CISCO IOS SCP AND INTEGRITY CHECKING

Copying files onto a router from a server (TFTP, FTP, SCP) is well understood and is the most common way of doing it. But what if you're stuck with no servers, no connectivity and a wonderful corporate laptop with a firewall that you can't convince to allow TFTP?

Well, one solution is to use the SSH server on the router itself and copy files via SCP. Not SFTP, mind you, but SCP, and in a non-interactive way (you're not getting a shell).

Configuring the SCP server is documented in various Cisco docs, but it basically needs a working SSH server configuration (you know, domain name, RSA keys and some AAA) and this command: ip scp server enable.

Once that's done and you have tested that the user can log in, try copying something from your machine. The example below is on Windows with pscp.exe (which you can get from the PuTTY website); replace that with scp if you are on Linux.

The major catch here is in the syntax: if you've used command-line scp before, you'll notice that for the destination path I did not put anything before the file name. Initially I was trying with ./ or flash: and failed miserably. By writing 192.168.0.16:c800-universalk9-mz.SPA.154-3.M4.bin the file ends up in the root of the router flash memory, although nobody really tells you so.

pscp.exe -scp c800-universalk9-mz.SPA.154-3.M4.bin cisco@192.168.0.16:c800-universalk9-mz.SPA.154-3.M4.bin
Using keyboard-interactive authentication.
Password:
c800-universalk9-mz.SPA.1 | 26920 kB | 373.9 kB/s | ETA: 00:02:24 |  33%

For being on the same LAN, 370 kB/s is rather dull, but I guess the flash write speed is the limiting factor.

Checking the integrity of the image

Once a new IOS image has been uploaded, you MUST (RFC 2119) check that it made it to flash in one piece, to avoid any unpleasant surprises when booting it up. To compare the hashes, get them from the download page on the Cisco website.

Up until now I was running the verify /md5 command to get the MD5 hash, but I decided to be adventurous and run it plain, which was a good thing in the end, as it turns out you get much more out of it:

897-2-branch#verify flash:c800-universalk9-mz.SPA.154-3.M4.bin
Starting image verification
Hash Computation:    100% Done!
Computed Hash   SHA2: B1F6370C1B89EE461E0A8FC49827C2CA
                      067003E8194838F99056D5DF9A87BFB1
                      499050DB6B0581244AFF3158B5481D6A
                      7F10CECBC03114CBEABBEFD192E8266E

Embedded Hash   SHA2: B1F6370C1B89EE461E0A8FC49827C2CA
                      067003E8194838F99056D5DF9A87BFB1
                      499050DB6B0581244AFF3158B5481D6A
                      7F10CECBC03114CBEABBEFD192E8266E

CCO Hash        MD5 : E09F9C2502EA9CF7FA8A054092DA3AC6
Digital signature successfully verified in file flash:c800-universalk9-mz.SPA.154-3.M4.bin
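
An added example, not part of the original post: a small Python parser for the verify output shown above that joins the wrapped SHA2 lines, then checks that the computed and embedded hashes agree, that the signature line is present, and that the CCO MD5 equals the value you copied from the Cisco download page. The function names and the published_md5 argument are assumptions of this example.

```python
import re

# Output of `verify` exactly as shown in the post above.
SAMPLE = """\
Starting image verification
Hash Computation:    100% Done!
Computed Hash   SHA2: B1F6370C1B89EE461E0A8FC49827C2CA
                      067003E8194838F99056D5DF9A87BFB1
                      499050DB6B0581244AFF3158B5481D6A
                      7F10CECBC03114CBEABBEFD192E8266E

Embedded Hash   SHA2: B1F6370C1B89EE461E0A8FC49827C2CA
                      067003E8194838F99056D5DF9A87BFB1
                      499050DB6B0581244AFF3158B5481D6A
                      7F10CECBC03114CBEABBEFD192E8266E

CCO Hash        MD5 : E09F9C2502EA9CF7FA8A054092DA3AC6
Digital signature successfully verified in file flash:c800-universalk9-mz.SPA.154-3.M4.bin
"""

LABEL = re.compile(r"^(Computed|Embedded|CCO) Hash\s+\w+\s*:\s*([0-9A-Fa-f]+)\s*$")
CONT = re.compile(r"^\s+([0-9A-Fa-f]+)\s*$")

def parse_verify(text):
    """Return the computed, embedded and cco hashes plus signature_ok."""
    out, current = {"signature_ok": False}, None
    for line in text.splitlines():
        m = LABEL.match(line)
        if m:
            current = m.group(1).lower()
            out[current] = m.group(2).upper()
        elif current and (c := CONT.match(line)):
            out[current] += c.group(1).upper()  # wrapped hash continues here
        else:
            current = None  # blank or unrelated line ends a wrapped hash
            if line.startswith("Digital signature successfully verified"):
                out["signature_ok"] = True
    return out

def image_ok(text, published_md5):
    """True only if every check passes; a missing field counts as failure."""
    r = parse_verify(text)
    if not all(k in r for k in ("computed", "embedded", "cco")):
        return False
    norm = re.sub(r"[\s:]", "", published_md5).upper()
    return (r["signature_ok"]
            and r["computed"] == r["embedded"]
            and r["cco"] == norm)
```

Paste the captured router output into a string and call image_ok(output, "<MD5 from the download page>"); anything other than True means the image should not be booted until the cause is understood.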

And, as always, thanks for reading.

