Packetwatch.net

Load new software images



Last modified: October 21, 2017

Contents
1 - Summary
2 - Cisco 851 routers
3 - Cisco ASA 5505 firewalls
4 - Cisco Catalyst 2960 switches
5 - Cisco Catalyst 3560 switches
6 - Cisco Catalyst 3850 switches
7 - Cisco 1130 wireless access points


1 - Summary

This guide shows how to back up the existing software image and load a new
image on different Cisco devices.


2 - Cisco 851 routers

Display the current version that the router is running. In this example, the
router is running IOS 12.4(11)T.
router#show version | include Cisco IOS
Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(11)T, RELEASE SOFTWARE (fc2)

Find out the filename of the IOS software. In this example, the filename of the
IOS software is c850-advsecurityk9-mz.124-11.T.bin.
router#show flash | include 850
    2  -rwx    11611200  May 29 2006 02:48:56 -05:00  c850-advsecurityk9-mz.124-11.T.bin

Download the new software image from Cisco and make sure the checksums match
what Cisco provides. After making sure the checksums match, upload it to the
TFTP server.
server# sha512 c850-advsecurityk9-mz.124-15.T17.bin
SHA512 (c850-advsecurityk9-mz.124-15.T17.bin) = d7cdfd0a4128cd1cb3b63de9b2be...

Upgrade the router software by running the following.
router#copy tftp://192.168.1.17/c850-advsecurityk9-mz.124-15.T17.bin flash:
Destination filename [c850-advsecurityk9-mz.124-15.T17.bin]?
Accessing tftp://192.168.1.17/c850-advsecurityk9-mz.124-15.T17.bin...
Loading c850-advsecurityk9-mz.124-15.T17.bin from 192.168.1.17 (via FastEthernet4): !!!
[OK - 12764740 bytes]

12764740 bytes copied in 1433.396 secs (8905 bytes/sec)
router#reload

Log back in and check the current version that the router is running. You
should see the new version listed.
router#show version | include Cisco IOS
Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T17, RELEASE SOFTWARE (fc2)


3 - Cisco ASA 5505 firewalls

Display the current version that the firewall is running. In this example, the
firewall is running version 8.2(5) and ASDM version 6.4(5).
asa# show version

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
...

Find out the filenames of the firewall software and the ASDM software.
    
asa# show flash | include asa
  132  15390720    May 02 2014 09:41:48  asa825-k8.bin
asa# show flash | include asdm
  135  16280544    May 02 2014 09:47:04  asdm-645.bin
    
Make a backup of the current software images on a TFTP server. Create the
files on the TFTP server first.
server# touch /tftp/asa825-k8.bin
server# chmod 777 /tftp/asa825-k8.bin
server# touch /tftp/asdm-645.bin
server# chmod 777 /tftp/asdm-645.bin
    
Upload a copy of the software images to the TFTP server.
asa# copy flash:asa825-k8.bin tftp

Source filename [asa825-k8.bin]?

Address or name of remote host []? 192.168.1.30

Destination filename [asa825-k8.bin]?

Writing file tftp://192.168.1.30/asa825-k8.bin...
!!!!!!!!
15390720 bytes copied in 12.660 secs (1282560 bytes/sec)
asa# copy flash:asdm-645.bin tftp  

Source filename [asdm-645.bin]?

Address or name of remote host []? 192.168.1.30
   
Destination filename [asdm-645.bin]?

Writing file tftp://192.168.1.30/asdm-645.bin...
!!!!!!!!
16280544 bytes copied in 13.730 secs (1252349 bytes/sec)

Download the new software images from Cisco and make sure the checksums match
what Cisco provides. After making sure the checksums match, upload them to the
TFTP server.
server# sha512 asa847-k8.bin
SHA512 (asa847-k8.bin) = 469f900e3b05906ac38067d031b6dc624dd72e4c534c1dec304...
server# sha512 asdm-743.bin
SHA512 (asdm-743.bin) = ca6087b128640e5a2b8115acbd95dd24abff0ba998fcd088dcb2...

Download a copy of the new software images from the TFTP server.
asa# copy tftp://192.168.1.30/asa847-k8.bin flash:
       
Address or name of remote host [192.168.1.30]?
    
Source filename [asa847-k8.bin]?
    
Destination filename [asa847-k8.bin]?

Accessing tftp://192.168.1.30/asa847-k8.bin...!!!!!!!!
Writing file disk0:/asa847-k8.bin...
!!!!!!!!
24809472 bytes copied in 23.570 secs (1078672 bytes/sec)
asa# copy tftp://192.168.1.30/asdm-743.bin flash:

Address or name of remote host [192.168.1.30]?

Source filename [asdm-743.bin]?

Destination filename [asdm-743.bin]?

Accessing tftp://192.168.1.30/asdm-743.bin...!!!!!!!!
Writing file disk0:/asdm-743.bin...
!!!!!!!!
24810876 bytes copied in 23.880 secs (1078733 bytes/sec)

Run the following to specify which software images the firewall should load
next time it reboots.
asa# config t
asa(config)# boot system disk0:/asa847-k8.bin
asa(config)# asdm image disk0:/asdm-743.bin
asa(config)# end
asa# write memory
Building configuration...
Cryptochecksum: 832ba1b4 7904f434 849515e2 f9d68692

2543 bytes copied in 1.100 secs (2543 bytes/sec)
[OK]

Check to make sure the configuration changes were set correctly.
asa# show configuration | include asa847-k8.bin
boot system disk0:/asa847-k8.bin
asa# show configuration | include asdm
asdm image disk0:/asdm-743.bin

Reboot the firewall.
asa# reload
Proceed with reload? [confirm]

Log back in and check the current version that the firewall is running. You
should see the new versions listed.
asa# show version

Cisco Adaptive Security Appliance Software Version 8.4(7)
Device Manager Version 7.4(3)
...

After you are satisfied that the new software is working fine, you can
delete the old software.
asa# delete flash:asa825-k8.bin

Delete filename [asa825-k8.bin]?

Delete disk0:/asa825-k8.bin? [confirm]
asa# delete flash:asdm-645.bin

Delete filename [asdm-645.bin]?

Delete disk0:/asdm-645.bin? [confirm]


4 - Cisco Catalyst 2960 switches

Log into the switch via SSH. Get into enable mode and display the current
version that the switch is running. In this example, the switch is running IOS
15.2(5)E2.
switch>en
Password:
switch#show version | begin Switch Port
Switch Ports Model                     SW Version            SW Image
------ ----- -----                     ----------            ----------
*    1 30    WS-C2960X-24TS-L          15.2(5)E2             C2960X-UNIVERSALK9-M
...

Find the location and filename of the current IOS software that is being loaded
on boot. In this example, the filename of the IOS software is
c2960x-universalk9-mz.152-5.E2.bin.
switch#show boot | include BOOT
BOOT path-list      : flash:/c2960x-universalk9-mz.152-5.E2.bin

Download the new software image from the Cisco website. Check to make sure the
checksum matches what Cisco provides. After making sure the checksum matches,
upload it to the TFTP server.
server# md5 c2960x-universalk9-mz.152-6.E.bin
MD5 (c2960x-universalk9-mz.152-6.E.bin) = 13642d9612f7b6af6d64980701308b6b
server# sha512 c2960x-universalk9-mz.152-6.E.bin
SHA512 (c2960x-universalk9-mz.152-6.E.bin) = 2797cfb40a252d439f495a135e4add1...

Check the minimum memory requirements for the new software image on the Cisco
website. This software image has the following requirements.
Min Memory: DRAM 128 MB Flash 64 MB

Find out how much flash memory the switch has. The switch has 116 MB of flash
memory after deleting the current .bin file so the minimum requirements are
met.
switch#dir flash: | include bytes total
122185728 bytes total (95482368 bytes free)
switch#dir flash:*.bin | include .bin
Directory of flash:/*.bin
    3  -rwx    26285056  May 19 2017 19:24:13 -05:00  c2960x-universalk9-mz.152-5.E2.bin
switch#delete /force /recursive flash:c2960x-universalk9-mz.152-5.E2.bin
switch#dir flash: | include bytes total
122185728 bytes total (121979904 bytes free)

Download a copy of the new software image from the TFTP server.
switch#copy tftp://192.168.1.17/c2960x-universalk9-mz.152-6.E.bin flash:
Destination filename [c2960x-universalk9-mz.152-6.E.bin]? 
Accessing tftp://192.168.1.17/c2960x-universalk9-mz.152-6.E.bin...
Loading c2960x-universalk9-mz.152-6.E.bin from 192.168.1.17 (via Vlan1): !!!...
[OK - 26537984 bytes]

26537984 bytes copied in 491.467 secs (53997 bytes/sec)

Check to make sure the checksum matches the file on the TFTP server. This IOS
version only supports checking the MD5 checksum.
switch#verify ?
  /md5     Compute an md5 signature for a file
  flash1:  File to be verified
  flash:   File to be verified
  nvram:   File to be verified

switch#verify /md5 flash:c2960x-universalk9-mz.152-6.E.bin
...
verify /md5 (flash:c2960x-universalk9-mz.152-6.E.bin) = 13642d9612f7b6af6d64...

Change the boot variable to load the new software image and then reload.
switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)#boot system flash:/c2960x-universalk9-mz.152-6.E.bin
switch(config)#end
switch#write memory
Building configuration...
[OK]
switch#show boot | include BOOT
BOOT path-list      : flash:/c2960x-universalk9-mz.152-6.E.bin
switch#reload

Log back into the switch via SSH. Get into enable mode and display the current
version that the switch is running. You should see the new version listed.
switch>en
Password:
switch#show version | begin Switch Port
Switch Ports Model                     SW Version            SW Image
------ ----- -----                     ----------            ----------
*    1 30    WS-C2960X-24TS-L          15.2(6)E              C2960X-UNIVERSALK9-M
...

After you are satisfied that the new software is working fine, you can
delete the old software if you have any.
switch#delete /force /recursive flash:c2960x-universalk9-mz.152-5.E2.bin


5 - Cisco Catalyst 3560 switches

Log into the switch via SSH. Get into enable mode and display the current
version that the switch is running. In this example, the switch is running IOS
15.0(2)SE10a.
switch>en
Password: 
switch#show version | begin Switch Port
Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 28    WS-C3560G-24PS     15.0(2)SE10a          C3560-IPBASEK9-M
...

Find the location and filename of the current IOS software that is being loaded
on boot. The filename of the IOS software is c3560-ipbasek9-mz.150-2.SE10a.bin.
switch#show boot | include BOOT
BOOT path-list      : flash:/c3560-ipbasek9-mz.150-2.SE10a.bin

Download the new software image from the Cisco website. Check to make sure the
checksum matches what Cisco provides. After making sure the checksum matches,
upload it to the TFTP server.
server# md5 c3560-ipbasek9-mz.150-2.SE11.bin
MD5 (c3560-ipbasek9-mz.150-2.SE11.bin) = b81d9bfd47be75d966d122af60003fef
server# sha512 c3560-ipbasek9-mz.150-2.SE11.bin
SHA512 (c3560-ipbasek9-mz.150-2.SE11.bin) = ee4f7998deb8b3f163bd598280df748f...

Check the minimum memory requirements for the new software image on the Cisco
website. This software image has the following requirements.
Min Memory: DRAM 128 MB Flash 32 MB

Find out how much flash memory the switch has. The switch has 31 MB of flash
memory after deleting the current .bin file so the minimum memory requirements are
close.
switch#dir flash: | include bytes total
32514048 bytes total (15827968 bytes free)
switch#dir flash:*.bin | include .bin
Directory of flash:/*.bin
    5  -rwx    16662016  Jun 11 2017 17:07:02 -05:00  c3560-ipbasek9-mz.150-2.SE10a.bin
switch#delete /force /recursive flash:c3560-ipbasek9-mz.150-2.SE10a.bin
switch#dir flash: | include bytes free
32514048 bytes total (32492032 bytes free)

Download a copy of the new software image from the TFTP server.
switch#copy tftp://192.168.1.30/c3560-ipbasek9-mz.150-2.SE11.bin flash:
Destination filename [c3560-ipbasek9-mz.150-2.SE11.bin]?
Accessing tftp://192.168.1.30/c3560-ipbasek9-mz.150-2.SE11.bin...
Loading c3560-ipbasek9-mz.150-2.SE11.bin from 192.168.1.30 (via Vlan1): !!!!...
[OK - 16664448 bytes]

16664448 bytes copied in 324.345 secs (51379 bytes/sec)

Check to make sure the checksum matches the file on the TFTP server. This IOS
version only supports checking the MD5 checksum.
switch#verify ?
  /md5    Compute an md5 signature for a file
  flash:  File to be verified
  nvram:  File to be verified

switch#verify /md5 flash:c3560-ipbasek9-mz.150-2.SE11.bin
...
verify /md5 (flash:c3560-ipbasek9-mz.150-2.SE11.bin) = b81d9bfd47be75d966d12...

Change the boot variable to load the new software image and then reload.
switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)#boot system flash:/c3560-ipbasek9-mz.150-2.SE11.bin
switch(config)#end
switch#write memory
Building configuration...
[OK]
switch#show boot | include BOOT
BOOT path-list : flash:/c3560-ipbasek9-mz.150-2.SE11.bin
switch#reload

Log back into the switch via SSH. Get into enable mode and display the current
version that the switch is running. You should see the new version listed.
switch>en
Password:
switch#show version | begin Switch Port
Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 28    WS-C3560G-24PS     15.0(2)SE11           C3560-IPBASEK9-M
...

After you are satisfied that the new software is working fine, you can
delete the old software if you have any.
switch#delete /force /recursive flash:c3560-ipbasek9-mz.150-2.SE10a.bin


6 - Cisco Catalyst 3850 switches

Log into the switch via SSH. Get into enable mode and display the current
version that the switch is running. In this example, the switch is running IOS
XE 16.5.1a in install mode. The mode will either be install or bundle.
switch>en
Password: 
switch#show version | begin Switch Port
Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 56    WS-C3850-48T       16.5.1a           CAT3K_CAA-UNIVERSALK9 INSTALL
...

Find out the filename of the IOS XE software. The filename of the IOS XE
software is cat3k_caa-universalk9.16.05.01a.SPA.bin.
switch#show flash: | include base
 18   24616746 Jun 18 2017 20:19:53.0000000000 +00:00 cat3k_caa-rpbase.16.05.01a.SPA.pkg

Download the new software image from the Cisco website. Check to make sure the
checksum matches what Cisco provides. After making sure the checksum matches,
upload it to the TFTP server.
server# md5 cat3k_caa-universalk9.16.06.01.SPA.bin
MD5 (cat3k_caa-universalk9.16.06.01.SPA.bin) = c73ba847525948804f698ab597da3b3d
server# sha512 cat3k_caa-universalk9.16.06.01.SPA.bin
SHA512 (cat3k_caa-universalk9.16.06.01.SPA.bin) = 3b8d237089e609a8dc15dc3a59...

Check the minimum memory requirements for the new software image on the Cisco
website. This software image has the following requirements.
Min Memory: DRAM 4096 MB Flash 2048 MB

Find out how much flash memory the switch has. The switch has 2 MB of flash
memory so the minimum memory requirements are met.
switch#dir nvram: | include bytes total
2097152 bytes total (2069666 bytes free)

Download a copy of the new software image from the TFTP server.
switch#copy tftp://192.168.1.30/cat3k_caa-universalk9.16.06.01.SPA.bin flash:
Destination filename [cat3k_caa-universalk9.16.06.01.SPA.bin]? 
Accessing tftp://192.168.1.30/cat3k_caa-universalk9.16.06.01.SPA.bin...
Loading cat3k_caa-universalk9.16.06.01.SPA.bin from 192.168.1.30 (via Vlan1): !...
[OK - 408979686 bytes]

408979686 bytes copied in 124.933 secs (3273592 bytes/sec)

Check to make sure the checksum matches the file on the TFTP server. This IOS
version supports checking the MD5 and SHA512 checksums.
switch#verify ?
  /md5        Compute an md5 signature for a file
  /sha512     Compute sha512 signature for a file
  crashinfo:  File to be verified
  flash:      File to be verified
  nvram:      File to be verified

switch#verify /sha512 flash:cat3k_caa-universalk9.16.06.01.SPA.bin
...
verify /sha512 (flash:cat3k_caa-universalk9.16.06.01.SPA.bin) = 3b8d237089e6...

Install the new software image and then reload.
switch#request platform software package install switch all file \
  flash:cat3k_caa-universalk9.16.06.01.SPA.bin new auto-copy
--- Starting install local lock acquisition on switch 1 ---
Finished install local lock acquisition on switch 1

Expanding image file: flash:cat3k_caa-universalk9.16.06.01.SPA.bin
[]: Finished copying to switch 
[1]: Expanding file
[1]: Finished expanding all-in-one software package in switch 1
SUCCESS: Finished expanding all-in-one software package.
[1]: Performing install
  SUCCESS: install finished
[1]: install package(s) on switch 1
--- Starting list of software package changes ---
Old files list:
  Removed cat3k_caa-guestshell.16.05.01a.SPA.pkg
  Removed cat3k_caa-rpbase.16.05.01a.SPA.pkg
  Removed cat3k_caa-rpcore.16.05.01a.SPA.pkg
  Removed cat3k_caa-srdriver.16.05.01a.SPA.pkg
  Removed cat3k_caa-webui.16.05.01a.SPA.pkg
New files list:
  Added cat3k_caa-guestshell.16.06.01.SPA.pkg
  Added cat3k_caa-rpbase.16.06.01.SPA.pkg
  Added cat3k_caa-rpcore.16.06.01.SPA.pkg
  Added cat3k_caa-srdriver.16.06.01.SPA.pkg
  Added cat3k_caa-webui.16.06.01.SPA.pkg
Finished list of software package changes
SUCCESS: Software provisioned.  New software will load on reboot.
[1]: Finished install successful on switch 1
Checking status of install on [1]
[1]: Finished install in switch 1
SUCCESS: Finished install: Success on [1]
switch#reload

System configuration has been modified. Save? [yes/no]: yes
Building configuration...
Compressed configuration from 11283 bytes to 5240 bytes[OK]Reload command is
being issued on Active unit, this will reload the whole stack

Log back into the switch via SSH. Get into enable mode and display the current
version that the switch is running. You should see the new version listed.
switch>en
Password:
switch#show version | begin Switch Port
Switch Ports Model              SW Version        SW Image              Mode   
------ ----- -----              ----------        ----------            ----   
*    1 56    WS-C3850-48T       16.6.1            CAT3K_CAA-UNIVERSALK9 INSTALL
...

After you are satisfied that the new software is working fine, you can
delete the old software if you have any.
switch#request platform software package clean switch all file flash:
This operation may take several minutes...
Running command on switch 1
Cleaning up unnecessary package files
  Scanning boot directory for packages ... done.
  Preparing packages list to delete ... 
    packages.conf
      File is in use, will not delete.
    cat3k_caa-guestshell.16.06.01.SPA.pkg
      File is in use, will not delete.
    cat3k_caa-rpbase.16.06.01.SPA.pkg
      File is in use, will not delete.
    cat3k_caa-rpcore.16.06.01.SPA.pkg
      File is in use, will not delete.
    cat3k_caa-srdriver.16.06.01.SPA.pkg
      File is in use, will not delete.
    cat3k_caa-webui.16.06.01.SPA.pkg
      File is in use, will not delete.
  done.
  
The following files will be deleted:
[switch 1]:
/flash/cat3k_caa-guestshell.16.05.01a.SPA.pkg
/flash/cat3k_caa-rpbase.16.05.01a.SPA.pkg
/flash/cat3k_caa-rpcore.16.05.01a.SPA.pkg
/flash/cat3k_caa-srdriver.16.05.01a.SPA.pkg
/flash/cat3k_caa-universalk9.16.06.01.SPA.conf
/flash/cat3k_caa-webui.16.05.01a.SPA.pkg
/flash/packages.conf.00-
/flash/packages.conf.01-

Do you want to proceed? [y/n]y

[switch 1]:
Deleting file flash:cat3k_caa-guestshell.16.05.01a.SPA.pkg ... done.
Deleting file flash:cat3k_caa-rpbase.16.05.01a.SPA.pkg ... done.
Deleting file flash:cat3k_caa-rpcore.16.05.01a.SPA.pkg ... done.
Deleting file flash:cat3k_caa-srdriver.16.05.01a.SPA.pkg ... done.
Deleting file flash:cat3k_caa-universalk9.16.06.01.SPA.conf ... done.
Deleting file flash:cat3k_caa-webui.16.05.01a.SPA.pkg ... done.
Deleting file flash:packages.conf.00- ... done.
Deleting file flash:packages.conf.01- ... done.
SUCCESS: Files deleted.
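
The three checks repeated in sections 4 to 6 (checksum against the published
value before the image goes onto the TFTP server, free space on flash, and the
device's own verify result after the copy) can be scripted on the server. The
following is an added example, not part of the original guide. The function
names, the sample file and its contents are constructed for illustration, and
the read-only mode on the staged copy assumes the TFTP daemon only has to serve
it for download.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Device result line as shown in this guide: verify /md5 (flash:NAME) = HEX
VERIFY_RE = re.compile(r"verify /(md5|sha512) \((?:\w+:)/?([^)]+)\) = ([0-9a-fA-F]+)")
# Free-space line as shown in this guide: N bytes total (M bytes free)
FREE_RE = re.compile(r"(\d+) bytes total \((\d+) bytes free\)")

def file_digest(path, algo):
    """Hash a file in 1 MiB chunks so large images need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def stage_image(image, published_sha512, tftp_root):
    """Copy the image into the TFTP root only if it matches the published SHA-512."""
    if file_digest(image, "sha512") != published_sha512.strip().lower():
        raise ValueError(f"{image}: SHA-512 mismatch, not staging")
    dest = Path(tftp_root) / Path(image).name
    shutil.copyfile(image, dest)
    dest.chmod(0o444)  # assumption: downloads only need read access
    return dest

def flash_has_room(dir_output, image):
    """Compare the free bytes reported by 'dir flash:' with the image size."""
    m = FREE_RE.search(dir_output)
    if not m:
        raise ValueError("no 'bytes total (... bytes free)' line found")
    return int(m.group(2)) >= Path(image).stat().st_size

def device_copy_matches(verify_output, staged):
    """Compare the digest the device printed with the staged file's digest."""
    m = VERIFY_RE.search(verify_output)
    if not m:
        raise ValueError("no 'verify /md5' or 'verify /sha512' result line found")
    algo, name, device_digest = m.groups()
    if name != Path(staged).name:
        raise ValueError(f"device verified {name}, expected {Path(staged).name}")
    if len(device_digest) != hashlib.new(algo).digest_size * 2:
        raise ValueError("device digest is truncated; paste the full line")
    return device_digest.lower() == file_digest(staged, algo)

def demo():
    """Run all three checks on a constructed 4 KiB stand-in for an image."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "example-image.bin"   # constructed file name
        image.write_bytes(b"\x00" * 4096)         # constructed contents
        tftp = Path(tmp) / "tftp"
        tftp.mkdir()
        published = file_digest(image, "sha512")  # stands in for the published value
        staged = stage_image(image, published, tftp)
        dir_out = "122185728 bytes total (95482368 bytes free)"
        good = f"verify /md5 (flash:{staged.name}) = {file_digest(staged, 'md5')}"
        bad = f"verify /md5 (flash:{staged.name}) = {'0' * 32}"
        return (staged.name, flash_has_room(dir_out, staged),
                device_copy_matches(good, staged), device_copy_matches(bad, staged))

if __name__ == "__main__":
    print(demo())
```

Paste the complete verify line from the device; a digest shortened with "..."
as in the listings above is rejected rather than compared.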


7 - Cisco 1130 wireless access points

Display the current version that the wireless access point is running. In this
example, the wireless access point is running IOS 12.4(25d)JA.

wap#show version | include Cisco IOS
Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(25d)JA, RELEASE SOFTWARE (fc1)

Find out the filename of the IOS software. In this example, the filename of the
IOS software is c1130-k9w7-tar.124-25d.JA.tar.
wap#show flash | include 1130
    7  drwx         320  Jul 22 2013 21:22:20 -05:00  c1130-k9w7-mx.124-25d.JA

Download the new software image from Cisco and make sure the checksums match
what Cisco provides. After making sure the checksums match, upload it to the
TFTP server.
server# sha512 c1130-k9w7-tar.124-25d.JA2.tar
SHA512 (c1130-k9w7-tar.124-25d.JA2.tar) = 46b1a3e0f13df24c774c22848af72d8bb0...

Upgrade the access point software by running the following.
wap#archive download-sw /force-reload /overwrite tftp://192.168.1.17/c1130-k9w7-tar.124-25d.JA2.tar      
examining image...
Loading c1130-k9w7-tar.124-25d.JA2.tar from 192.168.1.17 (via BVI1): !
extracting info (286 bytes)
Image info:
    Version Suffix: k9w7-.124-25d.JA2
    Image Name: c1130-k9w7-mx.124-25d.JA2
    Version Directory: c1130-k9w7-mx.124-25d.JA2
    Ios Image Size: 5028352
    Total Image Size: 5775872
    Image Feature: WIRELESS LAN
    Image Family: C1130
    Wireless Switch Management Version: 7.0.94.21
...

Log back in and check the current version that the wireless access point is
running. You should see the new version listed.
wap#show version | include Cisco IOS    
Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(25d)JA2, RELEASE SOFTWARE (fc1)


Packetwatch Research 2002-2018.