Using the Router as a TFTP Server

Problem

You want to configure your router to act as a TFTP server.

Solution

The tftp-server command configures the router to act as a TFTP server:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#tftp-server flash:c2600-ik9o3s-mz.122-12a.bin
Router1(config)#end
Router1#

Discussion

The ability to use a router as a TFTP server can be quite useful. We have often used this feature to upgrade several routers that are separated from the TFTP server by slow WAN connections. In situations like this, you can upgrade one of the remote routers by using TFTP over the slow WAN connection as we described in Recipe 1.6. Then you can configure the first router to act as a TFTP server, and use it to upgrade the remaining routers over high-speed local links.

The router is not a fully functional TFTP server. It can only serve files for download; you cannot use this feature to upload files into the serving router’s local flash. However, the router is not limited to serving IOS images. You can store configuration files in the router’s flash and make them available for download via TFTP as well, and you can even use it to hold configuration files for non-Cisco equipment. Bear in mind that TFTP offers no authentication and no encryption, so a configuration file served this way, together with any passwords and SNMP community strings it contains, is readable by any host that can reach the service.

Security is a concern whenever you enable services on a router. Every extra service you enable gives an attacker a new potential avenue into your network. Therefore, we certainly don’t recommend using the TFTP server feature on routers facing the public Internet or other unfriendly networks. For internal use, however, we believe it is reasonably safe. You can tighten the router’s TFTP server by attaching a standard access-list to the served file, like this:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router1(config)#access-list 99 deny any 
Router1(config)#tftp-server flash:c2600-ik9o3s-mz.122-12a.bin 99
Router1(config)#end
Router1#

In this example, we defined standard access-list 99, which permits all devices on the 172.25.1.0/24 network and denies everything else. Then we applied the access-list to the served file by specifying the access-list number at the end of the tftp-server command line. Only devices whose source address is permitted by the access-list may download the specified file via TFTP. Because a standard access-list matches only the source address of the request, this is a filter rather than authentication: it keeps hosts outside the permitted network from retrieving the file, but it does not identify who on that network is downloading it.
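The following Python script is an added example, not code from the book or from IOS. It plays both sides of the exchange the Discussion describes: a download-only server that answers a read request with DATA blocks, refuses a write request with a TFTP ERROR packet (the router’s behaviour described above) and checks the requester’s address against a permitted network (the role access-list 99 plays), and a client that issues the read request, acknowledges each block and then compares the MD5 digest of what it received, as you would with verify /md5 on the router. The image bytes and the 127.0.0.0/8 and 172.25.1.0/24 networks used in the scenarios are constructed for the example; only the filename is taken from the recipe.

```python
"""TFTP (RFC 1350) read and refused-write exchange over loopback.

Added example, not code from the Cisco IOS Cookbook or from IOS. The server
imitates the router described in the recipe: download only (a WRQ is answered
with an ERROR) and an access-list-style check on the requester's address in
place of 'tftp-server flash:... 99'. Image bytes are constructed.
"""
import hashlib
import ipaddress
import socket
import threading

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512
IMAGE = "c2600-ik9o3s-mz.122-12a.bin"
# Constructed stand-in for flash:IMAGE: 1280 bytes = two full blocks plus a short final block.
FILES = {IMAGE: bytes(range(256)) * 5}


class TFTPError(Exception):
    def __init__(self, code, msg):
        super().__init__(f"TFTP error {code}: {msg}")
        self.code = code

def u16(n):
    return n.to_bytes(2, "big")

def error_pkt(code, msg):
    return u16(ERROR) + u16(code) + msg.encode() + b"\0"

def serve_one(sock, permitted):
    """Answer one request; 'permitted' plays the part of access-list 99. (A real server
    moves each transfer to a fresh port; answering from the listening socket keeps this short.)"""
    pkt, peer = sock.recvfrom(1024)
    op = int.from_bytes(pkt[:2], "big")
    name, mode = pkt[2:].split(b"\0")[:2]
    if ipaddress.ip_address(peer[0]) not in permitted:
        sock.sendto(error_pkt(2, "Access violation"), peer)
        return
    if op != RRQ:  # the router is download-only: anything but a read is refused
        sock.sendto(error_pkt(4, "Illegal TFTP operation"), peer)
        return
    data = FILES.get(name.decode())
    if data is None or mode.lower() != b"octet":
        sock.sendto(error_pkt(1, "File not found"), peer)
        return
    block = 1
    while True:  # send DATA(n), wait for ACK(n); a block shorter than 512 bytes ends the transfer
        chunk = data[(block - 1) * BLOCK:block * BLOCK]
        sock.sendto(u16(DATA) + u16(block) + chunk, peer)
        ack, _ = sock.recvfrom(4)
        if ack[:2] != u16(ACK) or int.from_bytes(ack[2:], "big") != block:
            return  # unexpected reply; a production server would retransmit instead
        if len(chunk) < BLOCK:
            return
        block += 1

def tftp_request(server, name, op=RRQ, timeout=3.0):
    """Client side: send the request in octet mode, ACK each DATA block and return the
    file. An ERROR packet from the server is raised as TFTPError."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(u16(op) + name.encode() + b"\0octet\0", server)
        out, expected = bytearray(), 1
        while True:
            pkt, peer = s.recvfrom(4 + BLOCK)
            if pkt[:2] == u16(ERROR):
                raise TFTPError(int.from_bytes(pkt[2:4], "big"), pkt[4:-1].decode())
            if pkt[:2] != u16(DATA) or int.from_bytes(pkt[2:4], "big") != expected:
                continue  # stray or duplicate block
            out += pkt[4:]
            s.sendto(u16(ACK) + u16(expected), peer)
            if len(pkt) - 4 < BLOCK:
                return bytes(out)
            expected += 1

def run_scenario(permitted_cidr, op=RRQ, name=IMAGE):
    """One request against a fresh loopback server: file bytes on success, TFTP error code on refusal."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.settimeout(5.0)
    srv.bind(("127.0.0.1", 0))
    t = threading.Thread(target=serve_one, args=(srv, ipaddress.ip_network(permitted_cidr)))
    t.start()
    try:
        return tftp_request(srv.getsockname(), name, op)
    except TFTPError as e:
        return e.code
    finally:
        t.join()
        srv.close()

def md5_matches(blob, reference):
    """The comparison 'verify /md5' performs on the router, done here on the downloaded copy."""
    return hashlib.md5(blob).hexdigest() == hashlib.md5(reference).hexdigest()

if __name__ == "__main__":
    image = run_scenario("127.0.0.0/8")  # loopback source is permitted: the read succeeds
    print("image intact:", md5_matches(image, FILES[IMAGE]))
    print("write refused, error code", run_scenario("127.0.0.0/8", op=WRQ))
    print("source outside the access-list, error code", run_scenario("172.25.1.0/24"))
```

Running the script shows the three outcomes in turn: the permitted read returns the image with a matching digest, the write attempt is refused with error code 4 (illegal operation), and a request from a source outside the permitted network is refused with error code 2 (access violation) before any file is looked up, which is the effect the access-list on the tftp-server command has on the router.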

You can configure the router to serve multiple files via TFTP by simply adding more tftp-server commands. And, if security is a concern, you can configure each file to use its own access-list.

Although this feature can be useful, we recommend enabling it only when you need to do a download, and then disabling the service as soon as the download has completed by removing each tftp-server line with the no form of the command. This limits the window during which the extra service is exposed and so helps to mitigate the security concerns of running it on your router.

See Also

Recipe 1.6
