Upgrading a 6500 is pretty straightforward, provided the necessary steps are done in the right order. I’ve listed the steps I would typically take to fully upgrade a single Cisco-6509-E (single Route-Processor) with an IPSEC VPN SPA blade.
Please lab this if possible BEFORE trying it in a production network. I have illustrated the steps to be taken if some of the known funnies occur during an upgrade. Feel free to use this as a guideline.
First, download the IOS version and images you need. Do a little homework and check the specific IOS for known bugs using the Bug Toolkit. Don’t just pick any IOS; make sure all the required features are relatively bug free.
Copy the downloaded files to the following locations:
- ROMMON firmware to sup-bootflash
- BOOTLDR to bootflash
- IOS to flash disk
I always use FTP if possible, due to the higher transfer rates. 10.3.29.239 is connected to the switch and is running an FTP server, expecting a username:password of cisco:pass.
copy ftp://cisco:pass@10.3.29.239/c6msfc3-rm2.srec.122-17r.SX5 sup-bootflash:
copy ftp://cisco:pass@10.3.29.239/s72033-boot-mz.122-33.SXI2.bin bootflash:
copy ftp://cisco:pass@10.3.29.239/s72033-adventerprisek9_wan-mz.122-33.SXI2.bin disk0:
dir sup-bootflash:
dir bootflash:
dir disk0:
I would recommend verifying the IOS images after copying. It’s relatively easy for the image to get corrupted during copying. No need to waste time with corrupt images, when it can be avoided.
verify /md5 sup-bootflash:c6msfc3-rm2.srec.122-17r.SX5 0c5be63c4e339707efb7881fde7d5324
verify /md5 bootflash:s72033-boot-mz.122-33.SXI2.bin ad9f9c902fa34b90de8365c3a5039a5b
verify /md5 disk0:s72033-adventerprisek9_wan-mz.122-33.SXI2.bin 98f47ca4de03a28a7c6988469e99ef8f
It is generally safe practice to back up the working running-config to a file on flash disk0:
copy running-config disk0:/CURRENT-CONFIG
1- Let’s start. First, upgrade the ROM monitor:
upgrade rom-monitor slot 5 rp file sup-bootflash:c6msfc3-rm2.srec.122-17r.SX5
Confirm the current boot variables:
2- Specify the new BootLDR to load during boot:
conf t
boot bootldr bootflash:s72033-boot-mz.122-33.SXI2.bin
3- Specify the order of the booting images: first the new IOS image, then the previous working IOS image. A previous post explains why to do this.
boot system flash disk0:s72033-adventerprisek9_wan-mz.122-33.SXI2.bin "New IOS"
boot system flash disk0:s72033-adventerprisek9_wan-mz.122-18.SXF6.bin "OLD IOS"
4- Reload the box.
5- If, during startup, you encounter config-related errors like the ones below, make a note of each command the new IOS didn’t apply:
radius-server source-ports 1645-1646
^
% Invalid input detected at '^' marker.
crypto engine subslot 1/0
% Incomplete command.
Do not save the config at any time before reloading using “write mem” or “copy run start”. Otherwise you will overwrite a working config with the above commands missing.
6- Rename the new IOS file on flash to force the next boot to use the second IOS file listed in boot command along with the working config:
dir disk0:
rename disk0:s72033-adventerprisek9_wan-mz.122-33.SXI2.bin disk0:s72033-adventerprisek9_wan-mz.122-33.SXI2.bin-TEMP
7- If the box has a VPN-SPA blade for offloading IPSEC encryption/decryption, it might be necessary to upgrade the SPA FPD (Field Programmable Devices) code.
Before reloading confirm if the SPA FPD code matches the new IOS version.
The following command will show the current/required version:
sh hw-module all fpd
copy ftp://cisco:pass@10.3.29.239/c6500-fpd-pkg.122-33.SXI2.pkg disk0:
9- Then upgrade the SIP and the IPSEC SPA
upgrade hw-module slot 1 fpd file disk0:c6500-fpd-pkg.122-33.SXI2.pkg
upgrade hw-module subslot 1/0 fpd file disk0:c6500-fpd-pkg.122-33.SXI2.pkg
10- Reload the box again. This time the old IOS will be used to boot, since the new IOS file is not available. The list of error commands (Point 5) needs to be corrected, either manually or by using notepad. (I would suggest using notepad.)
11- Copy the running config to your laptop:
copy disk0:running-config ftp://cisco:pass@10.3.29.239
12- Edit the config file in notepad. Ensure all the commands are corrected for the new IOS. Here is a list of commands I needed to change with this upgrade:
radius-server source-ports 1645-1646 > radius-server source-ports extended
mls flow ip full > mls flow ip interface-full
tag-switching ip propagate-ttl > no mpls ip propagate-ttl
tag-switching advertise-tags for 99 > mpls ldp advertise-labels for 99
tag-switching tdp router-id Lo0 force > mpls ldp router-id loopback0 force
crypto engine subslot 1/0 > crypto engine slot 1/0 inside
no ethernet point-to-point > (command removed)
13- Rename the config-file to something else, and copy the new config-file back to disk0. Confirm there are now two config-files (original and new):
copy ftp://cisco:pass@10.3.29.239/new-running-config disk0:
dir disk0:
14- Load the changed config to the startup configuration:
copy disk0:new-running-config startup-config
15- Rename the NEW-IOS file back to the original name as listed in the boot command:
rename disk0:s72033-adventerprisek9_wan-mz.122-33.SXI2.bin-TEMP disk0:s72033-adventerprisek9_wan-mz.122-33.SXI2.bin
16- Reload the box one last time. If all was done correctly, everything should be working.
17- Proceed with testing STP, IGPs, LDP, BGP, VPNs and crypto.
sh vlan brief "Confirm the VLANs are active"
sh ip int brief "Confirm the necessary interfaces are up"
sh ip ospf neighbor "Confirm all expected IGP neighbors are showing"
sh mpls ldp neighbor "Confirm all expected MPLS neighbors are showing"
sh ip bgp summ "Shows the global BGP neighbors or route-reflectors"
sh ip bgp vpnv4 all summ "Shows the MPLS BGP neighbors or route-reflectors"
sh crypto isakmp sa "Confirm the expected tunnels are built"
sh crypto ipsec sa "Confirm traffic is passing through the tunnels"
For a good overall look at what the 6500 is doing, use the following command:
show platform hardware capacity "Displays capacities & utilization of hardware resources"
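As an alternative to hand-editing in notepad in step 12, the sketch below applies the command changes listed there to a saved config and flags leftovers for manual review. It is an added example, not part of the original post; the function name migrate, the LEGACY keyword list and the sample config are assumptions made for illustration.

```python
import re
# Old line -> new line, exactly as listed in step 12 (None = command removed).
REWRITES = {
    "radius-server source-ports 1645-1646": "radius-server source-ports extended",
    "mls flow ip full": "mls flow ip interface-full",
    "tag-switching ip propagate-ttl": "no mpls ip propagate-ttl",
    "tag-switching advertise-tags for 99": "mpls ldp advertise-labels for 99",
    "tag-switching tdp router-id Lo0 force": "mpls ldp router-id loopback0 force",
    "crypto engine subslot 1/0": "crypto engine slot 1/0 inside",
    "no ethernet point-to-point": None,
}
# Assumption: any surviving line with these old keywords needs a manual look.
LEGACY = re.compile(r"\b(tag-switching|crypto engine subslot)\b")

def migrate(config_text):
    """Return (new_config, changes, review) for an IOS config held as text."""
    out, changes, review = [], [], []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        body = line.strip()
        if body in REWRITES:            # whole-line match only, never substrings
            new = REWRITES[body]
            changes.append((lineno, body, new))
            if new is not None:
                out.append(line.replace(body, new))  # keeps the indentation
            continue
        if LEGACY.search(body):
            review.append((lineno, body))
        out.append(line)
    return "\n".join(out) + "\n", changes, review

# Constructed sample config fragment (not taken from a real device).
SAMPLE = """\
radius-server source-ports 1645-1646
mls flow ip full
tag-switching tdp router-id Lo0 force
no ethernet point-to-point
interface Vlan100
 crypto engine subslot 1/0
interface Vlan10
 tag-switching ip
"""

if __name__ == "__main__":
    new_cfg, changes, review = migrate(SAMPLE)
    print(new_cfg, end="")
    for lineno, old, new in changes:
        print(f"changed line {lineno}: {old} -> {new or '(removed)'}")
    for lineno, body in review:
        print(f"REVIEW  line {lineno}: {body}")
```

Lines reported under REVIEW were not in the step 12 list and are left untouched, so check them against the new IOS before copying the file to startup-config.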