
    FTP Server

    This topic describes the following:

    FTP Server Configuration Overview

    To transfer files using the system’s FTP server, you must configure the FTP server and ensure that FTP client software is installed on the network host.

    Although you can transfer any type of file by FTP to the E Series router, the principal aim of this feature is to allow the transfer of system files to nonvolatile storage (NVS). You can transfer files by FTP to the user space. You can then install files from the user space onto the system using the copy command. It is not possible to access the system files directly through FTP operations.

    FTP sessions on the E Series router use the virtual terminal (vty) lines. The E Series router divides its vty resources between Telnet, SSH, and FTP services. Each FTP session requires one vty line. The FTP service uses the authentication method configured for the vty lines.

    Features

    The system supports the following FTP features:

    • Compliance with RFC 959—File Transfer Protocol (FTP) (October 1985)
    • FTP passive mode
    • Efficient NVS organization
    • User authentication by RADIUS or password checking

    FTP Passive Mode

    Normally, when a client connects to an FTP server, the client establishes the control channel with the server, and the server responds by opening a data channel to the client. However, when the FTP client and server are on opposite sides of a firewall that prohibits inbound FTP connections, the server cannot open a data channel to the client.

    FTP passive mode overcomes this connection limitation. In passive mode, the client opens a control channel to the server, tells the server it wants to operate in passive mode, and opens the data channel to the server. This method of establishing the FTP connection allows both the control channel and the data channel to pass through the firewall in the allowed direction.
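
    The two ways of negotiating the data channel described above, as an added example in Python (not part of the original topic or of JunosE). It builds the RFC 959 `PORT` argument a client sends in active mode, parses the `227` reply a server returns in passive mode, and rejects a reply that names a host other than the control-channel peer. The function names, the sample addresses and that peer check are assumptions of this example.

```python
import ipaddress
import re

# RFC 959 reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
_PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def port_argument(host: str, port: int) -> str:
    """Active mode: the client sends PORT h1,h2,h3,h4,p1,p2 and the server
    then connects back to it (the inbound connection a firewall blocks)."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def parse_pasv_reply(line: str) -> tuple[str, int]:
    """Passive mode: the server answers PASV with the endpoint it listens on;
    the client then opens the data channel outbound to that endpoint."""
    match = _PASV_RE.match(line.strip())
    if not match:
        raise ValueError(f"not a 227 passive-mode reply: {line!r}")
    fields = [int(x) for x in match.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in 227 reply")
    host = ".".join(map(str, fields[:4]))
    return host, fields[4] * 256 + fields[5]


def data_endpoint(control_peer: str, pasv_reply: str) -> tuple[str, int]:
    """Return where the client connects for data, refusing a reply that
    points the data channel at a host other than the control-channel peer."""
    host, port = parse_pasv_reply(pasv_reply)
    if ipaddress.IPv4Address(host) != ipaddress.IPv4Address(control_peer):
        raise ValueError(f"227 reply names {host}, control peer is {control_peer}")
    return host, port


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    print("PORT", port_argument("10.6.128.20", 50001))
    print(data_endpoint("10.6.131.9", "227 Entering Passive Mode (10,6,131,9,195,80)"))
```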

    Before You Enable the FTP Server

    Before you enable the FTP server, configure the authentication procedure for the vty lines, as follows:

    1. Configure host access lists.
    2. Configure user authentication methods.
    3. Configure the vty lines to use the host access lists and user authentication methods.

    You can specify authentication by a RADIUS server or by password checking. If you choose no authentication service, any client can access the FTP server. For information about authentication on vty lines, see Configuring vty Lines.

    Enabling the FTP Server

    FTP is disabled by default. You must enable the FTP server with the ftp-server enable command before the system allows FTP clients to connect.

    Note:

    • Before enabling the FTP server, you must configure the authentication procedure for the vty lines. For more information, see Before You Enable the FTP Server.
    • You can enable the FTP server on the default virtual router only.

    To enable the FTP server and to monitor the FTP port for attempts to connect to the FTP server:

    • Issue the ftp-server enable command in Global Configuration mode.
      host1(config)#ftp-server enable

      Use the no version to terminate current FTP sessions and to disable the FTP server.

    Example: Enabling FTP Lines

    This example shows you how to enable FTP lines.

    Requirements

    This example uses the following software and hardware components:

    • JunosE Release 7.1.0 or higher-numbered releases
    • E Series router (ERX7xx models, ERX14xx models, the ERX310 router, the E120 router, or the E320 router)
    • ASIC-based line modules that support Fast Ethernet or Gigabit Ethernet

    Overview

    To transfer files using the system’s FTP server, you must configure the FTP server and ensure that FTP client software is installed on the network host.

    FTP sessions on the E Series router use the virtual terminal (vty) lines. The E Series router divides its vty resources between Telnet, SSH, and FTP services. Each FTP session requires one vty line. The FTP service uses the authentication method configured for the vty lines.

    Topology

    Figure 1 shows the scenario for this configuration example.

    Figure 1: FTP Configuration Example


    In this example, two FTP lines are required for administrators on the data center subnet, and two more lines are required for users on the POP subnet. The system verifies passwords of administrators on the data center subnet through either a RADIUS server or through simple line authentication if the RADIUS server is unreachable. However, the system verifies passwords of users on the POP subnet only through the RADIUS server.

    Enabling the FTP Lines

    Step-by-Step Procedure

    The following example shows all steps for configuring this scenario, from specifying a RADIUS server to enabling the FTP line:

    1. Configure the RADIUS server.
      host1(config)#radius authentication server 10.6.131.51
      host1(config-radius)#key abc123
      host1(config-radius)#udp-port 1645
    2. Configure two access lists—one named “DataCenter,” permitting only the data center subnet, and one named “Pops,” permitting only the POP subnet.
      host1(config)#access-list DataCenter permit 10.6.128.0 255.255.128.0
      host1(config)#access-list DataCenter deny any
      host1(config)#access-list Pops permit 199.125.128.0 255.255.128.0
      host1(config)#access-list Pops deny any
    3. Configure two authentication method lists, named “RadiusAndLine” and “RadiusOnly.”
      host1(config)#aaa new-model
      host1(config)#aaa authentication login RadiusAndLine radius line
      host1(config)#aaa authentication login RadiusOnly radius
    4. Configure two FTP lines to be used by data center administrators.
      host1(config)#line vty 0 1
      host1(config-line)#password foobar
      host1(config-line)#access-class DataCenter in
      host1(config-line)#login authentication RadiusAndLine
    5. Configure the remaining FTP lines to be used by POP administrators.
      host1(config)#line vty 2 4
      host1(config-line)#password foobar
      host1(config-line)#access-class Pops in
      host1(config-line)#login authentication RadiusOnly
    6. Enable the FTP server. For more information, see Enabling the FTP Server.
      host1(config)#ftp-server enable
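
    A pre-enable check for the procedure above, as an added example in Python (not Juniper code or tooling). It reads commands in the form shown in the steps and, when ftp-server enable is present, reports vty ranges whose access class or login authentication list is missing or undefined. The function name, the constructed sample input and the rule that a list using the line method needs a password on the vty range are assumptions of this example.

```python
# Constructed input with deliberate gaps, in the style of the procedure above.
SAMPLE = """\
host1(config)#access-list DataCenter permit 10.6.128.0 255.255.128.0
host1(config)#aaa authentication login RadiusAndLine radius line
host1(config)#line vty 0 1
host1(config-line)#access-class DataCenter in
host1(config-line)#login authentication RadiusAndLine
host1(config)#line vty 2 4
host1(config-line)#access-class Pops in
host1(config)#ftp-server enable
"""


def audit_vty_for_ftp(config: str) -> list[str]:
    """List gaps in vty access control that matter once FTP is enabled."""
    acls, auth_lists, vtys, ftp_enabled = set(), {}, [], False
    for raw in config.splitlines():
        cmd = raw.split("#", 1)[-1].split()  # drop the CLI prompt if present
        if cmd[:1] == ["access-list"] and len(cmd) > 1:
            acls.add(cmd[1])
        elif cmd[:3] == ["aaa", "authentication", "login"] and len(cmd) > 3:
            auth_lists[cmd[3]] = cmd[4:]
        elif cmd[:2] == ["line", "vty"]:
            vtys.append({"range": " ".join(cmd[2:]), "password": False})
        elif cmd == ["ftp-server", "enable"]:
            ftp_enabled = True
        elif vtys and cmd[:1] == ["password"]:
            vtys[-1]["password"] = True
        elif vtys and cmd[:1] == ["access-class"] and len(cmd) > 1:
            vtys[-1]["acl"] = cmd[1]
        elif vtys and cmd[:2] == ["login", "authentication"] and len(cmd) > 2:
            vtys[-1]["auth"] = cmd[2]
    findings = []
    for vty in vtys if ftp_enabled else []:
        where, auth = f"vty {vty['range']}", vty.get("auth")
        checks = (("access-class", vty.get("acl"), acls),
                  ("login authentication list", auth, auth_lists))
        for kind, name, known in checks:
            if name is None:
                findings.append(f"{where}: no {kind} applied")
            elif name not in known:
                findings.append(f"{where}: {kind} {name} is not defined")
        if "line" in auth_lists.get(auth, []) and not vty["password"]:
            findings.append(f"{where}: {auth} uses line but no password is set")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_vty_for_ftp(SAMPLE)))
```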

    Published: 2014-08-12