Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 2.2
Managing Software and Configuration Files


This chapter describes how to install new software on the Firewall Services Module (FWSM) from an FTP, TFTP, HTTP, or HTTPS server. You can upgrade the application software, the maintenance software, and PDM for FWSM management software.


Note If you are upgrading from a previous release, for example Release 1.1, refer to the FWSM documentation for your version.


This chapter also describes how to download or back up a configuration file.

This chapter contains the following sections:

Installing Application or PDM Software

Installing Maintenance Software

Downloading and Backing Up Configuration Files

Installing Application or PDM Software

This section contains the following topics:

Installation Overview

Installing Application or PDM Software to the Current Partition

Installing Application Software to Any Application Partition

Installation Overview

To upgrade PDM, you can only install to the current application partition. For application software, you can use one of two methods to upgrade:

Installing to the current application partition

The benefit of this method is you do not have to boot into the maintenance partition; instead you log in as usual and copy the new software. The activation key is maintained with this method.

This method supports downloading from a TFTP, FTP, HTTP, or HTTPS server.

You cannot copy software to the other application partition. You might want to copy to the other partition if you want to keep the old version of software as a backup in the current partition.

You must have an operational configuration with network access. For multiple context mode, you need to have network connectivity through the admin context.

Installing to any application partition from the maintenance partition

The benefit of this method is you can copy software to both application partitions, and you do not have to have an operational configuration. You just need to configure some routing parameters in the maintenance partition so you can reach the server on VLAN 1.

The disadvantage is that you need to boot into the maintenance partition, which might not be convenient if you have an operational application partition. Also, if you are running maintenance software Version 1.1, the activation key, if present, is removed and the mode reverts to single context mode. We suggest that you upgrade the maintenance software to Version 2.1 or later to keep the activation key and mode. See the "Installing Maintenance Software" section to upgrade. To view the maintenance software version, log into the maintenance partition (see the "Installing Application Software to Any Application Partition" section), and enter show version.

This method supports downloading from an FTP server only.

See the "Managing the Firewall Services Module Boot Partitions" section for more information about application and maintenance partitions.

Installing Application or PDM Software to the Current Partition

When you log into the FWSM during normal operation, you can copy the application software or PDM software to the current application partition from a TFTP, FTP, HTTP, or HTTPS server.

For multiple context mode, you must be in the system execution space.

Make sure you have network access to the server:

For single context mode, configure any interface, its IP address, and any static routes required to reach the server. See the "Configuring Interfaces" section and then Chapter 8 "Configuring IP Addresses, Routing, and DHCP."

For multiple context mode, you must first add the admin context and configure interfaces, IP addresses, and routing to provide network access. See the "Configuring a Security Context" section, and then the "Configuring Interfaces" section and Chapter 8 "Configuring IP Addresses, Routing, and DHCP."

To copy the application or PDM software, enter one of the following commands for the appropriate download server:

To copy from a TFTP server, enter the following command:

FWSM# copy tftp://server[/path]/filename flash:[image | pdm]
 
   

The image keyword (default) copies the application software, and the pdm keyword copies the PDM software.

To copy from an FTP server, enter the following command:

FWSM# copy ftp://[user[:password]@]server[/path]/filename[;type=xx] flash:[image | pdm]
 
   

The image option (default) copies the application software, and the pdm option copies the PDM software.

The type can be one of the following keywords:

ap—ASCII passive mode

an—ASCII normal mode

ip—(Default) Binary passive mode

in—Binary normal mode

Use binary for image files.

To copy from an HTTP or HTTPS server, enter the following command:

FWSM# copy http[s]://[user[:password]@]server[:port][/path]/filename flash:[image | pdm]
 
   

The image option (default) copies the application software, and the pdm option copies the PDM software.

For example, to copy the application software from a TFTP server, enter:

FWSM# copy tftp://209.165.200.226/cisco/c6svc-fwm-k9.2-1-1.bin flash:image
 
   

To copy the application software from an FTP server, enter:

FWSM# copy ftp://admin:letmein@209.165.200.227/cisco/c6svc-fwm-k9.2-1-1.bin;type=ip flash:image
 
   

To copy PDM from an HTTPS server, enter:

FWSM# copy https://admin:letmein@209.165.200.228/pdm/pdm-411.bin flash:pdm
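
The copy URL syntax above puts the protocol, any credentials, and the FTP transfer type on one command line, so commands kept in runbooks or session logs can be checked mechanically. The following Python example is added here and is not Cisco code: it flags unencrypted transports, redacts embedded passwords, and applies the "use binary for image files" rule. The names audit_command and SAMPLE, and the assumption that anything written to flash: or cf:4/cf:5 is an image, are illustrative.

```python
import re
from urllib.parse import urlsplit

CLEARTEXT = {"tftp", "ftp", "http"}   # none of these encrypt the transfer
FTP_TYPES = {"ap": "ascii", "an": "ascii", "ip": "binary", "in": "binary"}
URL_RE = re.compile(r"(?:tftp|ftp|https?)://\S+")
# Assumption: anything written to flash: or cf:4/cf:5 is a software image.
IMAGE_DST_RE = re.compile(r"\s(?:flash:(?:image|pdm)?|cf:[45])\s*$")

def audit_command(line):
    """Return (line with password redacted, list of findings)."""
    findings = []
    m = URL_RE.search(line)
    if not m:
        return line, findings
    # Split off the FTP ";type=xx" suffix before parsing the URL itself.
    body, _, ftype = m.group(0).partition(";type=")
    url = urlsplit(body)
    if url.scheme in CLEARTEXT:
        findings.append("cleartext transport: " + url.scheme)
    if url.password is not None:
        findings.append("password embedded in URL")
        line = line.replace(":" + url.password + "@", ":<redacted>@", 1)
    if url.scheme == "ftp":
        mode = FTP_TYPES.get(ftype or "ip")   # ip is the documented default
        if mode is None:
            findings.append("unknown FTP type: " + ftype)
        elif mode == "ascii" and IMAGE_DST_RE.search(line):
            findings.append("ASCII FTP type used for an image file")
    return line, findings

# Constructed sample commands, modelled on the examples in this section.
SAMPLE = [
    "FWSM# copy tftp://209.165.200.226/cisco/c6svc-fwm-k9.2-1-1.bin flash:image",
    "FWSM# copy ftp://admin:letmein@209.165.200.227/cisco/c6svc-fwm-k9.2-1-1.bin;type=ip flash:image",
    "FWSM# copy http://admin:letmein@209.165.200.228/pdm/pdm-411.bin flash:pdm",
    "FWSM# copy ftp://admin:letmein@209.165.200.227/cisco/c6svc-fwm-k9.2-1-1.bin;type=an flash:image",
    "FWSM# copy https://209.165.200.228/pdm/pdm-411.bin flash:pdm",
]

if __name__ == "__main__":
    for cmd in SAMPLE:
        redacted, findings = audit_command(cmd)
        print(redacted)
        for f in findings:
            print("    - " + f)
```

The same URL grammar is used by the upgrade, upgrade-mp, and configuration copy commands later in this chapter, so the check applies to those lines unchanged.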
 
   

Installing Application Software to Any Application Partition

If you log into the maintenance partition, you can install application software to either application partition (cf:4 or cf:5).


Note The FWSM maintenance partition can only use VLAN 1 on the switch. The FWSM does not support 802.1Q tagging on VLAN 1.


If you are running maintenance software release 1.1, the activation key, if present, is removed and the mode reverts to single context mode. We suggest that you upgrade the maintenance software to Release 2.1 or later to keep the activation key and mode. See the "Installing Maintenance Software" section to upgrade. To view the maintenance software version, log into the maintenance partition (see the "Installing Application Software to Any Application Partition" section), and enter show version.

To install application software from an FTP server while logged into the maintenance partition, follow these steps:


Step 1 To boot the FWSM into the maintenance partition, enter the command for your operating system:

For Cisco IOS software, enter the following command:

Router# hw-module module mod_num reset cf:1
 
   

For Catalyst OS, enter the following command:

Console> (enable) reset mod_num boot cf:1
 
   

Step 2 To session into the FWSM, enter the command for your operating system:

For Cisco IOS software, enter the following command:

Router# session slot mod_num processor 1
 
   

For Catalyst OS, enter the following command:

Console> (enable) session mod_num
 
   

Step 3 To log into the FWSM maintenance partition as root, enter the following command:

Login: root
 
   

Step 4 Enter the password at the prompt:

Password:
 
   

By default, the password is "cisco."

Step 5 To assign an IP address to the maintenance partition, enter the following command:

root@localhost# ip address ip_address netmask
 
   

This address is the address for VLAN 1, which is the only VLAN used by the maintenance partition.

Step 6 To assign a default gateway to the maintenance partition, enter the following command:

root@localhost# ip gateway ip_address
 
   

Step 7 (Optional) To ping the FTP server to verify connectivity, enter the following command:

root@localhost# ping ftp_address
 
   

Step 8 To download the application software from the FTP server, enter the following command:

root@localhost# upgrade ftp://[user[:password]@]server[/path]/filename cf:{4 | 5}
 
   

cf:4 and cf:5 are the application partitions on the FWSM.

Follow the screen prompts during the upgrade.

The configuration file in the application partition is backed up and restored at the end of the upgrade operation.

Step 9 To log out of the maintenance partition, enter the following command:

root@localhost# logout
 
   

Step 10 To reboot the module into the application partition, cf:4 or cf:5, enter the command for your operating system:

For Cisco IOS, enter the following command:

Router# hw-module module mod_num reset cf:{4 | 5}
 
   

For Catalyst OS, enter the following command:

Console> (enable) reset mod_num boot cf:{4 | 5}
 
   

Installing Maintenance Software

You can download the maintenance software from a TFTP, HTTP, or HTTPS server when you are logged into the application partition. Passwords for the root and guest accounts of the maintenance partition are retained after the upgrade.

For multiple context mode, you must be in the system execution space.

Make sure you have network access to the server:

For single context mode, configure any interface, its IP address, and any static routes required to reach the server. See the "Configuring Interfaces" section and then Chapter 8 "Configuring IP Addresses, Routing, and DHCP."

For multiple context mode, you must first add the admin context and configure interfaces, IP addresses, and routing to provide network access. See the "Configuring a Security Context" section, and then the "Configuring Interfaces" section and Chapter 8 "Configuring IP Addresses, Routing, and DHCP."

To upgrade the maintenance partition software, enter one of the following commands for the appropriate download server:

To download the maintenance software from a TFTP server, enter the following command:

FWSM# upgrade-mp tftp[://server[:port][/path]/filename]
 
   

If you do not enter the TFTP server information, you are prompted for the server information.

To download the maintenance software from an HTTP or HTTPS server, enter the following command:

FWSM# upgrade-mp http[s]://[user[:password]@]server[:port][/path]/filename
 
   

The following example shows the prompts for the TFTP server information:

FWSM# upgrade-mp tftp
Address or name of remote host [127.0.0.1]? 10.1.1.5 
Source file name [cdisk]? mp.2-1-0-3.bin.gz
copying tftp://10.1.1.5/mp.2-1-0-3.bin.gz to flash
[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!
Received 1695744 bytes.
Maintenance partition upgraded.

Downloading and Backing Up Configuration Files

This section describes how to download and back up configuration files, and includes the following sections:

Downloading a Text Configuration

Backing Up the Configuration

Downloading a Text Configuration

You can download a text file from the following server types:

TFTP

FTP

HTTP

HTTPS

Make sure you have network access to the server:

For single context mode, configure any interface, its IP address, and any static routes required to reach the server. See the "Configuring Interfaces" section and then Chapter 8 "Configuring IP Addresses, Routing, and DHCP."

For multiple context mode, add the admin context and configure interfaces, IP addresses, and routing to provide network access. See the "Configuring a Security Context" section, and then the "Configuring Interfaces" section and Chapter 8 "Configuring IP Addresses, Routing, and DHCP."

To download a text configuration from a server, follow these steps:


Step 1 To copy the single mode startup configuration or the multiple mode system startup configuration from the server to Flash memory, enter one of the following commands for the appropriate download server:

To copy from a TFTP server, enter the following command:

FWSM# copy tftp://server[/path]/filename startup-config
 
   

To copy from an FTP server, enter the following command:

FWSM# copy ftp://[user[:password]@]server[/path]/filename[;type=xx] startup-config
 
   

The type can be one of the following keywords:

ap—ASCII passive mode

an—ASCII normal mode

ip—(Default) Binary passive mode

in—Binary normal mode

You can use ASCII or binary for configuration files.

To copy from an HTTP or HTTPS server, enter the following command:

FWSM# copy http[s]://[user[:password]@]server[:port][/path]/filename startup-config
 
   

For example, to copy the configuration from a TFTP server, enter the following command:

FWSM# copy tftp://209.165.200.226/configs/startup.cfg startup-config
 
   

To copy the configuration from an FTP server, enter the following command:

FWSM# copy ftp://admin:letmein@209.165.200.227/configs/startup.cfg;type=an startup-config
 
   

To copy the configuration from an HTTP server, enter the following command:

FWSM# copy http://209.165.200.228/configs/startup.cfg startup-config
 
   

Step 2 (Multiple context mode only) To copy context configurations to disk, including the admin configuration, enter one of the following commands for the appropriate download server:

To copy from a TFTP server, enter the following command:

FWSM# copy tftp://server[/path]/filename disk:[path/]filename
 
   

To copy from an FTP server, enter the following command:

FWSM# copy ftp://[user[:password]@]server[/path]/filename[;type=xx] disk:[path/]filename
 
   

The type can be one of the following keywords:

ap—ASCII passive mode

an—ASCII normal mode

ip—(Default) Binary passive mode

in—Binary normal mode

You can use ASCII or binary for configuration files.

To copy from an HTTP or HTTPS server, enter the following command:

FWSM# copy http[s]://[user[:password]@]server[:port][/path]/filename disk:[path/]filename
 
   

Step 3 Copy the new startup configuration to the running configuration using one of these options:

To merge the startup configuration with the current running configuration, enter the following command:

FWSM(config)# copy startup-config running-config
 
   

To load the startup configuration and discard the running configuration, restart the FWSM by entering the following command:

FWSM# reboot
 
   

Backing Up the Configuration

To back up your configuration, copy it to an external server. Use one of the following methods:

Copying the Configuration to a Server

Copying the Configuration from the Terminal Display

Copying the Configuration to a Server

You can back up configuration files in the following circumstances:

Backing up the Single Mode Configuration or Multiple Mode System Configuration

Backing Up a Context Configuration within the Context

Backing up the Single Mode Configuration or Multiple Mode System Configuration

In single context mode, or from the system configuration in multiple mode, you can copy the startup configuration, running configuration, or a configuration file by name on disk (such as the admin.cfg).

Enter one of the following commands for the appropriate backup server:

To copy to a TFTP server, enter the following command:

FWSM# copy {startup-config | running-config | disk:[path/]filename} tftp://server[/path]/filename
 
   

To copy to an FTP server, enter the following command:

FWSM# copy {startup-config | running-config | disk:[path/]filename} ftp://[user[:password]@]server[/path]/filename[;type=xx]
 
   

The type can be one of the following keywords:

ap—ASCII passive mode

an—ASCII normal mode

ip—(Default) Binary passive mode

in—Binary normal mode

Use ASCII or binary for configuration files (as in this case), and binary only for image files.

Backing Up a Context Configuration within the Context

In multiple context mode, from within a context, you can perform the following backups:

To copy the running configuration to the startup configuration server (connected to the admin context), enter the following command:

FWSM/contexta# copy running-config startup-config
 
   

To copy the running configuration to a TFTP server connected to the context network, follow these steps:

a. To specify the TFTP server that is connected to the context network, enter the following command:

FWSM/contexta# tftp-server interface_name ip_address path[/filename]
 
   

b. To copy the running configuration to the TFTP server, enter the following command:

FWSM/contexta(config)# write net [:filename]
 
   

If you specify the filename in the tftp-server command (above), you do not need to identify it in the write net command.

For example:

FWSM/contexta(config)# tftp-server 10.1.1.1 /fwsmconfigs/contextbackup.cfg
FWSM/contexta(config)# write net
 
   

Copying the Configuration from the Terminal Display


To print the configuration to the terminal, enter the following command:

FWSM# write terminal
 
   

Copy the output from this command, then paste the configuration into a text file.