192.168.1.100:69 ... [OK]
ciscold# exit
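On the wire, each of the write net and copy running-config tftp commands above is a TFTP write request (WRQ) from the device, followed by a lock-step DATA/ACK exchange in 512-byte blocks. The following Python example is added here and is not code from the original page or from any Cisco or Linux TFTP implementation; it plays both the device (client) and the server side on 127.0.0.1 so the whole exchange can be run offline, and it makes visible that the WRQ carries only a filename and a transfer mode, which is why the file permissions and host restrictions on the TFTP server are the only controls that apply. The hostnames, the ephemeral port and the pixfw-config contents are constructed for the demo.

```python
import socket, struct, threading
# TFTP (RFC 1350) opcodes used here; a DATA block carries at most 512 bytes
WRQ, DATA, ACK = 2, 3, 4
BLOCK = 512
def tftp_put(host, port, filename, payload, timeout=3.0):  # client side of a write request
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        # WRQ = opcode, filename, NUL, mode, NUL; no credentials travel in the packet
        sock.sendto(struct.pack("!H", WRQ) + filename.encode() + b"\0octet\0", (host, port))
        resp, peer = sock.recvfrom(516)  # ACK 0 arrives from a new server port (its TID)
        if struct.unpack("!HH", resp[:4]) != (ACK, 0):
            raise RuntimeError("expected ACK 0, got %r" % resp[:4])
        block = 1
        while True:
            chunk = payload[(block - 1) * BLOCK:block * BLOCK]
            sock.sendto(struct.pack("!HH", DATA, block) + chunk, peer)
            resp, _ = sock.recvfrom(516)
            if struct.unpack("!HH", resp[:4]) != (ACK, block):
                raise RuntimeError("bad ACK for block %d" % block)
            if len(chunk) < BLOCK:  # a short (possibly empty) block ends the transfer
                return block
            block += 1

def serve_one_wrq(listen_sock, store):
    # Server side: accept one WRQ (opcode not checked in this demo) into store[filename]
    req, client = listen_sock.recvfrom(516)
    name = req[2:].split(b"\0")[0].decode()
    data_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # fresh port = server TID
    data_sock.sendto(struct.pack("!HH", ACK, 0), client)
    received = b""
    while True:
        pkt, _ = data_sock.recvfrom(516)
        _, block = struct.unpack("!HH", pkt[:4])
        received += pkt[4:]
        data_sock.sendto(struct.pack("!HH", ACK, block), client)
        if len(pkt) - 4 < BLOCK:
            break
    store[name] = received

def run_demo():
    # Constructed run: in-process server on 127.0.0.1 receives a 1200-byte pixfw-config
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listen:
        listen.bind(("127.0.0.1", 0))
        store = {}
        worker = threading.Thread(target=serve_one_wrq, args=(listen, store))
        worker.start()
        config = b"hostname pixfw\n" * 80  # sent as DATA blocks of 512, 512 and 176 bytes
        blocks = tftp_put("127.0.0.1", listen.getsockname()[1], "pixfw-config", config)
        worker.join()
    return blocks, store
```

run_demo() returns the number of DATA blocks the client sent (3 for the constructed file) and the server's in-memory copy, so the two sides can be compared directly.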
Uploading Cisco Configurations from the TFTP Server
From time to time you may have to upload configurations from your TFTP server to your network equipment. In this example, a small file containing a new encrypted password and access control list is uploaded from the TFTP server and inserted into a router configuration.
Sample Upload Configuration File
The configuration file is named config.file, and it looks like this:
!
! Set the console password
!
line con 0
password 7 $1$qDwqJEjunK$tuff0HE/g31/b7G/IZ
!
! Delete and recreate access list #10
!
no access-list 10
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.10.0 0.0.0.255
Procedure to Upload Configuration File
Uploading the file can be done using either the copy tftp: running-config or the older configure network commands. In both cases, you are prompted for the IP address of the TFTP server and the name of the file with the configuration commands. The filename provided is always relative to the /tftpboot directory. So if the file was located in the /tftpboot directory, it would be referred to as config.file, but if it were in the /tftpboot/configs directory, it would be referred to as /tftpboot/configs/config.file.
Consider this sample configure network command:
ciscorouter>ena
Password:
ciscorouter#configure network
Host or network configuration file [host]?
This command has been replaced by the command:
         'copy <url> system:/running-config'
Address or name of remote host ? 192.168.1.100
Source filename ? config.file
Configure using tftp://192.168.1.100/config.file? [confirm]
Loading config.file from 192.168.1.100 (via FastEthernet0/0): !!!!!!
[OK - 26521/52224 bytes]
ciscorouter#
Here's a sample copy tftp: running-config command:
ciscorouter#copy tftp: running-config
Address or name of remote host ? 192.168.1.100
Source filename ? config.file
Destination filename [running-config]?
Accessing tftp://192.168.1.100/config.file...
Loading config.file from 192.168.1.100 (via FastEthernet0/0): !!!!!!
[OK - 26521/52224 bytes]
26521 bytes copied in 1.912 secs (26521 bytes/sec)
ciscorouter#
Using TFTP to Restore Your Router Configuration
In disastrous cases, where you have to replace a router completely, you can use TFTP to completely restore the configuration to the replacement device. If the replacement unit is identical, then you need to do very little editing of the saved configuration file, but expect to edit it if the interface names and software versions are different.
The procedure for restoring your configuration is simple: