
Device File Management with SFTP and SCP

This chapter covers a NEW objective in the CCNA v2 exam (200-301 v2.0, 2026 blueprint): Device File Management with SFTP and SCP. Cisco added this to reflect the modern network engineer’s reliance on secure, encrypted file transfers for managing device configurations, images, and logs. In production networks, FTP and TFTP are increasingly deprecated due to security concerns, and SSH-based file transfers are the standard. On the CCNA exam, you’ll need to know how to configure an SFTP/SCP server on a Cisco IOS device, initiate client transfers, and verify operations—all while understanding the underlying SSH infrastructure. This is a hands-on, configuration-heavy topic that rewards practice with real CLI.

Intermediate · 25 min read · Updated Jun 6, 2026 · Reviewed by Johnson Ajibi, MSc IT Security

Secure Courier vs. Unlocked Mailbox

Imagine you need to send a sensitive document from your office to a branch office. You have two choices: you can hand it to a courier who will drive it over in a sealed, tamper-proof briefcase (SFTP/SCP), or you can drop it in an unlocked mailbox on the street (TFTP/FTP). The courier first verifies your identity (SSH authentication), then places the document inside a locked briefcase (encrypted SSH session), and drives to the branch. At the branch, the recipient must present their own ID (SSH authentication) to open the briefcase. The entire journey—handoff, transport, and delivery—is encrypted and authenticated. With the unlocked mailbox, anyone can grab the document, read it, or replace it with a malicious version. In Cisco terms, the courier represents the SSH service: it establishes a secure channel (SSH transport layer) before any file transfer occurs. The briefcase is the encrypted tunnel; even if intercepted, the contents are unreadable. The courier’s identity check is the SSH server’s authentication (local username/password or AAA). If you configure SFTP, the courier uses a special protocol (SFTP subsystem) to list and transfer files within the briefcase. If you use SCP, the courier uses a simpler, faster method (SCP protocol) that copies files without browsing. Both rely on the same secure courier (SSH). The key takeaway: without the courier (SSH), there is no secure file transfer. Just like you wouldn’t send a contract via an unlocked mailbox, Cisco recommends SFTP/SCP over TFTP/FTP for all management traffic.

How It Actually Works

What are SFTP and SCP?

SFTP (SSH File Transfer Protocol) and SCP (Secure Copy Protocol) are both methods for transferring files securely over a network using the SSH (Secure Shell) protocol. They are not the same as FTP or TFTP. SFTP is a full-featured file transfer protocol that provides file listing, deletion, renaming, and resuming—all over an encrypted SSH connection. SCP is a simpler protocol that only copies files (pull or push) and does not support directory browsing or resuming. Both use TCP port 22 (the same as SSH) and require SSH server configuration on the device acting as the server.

Why Cisco Added This to CCNA v2

The 200-301 v2.0 blueprint, released in 2026, restructured domains and introduced new objectives reflecting modern network security practices. The previous blueprint (v1.1) covered TFTP and FTP for file management but did not require knowledge of SFTP/SCP. In real networks, TFTP and FTP are considered insecure because they transmit data in cleartext, including passwords and configuration files. Many enterprises have banned these protocols. Cisco itself now recommends SFTP/SCP for all management file transfers. By adding this objective, Cisco ensures CCNA candidates understand secure alternatives and can configure them on IOS/IOS-XE devices. The new blueprint’s “Network Services and Security” domain (20% of exam) includes this objective, so expect 1-2 questions.

How It Works: The SSH Foundation

SFTP and SCP both rely on an underlying SSH connection. The process has these phases:

1. TCP Handshake: The client initiates a TCP connection to port 22 on the server.

2. SSH Version Exchange: The client and server exchange SSH version strings (e.g., SSH-2.0).

3. Key Exchange: Using Diffie-Hellman, they agree on a session key and derive encryption keys. The server authenticates itself to the client using its host key.

4. User Authentication: The client authenticates to the server using a password, public key, or other method.

5. Channel Establishment: After authentication, an SSH session channel is opened.

6. File Transfer Subsystem: For SFTP, the client requests the “sftp” subsystem. For SCP, the client executes an “scp” command on the server’s shell.

All subsequent file data is encrypted within this SSH channel.

SFTP vs. SCP: Key Differences

| Feature | SFTP | SCP |
|---------|------|-----|
| Protocol | Subsystem of SSH | Uses SSH for transport, but its own protocol |
| Directory listing | Yes | No |
| Resume interrupted transfers | Yes | No |
| Recursive transfer | Yes (using -r) | Yes (using -r) |
| Speed | Slower due to more handshakes | Faster (simpler) |
| Port | 22 | 22 |
| IOS configuration | Requires SSH server and SFTP server enablement | Requires SSH server and SCP server enablement |

Configuring SFTP/SCP Server on Cisco IOS

Cisco devices can act as both SFTP/SCP servers and clients. To enable the server, you must first configure SSH (hostname, domain name, crypto keys) and then enable the SCP/SFTP server.

Step 1: Basic SSH Configuration

! Set hostname and domain for RSA key generation
hostname R1
ip domain name cisco.com

! Generate RSA key pair (modulus 2048 bits minimum recommended)
crypto key generate rsa modulus 2048

! Configure SSH version 2 (mandatory for SCP/SFTP)
ip ssh version 2

! Optionally, configure authentication via local database or AAA
username admin secret cisco123
line vty 0 4
transport input ssh
login local

Step 2: Enable SCP Server

! Enable SCP server globally
ip scp server enable

Step 3: Enable SFTP Server

! Enable SFTP server globally (IOS XE 16.12+)
ip sftp server enable

Verification commands:

! Check SSH status
show ip ssh

! Check SCP/SFTP server status
show ip scp status
show ip sftp status

Example output:

R1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie-Hellman key size: 1024 bits
IOS Keys in SECSH format(ssh-rsa, host key)
R1# show ip scp status
SCP Server is enabled
R1# show ip sftp status
SFTP Server is enabled

Client Operations

From a Cisco IOS device, you can initiate SCP/SFTP transfers to or from a remote server. The syntax is similar to Unix commands.

SCP copy from server to device (pull):

copy scp: flash:
Source filename []? /home/admin/config.txt
Address or name of remote host []? 192.168.1.100
Destination filename [config.txt]?

! You will be prompted for SSH credentials

SCP copy from device to server (push):

copy flash: scp:
Source filename []? running-config
Address or name of remote host []? 192.168.1.100
Destination filename [running-config]?

SFTP copy (similar syntax):

copy sftp: flash:

Note: The copy command with scp: or sftp: triggers an SSH client connection. The device must have SSH client capabilities (always available if SSH is configured).

Security Considerations

Always use SSH version 2 (SSHv1 is vulnerable).

Use AAA or local authentication with strong passwords.

Restrict VTY access to SSH only (no telnet).

Use ACLs to limit which hosts can initiate SSH sessions to the device.

For maximum security, use public key authentication instead of passwords.

Interaction with Related Protocols

SSH: SFTP/SCP are entirely dependent on SSH. Without a working SSH server, they will not function.

AAA: Authentication, authorization, and accounting (AAA) can be used for SSH login, which then applies to file transfers.

NTP: Not directly related, but accurate timestamps on logs help track file transfers.

Syslog: SFTP/SCP operations may be logged if SSH logging is enabled.

Exam Traps

Candidates often confuse SFTP with FTPS (FTP over SSL). FTPS uses FTP with TLS, not SSH. SFTP uses SSH only.

Some think SCP uses port 22 by default but can be changed. In Cisco IOS, SCP always uses the SSH port (22) and cannot be configured separately.

A common wrong answer: “SCP supports directory listing.” It does not; only SFTP does.

The ip scp server enable command is required even if SSH is already configured. Without it, SCP copy will fail with “%SCP server not enabled” error.

Walk-Through

Step 1: Configure SSH Server

First, ensure the device has a hostname and domain name set. Then generate an RSA key pair (minimum 2048 bits). Enable SSH version 2 and set authentication parameters. Example:

```
R1(config)# hostname R1
R1(config)# ip domain name cisco.com
R1(config)# crypto key generate rsa modulus 2048
R1(config)# ip ssh version 2
R1(config)# username admin secret cisco123
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local
R1(config-line)# exit
```

Verify with `show ip ssh`.

Step 2: Enable SCP/SFTP Server

Enable the SCP server with the global command `ip scp server enable`. For SFTP, use `ip sftp server enable` (available in IOS XE 16.12+). These commands are independent; you can enable one or both. Verify with `show ip scp status` and `show ip sftp status`. Example:

```
R1(config)# ip scp server enable
R1(config)# ip sftp server enable
R1(config)# end
R1# show ip scp status
SCP Server is enabled
R1# show ip sftp status
SFTP Server is enabled
```

Step 3: Initiate SCP Copy from Client

On the IOS device acting as client, use the `copy` command with the `scp:` prefix. For example, to pull a file from a remote server:

```
R1# copy scp: flash:
Source filename []? /home/admin/config.txt
Address or name of remote host []? 192.168.1.100
Destination filename [config.txt]?
Password: *****
```

The device will prompt for the SSH username (if not provided in the source path) and password. The file is transferred over the encrypted SSH channel.

Step 4: Initiate SFTP Copy from Client

SFTP uses the same `copy` command but with the `sftp:` prefix. Example:

```
R1# copy sftp: flash:
Source filename []? /home/admin/config.txt
Address or name of remote host []? 192.168.1.100
Destination filename [config.txt]?
Password: *****
```

SFTP supports additional features like resuming, but the `copy` command on IOS does not expose all SFTP features; it is used for simple file transfer.

Step 5: Verify File Transfer

After the copy operation, verify the file exists in the destination filesystem:

```
R1# dir flash:
Directory of flash:
...
1792 -rw- config.txt
```

You can also check the file integrity using `verify /md5 flash:config.txt` if you have the original MD5 hash. Check logs for any SSH errors: `show log | include SSH`.

Step 6: Troubleshoot Common Issues

If SCP/SFTP fails, check: (1) SSH server is running (`show ip ssh`), (2) SCP/SFTP server enabled (`show ip scp status`), (3) VTY lines allow SSH (`show line vty 0 4`), (4) ACLs are not blocking SSH, (5) Authentication credentials are correct. Use debug commands cautiously: `debug ip ssh` and `debug ip scp` (if available). Common error: "%SCP server not enabled" means the `ip scp server enable` command is missing.

What This Looks Like on the Job

Scenario 1: Secure Backup of Configurations to a Central Server

A large enterprise has hundreds of Cisco routers and switches. The network team needs to back up running configurations nightly to a central Linux server. Previously, they used TFTP, but a security audit found passwords in clear text. They migrate to SCP because it is faster than SFTP for bulk transfers and requires no additional server software, just SSH. The team writes a script on the Linux server that SCPs into each device (using SSH keys for passwordless authentication) and downloads the config. The script runs via cron. On each IOS device, they configure `ip scp server enable` and set up a dedicated SSH user with privilege level 15. The script uses `scp user@device:running-config backup/device-config-$(date +%Y%m%d).cfg`. This reduces backup time by 40% compared to TFTP and eliminates security risks.
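The server-side backup job from this scenario, combined with the MD5 check from the verification step of the walk-through, as an added example that is not part of the original chapter: each device's running-config is pulled over SCP with key-based authentication, the file is named with the date as above, and its MD5 is logged so a later audit can compare it against `verify /md5` on the device. The user name `netbackup`, the key path, the backup directory and the `SCP_BIN` override are assumptions; the script expects `ip scp server enable` on every device, the backup user's public key already installed there, and the devices' host keys already present in known_hosts.

```shell
#!/bin/sh
# Nightly running-config backup over SCP from a central Linux server (added example).
# Assumptions (not from the chapter): a dedicated SSH user "netbackup" whose public key is
# installed on every device via ip ssh pubkey-chain, a known_hosts file already holding
# each device's host key, and "ip scp server enable" configured on each device.
set -u

BACKUP_USER="${BACKUP_USER:-netbackup}"                  # hypothetical backup account
BACKUP_DIR="${BACKUP_DIR:-./backup}"
SSH_KEY="${SSH_KEY:-${HOME:-.}/.ssh/netbackup_ed25519}"  # hypothetical key path
SCP_BIN="${SCP_BIN:-scp}"   # overridable so the job logic can be exercised without devices

# backup_path DEVICE YYYYMMDD -> <dir>/<device>-config-<YYYYMMDD>.cfg (the chapter's naming)
backup_path() {
  printf '%s/%s-config-%s.cfg\n' "$BACKUP_DIR" "$1" "$2"
}

# scp_source DEVICE -> user@device:running-config (how the IOS SCP server exposes the config)
scp_source() {
  printf '%s@%s:running-config\n' "$BACKUP_USER" "$1"
}

# md5_of FILE -> hex MD5, comparable with the device's "verify /md5" output
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then md5sum < "$1" | cut -d' ' -f1
  else md5 -q < "$1"; fi
}

# backup_device DEVICE [YYYYMMDD]: pull the config non-interactively, then log its MD5.
# BatchMode=yes fails fast instead of hanging on a password prompt when key auth breaks;
# StrictHostKeyChecking=yes refuses unknown or changed host keys instead of accepting them.
backup_device() {
  local dev="$1" stamp="${2:-$(date +%Y%m%d)}" dest
  dest="$(backup_path "$dev" "$stamp")"
  mkdir -p "$BACKUP_DIR"
  if ! "$SCP_BIN" -q -i "$SSH_KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "$(scp_source "$dev")" "$dest"; then
    printf '%s FAIL %s\n' "$stamp" "$dev" >&2
    return 1
  fi
  # Recording the checksum lets a later audit detect a truncated or altered backup file.
  printf '%s OK %s %s\n' "$stamp" "$dev" "$(md5_of "$dest")"
}

# backup_all DEVICE...: back up every device, keep going after failures, return the failure count.
backup_all() {
  local fails=0 dev
  for dev in "$@"; do
    backup_device "$dev" || fails=$((fails + 1))
  done
  return "$fails"
}

# Constructed cron entry for the server:  0 2 * * * /opt/netbackup/backup.sh r1 r2 sw1
# where backup.sh sources this file and calls: backup_all "$@"
```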

Scenario 2: IOS Image Upgrade via SFTP

A network engineer needs to upgrade IOS on a remote branch router that has limited bandwidth. The new image is 150 MB. Using TFTP over a WAN link would be slow and insecure. They choose SFTP because it supports resuming—if the transfer is interrupted, they can resume without restarting. On the router, they enable the SFTP server, then from a management workstation, they use an SFTP client (e.g., WinSCP) to upload the image to flash. The transfer takes 20 minutes; if the link drops, they reconnect and resume. The engineer verifies the image with verify /md5 flash:cat9k_ios.16.12.05.bin before reloading.

Scenario 3: Misconfiguration Leading to Outage

A junior engineer enabled SCP server but forgot to configure SSH version 2 and used default version 1. The SCP client from a modern Linux server failed because SSHv1 is disabled by default. The engineer spent hours troubleshooting, eventually discovering the version mismatch. After changing ip ssh version 2, the transfer succeeded. This highlights the dependency on proper SSH configuration. Another common mistake: forgetting to generate RSA keys—SCP/SFTP will not work at all. Always verify SSH status first.

How CCNA 200-301 Actually Tests This

Exam Objective 4.2: Device File Management with SFTP and SCP

The 200-301 v2.0 exam tests your ability to configure and verify secure file transfers using SCP and SFTP on Cisco IOS devices. Expect 1-2 questions, likely multiple-choice or simulation (simlet) where you must complete a configuration. The questions may ask you to identify the correct commands, troubleshoot why a transfer failed, or differentiate between SCP and SFTP.

New in CCNA v2

This objective is entirely new in the 200-301 v2.0 blueprint (effective 2026). In v1.1, file management covered only TFTP and FTP. Cisco added this to align with industry best practices and the new 5-domain blueprint, where “Network Services and Security” accounts for 20% of the exam. Candidates who studied v1.1 materials will not have seen SFTP/SCP commands. Key changes: (1) You must know ip scp server enable and ip sftp server enable. (2) The copy scp: and copy sftp: commands. (3) The dependency on SSH configuration (hostname, domain, RSA keys, SSH version 2). (4) The fact that SCP does not support directory listing or resume, while SFTP does.

Common Wrong Answers and Traps

1. “SCP uses port 22, but you can change it with a command.” Wrong. In Cisco IOS, SCP always uses the SSH port (22) and cannot be changed. The port is tied to SSH.

2. “SFTP is the same as FTPS.” Wrong. FTPS is FTP over SSL/TLS; SFTP is SSH-based. They are completely different.

3. “You need to configure an FTP server to use SCP.” Wrong. SCP uses SSH, not FTP.

4. “The command `ip ssh scp enable` exists.” Wrong. The correct command is `ip scp server enable`.

5. “SCP supports directory listing.” Wrong. Only SFTP supports listing; SCP is a simple copy.

Specific Values and Commands

SSH version must be 2: ip ssh version 2.

RSA key modulus minimum 2048 (Cisco recommends 2048).

Enable SCP: ip scp server enable.

Enable SFTP: ip sftp server enable (IOS XE 16.12+).

Verification: show ip scp status, show ip sftp status.

Copy from server: copy scp: flash: or copy sftp: flash:.

Copy to server: copy flash: scp: or copy flash: sftp:.

Decision Rule for Scenario Questions

If a question asks which protocol to use for secure file transfer with resume support, choose SFTP. If it asks for fastest simple copy without listing, choose SCP. If the question mentions “no directory browsing,” pick SCP. If it says “resume interrupted downloads,” pick SFTP. Always ensure SSH is configured first.

Key Takeaways

SFTP and SCP both rely on SSH and use TCP port 22.

SCP supports only file copy (no directory listing or resume).

SFTP supports directory listing, resume, and other file operations.

Enable SCP server with `ip scp server enable` and SFTP server with `ip sftp server enable`.

SSH must be configured: hostname, domain, RSA keys (modulus 2048), version 2, VTY access.

[CCNA v2 NEW] This objective is new in the 200-301 v2.0 blueprint; v1.1 did not cover SFTP/SCP.

Use `copy scp:` or `copy sftp:` to initiate transfers from IOS CLI.

Verify SCP/SFTP server status with `show ip scp status` and `show ip sftp status`.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

SCP

Simple copy only; no directory listing

No resume support

Faster due to simpler protocol

Uses SSH port 22

Enabled with `ip scp server enable`

SFTP

Full file transfer features (list, rename, delete)

Supports resume of interrupted transfers

Slightly slower due to more handshakes

Uses SSH port 22

Enabled with `ip sftp server enable`

Watch Out for These

Mistake

SCP and SFTP are interchangeable and support the same features.

Correct

SCP is a simple copy protocol; SFTP is a full file transfer protocol with listing, resume, and more. They are not interchangeable.

Candidates assume both are 'secure file transfer' and ignore feature differences.

Mistake

SFTP is the same as FTPS (FTP over SSL).

Correct

SFTP uses SSH (port 22); FTPS uses FTP over TLS (port 990). They are completely different protocols.

Both have 'FTP' in the name and are secure, leading to confusion.

Mistake

You must configure an FTP server to use SCP.

Correct

SCP uses SSH, not FTP. No FTP server is needed; only SSH server is required.

The 'P' in SCP may be misinterpreted as 'FTP'.

Mistake

The command to enable SCP is `ip ssh scp enable`.

Correct

The correct command is `ip scp server enable`. There is no `ip ssh scp` command.

Candidates guess based on SSH-related command patterns.


Frequently Asked Questions

Do I need to configure SSH before SCP or SFTP?

Yes. SCP and SFTP both run over SSH. You must configure a hostname, domain name, generate RSA keys, enable SSH version 2, and configure VTY lines for SSH access. Without a working SSH server, SCP and SFTP will not function. The SSH server is a prerequisite.

Can I use SCP or SFTP to transfer files between two Cisco routers?

Yes. One router acts as the server (with `ip scp server enable` or `ip sftp server enable`) and the other as the client. Use the `copy scp:` or `copy sftp:` command on the client to pull or push files. Both routers must have SSH configured.

What is the difference between SFTP and FTPS?

SFTP (SSH File Transfer Protocol) uses SSH (port 22) for encryption and authentication. FTPS (FTP over SSL) uses FTP with TLS/SSL (port 990 for implicit FTPS). They are incompatible. Cisco IOS supports SFTP/SCP but not FTPS as a server. Know that SFTP is SSH-based, FTPS is FTP+TLS.

Does SCP support recursive directory copy?

Yes, SCP supports recursive copy using the -r option (e.g., `scp -r user@host:/dir/ flash:/`). However, it does not support directory listing or resuming. SFTP also supports recursive copy.

What is the default port for SCP and SFTP on Cisco IOS?

Both use TCP port 22, the same as SSH. You cannot change the port for SCP/SFTP independently; they rely on the SSH port. If you change the SSH port (not recommended), SCP/SFTP use the new port.

How do I verify that SFTP server is running on a Cisco router?

Use the `show ip sftp status` command. It will display whether the SFTP server is enabled or disabled. Similarly, `show ip scp status` for SCP. Also verify SSH with `show ip ssh`.

Can I use public key authentication for SCP/SFTP on Cisco IOS?

Yes. Cisco IOS supports SSH public key authentication. You can configure a user's public key using the `ip ssh pubkey-chain` commands. This allows passwordless SCP/SFTP transfers, which is useful for automation.
