Saturday, December 4, 2021

Cisco CSR 1000V IOS-XE Upgrade

Here's a good link to perform an IOS-XE upgrade in a Cisco CSR 1000V. You download the .bin file to perform the IOS-XE code upgrade. The .iso and .ova are only used for the initial virtual machine deployment. The IOS-XE Gibraltar 16.12.5 is the recommended code (with a gold star) as of this writing.


My CSRv lab router runs IOS-XE 16.6.7 so I need to transfer the new .bin file in bootflash.

CSRv#show version
Cisco IOS XE Software, Version 16.06.07
Cisco IOS Software [Everest], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.7, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Mon 23-Sep-19 14:33 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2019 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

CSRv uptime is 6 days, 18 hours, 17 minutes
Uptime for this control processor is 6 days, 18 hours, 20 minutes
System returned to ROM by reload
System image file is "bootflash:packages.conf"
Last reload reason: Unknown reason

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: ax
License Type: Default. No valid license found.
Next reload license Level: ax

cisco CSR1000V (VXE) processor (revision VXE) with 2190141K/3075K bytes of memory.
Processor board ID 9FVTXL4B123
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3984872K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102


CSRv#copy tftp://192.168.1.100/csr1000v-universalk9.16.12.05.SPA.bin bootflash:
Destination filename [csr1000v-universalk9.16.12.05.SPA.bin]?
Accessing tftp://192.168.1.100/csr1000v-universalk9.16.12.05.SPA.bin...
Loading csr1000v-universalk9.16.12.05.SPA.bin from 192.168.1.100 (via GigabitEthernet1): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

<OUTPUT TRUNCATED>

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 468361091 bytes]

468361091 bytes copied in 1381.498 secs (339024 bytes/sec)


CSRv#dir
Directory of bootflash:/

   11  drwx            16384  Jun 27 2021 11:11:18 +00:00  lost+found
130049  drwx             4096  Jun 27 2021 11:12:40 +00:00  .super.iso.dir
260097  drwx             4096  Jun 27 2021 11:15:53 +00:00  .installer
   12  -rw-               31  Jun 27 2021 11:18:47 +00:00  .CsrLxc_LastInstall
   13  -rw-               69  Jun 27 2021 11:18:49 +00:00  virtual-instance.conf
406401  drwx             4096  Jun 27 2021 11:15:33 +00:00  core
   15  -rw-        125829120  Jun 27 2021 11:12:40 +00:00  iosxe-remote-mgmt.16.06.07.ova
373891  -rw-        371549204  Jun 27 2021 11:13:40 +00:00  csr1000v-mono-universalk9.16.06.07.SPA.pkg
373892  -rw-         40656486  Jun 27 2021 11:14:21 +00:00  csr1000v-rpboot.16.06.07.SPA.pkg
373890  -rw-             2776  Jun 27 2021 11:14:21 +00:00  packages.conf
105665  drwx             4096  Jun 27 2021 11:15:23 +00:00  .prst_sync
316993  drwx             4096  Jun 27 2021 11:15:34 +00:00  .rollback_timer
243841  drwx             4096  Jun 27 2021 11:18:54 +00:00  virtual-instance
   16  -rw-               30  Jun 27 2021 11:18:13 +00:00  throughput_monitor_params
   17  -rw-                0  Jun 27 2021 11:18:14 +00:00  cvac.log
   18  -rw-             1766  Jun 27 2021 11:18:58 +00:00  csrlxc-cfg.log
430785  drwx             4096  Jun 27 2021 11:18:56 +00:00  onep
   14  -rw-               35  Jun 27 2021 11:19:37 +00:00  pnp-tech-time
   19  -rw-            58123  Jun 27 2021 11:19:38 +00:00  pnp-tech-discovery-summary
   20  -rw-        468361091  Aug 21 2021 03:18:39 +00:00  csr1000v-universalk9.16.12.05.SPA.bin

7897796608 bytes total (5976797184 bytes free)

It's always best practice to verify the hash of newly transferred file. Verify if the hash is the same in the Cisco download site.


CSRv#verify /md5 bootflash:csr1000v-universalk9.16.12.05.SPA.bin
..........................................................................................................................

<OUTPUT TRUNCATED>

........................................Done!
verify /md5 (bootflash:csr1000v-universalk9.16.12.05.SPA.bin) = 226c54c04dcfbb7fdad5e00dcb66c8f8

Change the boot variable and reload the router.


CSRv#show run | inc boot
boot-start-marker
boot-end-marker
diagnostic bootup level minimal

CSRv#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
CSRv(config)#boot system bootflash:csr1000v-universalk9.16.12.05.SPA.bin
CSRv(config)#end
CSRv#write memory
Building configuration...
[OK]

CSRv#show run | inc boot
boot-start-marker
boot system bootflash:csr1000v-universalk9.16.12.05.SPA.bin
boot-end-marker
diagnostic bootup level minimal

CSRv#show bootvar
BOOT variable = bootflash:csr1000v-universalk9.16.12.05.SPA.bin,12;
CONFIG_FILE variable does not exist
BOOTLDR variable does not exist
Configuration register is 0x2102

CSRv#reload
Proceed with reload? [confirm]


<OUTPUT TRUNCATED>

 

The VM bootup using the new IOS-XE in less than 5 minutes (depends on the VM specs). Verify the new IOS-XE version using the show version command.


CSRv#show version
Cisco IOS XE Software, Version 16.12.05
Cisco IOS Software [Gibraltar], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.5, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2021 by Cisco Systems, Inc.
Compiled Fri 29-Jan-21 12:24 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2021 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

CSRv uptime is 2 minutes
Uptime for this control processor is 6 minutes
System returned to ROM by reload at 03:22:42 UTC Sat Aug 21 2021
System image file is "bootflash:csr1000v-universalk9.16.12.05.SPA.bin"
Last reload reason: Reload Command


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: ax
License Type: N/A(Smart License Enabled)
Next reload license Level: ax


Smart Licensing Status: UNREGISTERED/No Licenses in Use

cisco CSR1000V (VXE) processor (revision VXE) with 2079946K/3075K bytes of memory.
Processor board ID 9FVTXL4B123
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3978408K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102

The new IOS-XE 16.12.5 converted the username and enable secret to a type 9 password (using scrypt). The call-home config was automatically added and made Smart Licensing mandatory starting IOS-XE 16.10.1a in CSR1000v and ISRv routers. A Public Key Infrastructure (PKI) Trustpoint and Certificate were also generated by the new code.


CSRv#show run
Building configuration...

Current configuration : 5147 bytes
!
! Last configuration change at 11:30:00 UTC Sat Aug 21 2021
!
version 16.12
service config
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname CSRv
!
boot-start-marker
boot system bootflash:csr1000v-universalk9.16.12.05.SPA.bin
boot-end-marker
!
!
enable secret 9 $14$irt/$vxybaz5tx788zU$nJTdFHkRG6FaEln/IoWRdNJC/kKhYOTcAefKYEp/zhk
!         
no aaa new-model

call-home

 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com

 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.

 contact-email-addr sch-smart-licensing@cisco.com

 profile "CiscoTAC-1"

  active

  destination transport-method http

  no destination transport-method email

!
no ip domain lookup
ip domain name lab.com
!
!
!
no login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!

crypto pki trustpoint TP-self-signed-808986070

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-808986070

 revocation-check none

 rsakeypair TP-self-signed-808986070

!

crypto pki trustpoint SLA-TrustPoint

 enrollment pkcs12

 revocation-check crl

!

!

crypto pki certificate chain TP-self-signed-808986070

crypto pki certificate chain SLA-TrustPoint

 certificate ca 01

  30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030

  32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363

<OUTPUT TRUNCATED>

  418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0

  D697DF7F 28

        quit

!
license udi pid CSR1000V sn 9FVTXL4B123
diagnostic bootup level minimal
memory free low-watermark processor 72301
!
!
spanning-tree extend system-id
!
username admin privilege 15 secret 9 $14$ipiQ$JOPYppUclEDJCE$KqpKTScOAxrx4ue3Kt3Kpp7R.Uiie8nlUPNWkYJq.WM
!
redundancy
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key fortinet address 192.168.1.160  
!
!
crypto ipsec transform-set TSET esp-des esp-md5-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.160
 set transform-set TSET
 match address FTG_CISCO_VPN
!
interface Loopback10
 ip address 10.1.1.100 255.255.255.0
 ip nat inside
!
interface GigabitEthernet1
 ip address 192.168.1.140 255.255.255.0
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
 crypto map CMAP
!
interface GigabitEthernet2
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet1   // PART OF CALL-HOME CONFIG
!
ip nat inside source list 101 interface GigabitEthernet1 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.160
ip ssh version 2
!
ip access-list extended FTG_CISCO_VPN
 10 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
ip access-list extended 101
 10 permit ip 10.1.1.0 0.0.0.255 any
!
control-plane
!
banner login ^C
### CSR1000v LAB ROUTER ###
^C
!
line con 0
 stopbits 1
line vty 0 4
 password cisco
 logging synchronous
 login
!
ntp server pnpntpserver.lab.com
!
end


No comments:

Post a Comment