
How to use VRF-Aware SCP


Introduction

The SCP feature works on routers; however, it does not work on interfaces that have VRF enabled. Since the management interface on the ASR is pre-configured with a VRF that cannot be removed, it is very important that VRF-aware SCP works on ASRs. This document explains how to set it up.


Solution

To use SCP on a VRF-enabled interface, you will need to do the following:

1) Configure SSH.
2) Configure the SSH source interface (for example, ip ssh source-interface Ethernet1/0). This is required because SCP uses SSH for its connection.

Configuration Example

R200#sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCe9UNszC4SXqY41ur9IIx5BIGVZcBYcFq8ongfir0C
9NVeJ4hB9/+Xu5eJIN6RCDdZOH1CK5iVrMw4yG4waLgLVSChf+42HoLNs+FQnjgVnKUIsODB2MbaQs9G
CARGkh7ZyB6cVxjLDqDKw6yea0O9JL+P50yMl3qXwx4z4ZiYrw==

R200#sh vrf
  Name                             Default RD          Protocols   Interfaces
  vpn1                             <not set>           ipv4        Et1/0

R200#sh run | i source
ip ssh source-interface Ethernet1/0

R200#copy unix:check_run scp://cisco@10.10.10.201://unix:
Address or name of remote host [10.10.10.201]? 
Destination username [cisco]? 
Destination filename [unix:]? unix:check-12
Writing unix:check-12 
Password: 
!
11 bytes copied in 12.068 secs (1 bytes/sec)
R200#

R200#copy scp://cisco@10.10.10.201://unix:check_run unix:
Destination filename [unix:check_run]? unix:chck-11
Password: 
!
11 bytes copied in 12.473 secs (1 bytes/sec)
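
A pre-flight check for the two prerequisites above, as an added example in Python (not part of the original document and not Cisco code): it reads a saved running-config and reports whether ip ssh source-interface is set, whether that interface sits in the VRF through which you expect to reach the SCP server, and whether SSH is pinned to version 2. The function name, the sample configuration and the 10.10.10.200 address are constructed for illustration.

```python
import re

def check_vrf_scp_prereqs(running_config, expected_vrf):
    """Return findings for the SCP prerequisites; an empty list means all are met."""
    iface_vrf, current, source_if, ssh_v2 = {}, None, None, False
    for line in running_config.splitlines():
        line = line.rstrip()
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            iface_vrf[current] = None              # None = global routing table
        elif current and (m := re.match(r"\s+(?:ip )?vrf forwarding (\S+)", line)):
            iface_vrf[current] = m.group(1)        # both IOS spellings accepted
        elif line and not line.startswith(" "):
            current = None                         # left interface sub-mode
            if m := re.match(r"ip ssh source-interface (\S+)", line):
                source_if = m.group(1)
            elif line == "ip ssh version 2":
                ssh_v2 = True
    findings = []
    if source_if is None:
        findings.append("no 'ip ssh source-interface' configured")
    elif source_if not in iface_vrf:
        findings.append(f"source interface {source_if} is not defined")
    elif iface_vrf[source_if] != expected_vrf:
        actual = iface_vrf[source_if] or "global table"
        findings.append(f"{source_if} is in {actual}, expected VRF {expected_vrf}")
    if not ssh_v2:
        # IOS shows "version 1.99" when both SSHv1 and SSHv2 are accepted.
        findings.append("'ip ssh version 2' is not set")
    return findings

# Constructed sample modelled on the R200 output above; the address is made up.
SAMPLE_CONFIG = """\
hostname R200
!
interface Ethernet1/0
 vrf forwarding vpn1
 ip address 10.10.10.200 255.255.255.0
!
ip ssh source-interface Ethernet1/0
"""

if __name__ == "__main__":
    for finding in check_vrf_scp_prereqs(SAMPLE_CONFIG, "vpn1"):
        print("FINDING:", finding)
```

Run it against the output of show running-config saved to a file, passing the VRF in which the SCP server answers a ping vrf.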

Comments
New Member

This does not work for me.

Switch#show ip vrf
  Name                             Default RD          Interfaces
  RTW1                             65000:1             Fa0/1
  RTW2                             65000:2             Fa0/2

Switch#show run | include ssh
ip ssh source-interface FastEthernet0/2
ip ssh version 2

Switch#copy flash:c3560-ipservicesk9-mz.122-53.SE2.bin scp://tom@172.25.15.82/c3560-ipservicesk9-mz.122-53.SE2.bin
Address or name of remote host [172.25.15.82]?
Destination username [tom]?
Destination filename [c3560-ipservicesk9-mz.122-53.SE2.bin]?
Writing c3560-ipservicesk9-mz.122-53.SE2.bin Destination unreachable; gateway or host down

%Error opening scp://tom@172.25.15.82/c3560-ipservicesk9-mz.122-53.SE2.bin (Transfer aborted)

Any ideas?

New Member

A ping vrf RTW1 172.25.15.82 works by the way, and when I remove Fa0/2 from the VRF and into the global routing table, the SCP command is more successful. I then get the following error:

Switch#copy flash:c3560-ipservicesk9-mz.122-53.SE2.bin scp://tom@172.25.15.82/c3560-ipservicesk9-mz.122-53.SE2.bin

Address or name of remote host [172.25.15.82]?

Destination username [tom]?

Destination filename [c3560-ipservicesk9-mz.122-53.SE2.bin]?

Writing c3560-ipservicesk9-mz.122-53.SE2.bin

Password:

%Administratively disabled.
