Chapter 21 of 29
QoS, SSH, FTP, and TFTP: Supporting Services for Reliable Operations
Round out your IP services toolkit with QoS basics and secure/legacy management protocols like SSH, FTP, and TFTP that appear in configuration and troubleshooting questions.
Module Overview: Why QoS, SSH, FTP, and TFTP Matter
Big Picture
This module links QoS, SSH, FTP, and TFTP into a toolkit for reliable network operations and CCNA-style troubleshooting.
From Clients to Engineers
Earlier you learned DHCP, DNS, SNMP, syslog, and NTP, services that mostly serve clients. Now we focus on services engineers use directly: QoS, secure remote access, and file transfers.
Learning Goals
You will explain QoS basics, configure SSH on Cisco IOS, compare FTP vs TFTP, and apply device management best practices for the exam and real life.
QoS Fundamentals: Why and When You Need It
What QoS Does
QoS is a toolbox for handling congestion so important traffic gets better treatment than less important traffic when links are overloaded.
When QoS Matters
QoS only really matters when demand exceeds link capacity. Then, it decides which packets wait, which are prioritized, and which are dropped.
Traffic Types
Voice and video need low delay and jitter; interactive apps need low delay; bulk transfers can wait and tolerate some loss.
Key Exam Point
QoS cannot create bandwidth. It only manages who suffers more or less during congestion on limited links.
Classification and Marking: DSCP, CoS, and Trust Boundaries
QoS Pipeline
The modern QoS pipeline: classify traffic first, then mark it, then queue and schedule it at each hop based on those markings.
Classification
Classification uses IPs, ports, VLANs, or existing marks. Cisco class-maps often match ACLs, protocols, or DSCP values.
Marking
Marking writes DSCP at Layer 3 or CoS at Layer 2. EF (DSCP 46) is commonly used for voice; DSCP 0 is best effort.
Trust Boundaries
You usually trust markings from IP phones and re-mark traffic from PCs at the first access switch. Remember that DSCP lives in the Layer 3 IP header and CoS in the Layer 2 802.1Q tag, a common test detail.
Example: Simple QoS Classification and Marking on Cisco IOS
Scenario
We want to classify VoIP signaling and RTP media on a router and mark them with appropriate DSCP values for downstream QoS.
High-Level Steps
Steps: create ACLs to match voice, class-maps to group flows, a policy-map to set DSCP, then apply the policy outbound on the WAN interface.
Config Highlights
ACLs match SIP (UDP 5060) and RTP ports, class-maps reference those ACLs, and the policy-map sets CS3 for signaling and EF for RTP.
Key Takeaway
At CCNA level, be able to read this pattern, know that `service-policy output` applies the QoS policy to an interface, and relate DSCP EF/CS3 to voice traffic.
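The pattern described above, written out as a complete Cisco IOS configuration. This is an added example, not configuration from the course: the voice subnet 10.10.20.0/24, the WAN interface GigabitEthernet0/1, the RTP port range 16384-32767 and the object names are all assumptions.

```cisco
! Added example (not from the course): classify VoIP signaling and RTP media
! and mark them with DSCP CS3 / EF before they leave the WAN interface.
! Assumed values: voice subnet 10.10.20.0/24, WAN interface GigabitEthernet0/1,
! RTP media range UDP 16384-32767.
!
! Step 1: ACLs that identify the flows (SIP signaling, RTP media)
ip access-list extended VOICE-SIGNALING
 permit udp 10.10.20.0 0.0.0.255 any eq 5060
 permit tcp 10.10.20.0 0.0.0.255 any eq 5060
ip access-list extended VOICE-RTP
 permit udp 10.10.20.0 0.0.0.255 any range 16384 32767
!
! Step 2: class-maps group the matching traffic into named classes
class-map match-any CM-VOICE-SIGNALING
 match access-group name VOICE-SIGNALING
class-map match-any CM-VOICE-RTP
 match access-group name VOICE-RTP
!
! Step 3: policy-map sets the DSCP value per class.
! class-default re-marks everything else to DSCP 0 (best effort), which is
! how untrusted markings are cleared at a trust boundary.
policy-map PM-MARK-VOICE
 class CM-VOICE-SIGNALING
  set dscp cs3
 class CM-VOICE-RTP
  set dscp ef
 class class-default
  set dscp default
!
! Step 4: apply the policy outbound on the WAN interface
interface GigabitEthernet0/1
 service-policy output PM-MARK-VOICE
!
! Verification: per-class packet counters confirm the ACLs actually match
show policy-map interface GigabitEthernet0/1
```

The `show policy-map interface` counters are the quickest troubleshooting check: if the voice classes show zero packets while calls are active, the ACL port ranges or subnet do not match the real traffic and everything is falling into class-default.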
SSH: Secure Remote Management (and Replacing Telnet)
Why SSH
SSH encrypts remote CLI sessions, protecting passwords and commands. Telnet is cleartext and is now considered insecure on production networks.
Core SSH Features
SSH gives confidentiality, integrity, and authentication. It normally uses TCP port 22 and supports username/password or key-based logins.
VTY Lines
Cisco devices use VTY lines for remote logins. You apply SSH-only and login settings on these VTY lines.
Best Practice
Use SSH v2 only, disable Telnet, use strong credentials, and restrict who can connect with ACLs or similar controls.
Example: Configuring SSH and Disabling Telnet on Cisco IOS
SSH Config Goal
We want SSHv2 remote access using local usernames, with Telnet disabled on VTY lines and optional IP-based restrictions.
Key Commands
Set hostname and domain, generate RSA keys, enable SSH v2, create a local user, then configure VTY with `transport input ssh` and `login local`.
Security Extras
Use `exec-timeout` to close idle sessions and `access-class` on VTY lines to allow only management subnets to connect.
Exam Pitfalls
Forgetting the domain name before key generation, leaving Telnet enabled, or missing local user definitions are classic errors.
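The complete SSH hardening sequence described above, including the `exec-timeout` and `access-class` extras, as an added example that is not course configuration. The hostname R1, the domain lab.example, the management subnet 10.0.100.0/24 and the placeholder secret are assumptions.

```cisco
! Added example (not from the course): SSHv2-only management access on Cisco IOS.
! Assumed values: hostname R1, domain lab.example, management subnet 10.0.100.0/24.
!
! Hostname and domain name are required before the RSA key can be generated
hostname R1
ip domain-name lab.example
!
! Generate the host key pair; SSH will not start without it
crypto key generate rsa modulus 2048
!
! Allow only protocol version 2 and limit password retries per connection
ip ssh version 2
ip ssh authentication-retries 3
!
! Local account with a hashed secret (never a cleartext 'password')
username admin privilege 15 secret <replace-with-strong-secret>
!
! Only the management subnet may open a remote CLI session; log rejected attempts
ip access-list standard MGMT-ONLY
 permit 10.0.100.0 0.0.0.255
 deny   any log
!
! VTY lines: SSH only (Telnet disabled), local authentication,
! idle sessions closed after 10 minutes, source restricted by the ACL
line vty 0 15
 transport input ssh
 login local
 exec-timeout 10 0
 access-class MGMT-ONLY in
!
! Verification
show ip ssh
show users
```

`show ip ssh` should report "SSH Enabled - version 2.0"; if it shows SSH disabled, the usual cause is the missing domain name or key pair from the pitfalls list. Test the new VTY settings from a second session before closing the one you configured from, so a mistake in `access-class` or `login local` does not lock you out.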
FTP vs TFTP: Protocol Basics and Reliability
FTP in a Nutshell
FTP uses TCP (port 21 for control), supports logins and directories, and is reliable but usually unencrypted in classic form.
TFTP in a Nutshell
TFTP uses UDP port 69, has no authentication or directories, and is extremely simple, often used on local LANs.
Reliability
FTP’s TCP foundation makes it more reliable, especially for large files over WANs. TFTP is more fragile but fine on clean LANs.
Security Note
Neither FTP nor TFTP is secure by default. For sensitive environments, SSH-based SFTP/SCP or other secure options are preferred.
Example: Using FTP and TFTP for Config and Image Transfers
Backing Up Configs with TFTP
Use `copy running-config tftp:` to save a config to a TFTP server on a trusted management VLAN, then `copy tftp: running-config` to restore.
Upgrading IOS with FTP
Set FTP username/password, then `copy ftp: flash:` to download large IOS images reliably, especially over WAN links.
Security and Scope
Keep TFTP on isolated management networks. FTP is more reliable but still unencrypted; use it where risk is acceptable.
Command Pattern
Remember `copy source destination`. Protocol prefixes like `tftp:` and `ftp:` identify the transfer method for exam questions.
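The TFTP backup/restore and FTP image download commands from this section, put together as an added example that is not course material. The server address 10.0.100.50, the interface Vlan100 and the file names are assumptions or placeholders.

```cisco
! Added example (not from the course): config backup over TFTP and IOS image
! download over FTP from a server on the management VLAN.
! Assumed values: server 10.0.100.50, management SVI Vlan100; file names are placeholders.
!
! --- Config backup and restore with TFTP (no credentials, so keep it on the trusted LAN) ---
copy running-config tftp://10.0.100.50/R1-backup.cfg
copy tftp://10.0.100.50/R1-backup.cfg running-config
!
! --- Large IOS image over FTP (TCP, so it survives loss on WAN links) ---
configure terminal
 ip ftp username <ftp-user>
 ip ftp password <ftp-password>
 ip ftp source-interface Vlan100
end
copy ftp://10.0.100.50/<image-filename>.bin flash:
!
! Verify the file arrived intact before pointing the boot system at it
dir flash:
verify /md5 flash:<image-filename>.bin
```

Two caveats worth remembering: `copy tftp: running-config` merges the file into the running configuration rather than replacing it, so restore into `startup-config` and reload when you need an exact copy; and the FTP credentials are stored in the device configuration and sent in cleartext on the wire, which is why the text limits FTP to environments where that risk is acceptable.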
Device Management Best Practices: Bringing It All Together
Secure Management
Use SSHv2 only, disable Telnet, use `secret` passwords, and restrict VTY access with ACLs and dedicated management VLANs.
Protect File Transfers
Place TFTP/FTP servers in management segments and limit access with ACLs; use SCP/SFTP where supported for sensitive data.
Backups and Recovery
Regularly back up configs and images, keep clear versions, and practice restore steps so you can recover devices quickly.
QoS for Critical Traffic
Prioritize voice, key control, and management traffic over bulk transfers, marking at the edge and enforcing on congested links.
Thought Exercise: Choosing the Right Tool
Work through these scenarios mentally and decide which protocol or feature you would use. Then compare your reasoning to the guidance.
- Scenario A: WAN congestion during backup window
  - Every night at 02:00, large FTP backups run over a 50 Mbps WAN link. Users complain that early-morning voice calls sound choppy.
  - Question: Which feature from this module should you apply, and to which traffic?
  - Think: What gets priority? What gets de-prioritized?
- Scenario B: New branch switch with no config
  - You installed a new switch at a small branch. It boots with a default config. There is a TFTP server on the same LAN with a prebuilt configuration file.
  - Question: Which protocol will you likely use to load the config, and why is that acceptable here?
- Scenario C: Exposed Telnet on internet edge router
  - A security scan shows TCP port 23 (Telnet) open on your internet edge router. SSH is also enabled.
  - Question: Which configuration changes should you make to align with best practices?
- Scenario D: Pushing a 2 GB image to a remote router
  - You need to upgrade IOS on a router over a moderate-quality WAN link. Both FTP and TFTP servers are available.
  - Question: Which protocol is the better choice, and why?
Reflect on your answers, then check the guidance below.
Guidance:
- A: Apply QoS to prioritize voice (EF) and de-prioritize bulk FTP backups.
- B: Use TFTP on the local LAN; simplicity and low overhead are fine in this trusted context.
- C: Disable Telnet (`transport input ssh` only), ensure SSHv2, and possibly restrict VTY access with ACLs.
- D: Use FTP for reliable large-file transfer over the WAN.
Quiz 1: QoS and SSH Basics
Check your understanding of QoS and SSH fundamentals.
A company runs VoIP and large nightly backups over the same WAN link. During congestion, voice quality drops. Which combination of actions best addresses this at CCNA level?
- Increase WAN bandwidth and disable QoS so all traffic is treated equally.
- Implement QoS to classify and mark voice as high priority (EF) and de-prioritize backup traffic.
- Move backups to a different VLAN and enable Telnet for easier troubleshooting.
- Enable SSHv1 on all routers and switches to encrypt voice packets end-to-end.
Answer: B) Implement QoS to classify and mark voice as high priority (EF) and de-prioritize backup traffic.
QoS is used to manage congestion by prioritizing critical traffic. Classifying and marking voice as high priority (e.g., DSCP EF) and de-prioritizing backups is the correct approach. Simply increasing bandwidth may not be feasible or sufficient; VLAN changes and Telnet/SSH choices do not directly solve congestion for voice.
Quiz 2: FTP vs TFTP and Secure Access
Test your understanding of FTP/TFTP and secure remote management.
You need to upgrade a router’s IOS image over a lossy WAN link and also lock down remote management. Which option is MOST appropriate?
- Use TFTP to transfer the image and allow Telnet and SSH on VTY lines for flexibility.
- Use FTP to transfer the image and configure VTY lines for SSH only with local login.
- Use TFTP to transfer the image and disable both Telnet and SSH to prevent attacks.
- Use FTP to transfer the image and enable Telnet only, since SSH can impact performance.
Answer: B) Use FTP to transfer the image and configure VTY lines for SSH only with local login.
FTP over TCP is more reliable than TFTP for large image transfers across lossy WAN links. For secure management, VTY lines should be configured for SSH only, using local usernames (or AAA) for authentication. Allowing Telnet or disabling all remote access would not align with best practices.
Key Term Flashcards: QoS, SSH, FTP, and TFTP
Flip through these cards to reinforce core terms and ideas from this module.
- Quality of Service (QoS)
- A set of techniques used to manage congestion and provide different levels of service to different types of traffic, typically by classifying, marking, and queuing packets so that critical flows get better treatment than less important ones.
- Classification (QoS)
- The process of identifying and grouping traffic into classes based on criteria such as IP addresses, ports, protocols, VLANs, or existing QoS markings, so that different policies can be applied to each class.
- Marking (QoS)
- Writing a QoS value (such as DSCP at Layer 3 or CoS at Layer 2) into packet headers so downstream devices know how to prioritize and queue the traffic.
- DSCP (Differentiated Services Code Point)
- A 6-bit field in the IP header used to indicate the per-hop behavior a packet should receive; common values include EF (46) for voice and various AF classes for prioritized data.
- SSH (Secure Shell)
- A secure, encrypted protocol (typically using TCP port 22) for remote command-line access and management of devices, providing confidentiality, integrity, and authentication.
- Telnet vs SSH
- Telnet provides cleartext remote access and is considered insecure; SSH provides encrypted remote access and is the recommended method for managing network devices.
- FTP (File Transfer Protocol)
- A TCP-based protocol (control on port 21) for transferring files that supports authentication and directories; reliable but usually unencrypted in its classic form.
- TFTP (Trivial File Transfer Protocol)
- A simple UDP-based protocol using port 69 for basic file transfers, with no authentication or directory navigation; often used for config and image transfers on trusted LANs.
- VTY lines (Cisco IOS)
- Logical virtual terminal lines on Cisco devices used for remote CLI access; you configure protocols (SSH/Telnet), authentication, and access restrictions here.
- Trust Boundary (QoS)
- The point in the network where you decide whether to honor or overwrite incoming QoS markings, typically trusting IP phones and remarking traffic from PCs at the first switch.
Key Terms
- ACL
- An Access Control List (ACL) is an ordered set of permit and deny statements that control which packets are allowed or blocked based on criteria such as source, destination, and protocol.
- CoS
- Class of Service, a set of 3 bits in the 802.1Q VLAN tag used at Layer 2 to mark frames for QoS on Ethernet networks.
- FTP
- File Transfer Protocol, a reliable TCP-based protocol (port 21 for control) used for transferring files, supporting authentication and directory operations but typically lacking encryption.
- SSH
- Secure Shell, a cryptographic network protocol providing secure remote login and other secure network services over an insecure network, typically using TCP port 22.
- DSCP
- Differentiated Services Code Point, a 6-bit field in the IP header used for QoS marking to signal per-hop behavior for routers and switches.
- TFTP
- Trivial File Transfer Protocol, a simple UDP-based file transfer protocol using port 69, with no authentication or directory navigation, commonly used on trusted LANs for config and image transfers.
- Telnet
- An older, insecure remote terminal protocol that sends data, including passwords, in cleartext; generally replaced by SSH for device management.
- Marking
- Setting QoS-related bits in packet headers (such as DSCP in the IP header or CoS in the 802.1Q tag) to indicate the priority or handling a packet should receive.
- VTY lines
- Virtual Teletype lines on Cisco IOS devices, representing logical remote access lines where protocols like SSH and Telnet and related access controls are configured.
- Classification
- The QoS process of identifying and grouping packets into traffic classes based on attributes like IP addresses, ports, protocols, VLANs, or existing markings.
- Trust boundary
- In QoS, the point in the network where you decide which devices' QoS markings to trust and where you may remark traffic from untrusted sources.
- Quality of Service (QoS)
- A collection of techniques used to manage congestion and provide differentiated treatment to traffic classes, so that critical applications like voice and video receive better performance under load.