Table Of Contents
Roles of the USB eToken and the USB Flash
Functionality Differences Between an eToken and a USB Flash
How to Set Up and Use USB Modules on Cisco Routers
Storing the Configuration on an External USB Flash Drive or eToken
Accessing and Setting Up the eToken
Use of RSA Keys with an eToken
Setting Administrative Functions on the eToken
Troubleshooting USB Flash Drives and eTokens
The show usb controllers Command
Configuration Examples for Secure Token Support
Logging Into and Saving RSA Keys to eToken: Example
crypto pki token removal timeout
crypto pki token secondary config
USB Storage
The USB Storage feature enables certain models of Cisco routers to support USB flash modules and with SmartCard technology (which is owned by Aladdin Knowledge Systems) in a USB key form factor (also referred to as a USB eToken) to provide secure access to a router.
USB eTokens provides secure configuration distribution and allows users to store Virtual Private Network (VPN) credentials for deployment. USB flash drives allow users to store images and configurations external to the router.
Feature History for USB Storage
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Prerequisites for USB Storage
•
Information About USB Storage
•
How to Set Up and Use USB Modules on Cisco Routers
•
Configuration Examples for Secure Token Support
Prerequisites for USB Storage
Before you can use a USB Flash module or an eToken, you should have the following system requirements:
•
A Cisco 871 router, Cisco 1800 series, Cisco 2800 series, or a Cisco 3800 series router
•
At least a Cisco IOS Release 12.3(14)T image running on any of the supported platforms
•
A Cisco supported USB flash or USB eToken
•
A k9 image is required for USB eToken support. (However, USB flash support is available in all images.)
Restrictions for USB Storage
•
USB eToken support requires a 3DES (k9) Cisco IOS software image, which provides secure file storage.
•
USB hubs are currently not supported. Thus, the number of supported devices is limited to the number of available USB ports on the router chassis.
•
You cannot boot an image from an eToken or a USB flash. (However, you can boot a configuration from both an eToken and flash.)
Information About USB Storage
To use a USB flash module and a secure eToken on your router, you should understand the following concepts:
•
Roles of the USB eToken and the USB Flash
Roles of the USB eToken and the USB Flash
Both USB eTokens and USB flash modules can be used to store files (such as router configurations). The following sections discuss how each device functions and describe the differences between each device:
•
Functionality Differences Between an eToken and a USB Flash
How a USB eToken Works
A SmartCard is a small plastic card, containing a microprocessor and memory that allows you to store and process data. A SmartCard eToken is a SmartCard with a USB interface. The eToken can securely store any type of file within its available storage space (32KB). Configuration files that are stored on the eToken can be encrypted and accessed only via a user PIN. The router will not load the configuration file unless the proper PIN has been configured for secure deployment of router configuration files.
After you plug the eToken into the router, you must log into the eToken; thereafter, you can change default settings, such as the user PIN (default: 1234567890) and the allowed number of failed login attempts before future logins are refused (default: 15 attempts). For more information on accessing and configuring the eToken, see the section "Accessing and Setting Up the eToken."
After you have successfully logged into the eToken, you can copy files from the router on to the eToken via the copy command. By default, after the eToken is removed from the router, all associated RSA keys are removed; IPSec tunnels are not torn down until the next Internet Key Exchange (IKE) negotiation period. (To change the default behavior and configure a specified length of time before the IPSec tunnels are torn down, issue the crypto pki token removal timeout command.)
For more information about the eToken by Aladdin Knowledge Systems, see the Aladdin website at http://www.aladdin.com/etoken/cisco/.
How a USB Flash Works
A Cisco USB flash module allows you to store and deploy router configurations and Cisco IOS software images. Cisco USB flash modules are available in 64MB, 128 MB, and 256MB versions.
Note
The USB flash is not a replacement for the router compact flash, which must be present for the router to boot.
After you plug the USB flash module into the router, the router will automatically begin to boot the configuration file if the start-up configuration contains the boot config command to specify the new configuration located on the USB flash device; for example boot config usbflash0: new-config.
Functionality Differences Between an eToken and a USB Flash
Both eTokens and USB flash provide users with secondary storage; however, each device has its own benefits and limitations. To help determine which device better suits your needs, Table 1 highlights the functionality differences between the eToken and the USB flash.
Benefits of USB Storage
USB flash drive and USB eToken support on a Cisco router provides the following application benefits:
Removable Credentials: Provide or Store VPN Credentials on an External Device for Deployment
An Aladdin eToken can use SmartCard technology to store a digital certificate and configuration for IPSec VPN deployment. This ability enhances the capability of the router to generate RSA public keys to authenticate at least one IPSec tunnel. (Because a router can initiate multiple IPSec tunnels, the eToken can contain several certificates, as appropriate.)
Storing VPN credentials on an external device reduces the threat of compromising secure data.
PIN Configuration for Secure File Deployment
An Aladdin eToken can store a configuration file that can be used for enabling encryption on the router via a user-configured PIN. (That is, no digital certificates, preshared keys, or VPNs are used.)
Touchless or Low Touch Configuration
Both the eToken and USB Flash can provide remote software configuration and provisioning with little or no human interaction. Configuration is set up as an automated process. That is, both devices can store a bootstrap configuration that the router can use to boot from after the eToken or USB Flash has been inserted into the router. The bootstrap configuration connects the router to a TFTP server, which contains a configuration that completely configures the router.
How to Set Up and Use USB Modules on Cisco Routers
This section contains the following procedures that allow you to configure a router to support USB modules:
•
Storing the Configuration on an External USB Flash Drive or eToken
•
Accessing and Setting Up the eToken
•
Troubleshooting USB Flash Drives and eTokens
Storing the Configuration on an External USB Flash Drive or eToken
Use the following task to store the configuration file in the USB flash drive module or in an eToken.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
boot config {usbflash[0-9]:filename | usbtoken[0-9]:filename}
DETAILED STEPS
Accessing and Setting Up the eToken
After you have inserted the eToken into the Cisco router, you must log into the eToken as shown in the following task:
•
Logging Into the eToken (required)
After you have logged into the eToken, you can perform administrative tasks, such as changing the user PIN and copying files from the router to the eToken, as shown in the following task:
•
Setting Administrative Functions on the eToken (optional)
Use of RSA Keys with an eToken
•
RSA keys are loaded after the eToken is successfully logged into the router.
•
By default, newly generated RSA keys are stored on the most recently inserted eToken. Regenerated keys should be stored in the same location that the original RSA key was generated.
Logging Into the eToken
Use this task to log into an eToken manually or automatically.
Automatic Login
Automatic login allows the router to completely come back up without any user or operator intervention. The PIN is stored in the private configuration, so it is not visible in the startup or running configuration.
Note
A hand-generated startup configuration can contain the automatic login command for deployment purposes, but the copy system:running-config nvram: startup-config command must be issued to put the hand-generated configuration in the private configuration.
Manual Login
Manual login can be used when storing a PIN on the router is not desirable. Manual login can be executed with or without privileges, and it will make files and RSA keys on the eToken available to the Cisco IOS software. If a secondary configuration file is configured, it will only be executed with the privileges of the user who is performing the login. Thus, if you want to use manual login and set up the secondary configuration on the eToken to perform anything useful, you need to enable privileges.
Manual login can also be used in recovery scenarios for which the router configuration has been lost. If the scenario contains a remote site that normally connects to the core network with a VPN, the loss of the configuration and RSA keys requires out-of-band services that the eToken can provide. The eToken can contain a boot configuration, a secondary configuration, or both, and RSA keys to authenticate the connection.
Manual login may also be suitable for some initial deployment or hardware replacement scenarios for which the router is obtained from the local supplier or drop-shipped to the remote site.
Unlike automatic login, manual login requires that the user know the actual token PIN. However, if the user also has physical access to the eToken, he or she can use Aladdin's Windows-based utilities to copy the RSA keys and secondary config files from the eToken.
SUMMARY STEPS
1.
enable
2.
crypto pki token token-name [admin] login [pin]
or
configure terminal
3.
crypto pki token token-name user-pin [pin]
4.
exit
5.
show usbtoken[0-9]:filename
DETAILED STEPS
Setting Administrative Functions on the eToken
Use this task to change default settings, such as the user PIN and the maximum number of failed on the eToken.
SUMMARY STEPS
1.
enable
2.
crypto pki token token-name [admin] change-pin [pin]
3.
configure terminal
4.
crypto pki token {token-name | default} removal timeout [minutes]
5.
crypto pki token {token-name | default} max-retries [number]
6.
exit
7.
copy usbflash[0-9]:filename destination-url
8.
show usbtoken[0-9]:filename
9.
crypto pki token token-name logout
DETAILED STEPS
Command or Action PurposeStep 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Enter your password if prompted.
Step 2
crypto pki token token-name [admin] change-pin [pin]
Example:Router# crypto pki token usbtoken0 admin change-pin
(Optional) Changes the user PIN number on the USB eToken.
•
If the PIN is not changed, the default PIN—1234567890—will be used.
Note
After the PIN has been changed, you must reset the login failure count to zero (via the crypto pki token max-retries command). The maximum number of allowable login failures is set (by default) to 15.
Step 3
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 4
crypto pki token {token-name | default} removal timeout [seconds]
Example:Router(config)# crypto pki token usbtoken0 removal timeout 60
(Optional) Sets the time interval, in seconds, that the router will wait before removing the RSA keys that are stored in the eToken after the eToken has been removed from the router.
Note
If this command is not issued, all RSA keys and IPSec tunnels associated with the eToken are torn down immediately after the eToken is removed from the router.
Step 5
crypto pki token {token-name | default} max-retries [number]
Example:Router(config)# crypto pki token usbtoken0 max-retries 20
(Optional) Sets the maximum number of consecutive failed login attempts allowed before access to the eToken is denied.
•
By default, the value is set at 15.
Step 6
exit
Example:Router(config)# exit
Exits global configuration mode.
Step 7
copy usbflash[0-9]:filename destination-url
Example:Router# copy usbflash0:
Copies files from the router to the eToken.
•
destination-url—See the copy command page documentation for a list of supported options.
Step 8
show usbtoken[0-9]:filename
Example:Router#
(Optional) Displays information about the USB eToken. You can use this command to verify whether the USB eToken has been logged onto the router.
Step 9
crypto pki token token-name logout
Example:Router# crypto pki toke usbtoken0 logout
Logs the router out of the USB eToken.
Note
If you want to save any data to the USB eToken, you must log back into the eToken.
Troubleshooting USB Flash Drives and eTokens
This section contains descriptions of the following Cisco IOS commands that can be used to help troubleshoot possible problems that may arise while using a USB Flash or a USB eToken:
•
The show file systems Command
•
The show usb controllers Command
The show file systems Command
Step 1
Use the show file systems command to determine whether the router recognizes that there is a USB module plugged into a USB port. The USB module should appear on the list of file systems. If the module does not appear on the list, it can indicate any of the following problems:
•
A connection problem with the USB module
•
The Cisco IOS image running on the router does not support a USB module
•
A hardware problem with the USB module itself
Step 2
Use the show file systems command to determine if a USB Flash module is formatted properly. To be compatible with a Cisco router, a USB Flash module must be formatted in a FAT16 format. If that is not the case, the show file systems command will display an error indicating an incompatible file system.
Sample output from the show file systems command showing a USB Flash module and a USB eToken appear below. The USB module listing appears in the last line of the examples.
Router# show file systemsFile Systems:Size(b) Free(b) Type Flags Prefixes- - opaque rw archive:- - opaque rw system:- - opaque rw null:- - network rw tftp:* 129880064 69414912 disk rw flash:#491512 486395 nvram rw nvram:- - opaque wo syslog:- - opaque rw xmodem:- - opaque rw ymodem:- - network rw rcp:- - network rw pram:- - network rw ftp:- - network rw http:- - network rw scp:- - network rw https:- - opaque ro cns:63158272 33037312 usbflash rw usbflash0:32768 858 usbtoken rw usbtoken1:
The show usb device Command
Step 1
Use the show usb device command to determine if a USB module is supported by Cisco. The sample output for both the USB Flash and the USB eToken that indicates whether or not the module is supported are highlighted in the sample outputs below.
The following sample output is for a USB Flash module:
Router# show usb deviceHost Controller:1Address:0x1Device Configured:YESDevice Supported:YESDescription:DiskOnKeyManufacturer:M-SysVersion:2.0Serial Number:0750D84030316868Device Handle:0x1000000USB Version Compliance:2.0Class Code:0x0Subclass Code:0x0Protocol:0x0Vendor ID:0x8ECProduct ID:0x15Max. Packet Size of Endpoint Zero:64Number of Configurations:1Speed:FullSelected Configuration:1Selected Interface:0Configuration:Number:1Number of Interfaces:1Description:Attributes:NoneMax Power:140 mAInterface:Number:0Description:Class Code:8Subclass:6Protocol:80Number of Endpoints:2Endpoint:Number:1Transfer Type:BULKTransfer Direction:Device to HostMax Packet:64Interval:0Endpoint:Number:2Transfer Type:BULKTransfer Direction:Host to DeviceMax Packet:64Interval:0The following sample output is for a supported USB eToken:
Router# show usb deviceHost Controller:1Address:0x11Device Configured:YESDevice Supported:YESDescription:eToken Pro 4254Manufacturer:AKSVersion:1.0Serial Number:Device Handle:0x1010000USB Version Compliance:1.0Class Code:0xFFSubclass Code:0x0Protocol:0x0Vendor ID:0x529Product ID:0x514Max. Packet Size of Endpoint Zero:8Number of Configurations:1Speed:LowSelected Configuration:1Selected Interface:0Configuration:Number:1Number of Interfaces:1Description:Attributes:NoneMax Power:60 mAInterface:Number:0Description:Class Code:255Subclass:0Protocol:0Number of Endpoints:0
The show usb controllers Command
Step 1
Use the show usb controllers command to determine if there is a hardware problem with a USB Flash module. If the show usb controllers command displays an error, it indicates a hardware problem in the USB module.
You can also use the show usb controllers command to verify that copy operations onto a USB Flash module are occurring successfully. Issuing the show usb controllers command after performing a file copy should display successful data transfers.
Sample output for the show usb controllers command for a working USB Flash module appears below:
Router# show usb controllersName:1362HCDController ID:1Controller Specific Information:Revision:0x11Control:0x80Command Status:0x0Hardware Interrupt Status:0x24Hardware Interrupt Enable:0x80000040Hardware Interrupt Disable:0x80000040Frame Interval:0x27782EDFFrame Remaining:0x13C1Frame Number:0xDA4CLSThreshold:0x628RhDescriptorA:0x19000202RhDescriptorB:0x0RhStatus:0x0RhPort1Status:0x100103RhPort2Status:0x100303Hardware Configuration:0x3029DMA Configuration:0x0Transfer Counter:0x1Interrupt:0x9Interrupt Enable:0x196Chip ID:0x3630Buffer Status:0x0Direct Address Length:0x80A00ATL Buffer Size:0x600ATL Buffer Port:0x0ATL Block Size:0x100ATL PTD Skip Map:0xFFFFFFFFATL PTD Last:0x20ATL Current Active PTD:0x0ATL Threshold Count:0x1ATL Threshold Timeout:0xFFInt Level:1Transfer Completion Codes:Success :920 CRC :0Bit Stuff :0 Stall :0No Response :0 Overrun :0Underrun :0 Other :0Buffer Overrun :0 Buffer Underrun :0Transfer Errors:Canceled Transfers :2 Control Timeout :0Transfer Failures:Interrupt Transfer :0 Bulk Transfer :0Isochronous Transfer :0 Control Transfer:0Transfer Successes:Interrupt Transfer :0 Bulk Transfer :26Isochronous Transfer :0 Control Transfer:894USBD Failures:Enumeration Failures :0 No Class Driver Found:0Power Budget Exceeded:0USB MSCD SCSI Class Driver Counters:Good Status Failures :3 Command Fail :0Good Status Timed out:0 Device not Found:0Device Never Opened :0 Drive Init Fail :0Illegal App Handle :0 Bad API Command :0Invalid Unit Number :0 Invalid Argument:0Application Overflow :0 Device in use :0Control Pipe Stall :0 Malloc Error :0Device Stalled :0 Bad Command Code:0Device Detached :0 Unknown Error :0Invalid Logic Unit Num:0USB Aladdin Token Driver Counters:Token Inserted :1 Token Removed :0Send Insert Msg Fail :0 Response Txns :434Dev Entry Add Fail :0 Request Txns :434Dev Entry Remove Fail:0 Request Txn Fail:0Response Txn Fail :0 Command Txn Fail:0Txn Invalid Dev Handle:0USB Flash File System Counters:Flash Disconnected :0 Flash Connected :1Flash Device Fail :0 Flash Ok :1Flash startstop Fail :0 Flash FS Fail :0USB Secure Token File System Counters:Token Inserted :1 Token Detached :0Token FS success :1 Token FS Fail :0Token Max Inserted :0 Create Talker Failures:0Token Event :0 Destroy Talker Failures:0Watched Boolean Create Failures:0
The dir Command
Step 1
Use the dir command with the usbflash[0-9]: or the usbtoken[0-9]: keyword to display all files, directories, and their permission strings on the USB Flash or USB eToken.
The following sample output displays directory information for the USB Flash:
Router# dir usbflash0:Directory of usbflash0:/1 -rw- 30125020 Dec 22 2032 05:31:32 +00:00 c3825-entservicesk9-mz.123-14.T63158272 bytes total (33033216 bytes free)The following sample output displays directory information for the USB eToken:
Router# dir usbtoken1:Directory of usbtoken1:/2 d--- 64 Dec 22 2032 05:23:40 +00:00 10005 d--- 4096 Dec 22 2032 05:23:40 +00:00 10018 d--- 0 Dec 22 2032 05:23:40 +00:00 100210 d--- 512 Dec 22 2032 05:23:42 +00:00 100312 d--- 0 Dec 22 2032 05:23:42 +00:00 500013 d--- 0 Dec 22 2032 05:23:42 +00:00 600014 d--- 0 Dec 22 2032 05:23:42 +00:00 700015 ---- 940 Jun 27 1992 12:50:42 +00:00 mystartup-config16 ---- 1423 Jun 27 1992 12:51:14 +00:00 myrunning-config32768 bytes total (858 bytes free)The following sample output displays directory information for all devices the router is aware of:
Router# dir all-filesystemsDirectory of archive:/No files in directoryNo space information availableDirectory of system:/2 drwx 0 <no date> its115 dr-x 0 <no date> lib144 dr-x 0 <no date> memory1 -rw- 1906 <no date> running-config114 dr-x 0 <no date> vfilesNo space information availableDirectory of flash:/1 -rw- 30125020 Dec 22 2032 03:06:04 +00:00 c3825-entservicesk9-mz.123-14.T129880064 bytes total (99753984 bytes free)Directory of nvram:/476 -rw- 1947 <no date> startup-config477 ---- 46 <no date> private-config478 -rw- 1947 <no date> underlying-config1 -rw- 0 <no date> ifIndex-table2 ---- 4 <no date> rf_cold_starts3 ---- 14 <no date> persistent-data491512 bytes total (486395 bytes free)Directory of usbflash0:/1 -rw- 30125020 Dec 22 2032 05:31:32 +00:00 c3825-entservicesk9-mz.123-14.T63158272 bytes total (33033216 bytes free)Directory of usbtoken1:/2 d--- 64 Dec 22 2032 05:23:40 +00:00 10005 d--- 4096 Dec 22 2032 05:23:40 +00:00 10018 d--- 0 Dec 22 2032 05:23:40 +00:00 100210 d--- 512 Dec 22 2032 05:23:42 +00:00 100312 d--- 0 Dec 22 2032 05:23:42 +00:00 500013 d--- 0 Dec 22 2032 05:23:42 +00:00 600014 d--- 0 Dec 22 2032 05:23:42 +00:00 700015 ---- 940 Jun 27 1992 12:50:42 +00:00 mystartup-config16 ---- 1423 Jun 27 1992 12:51:14 +00:00 myrunning-config32768 bytes total (858 bytes free)
Configuration Examples for Secure Token Support
This section contains the following configuration example:
•
Logging Into and Saving RSA Keys to eToken: Example
Logging Into and Saving RSA Keys to eToken: Example
The following configuration example shows to how log into the eToken, generate RSA keys, and store the RSA keys onto the eToken:
! Configure the router to automatically log into the eTokenconfigure terminalcrypto pki token default user-pin 0 1234567890! Generate RSA keys and enroll certificates with the CA.crypto pki trustpoint IOSCAenrollment url http://10.23.2.2exitcrypto ca authenticate IOSCACertificate has the following attributes:Fingerprint MD5:23272BD4 37E3D9A4 236F7E1A F534444EFingerprint SHA1:D1B4D9F8 D603249A 793B3CAF 8342E1FE 3934EB7A% Do you accept this certificate? [yes/no]:yesTrustpoint CA certificate accepted.crypto pki enrollcrypto pki enroll IOSCA%% Start certificate enrollment ..% Create a challenge password. You will need to verbally provide thispassword to the CA Administrator in order to revoke your certificate.For security reasons your password will not be saved in the configuration.Please make a note of it.Password:Re-enter password:% The subject name in the certificate will include:c2851-27.cisco.com% Include the router serial number in the subject name? [yes/no]:no% Include an IP address in the subject name? [no]:noRequest certificate from CA? [yes/no]:yes% Certificate request sent to Certificate Authority% The 'show crypto ca certificate IOSCA verbose' command will show the fingerprint.*Jan 13 06:47:19.413:CRYPTO_PKI: Certificate Request Fingerprint MD5:E6DDAB1B0E30EFE6 54529D8A DA787DBA*Jan 13 06:47:19.413:CRYPTO_PKI: Certificate Request Fingerprint SHA1:3B0F33B7 57C02A10 3935042B C4B6CD3D 61039251*Jan 13 06:47:21.021:%PKI-6-CERTRET:Certificate received from Certificate Authority! Issue the write memory command, which will automatically save the RSA keys to the eToken ! instead of private NVRAM.Router# write memoryBuilding configuration...[OK]*Jan 13 06:47:29.481:%CRYPTO-6-TOKENSTOREKEY:Key c2851-27.cisco.com stored onCryptographic Token eToken SuccessfullyThe following sample output from the show crypto key mypubkey rsa command displays stored credentials after they are successfully load from the eToken. Credentials that are stored on the eToken are in the protected area. When storing the credentials on the eToken, the files are stored in a directory called /keystore. However, the key files are hidden from the CLI.
Router# show crypto key mypubkey rsa% Key pair was generated at:06:37:26 UTC Jan 13 2005Key name:c2851-27.cisco.comUsage:General Purpose KeyKey is not exportable.Key Data:305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E3C644 43AA7DDD732E0F4E 3CA0CDAB 387ABF05 EB8F22F2 2431F1AE 5D51FEE3 FCDEA934 7FBD36037C977854 B8E999BF 7FC93021 7F46ABF8 A4BA2ED6 172D3D09 B5020301 0001% Key pair was generated at:06:37:27 UTC Jan 13 2005Key name:c2851-27.cisco.com.serverUsage:Encryption KeyKey is not exportable.Key Data:307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00DD96AE 4BF912EB2C261922 4784EF98 2E70E837 774B3778 7F7AEB2D 87F5669B BF5DDFBC F0D521A556AB8FDC 9911968E DE347FB0 A514A856 B30EAFF4 D1F453E1 003CFE65 0CCC6DC721FBE3AC 2F8DEA16 126754BC 1433DEF9 53266D33 E7338C95 BB020301 0001Additional References
The following sections provide references related to USB storage support.
Related Documents
Standards
MIBs
MIBs MIBs LinkNone
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
This section documents new and modified commands only.
New Commands
•
crypto pki token removal timeout
•
crypto pki token secondary config
Modified Commands
•
copy
•
dir
boot config
To specify the device and filename of the configuration file from which the router configures itself during initialization (startup), use the boot config command in global configuration mode. To remove the specification, use the no form of this command.
boot config file-system-prefix:[directory/]filename
no boot config
Syntax Description
Defaults
NVRAM (nvram:)
Command Modes
Global configuration
Command History
Release Modification11.0
This command was introduced.
12.3(14)T
Support for Class B file system platforms and the following file system prefix options were added: usbflash[0-9]: and usbtoken[0-9]:.
Usage Guidelines
This command is available only on Class A and Class B file system platforms.
You set the CONFIG_FILE environment variable in the current running memory when you use the boot config command. This variable specifies the configuration file used for initialization (startup). The configuration file must be an ASCII file located in either NVRAM or Flash memory.
Note
When you use this global configuration command, you affect only the running configuration. You must save the environment variable setting to your startup configuration to place the information under ROM monitor control and to have the environment variable function as expected. Use the copy system:running-config nvram:startup-config command to save the environment variable from your running configuration to your startup configuration.
The software displays an error message and does not update the CONFIG_FILE environment variable in the following situations:
•
You specify nvram: as the file system, and it contains only a distilled version of the configuration. (A distilled configuration is one that does not contain access lists.)
•
You specify a configuration file in the filename argument that does not exist or is not valid.
The router uses the NVRAM configuration during initialization when the CONFIG_FILE environment variable does not exist or when it is null (such as at first-time startup). If the software detects a problem with NVRAM or the configuration it contains, the device enters setup mode.
When you use the no form of this command, the router returns to using the default NVRAM configuration file as the startup configuration.
Examples
In the following example, the first line specifies that the router should use the configuration file named router-config located in internal Flash memory to configure itself during initialization. The third line copies the specification to the startup configuration, ensuring that this specification will take effect upon the next reload.
Router(config)# boot config flash:router-configRouter(config)# endRouter# copy system:running-config nvram:startup-configThe following example instructs a Cisco 7500 series router to use the configuration file named router-config located on the Flash memory card inserted in the second PCMCIA slot of the RSP card during initialization. The third line copies the specification to the startup configuration, ensuring that this specification will take effect upon the next reload.
Router (config)# boot config slot1:router-configRouter (config)# endRouter# copy system:running-config nvram:startup-configRelated Commands
copy
To copy any file from a source to a destination, use the copy command in privileged EXEC mode.
copy [/erase] [/verify | /noverify] source-url destination-url
Syntax Description
The exact format of the source and destination URLs varies according to the file or directory location. You may enter either an alias keyword for a particular file or a filename that follows the standard Cisco IOS file system syntax (filesystem:[/filepath][/filename]).
Table 2 shows two keyword shortcuts to URLs.
The following tables list URL prefix keywords by file system type. The available file systems will vary by platform. If you do not specify a URL prefix keyword, the router looks for a file in the current directory.
Table 3 lists URL prefix keywords for Special (opaque) file systems. Table 4 lists them for remote file systems, and Table 5 lists them for local writable storage.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The fundamental function of the copy command is to allow you to copy a file (such as a system image or configuration file) from one location to another location. The source and destination for the file is specified using a Cisco IOS File System URL, which allows you to specify any supported local or remote file location. The file system being used (such as a local memory source, or a remote server) dictates the syntax used in the command.
You can enter on the command line all necessary source- and destination-URL information and the username and password to use, or you can enter the copy command and have the router prompt you for any missing information.
For local file systems, two commonly used aliases exist for the system:running-config and nvram:startup-config files; these aliases are running-config and startup-config, respectively.
Timesaver
Aliases are used to cut down on the amount of typing you need to perform. For example, it is easier to type copy run start (the abbreviated form of the copy running-config startup-config command) than it is to type copy system:r nvram:s (the abbreviated form of the copy system:running-config nvram:startup-config command). These aliases also allow you to continue using some of the common commands used in previous versions of Cisco IOS software.
The entire copying process may take several minutes and differs from protocol to protocol and from network to network.
The colon is required after the file system URL prefix keywords (such as flash). In some cases, file system prefixes that did not require colons in earlier software releases are allowed for backwards compatibility, but use of the colon is recommended.
In the URL syntax for ftp:, http:, https:, rcp:, scp: and tftp:, the location is either an IP address or a host name. The filename is specified relative to the directory used for file transfers.
The following sections contain usage guidelines for the following topics:
•
Understanding Invalid Combinations of Source and Destination
•
Understanding Character Descriptions
•
Copying from a Server to Flash Memory
•
Copying a Configuration File from a Server to the Running Configuration
•
Copying a Configuration File from a Server to the Startup Configuration
•
Storing the Running or Startup Configuration on a Server
•
Saving the Running Configuration to the Startup Configuration
•
Using CONFIG_FILE, BOOT, and BOOTLDR Environment Variables
•
Using the Copy Command with the Dual RSP Feature
Understanding Invalid Combinations of Source and Destination
Some invalid combinations of source and destination exist. Specifically, you cannot copy:
•
From a running configuration to a running configuration
•
From a startup configuration to a startup configuration
•
From a device to the same device (for example, the copy flash: flash: command is invalid)
Understanding Character Descriptions
Table 6 describes the characters that you may see during processing of the copy command.
Understanding Partitions
You cannot copy an image or configuration file to a Flash partition from which you are currently running. For example, if partition 1 is running the current system image, copy the configuration file or image to partition 2. Otherwise, the copy operation will fail.
You can identify the available Flash partitions by entering the show file system EXEC command.
Using rcp
The rcp requires a client to send a remote username upon each rcp request to a server. When you copy a configuration file or image between the router and a server using rcp, the Cisco IOS software sends the first valid username it encounters in the following sequence:
1.
The remote username specified in the copy command, if a username is specified.
2.
The username set by the ip rcmd remote-username global configuration command, if the command is configured.
3.
The remote username associated with the current tty (terminal) process. For example, if the user is connected to the router through Telnet and was authenticated through the username command, the router software sends the Telnet username as the remote username.
4.
The router host name.
For the rcp copy request to process, an account must be defined on the network server for the remote username. If the network administrator of the destination server did not establish an account for the remote username, this command will not run. If the server has a directory structure, the configuration file or image is written to or copied from the directory associated with the remote username on the server. For example, if the system image resides in the home directory of a user on the server, specify that username as the remote username.
If you are writing to the server, the rcp server must be properly configured to accept the rcp write request from the user on the router. For UNIX systems, add an entry to the .rhosts file for the remote user on the rcp server. Suppose the router contains the following configuration lines:
hostname Rtr1ip rcmd remote-username User0If the router IP address translates to Router1.company.com, then the .rhosts file for User0 on the rcp server should contain the following line:
Router1.company.com Rtr1Refer to the documentation for your rcp server for more details.
If you are using a personal computer as a file server, the computer must support the remote shell protocol (rsh).
Using FTP
The FTP protocol requires a client to send a username and password with each FTP request to a remote FTP server. Use the ip ftp username and ip ftp password global configuration commands to specify a default username and password for all copy operations to or from an FTP server. Include the username in the copy command syntax if you want to specify a username for that copy operation only.
When you copy a file from the router to a server using FTP, the Cisco IOS software sends the first valid username that it encounters in the following sequence:
1.
The username specified in the copy command, if a username is specified.
2.
The username set by the ip ftp username command, if the command is configured.
3.
Anonymous.
The router sends the first valid password in the following list:
1.
The password specified in the copy command, if a password is specified.
2.
The password set by the ip ftp password command, if the command is configured.
3.
The router forms a password username@routername.domain. The variable username is the username associated with the current session, routername is the configured host name, and domain is the domain of the router.
The username and password must be associated with an account on the FTP server. If you are writing to the server, the FTP server must be properly configured to accept the FTP write request from the user on the router.
If the server has a directory structure, the configuration file or image is written to or copied from the directory associated with the username on the server. For example, if the system image resides in the home directory of a user on the server, specify that username as the remote username.
Refer to the documentation for your FTP server for details on setting up the server.
Using HTTP(S)
Copying a file to or from a remote HTTP or HTTPS server, to or from a local file system, is performed using the embedded Secure HTTP client that is integrated in Cisco IOS software. The HTTP client is enabled by default.
Downloading files from a remote HTTP or HTTPS server is performed using the HTTP client integrated in Cisco IOS software.
If a username and password are not specified in the copy command syntax, the system uses the default HTTP client username and password, if configured.
When you copy a file from a remote HTTP(S) server, the Cisco IOS software sends the first valid username that it encounters in the following sequence:
1.
The username specified in the copy command, if a username is specified.
2.
The username set by the ip http client username command, if the command is configured.
3.
Anonymous.
The router sends the first valid password in the following list:
1.
The password specified in the copy command, if a password is specified.
2.
The password set by the ip http client password command, if the command is configured.
3.
The router forms the password username@routername.domain. The variable username is the username associated with the current session, routername is the configured host name, and domain is the domain of the router.
Storing Images on Servers
Use the copy flash: destination-url command (for example, copy flash: tftp:) to copy a system image or boot image from Flash memory to a network server. You can use the copy of the image as a backup copy. Also, you can also use the image backup file to verify that the image in Flash memory is the same as that in the original file.
Copying from a Server to Flash Memory
Use the copy destination-url flash: command (for example, copy tftp: flash:) to copy an image from a server to Flash memory.
On Class B file system platforms, the system provides an option to erase existing Flash memory before writing onto it.
Note
Verify the image in Flash memory before booting the image.
Verifying Images
When copying a new image to your router, you should confirm that the image was not corrupted during the copy process. You can verify the integrity of the image in any of the following ways:
•
Depending on the destination file system type, a checksum for the image file may be displayed when the copy command completes. You can verify this checksum by comparing it to the checksum value provided for your image file on Cisco.com.
CautionIf the checksum values do not match, do not reboot the router. Instead, reissue the copy command and compare the checksums again. If the checksum is repeatedly wrong, copy the original image back into Flash memory before you reboot the router from Flash memory. If you have a corrupted image in Flash memory and try to boot from Flash memory, the router will start the system image contained in ROM (assuming booting from a network server is not configured). If ROM does not contain a fully functional system image, the router might not function and will need to be reconfigured through a direct console port connection.
•
Use the /verify keyword.
•
Enable automatic image verification by default by issuing the file verify auto command. This command will automatically check the integrity of each file that is copied via the copy command (without specifying the /verify option) to the router unless the /noverify keyword is specified.
•
Use the UNIX 'diff' command. This method can also be applied to file types other than Cisco IOS images. If you suspect that a file is corrupted, copy the suspect file and the original file to a UNIX server. (The file names may need to be modified if you try to save the files in the same directory.) Then run the UNIX 'diff' command on the two files. If there is no difference, then the file has not been corrupted.
Copying a Configuration File from a Server to the Running Configuration
Use the copy {ftp: | rcp: | scp: | tftp:} running-config command to load a configuration file from a network server to the running configuration of the router. (Note that running-config is the alias for the system:running-config keyword.) The configuration will be added to the running configuration as if the commands were typed in the command-line interface (CLI). Thus, the resulting configuration file will be a combination of the previous running configuration and the loaded configuration file, with the loaded configuration file having precedence.
You can copy either a host configuration file or a network configuration file. Accept the default value of host to copy and load a host configuration file containing commands that apply to one network server in particular. Enter network to copy and load a network configuration file containing commands that apply to all network servers on a network.
Copying a Configuration File from a Server to the Startup Configuration
Use the copy {ftp: | rcp: | scp: | tftp:} nvram:startup-config command to copy a configuration file from a network server to the router startup configuration. These commands replace the startup configuration file with the copied configuration file.
Storing the Running or Startup Configuration on a Server
Use the copy system:running-config {ftp: | rcp: | scp: | tftp:} command to copy the current configuration file to a network server using FTP, rcp, scp, or TFTP. Use the copy nvram:startup-config {ftp: | rcp: | scp: | tftp:} command to copy the startup configuration file to a network server.
The configuration file copy can serve as a backup copy.
Saving the Running Configuration to the Startup Configuration
Use the copy system:running-config nvram:startup-config command to copy the running configuration to the startup configuration.
Note
Some specific commands might not get saved to NVRAM. You will need to enter these commands again if you reboot the machine. These commands are noted in the documentation. We recommend that you keep a listing of these settings so you can quickly reconfigure your router after rebooting.
If you issue the copy system:running-config nvram:startup-config command from a bootstrap system image, a warning will instruct you to indicate whether you want your previous NVRAM configuration to be overwritten and configuration commands to be lost. This warning does not appear if NVRAM contains an invalid configuration or if the previous configuration in NVRAM was generated by a bootstrap system image.
On all platforms except Class A file system platforms, the copy system:running-config nvram:startup-config command copies the currently running configuration to NVRAM.
On the Class A Flash file system platforms, the copy system:running-config nvram:startup-config command copies the currently running configuration to the location specified by the CONFIG_FILE environment variable. This variable specifies the device and configuration file used for initialization. When the CONFIG_FILE environment variable points to NVRAM or when this variable does not exist (such as at first-time startup), the software writes the current configuration to NVRAM. If the current configuration is too large for NVRAM, the software displays a message and stops executing the command.
When the CONFIG_FILE environment variable specifies a valid device other than nvram: (that is, flash:, bootflash:, slot0:, or slot1:), the software writes the current configuration to the specified device and filename, and stores a distilled version of the configuration in NVRAM. A distilled version is one that does not contain access list information. If NVRAM already contains a copy of a complete configuration, the router prompts you to confirm the copy.
Using CONFIG_FILE, BOOT, and BOOTLDR Environment Variables
For the Class A Flash file system platforms, specifications are as follows:
•
The CONFIG_FILE environment variable specifies the configuration file used during router initialization.
•
The BOOT environment variable specifies a list of bootable images on various devices.
•
The BOOTLDR environment variable specifies the Flash device and filename containing the rxboot image that ROM uses for booting.
•
Cisco 3600 routers do not use a dedicated boot helper image (rxboot), which many other routers use to help with the boot process. Instead, the BOOTLDR ROM monitor environment variable identifies the Flash memory device and filename that are used as the boot helper; the default is the first system image in Flash memory.
To view the contents of environment variables, use the show bootvar EXEC command. To modify the CONFIG_FILE environment variable, use the boot config global configuration command. To modify the BOOTLDR environment variable, use the boot bootldr global configuration command. To modify the BOOT environment variable, use the boot system global configuration command. To save your modifications, use the copy system:running-config nvram:startup-config command.
When the destination of a copy command is specified by the CONFIG_FILE or BOOTLDR environment variable, the router prompts you for confirmation before proceeding with the copy. When the destination is the only valid image in the BOOT environment variable, the router also prompts you for confirmation before proceeding with the copy.
Using the Copy Command with the Dual RSP Feature
The Dual RSP feature allows you to install two Route Switch Processor (RSP) cards in a single router on the Cisco 7507 and Cisco 7513 platforms.
On a Cisco 7507 or Cisco 7513 router configured for Dual RSPs, if you copy a file to nvram:startup-configuration with automatic synchronization disabled, the system prompts whether you also want to copy the file to the slave startup configuration. The default answer is yes. If automatic synchronization is enabled, the system automatically copies the file to the slave startup configuration each time you use a copy command with nvram:startup-configuration as the destination.
Examples
The following examples illustrate uses of the copy command:
•
Verifying the Integrity of the Image Before It Is Copied Example
•
Copying an Image from a Server to Flash Memory Examples
•
Saving a Copy of an Image on a Server Examples
•
Copying a Configuration File from a Server to the Running Configuration Example
•
Copying a Configuration File from a Server to the Startup Configuration Example
•
Copying the Running Configuration to a Server Example
•
Copying the Startup Configuration to a Server Example
•
Saving the Current Running Configuration Example
•
Moving Configuration Files to Other Locations Examples
•
Copying a File from a Remote Web Server Examples
•
Copying an Image from the Master RSP Card to the Slave RSP Card Example
Verifying the Integrity of the Image Before It Is Copied Example
The following example shows how to specify image verification before copying an image:
Router# copy /verify tftp://10.1.1.1/jdoe/c7200-js-mz disk0:Destination filename [c7200-js-mz]?Accessing tftp://10.1.1.1/jdoe/c7200-js-mz...Loading jdoe/c7200-js-mz from 10.1.1.1 (via FastEthernet0/0):!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![OK - 19879944 bytes]19879944 bytes copied in 108.632 secs (183003 bytes/sec)Verifying file integrity of disk0:/c7200-js-mz ................................................................................................................................................................................... .......................................................................................... ......................Done!Embedded Hash MD5 :CFA258948C4ECE52085DCF428A426DCDComputed Hash MD5 :CFA258948C4ECE52085DCF428A426DCDCCO Hash MD5 :44A7B9BDDD9638128C35528466318183Signature Verified
Copying an Image from a Server to Flash Memory Examples
The following examples use a copy rcp:, copy tftp:, or copy ftp: command to copy an image file from a server to Flash memory:
•
Copying an Image from a Server to Flash Memory Example
•
Copying an Image from a Server to a Flash Memory Using Flash Load Helper Example
•
Copying an Image from a Server to a Flash Memory Card Partition Example
Copying an Image from a Server to Flash Memory Example
The following example copies a system image named file1 from the remote rcp server with an IP address of 172.16.101.101 to Flash memory. On Class B file system platforms, the Cisco IOS software allows you to first erase the contents of Flash memory to ensure that enough Flash memory is available to accommodate the system image.
Router# copy rcp://netadmin@172.16.101.101/file1 flash:file1Destination file name [file1]?Accessing file 'file1' on 172.16.101.101...Loading file1 from 172.16.101.101 (via Ethernet0): ! [OK]Erase flash device before writing? [confirm]Flash contains files. Are you sure you want to erase? [confirm]Copy 'file1' from serveras 'file1' into Flash WITH erase? [yes/no] yesErasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee...erasedLoading file1 from 172.16.101.101 (via Ethernet0): ![OK - 984/8388608 bytes]Verifying checksum... OK (0x14B3)Flash copy took 0:00:01 [hh:mm:ss]Copying an Image from a Server to a Flash Memory Using Flash Load Helper Example
The following example copies a system image into a partition of Flash memory. The system will prompt for a partition number only if there are two or more read/write partitions or one read-only and one read/write partition and dual Flash bank support in boot ROMs. If the partition entered is not valid, the process terminates. You can enter a partition number, a question mark (?) for a directory display of all partitions, or a question mark and a number (?number) for directory display of a particular partition. The default is the first read/write partition. In this case, the partition is read-only and has dual Flash bank support in boot ROM, so the system uses Flash Load Helper.
Router# copy tftp: flash:System flash partition information:Partition Size Used Free Bank-Size State Copy-Mode1 4096K 2048K 2048K 2048K Read Only RXBOOT-FLH2 4096K 2048K 2048K 2048K Read/Write Direct[Type ?<no> for partition directory; ? for full directory; q to abort]Which partition? [default = 2]**** NOTICE ****Flash load helper v1.0This process will accept the copy options and then terminatethe current system image to use the ROM based image for the copy.Routing functionality will not be available during that time.If you are logged in via telnet, this connection will terminate.Users with console access can see the results of the copy operation.---- ******** ----Proceed? [confirm]System flash directory, partition 1:File Length Name/status1 3459720 master/igs-bfpx.100-4.3[3459784 bytes used, 734520 available, 4194304 total]Address or name of remote host [255.255.255.255]? 172.16.1.1Source file name? master/igs-bfpx-100.4.3Destination file name [default = source name]?Loading master/igs-bfpx.100-4.3 from 172.16.1.111: !Erase flash device before writing? [confirm]Flash contains files. Are you sure? [confirm]Copy 'master/igs-bfpx.100-4.3' from TFTP serveras 'master/igs-bfpx.100-4.3' into Flash WITH erase? [yes/no] yesCopying an Image from a Server to a Flash Memory Card Partition Example
The following example copies the file c3600-i-mz from the rcp server at IP address 172.23.1.129 to the Flash memory card in slot 0 of a Cisco 3600 series router, which has only one partition. As the operation progresses, the Cisco IOS software prompts you to erase the files on the Flash memory PC card to accommodate the incoming file. This entire operation takes 18 seconds to perform, as indicated at the end of the example.
Router# copy rcp: slot0:PCMCIA Slot0 flashPartition Size Used Free Bank-Size State Copy Mode1 4096K 3068K 1027K 4096K Read/Write Direct2 4096K 1671K 2424K 4096K Read/Write Direct3 4096K 0K 4095K 4096K Read/Write Direct4 4096K 3825K 270K 4096K Read/Write Direct[Type ?<no> for partition directory; ? for full directory; q to abort]Which partition? [default = 1]PCMCIA Slot0 flash directory, partition 1:File Length Name/status1 3142288 c3600-j-mz.test[3142352 bytes used, 1051952 available, 4194304 total]Address or name of remote host [172.23.1.129]?Source file name? /tftpboot/images/c3600-i-mzDestination file name [/tftpboot/images/c3600-i-mz]?Accessing file '/tftpboot/images/c3600-i-mz' on 172.23.1.129...Connected to 172.23.1.129Loading 1711088 byte file c3600-i-mz: ! [OK]Erase flash device before writing? [confirm]Flash contains files. Are you sure you want to erase? [confirm]Copy '/tftpboot/images/c3600-i-mz' from serveras '/tftpboot/images/c3600-i-mz' into Flash WITH erase? [yes/no] yesErasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedConnected to 172.23.1.129Loading 1711088 byte file c3600-i-mz: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Verifying checksum... OK (0xF89A)Flash device copy took 00:00:18 [hh:mm:ss]Saving a Copy of an Image on a Server Examples
The following examples use copy commands to copy image files to a server for storage:
•
Copy an Image from Flash Memory to an rcp Server Example
•
Copy an Image from Flash Memory to an SSH Server Using scp Example
•
Copy an Image from a Partition of Flash Memory to a Server Example
•
Copying an Image from a Flash Memory File System to an FTP Server Example
•
Copying an Image from Boot Flash Memory to a TFTP Server Example
Copy an Image from Flash Memory to an rcp Server Example
The following example copies a system image from Flash Memory to an rcp server using the default remote username. Because the rcp server address and filename are not included in the command, the router prompts for it.
Router# copy flash: rcp:IP address of remote host [255.255.255.255]? 172.16.13.110Name of file to copy? gsxxwriting gsxx - copy completeCopy an Image from Flash Memory to an SSH Server Using scp Example
The following example shows how to use scp to copy a system image from Flash Memory to a server that supports SSH:
Router# copy flash:c4500-ik2s-mz.scp scp://user1@host1/Address or name of remote host [host1]?Destination username [user1]?Destination filename [c4500-ik2s-mz.scp]?Writing c4500-ik2s-mz.scpPassword:!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Before you can use the server-side functionality, SSH, authentication, and authorization must be properly configured so the router can determine whether a user is at the right privilege level. The scp server-side functionality is configured with the ip scp server enable command.
Copy an Image from a Partition of Flash Memory to a Server Example
The following example copies an image from a particular partition of Flash memory to an rcp server using a remote username of netadmin1.
The system will prompt if there are two or more partitions. If the partition entered is not valid, the process terminates. You have the option to enter a partition number, a question mark (?) for a directory display of all partitions, or a question mark and a number (?number) for a directory display of a particular partition. The default is the first partition.
Router# configure terminalRouter# ip rcmd remote-username netadmin1Router# endRouter# copy flash: rcp:System flash partition information:Partition Size Used Free Bank-Size State Copy-Mode1 4096K 2048K 2048K 2048K Read Only RXBOOT-FLH2 4096K 2048K 2048K 2048K Read/Write Direct[Type ?<number> for partition directory; ? for full directory; q to abort]Which partition? [1] 2System flash directory, partition 2:File Length Name/status1 3459720 master/igs-bfpx.100-4.3[3459784 bytes used, 734520 available, 4194304 total]Address or name of remote host [ABC.CISCO.COM]?Source file name? master/igs-bfpx.100-4.3Destination file name [master/igs-bfpx.100-4.3]?Verifying checksum for 'master/igs-bfpx.100-4.3' (file # 1)... OKCopy 'master/igs-bfpx.100-4.3' from Flash to serveras 'master/igs-bfpx.100-4.3'? [yes/no] yes!!!!...Upload to server doneFlash copy took 0:00:00 [hh:mm:ss]Copying an Image from a Flash Memory File System to an FTP Server Example
The following example copies the file c3600-i-mz from partition 1 of the Flash memory card in slot 0 to an FTP server at IP address 172.23.1.129:
Router# show slot0: partition 1PCMCIA Slot0 flash directory, partition 1:File Length Name/status1 1711088 c3600-i-mz[1711152 bytes used, 2483152 available, 4194304 total]Router# copy slot0:1:c3600-i-mz ftp://myuser:mypass@172.23.1.129/c3600-i-mzVerifying checksum for '/tftpboot/cisco_rules/c3600-i-mz' (file # 1)... OKCopy '/tftpboot/cisco_rules/c3600-i-mz' from Flash to serveras 'c3700-i-mz'? [yes/no] yes!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Upload to server doneFlash device copy took 00:00:23 [hh:mm:ss]Copying an Image from Boot Flash Memory to a TFTP Server Example
The following example copies an image from boot Flash memory to a TFTP server:
Router# copy bootflash:file1 tftp://192.168.117.23/file1Verifying checksum for 'file1' (file # 1)... OKCopy 'file1' from Flash to serveras 'file1'? [yes/no]y!!!!...Upload to server doneFlash copy took 0:00:00 [hh:mm:ss]Copying a Configuration File from a Server to the Running Configuration Example
The following example copies and runs a configuration filename host1-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101:
Router# copy rcp://netadmin1@172.16.101.101/host1-confg system:running-configConfigure using host1-confg from 172.16.101.101? [confirm]Connected to 172.16.101.101Loading 1112 byte file host1-confg:![OK]Router#%SYS-5-CONFIG: Configured from host1-config by rcp from 172.16.101.101Copying a Configuration File from a Server to the Startup Configuration Example
The following example copies a configuration file host2-confg from a remote FTP server to the startup configuration. The IP address is172.16.101.101, the remote username is netadmin1, and the remote password is ftppass.
Router# copy ftp://netadmin1:ftppass@172.16.101.101/host2-confg nvram:startup-configConfigure using rtr2-confg from 172.16.101.101?[confirm]Connected to 172.16.101.101Loading 1112 byte file rtr2-confg:![OK][OK]Router#%SYS-5-CONFIG_NV:Non-volatile store configured from rtr2-config by FTP from 172.16.101.101Copying the Running Configuration to a Server Example
The following example specifies a remote username of netadmin1. Then it copies the running configuration file named rtr2-confg to the netadmin1 directory on the remote host with an IP address of 172.16.101.101.
Router# configure terminalRouter(config)# ip rcmd remote-username netadmin1Router(config)# endRouter# copy system:running-config rcp:Remote host[]? 172.16.101.101Name of configuration file to write [Rtr2-confg]?Write file rtr2-confg on host 172.16.101.101?[confirm]Building configuration...[OK]Connected to 172.16.101.101Copying the Startup Configuration to a Server Example
The following example copies the startup configuration to a TFTP server:
Router# copy nvram:startup-config tftp:Remote host[]? 172.16.101.101Name of configuration file to write [rtr2-confg]? <cr>Write file rtr2-confg on host 172.16.101.101?[confirm] <cr>![OK]Saving the Current Running Configuration Example
The following example copies the running configuration to the startup configuration. On a Class A Flash file system platform, this command copies the running configuration to the startup configuration specified by the CONFIG_FILE variable.
copy system:running-config nvram:startup-configThe following example shows the warning that the system provides if you try to save configuration information from bootstrap into the system:
Router(boot)# copy system:running-config nvram:startup-configWarning: Attempting to overwrite an NVRAM configuration writtenby a full system image. This bootstrap software does not supportthe full configuration command set. If you perform this command now,some configuration commands may be lost.Overwrite the previous NVRAM configuration?[confirm]Enter no to escape writing the configuration information to memory.
Moving Configuration Files to Other Locations Examples
On some routers, you can store copies of configuration files on a Flash memory device. Five examples follow:
•
Copying the Startup Configuration to a Flash Memory Device Example
•
Copying the Running Configuration to a Flash Memory Device Example
•
Copying to the Running Configuration from a Flash Memory Device Example
•
Copying to the Startup Configuration from a Flash Memory Device Example
•
Copying a Configuration File from one Flash Device to Another Example
Copying the Startup Configuration to a Flash Memory Device Example
The following example copies the startup configuration file (specified by the CONFIG_FILE environment variable) to a Flash memory card inserted in slot 0:
copy nvram:startup-config slot0:router-confgCopying the Running Configuration to a Flash Memory Device Example
The following example copies the running configuration from the router to the Flash memory PC card in slot 0:
Router# copy system:running-config slot0:berlin-cfgBuilding configuration...5267 bytes copied in 0.720 secsCopying to the Running Configuration from a Flash Memory Device Example
The following example copies the file named ios-upgrade-1 from the Flash memory card in slot 0 to the running configuration:
Router# copy slot0:4:ios-upgrade-1 system:running-configCopy 'ios-upgrade-1' from flash deviceas 'running-config' ? [yes/no] yesCopying to the Startup Configuration from a Flash Memory Device Example
The following example copies the router-image file from the Flash memory to the startup configuration:
copy flash:router-image nvram:startup-configCopying a Configuration File from one Flash Device to Another Example
The following example copies the file running-config from the first partition in internal Flash memory to the Flash memory PC card in slot 1. The checksum of the file is verified, and its copying time of 30 seconds is displayed.
Router# copy flash: slot1:System flashPartition Size Used Free Bank-Size State Copy Mode1 4096K 3070K 1025K 4096K Read/Write Direct2 16384K 1671K 14712K 8192K Read/Write Direct[Type ?<no> for partition directory; ? for full directory; q to abort]Which partition? [default = 1]System flash directory, partition 1:File Length Name/status1 3142748 dirt/images/mars-test/c3600-j-mz.latest2 850 running-config[3143728 bytes used, 1050576 available, 4194304 total]PCMCIA Slot1 flash directory:File Length Name/status1 1711088 dirt/images/c3600-i-mz2 850 running-config[1712068 bytes used, 2482236 available, 4194304 total]Source file name? running-configDestination file name [running-config]?Verifying checksum for 'running-config' (file # 2)... OKErase flash device before writing? [confirm]Flash contains files. Are you sure you want to erase? [confirm]Copy 'running-config' from flash: deviceas 'running-config' into slot1: device WITH erase? [yes/no] yesErasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased![OK - 850/4194304 bytes]Flash device copy took 00:00:30 [hh:mm:ss]Verifying checksum... OK (0x16)Copying a File from a Remote Web Server Examples
In the following example, the file config1 is copied from a remote server to Flash memory using HTTP:
Router# copy http://www.example.com:8080/configs/config1 flash:config1In the following example, a default username and password for HTTP Client communications is configured, and then the file sample.scr is copied from a secure HTTP server using HTTPS:
Router# configure terminalRouter(config)# ip http client username joeuserRouter(config)# ip http client password letmeinRouter(config)# endRouter# copy https://www.example_secure.com/scripts/sample.scr flash:In the following example, an HTTP proxy server is specified before using the copy http:// command:
Router# configure terminalRouter(config)# ip http client proxy-server edge2 proxy-port 29Router(config)# endRouter# copy http://www.example.com/configs/config3 flash:/configs/config3Copying an Image from the Master RSP Card to the Slave RSP Card Example
The following example copies the router-image file from the Flash memory card inserted in slot 1 of the master RSP card to slot 0 of the slave RSP card in the same router:
Router# copy slot1:router-image slaveslot0:Related Commands
crypto pki token change-pin
To change the user PIN on the USB eToken, use the crypto pki token change-pin command in privileged EXEC mode.
crypto pki token token-name [admin] change-pin [pin]
Syntax Description
Command Default
None
Command Modes
Privileged EXEC
Command History
Usage Guidelines
If you want to change the administrative PIN on the token, you must be logged into the eToken as an admin via the crypto pki token admin login command.
After the user PIN has been changed, you must reset the login failure count to zero (via the crypto pki token max-retries command). The maximum number of allowable login failures is set (by default) to 15.
Examples
The following example shows that the user PIN was changed to 1234:
crypto pki token usbtoken0 admin login 5678crypto pki token usbtoken0 change-pin 1234Related Commands
Command Descriptioncrypto pki token login
Logs into the USB eToken.
crypto pki token max-retries
Sets the maximum number of allowed failed login attempts.
crypto pki token login
To log into the USB eToken, use the crypto pki token login command in privileged EXEC mode.
crypto pki token token-name [admin] login [pin]
Syntax Description
Command Default
None
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command allows you to manually log into a USB eToken. To automatically log into an eToken, issue the crypto pki token user-pin command, which allows you to create a PIN for automatic login.
Examples
The following example shows how to log into the USB eToken manually:
crypto pki token usbtoken0:login 1234567890Related Commands
crypto pki token logout
To log the router out of the USB eToken, use the crypto pki token logout command in privileged EXEC mode.
crypto pki token token-name logout
Syntax Description
Command Default
None
Command Modes
Privileged EXEC
Command History
Usage Guidelines
If you want to save any data to the USB eToken, you must log back into the eToken.
Examples
The following example shows how to successfully log out of a USB eToken:
crypto pki token usbtoken0:logoutToken eToken is usbtoken0Token logout from usbtoken0(eToken) successful*Jan 28 05:46:59.544:%CRYPTO-6-TOKENLOGOUT:Cryptographic Token eToken Logout SuccessfulRelated Commands
crypto pki token max-retries
To set the maximum number of allowed failed login attempts, use the crypto pki token max-retries command in global configuration mode. To return to the default functionality (which is 15 failed login attempts), use the no form of this command.
crypto pki token {token-name | default} max-retries [number]
no crypto pki token {token-name | default} max-retries [number]
Syntax Description
Defaults
15 failed login attempts are allowed
Command Modes
Global configuration
Command History
Usage Guidelines
After the user PIN is changed via the crypto pki token change-pin command, the login failure count is automatically reset to 15; however, it is recommended that the login failure count be set to zero.
Examples
The following example shows how to change the allowed maximum number of failed login attempts to 20:
crypto pki token usbtoken0 max-retries 20
Related Commands
Command Descriptioncrypto pki token change-pin
Changes the user PIN number on the USB eToken.
crypto pki token login
Logs into the USB eToken.
crypto pki token removal timeout
To set the time interval that the router waits before removing the Rivest, Shamir, and Adelman (RSA) keys that are stored in the eToken, use the crypto pki token removal timeout command in global configuration mode. To return to the default functionality (which is no timeout), use the no form of this command.
crypto pki token {token-name | default} removal timeout [seconds]
no crypto pki token {token-name | default} removal timeout [seconds]
Syntax Description
Defaults
RSA keys are automatically removed after the eToken is removed from the router.
Command Modes
Global configuration
Command History
Usage Guidelines
After the eToken is removed from the router, you can clear from your router any RSA keys that were obtained from the eToken; all IPSec tunnels that used those RSA keys for authentication are also torn down. Both the keys and tunnels are immediately cleared unless otherwise specified via the crypto pki token removal timeout command.
Although the RSA keys remain on the eToken, they can only be accessed with the correct PIN. Too many unsuccessful attempts to log into the eToken will disable the PIN and any further login attempts will be refused.
Note
The no version of this command does not remove RSA keys from the router. To immediately remove RSA keys from the router, set the timeout value to zero.
Examples
The following example shows how to set the time that the router will wait before removing the RSA keys that are stored in the eToken after the eToken has been removed from the router:
crypto pki token usbtoken0 removal timeout 60Related Commands
Command Descriptioncrypto pki token logout
Logs the router out of the USB token.
crypto pki token max-retries
Sets the maximum number of allowed failed login attempts.
crypto pki token secondary config
To merge a specified file with the running configuration after the eToken is logged into the router, use the crypto pki token secondary config command in privileged EXEC mode.
crypto pki token token-name secondary config file
Syntax Description
Defaults
A secondary configuration file does not exist.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the crypto pki token secondary config command if you want to merge, not overwrite, a file with the running configuration on the router.
The secondary configuration is processed after the eToken is logged into the router.
Examples
The following example shows how to merge the secondary configuration file "CONFIG1.CFG" with the current running configuration:
crypto pki token default secondary config CONFIG1.CFGRelated Commands
Command Descriptioncrypto pki token login
Logs into the USB eToken.
crypto pki token user-pin
Creates a PIN that automatically allows the router to log into the USB eToken at router startup.
crypto pki token user-pin
To create a PIN that automatically allows the router to log into the USB eToken at router startup, use the crypto pki token user-pin command in global configuration mode. To remove the stored PIN from the configuration, use the no form of this command.
crypto pki token token-name user-pin [pin]
no crypto pki token token-name user-pin [pin]
Syntax Description
Defaults
If this command is not issued, the router cannot access the eToken.
Command Modes
Global configuration
Command History
Usage Guidelines
After the eToken is plugged into the router, the router will use the specified PIN (or the default PIN if no PIN is specified) to automatically log in as the user.
Examples
The following example shows how to access the eToken via the user pin "12345":
crypto pki token usbtoken0 user-pin 12345Related Commands
Command Descriptioncrypto pki login
Logs into the USB eToken.
crypto pki token logout
Logs the router out of the USB eToken.
debug usb driver
To display debug messages about USB transfers, use the debug usb driver command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug usb driver [transfer transfer-method]
no debug usb driver [transfer transfer-method]
Syntax Description
transfer
(Optional) Specifies the type of transfer method for which messages are to be displayed on the console.
transfer-method
One of the following options: interrupt, bulk, or control.
Command Default
None
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The debug usb driver command produces a large amount of data that might slow down your system, so use this command with caution.
Examples
The following sample debug output is produced when the the debug usb driver command with the transfer and control keywords is issued and when an eToken is unplugged and plugged back in:
Router# debug usb driver transfer bulkUSB Driver Bulk Transfer debugging is onRouter# debug usb driver transfer controlUSB Driver Control Transfer debugging is onRouter# debug usb stackStack debugging is onRouter#Router#*Dec 22 06:18:29.399:%USB_HOST_STACK-6-USB_DEVICE_DISCONNECTED:A USB device has been removed from port 1.*Dec 22 06:18:29.499:Detached:*Dec 22 06:18:29.499:Host: 1*Dec 22 06:18:29.499:Address: 18*Dec 22 06:18:29.499:Manufacturer: AKS*Dec 22 06:18:29.499:Product: eToken Pro 4254*Dec 22 06:18:29.499:Serial Number:Router#*Dec 22 06:18:29.499:%USB_TOKEN_FILESYS-6-USB_TOKEN_REMOVED:USB Token device removed:usbtoken1.*Dec 22 06:18:29.499:%CRYPTO-6-TOKENREMOVED:Cryptographic token eToken removed from usbtoken1Router#Router#Router#Router#Router#*Dec 22 06:18:38.063:%USB_HOST_STACK-6-USB_DEVICE_CONNECTED:A Low speed USB device has been inserted in port 1.*Dec 22 06:18:38.683:ATTACHED===>Class-driver activated*Dec 22 06:18:38.683:Host: 1*Dec 22 06:18:38.683:Address: 19*Dec 22 06:18:38.683:Manufacturer: AKS*Dec 22 06:18:38.683:Product: eToken Pro 4254*Dec 22 06:18:38.683:Serial Number:*Dec 22 06:18:39.383:Control TransferDevice Handle:0x3010000Direction:0x0Request:0x1Type:0x40Recipient:0x0ValueDesc:0x0ValueIndex:0x0Index:0x0*Dec 22 06:18:39.383:Control TransferDevice Handle:0x3010000Direction:0x80Request:0x81Type:0x40Recipient:0x0ValueDesc:0x0ValueIndex:0x0Index:0x0*Dec 22 06:18:39.407:Control TransferDevice Handle:0x3010000Direction:0x0Request:0x3Type:0x40Recipient:0x0ValueDesc:0x0ValueIndex:0x0Index:0x0*Dec 22 06:18:39.407:Control TransferDevice Handle:0x3010000Direction:0x80Request:0my3825#x83Type:0x40Recipient:0x0ValueDesc:0x0ValueIndex:0x0Index:0x0*Dec 22 06:18:39.503:Control TransferDevice Handle:0x3010000Direction:0x0Request:0x2Type:0x40Recipient:0x0ValueDesc:0x0ValueIndex:0x0Index:0x0*Dec 22 06:18:39.507:Control TransferDevice Handle:0x3010000Direction:0x80Request:0x82Type:0x40Recipient:0x0ValueDesc:0x0ValueIndex:0x0Index:0x0*Dec 22 06:18:39.507:%USB_TOKEN_FILESYS-6-USB_TOKEN_INSERTED:USB Token device inserted:usbtoken1.*Dec 22 06:18:39.515:Control TransferDevice Handle:0x3010000Direction:0x0Request:0x6Type:0x40Recipient:0x0ValueDesc:0x0ValueIndex:0x0Index:0x0*Dec 22 06:18:39.515:%USB_TOKEN_FILESYS-6-REGISTERING_WITH_IFS:Registering USB Token File System usbtoken1:might take a while...*Dec 22 06:18:39.515:Control TransferDevice Handle:0x3010000Direction:0x80Request:0x86Type:0x40Recipient:0x0ValueDesc:0x0ValueIndex:0x0Index:0x0*Dec 22 06:18:39.543:Control TransferDevice Handle:0x3010000Direction:0x0Request:0x6Type:0x40Recipient:0x0ValueDesc:0x0ValueIndex:0x0Index:0x0...delete
To delete a file on a Flash memory device or NVRAM, use the delete command in EXEC mode.
delete url [/force | /recursive]
Syntax Description
url
Cisco IOS File System URL of the file to be deleted. Include the file system prefix, followed by a colon, and, optionally, the name of a file or directory. See Table 7 for list of supported URLs.
/force
(Optional) Deletes the specified file or directory without prompting you for verification.
Note
Use this keyword with caution: the system will not ask you to confirm the file deletion.
/recursive
(Optional) Deletes all files in the specified directory, as well as the directory itself.
Command Modes
EXEC
Command History
Release Modification11.0
This command was introduced.
12.3(14)T
The usbflash[0-9]: and usbtoken[0-9]: options were added to the list of Cisco IOS File System URLs.
Usage Guidelines
If you attempt to delete the configuration file or image specified by the CONFIG_FILE or BOOTLDR environment variable, the system prompts you to confirm the deletion. Also, if you attempt to delete the last valid system image specified in the BOOT environment variable, the system prompts you to confirm the deletion.
When you delete a file in Flash memory, the software simply marks the file as deleted, but it does not erase the file. To later recover a "deleted" file in Flash memory, use the undelete EXEC command. You can delete and undelete a file up to 15 times.
To permanently delete all files marked "deleted" on a linear Flash memory device, use the squeeze EXEC command.
Table 7 contains a list of Cisco IOS File System URLs.
Examples
The following example deletes the file named test from the Flash card inserted in slot 0:
Router# delete slot0:testDelete slot0:test? [confirm]Related Commands
dir
To display a list of files on a file system, use the dir command in EXEC mode.
dir [/all] [filesystem: ][file-url]
Syntax Description
Defaults
The default file system is specified by the cd command. When you omit the /all keyword, the Cisco IOS software displays only undeleted files.
Command Modes
EXEC
Command History
Usage Guidelines
Use the show (Flash file system) command to display more detail about the files in a particular file system.
Examples
The following is sample output from the dir command:
Router# dir slot0:Directory of slot0:/1 -rw- 4720148 Dec 29 2003 17:49:36 -08:00 hampton/nitro/c7200-j-mz2 -rw- 4767328 Jan 02 2004 18:42:53 -08:00 c7200-js-mz5 -rw- 639 Jan 03 2004 12:09:32 -08:00 rally7 -rw- 639 Jan 03 2004 12:37:13 -08:00 the_time20578304 bytes total (3104544 bytes free)Router# dir /all slot0:Directory of slot0:/1 -rw- 4720148 Dec 15 2003 17:49:36 -08:00 hampton/nitro/c7200-j-mz2 -rw- 4767328 Jan 02 2004 18:42:53 -08:00 c7200-js-mz3 -rw- 7982828 Jan 02 2004 18:48:14 -08:00 [rsp-jsv-mz]4 -rw- 639 Jan 03 2004 12:09:17 -08:00 the_time]5 -rw- 639 Jan 03 1994 12:09:32 -08:00 rally6 -rw- 639 Jan 03 1994 12:37:01 -08:00 [the_time]7 -rw- 639 Jan 03 1994 12:37:13 -08:00Table 8 describes the significant fields shown in the output.
Related Commands
format
To format a Class A, Class B, or Class C Flash file system, use the format command in EXEC mode.
Class B and Class C Flash File Systems
format filesystem1:
Class A Flash File System
format [spare spare-number] filesystem1: [[filesystem2:][monlib-filename]]
CautionReserve a certain number of memory sectors as spares, so that if some sectors fail, most of the Flash memory card can still be used. Otherwise, you must reformat the Flash card when some of the sectors fail.
Syntax Description
Command Default
None
Command Modes
EXEC
Command History
Release Modification11.0
This command was introduced.
12.3(14)T
Support for Class B Flash (USB Flash and USB eToken) File Systems was added.
Usage Guidelines
Use this command to format Class A, B, or C Flash memory file systems.
In some cases, you might need to insert a new PCMCIA Flash memory card and load images or backup configuration files onto it. Before you can use a new Flash memory card, you must format it.
Sectors in Flash memory cards can fail. Reserve certain Flash memory sectors as "spares" by using the optional spare argument on the format command to specify 0 to 16 sectors as spares. If you reserve a small number of spare sectors for emergencies, you can still use most of the Flash memory card. If you specify 0 spare sectors and some sectors fail, you must reformat the Flash memory card, thereby erasing all existing data.
The monlib file is the ROM monitor library. The ROM monitor uses this file to access files in the Flash file system. The Cisco IOS system software contains a monlib file.
In the command syntax, filesystem1: specifies the device to format and filesystem2: specifies the optional device containing the monlib file used to format filesystem1:. If you omit the optional filesystem2: and monlib-filename arguments, the system formats filesystem1: using the monlib file already bundled with the system software. If you omit only the optional filesystem2: argument, the system formats filesystem1: using the monlib file from the device you specified with the cd command. If you omit only the optional monlib-filename argument, the system formats filesystem1: using the filesystem2: monlib file. When you specify both arguments—filesystem2: and monlib-filename—the system formats filesystem1: using the monlib file from the specified device. You can specify filesystem1:'s own monlib file in this argument. If the system cannot find a monlib file, it terminates its formatting.
Note
You can read from or write to Flash memory cards formatted for Cisco 7000 series Route Processor (RP) cards in your Cisco 7200 and 7500 series routers, but you cannot boot the Cisco 7200 and 7500 series routers from a Flash memory card formatted for the Cisco 7000 series routers. Similarly, you can read from or write to Flash memory cards formatted for the Cisco 7200 and 7500 series routers in your Cisco 7000 series routers, but you cannot boot the Cisco 7000 series routers from a Flash memory card formatted for the Cisco 7200 and 7500 series routers.
Examples
The following example formats a Flash memory card inserted in slot 0:
Router# format slot0:Running config file on this device, proceed? [confirm]yAll sectors will be erased, proceed? [confirm]yEnter volume id (up to 31 characters): <Return>Formatting sector 1 (erasing)Format device slot0 completedWhen the console returns to the EXEC prompt, the new Flash memory card is formatted and ready for use.
Related Commands
show usb controllers
To display USB host controller information, use the show usb controllers command in Privileged EXEC mode.
show usb controllers [controller-number]
Syntax Description
Defaults
Information about all controllers on the system are displayed.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the show usb controllers command to display content such as controller register specific information, current asynchronous buffer addresses, and period scheduling information. You can also use this command to verify that copy operations are occurring successfully onto a USB flash module.
Examples
The following example is sample output from the show usb controller command:
Router# show usb controllersName:1362HCDController ID:1Controller Specific Information:Revision:0x11Control:0x80Command Status:0x0Hardware Interrupt Status:0x24Hardware Interrupt Enable:0x80000040Hardware Interrupt Disable:0x80000040Frame Interval:0x27782EDFFrame Remaining:0x13C1Frame Number:0xDA4CLSThreshold:0x628RhDescriptorA:0x19000202RhDescriptorB:0x0RhStatus:0x0RhPort1Status:0x100103RhPort2Status:0x100303Hardware Configuration:0x3029DMA Configuration:0x0Transfer Counter:0x1Interrupt:0x9Interrupt Enable:0x196Chip ID:0x3630Buffer Status:0x0Direct Address Length:0x80A00ATL Buffer Size:0x600ATL Buffer Port:0x0ATL Block Size:0x100ATL PTD Skip Map:0xFFFFFFFFATL PTD Last:0x20ATL Current Active PTD:0x0ATL Threshold Count:0x1ATL Threshold Timeout:0xFFInt Level:1Transfer Completion Codes:Success :920 CRC :0Bit Stuff :0 Stall :0No Response :0 Overrun :0Underrun :0 Other :0Buffer Overrun :0 Buffer Underrun :0Transfer Errors:Canceled Transfers :2 Control Timeout :0Transfer Failures:Interrupt Transfer :0 Bulk Transfer :0Isochronous Transfer :0 Control Transfer:0Transfer Successes:Interrupt Transfer :0 Bulk Transfer :26Isochronous Transfer :0 Control Transfer:894USBD Failures:Enumeration Failures :0 No Class Driver Found:0Power Budget Exceeded:0USB MSCD SCSI Class Driver Counters:Good Status Failures :3 Command Fail :0Good Status Timed out:0 Device not Found:0Device Never Opened :0 Drive Init Fail :0Illegal App Handle :0 Bad API Command :0Invalid Unit Number :0 Invalid Argument:0Application Overflow :0 Device in use :0Control Pipe Stall :0 Malloc Error :0Device Stalled :0 Bad Command Code:0Device Detached :0 Unknown Error :0Invalid Logic Unit Num:0USB Aladdin Token Driver Counters:Token Inserted :1 Token Removed :0Send Insert Msg Fail :0 Response Txns :434Dev Entry Add Fail :0 Request Txns :434Dev Entry Remove Fail:0 Request Txn Fail:0Response Txn Fail :0 Command Txn Fail:0Txn Invalid Dev Handle:0USB Flash File System Counters:Flash Disconnected :0 Flash Connected :1Flash Device Fail :0 Flash Ok :1Flash startstop Fail :0 Flash FS Fail :0USB Secure Token File System Counters:Token Inserted :1 Token Detached :0Token FS success :1 Token FS Fail :0Token Max Inserted :0 Create Talker Failures:0Token Event :0 Destroy Talker Failures:0Watched Boolean Create Failures:0show usb device
To display USB device information, use the show usb device command in privileged EXEC mode.
show usb device [controller-ID [device-address]]
Syntax Description
controller-ID
(Optional) Displays information only for the devices under the specified controller.
device-address
(Optional) Displays information only for the device with the specified address.
Defaults
Information for all devices attached to the system are displayed.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the show usb device command to display information for either a USB flash drive or a USB eToken, as appropriate.
Examples
The following example is sample output from the show usb device command:
Router# show usb deviceHost Controller:1Address:0x1Device Configured:YESDevice Supported:YESDescription:DiskOnKeyManufacturer:M-SysVersion:2.0Serial Number:0750D84030316868Device Handle:0x1000000USB Version Compliance:2.0Class Code:0x0Subclass Code:0x0Protocol:0x0Vendor ID:0x8ECProduct ID:0x15Max. Packet Size of Endpoint Zero:64Number of Configurations:1Speed:FullSelected Configuration:1Selected Interface:0Configuration:Number:1Number of Interfaces:1Description:Attributes:NoneMax Power:140 mAInterface:Number:0Description:Class Code:8Subclass:6Protocol:80Number of Endpoints:2Endpoint:Number:1Transfer Type:BULKTransfer Direction:Device to HostMax Packet:64Interval:0Endpoint:Number:2Transfer Type:BULKTransfer Direction:Host to DeviceMax Packet:64Interval:0Host Controller:1Address:0x11Device Configured:YESDevice Supported:YESDescription:eToken Pro 4254Manufacturer:AKSVersion:1.0Serial Number:Device Handle:0x1010000USB Version Compliance:1.0Class Code:0xFFSubclass Code:0x0Protocol:0x0Vendor ID:0x529Product ID:0x514Max. Packet Size of Endpoint Zero:8Number of Configurations:1Speed:LowSelected Configuration:1Selected Interface:0Configuration:Number:1Number of Interfaces:1Description:Attributes:NoneMax Power:60 mAInterface:Number:0Description:Class Code:255Subclass:0Protocol:0Number of Endpoints:0Table 9 describes the significant fields shown in the display.
show usb driver
To display information about registered USB class drivers and vendor-specific drivers, use the show usb driver command in privileged EXEC mode.
show usb driver [index]
Syntax Description
Defaults
Information about all drivers is displayed.
Command Modes
Privileged EXEC
Command History
Examples
The following example is sample output for the show usb driver command:
Router# show usb driverIndex:0Owner Mask:0x6Class Code:0x0Subclass Code:0x0Protocol:0x0Interface Class Code:0x8Interface Subclass Code:0x6Interface Protocol Code:0x50Product ID:0x655BD598Vendor ID:0x64E90000Attached Devices:Controller ID:1, Device Address:1Index:1Owner Mask:0x1Class Code:0x0Subclass Code:0x0Protocol:0x0Interface Class Code:0x0Interface Subclass Code:0x0Interface Protocol Code:0x0Product ID:0x514Vendor ID:0x529Attached Devices:Controller ID:1, Device Address:17Index:2Owner Mask:0x5Class Code:0x9Subclass Code:0x6249BD58Protocol:0x2Interface Class Code:0x5DC0Interface Subclass Code:0x5Interface Protocol Code:0xFFFFFFFFProduct ID:0x2Vendor ID:0x1Attached Devices:NoneIndex:3Owner Mask:0x10Class Code:0x0Subclass Code:0x0Protocol:0x0Interface Class Code:0x0Interface Subclass Code:0x0Interface Protocol Code:0x0Product ID:0x0Vendor ID:0x0Attached Devices:NoneTable 10 describes the significant field shown in the display.
show usb port
To sisplay USB root hub port information, use the show usb port command in privileged EXEC mode.
show usb port [port-number]
Syntax Description
port-number
(Optional) Displays information only for a specified. If the port-number is not issued, information for all root ports will be displayed.
Command Default
None
Command Modes
Privileged EXEC
Command History
Examples
The following sample from the show usb port command shows the status of the port 1 on the router:
Router# show usb portPort Number:0Status:EnabledConnection State:ConnectedSpeed:FullPower State:ONPort Number:1Status:EnabledConnection State:ConnectedSpeed:LowPower State:ONshow usbtoken
To display information about the USB eToken (such as the eToken ID), use the show usbtoken command in privileged EXEC mode.
show usbtoken[0-9]:[all | filesystem]
Syntax Description
Command Default
None
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the show usbtoken command to verify whether a USB eToken is inserted in the router.
Examples
The following example is sample output from the show usbtoken command:
Router# show usbtoken0Token ID :43353334Token device name : token0Vendor name : AladdinProduct Name :Etoken ProSerial number : 22273a334353Firmware version : 4.1.3.2Total memory size : 32 KBFree memory size : 16 KBFIPS version : Yes/NoToken state : "Active" | "User locked" | "Admin locked" | "System Error" | "Uknown"ATR (Answer To Reset) :"3B F2 98 0 FF C1 10 31 FE 55 C8 3"Table 11 describes the significant fields shown in the display.
show usb tree
To display information about the port state and all attached devices, use the show usb tree command in privileged EXEC mode.
show usb tree
Syntax Description
This command has no arguments or keywords.
Command Default
None
Command Modes
EXEC
Command History
Examples
The following example is sample output from the show usb tree command. This output shows that both a USB flash module and a USB eToken are currently enabled.
Router# show usb tree[Host Id:1, Host Type:1362HCD, Number of RH-Port:2]<Root Port0:Power=ON Current State=Enabled>Port0:(DiskOnKey) Addr:0x1 VID:0x08EC PID:0x0015 Configured (0x1000000)<Root Port1:Power=ON Current State=Enabled>Port1:(eToken Pro 4254) Addr:0x11 VID:0x0529 PID:0x0514 Configured (0x1010000)
Copyright © 2005 Cisco Systems, Inc. All rights reserved.



