My Network Lab: Cisco 4000 Series IOS-XE and ROMMON Software Upgrade

There's no leisure travel yet outside of Singapore (as of this writing) due to the COVID-19 pandemic. So I just went around to some local spots like the newly opened Apple Store in Marina Bay Sands. This is the first "floating" Apple Store which has a spherical shaped structure.

I also went to Plaza Singapura to grab some lunch at Five Guys, which is a famous American burger joint. I ordered a cheesburger, hotdog, fries and milkshake. You can choose up to 15 free toppings (and can even ask for "All the Way") for your burger like lettuce, tomato, pickles, grilled onions, A1 steak sauce, etc.

I needed to upgrade a Cisco 4K ISR to IOS-XE 16.9.6 (Fuji) and the ROM Monitor (ROMMON) package to 16.9(1r). It's highly recommended to upgrade the ROMMON and there's a compatibility matrix to follow. The ROM Monitor is a bootstrap program that initializes the hardware and boots the Cisco IOS XE software when you power on or reload a router.

According to the Cisco 4000 series ISR compatibility matrix below, I need to upgrade my Cisco 4331 ROMMON from the current 16.7(3r) version to 16.9(1r). You can still use the minimum 16.7(3r) version with 16.9.x, however you want to avoid any bugs or compatibility issue in the future.

There's a separate download section for the IOS-XE Software and ROMMON.

Hover on the .bin file (green text) to see more details such as the release date, file size, MD5 and SHA512 checksum.

It's always best practice to verify the checksum of the downloaded file from Cisco and also transfer the software directly from the file server. In the example below, the ROMMON file was corrupted since I transferred the software from one file server to another before finally transferring to the router.

4331#upgrade rom-monitor filename bootflash:isr4200_4300_rommon_169_1r_SPA.pkg all

File bootflash:isr4200_4300_rommon_169_1r_SPA.pkg is corrupt or is not a valid package.

4331#dir

Directory of bootflash:/

136545 drwx 4096 Jul 29 2020 15:17:39 +00:00 .installer

104417 drwx 4096 Oct 20 2019 08:59:21 +00:00 sysboot

11 drwx 4096 Aug 24 2020 09:36:54 +00:00 lost+found

72289 drwx 4096 Oct 20 2019 09:19:40 +00:00 core

32129 drwx 4096 Jul 29 2020 15:57:55 +00:00 .prst_sync

40161 drwx 4096 Oct 20 2019 09:17:28 +00:00 .rollback_timer

12 -rw- 0 Oct 20 2019 09:17:41 +00:00 tracelogs.nDF

144577 drwx 20480 Sep 7 2020 09:48:43 +00:00 tracelogs

13 -rw- 30 Aug 24 2020 09:38:08 +00:00 throughput_monitor_params

14 -rw- 35 Jul 29 2020 15:22:09 +00:00 pnp-tech-time

15 -rw- 51176 Jul 29 2020 15:22:19 +00:00 pnp-tech-discovery-summary

16 -rw- 486645440 Jul 29 2020 15:48:49 +00:00 isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin

17 -rw- 5010380 Sep 16 2020 12:30:30 +00:00 isr4200_4300_rommon_169_1r_SPA.pkg

18 -rw- 588714445 Sep 16 2020 15:54:00 +00:00 isr4300-universalk9.16.09.06.SPA.bin

3258179584 bytes total (1457758208 bytes free)

You can compare the checksum output to the Cisco download site.

4331#verify /md5 bootflash:isr4200_4300_rommon_169_1r_SPA.pkg

.............................................................................Done!

verify /md5 (bootflash:isr4200_4300_rommon_169_1r_SPA.pkg) = 84534cfd56f1a772fc7715049868743c

4331#verify /md5 bootflash:isr4300-universalk9.16.09.06.SPA.bin

........Done!

verify /md5 (bootflash:isr4300-universalk9.16.09.06.SPA.bin) = 08d876e4eca745843e8aa69a9cf1cb3e

You use the upgrade rom-monitor filename bootflash:<.pkg FILE> all to extract and upgrade the ROMMON.

4331#upgrade rom-monitor filename bootflash:isr4200_4300_rommon_169_1r_SPA.pkg all

Chassis model ISR4331/K9 has a single rom-monitor.

Upgrade rom-monitor

Target copying rom-monitor image file

selected : 0

Booted : 0

Reset Reason: 0

Info: Upgrading only BIOS from the rommon package

4259840+0 records in

4259840+0 records out

262144+0 records in

262144+0 records out

655360+0 records in

655360+0 records out

File is a FIPS ROMMON image

FIPS-140-3 Load Test on has PASSED.

Authenticity of the image has been verified.

Switching to ROM 1

8192+0 records in

8192+0 records out

Upgrade image MD5 signature is 9825aa77548887bb1a45d329006c5acd

4259840+0 records in

4259840+0 records out

4194304+0 records in

4194304+0 records out

4194304+0 records in

4194304+0 records out

262144+0 records in

262144+0 records out

Upgrade image MD5 signature verification is 9825aa77548887bb1a45d329006c5acd

Switching back to ROM 0

ROMMON upgrade complete.

To make the new ROMMON permanent, you must restart the RP.

You'll need to restart the router for the new ROMMON to take effect. Make sure to boot using the original IOS-XE code. You can change the boot variable to the new IOS-XE code but it's not recommended.

4331#show run | inc boot

boot-start-marker

boot system flash isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin

boot-end-marker

4331#write memory

Building configuration...

[OK]

4331#reload

Sep 17 01:58:04.922 RP0/0: %P

Initializing Hardware ...

Checking for PCIe device presence...done

System integrity status: 0x610

Rom image verified correctly

System Bootstrap, Version 16.7(3r), RELEASE SOFTWARE // JUST IGNORE OLD ROMMON

Current image running: Boot ROM0

Last reset cause: LocalSoft

ISR4331/K9 platform with 4194304 Kbytes of main memory

Rommon upgrade requested

Flash upgrade reset 1 in progress

........

Initializing Hardware ...

Checking for PCIe device presence...done

System integrity status: 0x610

Rom image verified correctly

System Bootstrap, Version 16.9(1r), RELEASE SOFTWARE

Current image running: *Upgrade in progress* Boot ROM1

Last reset cause: BootRomUpgrade

ISR4331/K9 platform with 4194304 Kbytes of main memory

....

Located isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin

##########################################################

##########################################################

Package header rev 1 structure detected

IsoSize = 471482368

Calculating SHA-1 hash...Validate package: SHA-1 hash:

calculated 92A40F6F:F8586BC3:F00F114B:EFB43257:B9728643

expected 92A40F6F:F8586BC3:F00F114B:EFB43257:B9728643

RSA Signed RELEASE Image Signature Verification Successful.

Image validated

%IOSXEBOOT-4-BOOT_SRC: (rp/0): mounting /boot/super.iso to /tmp/sw/isos

Sep 17 02:10:30.465 R0/0: %FLASH_CHECK-3-DISK_QUOTA: Flash disk quota exceeded [free space is 1423312 kB] - Please clean up files on bootflash.

4331#show version

Cisco IOS XE Software, Version 03.16.04b.S - Extended Support Release

Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S4b, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Compiled Mon 17-Oct-16 20:23 by mcpre

licensed under the GNU General Public License ("GPL") Version 2.0. The

software code licensed under GPL Version 2.0 is free software that comes

with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such

GPL code under the terms of GPL Version 2.0. For more details, see the

documentation or "License Notice" file accompanying the IOS-XE software,

or the applicable URL provided on the flyer accompanying the IOS-XE

software.

ROM: IOS-XE ROMMON

4331 uptime is 1 minute

Uptime for this control processor is 2 minutes

System returned to ROM by reload at 15:53:35 UTC Wed Jul 29 2020

System image file is "bootflash:isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin"

Last reload reason: Reload Command

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

Suite License Information for Module:'esg'

--------------------------------------------------------------------------------

Suite Suite Current Type Suite Next reboot

--------------------------------------------------------------------------------

FoundationSuiteK9 None None None

securityk9

appxk9

AdvUCSuiteK9 None None None

uck9

cme-srst

cube

Technology Package License Information:

-----------------------------------------------------------------

Technology Technology-package Technology-package

Current Type Next reboot

------------------------------------------------------------------

appxk9 None None None

uck9 uck9 Permanent uck9

securityk9 securityk9 Permanent securityk9

ipbase ipbasek9 Permanent ipbasek9

cisco ISR4331/K9 (1RU) processor with 1648789K/6147K bytes of memory.

Processor board ID FLM23431234

3 Gigabit Ethernet interfaces

32768K bytes of non-volatile configuration memory.

4194304K bytes of physical memory.

3207167K bytes of flash memory at bootflash:.

Configuration register is 0x2102

You can verify the new ROMMON version using either the show platform or show rom-monitor command.

4331#show platform

Chassis type: ISR4331/K9

Slot Type State Insert time (ago)

--------- ------------------- --------------------- -----------------

0 ISR4331/K9 ok 00:02:31

0/0 ISR4331-3x1GE ok 00:00:16

0/4 PVDM4-32 booting 00:00:16

1 ISR4331/K9 ok 00:02:31

R0 ISR4331/K9 ok, active 00:02:31

F0 ISR4331/K9 ok, active 00:02:31

P0 PWR-4330-AC ok 00:02:05

P2 ACS-4330-FANASSY ok 00:02:05

Slot CPLD Version Firmware Version

--------- ------------------- ---------------------------------------

0 19040541 16.9(1r)

1 19040541 16.9(1r)

R0 19040541 16.9(1r)

F0 19040541 16.9(1r)

4331#show rom-monitor ?

0 SM-Inter-Processor slot 0

1 SM-Inter-Processor slot 1

F0 Embedded-Service-Processor slot 0

FP Embedded-Service-Processor

R0 Route-Processor slot 0

RP Route-Processor

4331#show rom-monitor r0 // CISCO 4331 ONLY HAS A SINGLE ROUTE PROCESSOR

System Bootstrap, Version 16.9(1r), RELEASE SOFTWARE

You can now perform the IOS-XE code upgrade using the boot system flash bootflash:<.bin FILE> command.

4331(config)#no boot system // QUICKLY REMOVES ALL BOOT VARIABLE

4331(config)#boot system ?

WORD TFTP filename or URL

flash Boot from flash memory

ftp Boot from a server via ftp

mop Boot from a Decnet MOP server

rcp Boot from a server via rcp

tftp Boot from a tftp server

4331(config)#boot system flash

4331(config)#boot system flash ?

WORD System image filename

<cr>

4331(config)#boot system flash bootflash:isr4300-universalk9.16.09.06.SPA.bin

4331config)#boot system flash bootflash:isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin // SECONDARY OR FALLBACK IOS-XE

4331(config)#end

4331#write memory

Building configuration...

[OK]

4331#show run | inc boot

boot-start-marker

boot system flash bootflash:isr4300-universalk9.16.09.06.SPA.bin

boot system flash bootflash:isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin

boot-end-marker

4331#sh bootvar

BOOT variable = bootflash:isr4300-universalk9.16.09.06.SPA.bin,1;bootflash:isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin,1;

CONFIG_FILE variable does not exist

BOOTLDR variable does not exist

Configuration register is 0x2102 // ENSURE CONFREG IS 0x2102

Standby not ready to show bootvar

4331#reload

Proceed with reload? [confirm]

Initializing Hardware ...

Checking for PCIe device presence...done

System integrity status: 0x610

Rom image verified correctly

System Bootstrap, Version 16.9(1r), RELEASE SOFTWARE

Current image running: Boot ROM1

Last reset cause: LocalSoft

ISR4331/K9 platform with 4194304 Kbytes of main memory

........

Located isr4300-universalk9.16.09.06.SPA.bin

###########################################################

###########################################################

Package header rev 3 structure detected

IsoSize = 558002176

Calculating SHA-1 hash...Validate package: SHA-1 hash:

calculated 76E0E261:4348AB07:1AA1F17F:5C0C2DE6:9FA22E14

expected 76E0E261:4348AB07:1AA1F17F:5C0C2DE6:9FA22E14

RSA Signed RELEASE Image Signature Verification Successful.

Image validated

%IOSXEBOOT-4-BOOT_SRC: (rp/0): WARNING: Attempting to use bootflash for packages storage!

Restricted Rights Legend

Use, duplication, or disclosure by the Government is

subject to restrictions as set forth in subparagraph

Rights clause at FAR sec. 52.227-19 and subparagraph

Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, California 95134-1706

Cisco IOS Software [Fuji], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.9.6, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Compiled Thu 27-Aug-20 02:41 by mcpre

PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE OR

LICENSE KEY PROVIDED FOR ANY CISCO SOFTWARE PRODUCT, PRODUCT FEATURE,

AND/OR SUBSEQUENTLY PROVIDED SOFTWARE FEATURES (COLLECTIVELY, THE

"SOFTWARE"), AND/OR USING SUCH SOFTWARE CONSTITUTES YOUR FULL

ACCEPTANCE OF THE FOLLOWING TERMS. YOU MUST NOT PROCEED FURTHER IF YOU

ARE NOT WILLING TO BE BOUND BY ALL THE TERMS SET FORTH HEREIN.

Your use of the Software is subject to the Cisco End User License Agreement

(EULA) and any relevant supplemental terms (SEULA) found at

http://www.cisco.com/c/en/us/about/legal/cloud-and-software/software-terms.html.

You hereby acknowledge and agree that certain Software and/or features are

licensed for a particular term, that the license to such Software and/or

features is valid only for the applicable term and that such Software and/or

features may be shut down or otherwise terminated by Cisco after expiration

of the applicable license term (e.g., 90-day trial period). Cisco reserves

the right to terminate any such Software feature electronically or by any

other means available. While Cisco may provide alerts, it is your sole

responsibility to monitor your usage of any such term Software feature to

ensure that your systems and networks are prepared for a shutdown of the

Software feature.

cisco ISR4331/K9 (1RU) processor with 1784189K/6147K bytes of memory.

Processor board ID FLM23431234

3 Gigabit Ethernet interfaces

32768K bytes of non-volatile configuration memory.

4194304K bytes of physical memory.

3207167K bytes of flash memory at bootflash:.

0K bytes of WebUI ODM Files at webui:.

%INIT: waited 0 seconds for NVRAM to be available

WARNING: Command has been added to the configuration using a type 5 password. However, type 5 passwords will soon be deprecated. Migrate to a supported password type

Verify the new IOS-XE code using the show version command.

4331#show version

Cisco IOS XE Software, Version 16.09.06

Cisco IOS Software [Fuji], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.9.6, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Compiled Thu 27-Aug-20 02:41 by mcpre

licensed under the GNU General Public License ("GPL") Version 2.0. The

software code licensed under GPL Version 2.0 is free software that comes

with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such

GPL code under the terms of GPL Version 2.0. For more details, see the

documentation or "License Notice" file accompanying the IOS-XE software,

or the applicable URL provided on the flyer accompanying the IOS-XE

software.

ROM: IOS-XE ROMMON

4331 uptime is 1 minute

Uptime for this control processor is 3 minutes

System returned to ROM by Reload Command at 02:14:47 UTC Thu Sep 17 2020

System image file is "bootflash:isr4300-universalk9.16.09.06.SPA.bin"