5.9. TFTP and FTP
💡 First Principle: File transfer protocols move files between devices, which makes them critical for IOS upgrades, configuration backups, and disaster recovery. TFTP is simple but insecure (no authentication); FTP adds authentication at the cost of more complexity. The wrong choice in the wrong situation can brick devices or expose sensitive configurations.
What happens when file transfers go wrong: Imagine you're upgrading a router's IOS. Halfway through the transfer, the network blips and TFTP fails. Now the router has a corrupted image—it won't boot from the incomplete file. Without a backup image or ROMMON access, you have an expensive paperweight. This is why you verify file hashes after transfer and always have a recovery plan.
Consider this security scenario: Your TFTP server is on the user VLAN because "it's more convenient." An attacker on that VLAN downloads your router configs, extracts password hashes (even type 7 encrypted passwords are trivially reversible), and now has credentials for your entire network. TFTP has zero authentication—if you can reach it, you can read from it.
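The exposure in this scenario can be checked from the defender's side before a backup ever lands on a file server. The following is an added example, not part of the original guide: it scans a saved IOS configuration for credentials stored as cleartext (type 0) or type 7 and reports the statement without its value. The function name audit_config and the sample configuration are constructed for illustration.

```python
import re

# IOS credential encodings that anyone holding the file can recover.
# Type 0 is cleartext; type 7 is reversible obfuscation, not a hash.
RECOVERABLE = {"0": "cleartext", "7": "type 7 (reversible)"}

# enable / username / "ip ftp" / line-level "password" and "secret" statements.
CRED_RE = re.compile(
    r"^\s*(?P<scope>enable\s+|username\s+\S+\s+(?:privilege\s+\d+\s+)?|ip\s+ftp\s+)?"
    r"(?P<kw>password|secret)\s+(?:(?P<type>\d)\s+)?\S+\s*$"
)

def audit_config(text):
    """Return (line_no, statement, reason) for each recoverable credential.

    The credential value itself is never returned, so the report is safe to
    paste into a ticket. audit_config is a hypothetical helper name.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = CRED_RE.match(line)
        if not m:
            continue
        ctype = m.group("type") or "0"  # no type digit: stored exactly as typed
        if ctype in RECOVERABLE:
            statement = re.sub(r"\s+", " ", (m.group("scope") or "") + m.group("kw"))
            findings.append((line_no, statement.strip(), RECOVERABLE[ctype]))
    return findings

# Constructed sample backup; every credential value is a placeholder.
SAMPLE_CONFIG = """\
hostname R1
no service password-encryption
enable secret 9 $9$PLACEHOLDER
enable password 7 PLACEHOLDER
username admin privilege 15 secret 5 $1$PLACEHOLDER
username backup password 7 PLACEHOLDER
ip ftp username ftpuser
ip ftp password PLACEHOLDER
line vty 0 4
 password 7 PLACEHOLDER
"""

if __name__ == "__main__":
    for line_no, statement, reason in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {statement}: {reason}")
```

Any finding means the backup file should be treated as a credential store: keep it off shared VLANs and move the statement to a secret with a hashed type.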
Why this matters:
- Config backup before changes: copy running-config tftp://server/backup.cfg could save your job
- IOS upgrades: Corrupted or interrupted transfers can make devices unbootable
- Disaster recovery: Working backups mean 10-minute recovery vs rebuilding from scratch
TFTP (Trivial File Transfer Protocol):
- UDP port 69
- No authentication
- Simple read/write operations
- Used for firmware updates, config backups
FTP (File Transfer Protocol):
- TCP ports 20 (data) and 21 (control)
- Authentication required
- Full file management (directories, delete, rename)
- More secure than TFTP
Common Use:
Router# copy running-config tftp://10.1.1.100/router-config.txt
Router# copy tftp://10.1.1.100/ios-image.bin flash: