Backing up and restoring Cisco IOS image files using an SCP server is one of the skills every network administrator should have. It is also a subject in the CCNA exam syllabus. In this tutorial, I will teach you how to back up and restore Cisco switch/router IOS images using an SCP server.
SCP stands for Secure Copy. SCP is based on SSH (Secure Shell). It is a tool that provides a secure way to download and upload Cisco IOS images and configuration files by ensuring encryption and authentication.
In the following sections, I will be using the following network topology. The network consists of three devices: one Cisco router and two Cisco switches. Switch SW1 will be configured to act as the SCP server.
Configuring SCP Service on a Cisco Router/Switch
To set up the SCP service on a Cisco router or switch, you have to configure SSH version 2 and then enable SCP using the ip scp server enable command.
Here are the steps to configure a Cisco router/switch as an SCP server. The first steps enable SSH version 2, while the last one activates SCP.
Step 1. Set a domain name for the router/switch using the ip domain-name command.
Step 2. Activate the SSH server and generate an RSA key pair using the crypto key generate rsa general-keys modulus sz command, where sz is the size of the key modulus in bits, a number between 360 and 4096.
Step 3. Set the SSH version to 2 using the ip ssh version command.
Step 4. Enable SSH user authentication on a per-user basis using the local user database by issuing the login local command in line configuration mode. You can also configure AAA authorization and authentication to achieve the same thing.
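Step 5. Create one or more username/password pairs with privilege level 15 using the username <name> privilege 15 password <password> command or the username <name> privilege 15 secret <password> command. Prefer the secret form: it stores a hash of the password, whereas the password form leaves it in clear text in the configuration (the 0 in the show running-config output later in this section).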
Username/password combinations are credentials the network administrator should enter to connect to the SSH/SCP service via an SSH client. Additionally, the user you use to connect to the SCP server should be able to access privileged EXEC mode.
Step 6. Enable the SCP service using the ip scp server enable command.
In this example, we configure the SCP service and configure SSH on switch SW1 based on the following settings.
- Domain name: itskillbuilding.com
- RSA keys modulus: 3072
- SSH version: 2
- SSH authentication method: local user database.
- Privilege 15 user account: username is scp and password is CISCO.
SW1(config)# username scp privilege 15 password CISCO
SW1(config)#
SW1(config)# ip domain-name itskillbuilding.com
SW1(config)# crypto key generate rsa general-keys modulus 3072
SW1(config)# ip ssh version 2
SW1(config)#
SW1(config)# line vty 0 4
SW1(config-line)# login local
SW1(config-line)# exit
SW1(config)#
SW1(config)# ip scp server enable
The show ip ssh command output states that SSH version 2 has been enabled.
SW1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
The show running-config command indicates that the ip scp server enable command has been applied successfully.
SW1# show running-config | include scp
username scp password 0 CISCO
ip scp server enable
SW1#
To monitor and troubleshoot SCP connections, issue the debug ip scp command in enable mode.
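A quick audit of the resulting configuration, as an added example (not part of the original tutorial): it flags the clear-text password form used above, vty lines that do not require a per-user login, and vty lines not restricted to SSH. The vty 5 15 block in the sample, the function name and the finding codes are assumptions; the check also treats a vty block without an explicit transport input ssh as unrestricted, because the default differs between releases.

```python
import re

# Constructed sample: the SW1 settings from this tutorial as they would appear
# in a running-config, plus an untouched "line vty 5 15" block (assumption).
SW1_CONFIG = """\
hostname SW1
username scp privilege 15 password 0 CISCO
ip ssh version 2
ip scp server enable
line vty 0 4
 login local
line vty 5 15
 login
"""

def audit_scp_server(config):
    """Return (code, detail) findings for an IOS running-config with SCP enabled."""
    findings = []
    lines = config.splitlines()
    stripped = [l.strip() for l in lines]
    if "ip scp server enable" not in stripped:
        return findings                      # SCP server is off: nothing to audit
    if "ip ssh version 2" not in stripped:
        findings.append(("ssh-v2-not-enforced", "ip ssh version 2 is not set"))
    for l in stripped:
        m = re.match(r"username (\S+) .*?\bpassword ([07]) ", l)
        if m:                                # type 0 = clear text, 7 = reversible
            kind = "clear text" if m.group(2) == "0" else "reversible type 7"
            findings.append(("weak-password-storage",
                             f"user {m.group(1)}: {kind}; use 'secret'"))
    # Collect every "line vty" block together with its indented sub-commands.
    blocks, current = {}, None
    for l in lines:
        if l.startswith("line "):
            current = l.strip() if l.startswith("line vty") else None
            if current:
                blocks[current] = []
        elif current and l.startswith(" "):
            blocks[current].append(l.strip())
        elif not l.startswith(" "):
            current = None
    for name, cmds in blocks.items():
        if not any(c == "login local" or c.startswith("login authentication")
                   for c in cmds):
            findings.append(("vty-no-user-auth", name))
        if "transport input ssh" not in cmds:
            findings.append(("vty-not-ssh-only", name))
    return findings
```

Run against SW1_CONFIG, it reports the clear-text scp password, both vty blocks as not SSH-only, and vty 5 15 as lacking a per-user login.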
How To Backup a Cisco Router/Switch IOS Image Using an SCP Server
To back up a Cisco router/switch IOS image file using an SCP server, follow these easy steps:
Step 1. Configure an SCP server on a Cisco router/switch or on a separate machine. You can find lots of free SCP server apps on the Internet.
Step 2. Connect the Cisco router/switch directly or through another network device to the SCP server.
Step 3. Configure IP addresses on both the Cisco router/switch and the SCP server.
Router> enable
Router# conf t
Router(config)# hostname R1
R1(config)# interface gigabitethernet 0/0
R1(config-if)# ip address 10.0.0.1 255.255.255.0
R1(config-if)# no shutdown
Step 4. Ping the SCP server from the Cisco router/switch to check the connection between these network devices.
R1# ping 10.0.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 0/0/0 ms
Step 5. Initiate a CLI session to the Cisco router/switch via a console cable, Telnet, or SSH.
Step 6. In privileged EXEC mode, issue the show flash: command to display the list of Cisco IOS images stored in flash memory.
R1# show flash:
System flash directory:
File Length Name/status
3 33591768 c1900-universalk9-mz.SPA.151-4.M4.bin
2 28282 sigdef-category.xml
1 227537 sigdef-default.xml
[33847587 bytes used, 221896413 available, 255744000 total]
249856K bytes of processor board System flash (Read/Write)
Step 7. In enable mode, issue the copy flash: scp command to start backing up a Cisco router/switch IOS image file. In this example, we save the c1900-universalk9-mz.SPA.151-4.M4.bin file.
The copy command prompts for the name of the Cisco IOS image file to send to the SCP server, the name under which to store the image file on the SCP server, the IP address of the SCP server, and the name and password of a user account.
R1# copy flash: scp
Source filename []? c1900-universalk9-mz.SPA.151-4.M4.bin
Address or name of remote host []? 10.0.0.10
Destination username [R1]? scp
Destination filename [c1900-universalk9-mz.SPA.151-4.M4.bin]? c1900-universalk9-mz.SPA.151-4.M4-copy.bin
Writing c1900-universalk9-mz.SPA.151-4.M4-copy.bin
Password:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
33591768 bytes copied in 191.153 secs (175732 bytes/sec)
Step 8. Open the folder where the SCP server stores files in order to check that the router/switch’s image file is there.
How To Restore Cisco Router/Switch IOS Images Using an SCP Server
Here are the steps to restore a Cisco router/switch IOS image file from an SCP server:
Step 1. Install and set up an SCP server.
Step 2. Connect the Cisco router/switch directly or through another network device to the SCP server.
Step 3. Configure IP addresses on the router/switch and the SCP server.
Switch> enable
Switch# conf t
Switch(config)# hostname SW2
SW2(config)#
SW2(config)# interface vlan 1
SW2(config-if)# ip address 10.0.0.20 255.255.255.0
SW2(config-if)# no shutdown
Step 5. Ping the SCP server from the router/switch to verify that both devices can communicate.
SW2# ping 10.0.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 0/0/0 ms
Step 6. Connect to the Cisco router/switch’s CLI interface via a console cable, Telnet, or SSH.
Step 7. In enable mode, enter the copy scp flash: command to begin restoring a Cisco IOS image file. In this example, we download the 2960-lanbasek9-mz.151-2.SE4.bin file.
The copy command asks for the name of the Cisco IOS image file to copy from the SCP server, the name under which to store the image file in flash memory, the IP address of the SCP server, and a valid username/password pair.
SW2# copy scp flash:
Address or name of remote host []? 10.0.0.10
Source username [SW2]? scp
Source filename []? 2960-lanbasek9-mz.151-2.SE4.bin
Destination filename [2960-lanbasek9-mz.151-2.SE4.bin]? 2960-lanbasek9-mz.151-2.SE4-restored.bin
Password:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
4670455 bytes copied in 26.6069 secs (175535 bytes/sec)
Step 8. Display the content of the flash memory to verify that the Cisco IOS image file is there.
SW2# show flash:
Directory of flash:/
1 -rw- 4670455 2960-lanbasek9-mz.150-2.SE4.bin
2 -rw- 4670455 2960-lanbasek9-mz.151-2.SE4-restored.bin
64016384 bytes total (54675474 bytes free)
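Checking that a file is present (Step 8 of the backup procedure and Step 8 here) does not show that the copy is complete or unmodified. The following added example, which is not part of the original tutorial, runs on the machine holding the server-side copy: it parses show flash: output in both layouts shown on this page, compares the reported length with the file on disk, and returns digests to compare with the IOS verify /md5 command and the vendor's published hash. The function names and the returned dictionary keys are assumptions.

```python
import hashlib

# 'show flash:' output for SW2, copied from the restore example above.
SW2_FLASH = """\
Directory of flash:/
1 -rw- 4670455 2960-lanbasek9-mz.150-2.SE4.bin
2 -rw- 4670455 2960-lanbasek9-mz.151-2.SE4-restored.bin
64016384 bytes total (54675474 bytes free)
"""

def flash_lengths(show_flash):
    """Map file name -> length in bytes from 'show flash:' output.

    Handles both layouts on this page (router: index, length, name;
    switch: index, permissions, length, name) and tolerates date columns.
    """
    sizes = {}
    for line in show_flash.splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[0].isdigit():
            nums = [t for t in tok[1:-1] if t.isdigit()]
            if nums:                          # summary lines have no bare number
                sizes[tok[-1]] = int(nums[0])
    return sizes

def verify_image(show_flash, flash_name, server_path):
    """Compare the server-side copy with what the device reports in flash."""
    expected = flash_lengths(show_flash).get(flash_name)
    if expected is None:
        raise KeyError(f"{flash_name} not listed in show flash: output")
    md5, sha512, size = hashlib.md5(), hashlib.sha512(), 0
    with open(server_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            size += len(chunk)
            md5.update(chunk)
            sha512.update(chunk)
    return {"expected_bytes": expected, "actual_bytes": size,
            "size_ok": size == expected,
            "md5": md5.hexdigest(),           # compare with IOS 'verify /md5'
            "sha512": sha512.hexdigest()}     # compare with the vendor's published hash
```

A matching length only rules out truncation; treat the image as intact only when the digest also matches the value computed on the device or published by the vendor.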
If you want the switch to load the new image file upon the next reboot, issue the boot system command in switch configuration mode, save the configuration, and then reload the switch, as demonstrated in this example.
SW2(config)# boot system 2960-lanbasek9-mz.151-2.SE4-restored.bin
SW2(config)# end
SW2#
SW2# write
Building configuration...
[OK]
SW2# reload
Proceed with reload? [confirm]
C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)FX, RELEASE SOFTWARE (fc4)
Cisco WS-C2960-24TT (RC32300) processor (revision C0) with 21039K bytes of memory.
2960-24TT starting...
Base ethernet MAC Address: 00D0.97CB.6C64
Xmodem file system is available.
Initializing Flash...
flashfs[0]: 3 files, 0 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 64016384
flashfs[0]: Bytes used: 9341998
flashfs[0]: Bytes available: 54674386
flashfs[0]: flashfs fsck took 1 seconds.
...done Initializing Flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
Loading "flash:/2960-lanbasek9-mz.151-2.SE4-restored.bin"...
########################################################################## [OK]
Smart Init is enabled
omitted output
Troubleshooting Cisco IOS Image Backup and Restore Process using an SCP Server
When you try to back up or restore a Cisco IOS image file, whether it is for a switch or router, the procedure may fail for one of these reasons:
- The SCP service is not working.
- The SCP server is unreachable because of bad IP addressing on the client or the server side, or due to routing issues in the network.
- Bad credentials (username and password).
- Not enough user permissions.
- An ACL denies SCP packets between the SCP client and the SCP server.
Conclusion
I hope this blog post helps you learn something.