4.5 TFTP/FTP and Remote Access
Key Takeaways
- TFTP (Trivial File Transfer Protocol) uses UDP port 69 — simple, no authentication, used for IOS upgrades.
- FTP (File Transfer Protocol) uses TCP ports 20 (data) and 21 (control) — supports authentication and directory listing.
- SSH (port 22) is the secure replacement for Telnet (port 23) for remote device management.
- Always configure SSH instead of Telnet — Telnet sends credentials in plain text.
- SCP (Secure Copy Protocol) provides encrypted file transfer over SSH.
Last updated: March 2026
File Transfer Protocols
TFTP (Trivial File Transfer Protocol)
| Feature | Detail |
|---|---|
| Port | UDP 69 |
| Authentication | None |
| Features | Very simple — read/write files only |
| Use case | IOS image upgrades, config backup on trusted networks |
| Security | None — use only on management networks |
```
! Copy running config to TFTP server
Router# copy running-config tftp:
Address or name of remote host? 10.0.0.200
Destination filename? router1-config

! Copy IOS image from TFTP server
Router# copy tftp: flash:
Address or name of remote host? 10.0.0.200
Source filename? c2900-universalk9-mz.SPA.bin
```
FTP (File Transfer Protocol)
| Feature | Detail |
|---|---|
| Ports | TCP 21 (control), TCP 20 (data) |
| Authentication | Username/password |
| Features | Directory listing, file management |
| Use case | Large file transfers, IOS image management |
| Security | Credentials sent in clear text (use SFTP/SCP for security) |
```
Router(config)# ip ftp username admin
Router(config)# ip ftp password Secure123
Router# copy ftp: flash:
```
SCP (Secure Copy Protocol)
SCP provides encrypted file transfer over SSH (TCP port 22). Of the three file transfer options covered here, it is the most secure.
```
Router(config)# ip scp server enable
! Copy from PC to router using SCP
Router# copy scp: flash:
```
Remote Access — SSH Configuration
SSH (Secure Shell) provides encrypted remote access to network devices. It should always be used instead of Telnet.
Configuring SSH on a Cisco Device
```
! Step 1: Set hostname and domain name (required for RSA key generation)
Router(config)# hostname R1
R1(config)# ip domain-name example.com
! Step 2: Generate RSA key pair
R1(config)# crypto key generate rsa modulus 2048
! Step 3: Configure SSH version 2
R1(config)# ip ssh version 2
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 3
! Step 4: Configure VTY lines for SSH only
R1(config)# line vty 0 15
! SSH only (block Telnet)
R1(config-line)# transport input ssh
! Use local username/password
R1(config-line)# login local
! Step 5: Create local user account
R1(config)# username admin privilege 15 secret SecurePass123
```
SSH vs. Telnet
| Feature | SSH | Telnet |
|---|---|---|
| Port | TCP 22 | TCP 23 |
| Encryption | Yes (full session) | None (plain text) |
| Authentication | Username/password + key | Username/password |
| Security | Strong | Insecure — avoid |
On the Exam: Know how to configure SSH: hostname + domain name → generate RSA keys → configure VTY lines for SSH. The "transport input ssh" command restricts VTY lines to SSH only. If Telnet is allowed, it is a security vulnerability.
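The SSH steps above can be checked against a saved configuration. The following Python audit is an added example, not part of the original guide: the function name `audit_remote_access`, the sample config, and the choice to flag a VTY block with no `transport input` line are assumptions made for illustration.

```python
import re

# Constructed sample running-config (not from a real device): the first VTY
# block follows the steps above, the second still accepts Telnet.
SAMPLE_CONFIG = """\
hostname R1
ip domain-name example.com
ip ssh version 2
username admin privilege 15 secret 9 $9$constructed-hash
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 login
"""

def audit_remote_access(config: str) -> list:
    """Return findings for the remote-access settings covered in this section."""
    findings = []
    lines = config.splitlines()
    # Both spellings of the domain command are accepted ("domain-name" / "domain name").
    if not any(re.match(r"ip domain[- ]name \S+", l) for l in lines):
        findings.append("no ip domain-name (needed before RSA key generation)")
    if not any(l.strip() == "ip ssh version 2" for l in lines):
        findings.append("ip ssh version 2 not set")
    if not any(re.match(r"username \S+ .*\bsecret\b", l) for l in lines):
        findings.append("no local user defined with 'secret'")
    # Split the config into VTY blocks: a header line plus its indented sub-commands.
    vty, blocks = None, {}
    for l in lines:
        if l.startswith("line vty"):
            vty = l.strip()
            blocks[vty] = []
        elif l.startswith(" ") and vty:
            blocks[vty].append(l.strip())
        else:
            vty = None
    for name, cmds in blocks.items():
        transport = next((c.split()[2:] for c in cmds if c.startswith("transport input")), None)
        if transport != ["ssh"]:
            shown = " ".join(transport) if transport else "platform default"
            findings.append(f"{name}: transport input is '{shown}', expected 'ssh' only")
        if "login local" not in cmds:
            findings.append(f"{name}: 'login local' missing")
    return findings

if __name__ == "__main__":
    for finding in audit_remote_access(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Each VTY range is checked separately because a device can have `line vty 0 4` restricted to SSH while `line vty 5 15` still accepts Telnet.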
Test Your Knowledge
Which protocol uses UDP port 69 and provides no authentication?
Test Your Knowledge
What is the first step when configuring SSH on a Cisco router?