SCP on Arista Switches

Posted by Kevin Giusti on June 29, 2022

It’s the year 2022, so can we collectively agree to stop using insecure protocols like FTP and TFTP to transfer files to and from network devices? One of the many advantages of Arista switches is that you can use Secure Copy Protocol (SCP), an encrypted protocol, to move files to and from them, and you can also use the switch itself as an SCP source or destination. Years ago, if you were remote and performing a firmware update on a network device, you’d have to set up an FTP or TFTP server and then deal with the headaches of active vs. passive FTP when going through a firewall. SCP runs over port 22 (the same as SSH), so in theory if you can SSH to the device you should also be able to SCP to it.

So let’s review the configuration and commands, with some examples of using SCP on Arista EOS.

Getting Started

To configure the switch as an SCP server, these global configuration commands are required. We will assume a RADIUS or TACACS server is not being used by the Arista switch (if RADIUS or TACACS is in use, your config will vary):

aaa authentication login console local

aaa authorization exec default local

Moving Files Around

Here’s a sample of how I push a file from my Macbook’s current directory to a switch:

kevins-macbook% scp EOS-4.25.5.1M.swi eos-admin@192.168.30.30:/mnt/flash/

Some notes on the variables in the command:

  • EOS-4.25.5.1M.swi is the file name being pushed
  • eos-admin is my username on the switch
  • 192.168.30.30 is the management IP of the switch
  • /mnt/flash/ is the flash directory on the switch where I want to place the file.

Here’s a sample of how to move a file from the switch to a local directory on my Macbook:

kevins-macbook% scp eos-admin@192.168.30.30:/mnt/flash/ARP_Output.txt ARP_Output.txt

Some notes on the variables in the command:

  • eos-admin is my username on the switch
  • 192.168.30.30 is the management IP of the switch
  • /mnt/flash/ARP_Output.txt is the text file that I want to download from the switch.
  • ARP_Output.txt is the file name I wish to create locally on my Macbook

Here’s how one can transfer an EOS software image from switch to switch:

Arista-720XP-CS1# bash

Arista Networks EOS shell

[eos-admin@Arista-720XP-CS1 ~]$ cd /mnt/flash/

[eos-admin@Arista-720XP-CS1 flash]$

[eos-admin@Arista-720XP-CS1 flash]$ scp EOS-4.25.5.1M.swi eos-admin@192.168.30.70:/mnt/flash/

Some notes on the variables in the command:

  • eos-admin is my username on the switches
  • 192.168.30.70 is the management IP of the destination switch
  • EOS-4.25.5.1M.swi is the software image that I want to transfer to the other switch.
  • /mnt/flash/ is the directory I want to put the software image into

Use Cases

Why should one care about being able to move files to and from the switch with SCP? Here are a few use cases that I’ve found meaningful:

  • SCP encrypts its payload. TFTP & FTP payloads are passed in the clear, meaning sensitive data can be seen in the data transfer. So SCP is much more secure than the alternatives.
  • SCP can be very helpful when you want to write a “show tech” or other command that has a lot of output to flash and then download it. Because it’s a little more modern, it handles larger file sizes a little better. The “-C” flag can also be used to compress the data stream which can greatly speed up a text file transfer.
  • Perhaps there is a packet capture on the switch (yes, you can perform a PCAP on EOS) that you would like to open locally on a machine. You can perform the PCAP on the shell, SCP it to a laptop and then open it in Wireshark to review it.
  • When working remotely and upgrading a number of switches, you can download the Arista EOS file to a local machine and SCP it up to one of the Arista switches. This usually takes a fair amount of time when pushing roughly 1GB over a home Internet connection through an SSL VPN connection to the switch. From there you can log into the switch you’ve uploaded the file to and push it to all of the other Arista switches on the corporate network. This is much faster since the transfer will just be going across the corporate LAN, which has much more bandwidth than the WAN.
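
The fan-out in the last use case can be scripted so the image is checked before it is copied anywhere. The following is an added example, not part of the original post: the function names, the DRY_RUN switch and the operator-supplied known-good SHA-512 are assumptions, and it only prints the scp commands unless DRY_RUN=0 is set.

```shell
# Added example (not from the original post): verify an EOS image, then
# push it to each switch with scp. All function names are hypothetical.

# Print the SHA-512 of a file with whichever tool is present (Linux or macOS).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if the image exists and matches the expected hash
# (assumption: the operator supplies a known-good value).
verify_image() {
    local image="$1" expected="$2"
    [ -f "$image" ] || { echo "missing image: $image" >&2; return 2; }
    [ "$(sha512_of "$image")" = "$expected" ] || {
        echo "hash mismatch, not pushing: $image" >&2; return 1; }
}

# Push one image to one switch. StrictHostKeyChecking=yes makes scp refuse a
# switch whose SSH host key is unknown or has changed, so known_hosts must
# already hold the key. With DRY_RUN=1 (default) the command is only printed.
push_one() {
    set -- scp -o StrictHostKeyChecking=yes "$1" "$2@$3:/mnt/flash/"
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Verify once, then push to every listed switch; stop at the first failure.
fan_out() {
    local image="$1" expected="$2" user="$3" host
    shift 3
    verify_image "$image" "$expected" || return 1
    for host in "$@"; do
        push_one "$image" "$user" "$host" || return 1
    done
}

# Usage, with the values from the post (EXPECTED_SHA512 is a placeholder):
#   DRY_RUN=0 fan_out EOS-4.25.5.1M.swi "$EXPECTED_SHA512" eos-admin 192.168.30.70
```

Because it depends only on scp and a SHA-512 tool, the same script can be run from the laptop or from the bash shell of the switch that received the first upload.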

Wrapping Up

So as you can see, there is a lot of utility in SCP on Arista switches. Not everyone knows it’s there, so I thought I would create this write-up. If you have more questions about using SCP on Arista switches, please feel free to contact us!
