Transferring Files
You may need to transfer files between the following locations:
There are two ways of transferring files: using the copy command and using the system's FTP server. Table 4-5 shows the types of files that you can transfer between the locations using the copy command, which activates a hidden FTP client on the ERX system.
The system's FTP server allows the transfer of files between a network host and the user space. When a firewall separates the ERX system from the network host, you must use the FTP server to transfer files to the user space. You can then install the files from the user space to the system space using the copy command. However, if there is no firewall between the ERX system and the network host, you can use the copy command or the FTP server to transfer files.
For example, you can transfer a file from a network host to an ERX system through FTP, and then transfer the file through the copy command from the ERX system to other ERX systems. See Figure 4-1.
Using the copy Command
Table 4-5 shows the types of files that you can transfer between the locations by using the copy command.
Table 4-5 File types you can transfer using the copy command
To transfer files using the copy command between the system space and a network host:
- Check whether there is a route to the network host, and create one if necessary. See ERX Routing Protocols Configuration Guide, Vol. 1, Chapter 2, Configuring IP.
- Configure the network host as an FTP server.
Note: The copy command runs in the context of the current virtual router (VR) rather than the default VR. You must configure the FTP server so that traffic destined for that VR can reach it; typically, you configure the FTP server to reach the default address of the ERX system, which can always reach the VR.
- Add the FTP server to the static host table, so that the ERX system can access the network host.
- (Optional) Specify a source interface to use in FTP packets leaving the router.
- Copy the files.
copy
Note: You cannot copy script (.scr) or macro (.mac) files while in Boot mode; you can copy only .cnf, .hty, and .rel files. If you issue the dir command from Boot mode, existing .scr and .mac files are not displayed.
- See Table 4-1 for the types of files you can copy.
- Specify a network path to copy to or from another device on the network.
- Specify the incoming or outgoing directory to copy to or from the user space.
- Specify a subdirectory name to create a subdirectory within the incoming or outgoing directory in the user space.
- You cannot use wildcards.
- You cannot create or copy over files generated by the system; however, you can copy such files to an unreserved filename.
- Examples
host1#copy host1:westford.cnf boston.cnf
host1#copy /incoming/releases/2-8-0a3-7.rel 2-8-0a3-7.rel
host
- Use to add or modify an entry in the host table.
- Specify the number 8 before the user name and before the password to store these values in encrypted form in the configuration. By default, the user name and password are stored unencrypted. This protects only the saved configuration: FTP as defined in RFC 959 sends the user name, the password, and the file contents in cleartext across the network.
- This command makes files on the network host accessible to the copy command under the host name you assign.
- Example
host1(config)#host westford 10.10.8.7 ftp 8 user25 8 kxu83m41
ip ftp source-address
- Use to specify an operational interface by IP address as the source interface for FTP packets sent by the system's FTP client.
- This command overrides a setting you configured previously with the ip ftp source-interface command.
- If you issue this command, the output of the show configuration command includes an entry of the following format:
ip ftp source-address ipAddress
This entry also appears in the output if you delete an interface or change its IP address after issuing the ip ftp source-interface command, in which case the IP address shown is the one the interface had when you issued the ip ftp source-interface command.
- Example
host1(config)#ip ftp source-address 10.10.5.21
- Use the no version to restore the default, in which the source address in the FTP packets is that of the interface where the FTP connection is made.
ip ftp source-interface
- Use to specify an operational interface by interface type and location as the source interface for FTP packets sent by the system's FTP client.
- The interface you specify must have an IP address.
- This command overrides a setting you configured previously with the ip ftp source-address command.
- If you issue this command and the interface is valid, the output of the show configuration command includes an entry of the following format:
ip ftp source-interface interfaceType interfaceSpecifier
For information about interface types and specifiers, see ERX Command Reference Guide, About This Guide.
- If you delete the interface or change its IP address, the output of the show configuration command appears as if you had entered the ip ftp source-address command:
ip ftp source-address ipAddress
- Example
host1(config)#ip ftp source-interface loopback1
- Use the no version to restore the default, in which the source address in the FTP packets is that of the interface where the FTP connection is made.
Configuring the FTP Server
To transfer files by the system's FTP server, you must configure the FTP server and ensure that FTP client software is installed on the network host.
Although you can transfer any type of file by FTP to the ERX system, the principal aim of this feature is to allow the transfer of system files to NVS. You can transfer files by FTP to the user space. You can then install files from the user space onto the system using the copy command. It is not possible to access the system files directly through FTP operations.
FTP sessions on the ERX system use the vty lines. The ERX system divides its vty resources among Telnet, SSH, and FTP services; each FTP session occupies one vty line for as long as it is open. The FTP service uses the host access lists and the authentication method configured for the vty lines. Because the three services draw on the same pool, open FTP sessions reduce the number of lines available for interactive Telnet and SSH management; size the vty range so that FTP transfers cannot exhaust it.
Features
The system supports the following FTP features:
- Compliance with RFC 959 - File Transfer Protocol (FTP) (October 1985)
- FTP passive mode
- Efficient NVS organization
- User authentication by RADIUS or password checking
FTP Passive Mode
Normally, when a client connects to an FTP server, the client establishes the control channel with the server and tells the server (with a PORT command) which client address and port to use for data; the server then opens the data channel to the client. When the FTP client and server are on opposite sides of a firewall that prohibits inbound connections to the client side, the server cannot open that data channel.
FTP passive mode overcomes this limitation. In passive mode, the client opens the control channel to the server, tells the server (with a PASV command) that it wants to operate in passive mode, receives the address and port on which the server is listening, and opens the data channel to the server itself. Both the control channel and the data channel are then opened from the client side and pass through the firewall in the allowed direction.
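The exchange above, as an added example that is not part of the original ERX documentation: a small Python module that parses the server's 227 passive-mode reply into the address and port the client must connect to, builds the active-mode PORT command for comparison, and adds one check a hardened client should make: it refuses a passive-mode reply whose address differs from the host the control channel is connected to. The sample replies and the addresses in them are constructed for the example.

```python
import ipaddress
import re

# Constructed sample server replies (not taken from the ERX documentation).
PASV_REPLY_OK = "227 Entering Passive Mode (10,10,8,7,195,149)"
# A reply that points the data channel at a different host than the one the
# control channel is connected to; a well-behaved client refuses it.
PASV_REPLY_REDIRECT = "227 Entering Passive Mode (192,168,99,1,4,1)"

_PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Parse an RFC 959 '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.

    In passive mode the server picks an address and a port and the client
    connects to them for the data channel. The port is p1 * 256 + p2.
    """
    m = _PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("server offered data port 0")
    return host, port


def build_port_command(host: str, port: int) -> str:
    """Build the active-mode PORT command.

    In active mode the client listens on host:port and tells the server
    where to connect; the server then opens the data channel towards the
    client, which a firewall that blocks inbound connections will drop.
    """
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}"


def passive_data_endpoint(reply: str, control_peer: str) -> tuple[str, int]:
    """Decide where to open the passive-mode data channel.

    Added hardening check (not something RFC 959 requires): the address in
    the 227 reply must be the host the control channel is connected to. A
    server, or something in the path, that hands back a different address
    would redirect the data channel, so the file you upload or download
    would go to or come from a third party.
    """
    host, port = parse_pasv_reply(reply)
    if ipaddress.IPv4Address(host) != ipaddress.IPv4Address(control_peer):
        raise ConnectionError(
            f"PASV reply offers {host}:{port} but control peer is {control_peer}"
        )
    return host, port


if __name__ == "__main__":
    print(passive_data_endpoint(PASV_REPLY_OK, "10.10.8.7"))
    print(build_port_command("10.10.0.64", 50069))
```

In active mode it is the server that connects to the address named in the client's PORT command, which is why a client-side firewall that blocks inbound connections breaks the transfer; in passive mode both connections originate at the client. The address check matters because nothing in RFC 959 stops a server from naming a third host in its 227 reply.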
Configuring Authentication
Before you enable the FTP server, configure the authentication procedure for the vty lines, as follows:
- Configure host access lists.
- Configure user authentication methods.
- Configure the vty lines to use the host access lists and user authentication methods.
You can specify authentication by a RADIUS server or by password checking. If you choose no authentication service, any client that the host access lists admit can log in to the FTP server and read or write the user space. Because FTP sends credentials and file contents in cleartext, the host access lists and the authentication method are the only controls on who reaches the user space, so configure both before you enable the server. For information about authentication on vty lines, see Chapter 6, Passwords and Security.
Configuration Tasks
FTP is disabled by default. You must enable the FTP server with the ftp-server enable command before the system allows FTP clients to connect.
ftp-server enable
- Use to enable the FTP server and to monitor the FTP port for attempts to connect to the FTP server.
- You can enable the FTP server on the default virtual router only.
- Example
host1(config)#ftp-server enable
Configuration Example
Figure 4-2 shows the scenario for this configuration example.
In this example, two FTP lines are required for administrators on the data center subnet, and two more lines are required for users on the POP subnet. The system verifies passwords of administrators on the data center subnet through either a RADIUS server or through simple line authentication if the RADIUS server is unreachable. However, the system verifies passwords of users on the POP subnet only through the RADIUS server.
The following example shows all steps for configuring this scenario, from specifying a RADIUS server to enabling the FTP line:
- Specify the RADIUS server.
host1(config)#radius authentication server 10.6.131.51
host1(config-radius)#key abc123
host1(config-radius)#udp-port 1645
- Configure two access lists; one named "DataCenter," permitting only the data center subnet, and one named "Pops," permitting only the POP subnet.
host1(config)#access-list DataCenter permit 10.6.128.0 255.255.128.0
host1(config)#access-list DataCenter deny any
host1(config)#access-list Pops permit 199.125.128.0 255.255.128.0
host1(config)#access-list Pops deny any
- Enable AAA and define two login authentication methods: "RadiusAndLine," which falls back to the line password when the RADIUS server is unreachable, and "RadiusOnly," which does not.
host1(config)#aaa new-model
host1(config)#aaa authentication login RadiusAndLine radius line
host1(config)#aaa authentication login RadiusOnly radius
- Assign the access lists and authentication methods to the vty lines.
host1(config)#line vty 0 1
host1(config-line)#password foobar
host1(config-line)#access-class DataCenter in
host1(config-line)#login authentication RadiusAndLine
host1(config)#line vty 2 4
host1(config-line)#password foobar
host1(config-line)#access-class Pops in
host1(config-line)#login authentication RadiusOnly
- Enable the FTP server.
host1(config)#ftp-server enable
Monitoring the FTP Server
Use the dir command to monitor files on the FTP server. Use the show ftp-server and show users commands to monitor settings of the FTP server.
show ftp-server
- Use to display the state of the FTP server and statistics about connection attempts.
- Field descriptions
- FTP Server state - status of the FTP server: enabled or disabled
- Open connections - number of open connections to the FTP server
- Statistics since server was last started - data about the connection attempts since you enabled the FTP server
- Statistics since last system reload - data about the connection attempts since you last booted the system
- attempts - number of attempts to connect
- failed hosts - number of connection attempts that failed because of disallowed host addresses
- failed users - number of connection attempts that failed because users were not authenticated
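As an added example of turning these counters into a detection (not part of the original documentation), the Python below parses show ftp-server output into a record and compares two polls. The first sample is the output shown in this section; the second poll is constructed to show a burst of authentication failures. The alert threshold and the idea of polling at an interval are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Sample taken from the show ftp-server example in this section.
SHOW_FTP_SERVER_T0 = """\
FTP Server state: enabled, 0 open connections
Statistics since server was last started:
attempts: 32
failed hosts: 5
failed users: 7
Statistics since last system reload:
attempts: 35
failed hosts: 5
failed users: 8
"""

# Constructed (hypothetical) second poll of the same command a few minutes
# later, showing a burst of authentication failures.
SHOW_FTP_SERVER_T1 = """\
FTP Server state: enabled, 1 open connections
Statistics since server was last started:
attempts: 80
failed hosts: 5
failed users: 53
Statistics since last system reload:
attempts: 83
failed hosts: 5
failed users: 54
"""


@dataclass(frozen=True)
class Counters:
    attempts: int
    failed_hosts: int  # rejected by the vty access class before any login
    failed_users: int  # reached the login and failed authentication


@dataclass(frozen=True)
class FtpServerStatus:
    enabled: bool
    open_connections: int
    since_start: Counters
    since_reload: Counters


_STATE_RE = re.compile(
    r"^FTP Server state:\s*(enabled|disabled),\s*(\d+) open connections?$"
)
_COUNTER_RE = re.compile(r"^(attempts|failed hosts|failed users):\s*(\d+)$")


def parse_show_ftp_server(text: str) -> FtpServerStatus:
    """Parse the output of 'show ftp-server' into a structured record."""
    enabled = None
    open_connections = 0
    sections: dict[str, dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _STATE_RE.match(line)
        if m:
            enabled = m.group(1) == "enabled"
            open_connections = int(m.group(2))
            continue
        if line.startswith("Statistics since server was last started"):
            current = sections.setdefault("start", {})
            continue
        if line.startswith("Statistics since last system reload"):
            current = sections.setdefault("reload", {})
            continue
        m = _COUNTER_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2))
    if enabled is None or set(sections) != {"start", "reload"}:
        raise ValueError("unrecognised show ftp-server output")

    def to_counters(d: dict[str, int]) -> Counters:
        return Counters(d["attempts"], d["failed hosts"], d["failed users"])

    return FtpServerStatus(enabled, open_connections,
                           to_counters(sections["start"]),
                           to_counters(sections["reload"]))


def new_failures(before: FtpServerStatus, after: FtpServerStatus) -> Counters:
    """Counter growth between two polls, using the since-reload counters.

    The since-start counters reset whenever the FTP server is restarted, so
    the since-reload set is the steadier baseline. If any counter went
    backwards, the system reloaded in between and the later absolute
    values are taken as the growth.
    """
    b, a = before.since_reload, after.since_reload
    if (a.attempts < b.attempts or a.failed_hosts < b.failed_hosts
            or a.failed_users < b.failed_users):
        return a
    return Counters(a.attempts - b.attempts,
                    a.failed_hosts - b.failed_hosts,
                    a.failed_users - b.failed_users)


def auth_failure_alert(before: FtpServerStatus, after: FtpServerStatus,
                       max_failed_users: int) -> bool:
    """True when more than max_failed_users logins were rejected between polls."""
    return new_failures(before, after).failed_users > max_failed_users
```

The failed hosts counter moves when a source address is rejected by the vty access class; failed users moves only when a connection passed the access list and then failed the login. A rising failed users count from inside the permitted subnets is what password guessing against the line password or the RADIUS accounts looks like, which is why the alert keys on that counter rather than on total attempts.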
- Example
host1#show ftp-server
FTP Server state: enabled, 0 open connections
Statistics since server was last started:
attempts: 32
failed hosts: 5
failed users: 7
Statistics since last system reload:
attempts: 35
failed hosts: 5
failed users: 8
show users
- Use to display information about users of the vty lines.
- Specify the detail keyword to view detailed information.
- Field descriptions
- line number - number of the line to which the user is connected
- line name - name of the line and the service the line offers
- user - name of the user
- connected from - location or IP address of the user
- connected since - date and time that the user connected to the line
- Example
host1#show users
  line                              connected
number line name       user   from         connected since
------ --------------  -----  -----------  ----------------
0*     console 0              console      02/12/2001 19:57
4      vty 3 (ftp)     fred   10.10.0.64   02/12/2001 20:04
5      vty 4 (telnet)         10.10.0.64   02/12/2001 20:04
Note: '*' indicates current user.
Copying Partial Releases
You can shorten the time it takes to copy a release from a server and reduce the amount of storage needed for a release. At the default setting, all subsystems are included when you copy a release from a server. Use the exclude-subsystem command to specify subsystems that you do not want to copy from the server. Use the show subsystems command to verify which files are included and excluded when you copy a release from a server. Follow this example:
host1#show subsystems file m:/x/images/x-y-z.rel
host1(config)#exclude-subsystem ct1
host1(config)#exclude-subsystem coc12
host1(config)#exclude-subsystem oc12s
host1(config)#no exclude-subsystem oc12s
host1#show subsystems file x8.rel
host1#show configuration
...
exclude-subsystem ct1
exclude-subsystem coc12
- (Optional) Determine whether the currently running software is a result of a copy with excluded subsystems. The word "Partial" indicates that subsystems were excluded.
host1#show version
Juniper Networks, Inc. Operating System Software
Copyright (c) 200X Juniper Networks, Inc. All rights reserved.
System Release: x-y-z.rel Partial
exclude-subsystem
- Use to exclude any subsystems that are in a release that you do not need for the system configuration.
- Example
host1(config)#exclude-subsystem ct1
- The subsystems that you indicate are added to the "exclude list." All subsequent release copies will exclude the images for these subsystems from the release copy.
- Example
host1(config)#no exclude-subsystem ct1
- Use the no version of this command with the subsystem name to remove a subsystem from the exclude list. Use the no version of this command without a subsystem name to remove all subsystems from the exclude list.
show subsystems
- Use to determine which subsystems are included in the current software release on the system or in a specified software release file.
- Specify either a local filename or remote path and filename to view the subsystems that are included in a software release file other than the current software release on the system.
- Field descriptions
- Required - number of bytes of data for the required portion of the release
- Included Subsystems - number of bytes of data for the included subsystems listed. All included subsystems in the release are listed.
- Excluded Subsystems - number of bytes of data for the excluded subsystems listed. All excluded subsystems in the release are listed.
- Use the command before you copy a release to verify which subsystems are present in the release.
- Example
host1#show subsystems file m:/x/images/x-y-z.rel
oc3
ct3
ut3
fut3a
ct1
dpfe
oc12p
oc12a
gefe8
coc12
oc12s
- Use the command after copying a release to verify which subsystems are included and excluded.
- Example
host1#show subsystems file x8.rel
Required: 1423005 bytes
Included Subsystems: 27882192 bytes
ct3
ut3
fut3a
dpfe
oc12p
oc12a
gefe8
coc12
oc12s
Excluded Subsystems: 6840211 bytes
oc3
ct1