Disabling TFTP and auto-TFTP for enhanced security
Using the
ip ssh filetransfer
command to enable SFTP automatically disables TFTP and auto-TFTP (if either or both are enabled), as shown below.
Switch configuration with SFTP enabled
switch(config)# ip ssh filetransfer Tftp and auto-tftp have been disabled. 1 switch(config)# sho run Running configuration: ; J9091A Configuration Editor; Created on release #xx.15.xx hostname "Switch" module 1 type J8702A module 2 type J702A vlan 1 name "DEFAULT_VLAN" untagged A1-A24,B1-B24 ip address 10.28.234.176 255.255.240.0 exit ip ssh filetransfer 2 no tftp-enable password manager password operator
1 Enabling SFTP automatically disables TFTP and auto-tftp and displays this message.
2 Viewing the configuration shows that SFTP is enabled and TFTP is disabled.
If you enable SFTP and then later disable it, TFTP and auto-TFTP remain disabled unless they are explicitly re-enabled.
Operating rules are:
The TFTP feature is enabled by default, and can be enabled or disabled through the CLI or an SNMP application. Auto-TFTP is disabled by default and must be configured through the CLI.
- While SFTP is enabled, TFTP and auto-TFTP cannot be enabled from the CLI. Attempting to enable either non-secure TFTP option while SFTP is enabled produces one of the following messages in the CLI:
SFTP must be disabled before enabling tftp. SFTP must be disabled before enabling auto-tftp.
Similarly, while SFTP is enabled, TFTP cannot be enabled using an SNMP management application. Attempting to do so generates an "inconsistent value" message. (An SNMP management application cannot be used to enable or disable auto-TFTP.) To enable SFTP by using an SNMP management application, you must first disable TFTP and, if configured, auto-TFTP on the switch. You can use either an SNMP application or the CLI to disable TFTP, but you must use the CLI to disable auto-TFTP.