TFTP

Many networking equipment manufacturers let you back up the live configurations of their devices to a central server using the TFTP protocol. TFTP is versatile enough to serve as a general network management tool, not just a way of saving files. A TFTP server can supply saved configurations to replacement devices after a serious hardware failure, deliver new software images to be run on network devices, and push partial configurations, such as a file containing an updated access control list (ACL) that restricts access to a network, or a routine change of passwords.

TFTP may not be an application used regularly in a home, but it becomes increasingly important as a small office/home office (SOHO) network grows, which is why the topic is covered here. The TFTP examples use equipment from Cisco Systems, a leading networking hardware manufacturer. Keep in mind throughout that TFTP runs over UDP port 69 with no authentication and no encryption, and that the files it serves are device configurations containing passwords, so the server belongs on a trusted segment with access limited to the devices that need it.

Installing the TFTP Server Software

Most Red Hat and Fedora Linux software products are available in the RPM format. Downloading and installing RPMs isn't hard. If you need a refresher, see Chapter 6.

When searching for the file, remember that the TFTP server RPM's filename usually starts with the word tftp-server and is followed by a version number, as in: tftp-server-0.33-3.i386.rpm.

Configuring the TFTP Server

The procedure to set up a TFTP Server is straightforward.

By default, the TFTP server expects files to be located in the /tftpboot directory. You can change this in the /etc/xinetd.d/tftp file via the server_args option, or create a directory of your own for this purpose and point a /tftpboot symbolic link at it.

It is usually best to place the TFTP files on a partition other than the root partition. A growing collection of TFTP files could eventually fill the root partition, affecting your ability to install new software or even the overall performance of the system. This example moves the tftpboot directory to the /var partition and then creates a symbolic link so that it also appears as /tftpboot:

     [[email protected] tmp]# mv /tftpboot /var
     [[email protected] tmp]# ln -s /var/tftpboot /tftpboot

The tftp service is managed by xinetd and is disabled by default. Enable it with chkconfig, which sets disable = no in /etc/xinetd.d/tftp and has xinetd reread its configuration, so no separate restart of xinetd is needed:

     [[email protected] tmp]# chkconfig tftp on

Each device must have a configuration file in the /tftpboot directory before it can write to the server: the stock Red Hat tftp server (tftp-hpa) refuses to create new files unless it is started with the -c option, and the file has to be writable by the unprivileged user the server runs as, which is why the example makes it world-writable. Bear in mind that mode 666 lets any local user, and any host that can reach the TFTP port, read and overwrite the file, so limit access with the only_from option in /etc/xinetd.d/tftp or with a firewall rule. Here's an example for a SOHO firewall named pixfw, with a configuration filename that matches Cisco's standard naming scheme of device-name-config:

     [[email protected] tmp]# touch /tftpboot/pixfw-config
     [[email protected] tmp]# chmod 666 /tftpboot/pixfw-config
     [[email protected] tmp]# ll /tftpboot/
     total 1631
     -rw-rw-rw- 1 root root 3011 Oct 29 14:09 pixfw-config
     [[email protected] tmp]#

You can test whether the TFTP service is listening with the netstat command, which lists the TCP and UDP ports on which your server is accepting traffic. If the service isn't enabled, the command prints nothing.

     [[email protected] tmp]# netstat -a | grep tftp
     udp        0      0 *:tftp                  *:*
     [[email protected] tmp]#
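To see what actually crosses the wire when a device writes its configuration to the server, here is an added example that is not part of the original page: a minimal RFC 1350 client and a one-request-at-a-time server written in Python, run against each other on the loopback interface. The directory, port, file name and configuration text are constructed for the demo (a free port stands in for UDP 69). Nothing in the exchange identifies the client: a write request for an existing file is simply acknowledged, which is exactly why a world-writable pixfw-config must be reachable only from hosts you trust.

```python
"""Minimal RFC 1350 TFTP exchange on loopback (added example, not the page's own code).
A client writes (WRQ) and reads (RRQ) a file in octet mode against a tiny in-process
server. Directory, port and file content are constructed for the demo."""
import os
import socket
import struct
import tempfile
import threading

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5   # RFC 1350 opcodes
BLOCK = 512                                    # fixed data block size
SAMPLE_CONFIG = b"hostname pixfw\n" + b"access-list 10 permit 192.168.1.0 0.0.0.255\n" * 20


def request(opcode, filename, mode="octet"):
    """RRQ/WRQ packet: opcode, filename, NUL, mode, NUL. No credentials anywhere."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_request(pkt):
    opcode = struct.unpack("!H", pkt[:2])[0]
    filename, mode = pkt[2:].split(b"\0")[:2]
    return opcode, filename.decode(), mode.decode().lower()


def send_file(sock, peer, data):
    """Send DATA blocks numbered from 1 and wait for each ACK; a short block ends it."""
    block = 1
    while True:
        chunk = data[(block - 1) * BLOCK:block * BLOCK]
        sock.sendto(struct.pack("!HH", DATA, block) + chunk, peer)
        op, acked = struct.unpack("!HH", sock.recvfrom(516)[0][:4])
        if op != ACK or acked != block:
            raise IOError("expected ACK for block %d" % block)
        if len(chunk) < BLOCK:
            return
        block += 1


def recv_file(sock):
    """Collect DATA blocks, ACKing each to the sender's transfer port (its TID)."""
    out, expect = b"", 1
    while True:
        pkt, peer = sock.recvfrom(4 + BLOCK)
        op, block = struct.unpack("!HH", pkt[:4])
        if op == ERROR:
            raise IOError(pkt[4:].rstrip(b"\0").decode())
        if op != DATA or block != expect:
            raise IOError("unexpected packet")
        out += pkt[4:]
        sock.sendto(struct.pack("!HH", ACK, block), peer)
        if len(pkt) - 4 < BLOCK:
            return out
        expect += 1


def tftp_put(host, port, name, data):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(5)
        s.sendto(request(WRQ, name), (host, port))
        pkt, tid = s.recvfrom(516)               # ACK 0 comes from the server's new TID
        if struct.unpack("!HH", pkt[:4]) != (ACK, 0):
            raise IOError("write request refused")
        send_file(s, tid, data)


def tftp_get(host, port, name):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(5)
        s.sendto(request(RRQ, name), (host, port))
        return recv_file(s)


def serve_one(listen_sock, root):
    """Handle one request the way in.tftpd does: a fresh socket (TID) per transfer."""
    pkt, client = listen_sock.recvfrom(516)
    op, name, _ = parse_request(pkt)
    path = os.path.join(root, os.path.basename(name))   # never leave the served directory
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(5)
        if op == RRQ and os.path.isfile(path):
            with open(path, "rb") as f: send_file(s, client, f.read())
        elif op == WRQ:                                  # any client may write: no auth
            s.sendto(struct.pack("!HH", ACK, 0), client)
            with open(path, "wb") as f: f.write(recv_file(s))
        else:
            s.sendto(struct.pack("!HH", ERROR, 1) + b"File not found\0", client)


def demo():
    """Upload the sample config, read it back, then request a file that does not exist."""
    root = tempfile.mkdtemp()
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))                   # any free port stands in for udp/69
    srv.settimeout(10)
    port = srv.getsockname()[1]
    t = threading.Thread(target=lambda: [serve_one(srv, root) for _ in range(3)])
    t.start()
    tftp_put("127.0.0.1", port, "pixfw-config", SAMPLE_CONFIG)
    back = tftp_get("127.0.0.1", port, "pixfw-config")
    try:
        tftp_get("127.0.0.1", port, "no-such-config")
        err = ""
    except IOError as e:
        err = str(e)
    t.join()
    srv.close()
    return back == SAMPLE_CONFIG, len(back), err


if __name__ == "__main__":
    print(demo())
```

Running the script uploads a configuration that spans two data blocks, reads it back unchanged and then asks for a missing file to show the ERROR packet the server answers with. The real in.tftpd behaves the same way toward the existing, world-writable pixfw-config created above: it checks the file's permissions, not who is asking.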

Saving Cisco Configurations to the TFTP Server

You'll now have to configure your Cisco router/firewall to use the TFTP server. The examples assume that the TFTP server's IP address is 192.168.1.100.

Cisco PIX Firewall

Follow these steps on a PIX firewall:

1.
Log onto the device, get into Enable mode, and then enter the TFTP commands to initially configure TFTP:

pixfw> enable
Password: ********
pixfw# configure terminal
pixfw(config)# tftp-server inside 192.168.1.100 /pixfw-config
pixfw(config)# exit

2.
Save the configuration to non-volatile memory:

pixfw# write memory
Building configuration...
Cryptochecksum: 3af43873 d35d6f06 51f8c999 180c2342
[OK]
pixfw#

3.
Save the configuration to the TFTP server:

pixfw# write network
Building configuration...
TFTP write '/pixfw-config' at 192.168.1.100 on interface 1
[OK]
pixfw#

Your firewall configuration has now been successfully saved for later use in the event of unrecoverable human error or hardware failure.

Cisco Switch Running CATOS

To save the configuration of a Catalyst-series switch running CATOS, you need to log onto the device, get into Enable mode, and then enter the write net TFTP command:

     ciscoswitch> (enable) wr net
     This command shows non-default configurations only.
     Use 'write network all' to show both default and non-default
     configurations.
     IP address or name of remote host? [192.168.1.100]
     Name of configuration file?[ciscoswitch-config]
     Upload configuration to ciscoswitch-config on 192.168.1.100 (y/n) [n]?
     y
     .........
     Finished network upload. (30907 bytes)
     ciscoswitch> (enable)

Cisco Router

To save the configuration of a router, log onto the device, get into Enable mode, and then enter the write net command; the router prompts for the server address and the filename:

     ciscorouter> enable
     ciscorouter# write net
     Remote host [192.168.1.100]? 192.168.1.100
     Name of configuration file to write [ciscorouter-config]? ciscorouter-config
     Write file ciscorouter-config on host 192.168.1.100? [confirm] y
     ciscorouter# exit

Cisco CSS 11000 Arrowpoints

To save the configuration of a Cisco CSS-series load balancer, log onto the device and enter the TFTP commands as seen below:

     ciscocss# copy running-config tftp 192.168.1.100 ciscocss-config
     Working..(\) 100%
     Connecting (/)
     Completed successfully.

     ciscocss# exit

Cisco Local Director

To save the configuration of a Cisco Local Director load balancer, log onto the device, get into Enable mode, and then enter the write net command with the server address and filename:

     ciscold> ena
     Password:
     ciscold# write net 192.168.1.100 ciscold-config
     Building configuration...

     writing configuration to //ciscold-config on 192.168.1.100:69 ...
     [OK]
     ciscold# exit

Uploading Cisco Configurations from the TFTP Server

From time to time you may have to upload configurations from your TFTP server to your network equipment. In this example, a small file containing a new encrypted password and access control list is uploaded from the TFTP server and inserted into a router configuration.

Sample Upload Configuration File

The configuration file is named config.file. It sets the console line password and then deletes and recreates standard access list 10. Note that a line password entered as password 7 must be the hex string that IOS itself produces when service password-encryption is enabled (copy it from a device where the password has already been set); an MD5 value of the form $1$... is the type 5 hash that enable secret stores, and IOS will not accept it on a line password. Remember too that type 7 encoding is reversible by anyone who obtains the file, so the TFTP directory holding such files needs the same protection as the device configurations themselves. The file looks like this:

     !
     ! Set the console password. The type 7 string below is a placeholder
     ! (it encodes the word cisco); replace it with your own.
     !
     line con 0
      password 7 094F471A1A0A
     !
     ! Delete and recreate access list #10
     !
     no access-list 10
     access-list 10 permit 192.168.1.0  0.0.0.255
     access-list 10 permit 192.168.10.0 0.0.0.255
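What a password 7 line actually protects is worth seeing, because the file above lands in a directory that TFTP serves without authentication. The following is an added Python example, not from the original page: it implements Cisco's type 7 encoding and decoding and scans a constructed configuration fragment for password and secret lines. A type 7 value decodes back to clear text using nothing but the public translation table, a type 5 ($1$...) secret is reported as a real salted hash that the code does not try to crack, and a value that is not in type 7 format is flagged rather than decoded. The vector 094F471A1A0A is the well-known type 7 encoding of the word cisco.

```python
"""Cisco type 7 password encoding, the format a 'password 7' line carries
(added example, not from the original page). The sample fragment is constructed."""
import re

# The fixed key every IOS image uses for type 7; it has been public for decades.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
# Two-digit decimal seed 00-15 followed by whole hex bytes.
TYPE7_RE = re.compile(r"^(0[0-9]|1[0-5])((?:[0-9A-Fa-f]{2})+)$")
# Matches "password 7 ...", "enable password 7 ...", "enable secret 5 ..." and similar.
PASSWORD_LINE = re.compile(r"^\s*(?:enable\s+)?(?:password|secret)\s+([0-9])\s+(\S+)", re.M)


def is_type7(value):
    """True when value has the shape IOS emits for type 7 strings."""
    return TYPE7_RE.match(value) is not None


def type7_encode(plain, seed=9):
    """XOR each byte with the key starting at offset seed; emit the seed, then hex."""
    out = "%02d" % seed
    for i, c in enumerate(plain.encode()):
        out += "%02X" % (c ^ XLAT[(seed + i) % len(XLAT)])
    return out


def type7_decode(value):
    """Reverse type7_encode; the seed is stored in the clear, so no secret is needed."""
    m = TYPE7_RE.match(value)
    if not m:
        raise ValueError("not a type 7 string: %s" % value)
    seed, body = int(m.group(1)), bytes.fromhex(m.group(2))
    return bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(body)).decode()


def recover_passwords(config_text):
    """For each password/secret line return (type, stored value, clear text or None)."""
    results = []
    for ptype, value in PASSWORD_LINE.findall(config_text):
        if ptype == "7" and is_type7(value):
            results.append(("7", value, type7_decode(value)))
        else:   # type 5 is a real salted MD5 hash; anything else is malformed type 7
            results.append((ptype, value, None))
    return results


# Constructed fragment: a type 7 console password and an MD5 (type 5) enable secret.
SAMPLE_FRAGMENT = """\
line con 0
 password 7 094F471A1A0A
!
enable secret 5 $1$qDwqJEjunK$tuff0HE/g31/b7G/IZ
"""

if __name__ == "__main__":
    for ptype, stored, clear in recover_passwords(SAMPLE_FRAGMENT):
        print(ptype, stored, clear)
```

Run against a configuration pulled from /tftpboot, recover_passwords shows in seconds what an unauthenticated reader of the TFTP directory learns; the practical consequence is to treat type 7 values as clear text when deciding who may reach the server, and to prefer enable secret (type 5) wherever IOS allows it.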

Procedure to Upload Configuration File

Uploading the file can be done using either the copy tftp: running-config or the older configure network command. In both cases, you are prompted for the IP address of the TFTP server and the name of the file containing the configuration commands. The filename you give is always relative to the server's /tftpboot directory: a file stored as /tftpboot/config.file is referred to as config.file, and one stored as /tftpboot/configs/config.file is referred to as configs/config.file.

Consider this sample configure network command:

     ciscorouter>ena
     Password:
     ciscorouter#configure network
     Host or network configuration file [host]?
     This command has been replaced by the command:
              'copy <url> system:/running-config'
     Address or name of remote host []? 192.168.1.100
     Source filename []? config.file
     Configure using tftp://192.168.1.100/config.file? [confirm]
     Loading config.file from 192.168.1.100 (via FastEthernet0/0): !!!!!!
     [OK - 26521/52224 bytes]

     ciscorouter#

Here's a sample copy tftp: running-config command:

     ciscorouter#copy tftp: running-config
     Address or name of remote host []? 192.168.1.100
     Source filename []? config.file
     Destination filename [running-config]?
     Accessing tftp://192.168.1.100/config.file...
     Loading config.file from 192.168.1.100 (via FastEthernet0/0): !!!!!!
     [OK - 26521/52224 bytes]

     26521 bytes copied in 1.912 secs (26521 bytes/sec)
     ciscorouter#

Always remember to save your configuration permanently to nonvolatile RAM (NVRAM) afterwards with the write memory or copy running-config startup-config command.

Using TFTP to Restore Your Router Configuration

In disastrous cases, where you have to replace a router completely, you can use TFTP to completely restore the configuration to the replacement device. If the replacement unit is identical, then you need to do very little editing of the saved configuration file, but expect to edit it if the interface names and software versions are different.

The procedure for restoring your configuration is simple:

1.
Connect your router to the local network of the TFTP server.

2.
Give your router the bare minimum configuration that allows it to ping your TFTP server (no access controls or routing protocols).

3.
Use the copy command to copy the backup configuration from the TFTP server to your startup configuration in NVRAM.

4.
Disconnect the router from the network.

5.
Reload the router without saving the live running configuration to overwrite the startup configuration. On rebooting, the router will copy the startup configuration stored in NVRAM into a clean running configuration environment.

6.
Log into the router via the console and verify the configuration is OK.

7.
Reconnect the router to the networks on which it was originally connected.

The commands you need are:

ciscorouter> enable
Password: ********
ciscorouter# write erase
...
...
! Enter the commands to provide a bare minimum of connectivity to
! your TFTP server here. This includes IP addresses, a default route
! and the TFTP setup commands.
...
...
ciscorouter# copy tftp:file-name startup-config
ciscorouter# reload

Please be aware that the write erase command erases your NVRAM startup configuration; always use it with great care.

