Transferring Files

You may need to transfer files between the following locations:

System space
User space
Network host
Standby SRP module

You can transfer files in any of three ways: the copy command, the system’s FTP server, or a remote host that is configured as an FTP or a TFTP server. Table 37 lists the types of files that you can transfer between the locations using the copy command, which activates a hidden FTP or TFTP client on the E Series router.

You can use the system’s FTP server to transfer files between a network host and the user space. When a firewall separates the E Series router from the network host, you must use the FTP server to transfer files to the user space. You can then install the files from the user space to the system space by using the copy command. However, if there is no firewall between the E Series router and the network host, you can use the copy command, the remote FTP server, or the remote TFTP server to transfer files.

For example, you can transfer a file from a network host to an E Series router through FTP, and then transfer the file through the copy command from the E Series router to other E Series routers. See Figure 22.

Figure 22: Transferring System Files to the E Series Router

References

For more information about file transfer protocols, consult the following resources:

RFC 959—File Transfer Protocol (FTP) (October 1985)
RFC 1350—Trivial File Transfer Protocol (TFTP) (Revision 2) (July 1992)

Copying and Redirecting Files

You have two options for copying or redirecting files to or from a remote FTP or TFTP server:

Include all remote file data in the copy command. You can specify remote files using the URL format and the file redirect option for the related show commands.
Use the host command to define the host and the appropriate file transfer protocol. FTP is the default if you do not specify a file transfer protocol or when Domain Name System (DNS) service is used to map IP addresses to the hostname.

If you include the remote file data, the copy command contains a source and destination filename, either of which (but not both) can be remote files. The following URL format is supported for both source and destination files:

protocol://[username [:password]@]location[/directory]/filename

The location can be a hostname or an IP address.

The two versions of the URL format are as follows:

ftp://[username[:password ]@]location[/directory]/filenametftp://location[/directory]/filename

Note: The TFTP protocol does not support username and password. Entering a username and password in the TFTP version results in a command error.

The protocol specified in the command always overrides the protocol associated with the host entry, if any, in the host table. Some protocols, such as FTP, require a username and password with each request. For the URL version of the copy command, the following sequence is followed:

If the command contains a username, the username and password specified in the command are used. The password null is used if the command does not contain a password.
If the location in the URL is a hostname with a corresponding host entry (created by the host command), the username and password of the host entry are used. A host entry that is created without an explicit user name is created with the default username of anonymous and password of null.

The location is the IP address or hostname of the remote file server. The directory/filename is the full path of the file relative to the user login root path.

The characters in the URL format can be encoded. Any of the delimiter characters can be used in the host, username, password, and directory and file fields when added as encoded characters. The encoded characters must be three characters, starting with a percent and followed by the two hexadecimal digits that are the ASCII equivalent. The system converts all printable characters before passing them to the protocol support. Unprintable characters (0-012F and 0x7f-0x7F) are not converted and are passed directly to the protocol. Printable characters (0x20– 0x7E) are decoded and all others (0x80–0xFF) are rejected.

In the following example, the username contains the @ delimiter character encoded as %40, and the directory passed to the FTP protocol layer is /dirA/dirB/dirC. The delimiter between the hostname and directory is a forward slash (/) character. To add a slash to the start of the directory specification, add the encoded slash after the host and directory delimiter.

ftp://user%40%40name:pwd@mary/%2fdirA/dirB/dirc/fileA

In the following example, the directory passed to the FTP protocol layer is dirA/dirB/dirC.

ftp://username:pwd@mary/dirA/dirB/dirc/fileA

Using the copy Command

Table 37 shows the types of files that you can transfer between the locations by using the copy command.

Table 37: File Types You Can Transfer Using the copy Command

	Destination
Source	System	User Space (Linked Files and Unlinked Files)	Network Host Within a Firewall	Standby SRP Module
System	.cnf .hty (excluding reboot.hty) .log (excluding system.log) .mac .scr .txt	.cnf .hty .log .mac .pub .scr *.txt	.cnf .dmp .hty .log .mac .pub .scr .sts *.txt	None
User Space	.cnf .mac .rel .scr *.txt	.cnf .hty .log .mac .pub .rel ( .rel file only, not files associated with the .rel file) .scr .txt Nonsystem files	None	None
Network Host Within a Firewall	.cnf .mac .rel .scr *.txt	None	None	None
Standby SRP Module	system.log reboot.hty	system.log reboot.hty *.dmp	system.log reboot.hty *.dmp	None

To transfer files using the copy command between the system space and a network host:

Determine whether there is a route to the network host, and create one if necessary. See JunosE IP, IPv6, and IGP Configuration Guide.

Configure the network host as an FTP server, or use a remote host that is configured as a TFTP server.

Note: This command takes place in the context of the current virtual router (VR) rather than the default VR. You must configure the FTP server so that any traffic destined for the VR can reach the VR; typically, you configure the FTP server to reach the default address of the E Series router, which will always be able to reach the VR.

Add the FTP server to the static host table, and specify the file transport protocol (FTP or TFTP), so that the E Series router can access the network host.
(Optional) Specify a source interface to use in FTP packets leaving the router.
Copy the files.

copy

Use to copy a file from one location to another.

Note: You cannot copy script (.scr) or macro (.mac) files while in Boot mode. You can copy only .cnf, .hty, and .rel files. If you issue the dir command from Boot mode, existing .scr and .mac files are not displayed.

See Table 37 for the types of files that you can copy.
Specify a network path to copy to or from another device on the network.
Specify the incoming or outgoing directory to copy to or from the user space.
Specify a subdirectory name to create a subdirectory within the incoming or outgoing directory in the user space.
You cannot use wildcards.
You cannot create or copy over files generated by the system; however, you can copy such files to an unreserved filename.
Examples
host1#copy host1:westford.cnf boston.cnf host1#copy /incoming/releases/2-8-0a3-7.rel 2-8-0a3-7.rel host1#copy /shconfig.txt ftp://joe:passwd@173.28.32.156/ftpDir
/results/shConfigJoe.txt
There is no no version.
See copy.

host

Use to add or modify an entry to the host table. You can enter the optional username and password in plain text (unencrypted). Or, if you know the correct encrypted forms of the username and password, you can enter the encrypted forms (see below).
This command supports both IPv4 and IPv6 address formats.
This command allows network files to be accessible from a host.
This command supports both FTP and TFTP for copying and redirecting files.
You cannot invent an encrypted string to be used with the algorithm 8 option. You must use plain text (unencrypted) strings for the initial configuration. The only way to obtain a valid encrypted string is to enable password encryption (by issuing the service password-encryption command) and then examine the output of the show configuration command. Username and password encryption is made available primarily so that scripts generated from the show configuration output can be saved, used, and transferred without fear of password exposure.
Example
host1(config)#host westford 10.10.8.7 ftp user25 easy53
To determine the encrypted values for usernames and passwords entered in cleartext, you must do the following:
1. Issue the service password-encryption command. This causes subsequently issued show configuration commands to generate encrypted forms of the username and password for this command, as well as for all other commands that support encryption. See Managing the System , for more information about the service password-encryption command.
2. Issue the show configuration command and search for the host command. The encrypted forms are preceded by the number 8.
3. You can copy and paste the command showing the encrypted forms into a macro or script to use as desired. Specify the number 8 before the username and before the password to enter an encrypted value.
Example for encrypted values
host1(config)#service password-encryption host1(config)#host test 10.2.3.4 ftp nick nick host1(config)#end host1#show config | inc host hostname "host1"host test 10.2.3.4 ftp 8 CU&l,XM(S 8 X=emZn>'S
Use the no version to remove a specified host.
See host.

ip ftp source-address

Use to specify an operational interface by IP address as the source interface for FTP packets sent by the system’s FTP client.
This command overrides a setting you configured previously with the ip ftp source-interface command.
If you issue this command, the output of the show configuration command includes an entry of the following format:
ip ftp source-address ipAddress
This entry also appears in the output if you delete an interface or change its IP address after issuing the ip ftp source-interface command, in which case the IP address is the one that was configured on the interface before you issued the ip ftp source-interface command.
Example
host1(config)#ip ftp source-address 10.10.5.21
Use the no version to restore the default, in which the source address in the FTP packets is that of the interface where the FTP connection is made.
See ip ftp source-address.

ip ftp source-interface

Use to specify an operational interface by interface type and location as the source interface for FTP packets sent by the system’s FTP client.
The interface you specify must have an IP address.
This command overrides a setting you configured previously with the ip ftp source-address command.
If you issue this command and the interface is valid, the output of the show configuration command includes an entry of the following format:
ip ftp source-interface interfaceType interfaceSpecifier
- interfaceType—Type of interface
- interfaceSpecifier—Location of the interface
  For information about interface types and specifiers, see Interface Types and Specifiers in JunosE Command Reference Guide.
If you delete the interface or change its IP address, the output of the show configuration command appears as if you had entered the ip ftp source-address command:
ip ftp source-address ipAddress
- ipAddress—IP address of the interface when you issued the ip ftp source-interface command
Example
host1(config)#ip ftp source-interface loopback1
Use the no version to restore the default, in which the source address in the FTP packets is that of the interface where the FTP connection is made.
See ip ftp source-interface.

copy Command Examples

The examples in this section assume that the following host entries have been defined in the host table:

host mary 172.28.32.156 ftp mike mikePwd
host joe 172.28.32.99 ftp joe jPasswd

Example 1

Copy a remote file to a local file by using the CLI file copy command format. The following command creates or replaces the local file autocfg.scr by copying the remote file autocfg.scr located in the directory ftpDir/scripts on the host mary. The username mike and password mikePwd from the host entry mary are used to access the remote file.

copy mary:ftpDir/scripts/autocfg.scr autocfg.scr

Example 2

Copy a local file to a remote fileby using file copy command format. The following command creates or replaces the remote file shConfigForJoe.txt in the directory ftpDir/results on the host joe by copying the local file shConfig.txt. The username joe and password jPasswd from the host entry joe are used to access the remote file.

copy shConfig.txt joe:ftpDir/results/shConfigForJoe.txt

Example 3

Copy a remote file to a local file by using the URL format, use the hostname to specify the location, and specify the user name and password in the command. The following command creates or replaces the local file autocfg.scr by copying the remote file autocfg.scr located in the directory ftpDir/scripts on the host mary. The username fred and the password passwd in the command are used; the username and password in the host entry are ignored.

copy ftp://fred:passwd@mary/ftpDir/scripts/autocfg.scr autocfg.scr

Example 4

Copy a remote file to a local file by using the URL format, use the hostname to specify the location, specify the user name in the command, and use the default value of the password. The following command creates or replaces the local file autocfg.scr by copying the remote file autocfg.scr located in the directory ftpDir/scripts on the host mary. The username fred from the command and the default password null are used; the username and password in the host entry are ignored.

copy ftp://fred@mary/ftpDir/scripts/autocfg.scr autocfg.scr

Example 5

Copy a remote file to a local file by using the URL format, and use the hostname to specify the location. The protocol TFTP, which does not support usernames or passwords, is the protocol in the URL. The following command creates or replaces the local file autocfg.scr by copying the remote file autocfg.scr located in the directory ftpDir/scripts on the host mary. The protocol specified in the command is used; the protocol for the host entry mary is ignored.

copy tftp://mary/ftpDir/scripts/autocfg.scr autocfg.scr

Example 6

Copy a remote file to a local file by using the URL format, use the hostname to specify the location, and use the username and password from the host entry. The following command creates or replaces the local file autocfg.scr by copying the remote file autocfg.scr located in the directory ftpDir/scripts on the host mary. The username mike and password mikePwd from the host entry are used.

copy ftp://mary/ftpDir/scripts/autocfg.scr autocfg.scr

Example 7

Copy a remote file to a local file by using the URL format. Use the host's IP address to specify the location. The following command creates or replaces the local file autocfg.scr by copying the remote file autocfg.scr located in the directory ftpDir/scripts on the host 172.28.32.156. Use the username fred to access the remote file.

copy ftp://fred@172.28.32.156/ftpDir/scripts/autocfg.scr autocfg.scr

Example 8

Copy a local file to a remote file by using the URL format, and use the host's IP address to specify the location. The following command creates or replaces the remote file shConfigJoe.txt in the directory ftpDir/results on the host 172.28.32.156 by copying the local file shConfig.txt. The username joe and the password passwd from the command are used to access the remote file.

copy shConifg.txt ftp://joe:passwd@172.28.32.156/ftpDir/results/shConfigJoe.txt

Example 9

Redirect the output of a command to a remote file by using the URL format, and use the host's IP address to specify the location. Execute show config, and redirect the output to the remote file shConfigJoe.txt in directory ftpDir/results on host 172.28.32.156 using username joe and password passwd.

show config > ftp://joe:passwd@172.28.32.156/ftpDir/results/shConfigJoe.txt

Using TFTP to Transfer Files

You can use TFTP to copy files and redirect output from the E Series router to a remote server if the remote host supports TFTP. Before transferring files by the remote TFTP server, you must use the host command to define the host and to specify TFTP as the file transfer protocol.

The maximum file size is 32 MB for file transfer. The release package for JunosE Release 6.1.0 and higher-numbered releases includes a split version of all release images that exceed 32 MB. Each chunk is less than 32 MB. You can therefore use TFTP with JunosE Release 6.1.0 and higher-numbered releases to transfer large software images. The JunosE Software copies the split images and reassembles them to full size on the router. The file system on the router does not contain any additional images as a result of this operation.

Configuring the FTP Server

To transfer files by the system’s FTP server, you must configure the FTP server and ensure that FTP client software is installed on the network host.

Although you can transfer any type of file by FTP to the E Series router, the principal aim of this feature is to allow the transfer of system files to NVS. You can transfer files by FTP to the user space. You can then install files from the user space onto the system using the copy command. It is not possible to access the system files directly through FTP operations.

FTP sessions on the E Series router use the vty lines. The E Series router divides its vty resources between Telnet, SSH, and FTP services. Each FTP session requires one vty line. The FTP service uses the authentication method configured for the vty lines.

Features

The system supports the following FTP features:

Compliance with RFC 959—File Transfer Protocol (FTP) (October 1985)
FTP passive mode
Efficient NVS organization
User authentication by RADIUS or password checking

FTP Passive Mode

Normally, when a client connects to an FTP server, the client establishes the control channel with the server, and the server responds by opening a data channel to the client. However, when the FTP client and server are on opposite sides of a firewall that prohibits inbound FTP connections, the server cannot open a data channel to the client.

FTP passive mode overcomes this connection limitation. In passive mode, the client opens a control channel to the server, tells the server it wants to operate in passive mode, and opens the data channel to the server. This method of establishing the FTP connection allows both the control channel and the data channel to pass through the firewall in the allowed direction.

Configuring Authentication

Before you enable the FTP server, configure the authentication procedure for the vty lines, as follows:

Configure host access lists.
Configure user authentication methods.
Configure the vty lines to use the host access lists and user authentication methods.

You can specify authentication by a RADIUS server or by password checking. If you choose no authentication service, any client can access the FTP server. For information about authentication on vty lines, see Managing the System .

Configuration Tasks

FTP is disabled by default. You must enable the FTP server with the ftp-server enable command before the system allows FTP clients to connect.

ftp-server enable

Use to enable the FTP server and to monitor the FTP port for attempts to connect to the FTP server.
You can enable the FTP server on the default virtual router only.
Example
host1(config)#ftp-server enable
Use the no version to terminate current FTP sessions and to disable the FTP server.
See ftp-server enable.

Configuration Example

Figure 23 shows the scenario for this configuration example.

Figure 23: FTP Configuration Example

In this example, two FTP lines are required for administrators on the data center subnet, and two more lines are required for users on the POP subnet. The system verifies passwords of administrators on the data center subnet through either a RADIUS server or through simple line authentication if the RADIUS server is unreachable. However, the system verifies passwords of users on the POP subnet only through the RADIUS server.

The following example shows all steps for configuring this scenario, from specifying a RADIUS server to enabling the FTP line:

Configure the RADIUS server.
host1(config)#radius authentication server 10.6.131.51 host1(config-radius)#key abc123 host1(config-radius)#udp-port 1645
Configure two access lists—one named “ DataCenter,” permitting only the data center subnet, and one named “ Pops,” permitting only the POP subnet.
host1(config)#access-list DataCenter permit 10.6.128.0 255.255.128.0 host1(config)#access-list DataCenter deny any host1(config)#access-list Pops permit 199.125.128.0 255.255.128.0 host1(config)#access-list Pops deny any
Configure two authentication method lists, named “ RadiusAndLine” and “ RadiusOnly.”
host1(config)#aaa new-model host1(config)#aaa authentication login RadiusAndLine radius line host1(config)#aaa authentication login RadiusOnly radius
Configure two FTP lines to be used by data center administrators.
host1(config)#line vty 0 1 host1(config-line)#password foobar host1(config-line)#access-class DataCenter in host1(config-line)#login authentication RadiusAndLine
Configure the remaining FTP lines to be used by POP administrators.
host1(config)#line vty 2 4 host1(config-line)#password foobar host1(config-line)#access-class Pops in host1(config-line)#login authentication RadiusOnly
Enable the FTP server.
host1(config)#ftp-server enable

Monitoring the FTP Server

Use the dir command to monitor files on the FTP server. Use the show ftp-server and show users commands to monitor settings of the FTP server.

show ftp-server

Use to display information about the FTP server.
Field descriptions
- FTP Server state—Status of the FTP server: enabled or disabled
- Open connections—Number of open connections to the FTP server
- Statistics since server was last started—Data about the connection attempts since you enabled the FTP server
- Statistics since last system reload—Data about the connection attempts since you last booted the system
  - attempts—Number of attempts to connect
  - failed hosts—Number of connection attempts that failed because of disallowed host addresses
  - failed users—Number of connection attempts that failed because users were not authenticated

Example

host1#show ftp-server
FTP Server state: enabled, 0 open connections
Statistics since server was last started:
        attempts: 32
        failed hosts: 5
        failed users: 7
Statistics since last system reload:
        attempts: 35
        failed hosts: 5
        failed users: 8

See show ftp-server.

show users

Use to display information about users of the vty lines.
Specify the all keyword to view information for all configured lines (both connected and not connected).
Specify the detail keyword to view detailed information.
Field descriptions
- line number—Number of the line to which the user is connected
- line name—Name of the line, the service the line offers, and the relative line number
- user—Name of the user
- connected from—Location or IP address of the user
- connected since—Date and time that the user connected to the line
- idle time—Amount of time it has been since an entry was made from this line (detail only)
- virtual router—Virtual router used by this line user (detail only)
- privilege level—Privilege level of this line user (detail only)
- current command—Command currently being executed by the user over this line (detail only)

Example 1

host1#show users
 line                             connected
number     line name      user       from      connected since
------   --------------   -----   ----------   ----------------
0*       console 0                console      02/12/2001 19:57
4        vty 3 (ftp)      fred    10.10.0.64   02/12/2001 20:04
5        vty 4 (telnet)           10.10.0.64   02/12/2001 20:04

Note: '*' indicates current user.

Example 2

host1#show users detail
 line                             connected                          idle
number     line name      user       from       connected since      time
------   --------------   ----   ------------   ----------------   --------
0        console 0               console        08/14/2003 08:01   00:23:50
1*       vty 0 (telnet)          10.10.120.90   08/15/2003 10:37
 line    virtual   privilege
number   router      level      current command
------   -------   ---------   -----------------
0        default   10
1*       default   10          show users detail
Note: '*' indicates current user.

See show users.

Copying Partial Releases

You can shorten the time it takes to copy a release from a server and reduce the amount of storage needed for a release. At the default setting, all subsystems are included when you copy a release from a server. Use the exclude-subsystem command to specify subsystems that you do not want to copy from the server. Use the show subsystems command to verify which files are included and excluded when you copy a release from a server.

Follow this example:

Determine which subsystems are included in the release on the server.
host1#show subsystems file m:/x/images/x-y-z.rel
Exclude any subsystems in the release that you do not need for the configuration.
host1#(config)#exclude-subsystem coc12 host1#(config)#exclude-subsystem oc12s
(Optional) Remove a subsystem from the exclude list.
host1#(config)#no exclude-subsystem oc12s
(Optional) Verify the subsystems that will be included and excluded in future release copies.
host1#show configuration ...exclude-subsystem coc12
(Optional) After copying a release, view which subsystems were excluded.
host1#show subsystems file x8.rel
(Optional) Determine whether the currently running software is a result of a copy with excluded subsystems. The word “ Partial” indicates that subsystems were excluded.
host1#show version Juniper Networks, Inc. Operating System SoftwareCopyright (c) 200X Juniper Networks, Inc. All rights reserved.System Release: x-y-z.rel Partial

exclude-subsystem

Use to exclude any subsystems that are in a release that you do not need for the system configuration.
Example
host1(config)#exclude-subsystem coc12
The subsystems that you indicate are added to the “ exclude list.” All subsequent release copies will exclude the images for these subsystems from the release copy.
Example
host1(config)#no exclude-subsystem coc12
Use the no version of this command with the subsystem name to remove a subsystem from the exclude list. Use the no version of this command without a subsystem name to remove all subsystems from the exclude list.
See exclude-subsystem.

show subsystems

Use to determine which subsystems are included in the current software release on the system or in a specified software release file.
Specify either a local filename or a remote path and filename to view the subsystems that are included in a software release file other than the current software release on the system.
Field descriptions
- Required—Number of bytes of data for the required portion of the release.
- Included Subsystems—Number of bytes of data for the included subsystems listed. All included subsystems in the release are listed.
- Excluded Subsystems—Number of bytes of data for the excluded subsystems listed. All excluded subsystems in the release are listed.
Use the command before you copy a release to verify which subsystems are present in the release.

Example

host1#show subsystems file m:/x/images/x-y-z.rel
oc3
oc12p
oc12a
ge
fe8
coc12
oc12s

Use the command after copying a release to verify which subsystems are included and excluded.

Example

host1#show subsystems file x8.rel
Required: 1423005  bytes
Included Subsystems:  27882192  bytes
oc12p
oc12a
ge
fe8
coc12
oc12s

Excluded Subsystems:  6840211   bytes
oc3

See show subsystems.