
CCNA TFTP & FTP: File Transfer Protocols for IOS Management

TFTP and FTP are the two file transfer protocols used to manage Cisco IOS images, configuration files, and other network device files. The CCNA 200-301 exam tests the differences between TFTP and FTP, their port numbers, use cases, and the IOS commands for copying files. This guide covers both protocols and the common network device file management operations you need to know.

TFTP: Trivial File Transfer Protocol

TFTP (Trivial File Transfer Protocol, RFC 1350) is a simple, lightweight file transfer protocol using UDP port 69. 'Trivial' is accurate — TFTP has no authentication, no directory listing, no encryption, and no error recovery beyond a stop-and-wait acknowledgment per block. It can only read or write files if you know the exact filename.

TFTP is the standard protocol for transferring IOS images and configuration files on network devices. It's simple enough to be implemented in ROM bootstrap code — devices can TFTP-boot an IOS image from a server before any OS is loaded. This is the primary use case that keeps TFTP relevant despite its limitations.

TFTP uses UDP port 69 for the initial connection request. After the connection is established, the server uses a random ephemeral port for the data transfer. TFTP uses a stop-and-wait protocol: the sender transmits one block (512 bytes by default), then waits for an ACK before sending the next. This is simple but slow for large files over high-latency links.

TFTP security: no authentication means any host that can reach the TFTP server can read or write files (subject to server ACL configuration). TFTP servers should be on a management network accessible only to trusted devices. Never run a TFTP server on a public-facing network.
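The packet layout behind these points, as an added example that is not part of the original guide: a decoder for the five RFC 1350 packet types plus a check that flags read/write requests arriving from outside a management subnet. The function names, the subnet and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}  # RFC 1350
BLOCK_SIZE = 512  # default DATA payload size

def parse_tftp(payload: bytes) -> dict:
    """Decode one TFTP packet (the UDP payload)."""
    if len(payload) < 4:
        raise ValueError("truncated TFTP packet")
    opcode, num = struct.unpack("!HH", payload[:4])
    op = OPCODES.get(opcode)
    if op is None:
        raise ValueError(f"unknown opcode {opcode}")
    if op in ("RRQ", "WRQ"):
        # Only a filename and a mode, both NUL-terminated: no credential field exists.
        fields = payload[2:].split(b"\x00")
        if len(fields) < 3 or not fields[0]:
            raise ValueError("malformed request")
        return {"op": op, "filename": fields[0].decode("ascii", "replace"),
                "mode": fields[1].decode("ascii", "replace").lower()}
    if op == "DATA":
        size = len(payload) - 4
        # A block shorter than 512 bytes ends the transfer.
        return {"op": op, "block": num, "size": size, "last": size < BLOCK_SIZE}
    if op == "ACK":
        return {"op": op, "block": num}
    msg = payload[4:].split(b"\x00")[0].decode("ascii", "replace")
    return {"op": op, "code": num, "message": msg}

def audit_requests(packets, trusted_net: str) -> list:
    """Flag RRQ/WRQ packets sent to UDP 69 from outside the management network."""
    net = ipaddress.ip_network(trusted_net)
    findings = []
    for src, payload in packets:
        try:
            pkt = parse_tftp(payload)
        except ValueError as exc:
            findings.append((src, f"malformed: {exc}"))
            continue
        if pkt["op"] in ("RRQ", "WRQ") and ipaddress.ip_address(src) not in net:
            findings.append((src, f"{pkt['op']} {pkt['filename']}"))
    return findings

# Constructed sample traffic (not captured from a real network).
SAMPLE = [
    ("10.10.0.5", b"\x00\x01router1-confg\x00octet\x00"),
    ("172.16.9.20", b"\x00\x02router1-confg\x00octet\x00"),
]
```

Running `audit_requests(SAMPLE, "10.10.0.0/24")` reports only the write request from 172.16.9.20, the source outside the management subnet.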

FTP: File Transfer Protocol

FTP (File Transfer Protocol, RFC 959) is a full-featured file transfer protocol using TCP for reliable delivery. FTP uses two connections: a control connection (TCP port 21) for commands and responses, and a data connection (TCP port 20 in active mode, or a negotiated port in passive mode) for file transfer.

FTP supports authentication (username and password), directory listing, file renaming, deletion, and permission management — features TFTP lacks entirely. However, standard FTP transmits credentials and data in plaintext. FTPS (FTP Secure) adds TLS encryption to FTP. SFTP (SSH File Transfer Protocol) is a completely different protocol that runs over SSH — despite the similar name, it shares no code with FTP.

Active vs passive FTP: in active mode, the client tells the server which port to connect back to for data (the server initiates the data connection). In passive mode, the server tells the client which port to connect to (the client initiates both connections). Passive mode is required when the client is behind NAT or a firewall that blocks incoming connections — which is almost always.
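How the data endpoint is negotiated on the control connection, as an added example that is not part of the original guide: in RFC 959 both the client's `PORT` command and the server's `227` reply carry the address and port as `h1,h2,h3,h4,p1,p2`, with the port equal to `p1*256 + p2`. The function names and the sample control-channel lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as used by PORT and by the 227 reply (RFC 959)
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def data_endpoint(line: str):
    """Return the negotiated data endpoint for a PORT command or 227 reply, else None."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        mode, opener = "active", "server"    # server connects back to the client
    elif line.startswith("227"):
        mode, opener = "passive", "client"   # client opens the data connection too
    else:
        return None
    match = _TUPLE.search(line)
    if not match:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
    nums = [int(x) for x in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    return {"mode": mode, "ip": ".".join(map(str, nums[:4])),
            "port": nums[4] * 256 + nums[5], "opener": opener}

def nat_problem(line: str) -> bool:
    """True when an active-mode PORT command advertises an RFC 1918 address,
    which a server on the far side of NAT cannot connect back to."""
    ep = data_endpoint(line)
    if ep is None or ep["mode"] != "active":
        return False
    addr = ipaddress.ip_address(ep["ip"])
    return any(addr in net for net in RFC1918)

# Constructed control-channel lines (not from a real session).
SAMPLE_LINES = [
    "PORT 192,168,1,10,195,80",
    "227 Entering Passive Mode (203,0,113,5,234,96).",
]
```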

For Cisco IOS, FTP is used when you need authentication or when the file is too large for reliable TFTP transfer. IOS supports both FTP and TFTP for copying images and configurations.

IOS file management commands

The IOS `copy` command is the primary tool for file operations: `copy <source> <destination>`. Sources and destinations can be: `flash:` (device flash storage), `tftp:` (TFTP server), `ftp:` (FTP server), `running-config` (active configuration), `startup-config` (saved configuration), `nvram:` (non-volatile RAM where startup-config lives).

Common operations:

  • Back up the running config to TFTP: `copy running-config tftp:` (IOS prompts for the TFTP server IP and filename).
  • Restore a config from TFTP: `copy tftp: running-config`.
  • Copy an IOS image from TFTP to flash: `copy tftp: flash:`.
  • Save the running config to startup-config: `copy running-config startup-config` (equivalent to `write memory` or `wr`).

Verify flash contents with `show flash:` (or `dir flash:`). Check available flash space before copying a new IOS image — the new image and the old image may need to coexist during verification. Delete old images with `delete flash:<filename>` and then `squeeze flash:` to reclaim space.

`show version` displays the currently running IOS image name, version, and flash filename. This is the first command to run when verifying which IOS version is active after an upgrade.

SCP and HTTPS alternatives

SCP (Secure Copy Protocol) transfers files over SSH, providing authentication and encryption that TFTP and plain FTP lack. Cisco IOS supports SCP with `ip scp server enable`. `copy scp: flash:` or `copy flash: scp:` work similarly to TFTP/FTP copies but with SSH security.

Cisco devices also support HTTPS-based file transfers via the web UI and, in newer IOS-XE versions, REST API-based configuration management — increasingly replacing manual TFTP/FTP workflows. For CCNA, TFTP and FTP are the primary exam focus, with SCP mentioned as the secure alternative.

TFTP vs FTP comparison

| Feature | TFTP | FTP |
|---|---|---|
| Transport | UDP | TCP |
| Ports | UDP 69 | TCP 21 (control), TCP 20 (data, active) |
| Authentication | None | Username + password |
| Encryption | None | None (use FTPS or SFTP for encryption) |
| Directory listing | No | Yes |
| Reliability | Stop-and-wait ACK | Full TCP reliability |
| Primary use | IOS bootstrap, simple file transfer | Authenticated file transfer, large files |
| Firewall issues | Few (UDP, single port) | Active mode blocked by NAT; use passive mode |

Key exam facts — CCNA

  • TFTP: UDP 69, no authentication, no encryption, stop-and-wait, used for IOS images
  • FTP: TCP 21 (control) + TCP 20 (data active), authentication, directory listing
  • Passive FTP: client opens both connections — required behind NAT/firewall
  • `copy running-config tftp:` — backup config to TFTP server
  • `copy tftp: flash:` — copy new IOS image from TFTP to flash
  • `copy running-config startup-config` (= `wr`) — save running config

Common exam traps

SFTP is FTP with encryption added

SFTP (SSH File Transfer Protocol) is a completely different protocol that runs over SSH — it shares no code or design with FTP. FTPS is the version of FTP with TLS encryption added. Both provide secure file transfer, but through different mechanisms.

TFTP uses TCP for reliability

TFTP uses UDP port 69 and implements its own minimal reliability (stop-and-wait ACK per 512-byte block). It does not use TCP. This simple design allows TFTP to be implemented in small ROM code for bootstrap operations.

Active mode FTP works fine behind NAT

In active mode FTP, the server initiates the data connection back to the client — this is blocked by NAT and stateful firewalls. Passive mode (client initiates both connections) is required for FTP clients behind NAT, which is nearly every modern deployment.

Practice questions — TFTP & FTP

These questions are representative of what you will see on CCNA exams. The correct answer and explanation are shown immediately below each question.

Q1. Which protocol uses UDP port 69 and is commonly used to transfer IOS images to Cisco devices?

A. FTP
B. SFTP
C. TFTP
D. SCP

Explanation: TFTP (Trivial File Transfer Protocol) uses UDP port 69. It is the traditional protocol for transferring IOS images and configuration files to Cisco devices because of its simplicity and ability to operate before a full OS is loaded.

Q2. A network engineer wants to save the running configuration to a TFTP server at 192.168.1.100. Which IOS command is correct?

A. `copy startup-config tftp:`
B. `copy running-config tftp:`
C. `copy tftp: running-config`
D. `backup running-config 192.168.1.100`

Explanation: `copy running-config tftp:` copies the currently active (running) configuration to a TFTP server. IOS prompts for the server IP and destination filename. `copy tftp: running-config` would restore a config FROM the TFTP server.

Q3. An FTP client behind a NAT router cannot transfer files using active mode FTP. What should be configured to resolve this?

A. Change the FTP server to use TCP port 69
B. Configure the FTP client to use passive mode
C. Use TFTP instead of FTP
D. Disable the NAT router's firewall entirely

Explanation: In active mode FTP, the server initiates the data connection back to the client — this is blocked by NAT. In passive mode, the client initiates both the control and data connections, which works through NAT. Passive mode is required for FTP clients behind NAT or firewalls.

Q4. Which IOS command displays the currently running IOS version and the flash filename of the active image?

A. `show flash:`
B. `show version`
C. `dir flash:`
D. `show ip interface brief`

Explanation: `show version` displays the IOS version, the filename of the running image in flash, uptime, hardware details, and installed licenses. `show flash:` and `dir flash:` show flash directory contents but don't explicitly show which image is currently running.

Q5. What is the key difference between SFTP and FTPS?

A. SFTP uses UDP; FTPS uses TCP
B. SFTP runs over SSH; FTPS is FTP with TLS encryption added
C. SFTP is faster; FTPS is more secure
D. They are two names for the same protocol

Explanation: SFTP (SSH File Transfer Protocol) is a completely separate protocol from FTP that runs over SSH, providing encryption and authentication. FTPS is FTP with TLS/SSL encryption added to the standard FTP protocol. They serve the same purpose but use different underlying mechanisms.

Frequently asked questions — TFTP & FTP

Why is TFTP still used when FTP and SCP are available?

TFTP is simple enough to implement in small ROM bootstrap code — a Cisco device can TFTP-boot before loading a full OS. It requires no server authentication setup, making it easy to configure for management networks. For environments where the TFTP server is already restricted to trusted devices, the lack of authentication isn't a practical problem. SCP and FTP are preferred when authentication or encryption is required.

What is the difference between `copy running-config startup-config` and `copy running-config tftp:`?

`copy running-config startup-config` saves the running configuration to NVRAM (non-volatile RAM) as the startup config — this is the standard 'save' command (equivalent to `wr` or `write memory`). `copy running-config tftp:` sends the running configuration to an external TFTP server for backup or transfer to another device.

How do I upgrade a Cisco IOS image using TFTP?

1) Verify current version: `show version`.
2) Check flash space: `show flash:`.
3) Copy new image: `copy tftp: flash:` (enter server IP and filename when prompted).
4) Verify the copy: `show flash:` (check new file is present).
5) Set the boot image: `boot system flash:<new-image-name>`.
6) Save config: `copy running-config startup-config`.
7) Reload: `reload`.
8) Verify: `show version` after reload.

What ports does FTP use and why does it need two connections?

FTP uses TCP 21 for the control connection (commands like LOGIN, LIST, RETR, STOR) and TCP 20 (active mode) or a negotiated port (passive mode) for the data connection. Two connections are needed because FTP was designed to allow data to flow at full speed while control commands continue independently. The control connection stays open throughout the session; data connections are opened and closed per file transfer.

What command shows the files stored in Cisco device flash memory?

`show flash:` or `dir flash:` both list the contents of flash memory including IOS image filenames, file sizes, and free space. `show flash:` also shows total flash capacity. `dir flash:` shows a more detailed directory listing. Always check free space before copying a new IOS image to flash.
