Saturday, December 4, 2021

Cisco CSR 1000V IOS-XE Upgrade

Here's a good link on performing an IOS-XE upgrade on a Cisco CSR 1000V. Download the .bin file for the IOS-XE code upgrade; the .iso and .ova files are used only for the initial virtual machine deployment. IOS-XE Gibraltar 16.12.5 is the recommended release (marked with a gold star) as of this writing.


My CSRv lab router runs IOS-XE 16.6.7, so I need to transfer the new .bin file to bootflash.

CSRv#show version
Cisco IOS XE Software, Version 16.06.07
Cisco IOS Software [Everest], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.7, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Mon 23-Sep-19 14:33 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2019 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

CSRv uptime is 6 days, 18 hours, 17 minutes
Uptime for this control processor is 6 days, 18 hours, 20 minutes
System returned to ROM by reload
System image file is "bootflash:packages.conf"
Last reload reason: Unknown reason

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: ax
License Type: Default. No valid license found.
Next reload license Level: ax

cisco CSR1000V (VXE) processor (revision VXE) with 2190141K/3075K bytes of memory.
Processor board ID 9FVTXL4B123
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3984872K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102


CSRv#copy tftp://192.168.1.100/csr1000v-universalk9.16.12.05.SPA.bin bootflash:
Destination filename [csr1000v-universalk9.16.12.05.SPA.bin]?
Accessing tftp://192.168.1.100/csr1000v-universalk9.16.12.05.SPA.bin...
Loading csr1000v-universalk9.16.12.05.SPA.bin from 192.168.1.100 (via GigabitEthernet1): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

<OUTPUT TRUNCATED>

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 468361091 bytes]

468361091 bytes copied in 1381.498 secs (339024 bytes/sec)


CSRv#dir
Directory of bootflash:/

   11  drwx            16384  Jun 27 2021 11:11:18 +00:00  lost+found
130049  drwx             4096  Jun 27 2021 11:12:40 +00:00  .super.iso.dir
260097  drwx             4096  Jun 27 2021 11:15:53 +00:00  .installer
   12  -rw-               31  Jun 27 2021 11:18:47 +00:00  .CsrLxc_LastInstall
   13  -rw-               69  Jun 27 2021 11:18:49 +00:00  virtual-instance.conf
406401  drwx             4096  Jun 27 2021 11:15:33 +00:00  core
   15  -rw-        125829120  Jun 27 2021 11:12:40 +00:00  iosxe-remote-mgmt.16.06.07.ova
373891  -rw-        371549204  Jun 27 2021 11:13:40 +00:00  csr1000v-mono-universalk9.16.06.07.SPA.pkg
373892  -rw-         40656486  Jun 27 2021 11:14:21 +00:00  csr1000v-rpboot.16.06.07.SPA.pkg
373890  -rw-             2776  Jun 27 2021 11:14:21 +00:00  packages.conf
105665  drwx             4096  Jun 27 2021 11:15:23 +00:00  .prst_sync
316993  drwx             4096  Jun 27 2021 11:15:34 +00:00  .rollback_timer
243841  drwx             4096  Jun 27 2021 11:18:54 +00:00  virtual-instance
   16  -rw-               30  Jun 27 2021 11:18:13 +00:00  throughput_monitor_params
   17  -rw-                0  Jun 27 2021 11:18:14 +00:00  cvac.log
   18  -rw-             1766  Jun 27 2021 11:18:58 +00:00  csrlxc-cfg.log
430785  drwx             4096  Jun 27 2021 11:18:56 +00:00  onep
   14  -rw-               35  Jun 27 2021 11:19:37 +00:00  pnp-tech-time
   19  -rw-            58123  Jun 27 2021 11:19:38 +00:00  pnp-tech-discovery-summary
   20  -rw-        468361091  Aug 21 2021 03:18:39 +00:00  csr1000v-universalk9.16.12.05.SPA.bin

7897796608 bytes total (5976797184 bytes free)

It's always best practice to verify the hash of a newly transferred file. Check that the hash matches the one published on the Cisco download site.


CSRv#verify /md5 bootflash:csr1000v-universalk9.16.12.05.SPA.bin
..........................................................................................................................

<OUTPUT TRUNCATED>

........................................Done!
verify /md5 (bootflash:csr1000v-universalk9.16.12.05.SPA.bin) = 226c54c04dcfbb7fdad5e00dcb66c8f8
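
A host-side cross-check for this step, as an added example that is not part of the original post: it parses the router's verify result line and compares it with the checksum copied from the Cisco download page and, optionally, with a digest computed over the local copy of the image. The function names are assumptions of this example, and the published checksum is supplied by the caller.

```python
import hashlib
import hmac
import re

# 'verify' result line in the format shown above; progress dots are ignored.
VERIFY_RE = re.compile(r"verify /(\w+) \((\S+)\) = ([0-9A-Fa-f]+)")

# Router output copied from this page (progress dots shortened).
ROUTER_OUTPUT = """\
CSRv#verify /md5 bootflash:csr1000v-universalk9.16.12.05.SPA.bin
........................................Done!
verify /md5 (bootflash:csr1000v-universalk9.16.12.05.SPA.bin) = 226c54c04dcfbb7fdad5e00dcb66c8f8
"""

def parse_verify_output(cli_text):
    """Return (algorithm, path, hexdigest) from pasted 'verify /md5' output."""
    m = VERIFY_RE.search(cli_text)
    if m is None:
        raise ValueError("no 'verify /<algo> (...) = <digest>' line found")
    algo, path, digest = m.group(1).lower(), m.group(2), m.group(3).lower()
    # A short digest usually means the terminal paste was cut off.
    if len(digest) != hashlib.new(algo).digest_size * 2:
        raise ValueError(f"{algo} digest has the wrong length")
    return algo, path, digest

def file_digest(path, algo, chunk=1 << 20):
    """Hash a large image in chunks so it is never held whole in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def image_matches(cli_text, published_hex, local_copy=None):
    """True only if the router, the published value and the local copy agree."""
    algo, _, router_hex = parse_verify_output(cli_text)
    ok = hmac.compare_digest(router_hex, published_hex.strip().lower())
    if local_copy is not None:
        ok = ok and hmac.compare_digest(router_hex, file_digest(local_copy, algo))
    return ok

if __name__ == "__main__":
    print(parse_verify_output(ROUTER_OUTPUT))
```

The comparison only means something if the published value was read from the vendor's download page itself, not from the TFTP server that served the image.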

Change the boot variable and reload the router.


CSRv#show run | inc boot
boot-start-marker
boot-end-marker
diagnostic bootup level minimal

CSRv#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
CSRv(config)#boot system bootflash:csr1000v-universalk9.16.12.05.SPA.bin
CSRv(config)#end
CSRv#write memory
Building configuration...
[OK]

CSRv#show run | inc boot
boot-start-marker
boot system bootflash:csr1000v-universalk9.16.12.05.SPA.bin
boot-end-marker
diagnostic bootup level minimal

CSRv#show bootvar
BOOT variable = bootflash:csr1000v-universalk9.16.12.05.SPA.bin,12;
CONFIG_FILE variable does not exist
BOOTLDR variable does not exist
Configuration register is 0x2102

CSRv#reload
Proceed with reload? [confirm]


<OUTPUT TRUNCATED>

 

The VM boots up with the new IOS-XE in less than 5 minutes (depending on the VM specs). Verify the new IOS-XE version using the show version command.


CSRv#show version
Cisco IOS XE Software, Version 16.12.05
Cisco IOS Software [Gibraltar], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.5, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2021 by Cisco Systems, Inc.
Compiled Fri 29-Jan-21 12:24 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2021 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

CSRv uptime is 2 minutes
Uptime for this control processor is 6 minutes
System returned to ROM by reload at 03:22:42 UTC Sat Aug 21 2021
System image file is "bootflash:csr1000v-universalk9.16.12.05.SPA.bin"
Last reload reason: Reload Command


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: ax
License Type: N/A(Smart License Enabled)
Next reload license Level: ax


Smart Licensing Status: UNREGISTERED/No Licenses in Use

cisco CSR1000V (VXE) processor (revision VXE) with 2079946K/3075K bytes of memory.
Processor board ID 9FVTXL4B123
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3978408K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102

The new IOS-XE 16.12.5 converted the username and enable secret to type 9 passwords (using scrypt). The call-home config was added automatically; Smart Licensing became mandatory starting with IOS-XE 16.10.1a on CSR1000v and ISRv routers. A Public Key Infrastructure (PKI) trustpoint and certificate were also generated by the new code.


CSRv#show run
Building configuration...

Current configuration : 5147 bytes
!
! Last configuration change at 11:30:00 UTC Sat Aug 21 2021
!
version 16.12
service config
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname CSRv
!
boot-start-marker
boot system bootflash:csr1000v-universalk9.16.12.05.SPA.bin
boot-end-marker
!
!
enable secret 9 $14$irt/$vxybaz5tx788zU$nJTdFHkRG6FaEln/IoWRdNJC/kKhYOTcAefKYEp/zhk
!         
no aaa new-model

call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
  no destination transport-method email
!
no ip domain lookup
ip domain name lab.com
!
!
!
no login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!

crypto pki trustpoint TP-self-signed-808986070
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-808986070
 revocation-check none
 rsakeypair TP-self-signed-808986070
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-808986070
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
  32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
<OUTPUT TRUNCATED>
  418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0
  D697DF7F 28
        quit
!
license udi pid CSR1000V sn 9FVTXL4B123
diagnostic bootup level minimal
memory free low-watermark processor 72301
!
!
spanning-tree extend system-id
!
username admin privilege 15 secret 9 $14$ipiQ$JOPYppUclEDJCE$KqpKTScOAxrx4ue3Kt3Kpp7R.Uiie8nlUPNWkYJq.WM
!
redundancy
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key fortinet address 192.168.1.160  
!
!
crypto ipsec transform-set TSET esp-des esp-md5-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.160
 set transform-set TSET
 match address FTG_CISCO_VPN
!
interface Loopback10
 ip address 10.1.1.100 255.255.255.0
 ip nat inside
!
interface GigabitEthernet1
 ip address 192.168.1.140 255.255.255.0
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
 crypto map CMAP
!
interface GigabitEthernet2
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet1   // PART OF CALL-HOME CONFIG
!
ip nat inside source list 101 interface GigabitEthernet1 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.160
ip ssh version 2
!
ip access-list extended FTG_CISCO_VPN
 10 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
ip access-list extended 101
 10 permit ip 10.1.1.0 0.0.0.255 any
!
control-plane
!
banner login ^C
### CSR1000v LAB ROUTER ###
^C
!
line con 0
 stopbits 1
line vty 0 4
 password cisco
 logging synchronous
 login
!
ntp server pnpntpserver.lab.com
!
end
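
A post-upgrade check of how each login credential is stored in a saved copy of the running config, as an added example that is not part of the original post. It covers the enable, username and line passwords; in the listing above the enable and username secrets are type 9, while the vty line password is still stored in cleartext. The function name and the sample excerpt (with constructed hash values) are assumptions of this example.

```python
import re

# Cisco password type digit -> how the value is stored in the config.
TYPES = {"0": "plaintext", "4": "unsalted SHA-256", "5": "MD5-crypt",
         "7": "reversible obfuscation", "8": "PBKDF2-SHA256", "9": "scrypt"}
STRONG = {"8", "9"}

CRED_RE = re.compile(r"^(?P<owner>enable|username \S+)(?: privilege \d+)? "
                     r"(?:secret|password) (?:(?P<type>\d) )?\S+\s*$")
LINE_PW_RE = re.compile(r"^\s+password (?:(?P<type>\d) )?\S+\s*$")

# Constructed excerpt modelled on the config above; hash values are made up.
SAMPLE = """\
enable secret 9 $14$constructed$hashvalue
username admin privilege 15 secret 9 $14$constructed$hashvalue
line con 0
 stopbits 1
line vty 0 4
 password cisco
 login
"""

def audit_credentials(config_text):
    """Return (where, storage, acceptable) for each stored login credential."""
    findings, section = [], ""
    for raw in config_text.splitlines():
        if raw and not raw[0].isspace():   # unindented line opens a section
            section = raw.strip()
        m = CRED_RE.match(raw)
        where = m.group("owner") if m else None
        if m is None and section.startswith("line "):
            m = LINE_PW_RE.match(raw)      # 'password' under line con/vty
            where = section
        if m:
            t = m.group("type") or "0"     # no type digit means cleartext
            findings.append((where, TYPES.get(t, "type " + t), t in STRONG))
    return findings

if __name__ == "__main__":
    for where, storage, ok in audit_credentials(SAMPLE):
        print(f"{'ok  ' if ok else 'WEAK'} {where}: {storage}")
```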