Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 2.3 - Managing Software and Configuration Files [Cisco Services Modules]

Table Of Contents

Managing Software, Licenses, and Configurations

Managing Licenses

Obtaining an Activation Key

Entering a New Activation Key

Installing Application or PDM Software

Installation Overview

Installing Application Software from the FWSM CLI

Installing Application Software from the Maintenance Partition

Installing PDM from the FWSM CLI

Upgrading Failover Pairs

Upgrading to a Major or Minor Release

Upgrading to a Maintenance Release

Installing Maintenance Software

Checking the Maintenance Software Release

Upgrading the Maintenance Software

Downloading and Backing Up Configuration Files

Viewing Files in Flash Memory

Downloading a Text Configuration to the Startup or Running Configuration

Downloading a Context Configuration to Disk

Backing Up the Configuration

Backing up the Single Mode Configuration or Multiple Mode System Configuration

Backing Up a Context Configuration in Flash Memory

Backing Up a Context Configuration within a Context

Copying the Configuration from the Terminal Display

Managing Software, Licenses, and Configurations

This chapter describes how to install new software on the FWSM from an FTP, TFTP, HTTP, or HTTPS server. You can upgrade the application software, the maintenance software, and PDM management software. This chapter includes the following sections:

•Managing Licenses

•Installing Application or PDM Software

•Upgrading Failover Pairs

•Installing Maintenance Software

•Downloading and Backing Up Configuration Files

Managing Licenses

When you install the software, the existing activation key is extracted from the original image and stored in a file in the FWSM file system. This section includes the following topics:

•Obtaining an Activation Key

•Entering a New Activation Key

Obtaining an Activation Key

To obtain an activation key, you will need a Product Authorization Key, which you can purchase from your Cisco account representative. After obtaining the Product Authorization Key, register it on the Web to obtain an activation key by performing the following steps:

Step 1 Obtain the serial number for your FWSM by entering the following command:
hostname> show version | include Number
Enter the pipe character (|) as part of the command.

Step 2 Connect a web browser to one of the following websites (the URLs are case-sensitive):

Use the following website if you are a registered user of Cisco.com:
http://www.cisco.com/go/license
Use the following website if you are not a registered user of Cisco.com:
http://www.cisco.com/go/license/public
Step 3 Enter the following information, when prompted:

•Your Product Authorization Key

•The serial number of your FWSM.

•Your e-mail address.

The activation key will be automatically generated and sent to the e-mail address that you provide.

Entering a New Activation Key

To enter the activation key, enter the following command:
hostname(config)# activation-key key
The key is a four-element hexadecimal string with one space between each element. For example, a key in the correct form might look like the following key:

0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e

The leading 0x specifier is optional; all values are assumed to be hexadecimal.

If you are already in multiple context mode, enter this command in the system execution space.

Note The activation key is not stored in your configuration file. The key is tied to the serial number of the device.

You must reboot the FWSM after entering the new activation key for the change to take effect in the running image.

This example shows how to change the activation key on the FWSM:
hostname(config)# activation-key 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e
Installing Application or PDM Software

This section contains the following topics:

•Installation Overview

•Installing Application Software from the FWSM CLI

•Installing Application Software from the Maintenance Partition

•Installing PDM from the FWSM CLI

Installation Overview

For application software, you can use one of two methods to upgrade:

•Installing to the current application partition from the FWSM CLI

The benefit of this method is you do not have to boot in to the maintenance partition; instead you log in as usual and copy the new software. The activation key is maintained with this method.

This method supports downloading from a TFTP, FTP, HTTP, or HTTPS server.

You cannot copy software to the other application partition. You might want to copy to the other partition if you want to keep the old version of software as a backup in the current partition.

You must have an operational configuration with network access. For multiple context mode, you need to have network connectivity through the admin context.

•Installing to any application partition from the maintenance partition

The benefit of this method is you can copy software to both application partitions, and you do not have to have an operational configuration. You just need to configure some routing parameters in the maintenance partition so you can reach the server on VLAN 1.

The disadvantage is that you need to boot in to the maintenance partition, which might not be convenient if you have an operational application partition.

This method supports downloading from an FTP server only.

To upgrade PDM, you can only install to the current application partition from the FWSM CLI.

See the "Managing the Firewall Services Module Boot Partitions" section on page 2-11 for more information about application and maintenance partitions.

Installing Application Software from the FWSM CLI

When you log in to the FWSM during normal operation, you can copy the application software to the current application partition from a TFTP, FTP, HTTP, or HTTPS server.

For multiple context mode, you must be in the system execution space.

To upgrade software to the current application partition from an FTP, TFTP, or HTTP(S) server, perform the following steps:

Step 1 Enter the following command to confirm access to the selected FTP, TFTP, or HTTP(S) server:
hostname# ping ip_address
Step 2 To copy the application software, enter one of the following commands, directed to the appropriate download server.

•To copy from a TFTP server, enter the following command:
hostname# copy tftp://server[/path]/filename flash:
The flash keyword refers to the application partition on the FWSM. You can only copy an image and PDM software to the flash partition. Configuration files are copied to the disk partition.

•To copy from an FTP server, enter the following command:
hostname# copy ftp://[user[:password]@]server[/path]/filename flash:
•To copy from an HTTP or HTTPS server, enter the following command:
hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename flash:
For example, to copy the application software from an FTP server, enter the following command:
hostname# copy ftp://10.94.146.80/tftpboot/bnair/cdisk flash:
copying ftp://10.94.146.80/tftpboot/bnair/cdisk to flash:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!
Received 6128128 bytes.
Erasing current image.This may take some time..
Writing 6127616 bytes of image.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!
Image installed.
Step 3 To run the new software, you need to reload the system. If you do not have a failover pair, enter the following command:
hostname# reload
Proceed with reload? [confirm] 
At the `Proceed with reload?' prompt, press Enter to confirm the command.
Rebooting...
If you have a failover pair, see the "Upgrading Failover Pairs" section.

Installing Application Software from the Maintenance Partition

If you log in to the maintenance partition, you can install application software to either application partition (cf:4 or cf:5).

Note The FWSM maintenance partition can only use VLAN 1 on the switch. The FWSM does not support 802.1Q tagging on VLAN 1.

If you are running maintenance software release 1.1, the activation key, if present, is removed and the mode reverts to single context mode. We suggest that you upgrade the maintenance software to Release 2.1 or later to keep the activation key and mode. See the "Installing Maintenance Software" section to upgrade.

Note If you are upgrading between consecutive minor releases (2.3.1 to 2.3.2, for example) and you have a failover pair, first perform this procedure on the standby unit; after the standby unit reloads, force the active unit to fail over to the standby unit using the no failover active command in the system execution space of the active unit; then upgrade the active unit.

If you are upgrading between major releases (2.2 to 2.3, for example), then perform this procedure on the standby unit first. After you complete the procedure for the standby unit, start the procedure for the active unit. To minimize downtime, immediately reenable failover on the standby unit using the failover command as soon as you reboot the active unit. Failover was disabled on the standby unit because it sensed a version mismatch. When you reenable failover on the standby unit while the active unit is down, then the standby unit becomes active.

To install application software from an FTP server while logged in to the maintenance partition, perform the following steps:

Step 1 Each application partition has its own startup configuration, so you need to make the current configuration available to copy to the backup application partition, if desired. You can either copy it to an available TFTP, FTP, or HTTP(S) server, or you can enter the show running-config command and cut and paste the configuration from the terminal. See the "Backing up the Single Mode Configuration or Multiple Mode System Configuration" section

Step 2 If necessary, end the FWSM session by entering the following command:
hostname# exit
Logoff
[Connection to 127.0.0.31 closed by foreign host]
Router#
You might need to enter the exit command multiple times if you are in a configuration mode.

Step 3 To view the current boot partition, enter the command for your operating system. Note the current boot partition so you can set a new default boot partition.

•Cisco IOS software
Router# show boot device [mod_num]
For example:
Router# show boot device
[mod:1 ]:
[mod:2 ]:
[mod:3 ]:
[mod:4 ]: cf:4
[mod:5 ]: cf:4
[mod:6 ]:
[mod:7 ]: cf:4
[mod:8 ]:
[mod:9 ]:
•Catalyst operating system software
Console> (enable) show boot device mod_num
For example:
Console> (enable) show boot device 4
Device BOOT variable = cf:4
Step 4 To change the default boot partition to the backup, enter the command for your operating system:

•Cisco IOS software
Router(config)# boot device module mod_num cf:{4 | 5}
•Catalyst operating system software
Console> (enable) set boot device cf:{4 | 5} mod_num
Step 5 To boot the FWSM into the maintenance partition, enter the command for your operating system at the switch prompt:

•For Cisco IOS, enter the following command:
Router# hw-module module mod_num reset cf:1
•For Catalyst operating system software, enter the following command:
Console> (enable) reset mod_num cf:1
Step 6 To session in to the FWSM, enter the command for your operating system:

•Cisco IOS software
Router# session slot number processor 1
•Catalyst operating system software
Console> (enable) session module_number
Step 7 To log in to the FWSM maintenance partition as root, enter the following command:
Login: root
Password:
By default, the password is cisco.

Step 8 To set network parameters, perform the following steps:

a. To assign an IP address to the maintenance partition, enter the following command:
root@localhost# ip address ip _address netmask
This address is the address for VLAN 1, which is the only VLAN used by the maintenance partition.

b. To assign a default gateway to the maintenance partition, enter the following command:
root@localhost# ip gateway ip_address
c. (Optional) To ping the FTP server to verify connectivity, enter the following command:
root@localhost# ping ftp_address
Step 9 To download the application software from the FTP server, enter the following command:
root@localhost# upgrade ftp://[user[:password]@]server[/path]/filename cf:{4 | 5}
cf:4 and cf:5 are the application partitions on the FWSM. Install the new software to the backup partition.

Follow the screen prompts during the upgrade.

Step 10 To log out of the maintenance partition, enter the following command:
root@localhost# logout
Step 11 To reboot the FWSM into the backup application partition (that you set as the default in Step 4), enter the command for your operating system:

•For Cisco IOS, enter the following command:
Router# hw-module module mod_num reset
•For Catalyst operating system software, enter the following command:
Console> (enable) reset mod_num
Step 12 To session in to the FWSM, enter the command for your operating system:

•Cisco IOS software
Router# session slot number processor 1
•Catalyst operating system software
Console> (enable) session module_number
By default, the password to log in to the FWSM is cisco (set by the password command). If this partition does not have a startup configuration, the default password is used.

Step 13 Enter privileged EXEC mode using the following command:
hostname> enable
The default password is blank (set by the enable password command). If this partition does not have a startup configuration, the default password is used.

Step 14 Each application partition has its own startup configuration, so you might need to copy a current configuration to the application partition. If you have an old configuration running on this partition, you might want to clear it before copying to the running configuration. To clear the running configuration, enter the clear configure all command. To copy the configuration to the running configuration, use one of the following methods:

•Paste the configuration at the command line.

•To copy from a TFTP server, enter the following command:
hostname# copy tftp://server[/path]/filename running-config
•To copy from an FTP server, enter the following command:
hostname# copy ftp://[user[:password]@]server[/path]/filename running-config
•To copy from an HTTP or HTTPS server, enter the following command:
hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename 
running-config
•To copy from the local Flash memory, enter the following command:
hostname# copy disk:[path/]filename running-config
Step 15 Save the running configuration to startup using the following command:
hostname# write memory
Step 16 The default context mode is single mode, so if you are running in multiple context mode, set the mode to multiple in the new application partition using the following command:
hostname# configuration terminal
hostname(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Confirm to reload the FWSM.

Installing PDM from the FWSM CLI

When you log in to the FWSM during normal operation, you can copy PDM software to the current application partition from a TFTP, FTP, HTTP, or HTTPS server.

For multiple context mode, you must be in the system execution space.

To copy PDM software, enter one of the following commands for the appropriate download server:

•To copy from a TFTP server, enter the following command:
hostname# copy tftp://server[/path]/filename flash:pdm
The flash keyword represents to application partition on the FWSM. You can only copy an image and PDM software to the flash partition. Configuration files are copied to the disk partition.

•To copy from an FTP server, enter the following command:
hostname# copy ftp://[user[:password]@]server[/path]/filename[;type=xx] flash:pdm
The type can be one of the following keywords:

–ap—ASCII passive mode

–an—ASCII normal mode

–ip—(Default) Binary passive mode

–in—Binary normal mode

Use binary for image files.

•To copy from an HTTP or HTTPS server, enter the following command:
hostname# copy http[s]:// 
[user[:password]@]server[:port][/path]/filename flash:pdm
•To use secure copy, first enable SSH, then enter the following command:
hostname# ssh scopy enable
Then from a Linux client enter the following command:
scp -v -pw password filename username@fwsm_address
The -v is for verbose, and if -pw is not specified you will be prompted for a password.
For example, to copy PDM from a TFTP server, enter:
hostname# copy tftp://209.165.200.226/cisco/pdm.bin flash:pdm
To copy to the PDM from an HTTPS server, enter:
hostname# copy http://admin:letmein@209.165.200.228/adsm/pdm.bin flash:pdm
Upgrading Failover Pairs

The two units in a failover configuration must have the same major (first number) and minor (second number) software version. If you upgrade the failover pair to a new major or minor release, you will have some downtime.

You can use different maintenance versions (third number) of the software during an upgrade process without downtime; for example, you can upgrade one unit from Release 2.3(2) to Release 2.3(3) and have failover remain active.

This section includes the following topics:

•Upgrading to a Major or Minor Release

•Upgrading to a Maintenance Release

Upgrading to a Major or Minor Release

To upgrade a failover pair to a new major or minor release, perform the following steps:

Step 1 Ensure that the standby unit has a configuration saved to memory by entering the following command:
standby(config)# write memory
The saved configuration will load when you restart the standby unit. Because the standby unit will have a different software version from the active unit, it will not synch with the active unit to get a running configuration.

For multiple context mode, if the active unit has context configurations in Flash memory, be sure to enter the write memory command in each context.

Step 2 Download the new image to both units. See the "Installing Application Software from the FWSM CLI" section.

Step 3 Restart the standby unit to load the new software by entering the following command:
standby(config)# reload
After the standby unit restarts, the version mismatch will cause failover to be disabled; because the standby unit sensed the version mismatch with an active unit, it continues to be in a standby state.

Step 4 After the standby unit restarts, restart the active unit by entering the following command:
active(config)# reload
Current connections to the active unit will be disconnected. New connections will be handled by the standby unit after you reenable failover.

Step 5 Immediately reenable failover on the standby unit by entering the following command:
standby(config)# failover
The standby unit senses that the failover link is down, and becomes active.

Step 6 (Optional) Restore the former active unit to be active by entering the following command:
formeractive(config)# failover active
Before performing this step, ensure that the configuration and stateful connections are synched between the two units to minimize traffic loss.

Upgrading to a Maintenance Release

You can use different maintenance versions of the software during an upgrade process and have failover remain active; for example, you can upgrade one unit from Release 2.3(2) to Release 2.3(3). We recommend upgrading both units to the same version to ensure long-term compatibility.

Note You can only install different versions on the failover units if they are contiguous releases, for example 2.3(2) and 2.3(3). You cannot upgrade one unit to 2.3(3) while the other unit is still 2.3(1).

To upgrade a failover pair to a new maintenance release, perform the following steps:

Step 1 Download the new image to both units. See the "Installing Application or PDM Software" section.

Step 2 Reload the standby unit to boot the new image by entering the following command:
standby# reload
Step 3 When the standby unit has finished reloading, force the active unit to fail over to the standby unit by entering the following command on the standby unit:
standby# failover active
Step 4 Reload the former active unit (now the new standby unit) by entering the following command:
newstandby# reload
Installing Maintenance Software

This section includes the following topics:

•Checking the Maintenance Software Release

•Upgrading the Maintenance Software

Checking the Maintenance Software Release

To determine the maintenance software release, you must boot in to the maintenance partition and view the release by performing the following steps:

Step 1 If necessary, end the FWSM session by entering the following command:
hostname# exit
Logoff
[Connection to 127.0.0.31 closed by foreign host]
Router#
You might need to enter the exit command multiple times if you are in a configuration mode.

Step 2 To boot the FWSM into the maintenance partition, enter the command for your operating system at the switch prompt:

•For Cisco IOS, enter the following command:
Router# hw-module module mod_num reset cf:1
•For Catalyst operating system software, enter the following command:
Console> (enable) reset mod_num cf:1
Step 3 To session in to the FWSM, enter the command for your operating system:

•Cisco IOS software
Router# session slot number processor 1
•Catalyst operating system software
Console> (enable) session module_number
Step 4 To log in to the FWSM maintenance partition as root, enter the following command:
Login: root
Password:
By default, the password is cisco.

The FWSM shows the version when you first log in:
Maintenance image version: 2.1(2)
Step 5 To view the maintenance version after you log in, enter the following command:
root@localhost# show version
Maintenance image version: 2.1(2)
mp.2-1-2.bin : Thu Nov 18 11:41:36 PST 2004 : integ@kplus-build-lx.cisco.com
Line Card Number :WS-SVC-FWM-1
Number of Pentium-class Processors :       2
BIOS Vendor: Phoenix Technologies Ltd.
BIOS Version: 4.0-Rel 6.0.9
Total available memory: 1004 MB
Size of compact flash: 123 MB
Daughter Card Info: Number of DC Processors: 3
Size of DC Processor Memory (per proc): 32 MB
Upgrading the Maintenance Software

If you need to upgrade the maintenence software, perform the following steps:

Step 1 Download the maintenance software from Cisco.com at the following URL:

http://www.cisco.com/cisco/software/navigator.html

Put the software on a TFTP, HTTP, or HTTPS server that is accessible from the FWSM admin context.

Step 2 If required, log out of the maintenance partition and reload the application partition by performing the following steps:

a. log out of the maintenance partition by entering the following command:
root@localhost# logout
b. If required, reboot the FWSM into the application partition by entering the command for your operating system:

–For Cisco IOS, enter the following command:
Router# hw-module module mod_num reset
–For Catalyst operating system software, enter the following command:
Console> (enable) reset mod_num
c. To session in to the FWSM, enter the command for your operating system:

–Cisco IOS software
Router# session slot number processor 1
–Catalyst operating system software
Console> (enable) session module_number
Step 3 To upgrade the maintenance partition software, enter one of the following commands for the appropriate download server.

For multiple context mode, you must be in the system execution space.

•To download the maintenance software from a TFTP server, enter the following command:
hostname# upgrade-mp tftp[://server[:port][/path]/filename]
You are prompted to confirm the server information, or if you do not supply it in the command, you can enter it at the prompts.

•To download the maintenance software from an HTTP or HTTPS server, enter the following command:
hostname# upgrade-mp http[s]://[user[:password]@]server[:port][/path]/filename
Passwords for the root and guest accounts of the maintenance partition are retained after the upgrade.

Step 4 Reload the FWSM to load the new maintenance software by entering the following command:
hostname# reload
Alternatively, you can log out of the FWSM in preparation for booting in to the maintenance partition; from the maintenance partition, you can install application software to both application partitions. To end the FWSM session, enter the following command:
hostname# exit
Logoff
[Connection to 127.0.0.31 closed by foreign host]
Router#
You might need to enter the exit command multiple times if you are in a configuration mode.

See the "Installing Application Software from the Maintenance Partition" section to reload the FWSM into the maintenance partition.

The following example shows the prompts for the TFTP server information:
hostname# upgrade-mp tftp
Address or name of remote host [127.0.0.1]? 10.1.1.5 
Source file name [cdisk]? mp.2-1-0-3.bin.gz
copying tftp://10.1.1.5/mp.2-1-0-3.bin.gz to flash
[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!
Received 1695744 bytes.
Maintenance partition upgraded.
Downloading and Backing Up Configuration Files

This section describes how to download and back up configuration files, and includes the following sections:

•Viewing Files in Flash Memory

•Downloading a Text Configuration to the Startup or Running Configuration

•Downloading a Context Configuration to Disk

•Backing Up the Configuration

Viewing Files in Flash Memory

You can view files in Flash memory and see information about the files.

•To view the files in Flash memory, enter the following command:
hostname# dir disk:
For example:
hostname# dir
Directory of disk:/
9      -rw-  1411        08:53:42 Oct 06 2005  old_running.cfg
10     -rw-  959         09:21:50 Oct 06 2005  admin.cfg
11     -rw-  1929        08:23:44 May 07 2005  admin_backup.cfg
•To view extended information about a specific file, enter the following command:
hostname# show file information [path:/]filename
The default path is the root directory of the internal Flash memory (disk:/).

For example:
hostname# show file info admin.cfg
disk:/admin.cfg:
  type is ascii text
  file size is 959 bytes
Downloading a Text Configuration to the Startup or Running Configuration

You can download a text file from the following server types to the single mode configuration or the multiple mode system configuration:

•TFTP

•FTP

•HTTP

•HTTPS

For a multiple mode context, see the "Downloading a Context Configuration to Disk" section.

Note When you copy a configuration to the running configuration, you merge the two configurations. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results.

To copy the startup configuration or running configuration from the server to the FWSM, enter one of the following commands for the appropriate download server:

•To copy from a TFTP server, enter the following command:
hostname# copy tftp://server[/path]/filename {startup-config | running-config}
•To copy from an FTP server, enter the following command:
hostname# copy ftp://[user[:password]@]server[/path]/filename[;type=xx] 
{startup-config | running-config}
The type can be one of the following keywords:

–ap—ASCII passive mode

–an—ASCII normal mode

–ip—(Default) Binary passive mode

–in—Binary normal mode

You can use ASCII or binary for configuration files.

•To copy from an HTTP or HTTPS server, enter the following command:
hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename 
{startup-config | running-config}
For example, to copy the configuration from a TFTP server, enter the following command:
hostname# copy tftp://209.165.200.226/configs/startup.cfg startup-config
To copy the configuration from an FTP server, enter the following command:
hostname# copy ftp://admin:letmein@209.165.200.227/configs/startup.cfg;type=an 
startup-config
To copy the configuration from an HTTP server, enter the following command:
hostname# copy http://209.165.200.228/configs/startup.cfg startup-config
Downloading a Context Configuration to Disk

To copy context configurations to disk, including the admin configuration, enter one of the following commands for the appropriate download server from the system execution space:

•To copy from a TFTP server, enter the following command:
hostname# copy tftp://server[/path]/filename disk:[path/]filename
•To copy from a FTP server, enter the following command:
hostname# copy ftp://[user[:password]@]server[/path]/filename disk:[path/]filename
•To copy from an HTTP or HTTPS server, enter the following command:
hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename 
disk:[path/]filename
Backing Up the Configuration

To back up your configuration, use one of the following methods:

•Backing up the Single Mode Configuration or Multiple Mode System Configuration

•Backing Up a Context Configuration in Flash Memory

•Backing Up a Context Configuration within a Context

•Copying the Configuration from the Terminal Display

Backing up the Single Mode Configuration or Multiple Mode System Configuration

In single context mode or from the system configuration in multiple mode, you can copy the startup configuration or running configuration to an external server or to the local Flash memory:

•To copy to a TFTP server, enter the following command:
hostname# copy {startup-config | running-config} tftp://server[/path]/filename
•To copy to a FTP server, enter the following command:
hostname# copy {startup-config | running-config} 
ftp://[user[:password]@]server[/path]/filename
•To copy to local Flash memory, enter the following command:
hostname# copy {startup-config | running-config} disk:[path/]filename
Be sure the destination directory exists. If it does not exist, first create the directory using the mkdir command.

Backing Up a Context Configuration in Flash Memory

In multiple context mode, copy context configurations that are on the local Flash memory by entering one of the following commands in the system execution space:

•To copy to a TFTP server, enter the following command:
hostname# copy disk:[path/]filename tftp://server[/path]/filename
•To copy to a FTP server, enter the following command:
hostname# copy disk:[path/]filename ftp://[user[:password]@]server[/path]/filename
•To copy to local Flash memory, enter the following command:
hostname# copy disk:[path/]filename disk:[path/]newfilename
Be sure the destination directory exists. If it does not exist, first create the directory using the mkdir command.

Backing Up a Context Configuration within a Context

In multiple context mode, from within a context, you can perform the following backups:

•To copy the running configuration to the startup configuration server (connected to the admin context), enter the following command:
hostname/contexta# copy running-config startup-config
•To copy the running configuration to a TFTP server connected to the context network, enter the following command:
hostname/contexta# copy running-config tftp:/server[/path]/filename
Copying the Configuration from the Terminal Display

To print the configuration to the terminal, enter the following command:
hostname# show running-config
Copy the output from this command, then paste the configuration in to a text file.

	Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 2.3
	Managing Software and Configuration Files
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 2.3 About This Guide Quick Start Steps Introduction to the Firewall Services Module Configuring the Switch for the Firewall Services Module Connecting to the Firewall Services Module and Managing the Configuration Configuring the Firewall Mode Managing Security Contexts Configuring Basic Settings Configuring Bridging Parameters and ARP Inspection Configuring IP Addresses, Routing, and DHCP Configuring Network Address Translation Controlling Network Access with Access Control Lists Allowing Remote Management Configuring AAA Configuring Application and Protocol Inspection Filtering HTTP, HTTPS, or FTP Requests Using an External Server Using Failover Managing Software and Configuration Files Monitoring and Troubleshooting the Firewall Services Module Specifications Sample Configurations Understanding the Command-Line Interface Addresses, Protocols, and Ports Reference Acronyms and Abbreviations	Download this chapter Managing Software and Configuration Files Download the complete book Book-level PDF: Firewall Services Module Configuration Guide, 2.3 (PDF - 4 MB) Table Of Contents Managing Software, Licenses, and Configurations Managing Licenses Obtaining an Activation Key Entering a New Activation Key Installing Application or PDM Software Installation Overview Installing Application Software from the FWSM CLI Installing Application Software from the Maintenance Partition Installing PDM from the FWSM CLI Upgrading Failover Pairs Upgrading to a Major or Minor Release Upgrading to a Maintenance Release Installing Maintenance Software Checking the Maintenance Software Release Upgrading the Maintenance Software Downloading and Backing Up Configuration Files Viewing Files in Flash Memory Downloading a Text Configuration to the Startup or Running Configuration Downloading a Context Configuration to Disk Backing Up the Configuration Backing up the Single Mode Configuration or Multiple Mode System Configuration Backing Up a Context Configuration in Flash Memory Backing Up a Context Configuration within a Context Copying the Configuration from the Terminal Display Managing Software, Licenses, and Configurations This chapter describes how to install new software on the FWSM from an FTP, TFTP, HTTP, or HTTPS server. You can upgrade the application software, the maintenance software, and PDM management software. This chapter includes the following sections: •Managing Licenses •Installing Application or PDM Software •Upgrading Failover Pairs •Installing Maintenance Software •Downloading and Backing Up Configuration Files Managing Licenses When you install the software, the existing activation key is extracted from the original image and stored in a file in the FWSM file system. This section includes the following topics: •Obtaining an Activation Key •Entering a New Activation Key Obtaining an Activation Key To obtain an activation key, you will need a Product Authorization Key, which you can purchase from your Cisco account representative. After obtaining the Product Authorization Key, register it on the Web to obtain an activation key by performing the following steps: Step 1 Obtain the serial number for your FWSM by entering the following command: hostname> show version \| include Number Enter the pipe character (\|) as part of the command. Step 2 Connect a web browser to one of the following websites (the URLs are case-sensitive): Use the following website if you are a registered user of Cisco.com: http://www.cisco.com/go/license Use the following website if you are not a registered user of Cisco.com: http://www.cisco.com/go/license/public Step 3 Enter the following information, when prompted: •Your Product Authorization Key •The serial number of your FWSM. •Your e-mail address. The activation key will be automatically generated and sent to the e-mail address that you provide. Entering a New Activation Key To enter the activation key, enter the following command: hostname(config)# activation-key key The key is a four-element hexadecimal string with one space between each element. For example, a key in the correct form might look like the following key: 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e The leading 0x specifier is optional; all values are assumed to be hexadecimal. If you are already in multiple context mode, enter this command in the system execution space. Note The activation key is not stored in your configuration file. The key is tied to the serial number of the device. You must reboot the FWSM after entering the new activation key for the change to take effect in the running image. This example shows how to change the activation key on the FWSM: hostname(config)# activation-key 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e Installing Application or PDM Software This section contains the following topics: •Installation Overview •Installing Application Software from the FWSM CLI •Installing Application Software from the Maintenance Partition •Installing PDM from the FWSM CLI Installation Overview For application software, you can use one of two methods to upgrade: •Installing to the current application partition from the FWSM CLI The benefit of this method is you do not have to boot in to the maintenance partition; instead you log in as usual and copy the new software. The activation key is maintained with this method. This method supports downloading from a TFTP, FTP, HTTP, or HTTPS server. You cannot copy software to the other application partition. You might want to copy to the other partition if you want to keep the old version of software as a backup in the current partition. You must have an operational configuration with network access. For multiple context mode, you need to have network connectivity through the admin context. •Installing to any application partition from the maintenance partition The benefit of this method is you can copy software to both application partitions, and you do not have to have an operational configuration. You just need to configure some routing parameters in the maintenance partition so you can reach the server on VLAN 1. The disadvantage is that you need to boot in to the maintenance partition, which might not be convenient if you have an operational application partition. This method supports downloading from an FTP server only. To upgrade PDM, you can only install to the current application partition from the FWSM CLI. See the "Managing the Firewall Services Module Boot Partitions" section on page 2-11 for more information about application and maintenance partitions. Installing Application Software from the FWSM CLI When you log in to the FWSM during normal operation, you can copy the application software to the current application partition from a TFTP, FTP, HTTP, or HTTPS server. For multiple context mode, you must be in the system execution space. To upgrade software to the current application partition from an FTP, TFTP, or HTTP(S) server, perform the following steps: Step 1 Enter the following command to confirm access to the selected FTP, TFTP, or HTTP(S) server: hostname# ping ip_address Step 2 To copy the application software, enter one of the following commands, directed to the appropriate download server. •To copy from a TFTP server, enter the following command: hostname# copy tftp://server[/path]/filename flash: The flash keyword refers to the application partition on the FWSM. You can only copy an image and PDM software to the flash partition. Configuration files are copied to the disk partition. •To copy from an FTP server, enter the following command: hostname# copy ftp://[user[:password]@]server[/path]/filename flash: •To copy from an HTTP or HTTPS server, enter the following command: hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename flash: For example, to copy the application software from an FTP server, enter the following command: hostname# copy ftp://10.94.146.80/tftpboot/bnair/cdisk flash: copying ftp://10.94.146.80/tftpboot/bnair/cdisk to flash: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!! Received 6128128 bytes. Erasing current image.This may take some time.. Writing 6127616 bytes of image. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!! Image installed. Step 3 To run the new software, you need to reload the system. If you do not have a failover pair, enter the following command: hostname# reload Proceed with reload? [confirm] At the `Proceed with reload?' prompt, press Enter to confirm the command. Rebooting... If you have a failover pair, see the "Upgrading Failover Pairs" section. Installing Application Software from the Maintenance Partition If you log in to the maintenance partition, you can install application software to either application partition (cf:4 or cf:5). Note The FWSM maintenance partition can only use VLAN 1 on the switch. The FWSM does not support 802.1Q tagging on VLAN 1. If you are running maintenance software release 1.1, the activation key, if present, is removed and the mode reverts to single context mode. We suggest that you upgrade the maintenance software to Release 2.1 or later to keep the activation key and mode. See the "Installing Maintenance Software" section to upgrade. Note If you are upgrading between consecutive minor releases (2.3.1 to 2.3.2, for example) and you have a failover pair, first perform this procedure on the standby unit; after the standby unit reloads, force the active unit to fail over to the standby unit using the no failover active command in the system execution space of the active unit; then upgrade the active unit. If you are upgrading between major releases (2.2 to 2.3, for example), then perform this procedure on the standby unit first. After you complete the procedure for the standby unit, start the procedure for the active unit. To minimize downtime, immediately reenable failover on the standby unit using the failover command as soon as you reboot the active unit. Failover was disabled on the standby unit because it sensed a version mismatch. When you reenable failover on the standby unit while the active unit is down, then the standby unit becomes active. To install application software from an FTP server while logged in to the maintenance partition, perform the following steps: Step 1 Each application partition has its own startup configuration, so you need to make the current configuration available to copy to the backup application partition, if desired. You can either copy it to an available TFTP, FTP, or HTTP(S) server, or you can enter the show running-config command and cut and paste the configuration from the terminal. See the "Backing up the Single Mode Configuration or Multiple Mode System Configuration" section Step 2 If necessary, end the FWSM session by entering the following command: hostname# exit Logoff [Connection to 127.0.0.31 closed by foreign host] Router# You might need to enter the exit command multiple times if you are in a configuration mode. Step 3 To view the current boot partition, enter the command for your operating system. Note the current boot partition so you can set a new default boot partition. •Cisco IOS software Router# show boot device [mod_num] For example: Router# show boot device [mod:1 ]: [mod:2 ]: [mod:3 ]: [mod:4 ]: cf:4 [mod:5 ]: cf:4 [mod:6 ]: [mod:7 ]: cf:4 [mod:8 ]: [mod:9 ]: •Catalyst operating system software Console> (enable) show boot device mod_num For example: Console> (enable) show boot device 4 Device BOOT variable = cf:4 Step 4 To change the default boot partition to the backup, enter the command for your operating system: •Cisco IOS software Router(config)# boot device module mod_num cf:{4 \| 5} •Catalyst operating system software Console> (enable) set boot device cf:{4 \| 5} mod_num Step 5 To boot the FWSM into the maintenance partition, enter the command for your operating system at the switch prompt: •For Cisco IOS, enter the following command: Router# hw-module module mod_num reset cf:1 •For Catalyst operating system software, enter the following command: Console> (enable) reset mod_num cf:1 Step 6 To session in to the FWSM, enter the command for your operating system: •Cisco IOS software Router# session slot number processor 1 •Catalyst operating system software Console> (enable) session module_number Step 7 To log in to the FWSM maintenance partition as root, enter the following command: Login: root Password: By default, the password is cisco. Step 8 To set network parameters, perform the following steps: a. To assign an IP address to the maintenance partition, enter the following command: root@localhost# ip address ip _address netmask This address is the address for VLAN 1, which is the only VLAN used by the maintenance partition. b. To assign a default gateway to the maintenance partition, enter the following command: root@localhost# ip gateway ip_address c. (Optional) To ping the FTP server to verify connectivity, enter the following command: root@localhost# ping ftp_address Step 9 To download the application software from the FTP server, enter the following command: root@localhost# upgrade ftp://[user[:password]@]server[/path]/filename cf:{4 \| 5} cf:4 and cf:5 are the application partitions on the FWSM. Install the new software to the backup partition. Follow the screen prompts during the upgrade. Step 10 To log out of the maintenance partition, enter the following command: root@localhost# logout Step 11 To reboot the FWSM into the backup application partition (that you set as the default in Step 4), enter the command for your operating system: •For Cisco IOS, enter the following command: Router# hw-module module mod_num reset •For Catalyst operating system software, enter the following command: Console> (enable) reset mod_num Step 12 To session in to the FWSM, enter the command for your operating system: •Cisco IOS software Router# session slot number processor 1 •Catalyst operating system software Console> (enable) session module_number By default, the password to log in to the FWSM is cisco (set by the password command). If this partition does not have a startup configuration, the default password is used. Step 13 Enter privileged EXEC mode using the following command: hostname> enable The default password is blank (set by the enable password command). If this partition does not have a startup configuration, the default password is used. Step 14 Each application partition has its own startup configuration, so you might need to copy a current configuration to the application partition. If you have an old configuration running on this partition, you might want to clear it before copying to the running configuration. To clear the running configuration, enter the clear configure all command. To copy the configuration to the running configuration, use one of the following methods: •Paste the configuration at the command line. •To copy from a TFTP server, enter the following command: hostname# copy tftp://server[/path]/filename running-config •To copy from an FTP server, enter the following command: hostname# copy ftp://[user[:password]@]server[/path]/filename running-config •To copy from an HTTP or HTTPS server, enter the following command: hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename running-config •To copy from the local Flash memory, enter the following command: hostname# copy disk:[path/]filename running-config Step 15 Save the running configuration to startup using the following command: hostname# write memory Step 16 The default context mode is single mode, so if you are running in multiple context mode, set the mode to multiple in the new application partition using the following command: hostname# configuration terminal hostname(config)# mode multiple WARNING: This command will change the behavior of the device WARNING: This command will initiate a Reboot Proceed with change mode? [confirm] Confirm to reload the FWSM. Installing PDM from the FWSM CLI When you log in to the FWSM during normal operation, you can copy PDM software to the current application partition from a TFTP, FTP, HTTP, or HTTPS server. For multiple context mode, you must be in the system execution space. To copy PDM software, enter one of the following commands for the appropriate download server: •To copy from a TFTP server, enter the following command: hostname# copy tftp://server[/path]/filename flash:pdm The flash keyword represents to application partition on the FWSM. You can only copy an image and PDM software to the flash partition. Configuration files are copied to the disk partition. •To copy from an FTP server, enter the following command: hostname# copy ftp://[user[:password]@]server[/path]/filename[;type=xx] flash:pdm The type can be one of the following keywords: –ap—ASCII passive mode –an—ASCII normal mode –ip—(Default) Binary passive mode –in—Binary normal mode Use binary for image files. •To copy from an HTTP or HTTPS server, enter the following command: hostname# copy http[s]:// [user[:password]@]server[:port][/path]/filename flash:pdm •To use secure copy, first enable SSH, then enter the following command: hostname# ssh scopy enable Then from a Linux client enter the following command: scp -v -pw password filename username@fwsm_address The -v is for verbose, and if -pw is not specified you will be prompted for a password. For example, to copy PDM from a TFTP server, enter: hostname# copy tftp://209.165.200.226/cisco/pdm.bin flash:pdm To copy to the PDM from an HTTPS server, enter: hostname# copy http://admin:letmein@209.165.200.228/adsm/pdm.bin flash:pdm Upgrading Failover Pairs The two units in a failover configuration must have the same major (first number) and minor (second number) software version. If you upgrade the failover pair to a new major or minor release, you will have some downtime. You can use different maintenance versions (third number) of the software during an upgrade process without downtime; for example, you can upgrade one unit from Release 2.3(2) to Release 2.3(3) and have failover remain active. This section includes the following topics: •Upgrading to a Major or Minor Release •Upgrading to a Maintenance Release Upgrading to a Major or Minor Release To upgrade a failover pair to a new major or minor release, perform the following steps: Step 1 Ensure that the standby unit has a configuration saved to memory by entering the following command: standby(config)# write memory The saved configuration will load when you restart the standby unit. Because the standby unit will have a different software version from the active unit, it will not synch with the active unit to get a running configuration. For multiple context mode, if the active unit has context configurations in Flash memory, be sure to enter the write memory command in each context. Step 2 Download the new image to both units. See the "Installing Application Software from the FWSM CLI" section. Step 3 Restart the standby unit to load the new software by entering the following command: standby(config)# reload After the standby unit restarts, the version mismatch will cause failover to be disabled; because the standby unit sensed the version mismatch with an active unit, it continues to be in a standby state. Step 4 After the standby unit restarts, restart the active unit by entering the following command: active(config)# reload Current connections to the active unit will be disconnected. New connections will be handled by the standby unit after you reenable failover. Step 5 Immediately reenable failover on the standby unit by entering the following command: standby(config)# failover The standby unit senses that the failover link is down, and becomes active. Step 6 (Optional) Restore the former active unit to be active by entering the following command: formeractive(config)# failover active Before performing this step, ensure that the configuration and stateful connections are synched between the two units to minimize traffic loss. Upgrading to a Maintenance Release You can use different maintenance versions of the software during an upgrade process and have failover remain active; for example, you can upgrade one unit from Release 2.3(2) to Release 2.3(3). We recommend upgrading both units to the same version to ensure long-term compatibility. Note You can only install different versions on the failover units if they are contiguous releases, for example 2.3(2) and 2.3(3). You cannot upgrade one unit to 2.3(3) while the other unit is still 2.3(1). To upgrade a failover pair to a new maintenance release, perform the following steps: Step 1 Download the new image to both units. See the "Installing Application or PDM Software" section. Step 2 Reload the standby unit to boot the new image by entering the following command: standby# reload Step 3 When the standby unit has finished reloading, force the active unit to fail over to the standby unit by entering the following command on the standby unit: standby# failover active Step 4 Reload the former active unit (now the new standby unit) by entering the following command: newstandby# reload Installing Maintenance Software This section includes the following topics: •Checking the Maintenance Software Release •Upgrading the Maintenance Software Checking the Maintenance Software Release To determine the maintenance software release, you must boot in to the maintenance partition and view the release by performing the following steps: Step 1 If necessary, end the FWSM session by entering the following command: hostname# exit Logoff [Connection to 127.0.0.31 closed by foreign host] Router# You might need to enter the exit command multiple times if you are in a configuration mode. Step 2 To boot the FWSM into the maintenance partition, enter the command for your operating system at the switch prompt: •For Cisco IOS, enter the following command: Router# hw-module module mod_num reset cf:1 •For Catalyst operating system software, enter the following command: Console> (enable) reset mod_num cf:1 Step 3 To session in to the FWSM, enter the command for your operating system: •Cisco IOS software Router# session slot number processor 1 •Catalyst operating system software Console> (enable) session module_number Step 4 To log in to the FWSM maintenance partition as root, enter the following command: Login: root Password: By default, the password is cisco. The FWSM shows the version when you first log in: Maintenance image version: 2.1(2) Step 5 To view the maintenance version after you log in, enter the following command: root@localhost# show version Maintenance image version: 2.1(2) mp.2-1-2.bin : Thu Nov 18 11:41:36 PST 2004 : integ@kplus-build-lx.cisco.com Line Card Number :WS-SVC-FWM-1 Number of Pentium-class Processors : 2 BIOS Vendor: Phoenix Technologies Ltd. BIOS Version: 4.0-Rel 6.0.9 Total available memory: 1004 MB Size of compact flash: 123 MB Daughter Card Info: Number of DC Processors: 3 Size of DC Processor Memory (per proc): 32 MB Upgrading the Maintenance Software If you need to upgrade the maintenence software, perform the following steps: Step 1 Download the maintenance software from Cisco.com at the following URL: http://www.cisco.com/cisco/software/navigator.html Put the software on a TFTP, HTTP, or HTTPS server that is accessible from the FWSM admin context. Step 2 If required, log out of the maintenance partition and reload the application partition by performing the following steps: a. log out of the maintenance partition by entering the following command: root@localhost# logout b. If required, reboot the FWSM into the application partition by entering the command for your operating system: –For Cisco IOS, enter the following command: Router# hw-module module mod_num reset –For Catalyst operating system software, enter the following command: Console> (enable) reset mod_num c. To session in to the FWSM, enter the command for your operating system: –Cisco IOS software Router# session slot number processor 1 –Catalyst operating system software Console> (enable) session module_number Step 3 To upgrade the maintenance partition software, enter one of the following commands for the appropriate download server. For multiple context mode, you must be in the system execution space. •To download the maintenance software from a TFTP server, enter the following command: hostname# upgrade-mp tftp[://server[:port][/path]/filename] You are prompted to confirm the server information, or if you do not supply it in the command, you can enter it at the prompts. •To download the maintenance software from an HTTP or HTTPS server, enter the following command: hostname# upgrade-mp http[s]://[user[:password]@]server[:port][/path]/filename Passwords for the root and guest accounts of the maintenance partition are retained after the upgrade. Step 4 Reload the FWSM to load the new maintenance software by entering the following command: hostname# reload Alternatively, you can log out of the FWSM in preparation for booting in to the maintenance partition; from the maintenance partition, you can install application software to both application partitions. To end the FWSM session, enter the following command: hostname# exit Logoff [Connection to 127.0.0.31 closed by foreign host] Router# You might need to enter the exit command multiple times if you are in a configuration mode. See the "Installing Application Software from the Maintenance Partition" section to reload the FWSM into the maintenance partition. The following example shows the prompts for the TFTP server information: hostname# upgrade-mp tftp Address or name of remote host [127.0.0.1]? 10.1.1.5 Source file name [cdisk]? mp.2-1-0-3.bin.gz copying tftp://10.1.1.5/mp.2-1-0-3.bin.gz to flash [yes\|no\|again]? yes !!!!!!!!!!!!!!!!!!!!!!! Received 1695744 bytes. Maintenance partition upgraded. Downloading and Backing Up Configuration Files This section describes how to download and back up configuration files, and includes the following sections: •Viewing Files in Flash Memory •Downloading a Text Configuration to the Startup or Running Configuration •Downloading a Context Configuration to Disk •Backing Up the Configuration Viewing Files in Flash Memory You can view files in Flash memory and see information about the files. •To view the files in Flash memory, enter the following command: hostname# dir disk: For example: hostname# dir Directory of disk:/ 9 -rw- 1411 08:53:42 Oct 06 2005 old_running.cfg 10 -rw- 959 09:21:50 Oct 06 2005 admin.cfg 11 -rw- 1929 08:23:44 May 07 2005 admin_backup.cfg •To view extended information about a specific file, enter the following command: hostname# show file information [path:/]filename The default path is the root directory of the internal Flash memory (disk:/). For example: hostname# show file info admin.cfg disk:/admin.cfg: type is ascii text file size is 959 bytes Downloading a Text Configuration to the Startup or Running Configuration You can download a text file from the following server types to the single mode configuration or the multiple mode system configuration: •TFTP •FTP •HTTP •HTTPS For a multiple mode context, see the "Downloading a Context Configuration to Disk" section. Note When you copy a configuration to the running configuration, you merge the two configurations. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results. To copy the startup configuration or running configuration from the server to the FWSM, enter one of the following commands for the appropriate download server: •To copy from a TFTP server, enter the following command: hostname# copy tftp://server[/path]/filename {startup-config \| running-config} •To copy from an FTP server, enter the following command: hostname# copy ftp://[user[:password]@]server[/path]/filename[;type=xx] {startup-config \| running-config} The type can be one of the following keywords: –ap—ASCII passive mode –an—ASCII normal mode –ip—(Default) Binary passive mode –in—Binary normal mode You can use ASCII or binary for configuration files. •To copy from an HTTP or HTTPS server, enter the following command: hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename {startup-config \| running-config} For example, to copy the configuration from a TFTP server, enter the following command: hostname# copy tftp://209.165.200.226/configs/startup.cfg startup-config To copy the configuration from an FTP server, enter the following command: hostname# copy ftp://admin:letmein@209.165.200.227/configs/startup.cfg;type=an startup-config To copy the configuration from an HTTP server, enter the following command: hostname# copy http://209.165.200.228/configs/startup.cfg startup-config Downloading a Context Configuration to Disk To copy context configurations to disk, including the admin configuration, enter one of the following commands for the appropriate download server from the system execution space: •To copy from a TFTP server, enter the following command: hostname# copy tftp://server[/path]/filename disk:[path/]filename •To copy from a FTP server, enter the following command: hostname# copy ftp://[user[:password]@]server[/path]/filename disk:[path/]filename •To copy from an HTTP or HTTPS server, enter the following command: hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename disk:[path/]filename Backing Up the Configuration To back up your configuration, use one of the following methods: •Backing up the Single Mode Configuration or Multiple Mode System Configuration •Backing Up a Context Configuration in Flash Memory •Backing Up a Context Configuration within a Context •Copying the Configuration from the Terminal Display Backing up the Single Mode Configuration or Multiple Mode System Configuration In single context mode or from the system configuration in multiple mode, you can copy the startup configuration or running configuration to an external server or to the local Flash memory: •To copy to a TFTP server, enter the following command: hostname# copy {startup-config \| running-config} tftp://server[/path]/filename •To copy to a FTP server, enter the following command: hostname# copy {startup-config \| running-config} ftp://[user[:password]@]server[/path]/filename •To copy to local Flash memory, enter the following command: hostname# copy {startup-config \| running-config} disk:[path/]filename Be sure the destination directory exists. If it does not exist, first create the directory using the mkdir command. Backing Up a Context Configuration in Flash Memory In multiple context mode, copy context configurations that are on the local Flash memory by entering one of the following commands in the system execution space: •To copy to a TFTP server, enter the following command: hostname# copy disk:[path/]filename tftp://server[/path]/filename •To copy to a FTP server, enter the following command: hostname# copy disk:[path/]filename ftp://[user[:password]@]server[/path]/filename •To copy to local Flash memory, enter the following command: hostname# copy disk:[path/]filename disk:[path/]newfilename Be sure the destination directory exists. If it does not exist, first create the directory using the mkdir command. Backing Up a Context Configuration within a Context In multiple context mode, from within a context, you can perform the following backups: •To copy the running configuration to the startup configuration server (connected to the admin context), enter the following command: hostname/contexta# copy running-config startup-config •To copy the running configuration to a TFTP server connected to the context network, enter the following command: hostname/contexta# copy running-config tftp:/server[/path]/filename Copying the Configuration from the Terminal Display To print the configuration to the terminal, enter the following command: hostname# show running-config Copy the output from this command, then paste the configuration in to a text file.
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks