Using the Router as a TFTP Server
Problem
You want to configure your router to act as a TFTP server.
Solution
The tftp-server command configures the router to act as a TFTP server:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#tftp-server flash:c2600-ik9o3s-mz.122-12a.bin Router1(config)#end Router1#
Discussion
The ability to use a router as a TFTP server can be quite useful. We have often used this feature to upgrade several routers that are separated from the TFTP server by slow WAN connections. In situations like this, you can upgrade one of the remote routers by using TFTP over the slow WAN connection as we described in Recipe 1.6. Then you can configure the first router to act as a TFTP server, and use it to upgrade the remaining routers over high-speed local links.
The router is not a fully functional TFTP server. It can only serve files for download. You cannot use this feature to upload files into the serving router's local flash. However, the router is not limited to just serving IOS images. You can use your router's flash to store configuration files and make them available for download via TFTP as well. Moreover, you can even use it to hold configuration files for nonCisco equipment.
Security is a concern whenever you enable services on a router. Every extra service you enable provides the wily hacker with a new potential avenue to exploit against your network. Therefore, we certainly don't recommend using the TFTP server feature on routers facing the public Internet or other unfriendly networks. However, for internal use, we believe it is reasonably safe. You can increase the security of the router's TFTP server by using an access-list like this:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#access-list 99 permit 172.25.1.0 0.0.0.255 Router1(config)#access-list 99 deny any Router1(config)#tftp-server flash:c2600-ik9o3s-mz.122-12a.bin 99 Router1(config)#end Router1#
In this example, we defined an access-list 99 that will allow all devices on the 172.25.1.0 network to access the router's TFTP server. Then we applied the access-list to the TFTP service by specifying the access-list number at the end of the tftp-server command line. This will help to ensure that only the authorized devices permitted by the access-list may download the specified file via TFTP.
You can configure the router to serve multiple files via TFTP by simply adding more tftp-server commands. And, if security is a concern, you can configure each file to use its own access-list.
Although this feature can be useful, we recommend enabling it only when you need to do a download, and then disabling the service as soon as the download has completed. This will help to mitigate the security concerns of running extra services from your router.
See Also
Recipe 1.6