Loading Image Files Through the Network
From time to time you will need to load a new system image, either to upgrade the image that was shipped with your router, to install bug fixes, or to add new feature sets that you've purchased. The most common way to upload an image is to copy it to the router from some other system on your networkafter all, the router is a network device, and it's easiest to use the router's networking capabilities. You can also use the console port or an AUX port to upload an image using Xmodem. In this book, I'll focus on loading image files over the network. We'll cover TFTP first, then provide details on using RCP or SCP, which is often preferred today for its security features.
2.3.1. Using TFTP to Download Files
Say that you have just purchased a 2501 router and want to upgrade to the latest version of IOS. Assume that you have downloaded the new image from Cisco's web site or that you have it on a CD or some other medium. If you haven't already set up the router, you'll need a serial connection from a terminal (or a PC with a terminal-emulation program) to do some simple configuration before you can install the image: at a minimum: you need to set up an IP address. You'll also need a connection to the network so that the router can access your TFTP server. Once you've set things up, your primitive network will look like Figure 2-2.
Figure 2-2. Getting an IOS image from a TFTP server
Before you start the upgrade, you must configure the IP address for the router's Ethernet interface (in this case, ethernet0). Let's assume that the address 10.10.1.1 is available for the router and that the TFTP server is 10.10.1.2. Before you load the new image, enter the following commands:
Router>enable Router#config terminal Router(config)#interface ethernet0 Router(config-if)#ip address 10.10.1.1 255.255.255.0 Router(config-if)#no shutdown Router(config-if)#exit Router(config)#exit Router#ping 10.10.1.2
The ping command is a simple sanity check: it proves that the router can actually communicate with the TFTP server. Once you've done this, you're ready to start retrieving the image file. In a sense, TFTP is a blind FTP. There are no user logins and there are no directory listing commands. You cannot ask the server to show you what files are available: the requesting system must know the exact name of the file it wants to download. Because TFTP is primitive and has no concept of authentication, it is a well-known security risk. We won't discuss how to set up a TFTP server here, but make sure your server is not accessible from the outside world. (See "Using SCP to Download Files" later in this chapter for a more secure alternative.)
|
Here is the sequence of steps for upgrading a router from an IOS file called igs-j-l.110 to igs-j-l.120:
- Ensure there is enough flash memory on your router to load the IOS image you want. Give the show flash command and compare the output with the size of the image file on the server.
Router#show flash System flash directory: File Length Name/status 1 6070088 igs-j-l.110 [6070152 bytes used, 2318456 available, 8388608 total] 8192K bytes of processor board System flash
The router's flash memory has 8192K bytes total with 2318456 bytes available. A directory listing on our TFTP server shows that our new image is the same size as the current one. Therefore, as long as we replace the old image with the new one, we have enough memory for the upgrade.
- Make a backup of the current IOS image to the network server. This is always a good idea. If the new image does not work or causes problems, you can always load your backup image.
Router#copy flash tftp System flash directory: File Length Name/status 1 6070088 igs-j-l.110 [6070152 bytes used, 2318456 available, 8388608 total] Address or name of remote host [255.255.255.255]? 10.10.1.2 Source file name? igs-j-l.110 Destination file name [igs-j-l.110]? igs-j-l.110.bak Verifying checksum for 'igs-j-l.110' (file # 1)... OK Copy 'igs-j-l.110' from Flash to server as 'igs-j-l.110.bak? [yes/no]yes Writing... Done...
- Load the new IOS.
Router#config terminal Router(config)#config-reg 0x2101 Router(config)#exit Router#reload
Wait for the router to reboot, then reconnect. Once you're back online, re-enter the enable mode.
Router>enable Router#copy tftp flash Address or name of remote host [255.255.255.255]? 10.10.1.2 Source file name? igs-j-l.120 Destination file name [igs-j-l.120]? igs-j-l.120 Accessing file ' igs-j-l.120' on 172.16.101.101... Loading igs-j-l.120 from 10.10.1.2 (via Ethernet0): ! [OK] Erase flash device before writing? [confirm] y Flash contains files. Are you sure you want to erase? [confirm] y Copy ' igs-j-l.120' from server as 'igs-j-l.120' into Flash WITH erase? [yes/no] yes Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee...erased Loading file1 from 10.10.1.2 (via Ethernet0): ! [OK - 6070088 bytes] Verifying checksum... OK (0x14x4) Flash copy took 0:00:31 [hh:mm:ss]
Now undo the configuration register.
Router#config terminal Router(config)#config-reg 0x2102 Router(config)#exit
To abort TFTP, type Ctrl-Shift-^ and then type x.
- Verify your newly loaded image. Even though there are checksums in the image, it is a good idea to verify on your own; you want to be absolutely sure that the new image is not corrupted.
Router#verify flash
If the verify fails, do not move on to Step 5 or reboot your router. Instead, retrieve your backup image with Step 3 by loading the backup copy of the IOS image, which we saved as igs-j-l.110.bak in Step 2.
- Reboot.
Router#reload "IOS Upgrade"
What you type between the quotes does not matter to the router. It is an informational message to tell users and administrators that are currently logged in what caused the router to reboot.
The reload command reboots the router. There is no reboot command. See the entry for reload in Chapter 17 for options.
2.3.2. Using RCP to Download Files
RCP uses the Unix remote copy protocol to store and retrieve files. The server on which the file is stored is usually a Unix or Linux system, though some implementations of RCP are available for other platforms. To set up the server, you must create a user account for the router and an .rhosts file for that account that gives access to the router. See your Unix manuals for more details.
Why would we want to use RCP? On a slow network, TFTP may time out because it is UDP-based. RCP uses TCP for the network connection, which provides a more reliable connection in tough network conditions. Because RCP requires an account, you might be tempted to think that it is also more secure than TFTP. It probably is, but the additional security is so minimal that it can hardly be considered an advantage. As with TFTP, you'll want to take steps to ensure that outsiders can't access your RCP server.
To configure the router to use RCP, set the username to be used by the rcp command:
Router(config)#ip rcmd remote-username name
Replace name with the username you have assigned to the router on the RCP server. To upload a new image, use the same five-step process outlined in the previous section, but replace tftp with rcp in the copy commands. For example, in Step 2, use the command:
Router#copy flash rcp
Be aware that many sites consider the remote shell protocols a security problem and disable them.
You can also run RCP from your Unix workstation. And it's a lot easier to have your routers trust the Unix box than it is to list all your routers in one .rhosts file.
2.3.3. Using SCP to Download Files
Secure Shell (SSH) is now the more modern way to securely access remote nodes. With SSH, the network session is encrypted, which keeps your data secure. And unlike FTP and Telnet, SSH passwords are not sent in clear text across the network. SCP is the "secure copy" form of SSH. Most modern operating systems support SSH service.
As in the previous examples, we use a username of bob and the server 10.1.1.2:
Router#copy scp://bob@10.1.1.2/igs-j-l.120 flash: Address or name of remote host [10.1.1.2]? Destination username [bob]? Destination filename [igs-j-l.120]? Writing igs-j-l.120 Password:
The system prompts you for the SSH password for the user bob. Once you enter the password (the password is not echoed on the screen), the transfer continues as usual. Secure Shell support was introduced in IOS 12.2.