This chapter is from the book

Scaling Tcl Script Distribution

In the next example, a central TFTP server has been deployed in the network using an IP address of In this case, the IOS device downloads the Tcl script across the network using TFTP. Signature checking is still performed, so a high level of security is retained even though the transfer protocol is insecure:

PE11#tclsh tftp://
Loading myscript.tcl from (via Serial2/0.111): !
[OK - 4046 bytes]
argc = 0
argv =
argv0 = tftp://
tcl_interactive = 0

If the script has been modified, we receive the same results as before:

PE11#tclsh tftp://
Loading myscript-changed1char.tcl from (via Serial2/0.111): !
[OK - 4047 bytes]
Invalid Signature
 signing validation failed on script signed with trustpoint name TCLSecurity,
 cannot run the signed TCL script.
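
A similar check can be run on the distribution server before a script is placed in the TFTP root. The following is an added example, not code from the book: it assumes scripts carry a detached PKCS#7 signature produced with OpenSSL, and the function names, directory layout, and throwaway key and certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: copy a script into the TFTP root only if its detached
# PKCS#7 signature verifies against the signing certificate.
# File names, the CN and the directory layout are constructed for this demo.

# verify_script SCRIPT SIG CERT -> exit 0 only if SIG is a valid signature over SCRIPT
verify_script() {
    openssl smime -verify -inform DER -in "$2" -content "$1" \
        -CAfile "$3" -out /dev/null 2>/dev/null
}

# publish_if_signed SCRIPT SIG CERT TFTPROOT -> copy only on a good signature
publish_if_signed() {
    if verify_script "$1" "$2" "$3"; then
        cp "$1" "$4/" && echo "published"
    else
        echo "rejected"
    fi
}

# demo: build a throwaway key and certificate, sign a script, then check an altered copy
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/tftproot"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=TCLSecurity" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1
    printf 'puts "argc = $argc"\n' > "$d/myscript.tcl"
    openssl smime -sign -binary -outform DER -in "$d/myscript.tcl" \
        -signer "$d/cert.pem" -inkey "$d/key.pem" \
        -out "$d/myscript.pk7" 2>/dev/null || return 1
    # Same content plus one extra character, checked against the original signature
    { cat "$d/myscript.tcl"; printf '#'; } > "$d/myscript-changed1char.tcl"
    good=$(publish_if_signed "$d/myscript.tcl" "$d/myscript.pk7" \
        "$d/cert.pem" "$d/tftproot")
    bad=$(publish_if_signed "$d/myscript-changed1char.tcl" "$d/myscript.pk7" \
        "$d/cert.pem" "$d/tftproot")
    count=$(ls "$d/tftproot" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$good $bad $count"
}

demo
```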

The public certificate is stored locally in the router's NVRAM and consequently takes up valuable memory space. You may find yourself in a situation where the IOS device is running out of memory. To minimize the impact on NVRAM, you can use the service compress-config command to reduce the certificate's overhead:

PE11(config)#service compress-config
Warning: Attempting to overwrite an NVRAM configuration previously written
by a different version of the system image.
Overwrite the previous NVRAM configuration?[confirm]
*Mar 27 23:47:45.323: %SYS-5-CONFIG_I: Configured from console by console
Building configuration...
Compressed configuration from 5689 bytes to 3535 bytes[OK]

Instead of using a central TFTP server as a repository for Tcl scripts, you can use other protocols to transfer the scripts from a central server, including FTP, RCP, SCP, HTTP, and HTTPS.
