Transferring Files

You may need to transfer files between the following locations:

• System space
• User space
• Network host
• Standby SRP module

There are two ways of transferring files: using the copy command and using the system's FTP server. Table 26 shows the types of files that you can transfer between the locations using the copy command, which activates a hidden FTP client on the E-series router.

The system's FTP server allows the transfer of files between a network host and the user space. When a firewall separates the E-series router from the network host, you must use the FTP server to transfer files to the user space. You can then install the files from the user space to the system space using the copy command. However, if there is no firewall between the E-series router and the network host, you can use the copy command or the FTP server to transfer files.

For example, you can transfer a file from a network host to an E-series router through FTP, and then transfer the file through the copy command from the E-series router to other E-series routers. See Figure 25.

Figure 25: Transferring System Files to the E-series Router

Using the copy Command

Table 26 shows the types of files that you can transfer between the locations by using the copy command.

 Table 26:  File Types You Can Transfer Using the copy Command 

 

 Destination
 Source
 

 System

 User Space
 (linked files and unlinked files)

 Network Host Within a Firewall

 Standby SRP Module


 System

 *.cnf
 *.hty (excluding reboot.hty)
 *.log (excluding system.log)
 *.mac
 *.scr
 *.txt

 *.cnf
 *.hty
 *.log
 *.mac
 *.pub
 *.scr
 *.txt

 *.cnf
 *.dmp
 *.hty
 *.log
 *.mac
 *.pub
 *.scr
 *.sts
 *.txt

 None


 User Space

 *.cnf
 *.mac
 *.rel
 *.scr
 *.txt

 *.cnf
 *.hty
 *.log
 *.mac
 *.pub
 *.rel
( *.rel file only, not files associated with the *.rel file)
 *.scr
 *.txt
 Nonsystem files

 None

 None


 Network Host Within a Firewall

 *.cnf
 *.mac
 *.rel
 *.scr
 *.txt

 None

 None

 None


 Standby SRP Module

 system.log
 reboot.hty

 system.log
 reboot.hty
 *.dmp

 system.log
 reboot.hty
 *.dmp

 None



 

To transfer files using the copy command between the system space and a network host:

1. Check whether there is a route to the network host, and create one if necessary. See JUNOSe Routing Protocols Configuration Guide, Vol. 1, Chapter 5, Configuring IP.
2. Configure the network host as an FTP server.
   

   NOTE: This command takes place in the context of the current virtual router (VR) rather than the default VR. You must configure the FTP server so that any traffic destined for the VR can reach the VR; typically, you configure the FTP server to reach the default address of the E-series router, which will always be able to reach the VR.

   
   
3. Add the FTP server to the static host table, so that the E-series router can access the network host.
4. (Optional) Specify a source interface to use in FTP packets leaving the router.
5. Copy the files.

copy

• Use to copy a file from one location to another.
  

  NOTE: You cannot copy script (.scr) or macro (.mac) files while in Boot mode. You can copy only .cnf, .hty, and .rel files. If you issue the dir command from Boot mode, existing .scr and .mac files are not displayed.

  
  
• See Table 26 for the types of files that you can copy.
• Specify a network path to copy to or from another device on the network.
• Specify the incoming or outgoing directory to copy to or from the user space.
• Specify a subdirectory name to create a subdirectory within the incoming or outgoing directory in the user space.
• You cannot use wildcards.
• You cannot create or copy over files generated by the system; however, you can copy such files to an unreserved filename.
• Examples

host1#copy host1:westford.cnf boston.cnf

host1#copy /incoming/releases/2-8-0a3-7.rel 2-8-0a3-7.rel

• There is no no version.

host

• Use to add or modify an entry to the host table.
• Specify the number 8 before the user name and before the password to encrypt these values. By default, the user name and password are not encrypted.
• This command supports both IPv4 and IPv6 address formats.
• This command allows network files to be accessible from a host.
• Example

host1(config)#host westford 10.10.8.7 ftp 8 user25 8 kxu83m41

• Use the no version to remove a specified host.

ip ftp source-address

• Use to specify an operational interface by IP address as the source interface for FTP packets sent by the system's FTP client.
• This command overrides a setting you configured previously with the ip ftp source-interface command.
• If you issue this command, the output of the show configuration command includes an entry of the following format:

ip ftp source-address ipAddress

• ipAddress—IP address of the interface

This entry also appears in the output if you delete an interface or change its IP address after issuing the ip ftp source-interface command, in which case the IP address is the one that was configured on the interface before you issued the ip ftp source-interface command

• Example

host1(config)#ip ftp source-address 10.10.5.21

• Use the no version to restore the default, in which the source address in the FTP packets is that of the interface where the FTP connection is made.

ip ftp source-interface

• Use to specify an operational interface by interface type and location as the source interface for FTP packets sent by the system's FTP client.
• The interface you specify must have an IP address.
• This command overrides a setting you configured previously with the ip ftp source-address command.
• If you issue this command and the interface is valid, the output of the show configuration command includes an entry of the following format:

ip ftp source-interface interfaceType interfaceSpecifier

• interfaceType—Type of interface
• interfaceSpecifier—Location of the interface

For information about interface types and specifiers, see JUNOSe Command Reference Guide, About This Guide.

• If you delete the interface or change its IP address, the output of the show configuration command appears as if you had entered the ip ftp source-address command:

ip ftp source-address ipAddress

• ipAddress—IP address of the interface when you issued the ip ftp source-interface command

• Example

host1(config)#ip ftp source-interface loopback1

• Use the no version to restore the default, in which the source address in the FTP packets is that of the interface where the FTP connection is made.

Configuring the FTP Server

To transfer files by the system's FTP server, you must configure the FTP server and ensure that FTP client software is installed on the network host.

Although you can transfer any type of file by FTP to the E-series router, the principal aim of this feature is to allow the transfer of system files to NVS. You can transfer files by FTP to the user space. You can then install files from the user space onto the system using the copy command. It is not possible to access the system files directly through FTP operations.

FTP sessions on the E-series router use the vty lines. The E-series router divides its vty resources between Telnet, SSH, and FTP services. Each FTP session requires one vty line. The FTP service uses the authentication method configured for the vty lines.

Features

The system supports the following FTP features:

• Compliance with RFC 959—File Transfer Protocol (FTP) (October 1985)
• FTP passive mode
• Efficient NVS organization
• User authentication by RADIUS or password checking

FTP Passive Mode

Normally, when a client connects to an FTP server, the client establishes the control channel with the server, and the server responds by opening a data channel to the client. However, when the FTP client and server are on opposite sides of a firewall that prohibits inbound FTP connections, the server cannot open a data channel to the client.

FTP passive mode overcomes this connection limitation. In passive mode, the client opens a control channel to the server, tells the server it wants to operate in passive mode, and opens the data channel to the server. This method of establishing the FTP connection allows both the control channel and the data channel to pass through the firewall in the allowed direction.

Configuring Authentication

Before you enable the FTP server, configure the authentication procedure for the vty lines, as follows:

1. Configure host access lists.
2. Configure user authentication methods.
3. Configure the vty lines to use the host access lists and user authentication methods.

You can specify authentication by a RADIUS server or by password checking. If you choose no authentication service, any client can access the FTP server. For information about authentication on vty lines, see
Chapter 7, Passwords and Security.

Configuration Tasks

FTP is disabled by default. You must enable the FTP server with the ftp-server enable command before the system allows FTP clients to connect.

ftp-server enable

• Use to enable the FTP server and to monitor the FTP port for attempts to connect to the FTP server.
• You can enable the FTP server on the default virtual router only.
• Example

host1(config)#ftp-server enable

• Use the no version to terminate current FTP sessions and to disable the FTP server.

Configuration Example

Figure 26 shows the scenario for this configuration example.

Figure 26: FTP Configuration Example

In this example, two FTP lines are required for administrators on the data center subnet, and two more lines are required for users on the POP subnet. The system verifies passwords of administrators on the data center subnet through either a RADIUS server or through simple line authentication if the RADIUS server is unreachable. However, the system verifies passwords of users on the POP subnet only through the RADIUS server.

The following example shows all steps for configuring this scenario, from specifying a RADIUS server to enabling the FTP line:

1. Configure the RADIUS server.

host1(config)#radius authentication server 10.6.131.51

host1(config-radius)#key abc123

host1(config-radius)#udp-port 1645

2. Configure two access lists; one named "DataCenter," permitting only the data center subnet, and one named "Pops," permitting only the POP subnet.

host1(config)#access-list DataCenter permit 10.6.128.0 255.255.128.0

host1(config)#access-list DataCenter deny any

host1(config)#access-list Pops permit 199.125.128.0 255.255.128.0

host1(config)#access-list Pops deny any

3. Configure two authentication method lists, named "RadiusAndLine" and "RadiusOnly."

host1(config)#aaa new-model

host1(config)#aaa authentication login RadiusAndLine radius line

host1(config)#aaa authentication login RadiusOnly radius

4. Configure two FTP lines to be used by data center administrators.

host1(config)#line vty 0 1

host1(config-line)#password foobar

host1(config-line)#access-class DataCenter in

host1(config-line)#login authentication RadiusAndLine

5. Configure the remaining FTP lines to be used by POP administrators.

host1(config)#line vty 2 4

host1(config-line)#password foobar

host1(config-line)#access-class Pops in

host1(config-line)#login authentication RadiusOnly

6. Enable the FTP server.

host1(config)#ftp-server enable

Monitoring the FTP Server

Use the dir command to monitor files on the FTP server. Use the show ftp-server and show users commands to monitor settings of the FTP server.

show ftp-server

• Use to display information about the FTP server.
• Field descriptions

• FTP Server state—Status of the FTP server: enabled or disabled
• Open connections—Number of open connections to the FTP server
• Statistics since server was last started—Data about the connection attempts since you enabled the FTP server
• Statistics since last system reload—Data about the connection attempts since you last booted the system

• attempts—Number of attempts to connect
• failed hosts—Number of connection attempts that failed because of disallowed host addresses
• failed users—Number of connection attempts that failed because users were not authenticated

• Example

host1#show ftp-server

FTP Server state: enabled, 0 open connections

Statistics since server was last started:

        attempts: 32

        failed hosts: 5

        failed users: 7

Statistics since last system reload:

        attempts: 35

        failed hosts: 5

        failed users: 8

show users

• Use to display information about users of the vty lines.
• Specify the all keyword to view information for all configured lines (both connected and not connected).
• Specify the detail keyword to view detailed information.
• Field descriptions

• line number—Number of the line to which the user is connected
• line name—Name of the line, the service the line offers, and the relative line number
• user—Name of the user
• connected from—Location or IP address of the user
• connected since—Date and time that the user connected to the line
• idle time—Amount of time it has been since an entry was made from this line (detail only)
• virtual router—Virtual router used by this line user (detail only)
• privilege level—Privilege level of this line user (detail only)
• current command—The command currently being executed by the user over this line (detail only)

• Example 1

host1#show users

 line                             connected

number     line name      user       from      connected since

------   --------------   -----   ----------   ----------------

0*       console 0                console      02/12/2001 19:57

4        vty 3 (ftp)      fred    10.10.0.64   02/12/2001 20:04

5        vty 4 (telnet)           10.10.0.64   02/12/2001 20:04

Note: '*' indicates current user.

• Example 2

host1#show users detail

 line                             connected                          idle

number     line name      user       from       connected since      time

------   --------------   ----   ------------   ----------------   --------

0        console 0               console        08/14/2003 08:01   00:23:50

1*       vty 0 (telnet)          10.10.120.90   08/15/2003 10:37

 line    virtual   privilege

number   router      level      current command

------   -------   ---------   -----------------

0        default   10

1*       default   10          show users detail

Note: '*' indicates current user. 

Copying Partial Releases

You can shorten the time it takes to copy a release from a server and reduce the amount of storage needed for a release. At the default setting, all subsystems are included when you copy a release from a server. Use the exclude-subsystem command to specify subsystems that you do not want to copy from the server. Use the show subsystems command to verify which files are included and excluded when you copy a release from a server. Follow this example:

1. Determine which subsystems are included in the release on the server.

host1#show subsystems file m:/x/images/x-y-z.rel

2. Exclude any subsystems in the release that you do not need for the configuration.

host1#(config)#exclude-subsystem ct1

host1#(config)#exclude-subsystem coc12

host1#(config)#exclude-subsystem oc12s

3. (Optional) Remove a subsystem from the exclude list.

host1#(config)#no exclude-subsystem oc12s

4. (Optional) Verify the subsystems that will be included and excluded in future release copies.

host1#show configuration

...

exclude-subsystem ct1

exclude-subsystem coc12

5. (Optional) After copying a release, view which subsystems were excluded.

host1#show subsystems file x8.rel

6. (Optional) Determine whether the currently running software is a result of a copy with excluded subsystems. The word "Partial" indicates that subsystems were excluded.

host1#show version

Juniper Networks, Inc. Operating System Software

Copyright (c) 200X Juniper Networks, Inc. All rights reserved.

System Release: x-y-z.rel Partial

exclude-subsystem

• Use to exclude any subsystems that are in a release that you do not need for the system configuration.
• Example

host1(config)#exclude-subsystem ct1

• The subsystems that you indicate are added to the "exclude list." All subsequent release copies will exclude the images for these subsystems from the release copy.
• Example

host1(config)#no exclude-subsystem ct1

• Use the no version of this command with the subsystem name to remove a subsystem from the exclude list. Use the no version of this command without a subsystem name to remove all subsystems from the exclude list.

show subsystems

• Use to determine which subsystems are included in the current software release on the system or in a specified software release file.
• Specify either a local filename or remote path and filename to view the subsystems that are included in a software release file other than the current software release on the system.
• Field descriptions

• Required—Number of bytes of data for the required portion of the release
• Included Subsystems—Number of bytes of data for the included subsystems listed. All included subsystems in the release are listed.
• Excluded Subsystems—Number of bytes of data for the excluded subsystems listed. All excluded subsystems in the release are listed.

• Use the command before you copy a release to verify which subsystems are present in the release.
• Example

host1#show subsystems file m:/x/images/x-y-z.rel

oc3

ct3

ut3f

ut3a

ct1

dpfe

oc12p

oc12a

ge

fe8

coc12

oc12s

• Use the command after copying a release to verify which subsystems are included and excluded.
• Example

host1#show subsystems file x8.rel

Required:     1423005      bytes

Included Subsystems:  27882192  bytes

ct3

ut3f

ut3a

dpfe

oc12p

oc12a

ge

fe8

coc12

oc12s

Excluded Subsystems:  6840211   bytes

oc3

ct1