Last modified: October 21, 2017
Contents
1 - Summary
2 - Cisco 851 routers
3 - Cisco ASA 5505 firewalls
4 - Cisco Catalyst 2960 switches
5 - Cisco Catalyst 3560 switches
6 - Cisco Catalyst 3850 switches
7 - Cisco 1130 wireless access points
1 - Summary
This guide will show how to backup the existing software image and load a new
image in different Cisco devices.
2 - Cisco 851 routers
Display the current version that the router is running. In this example, the
router is running IOS 12.4(11)T.
router#show version | include Cisco IOS
Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(11)T, RELEASE SOFTWARE (fc2)
Find out the filename of the IOS software. In this example, the filename of the
IOS software is c1130-k9w7-tar.124-25d.JA.tar.
router#show flash | include 850
2 -rwx 11611200 May 29 2006 02:48:56 -05:00 c850-advsecurityk9-mz.124-11.T.bin
Download the new software image from Cisco and make sure the checksums match
what Cisco provides. After making sure the checksums match upload them to the
TFTP server.
server# sha512 c850-advsecurityk9-mz.124-15.T17.bin
SHA512 (c850-advsecurityk9-mz.124-15.T17.bin) = d7cdfd0a4128cd1cb3b63de9b2be...
Upgrade the router software by running the following.
router#copy tftp://192.168.1.17/c850-advsecurityk9-mz.124-15.T17.bin flash:
Destination filename [c850-advsecurityk9-mz.124-15.T17.bin]?
Accessing tftp://192.168.1.17/c850-advsecurityk9-mz.124-15.T17.bin...
Loading c850-advsecurityk9-mz.124-15.T17.bin from 192.168.1.17 (via FastEthernet4): !!!
[OK - 12764740 bytes]
12764740 bytes copied in 1433.396 secs (8905 bytes/sec)
router#reload
Log back in and check the current version that the router is running. You
should see the new verison listed.
router#show version | include Cisco IOS
Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T17, RELEASE SOFTWARE (fc2)
3 - Cisco ASA 5505 firewalls
Display the current version that the firewall is running. In this example, the
firewall is running version 8.2(5) and ASDM version 6.4(5).
asa# show version
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
...
Find out the filenames of the firewall software and the ASDM software.
asa# show flash | include asa
132 15390720 May 02 2014 09:41:48 asa825-k8.bin
asa# show flash | include asdm
135 16280544 May 02 2014 09:47:04 asdm-645.bin
Make backup of the current software images to a TFTP server. Create the
files on the TFTP server first.
server# touch /tftp/asa825-k8.bin
server# chmod 777 /tftp/asa825-k8.bin
server# touch /tftp/asdm-645.bin
server# chmod 777 /tftp/asdm-645.bin
Upload a copy of the software images to the TFTP server.
asa# copy flash:asa825-k8.bin tftp
Source filename [asa825-k8.bin]?
Address or name of remote host []? 192.168.1.30
Destination filename [asa825-k8.bin]?
Writing file tftp://192.168.1.30/asa825-k8.bin...
!!!!!!!!
15390720 bytes copied in 12.660 secs (1282560 bytes/sec)
asa# copy flash:asdm-645.bin tftp
Source filename [asdm-645.bin]?
Address or name of remote host []? 192.168.1.30
Destination filename [asdm-645.bin]?
Writing file tftp://192.168.1.30/asdm-645.bin...
!!!!!!!!
16280544 bytes copied in 13.730 secs (1252349 bytes/sec)
Download the new software images from Cisco and make sure the checksums match
what Cisco provides. After making sure the checksums match upload them to the
TFTP server.
server# sha512 asa847-k8.bin
SHA512 (asa847-k8.bin) = 469f900e3b05906ac38067d031b6dc624dd72e4c534c1dec304...
server# sha512 asdm-743.bin
SHA512 (asdm-743.bin) = ca6087b128640e5a2b8115acbd95dd24abff0ba998fcd088dcb2...
Download a copy of the new software images from the TFTP server.
asa# copy tftp://192.168.1.30/asa847-k8.bin flash:
Address or name of remote host [192.168.1.30]?
Source filename [asa847-k8.bin]?
Destination filename [asa847-k8.bin]?
Accessing tftp://192.168.1.30/asa847-k8.bin...!!!!!!!!
Writing file disk0:/asa847-k8.bin...
!!!!!!!!
24809472 bytes copied in 23.570 secs (1078672 bytes/sec)
asa# copy tftp://192.168.1.30/asdm-743.bin flash:
Address or name of remote host [192.168.1.30]?
Source filename [asdm-743.bin]?
Destination filename [asdm-743.bin]?
Accessing tftp://192.168.1.30/asdm-743.bin...!!!!!!!!
Writing file disk0:/asdm-743.bin...
!!!!!!!!
24810876 bytes copied in 23.880 secs (1078733 bytes/sec)
Run the following to specify which software images the firewall should load
next time it reboots.
asa# config t
asa(config)# boot system disk0:/asa847-k8.bin
asa(config)# asdm image disk0:/asdm-743.bin
asa(config)# end
asa# write memory
Building configuration...
Cryptochecksum: 832ba1b4 7904f434 849515e2 f9d68692
2543 bytes copied in 1.100 secs (2543 bytes/sec)
[OK]
Check to make sure the configuration changes were set correctly.
asa# show configuration | include asa847-k8.bin
boot system disk0:/asa847-k8.bin
asa# show configuration | include asdm
asdm image disk0:/asdm-743.bin
Reboot the firewall
asa# reload
Proceed with reload? [confirm]
Log back in and check the current version that the firewall is running. You
should see the new versions listed.
asa# show version
Cisco Adaptive Security Appliance Software Version 8.4(7)
Device Manager Version 7.4(3)
...
After you are satisfied that the new software is working fine, you can
delete the old software.
asa# delete flash:asa825-k8.bin
Delete filename [asa825-k8.bin]?
Delete disk0:/asa825-k8.bin? [confirm]
asa# delete flash:asdm-645.bin
Delete filename [asdm-645.bin]?
Delete disk0:/asdm-645.bin? [confirm]
4 - Cisco Catalyst 2960 switches
Log into the switch via SSH. Get into enable mode and display the current
version that the switch is running. In this example, the switch is running IOS
15.2(5)E2.
switch>en
Password:
switch#show version | begin Switch Port
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 30 WS-C2960X-24TS-L 15.2(5)E2 C2960X-UNIVERSALK9-M
...
Find the location and filename of the current IOS software that is being loaded
on boot. In this example, the filename of the IOS software is
c2960x-universalk9-mz.152-2.E5.bin.
switch#show boot | include BOOT
BOOT path-list : flash:/c2960x-universalk9-mz.152-5.E2.bin
Download the new software image from the Cisco website. Check to make sure the
checksum matches what Cisco provides. After making sure the checksum matches,
upload them to the TFTP server.
server# md5 c2960x-universalk9-mz.152-6.E.bin
MD5 (c2960x-universalk9-mz.152-6.E.bin) = 13642d9612f7b6af6d64980701308b6b
server# sha512 c2960x-universalk9-mz.152-6.E.bin
SHA512 (c2960x-universalk9-mz.152-6.E.bin) = 2797cfb40a252d439f495a135e4add1...
Check the minimum memory requirements for the new software image on the Cisco
website. This software image has the following requirements.
Min Memory: DRAM 128 MB Flash 64 MB
Find out how much flash memory the switch has. The switch has 116 MB of flash
memory after deleting the current .bin file so the minimum requirements are
met.
switch#dir flash: | include bytes total
122185728 bytes total (95482368 bytes free)
switch#dir flash:*.bin | include .bin
Directory of flash:/*.bin
3 -rwx 26285056 May 19 2017 19:24:13 -05:00 c2960x-universalk9-mz.152-5.E2.bin
switch#delete /force /recursive flash:c2960x-universalk9-mz.152-5.E2.bin
switch#dir flash: | include bytes total
122185728 bytes total (121979904 bytes free)
Download a copy of the new software image from the TFTP server.
switch#copy tftp://192.168.1.17/c2960x-universalk9-mz.152-6.E.bin flash:
Destination filename [c2960x-universalk9-mz.152-6.E.bin]?
Accessing tftp://192.168.1.17/c2960x-universalk9-mz.152-6.E.bin...
Loading c2960x-universalk9-mz.152-6.E.bin from 192.168.1.17 (via Vlan1): !!!...
[OK - 26537984 bytes]
26537984 bytes copied in 491.467 secs (53997 bytes/sec)
Check to make sure the checksum matches the file on the TFTP server. This IOS
version only supports checking the MD5 checksum.
switch#verify ?
/md5 Compute an md5 signature for a file
flash1: File to be verified
flash: File to be verified
nvram: File to be verified
switch#verify /md5 flash:c2960x-universalk9-mz.152-6.E.bin
...
verify /md5 (flash:c2960x-universalk9-mz.152-6.E.bin) = 13642d9612f7b6af6d64...
Change the boot variable to load the new software image and then reload.
switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)#boot system flash:/c2960x-universalk9-mz.152-6.E.bin
switch(config)#end
switch#write memory
Building configuration...
[OK]
switch#show boot | include BOOT
BOOT path-list : flash:/c2960x-universalk9-mz.152-6.E.bin
switch#reload
Log back into the switch via SSH. Get into enable mode and display the current
version that the switch is running. You should see the new version listed.
switch>en
Password:
switch#show version | begin Switch Port
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 30 WS-C2960X-24TS-L 15.2(6)E C2960X-UNIVERSALK9-M
...
After you are satisfied that the new software is working fine, you can
delete the old software if you have any.
switch#delete /force /recursive flash:c2960x-universalk9-mz.152-6.E.bin
5 - Cisco Catalyst 3560 switches
Log into the switch via SSH. Get into enable mode and display the current
version that the switch is running. In this example, the switch is running IOS
15.0(2)SE10a.
switch>en
Password:
switch#show version | begin Switch Port
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 28 WS-C3560G-24PS 15.0(2)SE10a C3560-IPBASEK9-M
...
Find the location and filename of the current IOS software that is being loaded
on boot. The filename of the IOS software is c3560-ipbasek9-mz.150-2.SE10a.bin.
switch#show boot | include BOOT
BOOT path-list : flash:/c3560-ipbasek9-mz.150-2.SE10a.bin
Download the new software image from the Cisco website. Check to make sure the
checksum matches what Cisco provides. After making sure the checksum matches,
upload them to the TFTP server.
server# md5 c3560-ipbasek9-mz.150-2.SE11.bin
MD5 (c3560-ipbasek9-mz.150-2.SE11.bin) = b81d9bfd47be75d966d122af60003fef
server# sha512 c3560-ipbasek9-mz.150-2.SE11.bin
SHA512 (c3560-ipbasek9-mz.150-2.SE11.bin) = ee4f7998deb8b3f163bd598280df748f...
Check the minimum memory requirements for the new software image on the Cisco
website. This software image has the following requirements.
Min Memory: DRAM 128 MB Flash 32 MB
Find out how much flash memory the switch has. The switch has 31 MB of flash
memory after deleting the current .bin file so the minimum memory requirements are
close.
switch#dir flash: | include bytes total
32514048 bytes total (15827968 bytes free)
switch#dir flash:*.bin | include .bin
Directory of flash:/*.bin
5 -rwx 16662016 Jun 11 2017 17:07:02 -05:00 c3560-ipbasek9-mz.150-2.SE10a.bin
switch#delete /force /recursive flash:c3560-ipbasek9-mz.150-2.SE10a.bin
switch#dir flash: | include bytes free
32514048 bytes total (32492032 bytes free)
Download a copy of the new software image from the TFTP server.
switch#copy tftp://192.168.1.30/c3560-ipbasek9-mz.150-2.SE11.bin flash:
Destination filename [c3560-ipbasek9-mz.150-2.SE11.bin]?
Accessing tftp://192.168.1.30/c3560-ipbasek9-mz.150-2.SE11.bin...
Loading c3560-ipbasek9-mz.150-2.SE11.bin from 192.168.1.30 (via Vlan1): !!!!...
[OK - 16664448 bytes]
16664448 bytes copied in 324.345 secs (51379 bytes/sec)
Check to make sure the checksum matches the file on the TFTP server. This IOS
version only supports checking the MD5 checksum.
switch#verify ?
/md5 Compute an md5 signature for a file
flash: File to be verified
nvram: File to be verified
switch#verify /md5 flash:c3560-ipbasek9-mz.150-2.SE11.bin
...
verify /md5 (flash:c3560-ipbasek9-mz.150-2.SE11.bin) = b81d9bfd47be75d966d12...
Change the boot variable to load the new software image and then reload.
switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)#boot system flash:/c3560-ipbasek9-mz.150-2.SE11.bin
switch(config)#end
switch#write memory
Building configuration...
[OK]
switch#show boot | include BOOT
BOOT path-list : flash:/c3560-ipbasek9-mz.150-2.SE11.bin
switch#reload
Log back into the switch via SSH. Get into enable mode and display the current
version that the switch is running. You should see the new version listed.
switch>en
Password:
switch#show version | begin Switch Port
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 28 WS-C3560G-24PS 15.0(2)SE11 C3560-IPBASEK9-M
...
After you are satisfied that the new software is working fine, you can
delete the old software if you have any.
switch#delete /force /recursive flash:c3560-ipbasek9-mz.150-2.SE11.bin
6 - Cisco Catalyst 3850 switches
Log into the switch via SSH. Get into enable mode and display the current
version that the switch is running. In this example, the switch is running IOS
XE 16.5.1a in install mode. The mode will either be install or bundle.
switch>en
Password:
switch#show version | begin Switch Port
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 56 WS-C3850-48T 16.5.1a CAT3K_CAA-UNIVERSALK9 INSTALL
...
Find out the filename of the IOS XE software. The filename of the IOS XE
software is cat3k_caa-universalk9.16.05.01a.SPA.bin.
switch#show flash: | include base
18 24616746 Jun 18 2017 20:19:53.0000000000 +00:00 cat3k_caa-rpbase.16.05.01a.SPA.pkg
Download the new software image from the Cisco website. Check to make sure the
checksum matches what Cisco provides. After making sure the checksum matches,
upload them to the TFTP server.
# md5 cat3k_caa-universalk9.16.06.01.SPA.bin
MD5 (cat3k_caa-universalk9.16.06.01.SPA.bin) = c73ba847525948804f698ab597da3b3d
# sha512 cat3k_caa-universalk9.16.06.01.SPA.bin
SHA512 (cat3k_caa-universalk9.16.06.01.SPA.bin) = 3b8d237089e609a8dc15dc3a59...
Check the minimum memory requirements for the new software image on the Cisco
website. This software image has the following requirements.
Min Memory: DRAM 4096 MB Flash 2048 MB
Find out how much flash memory the switch has. The switch has 2 MB of flash
memory so the minimum memory requirements are met.
switch#dir nvram: | include bytes total
2097152 bytes total (2069666 bytes free)
Download a copy of the new software image from the TFTP server.
switch#copy tftp://192.168.1.30/cat3k_caa-universalk9.16.06.01.SPA.bin flash:
Destination filename [cat3k_caa-universalk9.16.06.01.SPA.bin]?
Accessing tftp://192.168.1.30/cat3k_caa-universalk9.16.06.01.SPA.bin...
Loading cat3k_caa-universalk9.16.06.01.SPA.bin from 192.168.1.30 (via Vlan1): !...
[OK - 408979686 bytes]
408979686 bytes copied in 124.933 secs (3273592 bytes/sec)
Check to make sure the checksum matches the file on the TFTP server. This IOS
version supports checking the MD5 and SHA512 checksums.
switch#verify ?
/md5 Compute an md5 signature for a file
/sha512 Compute sha512 signature for a file
crashinfo: File to be verified
flash: File to be verified
nvram: File to be verified
switch#verify /sha512 flash:cat3k_caa-universalk9.16.06.01.SPA.bin
...
verify /sha512 (flash:cat3k_caa-universalk9.16.06.01.SPA.bin) = 3b8d237089e6...
Install the new software image and then reload.
switch#request platform software package install switch all file \
flash:cat3k_caa-universalk9.16.06.01.SPA.bin new auto-copy
--- Starting install local lock acquisition on switch 1 ---
Finished install local lock acquisition on switch 1
Expanding image file: flash:cat3k_caa-universalk9.16.06.01.SPA.bin
[]: Finished copying to switch
[1]: Expanding file
[1]: Finished expanding all-in-one software package in switch 1
SUCCESS: Finished expanding all-in-one software package.
[1]: Performing install
SUCCESS: install finished
[1]: install package(s) on switch 1
--- Starting list of software package changes ---
Old files list:
Removed cat3k_caa-guestshell.16.05.01a.SPA.pkg
Removed cat3k_caa-rpbase.16.05.01a.SPA.pkg
Removed cat3k_caa-rpcore.16.05.01a.SPA.pkg
Removed cat3k_caa-srdriver.16.05.01a.SPA.pkg
Removed cat3k_caa-webui.16.05.01a.SPA.pkg
New files list:
Added cat3k_caa-guestshell.16.06.01.SPA.pkg
Added cat3k_caa-rpbase.16.06.01.SPA.pkg
Added cat3k_caa-rpcore.16.06.01.SPA.pkg
Added cat3k_caa-srdriver.16.06.01.SPA.pkg
Added cat3k_caa-webui.16.06.01.SPA.pkg
Finished list of software package changes
SUCCESS: Software provisioned. New software will load on reboot.
[1]: Finished install successful on switch 1
Checking status of install on [1]
[1]: Finished install in switch 1
SUCCESS: Finished install: Success on [1]
switch#reload
System configuration has been modified. Save? [yes/no]: yes
Building configuration...
Compressed configuration from 11283 bytes to 5240 bytes[OK]Reload command is
being issued on Active unit, this will reload the whole stack
Log back into the switch via SSH. Get into enable mode and display the current
version that the switch is running. You should see the new version listed.
switch>en
Password:
switch#show version | begin Switch Port
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 56 WS-C3850-48T 16.6.1 CAT3K_CAA-UNIVERSALK9 INSTALL
...
After you are satisfied that the new software is working fine, you can
delete the old software if you have any.
switch#request platform software package clean switch all file flash:
This operation may take several minutes...
Running command on switch 1
Cleaning up unnecessary package files
Scanning boot directory for packages ... done.
Preparing packages list to delete ...
packages.conf
File is in use, will not delete.
cat3k_caa-guestshell.16.06.01.SPA.pkg
File is in use, will not delete.
cat3k_caa-rpbase.16.06.01.SPA.pkg
File is in use, will not delete.
cat3k_caa-rpcore.16.06.01.SPA.pkg
File is in use, will not delete.
cat3k_caa-srdriver.16.06.01.SPA.pkg
File is in use, will not delete.
cat3k_caa-webui.16.06.01.SPA.pkg
File is in use, will not delete.
done.
The following files will be deleted:
[switch 1]:
/flash/cat3k_caa-guestshell.16.05.01a.SPA.pkg
/flash/cat3k_caa-rpbase.16.05.01a.SPA.pkg
/flash/cat3k_caa-rpcore.16.05.01a.SPA.pkg
/flash/cat3k_caa-srdriver.16.05.01a.SPA.pkg
/flash/cat3k_caa-universalk9.16.06.01.SPA.conf
/flash/cat3k_caa-webui.16.05.01a.SPA.pkg
/flash/packages.conf.00-
/flash/packages.conf.01-
Do you want to proceed? [y/n]y
[switch 1]:
Deleting file flash:cat3k_caa-guestshell.16.05.01a.SPA.pkg ... done.
Deleting file flash:cat3k_caa-rpbase.16.05.01a.SPA.pkg ... done.
Deleting file flash:cat3k_caa-rpcore.16.05.01a.SPA.pkg ... done.
Deleting file flash:cat3k_caa-srdriver.16.05.01a.SPA.pkg ... done.
Deleting file flash:cat3k_caa-universalk9.16.06.01.SPA.conf ... done.
Deleting file flash:cat3k_caa-webui.16.05.01a.SPA.pkg ... done.
Deleting file flash:packages.conf.00- ... done.
Deleting file flash:packages.conf.01- ... done.
SUCCESS: Files deleted.
7 - Cisco 1130 wireless access points
Display the current version that the wireless access point is running. In this
example, the wireless access point is running IOS 12.4(25d)JA.
wap#show version | include Cisco IOS
Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(25d)JA, RELEASE SOFTWARE (fc1)
Find out the filename of the IOS software. In this example, the filename of the
IOS software is c1130-k9w7-tar.124-25d.JA.tar.
wap#show flash | include 1130
7 drwx 320 Jul 22 2013 21:22:20 -05:00 c1130-k9w7-mx.124-25d.JA
Download the new software image from Cisco and make sure the checksums match
what Cisco provides. After making sure the checksums match upload them to the
TFTP server.
server# sha512 c1130-k9w7-tar.124-25d.JA2.tar
SHA512 (c1130-k9w7-tar.124-25d.JA2.tar) = 46b1a3e0f13df24c774c22848af72d8bb0...
Upgrade the access point software by running the following.
wap#archive download-sw /force-reload /overwrite tftp://192.168.1.17/c1130-k9w7-tar.124-25d.JA2.tar
examining image...
Loading c1130-k9w7-tar.124-25d.JA2.tar from 192.168.1.17 (via BVI1): !
extracting info (286 bytes)
Image info:
Version Suffix: k9w7-.124-25d.JA2
Image Name: c1130-k9w7-mx.124-25d.JA2
Version Directory: c1130-k9w7-mx.124-25d.JA2
Ios Image Size: 5028352
Total Image Size: 5775872
Image Feature: WIRELESS LAN
Image Family: C1130
Wireless Switch Management Version: 7.0.94.21
...
Log back in and check the current version that the wireless access point is
running. You should see the new version listed.
wap#show version | include Cisco IOS
Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(25d)JA2, RELEASE SOFTWARE (fc1)
|