Enable SCP for firmware upgrades

I've opened a few tickets about this and it's driven me crazy that it doesn't exist. I strongly, strongly want SCP for firmware upgrades vs TFTP. One reason is obviously because SCP uses TCP instead of UDP for the firmware transfers - ensuring they're likely to go across more successfully. The other is for security itself. There's a UX issue there of why would you enable SCP as an option if you're not going to support it?

Level 16

I get that about the SCP (TCP and secure)

I'm just not sure that NCM should be the firmware repository bank.

sja, NCM doesn't have to be the repo bank. While it does have TFTP and SFTP_Root folders, if you point the firmware repo to a share (say: read only, managed securely, etc.) - it doesn't become the repo. The issue is that even if that's the case, it will still *transfer* to network equipment via TFTP currently - no other option works for firmware upgrade. Sure, if you run a job SCP will work just fine - but for firmware upgrade, there's a checkbox in the template for "use SCP" and if you try you'll find it just doesn't work. Which is as much of a UX issue as a lack of functionality for what is otherwise an awesome automated firmware upgrade process.

Tagging KMSigma in case my understanding is incorrect.

NCM allows you to specify your own SCP or TFTP server location and authentication values, which if you are already running a central server of these 2 protocols will allow you to create a separate firmware repository bank. However, it is my experience that the majority of deployment will utilise the NCM SCP or TFTP server, which currently does not work fully within the Firmware upgrade feature for SCP support.

Level 16

Hi m_roberts

I'm quite sure it's a very bad idea... when you have over 3000 nodes in NCM

It's the same as sending syslog/traps to the pollers without filter layers...

that will not scale and will kill the setup


For what reason do you think this is a bad idea?

The TFTP and SCP servers in NCM can support several hundred concurrent sessions.

I've done close to 500 network devices through firmware upgrade. The only issues I've had are security impersonation but nothing involving TFTP/SCP load, because firmware upgrades only go 1 at a time. What are you talking about, sja?

Level 10

pls bring some other option to terribly slow TFTP SOOOOON !!!


Level 12

Why not use Kiwi CatTools for firmware over NCM? Kiwi CatTools uses SCP...

I didn't know people used Kiwi for SCP, but it's listed as an option for NCM - just not enabled, basically.

