Friday, October 9, 2020

Cisco 4000 Series IOS-XE and ROMMON Software Upgrade

There's no leisure travel yet outside of Singapore (as of this writing) due to the COVID-19 pandemic. So I just went around to some local spots like the newly opened Apple Store in Marina Bay Sands. This is the first "floating" Apple Store which has a spherical shaped structure.


I also went to Plaza Singapura to grab some lunch at Five Guys, which is a famous American burger joint. I ordered a cheesburger, hotdog, fries and milkshake. You can choose up to 15 free toppings (and can even ask for "All the Way") for your burger like lettuce, tomato, pickles, grilled onions, A1 steak sauce, etc.
 



I needed to upgrade a Cisco 4K ISR to IOS-XE 16.9.6 (Fuji) and the ROM Monitor (ROMMON) package to 16.9(1r). It's highly recommended to upgrade the ROMMON and there's a compatibility matrix to follow. The ROM Monitor is a bootstrap program that initializes the hardware and boots the Cisco IOS XE software when you power on or reload a router. 



According to the Cisco 4000 series ISR compatibility matrix below, I need to upgrade my Cisco 4331  ROMMON from the current 16.7(3r) version to 16.9(1r). You can still use the minimum 16.7(3r) version with 16.9.x, however you want to avoid any bugs or compatibility issue in the future.

There's a separate download section for the IOS-XE Software and ROMMON.

Hover on the .bin file (green text) to see more details such as the release date, file size, MD5 and SHA512 checksum.


 

It's always best practice to verify the checksum of the downloaded file from Cisco and also transfer the software directly from the file server. In the example below, the ROMMON file was corrupted since I transferred the software from one file server to another before finally transferring to the router.

4331#upgrade rom-monitor filename bootflash:isr4200_4300_rommon_169_1r_SPA.pkg all

 

File bootflash:isr4200_4300_rommon_169_1r_SPA.pkg is corrupt or is not a valid package.

 

 

4331#dir

Directory of bootflash:/

 

136545  drwx             4096  Jul 29 2020 15:17:39 +00:00  .installer

104417  drwx             4096  Oct 20 2019 08:59:21 +00:00  sysboot

   11  drwx             4096  Aug 24 2020 09:36:54 +00:00  lost+found

72289  drwx             4096  Oct 20 2019 09:19:40 +00:00  core

32129  drwx             4096  Jul 29 2020 15:57:55 +00:00  .prst_sync

40161  drwx             4096  Oct 20 2019 09:17:28 +00:00  .rollback_timer

   12  -rw-                0  Oct 20 2019 09:17:41 +00:00  tracelogs.nDF

144577  drwx            20480   Sep 7 2020 09:48:43 +00:00  tracelogs

   13  -rw-               30  Aug 24 2020 09:38:08 +00:00  throughput_monitor_params

   14  -rw-               35  Jul 29 2020 15:22:09 +00:00  pnp-tech-time

   15  -rw-            51176  Jul 29 2020 15:22:19 +00:00  pnp-tech-discovery-summary

   16  -rw-        486645440  Jul 29 2020 15:48:49 +00:00  isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin

   17  -rw-          5010380  Sep 16 2020 12:30:30 +00:00  isr4200_4300_rommon_169_1r_SPA.pkg

   18  -rw-        588714445  Sep 16 2020 15:54:00 +00:00  isr4300-universalk9.16.09.06.SPA.bin

 

3258179584 bytes total (1457758208 bytes free)

 

 

You can compare the checksum output to the Cisco download site.

 

4331#verify /md5 bootflash:isr4200_4300_rommon_169_1r_SPA.pkg

.............................................................................Done!

verify /md5 (bootflash:isr4200_4300_rommon_169_1r_SPA.pkg) = 84534cfd56f1a772fc7715049868743c

 

 

4331#verify /md5 bootflash:isr4300-universalk9.16.09.06.SPA.bin

 

<OUTPUT TRUNCATED>

 

........Done!

verify /md5 (bootflash:isr4300-universalk9.16.09.06.SPA.bin) = 08d876e4eca745843e8aa69a9cf1cb3e

 

 

You use the  upgrade rom-monitor filename bootflash:<.pkg FILE> all to extract and upgrade the ROMMON.

 

4331#upgrade rom-monitor filename bootflash:isr4200_4300_rommon_169_1r_SPA.pkg all

Chassis model ISR4331/K9 has a single rom-monitor.

 

Upgrade rom-monitor

 

Target copying rom-monitor image file

selected : 0

Booted : 0

Reset Reason: 0

 

Info: Upgrading only BIOS from the rommon package

4259840+0 records in

4259840+0 records out

262144+0 records in

262144+0 records out

655360+0 records in

655360+0 records out

File  is a FIPS ROMMON image

FIPS-140-3 Load Test on  has PASSED.

Authenticity of the image has been verified.

Switching to ROM 1

8192+0 records in

8192+0 records out

Upgrade image MD5 signature is 9825aa77548887bb1a45d329006c5acd

4259840+0 records in

4259840+0 records out

4194304+0 records in

4194304+0 records out

4194304+0 records in

4194304+0 records out

262144+0 records in

262144+0 records out

Upgrade image MD5 signature verification is 9825aa77548887bb1a45d329006c5acd

Switching back to ROM 0

ROMMON upgrade complete.

To make the new ROMMON permanent, you must restart the RP.

 

 

You'll need to restart the router for the new ROMMON to take effect. Make sure to boot using the original IOS-XE code. You can change the boot variable to the new IOS-XE code but it's not recommended.

 

4331#show run | inc boot

boot-start-marker

boot system flash isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin

boot-end-marker

4331#write memory

Building configuration...

 

[OK]

4331#reload

 

Sep 17 01:58:04.922 RP0/0: %P

 

Initializing Hardware ...

 

Checking for PCIe device presence...done

System integrity status: 0x610

Rom image verified correctly

 

 

System Bootstrap, Version 16.7(3r), RELEASE SOFTWARE   // JUST IGNORE OLD ROMMON

Copyright (c) 1994-2017  by cisco Systems, Inc.

 

 

Current image running: Boot ROM0

 

Last reset cause: LocalSoft

ISR4331/K9 platform with 4194304 Kbytes of main memory

 

Rommon upgrade requested

Flash upgrade reset 1 in progress

 

........

 

Initializing Hardware ...

 

Checking for PCIe device presence...done

System integrity status: 0x610

Rom image verified correctly

 

 

System Bootstrap, Version 16.9(1r), RELEASE SOFTWARE

Copyright (c) 1994-2018  by cisco Systems, Inc.

 

 

Current image running: *Upgrade in progress* Boot ROM1

 

Last reset cause: BootRomUpgrade

ISR4331/K9 platform with 4194304 Kbytes of main memory

 

....

Located isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin

##########################################################

 

<OUTPUT TRUNCATED>

 

##########################################################

 

Package header rev 1 structure detected

IsoSize = 471482368

Calculating SHA-1 hash...Validate package: SHA-1 hash:

calculated 92A40F6F:F8586BC3:F00F114B:EFB43257:B9728643

expected   92A40F6F:F8586BC3:F00F114B:EFB43257:B9728643

RSA Signed RELEASE Image Signature Verification Successful.

Image validated

%IOSXEBOOT-4-BOOT_SRC: (rp/0): mounting /boot/super.iso to /tmp/sw/isos

Sep 17 02:10:30.465 R0/0: %FLASH_CHECK-3-DISK_QUOTA: Flash disk quota exceeded [free space is 1423312 kB] - Please clean up files on bootflash.

 

 

<OUTPUT TRUNCATED>

 

4331#show version

Cisco IOS XE Software, Version 03.16.04b.S - Extended Support Release

Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S4b, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2016 by Cisco Systems, Inc.

Compiled Mon 17-Oct-16 20:23 by mcpre

 

 

Cisco IOS-XE software, Copyright (c) 2005-2016 by cisco Systems, Inc.

All rights reserved.  Certain components of Cisco IOS-XE software are

licensed under the GNU General Public License ("GPL") Version 2.0.  The

software code licensed under GPL Version 2.0 is free software that comes

with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such

GPL code under the terms of GPL Version 2.0.  For more details, see the

documentation or "License Notice" file accompanying the IOS-XE software,

or the applicable URL provided on the flyer accompanying the IOS-XE

software.

 

 

ROM: IOS-XE ROMMON

 

4331 uptime is 1 minute

Uptime for this control processor is 2 minutes

System returned to ROM by reload at 15:53:35 UTC Wed Jul 29 2020

System image file is "bootflash:isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin"

Last reload reason: Reload Command

 

 

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

 

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

 

If you require further assistance please contact us by sending email to

export@cisco.com.

 

 

Suite License Information for Module:'esg'

 

--------------------------------------------------------------------------------

Suite                 Suite Current         Type           Suite Next reboot    

--------------------------------------------------------------------------------

FoundationSuiteK9     None                  None           None                 

securityk9

appxk9

 

AdvUCSuiteK9          None                  None           None                 

uck9

cme-srst

cube

 

 

Technology Package License Information:

 

-----------------------------------------------------------------

Technology    Technology-package           Technology-package

Current       Type           Next reboot 

------------------------------------------------------------------

appxk9           None             None             None

uck9             uck9             Permanent        uck9

securityk9       securityk9       Permanent        securityk9

ipbase           ipbasek9         Permanent        ipbasek9

 

cisco ISR4331/K9 (1RU) processor with 1648789K/6147K bytes of memory.

Processor board ID FLM23431234

3 Gigabit Ethernet interfaces

32768K bytes of non-volatile configuration memory.

4194304K bytes of physical memory.

3207167K bytes of flash memory at bootflash:.

 

Configuration register is 0x2102

 

 

You can verify the new ROMMON version using either the show platform or  show rom-monitor command.


4331#show platform

Chassis type: ISR4331/K9

 

Slot      Type                State                 Insert time (ago)

--------- ------------------- --------------------- -----------------

0         ISR4331/K9          ok                    00:02:31     

 0/0      ISR4331-3x1GE       ok                    00:00:16     

 0/4      PVDM4-32            booting               00:00:16     

1         ISR4331/K9          ok                    00:02:31     

R0        ISR4331/K9          ok, active            00:02:31     

F0        ISR4331/K9          ok, active            00:02:31     

P0        PWR-4330-AC         ok                    00:02:05     

P2        ACS-4330-FANASSY    ok                    00:02:05     

 

Slot      CPLD Version        Firmware Version                       

--------- ------------------- ---------------------------------------

0         19040541            16.9(1r)                           

1         19040541            16.9(1r)                           

R0        19040541            16.9(1r)                           

F0        19040541            16.9(1r)                           

 

 

4331#show rom-monitor ?

  0   SM-Inter-Processor slot 0

  1   SM-Inter-Processor slot 1

  F0  Embedded-Service-Processor slot 0

  FP  Embedded-Service-Processor

  R0  Route-Processor slot 0

  RP  Route-Processor

 

4331#show rom-monitor r0   // CISCO 4331 ONLY HAS A SINGLE ROUTE PROCESSOR

 

System Bootstrap, Version 16.9(1r), RELEASE SOFTWARE

Copyright (c) 1994-2018  by cisco Systems, Inc.

 

 

You can now perform the IOS-XE code upgrade using the boot system flash bootflash:<.bin FILE> command.

 

4331(config)#no boot system   // QUICKLY REMOVES ALL BOOT VARIABLE

4331(config)#boot system ?

  WORD   TFTP filename or URL

  flash  Boot from flash memory

  ftp    Boot from a server via ftp

  mop    Boot from a Decnet MOP server

  rcp    Boot from a server via rcp

  tftp   Boot from a tftp server

 

4331(config)#boot system flash

4331(config)#boot system flash ?

  WORD  System image filename

  <cr>

4331(config)#boot system flash bootflash:isr4300-universalk9.16.09.06.SPA.bin

4331config)#boot system flash bootflash:isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin   // SECONDARY OR FALLBACK IOS-XE

4331(config)#end

4331#write memory

Building configuration...

 

[OK]

 

4331#show run | inc boot

boot-start-marker

boot system flash bootflash:isr4300-universalk9.16.09.06.SPA.bin

boot system flash bootflash:isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin

boot-end-marker

4331#sh bootvar

BOOT variable = bootflash:isr4300-universalk9.16.09.06.SPA.bin,1;bootflash:isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin,1;

CONFIG_FILE variable does not exist

BOOTLDR variable does not exist

Configuration register is 0x2102   // ENSURE CONFREG IS 0x2102

 

Standby not ready to show bootvar

 

4331#reload

Proceed with reload? [confirm]

 

 

Initializing Hardware ...

 

Checking for PCIe device presence...done

System integrity status: 0x610

Rom image verified correctly

 

 

System Bootstrap, Version 16.9(1r), RELEASE SOFTWARE

Copyright (c) 1994-2018  by cisco Systems, Inc.

 

 

Current image running: Boot ROM1

 

Last reset cause: LocalSoft

ISR4331/K9 platform with 4194304 Kbytes of main memory

 

 

........

Located isr4300-universalk9.16.09.06.SPA.bin

###########################################################

 

<OUTPUT TRUNCATED>

 

###########################################################

 

Package header rev 3 structure detected

IsoSize = 558002176

Calculating SHA-1 hash...Validate package: SHA-1 hash:

calculated 76E0E261:4348AB07:1AA1F17F:5C0C2DE6:9FA22E14

expected   76E0E261:4348AB07:1AA1F17F:5C0C2DE6:9FA22E14

RSA Signed RELEASE Image Signature Verification Successful.

Image validated

 

 

%IOSXEBOOT-4-BOOT_SRC: (rp/0):        WARNING: Attempting to use bootflash for packages storage!

 

              Restricted Rights Legend

 

Use, duplication, or disclosure by the Government is

subject to restrictions as set forth in subparagraph

(c) of the Commercial Computer Software - Restricted

Rights clause at FAR sec. 52.227-19 and subparagraph

(c) (1) (ii) of the Rights in Technical Data and Computer

Software clause at DFARS sec. 252.227-7013.

 

           Cisco Systems, Inc.

           170 West Tasman Drive

           San Jose, California 95134-1706

 

 

Cisco IOS Software [Fuji], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.9.6, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2020 by Cisco Systems, Inc.

Compiled Thu 27-Aug-20 02:41 by mcpre

 

 

PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE OR

LICENSE KEY PROVIDED FOR ANY CISCO SOFTWARE PRODUCT, PRODUCT FEATURE,

AND/OR SUBSEQUENTLY PROVIDED SOFTWARE FEATURES (COLLECTIVELY, THE

"SOFTWARE"), AND/OR USING SUCH SOFTWARE CONSTITUTES YOUR FULL

ACCEPTANCE OF THE FOLLOWING TERMS. YOU MUST NOT PROCEED FURTHER IF YOU

ARE NOT WILLING TO BE BOUND BY ALL THE TERMS SET FORTH HEREIN.

 

Your use of the Software is subject to the Cisco End User License Agreement

(EULA) and any relevant supplemental terms (SEULA) found at

http://www.cisco.com/c/en/us/about/legal/cloud-and-software/software-terms.html.

 

You hereby acknowledge and agree that certain Software and/or features are

licensed for a particular term, that the license to such Software and/or

features is valid only for the applicable term and that such Software and/or

features may be shut down or otherwise terminated by Cisco after expiration

of the applicable license term (e.g., 90-day trial period). Cisco reserves

the right to terminate any such Software feature electronically or by any

other means available. While Cisco may provide alerts, it is your sole

responsibility to monitor your usage of any such term Software feature to

ensure that your systems and networks are prepared for a shutdown of the

Software feature.

 

 

cisco ISR4331/K9 (1RU) processor with 1784189K/6147K bytes of memory.

Processor board ID FLM23431234

3 Gigabit Ethernet interfaces

32768K bytes of non-volatile configuration memory.

4194304K bytes of physical memory.

3207167K bytes of flash memory at bootflash:.

0K bytes of WebUI ODM Files at webui:.

 

%INIT: waited 0 seconds for NVRAM to be available

 

 WARNING: Command has been added to the configuration using a type 5 password. However, type 5 passwords will soon be deprecated. Migrate to a supported password type

 WARNING: Command has been added to the configuration using a type 5 password. However, type 5 passwords will soon be deprecated. Migrate to a supported password type

 

 

Verify the new IOS-XE code using the show version command.

 

4331#show version

Cisco IOS XE Software, Version 16.09.06

Cisco IOS Software [Fuji], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.9.6, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2020 by Cisco Systems, Inc.

Compiled Thu 27-Aug-20 02:41 by mcpre

 

 

Cisco IOS-XE software, Copyright (c) 2005-2020 by cisco Systems, Inc.

All rights reserved.  Certain components of Cisco IOS-XE software are

licensed under the GNU General Public License ("GPL") Version 2.0.  The

software code licensed under GPL Version 2.0 is free software that comes

with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such

GPL code under the terms of GPL Version 2.0.  For more details, see the

documentation or "License Notice" file accompanying the IOS-XE software,

or the applicable URL provided on the flyer accompanying the IOS-XE

software.

 

 

ROM: IOS-XE ROMMON

 

4331 uptime is 1 minute

Uptime for this control processor is 3 minutes

System returned to ROM by Reload Command at 02:14:47 UTC Thu Sep 17 2020

System image file is "bootflash:isr4300-universalk9.16.09.06.SPA.bin"

Last reload reason: Reload Command

 

 

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

 

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

 

If you require further assistance please contact us by sending email to

export@cisco.com.

 

 

Suite License Information for Module:'esg'

 

--------------------------------------------------------------------------------

Suite                 Suite Current         Type           Suite Next reboot    

--------------------------------------------------------------------------------

FoundationSuiteK9     None                  None           None                 

securityk9

appxk9

 

AdvUCSuiteK9          None                  None           None                 

uck9

cme-srst

cube

 

 

Technology Package License Information:

 

-----------------------------------------------------------------

Technology    Technology-package           Technology-package

              Current       Type           Next reboot 

------------------------------------------------------------------

appxk9           None             None             None

uck9             uck9             Permanent        uck9

securityk9       securityk9       Permanent        securityk9

ipbase           ipbasek9         Permanent        ipbasek9

 

The current throughput level is 100000 kbps

 

 

Smart Licensing Status: Smart Licensing is DISABLED

 

cisco ISR4331/K9 (1RU) processor with 1784189K/6147K bytes of memory.

Processor board ID FLM23431234

3 Gigabit Ethernet interfaces

32768K bytes of non-volatile configuration memory.

4194304K bytes of physical memory.

3207167K bytes of flash memory at bootflash:.

0K bytes of WebUI ODM Files at webui:.

 

Configuration register is 0x2102

 

 

4331#show platform

Chassis type: ISR4331/K9

 

Slot      Type                State                 Insert time (ago)

--------- ------------------- --------------------- -----------------

0         ISR4331/K9          ok                    00:03:26     

 0/0      ISR4331-3x1GE       ok                    00:01:31     

 0/4      PVDM4-32            ok                    00:01:03     

1         ISR4331/K9          ok                    00:03:26     

R0        ISR4331/K9          ok, active            00:03:26     

F0        ISR4331/K9          ok, active            00:03:26     

P0        PWR-4330-AC         ok                    00:03:06     

P2        ACS-4330-FANASSY    ok                    00:03:06     

 

Slot      CPLD Version        Firmware Version                       

--------- ------------------- ---------------------------------------

0         19040541            16.9(1r)                           

1         19040541            16.9(1r)                           

R0        19040541            16.9(1r)                           

F0        19040541            16.9(1r)

 

1 comment: