How to upgrade Cisco IOS Image

Cisco IOS devices typically use their flash memory to store the IOS image. On most routers, this flash memory can be easily replaced. On some switches, it is integrated in the device and can’t be replaced.

In this lesson, I’ll show you some different options how to copy a new IOS image to your Cisco IOS router or switch. I will use a Cisco 2800 IOS router in these examples.

First, head over to Cisco.com > Support > Download and grab the IOS image that you want. For example:

cisco ios 2800 router latest image

If you hover your mouse over the filename, you will see some extra information:

cisco ios 2800 md5 checksum

Above you can see the file name and MD5 checksum. The checksum can be used to check if the file that you downloaded is the same or has changed. I’ll show you this later.

Once you downloaded the IOS image, check if you have enough space left on your flash memory:

R1#show flash: 
-#- --length-- -----date/time------ path
1         1119 Sep 29 2015 11:11:52 +00:00 r1-r2-r3.cfg
2         1184 Dec 3 2014 15:14:06 +00:00 R1-R2-ASA1-ASA2.cfg
3         1125 Dec 23 2014 13:41:32 +00:00 ASA1-R1-R2-R3.cfg
5           76 Jul 17 2014 12:09:10 +00:00 System Volume Information/IndexerVolumeGuid
6         1060 Aug 11 2015 12:53:50 +00:00 mpls-pe-ce-basic-addressing.cfg
7         1213 Sep 30 2015 15:05:02 +00:00 router-on-a-stick.cfg
8     67926080 Apr 2 2015 14:21:46 +00:00 c2800nm-adventerprisek9-mz.151-4.M10.bin

3862364160 bytes available (137428992 bytes used)

On my flash memory, there are a bunch of configuration files and the current IOS image. There are 3862364160 bytes available (3862 MB) so we have plenty of space.

When we want to copy something to or from this router, we have to use the copy command:

R1#copy ?
  /erase          Erase destination file system.
  /error          Allow to copy error file.
  /noverify       Don't verify image signature before reload.
  /verify         Verify image signature before reload.
  archive:        Copy from archive: file system
  cns:            Copy from cns: file system
  flash:          Copy from flash: file system
  ftp:            Copy from ftp: file system
  http:           Copy from http: file system
  https:          Copy from https: file system
  null:           Copy from null: file system
  nvram:          Copy from nvram: file system
  pram:           Copy from pram: file system
  rcp:            Copy from rcp: file system
  running-config  Copy from current system configuration
  scp:            Copy from scp: file system
  startup-config  Copy from startup configuration
  system:         Copy from system: file system
  tar:            Copy from tar: file system
  tftp:           Copy from tftp: file system
  tmpsys:         Copy from tmpsys: file system
  xmodem:         Copy from xmodem: file system
  ymodem:         Copy from ymodem: file system

We have a lot of options. The most common options for copying an IOS image are:

  • TFTP
  • FTP
  • SCP

I will explain all three options to you.

Newer routers also support copying from USB sticks. This will show up as usbflash: in the filesystem overview.

TFTP

TFTP (Trivial File Transfer Protocol) is similar to FTP but much simpler, like a light weight version. It doesn’t support authentication or encryption and uses UDP for transmission. I will use the following topology:

Cisco Router TFTP Server

We need a TFTP server application, a great choice here is TFTPD32. You can download it for free and it’s an executable, no need to install anything.

Once you downloaded TFTPD32, start it:

tftdp32 icon on desktop

And you will see the main screen:

tftpd32 desktop folder

Make sure you select the correct directory where you downloaded your IOS image and if you have multiple network interfaces, select the correct interface.

The copy command works in both directions. I can copy to and from the TFTP server. Here’s how to copy the current IOS image to the TFTP server:

R1#copy flash: tftp:
Source filename []? c2800nm-adventerprisek9-mz.151-4.M10.bin
Address or name of remote host []? 192.168.1.200
Destination filename [c2800nm-adventerprisek9-mz.151-4.M10.bin]? 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
67926080 bytes copied in 312.508 secs (217358 bytes/sec)

When you use the copy flash: tftp: command, it will ask you for the IP address and filename. When you see something between [] (brackets), you can just hit the enter button. For example, since I specified the source name, the router assumes I want to use the same file name for the destination. Don’t type “y” or “yes” here or that will become the destination filename.

If you are unable to connect to the TFTPD32 server, check your Windows firewall.

We can see the transfer on our router or you can see it in TFTPD32:

tftpd32 copy cisco ios 2800 image

We now have a backup of our current IOS image. Let’s copy the new image to the router:

R1#copy tftp: flash:
Address or name of remote host []? 192.168.1.200
Source filename []? c2800nm-adventerprisek9-mz.151-4.M12a.bin
Destination filename [c2800nm-adventerprisek9-mz.151-4.M12a.bin]? 
Accessing tftp://192.168.1.200/c2800nm-adventerprisek9-mz.151-4.M12a.bin...
Loading c2800nm-adventerprisek9-mz.151-4.M12a.bin from 192.168.1.200 (via FastEthernet0/0): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 67929600 bytes]

67929600 bytes copied in 316.628 secs (214541 bytes/sec)

The transfer has completed, let’s take a look at our flash memory:

R1#show flash: | include .bin
8     67926080 Apr 2 2015 14:21:46 +00:00 c2800nm-adventerprisek9-mz.151-4.M10.bin
25    67929600 Nov 4 2016 12:11:22 +00:00 c2800nm-adventerprisek9-mz.151-4.M12a.bin

Above we can see the new IOS image.

The copy command also allows you to enter parameters like the IP address of the TFTP server and filenames. Here is an example:

R1#copy tftp://192.168.1.200/c2800nm-adventerprisek9-mz.151-4.M12a.bin flash:
Destination filename [c2800nm-adventerprisek9-mz.151-4.M12a.bin]?

Above you can see that I already entered the IP address and filename. Once I hit enter, it will only ask me for the destination filename (which I also could have entered). If you have to upgrade the IOS image on multiple devices, this is more convenient as you can just copy/paste the above line on all devices.

You can also turn a Cisco IOS router or switch into a TFTP server. You only need one command to accomplish this:

R1(config)#tftp-server flash:c2800nm-advipservicesk9-mz.124-24.T8.bin alias 2800-image.bin

The alias parameters lets you use a different name for the filename. In the example above, “2800-image.bin” refers to the actual file on the flash of my router.

FTP

Copying to or from an FTP server is also no problem, we can do this with the same copy command. One thing you might have to deal with is authentication. Most FTP servers will require a username and password. Here is the topology I will use:

Cisco Router FTP Server

There are two things we can do to supply a username and password. Here is option one::

R1(config)#ip ftp username admin
R1(config)#ip ftp password cisco

We can globally configure the username and password that we want to use for the FTP server. When you use the copy command, Cisco IOS will use these values for authentication.

Personally, I don’t like leaving this information in the running configuration. It’s also possible to supply a username and password with the copy command. Here is an example:

R1#copy ftp://admin:cisco@192.168.1.201/c2800nm-adventerprisek9-mz.151-4.M12a.bin flash:
Destination filename [c2800nm-adventerprisek9-mz.151-4.M12a.bin]?
Accessing ftp://*****:*****@192.168.1.201/c2800nm-adventerprisek9-mz.151-4.M12a.bin...
Loading c2800nm-adventerprisek9-mz.151-4.M12a.bin from 192.168.1.201 (via FastEthernet0/0): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 67929600 bytes]
67929600 bytes copied in 884.704 secs (76782 bytes/sec)

Above you can see I embedded the username “admin”, the password “cisco” and the IP address of my FTP server. This way is also easier, you can copy/paste this line on all devices that require an IOS image upgrade.

SCP

Last but not least, we have SCP (Secure Copy) which uses SSH. This is a great method because of two reasons:

  • It allows you to use your router/switch as an SCP server.
  • It uses encryption.
  • You probably already have SSH configured on your router or switch.

I will show you how to configure your router as an SCP server and how to copy files to/from it. I’m going to use two routers for this:

r1 r2 routers

R1 Configuration

First, we have to configure SSH:

R1(config)#ip domain-name NETWORKLESSONS.LOCAL

R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#login local

R1(config)#crypto key generate rsa 

The name for the keys will be: R1.NETWORKLESSONS.LOCAL
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)

R1(config)#ip ssh version 2

Now we only need two additional commands for SCP. The first one is to enable the SCP server:

R1(config)#ip scp server enable

And we need a user that has full access to the router:

R1(config)#username admin privilege 15 password cisco

Let’s continue with R2, our SCP client.

R2 Configuration

R2 will be our SCP client. Let’s try the copy command:

R2#copy scp: flash:                         
Address or name of remote host []? 192.168.1.1 
Source username []? admin
Source filename []? c2800nm-adventerprisek9-mz.151-4.M12a.bin 
Destination filename [c2800nm-adventerprisek9-mz.151-4.M12a.bin]? 
Password: 
!!!!!!!!!!!
67929600 bytes copied in 884.704 secs (76782 bytes/sec)

The copy command will ask for the remote IP address, username, password, and filename.

MD5 Verification

So far we copied a couple of files but how do we know that these files are valid? When we downloaded the Cisco IOS image, I showed you the MD5 checksum that Cisco publishes on their website. We can verify this checksum on our router:

R1#verify /md5 flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin
.................Done!
verify /md5 (flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin) = fcdaeb55b292534e97ecc29a394d35aa

This MD5 checksum is the same as the one we found on the Cisco website. This tells us that we have the same file as Cisco published and that the file has not been tampered with. If the checksum fails, maybe someone has added something nasty to the image.

Boot System

Our router currently has two IOS images:

R1#show flash: | include .bin
8     67926080 Apr 2 2015 14:21:46 +00:00 c2800nm-adventerprisek9-mz.151-4.M10.bin
25    67929600 Nov 4 2016 12:11:22 +00:00 c2800nm-adventerprisek9-mz.151-4.M12a.bin

Which IOS image will it select when the router boots? Deleting the old IOS image is one option but there is another way.

Most routers will select the first filename that they find on the flash memory so in our case, it means it would boot the older IOS image. We can change this with the boot sytem command:

R1(config)#boot system flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin

Let’s reload the router:

R1#reload

System configuration has been modified. Save? [yes/no]: yes
Building configuration...

[OK]

Once the router has reloaded, verify that we are running the new IOS image:

R1#show version 
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M12a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Tue 04-Oct-16 03:37 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

R1 uptime is 14 minutes
System returned to ROM by reload at 14:01:00 UTC Fri Nov 4 2016
System image file is "flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin"

Above we can see we booted the new Cisco IOS image.

Configurations

Want to take a look for yourself? Here you will find the configuration of each device.

R1

hostname R1
!
boot system flash:c2800nm-adventerprisek9-mz.151-4.M12a.bin
!
ip cef
!
ip domain name NETWORKLESSONS.LOCAL
!
username admin privilege 15 password 0 cisco
!
ip ssh version 2
ip scp server enable
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
line vty 0 4
 login local
 transport input ssh
!
end

Conclusion

You have now learned how to upgrade your Cisco IOS image through TFTP, FTP and SCP. You have seen how this can be done from your computer to your router/switch or between two routers. We also checked how to verify the integrity of the file with the MD5 checksum and how to configure your router to boot the new IOS image.

Forum Replies

  1. Hello Rene ,
    Is there any possiblity to use a SCP Client software on a laptop for example to update IOS on Router1
    thank you in advance

  2. Hi Rene !
    When we upgrade IOS of router what about configuration ? Is it still the same ?
    I know my question not sound technically cuz I’m new to Networking, but please kindly reply my question.
    Sovandara

  3. Rene,

    Any documentation how to upgrade Cisco IOS on dual superversior (Hitless)? ASR903?

  4. Thank you Lazaros! I just want to confirm that.

  5. Nice write-up.

    I’d like to see you add a few things to this one:

    1. Before configuring the boot system command, you should always remove any existing boot system commands (that point to an existing IOS image(s)). As you’re aware, any new boot system commands are placed AFTER any existing boot system commands.

    2. After doing the above, re-add the existing/old image as a backup in case the new image gets corrupted.

    3. Verify the config register to make sure it’s set for 0x2102 before rebooting to the new image.

3 more replies! Ask a question or join the discussion by visiting our Community Forum