Tuesday, March 4, 2014

A look at using cisco HTTP server for software downloads

In this post we will the explore a easy  to use the cisco the integral http-server which is available on a cisco switch or router,  and for copying a software image file during upgrades.

Cisco has always support tftp, ftp and scp for images copying. By execution of the cli cmd 

"copy ? " You can see the available options;

SOCPUP01#copy ?
  /erase          Erase destination file system.
  /error          Allow to copy error file.
  /noverify       Don't verify image signature before reload.
  /verify         Verify image signature before reload.
  bs:             Copy from bs: file system
  cns:            Copy from cns: file system
  flash:          Copy from flash: file system
  ftp:            Copy from ftp: file system
  http:           Copy from http: file system
  https:          Copy from https: file system
  logging         Copy logging messages
  null:           Copy from null: file system
  nvram:          Copy from nvram: file system
  rcp:            Copy from rcp: file system
  running-config  Copy from current system configuration
  scp:            Copy from scp: file system
  startup-config  Copy from startup configuration
  system:         Copy from system: file system
  tar:            Copy from tar: file system
  tftp:           Copy from tftp: file system
  tmpsys:         Copy from tmpsys: file system
  vb:             Copy from vb: file system
  xmodem:         Copy from xmodem: file system
  ymodem:         Copy from ymodem: file system

The http and https options has always been option for image and file transfers, but most individuals do not use http for image upgrades. To use the http or https server daemon, you will have to enable this feature and set the http path to that of the source  image location , which is typically  bootflash/flash/disk0 or slot0 depending on the platform that the server is location on.

In this case we will experiment using a cisco 2960,  and with copying  a lanbase image to another 2960.

1st let look at the  topology.

The  switch acting as the server ( SOCDCSW1 )   has been setup with the following  configurations after validation of the  image path and directory;

And here's the  http configurations that our client  will use for accessing  the http-server ;

Take note this config uses http, with no security, and local authentication for the http-users

And now you need to ensure that a  "user"  has been created & with the privilege 15  access.

Finally we can monitor the  http sessions via the cli cmds

show ip http server status   and show ip http server connection;

 A client that want to download the  image from the cisco http-server, would issues a copy command similar to this and by specifying the  usernamed  with the  priv 15 access, he/she  can now download the image directly from the http-server.


copy http://<username:passwword>@ip_address/path  target-path

So  in our example we are copying the image file to  flash;

copy http://blog:blog@ flash:

Keep these thoughts in mind;

  •  https would be preferred over http
  •  This solution might be more suited where you have acl restrictions preventing the usage of  tftp or ftp   ( almost all networks allow http  or https traffic to some degree )

  • This method is great when you have an existing  device that can act as a http-server
  • Or if your accessing a device remotely and need a emergency http-server for a quick fix action
  • Or if you don't happen to have a scp server daemon installed on your local machine or notebook

Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   *   *  )=
       /     \

No comments:

Post a Comment