Cisco 3550 switch ios download
This document explains the step-by-step procedure to upgrade the software image on Cisco Catalyst series switches with use of the command-line interface (CLI). Before you attempt this configuration, ensure that you are familiar with these topics for Catalyst. If you are not familiar with the topics, see the Prepare to Upgrade section of this document before you attempt the software upgrade. If you already meet the requirements, skip any or all of these topics.

Refer to the Cisco Technical Tips Conventions for more information on document conventions. You want to implement new features in your network that are available in the later software release.

For details on this procedure, complete these steps. There are two types of files or file extensions that you see when you download software from the LAN Switches section of Downloads - Switches (registered customers only).

If you only want to use the CLI to manage the switch, the. If you want to manage switches or clusters of switches through a web interface, such as HTML, this file is the only file to download. Note: When you download a. This utility can be WinZip or some other third-party software. There is no need to manually extract the files in the archive. The extraction occurs automatically during the upgrade process. The is either a Layer 2 (L2) or Layer 3 (L3) switch, which depends on the software version and feature set that you install.

The SMI image is essentially an L2-only image. This release and later SMI releases use the phrase "basic Layer 3 routing features". This feature set includes the following. However, unless you purchased your with an EMI image preinstalled, you must purchase the upgrade kit before you download the EMI image. The ships from the factory with a CMS image installed. The extraction process that takes place with a.

The image directory has the same name as the Cisco IOS image. This directory stores the Cisco IOS image. Issue the dir flash: command in order to view the Flash file system. Here is a sample command output. If you use just the Cisco IOS image to upgrade, you issue the copy tftp command.

If you upgrade with use of the CMS image. There are no minimum DRAM requirements to consider before you upgrade software on the There is a limit to the number of images that you can store in Flash. Always check the size, in bytes, of the image in the LAN Switches section of Downloads - Switches registered customers only before you upgrade software. Issue the dir flash: command in order to compare the size of this image with the free space in Flash.

In order to upgrade with use of a CMS image. This command has a few options. This command leaves the old software, but requires more Flash space. The Software Upgrade Procedure for the Series Switches section of this document covers in detail the use of the delete command and the archive download-sw command. The workaround is to reset the switch MTU value to the default value or to configure the same MTU value on the switch, the authentication server, and the intermediate devices.

These are access control list (ACL) limitations. The workaround is to disable the Port Aggregation Protocol (PAgP) on both devices by using the channel-group channel-group-number mode on interface configuration command. PAgP negotiation between these two devices is not reliable. However, after the switch power supply is restored, the Cisco RPS continues providing power to the switch. For more information, see the Cisco RPS installation guide. The workaround is to remove the AC power supply, disconnect the Ethernet cable, and then reconnect the Ethernet cable.

This ensures that the switch uses inline power. When an IEEE powered-compliant device is connected to a switch, it allocates 15 W (the default) to the port. The workaround is to configure the Catalyst Gigabit Ethernet interface with the spanning-tree portfast interface configuration command.

The workaround is to enter the switchport mode trunk interface configuration command on all of the GigaStack interfaces and to do one of these. This condition occurs on IEEE Some of the GBIC ports might not come up. If a connected device has a power failure, the Cisco RPS immediately begins supplying power to that device and sends status information to other connected devices that it is no longer available as a backup power source.

However, this might merely mean that the Cisco RPS is in standby mode. For more information, see the Cisco RPS documentation. The workaround is to shut down the port, and to re-enable it by using the shutdown and no shutdown interface configuration commands. The workaround, when you remove an EtherChannel group, is to enter the no shutdown interface configuration command on the interfaces that belonged to the port group to bring them back online.

To determine actual discarded frames, multiply the output buffer failures by the number of VLANs on which the multicast data is replicated. This can occur when a large number of ping packets are sent and received and is the expected behavior. The workaround is to not perform a ping from one interface to another on the same switch.

The workaround is to enter the no switchport block unicast interface configuration command on that specific interface. The problem occurs only when the switch is receiving frames. It is not supported on EtherChannel port channels, even though you can enter these commands through the CLI. When the Catalyst switch is used as the relay agent with DHCP snooping and the option feature using the VLAN-module-port (vlan-mod-port) format, the switch does not assign the correct value to the port identifier (circuit ID) suboption.

The value is offset by 1 from the actual interface module- and port-number values. The switch might display tracebacks similar to this example when an EtherChannel interface port-channel type changes from Layer 2 to Layer 3 or the reverse. After the no interface tunnel0 global configuration command is entered to remove the tunnel interface, the output from the show running-config privileged EXEC command still shows the tunnel interface that was removed.

This can occur if HSRP interface tracking is configured on another interface to track a tunnel interface, if the no interface command was entered before the HSRP tracking configuration was removed, or if the no standby tunnel0 global configuration command was entered on the other interface to disable tracking.

Aliased groups can also leak through the switch. For example, if a user is allowed to receive reports from group Aliasing of reserved addresses means that all groups of the form y. The switchport block multicast command is only applicable to non-IP multicast traffic. If this happens, the switch port where the client is connected might be removed from the IGMP snooping forwarding table. The workaround is to not set an ARP timeout value lower than seconds. The objects in this table are indexed by two numbers: portModuleIndex and portIndex.

The allowable values for portModuleIndex are 1 through Because 0 is not an allowable value, the value 1 represents module 0. Use the clear counters privileged EXEC command to clear the counters. However, no new multicast routes that violate the updated version of the multicast boundary access list are learned, and any multicast routes that are in violation of the updated access list are not relearned if they age out.

After updating a multicast boundary, the workaround is to use the clear ip mroute privileged EXEC command to delete any existing multicast routes that violate the updated boundary. In certain transient states (for example, when a multicast stream is forwarded only to the CPU during the route-learning process and the CPU is programming this route into the hardware), a multicast stream packet count might be counted twice. The workaround is to not trust the counter during this transient state.

If the incoming speed is line rate, the outgoing interface cannot duplicate that speed because of the replication of the packets. As a result, certain replicated packets are dropped. However, the switch does not automatically start to use the shared tree. No connectivity problem occurs, but the switch continues to use the shortest path tree for multicast group entries already installed in the multicast routing table.

The workaround is to enter the clear ip mroute privileged EXEC command to force the change to the shared tree. The memory resources can only be recovered by entering the clear ip mroute privileged EXEC command.

The workaround is to not configure more than the recommended number of multicast routes on the switch. This is a limitation in the platform-independent code. The workaround is to not configure the switch to operate with more than the maximum number of supported multicast routes. You can use the show sdm prefer and show sdm prefer routing privileged EXEC commands to view approximate maximum configuration guidelines for the current SDM template and the routing template. This only occurs when there are multiple paths between the rendezvous point (RP) and the multicast source.

The output from the show mls qos interface interface-id statistics command for the Gigabit Ethernet interface is incorrect. In Table 5, No means that port security cannot be enabled on a port if the referenced feature is also running on the same port. Yes means that both port security and the referenced feature can be enabled on the same port at the same time. A dash means not applicable. To display the total number of discarded packets, use the show controllers ethernet-controllers interface-id privileged EXEC command.

In the display, the number of discarded frames includes the frames that were dropped when the tail-drop thresholds were exceeded. When packets are logged by the ACL, this problem can also affect whether or not a match is logged by the CPU, even if the ACL fits into hardware and the permit or deny filtering was completed in hardware.

If you add an entry that checks TCP flags to an access list that is used for QoS classification, the system might report that a hardware limitation has been reached for the policy map.

This can occur when the policy map already contains several other access list entries that check different TCP flags or that check TCP or User Datagram Protocol (UDP) port numbers by using an operation different from equal (eq), such as not equal (ne), less than (lt), greater than (gt), or range.

When the hardware limitation is reached, the service-policy input policy-map-name interface configuration command is removed from the running configuration of the interface. The switch supports no more than six checks within a single policy map. An identical check repeated in multiple entries in the same policy map counts as a single instance. There is no workaround if the limit is reached during a check against the TCP flags in the packet.

Similar checks in a port ACL applied to the same physical interface as the policy map also count toward the limit. Because these resources are allocated on a first-come, first-served basis, rearranging the order of ACLs within a policy map or the order of entries within a single ACL, placing the TCP flags checks as early as possible, might enable the policy map to be loaded into the hardware.

The switch supports eight checks for all features on the same VLAN label. When the limit is reached, the system might forward packets by using the CPU rather than through hardware, greatly reducing system performance. Because traffic forwarded to the CPU cannot be policed by the policer configured on the interface, this traffic is not accurately rate-limited to the configured police rate.

The workaround is to enter another command, such as the police, trust, or set policy-map class configuration commands, after entering the class class-map-name policy-map configuration command.

Add the first configuration file to the running-configuration file, and then add the second file to the running-configuration file. This should not be an issue in an environment where the frames are a mix of different sizes. The workaround is to configure the bandwidth of the SVI manually by using the bandwidth interface configuration command. Changing the bandwidth of the interface changes the routing metric for the routes when the SVI is used as a sending interface.

If two Catalyst switches are connected to each other through an interface that is configured for IP routing and fallback bridging, and the bridge group is configured with the bridge bridge-group protocol dec command, both switches act as if they were the spanning-tree root. Therefore, spanning-tree loops might be undetected. The workaround is to remain within the documented recommended and supported limits.

IP connectivity then exists between Router 1 and the switch. There is no IP connectivity between Router 2 and the switch.

This happens when the portion of the adjacency RAM that has been allotted for multipath routes has been used up. Normal networks should not have packets with CRC errors. The switch might reload when it is executing the no snmp-server host global configuration command. ICMP messages that are automatically sent by Cisco routers in response to various actions can give away a lot of information, such as routes, paths, and network conditions, to an unauthorized individual.

Attackers commonly use the following three types of ICMP message response features. Unreachable: a response to a nonbroadcast packet that uses an unknown protocol (Protocol Unreachable), or a response to a packet that a responding device failed to deliver because there is no known route to the destination (Host Unreachable).

Redirect: a response to a packet that notifies the sender of a better route to a destination. Mask Reply: a response from a network device that knows the subnet mask for a particular subnet in an internetwork to a Mask Request message from a device that requires that information. Example shows that all the services discussed in this lesson are disabled on R8.

You do not see some of them in the running configuration output because of the default settings in this particular version of Cisco IOS Software. In this scenario, R8 needs to be configured as the HTTP server so that it allows remote management through the Cisco web browser interface.

The syntax for the HTTP server command is as follows. To modify the default, use the following command. Next, you need to set up basic user authentication on your HTTP server. Although you can use AAA services for this purpose, this example queries the local database. The configuration of usernames and passwords in the database was discussed in the first lesson in 'Configuring Passwords, Privileges, and Logins.'

To limit access to the server, you can create an access list and then apply it to the HTTP configuration. To associate the list with the HTTP server access, enter the following command.

You can choose to enable the logging of a router's events to a syslog server, including the HTTP-related activity. To specify syslog logging, use the following set of commands. The first command on the list, logging on, turns logging on. The logging facility [syslog] command names a syslog server as the logging monitor. The logging source-interface local-interface command identifies the local interface that forwards logs to the server.

The logging syslog-server-address command points to the syslog server's IP address. The logging trap command sets up the trap level. Example displays the running configuration of R8. Notice the resolution of the HTTP commands. For example, the port number is changed to Access-list 11, permitting host Now that the HTTP server has been successfully configured, an authorized user can log in. Figures and show the browser login prompt and the postlogin screen, respectively.

This case study is not meant as an in-depth demonstration of the NTP protocol. The main goal is to achieve a functional, secure NTP configuration between the three routers using MD5 authentication. If you are using a local router as your time synchronization source, the first task you need to complete is to set the clock on the router that is to be your server, R5 in this case. The following command establishes the time in military format and date on the router.

Also, configure the routers to automatically switch to daylight-saving time when appropriate. The following two commands identify the time zone and configure daylight-saving time for that zone. The summertime clock comes into effect on the first and ends on the second specified day every year, as shown in Example. When an external NTP source is not available, as is the case with this NTP configuration scenario, you need to designate a local router as the master that is to be the source of time in the network.

To appoint a router as the NTP master, use the following command. To implement redundancy, two routers act as masters: R5 and R8. The stratum level of R5 is 1, and the stratum level of R8 is 3; this means that R5 takes precedence over R8.

Next, you need to set up peering between routers for clock synchronization. Use the following command. Each router in the network has been peered up with the two other routers, as shown in Example. Because R8 is separated from R6 by PIX2, the configuration is not fully functional without the firewall's involvement. In Example, you can see that inside and outside interfaces have been assigned their IP addresses. R6 was associated with IP address Inside-to-outside Network Address Translation (NAT) has been enabled with the global outside 10 interface and nat inside 10 0.

The static inside,outside The route outside 0. Finally, the access list permitting NTP traffic destined for R8 has been applied to the inbound traffic of the outside interface. To allow NTP traffic from the two routers, specify an access list, such as the one in Example, allowing You have reached the final step of this configuration.

NTP supports MD5 authentication, which is useful for preserving your network's security. When MD5 authentication is enforced, your router can be sure that the NTP updates that arrived are from the authorized source. Step 1 Start the NTP authentication process. Step 3 Set up an NTP trusted key that matches the authentication-key. Step 4 Add the authentication-key to the peer statements. To accomplish these tasks, use the following commands and review their application on the routers shown in Example. To verify that your NTP configuration is working properly, issue the following commands on any of the routers (see Example).
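To show what the authentication-key and trusted-key steps above actually enforce, here is an added example (not from the page or from Cisco) that builds an NTP packet, appends the RFC 5905 MD5 MAC (4-byte key id followed by MD5 over the key and the 48-byte header), and verifies it against a trusted-key table; the key ids, key strings and timestamp are constructed stand-ins for the router's configuration.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48  # fixed NTPv4 header; the optional MAC follows it

# Constructed stand-in for "ntp authentication-key <id> md5 <string>" (hypothetical ids/strings).
KEY_TABLE = {1: b"R5-R8-sharedsecret", 2: b"stale-key"}
# Constructed stand-in for "ntp trusted-key <id>": only key 1 may authenticate a peer.
TRUSTED_KEYS = {1}


def build_ntp_header(stratum: int, transmit_ts: int) -> bytes:
    """Minimal NTPv4 header: LI=0, VN=4, mode=4 (server), exactly 48 bytes."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    return struct.pack(
        "!BBBbII4sQQQQ",
        li_vn_mode, stratum, 6, -20,   # poll interval 2^6 s, precision 2^-20 s
        0, 0, b"LOCL",                 # root delay, root dispersion, reference id
        0, 0, 0, transmit_ts,          # reference, origin, receive, transmit timestamps
    )


def ntp_md5_mac(key: bytes, header: bytes) -> bytes:
    """RFC 5905 appendix A MD5 MAC: digest of the key followed by the header."""
    return hashlib.md5(key + header).digest()


def sign_packet(header: bytes, key_id: int) -> bytes:
    """Append key id (4 bytes) + 16-byte digest, as a peer with a configured key does."""
    return header + struct.pack("!I", key_id) + ntp_md5_mac(KEY_TABLE[key_id], header)


def verify_packet(packet: bytes) -> tuple[bool, str]:
    """Accept a packet only if its key id is trusted and the digest matches the header."""
    if len(packet) != NTP_HEADER_LEN + 4 + 16:
        return False, "no MD5 MAC present"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in TRUSTED_KEYS or key_id not in KEY_TABLE:
        return False, f"key id {key_id} is not a trusted key"
    expected = ntp_md5_mac(KEY_TABLE[key_id], header)
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch: wrong key or altered packet"
    return True, "authenticated"


if __name__ == "__main__":
    hdr = build_ntp_header(stratum=1, transmit_ts=0xE8B7D2C000000000)  # constructed timestamp
    good = sign_packet(hdr, 1)
    print(verify_packet(good))                  # (True, 'authenticated')
    print(verify_packet(hdr))                   # unauthenticated packet is rejected
    print(verify_packet(sign_packet(hdr, 2)))   # known but untrusted key is rejected
    altered = bytearray(good)
    altered[1] = 3                              # stratum changed in transit after signing
    print(verify_packet(bytes(altered)))        # digest mismatch
```

The rejection of key id 2 is the effect of the trusted-key step: a key that exists in the table but is not trusted cannot authenticate a peer.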

If you make any changes to the master or the client NTP configuration, they do not take effect until you restart the router in question. In this case study, R5 has been selected as an SSH server. After you complete the necessary configuration tasks, an SSH-enabled client—R6 in this case—can securely connect to the router for administration. Refer to Figure to see the topology. The preliminary tasks for configuring SSH are specifying a host name and a domain name for a router.

As a result, two statements— hostname R5 and ip domain-name cisco. After taking this non-SSH-specific step, you can begin the SSH configuration procedure, which includes the following steps. The access-list 15 permit The syntax for the command that assigns an inbound access list to the vtys was discussed in Lesson. When applied to this scenario, it results in the following line-mode command.

The next step is to create user accounts, as described in Lesson. However, instead of using AAA, a local login has been specified here, as follows. In other words, the login local command indicates to the router that when a user is trying to connect via SSH, the router uses the local database configured with the username admin privilege 15 password cisco command to authenticate that user.

To generate a new RSA key pair for R5, use the following command. At the next prompt, specify R5. To exercise further control over your SSH, use the commands described in the next step. Authentication timeout is the interval, measured in seconds, that the server waits until a client responds with a password.

The default and the maximum are both seconds. In this configuration, the timeout stands at 60 seconds. The syntax for configuring the authentication timeout is as follows. If a user logs in incorrectly several times, the router drops the connection. The default for authentication attempts is 3, and the maximum is 5.

In this example, the default is kept, but the syntax for the command is as follows. In Lesson, you allowed Telnet as the type of connection over vtys on R8. Here, you specify SSH as the connection of choice in the following manner. Example shows the output of the running configuration of R5.

All the steps that have been covered in this case study are displayed. To determine whether the configuration is working, the next logical step is to try to connect to R5 from R6 via SSH. Issue the following statement on R6, as shown in Example. Once you are successfully connected, you can input show ssh on R5 to verify that SSH has been successfully enabled and check that your session is using SSH. Example shows the output of the show ssh command, which displays the status of SSH server connections, and the show ip ssh command, which demonstrates the version and configuration data for SSH.

Example illustrates the output of the debug ip ssh client command. The first part of the output is the display of user activity, and the second is the log line that was recorded after the user exited the SSH server. A few years ago, I wrote 'Cisco administration Upgrading routers and switches.' That article focused primarily on upgrading routers.

This week, I want to discuss what you specifically need to know to upgrade a Cisco Catalyst switch.


