I recently had to install a new HP c7000 chassis with 16 half-height blades.

This came with 4 Cisco 3020 switches in the back, 2 for normal network traffic and 2 for the iSCSI fabric. This was to be placed in a PCI environment and so had to meet PCI requirements.

PCI DSS states:

2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access

So we need to encrypt the management access to the switches. By default the Cisco IOS doesn’t support SSH or HTTPS encryption. To enable SSH and HTTPS we need to update the IOS with the K9 image:

cbs30x0-ipbasek9-mz.122-58.SE1.tar

from the Cisco website:

http://www.cisco.com/cisco/software/release.html?mdfid=280348753&softwareid=280805680&release=12.2.58-SE1&relind=AVAILABLE&rellifecycle=ED&reltype=latest

You need a valid Service Contract login to download IOS software.

Note the K9 in the IOS filename: look for this and you know you have the correct IOS update.

Now you need a TFTP server so you can upload the image to the switch. I usually use TFTPD for Windows, which you can download from here:

http://tftpd32.jounin.net/

Open TFTPD and select the directory in which the IOS update is located. Now that TFTPD is looking at the correct directory, you need to log on to the switch.

You will need to use the console cable and set an IP address on the Management Interface or VLAN, depending on your setup. The 3020s I am dealing with have a separate FastEthernet (fa0) interface connecting to the HP Onboard Administrator for management. In my case, because of the HP Onboard Administrator, the fa0 interface is also given an IP address through EBIPA. Now connect to the same subnet as the Management interface.

As you can see above, I’ve downloaded the archive update file, which also contains the updated HTTP files; you never know, in the future you might want to use the HTTP interface.

On the switch type the following command:

Switch# archive download-sw /overwrite /reload tftp://ipaddress/cbs30x0-ipbasek9-mz.122-58.SE1.tar

This command downloads the image from the specified TFTP server, overwrites the current IOS and attempts to reload the switch. If the config hasn’t been saved then the reload will be aborted. To save the config I always run the following before running the above command:

Switch# copy run start

This copies the running config to the startup config, so the switch will automatically reload after the update.

Once the switch has booted up fully it should have the K9 image installed. You can always confirm this by running the following:

Switch# show version

Cisco IOS Software, CBS30X0 Software (CBS30X0-IPBASEK9-M), Version 12.2(58)SE1
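
Added example, not part of the original post: a small Python check that the show version line above reports a K9 feature set and that a running-config actually restricts management access to encrypted protocols, which is what requirement 2.3 asks for. The config excerpt is constructed, and flagging a vty section that has no transport input line is an assumption of this sketch.

```python
import re

# Constructed sample input: show version line from the post, made-up config excerpt.
SHOW_VERSION = ("Cisco IOS Software, CBS30X0 Software (CBS30X0-IPBASEK9-M), "
                "Version 12.2(58)SE1")
RUNNING_CONFIG = """\
ip http server
ip http secure-server
ip ssh version 2
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

def image_has_crypto(show_version):
    """True if the feature-set name in parentheses contains K9."""
    m = re.search(r"Software \(([^)]+)\)", show_version)
    return bool(m) and "K9" in m.group(1).upper()

def vty_blocks(config):
    """Yield (header, sub-commands) for each 'line vty' section."""
    header, body = None, []
    for line in config.splitlines():
        if not line.startswith(" "):  # a new top-level command ends the section
            if header:
                yield header, body
            header = line if line.startswith("line vty") else None
            body = []
        elif header:
            body.append(line.strip())
    if header:
        yield header, body

def audit(show_version, config):
    """Return findings relevant to PCI DSS 2.3 (an empty list means none)."""
    findings = []
    if not image_has_crypto(show_version):
        findings.append("image is not a K9 (crypto) build")
    top = [ln.strip() for ln in config.splitlines() if not ln.startswith(" ")]
    if "ip http server" in top:
        findings.append("plain HTTP management enabled (ip http server)")
    if "ip ssh version 2" not in top:
        findings.append("SSH not pinned to version 2")
    for header, body in vty_blocks(config):
        inputs = [c.split()[2:] for c in body if c.startswith("transport input")]
        if not inputs or inputs[-1] != ["ssh"]:  # assumption: no line at all is flagged
            findings.append(f"{header}: not restricted to 'transport input ssh'")
    return findings
```

Calling audit(SHOW_VERSION, RUNNING_CONFIG) on the sample returns two findings: the plain HTTP server and the vty 0 4 section that still accepts telnet.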