CCNA 200-301 | Chapter 216 of 260 | Objective 4.7

TFTP, FTP, and SFTP Comparison

When you need to transfer configuration files, IOS images, or backups to and from a Cisco device, you rely on file transfer protocols. The CCNA 200-301 exam objective 4.7 expects you to compare TFTP, FTP, and SFTP, understanding their security, reliability, and use cases. In real network engineering, choosing the wrong protocol can lead to failed upgrades or security breaches—this chapter gives you the exact knowledge to make the right call and ace the exam.

25 min read
Beginner
Updated May 31, 2026

The Three Couriers: Postcard, Parcel, and Armored Truck

Imagine you need to send a sensitive document across town. You have three courier options: a postcard, a standard parcel service, and an armored truck.

The postcard (TFTP) is cheap and fast: you write the message and drop it in a mailbox. There is no envelope and nobody checks who is sending or receiving. The only delivery check is that the sender waits for a reply card for each page before mailing the next one, and simply mails the page again if no reply comes back. It suits quick, non-critical messages where simplicity matters more than privacy.

The standard parcel service (FTP) gives you a box, a tracking number, and delivery confirmation; you can check the status and file a claim if the package is lost. But the box is not locked, and the shipping label carries your account name and password in plain view, so anyone along the way can read both. It is fine for routine shipments on a route you trust.

The armored truck (SFTP) is the premium option. The document is locked in a safe, the truck is guarded, and the driver verifies identity before handing anything over. It costs more CPU and time, but you get encryption, authentication, and integrity checks.

In networking terms: TFTP uses UDP and has no authentication (postcard). FTP uses TCP but sends passwords and data in cleartext (unlocked parcel). SFTP runs over SSH and encrypts everything (armored truck). A network engineer chooses based on the sensitivity of the data and the trust placed in the path. For a quick IOS backup on a lab switch, TFTP is fine. For production configs across the internet, SFTP is the answer. The exam tests your ability to match the protocol to the scenario.

How It Actually Works

What They Are and Why They Exist

TFTP (Trivial File Transfer Protocol), FTP (File Transfer Protocol), and SFTP (SSH File Transfer Protocol) are all used to transfer files between network devices, but they differ dramatically in reliability, security, and complexity. On Cisco devices these protocols are commonly used to back up and restore configurations, upgrade IOS images, and transfer logs. The CCNA exam expects you to know the key differences, especially which one to use in a given scenario.

TFTP was designed in the 1980s as a lightweight alternative to FTP. It runs over UDP port 69 and uses a simple lock-step protocol: each data packet must be acknowledged before the next is sent. It has no authentication, no directory listing, and no security. Its simplicity makes it easy to implement in firmware, which is why it's still used for booting diskless workstations and for quick file transfers on local trusted networks.

FTP, defined in RFC 959, runs over TCP and uses two connections: a control connection on port 21 and a data connection on port 20 (active mode) or a negotiated high port (passive mode). FTP provides authentication (username/password), directory navigation, and file management commands. However, both credentials and data are transmitted in cleartext unless FTP over TLS/SSL (FTPS) is used—but Cisco exam objectives treat FTP as insecure.

SFTP is not FTP tunneled over SSH; it is a separate protocol that runs as a subsystem of SSH (TCP port 22 by default). It provides file transfer with encryption, integrity checking, and strong authentication (password or public key), and the SSH host key also authenticates the server to the client, so a spoofed server cannot quietly collect your config upload. Cisco IOS and IOS-XE act as SFTP clients (`copy sftp:`); do not count on the device accepting SFTP connections from others unless the release notes for your platform say so. For the exam, remember that SFTP is the most secure option and is preferred when transferring sensitive data over untrusted networks.

How They Work Step by Step at the Packet/Frame Level

TFTP (UDP-based):
- The client sends a Read Request (RRQ) or Write Request (WRQ) to the server on UDP port 69, naming the file and the transfer mode (netascii or octet).
- The server answers from a freshly chosen ephemeral UDP port, its transfer ID (TID), not from port 69. The client sends all further packets of that transfer to this new port and ignores datagrams from any other source port. For an RRQ the first reply is DATA block 1 (up to 512 bytes). For a WRQ the first reply is ACK block 0, after which the client starts sending DATA blocks.
- Every DATA packet carries a 16-bit block number starting at 1, and the receiver answers each one with an ACK carrying the same block number. The sender does not transmit block n+1 until ACK n arrives (lock-step, a window of one).
- If a DATA or ACK is lost, the sender retransmits after a timeout (5 seconds on Cisco IOS by default) and gives up after a small number of retries. UDP provides no congestion control or windowing, so throughput on a lossy or high-latency path is poor.
- The transfer ends when a DATA packet shorter than the block size arrives. If the file length is an exact multiple of 512, the sender finishes with an empty DATA packet.
- There is no authentication and no encryption. Integrity protection is limited to the UDP checksum; an ERROR packet (opcode 5) is the only failure signal.
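The exchange above, as an added example that is not code from the page or from Cisco: a toy TFTP server and client in Python over UDP on loopback. The file name, its contents, the 5-retry limit and the use of port 0 instead of 69 (so no root is needed) are constructed for the demonstration. It shows the lock-step DATA/ACK pairing, the server answering from a new ephemeral port (its transfer ID), which is the reason stateful firewalls need TFTP inspection, and termination by a block shorter than 512 bytes.

```python
"""Minimal TFTP (RFC 1350) read over UDP loopback.

Added example, not code from the page or from Cisco. A toy server and client
exchange RRQ -> DATA/ACK in lock-step so the block numbering, the server's
fresh transfer-ID (TID) port and the short-last-block rule can be observed.
"""
import socket
import struct
import threading

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512
# Constructed server "filesystem": 1200 bytes -> DATA blocks of 512, 512 and 176.
FILES = {"config.txt": b"hostname R1\n" * 100}

def build_rrq(filename, mode="octet"):
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def parse_rrq(pkt):
    fields = pkt[2:].split(b"\0")
    return struct.unpack("!H", pkt[:2])[0], fields[0].decode(), fields[1].decode().lower()

def build_data(block, payload):
    return struct.pack("!HH", DATA, block & 0xFFFF) + payload  # block number is 16-bit

def build_ack(block):
    return struct.pack("!HH", ACK, block & 0xFFFF)

def parse_header(pkt):
    return struct.unpack("!HH", pkt[:4])

def tftp_server(listen_sock, ready):
    """Serve exactly one RRQ. All replies come from a NEW socket (new TID), per RFC 1350."""
    ready.set()
    pkt, client = listen_sock.recvfrom(1024)
    op, name, _mode = parse_rrq(pkt)
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # ephemeral port = server TID
    xfer.settimeout(2)
    data = FILES.get(name)
    if op != RRQ or data is None:
        xfer.sendto(struct.pack("!HH", ERROR, 1) + b"File not found\0", client)
        return
    block, offset = 1, 0
    while True:
        chunk = data[offset:offset + BLOCK]
        for _ in range(5):                      # retransmit up to 5 times, then give up
            xfer.sendto(build_data(block, chunk), client)
            try:
                ack, _src = xfer.recvfrom(1024)
            except socket.timeout:
                continue
            if parse_header(ack) == (ACK, block & 0xFFFF):
                break                           # lock-step: only now move to the next block
        else:
            return
        block, offset = block + 1, offset + BLOCK
        if len(chunk) < BLOCK:                  # short (possibly empty) block ends the transfer
            return

def tftp_get(server_addr, filename, timeout=2.0):
    """Fetch a file; return (data, server_tid_port). Raise IOError on a TFTP ERROR packet."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_rrq(filename), server_addr)     # the request goes to the well-known port
    received, expected, server_tid = bytearray(), 1, None
    while True:
        pkt, src = sock.recvfrom(4 + BLOCK)
        if server_tid is None:
            server_tid = src                          # lock onto the port the server answered from
        elif src != server_tid:
            continue                                  # wrong TID: ignore (RFC 1350 section 4)
        op, block = parse_header(pkt)
        if op == ERROR:
            sock.close()
            raise IOError(pkt[4:].rstrip(b"\0").decode())
        if op == DATA and block == expected & 0xFFFF:
            received += pkt[4:]
            sock.sendto(build_ack(block), server_tid)
            expected += 1
            if len(pkt) - 4 < BLOCK:
                break
        elif op == DATA:                              # duplicate DATA: re-ACK the last good block
            sock.sendto(build_ack((expected - 1) & 0xFFFF), server_tid)
    sock.close()
    return bytes(received), server_tid[1]

def demo(filename="config.txt"):
    """Run server and client on loopback. Port 0 stands in for 69 so no root is needed."""
    listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen.bind(("127.0.0.1", 0))
    listen_port = listen.getsockname()[1]
    ready = threading.Event()
    t = threading.Thread(target=tftp_server, args=(listen, ready), daemon=True)
    t.start()
    ready.wait()
    try:
        data, tid_port = tftp_get(("127.0.0.1", listen_port), filename)
    finally:
        t.join(5)
        listen.close()
    # True means the DATA came from a port other than the one the RRQ went to (the server's TID).
    return data, tid_port != listen_port
```

Call `demo()`: it returns the bytes received and True when the server's data arrived from a port other than the one the RRQ was sent to, which is exactly the return flow a stateful firewall rule "permit client to server UDP 69" does not cover. `demo("missing.txt")` raises IOError carrying the server's ERROR message. Option negotiation (RFC 2347) and ERROR replies to wrong-TID senders are left out.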

FTP (TCP-based):
- The client opens a TCP control connection to the server on port 21 and logs in with USER and PASS; both the username and the password cross the wire in cleartext.
- The client chooses active or passive mode. In active mode the client sends PORT with its own address and a port, and the server opens the data connection from its port 20 to that client port. In passive mode the client sends PASV, the server replies with a 227 line carrying an address and a high port, and the client opens the data connection to it.
- File data (and directory listings) travel over the data connection; TCP supplies reliability, flow control, and congestion control.
- After each transfer the data connection is closed while the control connection stays open for further commands (LIST, DELE, CWD, another RETR or STOR).
- Separate control and data connections, one of them on a dynamic port, are what make FTP awkward for firewalls and NAT.
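Added example, not from the page: a Python parser for a captured FTP control channel. Both captures, the hosts, the user name and the password are constructed for the illustration. It shows why the page calls FTP insecure (the USER and PASS lines are readable to anyone on the path) and extracts the data-connection endpoint negotiated by PASV (the server's 227 reply carries h1,h2,h3,h4,p1,p2 with port = p1*256 + p2) or by PORT in active mode, then spells out which side the firewall must allow to initiate.

```python
"""What a sniffer sees on an FTP control connection (TCP/21).

Added example, not from the page. Parses constructed control-channel captures
(hosts, names and password are made up) to recover the cleartext credentials
and the data-connection endpoint negotiated by PASV or PORT.
"""
import re

# Constructed passive-mode session: C = client, S = server.
PASSIVE_SESSION = """\
S: 220 FTP server ready
C: USER netadmin
S: 331 Password required for netadmin
C: PASS S3cr3t-Backup!
S: 230 Logged on
C: TYPE I
S: 200 Type set to I
C: PASV
S: 227 Entering Passive Mode (192,168,1,100,195,80)
C: STOR config.txt
S: 150 Opening data channel for file upload
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye
"""

# Constructed active-mode session from a client behind a firewall.
ACTIVE_SESSION = """\
C: USER netadmin
C: PASS S3cr3t-Backup!
C: PORT 192,168,1,50,4,1
S: 200 PORT command successful
C: RETR c2900.bin
S: 425 Can't open data connection
"""

HOSTPORT_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def hostport(groups):
    """Six decimals h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2)."""
    h1, h2, h3, h4, p1, p2 = map(int, groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def analyze_ftp_session(capture):
    """Walk the control channel line by line and collect what an eavesdropper learns."""
    r = {"user": None, "password": None, "mode": None, "data_endpoint": None,
         "files": [], "errors": []}
    for raw in capture.splitlines():
        side, _, line = raw.partition(": ")
        if side == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                r["user"] = arg
            elif verb == "PASS":
                r["password"] = arg                 # cleartext: readable to anyone on the path
            elif verb == "PORT":                    # active mode: client tells server where to connect
                m = HOSTPORT_RE.search(arg)
                if m:
                    r["mode"], r["data_endpoint"] = "active", hostport(m.groups())
            elif verb in ("RETR", "STOR"):
                r["files"].append((verb, arg))
        elif side == "S":
            if line.startswith("227"):              # passive mode: server announces its data port
                m = HOSTPORT_RE.search(line)
                if m:
                    r["mode"], r["data_endpoint"] = "passive", hostport(m.groups())
            elif line[:1] in ("4", "5"):            # transient / permanent failure replies
                r["errors"].append(line)
    r["credentials_exposed"] = r["password"] is not None
    return r

def data_connection_rule(result):
    """Describe the data connection a firewall between client and server must permit."""
    ip, port = result["data_endpoint"]
    if result["mode"] == "passive":
        return f"client -> {ip}:{port} (client initiates; works behind a client-side firewall)"
    return f"server:20 -> {ip}:{port} (server initiates; dropped by a client-side firewall/NAT)"
```

The active capture ends in a 425 because the server's connection from port 20 back to 192.168.1.50:1025 never arrives; that is the failure the page's walk-through attributes to a missing passive-mode setting. The same parser applied to a real capture is also a quick way to prove to an auditor that FTP credentials are recoverable from the network.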

SFTP (SSH-based):
- The client opens a TCP connection to port 22 and completes the SSH transport: version string exchange, key exchange (which also authenticates the server by its host key), then user authentication by password or public key. Everything after the key exchange is encrypted and integrity-protected.
- Inside the SSH session the client opens a channel and requests the "sftp" subsystem, then sends SSH_FXP_INIT with the protocol version it supports; the server answers with SSH_FXP_VERSION.
- File operations are SFTP messages (SSH_FXP_OPEN, SSH_FXP_READ, SSH_FXP_WRITE, SSH_FXP_CLOSE, plus directory operations such as SSH_FXP_OPENDIR and SSH_FXP_READDIR) carried inside that encrypted channel. Each request carries an ID, so a client may have several requests outstanding, unlike TFTP's one-block-at-a-time exchange.
- Reliability comes from TCP underneath SSH; confidentiality and integrity come from the SSH cipher and MAC (or an AEAD cipher).
- There is no separate data connection: a single TCP session on one port carries control and data.
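Added example, not from the page or from any SSH implementation: a Python codec for the SFTP (version 3) message framing named above. It builds SSH_FXP_INIT, SSH_FXP_OPEN, SSH_FXP_READ and SSH_FXP_CLOSE as length-prefixed records, splits a byte stream back into messages, and issues several READ requests at once. The handle `b"h0"`, the file name and sizes are constructed. The SSH transport and encryption are deliberately absent: on the wire these bytes sit inside an encrypted SSH channel, so unlike the FTP control channel they are invisible to a sniffer; what the code adds is the request-ID structure that lets a client pipeline requests, which TFTP's one-block lock-step cannot do.

```python
"""SFTP (SSH File Transfer Protocol, version 3) message framing.

Added example, not from the page or any SSH implementation. Builds and parses
the length-prefixed records SFTP carries inside an encrypted SSH channel; the
SSH transport itself is omitted.
"""
import struct

FXP_INIT, FXP_VERSION, FXP_OPEN, FXP_CLOSE, FXP_READ, FXP_WRITE = 1, 2, 3, 4, 5, 6
FXP_STATUS, FXP_HANDLE, FXP_DATA = 101, 102, 103
SSH_FXF_READ = 0x00000001

def sshstr(b):
    """SSH 'string' type: uint32 length followed by the bytes."""
    return struct.pack("!I", len(b)) + b

def frame(msg_type, payload):
    """One SFTP record: uint32 length (type byte + payload), byte type, payload."""
    return struct.pack("!IB", 1 + len(payload), msg_type) + payload

def fxp_init(version=3):
    return frame(FXP_INIT, struct.pack("!I", version))

def fxp_open(req_id, path, pflags=SSH_FXF_READ):
    # attrs flags = 0: no file attributes follow
    return frame(FXP_OPEN, struct.pack("!I", req_id) + sshstr(path.encode())
                 + struct.pack("!II", pflags, 0))

def fxp_read(req_id, handle, offset, length):
    return frame(FXP_READ, struct.pack("!I", req_id) + sshstr(handle)
                 + struct.pack("!QI", offset, length))

def fxp_close(req_id, handle):
    return frame(FXP_CLOSE, struct.pack("!I", req_id) + sshstr(handle))

def split_messages(stream):
    """Split a byte stream into (type, request_id, payload) tuples; also return leftover bytes."""
    msgs = []
    while len(stream) >= 5:
        (length,) = struct.unpack("!I", stream[:4])
        if len(stream) < 4 + length:
            break                                   # partial record: wait for more bytes
        msg_type, payload = stream[4], stream[5:4 + length]
        # INIT/VERSION carry a protocol version, every other message starts with a request id
        req_id = None if msg_type in (FXP_INIT, FXP_VERSION) else struct.unpack("!I", payload[:4])[0]
        msgs.append((msg_type, req_id, payload))
        stream = stream[4 + length:]
    return msgs, stream

def pipelined_read_requests(handle, size, chunk=32768, first_id=2):
    """Issue every READ for a file at once, each with its own request ID (no lock-step)."""
    out, req_id = b"", first_id
    for offset in range(0, size, chunk):
        out += fxp_read(req_id, handle, offset, min(chunk, size - offset))
        req_id += 1
    return out
```

Run `split_messages(fxp_init() + fxp_open(1, "config.txt") + pipelined_read_requests(b"h0", 100000) + fxp_close(6, b"h0"))` to see one INIT, one OPEN and four READs with IDs 2 to 5 followed by a CLOSE; feeding the same stream minus its last few bytes returns the incomplete CLOSE record as leftover instead of a mis-parsed message, which is how a real receiver handles TCP segment boundaries.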

Key States, Timers, and Defaults

TFTP:
- Default retransmission timeout: 5 seconds.
- Maximum retransmissions: usually 5 (varies by implementation).
- Block size: 512 bytes (larger sizes can be negotiated with the TFTP blocksize option, RFC 2348; Cisco defaults to 512).
- Ports: the client uses an ephemeral UDP port; the server listens on UDP 69 and replies from a new ephemeral port (its TID).

FTP:
- Control port: TCP 21.
- Data port: TCP 20 (active mode) or a negotiated high port (passive mode, typically above 1023).
- Idle timeout for the control connection: commonly 15 minutes (varies by server).
- Transfer mode: stream (default) or block.

SFTP:
- Port: TCP 22 (shared with SSH).
- Authentication: password or public key.
- Encryption: depends on the negotiated SSH ciphers (AES, ideally an AEAD mode such as AES-GCM or ChaCha20-Poly1305; 3DES is legacy and should be disabled on the server).
- No separate data port.

IOS CLI Verification Commands

To copy files using TFTP, FTP, or SFTP, use the copy command:

Router# copy running-config tftp://192.168.1.100/config.txt
Address or name of remote host [192.168.1.100]?
Destination filename [config.txt]?
!!
1024 bytes copied in 1.234 secs (830 bytes/sec)

For FTP (credentials embedded in the URL are echoed in your terminal session and in any logging of the command, so prefer the global `ip ftp username` and `ip ftp password` settings and leave them out of the URL):

Router# copy running-config ftp://user:pass@192.168.1.100/config.txt

For SFTP:

Router# copy running-config sftp://user@192.168.1.100/config.txt

If the device was the destination of the copy (for example `copy tftp://192.168.1.100/config.txt flash:`), confirm the file arrived with dir; for a copy to a server, check the server's directory instead:

Router# dir flash:
Directory of flash:/
1  -rw-    1024    Jan 1 2025 00:00:00 +00:00  config.txt

To configure FTP credentials globally (used when the URL does not embed them; note that the password is stored in the running configuration, and `service password-encryption` only obscures it with the reversible type 7 scheme, so protect configuration backups accordingly):

Router# configure terminal
Router(config)# ip ftp username admin
Router(config)# ip ftp password cisco123

To adjust the TFTP retransmission timer (the keyword differs between releases and some expose `ip tftp min-timeout` instead; confirm with `ip tftp ?`):

Router(config)# ip tftp timeout 10

How They Interact with Related Protocols

DNS: When you use a hostname in the copy command (e.g., tftp://server/config.txt), the device performs a DNS lookup to resolve the hostname to an IP address.

ACLs and Firewalls: TFTP is a poor fit for stateful firewalls because the server answers the request sent to UDP 69 from a new ephemeral port; a rule that only permits client-to-69 traffic drops the reply unless the firewall has TFTP inspection (an ALG) or the return path is permitted broadly. FTP's separate data connection on a dynamic port needs an FTP ALG or passive mode to traverse NAT and firewalls. SFTP uses a single TCP connection on port 22, which makes it the easiest of the three to permit.

IP SLAs: You can use IP SLA to monitor TFTP server reachability.

NetFlow: File transfers generate flows that can be monitored.

Walk-Through

1

Identify the Transfer Need

Determine what you are transferring and the security requirements. For example, backing up a startup-config to a local server on a trusted LAN: TFTP is sufficient. For transferring an IOS image over the internet to a remote site: SFTP is mandatory. The exam will present scenarios like 'A network administrator needs to securely transfer a configuration file to a remote router across the internet.' The answer is SFTP because it provides encryption.

2

Set Up the Server

For TFTP, ensure a TFTP server is running on the host (e.g., SolarWinds TFTP Server, tftpd64). The server must have the appropriate directory and file permissions, and many TFTP servers refuse uploads until write access is enabled explicitly. For FTP, an FTP server (e.g., FileZilla Server) must be configured with user accounts. For SFTP, an SSH server with the SFTP subsystem enabled is required (e.g., OpenSSH on Linux). In these scenarios the Cisco device is the client. IOS can also serve files from flash to other devices with `tftp-server flash:filename` and accept SCP uploads with `ip scp server enable`, but exam scenarios assume an external server.

3

Verify Network Reachability

Use `ping` from the router to the server IP to ensure IP connectivity. For TFTP, also check that UDP port 69 is not blocked by ACLs. For FTP, TCP 21 (control) and TCP 20 or high ports (data) must be open. For SFTP, TCP 22 must be open. Example: `Router# ping 192.168.1.100`.

4

Execute the Copy Command

Use the appropriate copy command syntax. For TFTP: `copy running-config tftp://192.168.1.100/config.txt`. For FTP: `copy running-config ftp://username:password@192.168.1.100/config.txt`. For SFTP: `copy running-config sftp://username@192.168.1.100/config.txt`. If the URL omits credentials, FTP uses the global `ip ftp username` and `ip ftp password` settings (anonymous login if none are configured), and SFTP prompts for the password. The router shows transfer progress (exclamation marks) and a byte-count summary on success. A password typed into the URL remains in the terminal session and in any logging of the command, so prefer the prompt or the global settings.

5

Verify the Transfer

After the copy, verify the file exists on the destination server (check server directory) or on the router's flash if it was a download. On the router, use `dir flash:` to see the file. Also check file size and integrity. For configuration files, you can view the content with `more flash:config.txt`.

6

Troubleshoot if Failed

If the transfer fails, check these common issues. TFTP: confirm the server is running, that the target directory permits writes (a server that is read-only by default refuses a WRQ), and that no ACL blocks UDP 69 or the server's reply from its ephemeral port; enable TFTP packet debugging (`debug ip tftp packet` or `debug tftp`, depending on release; confirm with `debug ?`) to watch the exchange. FTP: check the credentials and whether passive mode is in use when a firewall sits between client and server. SFTP: verify SSH reachability first with `ssh -l username 192.168.1.100`; if the SSH login fails, SFTP fails too. Also check ACLs and routing. `show ip sockets` lists the open UDP and TCP sockets on the device.

What This Looks Like on the Job

In enterprise networks, TFTP is often used for quick, local transfers within a data center or lab. For example, a network engineer might use TFTP to back up the config of a core switch before a major change. The engineer sets up a TFTP server on their laptop, connects to the switch's management IP, and issues the copy command. The transfer is fast and simple, but there is no encryption—anyone sniffing the network can see the config. This is acceptable on a physically secure, isolated management network.

FTP is sometimes used for transferring large IOS images to routers in a staging area. The engineer can use FTP's directory listing to verify files before transfer. However, because FTP sends passwords in cleartext, it is usually replaced by SFTP or SCP in production. A common pitfall is active mode when the client sits behind a firewall or NAT: the control connection succeeds, but the server's connection from port 20 back to the client is dropped, so the transfer hangs or fails. Configure `ip ftp passive` on the IOS client so it uses passive connections only, rather than relying on the default behavior of a given release.

SFTP is the go-to for secure transfers, especially over the internet or untrusted networks. For instance, an enterprise with branch offices might use SFTP to push configuration updates to routers at remote sites. The SSH tunnel ensures that even if the traffic is intercepted, the contents remain confidential. However, SFTP requires more CPU overhead due to encryption, so for very large files (e.g., 100 MB IOS images), the transfer may be slower than TFTP. Some organizations use SCP (Secure Copy) instead, which is also over SSH and is often faster for file transfers. Cisco devices support SCP as well, but the exam focuses on SFTP.

Misconfiguration can lead to failed transfers. For example, if the TFTP server is not running or the file path is incorrect, the router times out after several retries. For FTP, a common error is 'Invalid username or password'; if the URL carries no credentials, the router falls back to the global `ip ftp` settings or prompts. For SFTP, no SSH server configuration (`ip ssh` commands or `crypto key generate rsa`) is needed on the IOS device for it to act as a client, since the SSH client is built in; it is the remote host that must run an SSH server with the SFTP subsystem, and the account used must have write permission to the target directory.

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam objective 4.7 is 'Compare TFTP, FTP, and SFTP.' This is a comparison topic, so expect multiple-choice questions that ask which protocol to use in a given scenario. The exam does not test deep configuration details but focuses on key characteristics: transport protocol (UDP vs TCP), security (cleartext vs encrypted), reliability, and use cases.

Common Wrong Answers and Why Candidates Choose Them:
1. 'TFTP uses TCP for reliability.' Wrong: TFTP uses UDP. Candidates confuse TFTP with FTP or assume all file transfers use TCP.
2. 'FTP is more secure than TFTP because it requires authentication.' FTP does require a login, but the credentials are sent in cleartext, so it is not secure. Candidates equate authentication with security.
3. 'SFTP is the same as FTP over SSL/TLS.' SFTP is a separate protocol over SSH; FTPS (FTP over SSL/TLS) is different. The exam uses SFTP to mean SSH File Transfer Protocol.
4. 'TFTP can list directories.' TFTP has no directory listing; it only reads or writes a file whose exact path and name you already know.

Specific Values and Defaults:
- TFTP uses UDP port 69.
- FTP uses TCP ports 21 (control) and 20 (data in active mode).
- SFTP uses TCP port 22 (SSH).
- TFTP block size is 512 bytes.
- TFTP timeout is 5 seconds.

Decision Rule for Scenario Questions:
- 'secure transfer' or 'encryption': choose SFTP.
- 'simple, fast, local network' or 'bootstrapping': choose TFTP.
- 'authentication' but no encryption: choose FTP (and note that it is still not secure).
- 'firewall-friendly' or 'single port': choose SFTP.
- 'UDP' or 'connectionless': choose TFTP.

Key Takeaways

TFTP uses UDP port 69, no authentication, no encryption, 512-byte blocks, and a lock-step ACK mechanism.

FTP uses TCP ports 21 (control) and 20 (data in active mode); sends credentials and data in cleartext.

SFTP runs over SSH (TCP port 22), providing encryption, integrity, and strong authentication.

TFTP is suitable for local, trusted networks; SFTP is required for secure transfers over untrusted networks.

Cisco IOS uses the 'copy' command with URLs like tftp://, ftp://, or sftp:// to initiate transfers.

FTP has active and passive modes; passive mode is firewall-friendly, and `ip ftp passive` forces the IOS client to use it.

TFTP has a default timeout of 5 seconds and a maximum of 5 retransmissions per packet.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

TFTP

Uses UDP port 69

No authentication or encryption

Lock-step: one packet at a time

Block size: 512 bytes

No directory listing

FTP

Uses TCP ports 21 (control) and 20 (data active)

Username/password authentication, but cleartext

TCP provides reliability and flow control

No fixed block size; uses stream mode

Supports directory listing and file management

FTP

Cleartext authentication and data

Two separate TCP connections

Active and passive modes

Can be blocked by firewalls due to multiple ports

Faster due to no encryption overhead

SFTP

Encrypted SSH tunnel

Single TCP connection on port 22

No separate data connection

Firewall-friendly (single port)

Slower due to encryption overhead

Watch Out for These

Mistake

TFTP uses TCP because it requires acknowledgments.

Correct

TFTP uses UDP (port 69). Acknowledgments are done at the application layer, not by TCP. The protocol itself sends ACK packets for each data block.

Candidates see 'ACK' and assume TCP, but TFTP implements its own ACK mechanism over UDP.

Mistake

FTP is secure because it requires a username and password.

Correct

FTP transmits username and password in cleartext (no encryption). It is not secure unless combined with SSL/TLS (FTPS).

Authentication is often equated with security, but encryption is the key factor.

Mistake

SFTP is just FTP with SSL/TLS added.

Correct

SFTP (SSH File Transfer Protocol) is a completely different protocol that runs as a subsystem of SSH. It is not FTP over SSL.

The similar acronyms cause confusion. FTPS is FTP over SSL, while SFTP is over SSH.

Mistake

TFTP can list directories like FTP.

Correct

TFTP has no directory listing capability. It only supports read and write requests for specific filenames.

Candidates assume all file transfer protocols offer similar features, but TFTP is minimal.


Frequently Asked Questions

Does Cisco IOS support SFTP server?

Cisco IOS and IOS-XE act as SFTP clients: the device can initiate an SFTP copy to a remote SFTP server, but do not plan on the device accepting SFTP connections from others unless your platform's release notes say so. To receive files over SSH, IOS offers an SCP server (`ip scp server enable`) instead. For the exam, remember that the router is a client for TFTP, FTP, and SFTP.

What is the difference between SFTP and FTPS?

SFTP (SSH File Transfer Protocol) is a protocol that runs over SSH (port 22) and provides file transfer with encryption. FTPS (FTP over SSL/TLS) is standard FTP with an added security layer, using port 990 for implicit FTPS or port 21 for explicit. Cisco devices support SFTP as a client; FTPS is not commonly covered in CCNA. The exam uses 'SFTP' to mean the SSH-based protocol.

Can TFTP be used over the internet?

Technically yes, but it is strongly discouraged because TFTP has no security. There are no credentials at all, so anyone who can reach UDP 69 can read any file the server offers or write files to it, and the contents cross the internet in cleartext. The UDP exchange also copes badly with firewalls (the server replies from a new ephemeral port) and with lossy or high-latency links (one block outstanding at a time). For transfers over the internet, use SFTP or SCP.

How do I configure a Cisco router to use passive FTP?

`ip ftp passive` in global configuration mode restricts the IOS FTP client to passive connections, in which the client initiates both the control and the data connection. Without it the client may also use active mode, where the server connects back to the client, which fails behind a client-side firewall or NAT. Verify the setting with `show running-config | include ip ftp`.

What is the default TFTP timeout on a Cisco router?

Cisco IOS retransmits a TFTP block after 5 seconds without an ACK. The timer is adjustable on releases that expose it; the keyword varies (for example `ip tftp timeout <seconds>` or `ip tftp min-timeout <seconds>`), so check `ip tftp ?` in global configuration mode.

Why would a TFTP transfer fail with 'timeout'?

Common reasons: the TFTP server is not running, the file path is incorrect, a firewall is blocking UDP port 69 or the server's reply from its ephemeral port, or the server is not reachable. Enable TFTP debugging (`debug ip tftp packet` or `debug tftp`, depending on release) to see the packets sent and received. Also check that the server has the file in the correct directory with appropriate permissions and, for uploads, that the server allows writes.

Is SCP the same as SFTP?

No, SCP (Secure Copy) is also a file transfer protocol over SSH, but it is simpler and often faster. SFTP provides more features like directory listing and resume. Cisco devices support both SCP and SFTP as clients. The CCNA exam focuses on SFTP, but you should know that SCP is an alternative.
