Scaling Tcl Script Distribution
In the next example, a central TFTP server has been deployed in the network using an IP address of 192.168.1.81. In this case, the IOS device downloads the Tcl script across the network using TFTP. The signature checking is still performed, thus retaining a high level of security while using an unsecure transfer protocol:
PE11#tclsh tftp://192.168.1.81/myscript.tcl Loading myscript.tcl from 192.168.1.81 (via Serial2/0.111): ! [OK - 4046 bytes] hello argc = 0 argv = argv0 = tftp://192.168.1.81/myscript.tcl tcl_interactive = 0
If the script has been modified, we receive the same results as before:
PE11#tclsh tftp://192.168.1.81/myscript-changed1char.tcl Loading myscript-changed1char.tcl from 192.168.1.81 (via Serial2/0.111): ! [OK - 4047 bytes] Invalid Signature *Mar 27 23:40:35.543: %SYS-6-SCRIPTING_TCL_INVALID_OR_MISSING_SIGNATURE: tcl signing validation failed on script signed with trustpoint name TCLSecurity, cannot run the signed TCL script.
The public certificate is stored locally in the router's NVRAM and consequently is taking up valuable memory space. You may find yourself in a situation where the IOS device is running out of memory. To minimize the impact on NVRAM, you can use the service compress-config command to reduce the certificate's overhead on NVRAM:
PE11(config)#service compress-config PE11(config)#end PE11#write Warning: Attempting to overwrite an NVRAM configuration previously written by a different version of the system image. Overwrite the previous NVRAM configuration?[confirm] *Mar 27 23:47:45.323: %SYS-5-CONFIG_I: Configured from console by console [confirm] Building configuration... Compressed configuration from 5689 bytes to 3535 bytes[OK]
Instead of using a central TFTP server as a repository for Tcl scripts, you can use other protocols to transmit the Tcl Scripts from a central server, including FTP, RCP, SCP, HTTP, and HTTPS.