New Feature Idea

[Chad.Shipman]

Lets see if I can explain this right.. I work with alot of Cisco's, and embeded system that has a) shells in them b) firmware or IOS images.

Right now to upgrade most of them either I have to find my tftp server, start it up and such then login to the box and download / upload the image, etc. Cisco equipment has the ability to use either tftp or FTP (which you can have setup for username and password, I just don't like the idea of having my IOS images sitting around on a ftp server).

The idea is to have a small tftp/ftp server inside of secureCRT/secureFX (maybe a feature for buying the combo pack) that would give me the ability to turn on a ftp server in the software so that I could download / upload the images to the machines. Since it would be only for connecting to the IP that your currently logged into it could be locked to only allow that IP to access the ftp portion.

That could then be tied to some custom scripts so that all you would need to do is place your IOS images in a ftproot dir on your machine and login to the router, etc and have a dialog box that asks Image install Location and Image File name. then it would upload ,etc.

Hope this makes since, it does to me atleast and so far I haven't really come across anything else (atleast in 1 package) that would give me this ability.

Chad Shipman

[adudek]

Chad,
Since you have the same vendor I do, I hope you agree that Y-modem support would be helpful especially if you have do DL IOS over the console.

Aaron

[Chad.Shipman]

Well.. Actually I guess I'm luckly but I have never had to do a x or y modem via console, I mainly work with gear that has rmon, boot ios, then running ios. I make sure that the boot IOS runs, then upgrade the running version so that if it fails it will drop back to the boot ios and atleast bring up the FA intefaces.

The biggest thing I want to be able to do is use FTP to upload new IOS as it screams compared to tftp, but I hate typing the username/password and such into the copy command becasue it will get long enough to where it wraps around the screen and you forget what you had already typed.

[tnygren]

Hi Chad,

I just want to make certain that I understand completely.

You would like to see a small FTP server built into SecureFX so that the Cisco FTP client could connect and download the image.

Is this correct?

Would the FTP server need to be integrated in SecureFX or could it be separate?

[Chad.Shipman]

Well that is the basic idea. ftp and tftp both would be nice since some embeded things only support tftp. One of the main objectives here is that the ftp server can be "locked" via ip address to the client router that you are connecting to. Between that locking and the ftp / tftp server not being active unless specified would provide security for any of your firmware, IOS images, etc.

Here is a example. say your workstation is (I will use internal ip's for example only) 192.168.1.100 and your router is 192.168.1.2.

The idea of this feature would allow you to login to the router and do this:

copy ftp://192.168.1.100/IOS-of-the-month.bin slot0:IOS-of-the-month

Which could then be taken a step futher since we already know a) the IP address of the ftp server b) the ftp server dosn't need a login since it is IP locked. so you could login to the router and bring up a upgrade dialog box that asks. Image to upload (click to select) and a dropdown box or so that list the locations you can upload to (slot0 / slot1 / disk0 / disk1 / nvram / rom / etc). Click ok and it builds the cmd line and inputs it into the router and off we go with a ios upgrade.

Granted this can mostly already be done between somebody writting a Script addon and having a tftp sever on your machine that you can start, etc. The idea behind this is intergration, simplicity, and just plain lets get it done and over.

Does it have to be part of SecureFX... well, I wouldn't think so, could be a full seperate product I would think.. SecureFS (Secure Firmware Server) or so. I was just thinking of having it with the SecureFX and having it "unlock" when you intergrated SecureCRT and SecureFX together, would be some more value add to the total package.

[tnygren]

Hi Chad,

Thank you for the great clarification!

I have added a request for a FTP/TFTP server that could be integrated with SecureFX to our features request database.

If this is added, we will make a post here.

If you would prefer an email notification, please send me a message at support@vandyke.com with a subject of ATTN: Teresa Forum Thread 1649.

[gan]

Quote:

Originally Posted by Chad.Shipman

Image to upload (click to select) and a dropdown box or so that list the locations you can upload to (slot0 / slot1 / disk0 / disk1 / nvram / rom / etc). Click ok and it builds the cmd line and inputs it into the router and off we go with a ios upgrade.

The list mention above should be a list were it's possible to easy add new flash location names using the gui since there are so many options in addition to the list above like sup-bootflash, bootflash and several others.
Also for some Cisco equipment you would normally use another syntax instead of the "copy tftp flash....etc" like "archive tar /x....etc" and "archive download-sw tftp://test.bin" with several differenet parameters that some users use and some don't. Unless it's easy to customize i don't think it would be very useful. The list of flash devices and several different syntax might give so many options that it's easier to just type what you want though.
It should be a optional feature as well i think for those that prefer to use another tftp/ftp server if it will be integrated.

[tnygren]

Hi Gan,

I have added your comments to the request that I made earlier.

If it was added, it would make sense to have this be an option to enable so to not interfere with other FTP/TFTP servers possible installed.

[Chad.Shipman]

Well, this request was actually 2 requests total. One was for the tftp/ftp server that would lock to the ip address(s) that your currently connected to thereby giving you the ability to bypass having to use user authtication commands to access the ftp server via the cisco CLI.

The second part was the GUI interface for interfacing into the equipment. This could be done multiple ways even so far as to say, Here is the tftp/ftp server and you have active scripting so have fun.

Concerning the Cisco commands themself, the location that images goes to can be enumerated with a sh file systems which shows this:

Code:

Cisco-GSR-12008#sh file systems 
File Systems:

          Size(b)          Free(b)      Type  Flags  Prefixes
*       260075520        234033152      disk     rw   disk0:
        260075520        215396352      disk     rw   disk1:
                -                -     flash     rw   slot0: flash:
                -                -     flash     rw   slot1:
          7602176          4250200     flash     rw   bootflash:
                -                -    opaque     rw   system:
                -                -    opaque     rw   null:
                -                -   network     rw   tftp:
           520184           511664     nvram     rw   nvram:
                -                -   network     rw   rcp:
                -                -   network     rw   ftp:
                -                -    opaque     ro   tar:
                -                -    opaque     ro   cns:

key off of the flash or disk fields will let you populate a selection box with the location for the IOS upgrade and the * tells you what location the last IOS load was from. Which would still be a long drawn out way to code all that, better to just list the default flash locations or have it user configurable.

on the diffrent IOS commands there is 2 cisco upload commands:

1) the copy command is for any and all valid cisco IOS images. This has been standard since IOS 11.0.X also to include the CatIOS branch

2) the archive download-sw command is pretty specific to cisco equipment that has full web GUI interfaces, Cisco switches, Aironet, etc. and is only used if the user is attempting to upgrade the web GUI files at the same time as the IOS version. So option in the upload gui for: IOS Only or IOS/WEB would solve that for cisco equipment.

The best options would be for the GUI interface to be:
1) configurable as to the type of equipment the person deals with.
2) configurable within the equipment type area.
3) equipment type specified inside the connection profile so the interface knows what configuration to use.

for example, I deal with Cisco, Extreme, and Foundry equipment.. I wouldn't want to see any option for Ascend, lucent, avia, etc.

[tnygren]

Hi Chad,

Thanks for the great detailed explaination!

I also received your email and have responded to that also.

Please let me know if you do not receive it!

[mekanik]

playing devils' advocate here
i do not like the fact of adding an insecure protocol (ftp and tftp) to a product (scrt) that is really geared towards secure communications. so, lets potentially disclose our credentials using an ftp method to upgrade a router. not the most secure method. now, i do have another idea.

starting with i belive one of the 12.3 releases (possible late 12.2, can't remember), IOS started supporting SCP as a method for transfer of files. IOS has also adopted the method of HTTPS as a transfer method. i would rather see the ability to use SCP/HTTPS as transfer methods than tftp/ftp, IMHO anyways.

/mekanik/

[tnygren]

Hi Melanik,

I can understand your concern but if this is added, it would be an option to be enabled and most likely not enabled by default.

The option of added HTTPS or SCP transfers would be another good idea.

I have added this request to our database also.

A post will be made here also if this is added.

[mekanik]

Quote:

Originally Posted by tnygren

Hi Melanik,

I can understand your concern but if this is added, it would be an option to be enabled and most likely not enabled by default.

The option of added HTTPS or SCP transfers would be another good idea.

I have added this request to our database also.

A post will be made here also if this is added.

reason i mention HTTPS and SCP is the fact that the SSL feature has just recently been added and SCP support should be pretty easy to integrate since there is already SSH support. not to restate it, but FTP and TFTP are naturally insecure protocols.

/mekanik/

[mdella]

I'm not sure I completely understand this one... (Hi Maureen :-)

I do a LOT of cisco upgrades and the like and I do understand the need for the TFTP or FTP server, however since the cisco device takes this information from an IP address (ie, you tell it to pull down images from x.x.x.x), the server needs to reside on a specific IP address. Now you can have that on your PC (where SecureCRT resides) but the issue you generally face is that the PC is either not on the same network (making TFTP sort of impossible) or behind multiple routers/firewalls/etc where port 22 was the only way to get to the device (which leaves out FTP)...

Since SecureCRT is a client program (not a server), it can't change anything on the server side of the equation (that is, the SSHd daemon that is running within the cisco device).

I've re-read this one a couple of times and still can't figure out the chicken/egg approach here...

Marcos

[gan]

Quote:

Originally Posted by mdella

I do a LOT of cisco upgrades and the like and I do understand the need for the TFTP or FTP server, however since the cisco device takes this information from an IP address (ie, you tell it to pull down images from x.x.x.x), the server needs to reside on a specific IP address. Now you can have that on your PC (where SecureCRT resides) but the issue you generally face is that the PC is either not on the same network (making TFTP sort of impossible) or behind multiple routers/firewalls/etc where port 22 was the only way to get to the device (which leaves out FTP)...
Since SecureCRT is a client program (not a server), it can't change anything on the server side of the equation (that is, the SSHd daemon that is running within the cisco device).
I've re-read this one a couple of times and still can't figure out the chicken/egg approach here...
Marcos

I do a lot of cisco upgrades as well and got no problem understanding what is actually requested here and in most cases i get the software from a tftp server running on my PC, but as you say it's sometimes impossible because of firewalls and stuff like that. But since working a lot with Cisco i guess i'm like most other people working with cisco and prefer to use the CLI. So i think a feature as requested here would be of no use to me and a lot of other working with cisco since i would find it faster and easier to just type the commands i need to do the upgrade instead of making selection from a menu to select the name of the flash device, image file and so on. Also i often upgrade a lot of devices of the same type at the same time and then it's way much faster to type the line once and copy/paste to the other devices. Regarding security i never had any issues running a tftp server on my PC during the upgrade and never heard about anyone being hacked or anything because of that so i cannot see that as a problem at all.
There is a lot of good and free tftp/ftp servers out there that is just a small application you can start during the upgrade. Like the one i use which is a small application that include a tftp, ftp and syslog server. I also think that most of what's requested here could be done using a vbscript and run it as a macro as well.

So i hope Vandyke will continue to enhance securecrt and think of securecrt as a terminal emulation program and not include lot of stuff like tftp and ftp servers. That's one of the reasons why i think securecrt is the best available because it's just what it should be....a terminal emulation program and nothing more. If this request is implemented then please make it a add-on that's not installed by default. After all it's not supposed to be a fancy gui that create command lines for people based on menu choices.