Getting files onto a router from various servers (TFTP, FTP, SCP) is pretty well understood and the most common way of doing it. But what if you're stuck with no servers, no connectivity and a wonderful corporate laptop with a firewall that you can't convince to allow TFTP?
Well, one solution is to use the SSH server on the router itself and copy files via SCP. Not SFTP mind you, but SCP and in a non-interactive way (you're not getting a shell).
Configuring the SCP server is documented in various Cisco docs but it basically needs a working SSH server configuration (you know, domain name, rsa keys and some AAA) and this command:
ip scp server enable.
Once that's done and you can test logging in with the user, try copying something from your machine. Example below is on Windows with
pscp.exe (which you can get from the PuTTY website), replace that with
scp if on Linux.
The major catch here is in the syntax - if you've used command line
scp before you'll notice that for the destination path I did not put anything before the file name. Initially I was trying with
flash: and failed miserably. By writing
192.168.0.16:c800-universalk9-mz.SPA.154-3.M4.bin the file ends up in the root of the router flash memory, although nobody really tells you so.
pscp.exe -scp c800-universalk9-mz.SPA.154-3.M4.bin email@example.com:c800-universalk9-mz.SPA.154-3.M4.bin Using keyboard-interactive authentication. Password: c800-universalk9-mz.SPA.1 | 26920 kB | 373.9 kB/s | ETA: 00:02:24 | 33%
For being on the same LAN, 370 kB/s is rather dull, but I guess the flash write speed is the limiting factor.
Checking the integrity of the image
Once a new IOS image has been uploaded, you MUST (RFC2119) check that it made it to flash in one piece, to avoid any unpleasant surprises when booting it up. To compare the hashes, get them from the download page on the Cisco website.
Up until now I was running the
verify /md5 command to get the md5 hash, but I decided to be adventurous and run it plain, which was a good thing in the end as it turns out you get much more out of it:
897-2-branch#verify flash:c800-universalk9-mz.SPA.154-3.M4.bin Starting image verification Hash Computation: 100% Done! Computed Hash SHA2: B1F6370C1B89EE461E0A8FC49827C2CA 067003E8194838F99056D5DF9A87BFB1 499050DB6B0581244AFF3158B5481D6A 7F10CECBC03114CBEABBEFD192E8266E Embedded Hash SHA2: B1F6370C1B89EE461E0A8FC49827C2CA 067003E8194838F99056D5DF9A87BFB1 499050DB6B0581244AFF3158B5481D6A 7F10CECBC03114CBEABBEFD192E8266E CCO Hash MD5 : E09F9C2502EA9CF7FA8A054092DA3AC6 Digital signature successfully verified in file flash:c800-universalk9-mz.SPA.154-3.M4.bin
And, as always, thanks for reading.