Backing up and restoring Cisco IOS image files using an SCP server is one of the skills every network administrator should have. It is also a subject in the CCNA exam syllabus. In this tutorial, I will teach you how to back up and restore Cisco switch/router IOS images using an SCP server.

SCP stands for Secure Copy. SCP is based on SSH (Secure Shell). It is a tool that provides a secure way to download and upload Cisco IOS images and configuration files by ensuring encryption and authentication.

In the following sections, I will be using the following network diagram. The network consists of three devices: one Cisco router and two Cisco switches. In addition, switch SW1 will be configured to act as an SCP server.

Configuring SCP Service on a Cisco Router/Switch

To set up the SCP service on a Cisco router or switch, you have to configure SSH version 2 and then enable SCP using the ip scp server enable command.

Here are the steps to configure a Cisco router/switch as an SCP server. The first steps enable SSH version 2, while the last one activates SCP.

Step 1. Set a domain name for the router/switch using the ip domain-name command.

Step 2. Activate the SSH server and generate an RSA key pair using the crypto key generate rsa general-keys modulus sz command, where sz is a number between 360 and 4096 representing the size of the key modulus in bits.

Step 3. Set the SSH version to 2 using the ip ssh version command.

Step 4. Enable SSH user authentication on a per-user basis using the local user database by issuing the login local command in line configuration mode. You can also configure AAA authorization and authentication to achieve the same thing.

Step 5. Create one or more username/password pairs with privilege level 15 using the username privilege 15 password command or the username privilege 15 secret command.

Username/password combinations are credentials the network administrator should enter to connect to the SSH/SCP service via an SSH client. Additionally, the user you use to connect to the SCP server should be able to access privileged EXEC mode.

Step 6. Enable the SCP service using the ip scp server enable command.

In this example, we configure the SCP service and configure SSH on switch SW1 based on the following settings.

  • Domain name: itskillbuilding.com
  • RSA keys modulus: 3072
  • SSH version: 2
  • SSH authentication method: local user database.
  • Privilege 15 user account: username is scp and password is CISCO.

SW1(config)# username scp privilege 15 password CISCO
SW1(config)#
SW1(config)# ip domain-name itskillbuilding.com
SW1(config)# crypto key generate rsa general-keys modulus 3072
SW1(config)# ip ssh version 2
SW1(config)#
SW1(config)# line vty 0 4
SW1(config-line)# login local
SW1(config-line)# exit
SW1(config)#
SW1(config)# ip scp server enable

The show ip ssh command output states that SSH version 2 has been enabled.

SW1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3

The show running-config command indicates that the ip scp server enable command has been applied successfully.

SW1# show running-config | include scp
username scp password 0 CISCO
ip scp server enable
SW1#

To monitor and troubleshoot SCP connections, issue the debug ip scp command in enable mode.
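
The six configuration steps above can be checked offline against a saved running-config. The following Python sketch is an added example, not part of the original tutorial; the function name audit_scp_config and the sample configuration are constructed for illustration, and the sample assumes a device that also has vty lines 5 to 15, which the steps above leave untouched.

```python
import re

# Constructed sample: running-config lines SW1 could hold after the steps above.
# RSA keys do not appear in running-config, so step 2 cannot be checked here.
SAMPLE_CONFIG = """\
hostname SW1
username scp privilege 15 password 0 CISCO
ip domain-name itskillbuilding.com
ip ssh version 2
ip scp server enable
line con 0
line vty 0 4
 login local
line vty 5 15
 login
"""

def audit_scp_config(config):
    """Return findings for the SSH/SCP prerequisites; an empty list means clean."""
    lines = config.splitlines()
    findings = []
    if not any(re.match(r"ip domain[- ]name \S+", l) for l in lines):
        findings.append("no domain name (step 1)")
    if "ip ssh version 2" not in lines:
        findings.append("SSH version 2 not enforced (step 3)")
    if "ip scp server enable" not in lines:
        findings.append("SCP server not enabled (step 6)")
    # Step 5: a privilege 15 user must exist; 'password' is stored reversibly.
    pattern = r"username (\S+) (?:privilege (\d+) )?(password|secret)"
    users = [m for l in lines if (m := re.match(pattern, l))]
    if not any(m.group(2) == "15" for m in users):
        findings.append("no privilege 15 user (step 5)")
    for m in users:
        if m.group(3) == "password":
            findings.append(f"user {m.group(1)} uses 'password' instead of 'secret'")
    # Step 4: with AAA enabled the method lists decide, so skip the vty check.
    if "aaa new-model" in lines:
        return findings
    vty, block = {}, None
    for l in lines:
        if not l.startswith(" "):
            block = l if l.startswith("line vty") else None
        if block:
            vty.setdefault(block, []).append(l.strip())
    for name, body in vty.items():
        if "login local" not in body:
            findings.append(f"{name}: 'login local' missing (step 4)")
    return findings
```

Run against the sample, it reports the cleartext password form and the second vty block that still uses plain login.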

How To Back Up a Cisco Router/Switch IOS Image Using an SCP Server

To back up a Cisco router/switch IOS image file using an SCP server, follow these easy steps:

Step 1. Configure an SCP server on a Cisco router/switch or on a separate machine. You can find lots of free SCP server apps on the Internet.

Step 2. Connect the Cisco router/switch directly or through another network device to the SCP server.

Step 3. Configure IP addresses on both the Cisco router/switch and the SCP server.

Router> enable
Router# conf t
Router(config)# hostname R1
R1(config)# interface gigabitethernet 0/0
R1(config-if)# ip address 10.0.0.1 255.255.255.0
R1(config-if)# no shutdown

Step 4. Ping the SCP server from the Cisco router/switch to check the connection between these network devices.

R1# ping 10.0.0.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 0/0/0 ms

Step 5. Initiate a CLI session to the Cisco router/switch via a console cable, Telnet, or SSH.

Step 6. In privileged EXEC mode, issue the show flash: command to display the list of Cisco IOS images stored in flash memory.

R1# show flash:

System flash directory:
File  Length   Name/status
  3   33591768 c1900-universalk9-mz.SPA.151-4.M4.bin
  2   28282    sigdef-category.xml
  1   227537   sigdef-default.xml
[33847587 bytes used, 221896413 available, 255744000 total]
249856K bytes of processor board System flash (Read/Write)

Step 7. In enable mode, issue the copy flash: scp command to start backing up a Cisco router/switch IOS image file. In this example, we save the c1900-universalk9-mz.SPA.151-4.M4.bin file.

The copy command prompts for the name of the Cisco IOS image file to send to the SCP server, the name under which to store the image file on the SCP server, the IP address of the SCP server, and the name and password of a user account.

R1# copy flash: scp
Source filename []? c1900-universalk9-mz.SPA.151-4.M4.bin
Address or name of remote host []? 10.0.0.10
Destination username [R1]? scp
Destination filename [c1900-universalk9-mz.SPA.151-4.M4.bin]? c1900-universalk9-mz.SPA.151-4.M4-copy.bin
Writing c1900-universalk9-mz.SPA.151-4.M4-copy.bin
Password: 



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
33591768 bytes copied in 191.153 secs (175732 bytes/sec)

Step 8. Open the folder where the SCP server stores files in order to check that the router/switch’s image file is there.

How To Restore Cisco Router/Switch IOS Images Using an SCP Server

Here are the steps to restore a Cisco router/switch IOS image file from an SCP server:

Step 1. Install and set up an SCP server.

Step 2. Connect the Cisco router/switch directly or through another network device to the SCP server.

Step 3. Configure IP addresses on the router/switch and the SCP server.

Switch> enable
Switch# conf t
Switch(config)# hostname SW2
SW2(config)#
SW2(config)# interface vlan 1
SW2(config-if)# ip address 10.0.0.20 255.255.255.0
SW2(config-if)# no shutdown

Step 5. Ping the SCP server from the router/switch to verify that both devices can communicate.

SW2# ping 10.0.0.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 0/0/0 ms

Step 6. Connect to the Cisco router/switch’s CLI interface via a console cable, Telnet, or SSH.

Step 7. In enable mode, enter the copy scp flash: command to begin restoring a Cisco IOS image file. In this example, we download the 2960-lanbasek9-mz.151-2.SE4.bin file.

The copy command asks for the name of the Cisco IOS image file to copy from the SCP server, the name under which to store the image file in flash memory, the IP address of the SCP server, and a valid username/password pair.

SW2# copy scp flash:
Address or name of remote host []? 10.0.0.10
Source username [SW2]? scp
Source filename []? 2960-lanbasek9-mz.151-2.SE4.bin
Destination filename [2960-lanbasek9-mz.151-2.SE4.bin]? 2960-lanbasek9-mz.151-2.SE4-restored.bin

Password: 



!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
4670455 bytes copied in 26.6069 secs (175535 bytes/sec)

Step 8. Display the content of the flash memory to verify that the Cisco IOS image file is there.

SW2# show flash:
Directory of flash:/

    1  -rw-     4670455            2960-lanbasek9-mz.150-2.SE4.bin
    2  -rw-     4670455            2960-lanbasek9-mz.151-2.SE4-restored.bin

64016384 bytes total (54675474 bytes free)
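
Checking that a file is listed, as in the last step of both the backup and the restore procedure, does not show that the whole file arrived. The following Python sketch is an added example, not part of the original tutorial: it parses both show flash: formats seen on this page, compares the file size with the "bytes copied" line, and checks free space. The function names are hypothetical and the embedded text is copied from the transcripts above.

```python
import re

# Output copied from the transcripts on this page (router and switch formats).
ROUTER_FLASH = """\
System flash directory:
File  Length   Name/status
  3   33591768 c1900-universalk9-mz.SPA.151-4.M4.bin
  2   28282    sigdef-category.xml
  1   227537   sigdef-default.xml
[33847587 bytes used, 221896413 available, 255744000 total]
"""
SWITCH_FLASH = """\
Directory of flash:/

    1  -rw-     4670455            2960-lanbasek9-mz.150-2.SE4.bin
    2  -rw-     4670455            2960-lanbasek9-mz.151-2.SE4-restored.bin

64016384 bytes total (54675474 bytes free)
"""

def parse_flash(output):
    """Return ({filename: size}, free_bytes) from either 'show flash:' format."""
    files, free = {}, None
    for line in output.splitlines():
        m = re.match(r"\s*\d+\s+(?:[-drwx]{4}\s+)?(\d+)\s+(\S+)\s*$", line)
        if m:
            files[m.group(2)] = int(m.group(1))
            continue
        m = re.search(r"(\d+) available|\((\d+) bytes free\)", line)
        if m:
            free = int(m.group(1) or m.group(2))
    return files, free

def check_transfer(flash_output, filename, copy_summary):
    """Compare the size in flash with the 'bytes copied' line of a copy command."""
    files, _ = parse_flash(flash_output)
    m = re.search(r"(\d+) bytes copied", copy_summary)
    if filename not in files or not m:
        return False
    return files[filename] == int(m.group(1))

def fits_in_flash(flash_output, image_size):
    """True if the device reports enough free flash space for the image."""
    _, free = parse_flash(flash_output)
    return free is not None and image_size <= free
```

A matching size only rules out truncation; to check the content, compare the output of the IOS verify /md5 command with the hash the vendor publishes for that image before pointing boot system at it.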

If you want the switch to load the new image file upon the next reboot, issue the boot system command in switch configuration mode, save the configuration, and then reload the switch, as demonstrated in this example.

SW2(config)# boot system 2960-lanbasek9-mz.151-2.SE4-restored.bin
SW2(config)# end
SW2# 
SW2# write
Building configuration...
[OK]
SW2# reload 
Proceed with reload? [confirm]


C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)FX, RELEASE SOFTWARE (fc4)
Cisco WS-C2960-24TT (RC32300) processor (revision C0) with 21039K bytes of memory.
2960-24TT starting...
Base ethernet MAC Address: 00D0.97CB.6C64
Xmodem file system is available.
Initializing Flash...
flashfs[0]: 3 files, 0 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 64016384
flashfs[0]: Bytes used: 9341998
flashfs[0]: Bytes available: 54674386
flashfs[0]: flashfs fsck took 1 seconds.
...done Initializing Flash.

Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4


Loading "flash:/2960-lanbasek9-mz.151-2.SE4-restored.bin"...
########################################################################## [OK]
Smart Init is enabled

omitted output

Troubleshooting Cisco IOS Image Backup and Restore Process using an SCP Server

When you try to back up or restore a Cisco IOS image file, whether it is for a switch or router, the procedure may fail for one of these reasons:

  • The SCP service is not working.
  • The SCP server is unreachable because of bad IP addressing on the client or the server side, or due to routing issues in the network.
  • Bad credentials (username and password).
  • Not enough user permissions.
  • An ACL denies SCP packets between the SCP client and the SCP server.

Conclusion

I hope this blog post helps you learn something.
Now I’d like to turn it over to you:
What did you like about this tutorial?
Or maybe you have an excellent idea that you think I need to add.
Either way, let me know by leaving a comment below right now.

Mohamed Ouamer
Mohamed Ouamer is a computer science teacher and a self-published author. He taught networking technologies and programming for more than fifteen years. While he loves to share knowledge and write, Mohamed's best passions include spending time with his family, visiting his parents, and learning new things.