Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-71-1593004.1
Update Date:2015-08-20
Keywords:

Solution Type  Technical Instruction Sure

Solution  1593004.1 :   How To Update Exadata Management Network Switch Firmware  


Related Items
  • Exadata Database Machine V2
  • Exadata X3-8 Hardware
  • Exadata X4-2 Hardware
  • Exadata X5-2 Hardware
  • Oracle SuperCluster T5-8 Hardware
  • SPARC SuperCluster T4-4 Half Rack
  • Oracle SuperCluster T5-8 Full Rack
  • Exadata Database Machine X2-2 Hardware
  • Big Data Appliance X3-2 Hardware
  • Exadata X4-8 Hardware
  • Exalogic Elastic Cloud X3-2 Hardware
  • SPARC SuperCluster T4-4 Full Rack
  • Exadata Database Machine X2-8
  • Exadata X3-2 Hardware
Related Categories
  • PLA-Support>Eng Systems>Exadata/ODA/SSC>Oracle Exadata>DB: Exadata_EST

In this Document
Goal
Solution
 Scope
 Assumptions and Prerequisites
 1. Login to Cisco management switch
 2. Verify the switch model version and current firmware version
 3. Verify free space available on switch's flash memory
 4. Prepare the TFTP server
 5. Update and Preserve Current Configuration
 6. Transfer the new Cisco IOS SSH-capable firmware to switch's boot flash
 7. Verify the transferred firmware file for integrity
 8. Prepare Cisco switch to boot with new IOS firmware
 9. Boot the Cisco switch with new firmware
 10. Login to switch and verify it is now running the new firmware version
 11. Backup New Current Configuration
 12. Configure SSH access (Optional)
 13. Disable Telnet access (Optional)
 14. Reverting back to older firmware version (Optional)
References


Applies to:

Oracle SuperCluster T5-8 Full Rack - Version All Versions to All Versions [Release All Releases]
Exadata Database Machine X2-2 Hardware - Version All Versions to All Versions [Release All Releases]
Exadata Database Machine X2-8 - Version All Versions to All Versions [Release All Releases]
Exadata X3-2 Hardware - Version All Versions to All Versions [Release All Releases]
Exadata X3-8 Hardware - Version All Versions to All Versions [Release All Releases]
All Platforms

Goal

Update Cisco Catalyst 4948 Ethernet Switch Firmware.

Solution

Scope

This document is applicable to Cisco 4948 and 4948E-F model switches in the following Oracle Engineered Systems: Exadata Database Machine, Exalogic Elastic Cloud Machine, and Big Data Appliance.

Assumptions and Prerequisites

  • The Cisco switch included in Oracle's Engineered System environment has been configured to communicate over the management network.
  • SSH (preferred) or Telnet access and the enable password are available.
  • A system able to connect to the Cisco switch is available.
  • A TFTP server is available on the network and can be reached by the Cisco switch.

To obtain new Cisco IOS firmware, open an SR using the Hardware CSI with the distinct product ID, name, and component, and refer to this MOS note.

SSH is the recommended secure access method, and it is also recommended that Telnet be disabled. The default IOS firmware for the Cisco switch inside Oracle's Engineered System as originally deployed may not have SSH server capability, or may not have it enabled. In that case Telnet access should be available. New firmware will have SSH capability. This document provides instructions on how to apply new firmware and configure SSH.

1. Login to Cisco management switch

Connect to the Cisco switch using SSH or Telnet and log in as the 'admin' user with the admin password. Change to enable mode using the following command. When prompted for a password, use the administrative password.

cisco-switch>enable
Password:
cisco-switch#

2. Verify the switch model version and current firmware version

cisco-switch#show version
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-IPBASEK9-M), Version 15.1(1)SG, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Sun 15-Apr-12 02:55 by prod_rel_team

ROM: 12.2(44r)SG11
cisco-switch uptime is 12 weeks, 5 days, 19 hours, 21 minutes
System returned to ROM by power-on
System restarted at 22:48:47 UTC Fri Jul 12 2013
System image file is "bootflash:cat4500e-ipbasek9-mz.151-1.SG.bin"
Hobgoblin Revision 21, Fortooine Revision 1.40

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C4948E-F (MPC8548) processor (revision 8) with 1048576K bytes of memory.
Processor board ID CAT1714S5YH
MPC8548 CPU at 1GHz, Cisco Catalyst 4948E-F
Last reset from PowerUp
3 Virtual Ethernet interfaces
48 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

Configuration register is 0x2102

cisco-switch#

The switch model number appears in the last section of the output, which describes the hardware configuration. Cisco switch firmware is specific to a switch model. In this example, the model is WS-C4948E-F. New firmware needs to be for the correct model of Cisco switch. Obtain the appropriate firmware file from Oracle Support.

The IOS version provided to the customer (in response to their SR request) must be the correct version for that customer's switch model.

3. Verify free space available on switch's flash memory

Issue the "show file systems" command to display the available space. 

cisco-switch#show file systems
File Systems:

     Size(b)     Free(b)      Type  Flags  Prefixes
*    125546496      58019840     flash     rw   bootflash:
           -           -    opaque     rw   system:
           -           -    opaque     rw   tmpsys:
           -           -    opaque     ro   crashinfo:
        524284        523608     flash     rw   cat4000_flash:
           -           -    opaque     rw   null:
           -           -    opaque     ro   tar:
           -           -   network     rw   tftp:
           -           -    opaque     ro   profiler:
           -           -    opaque     wo   syslog:
        524284        516777     nvram     rw   nvram:
           -           -   network     rw   rcp:
           -           -   network     rw   http:
           -           -   network     rw   ftp:
           -           -   network     rw   scp:
           -           -   network     rw   https:
           -           -    opaque     ro   cns:

cisco-switch#

The above sample output shows approximately 58MB free space in bootflash. There needs to be sufficient space for the new firmware file update.

You can also display the contents of bootflash using the "dir" command as shown below. Here, as an example, it shows two IOS firmware files stored in bootflash.

cisco-switch#dir bootflash:
Directory of bootflash:/

    6  -rw-    25213107  Apr 15 2013 02:05:36 +00:00  firmware.file1.bin
    7  -rw-    32288280  Jun 24 2013 08:41:32 +00:00  firmware.file2.bin

125546496 bytes total (58019840 bytes free)
cisco-switch#

If there is not enough free space, then older firmware files will need to be deleted. For example:

cisco-switch#delete bootflash:firmware.file1.bin
Delete filename [firmware.file1.bin]?
Delete bootflash:/firmware.file1.bin? [confirm]

4. Prepare the TFTP server

Create a new directory on the TFTP file server for transferring the new firmware file. In this document, we will use /tftpboot/cisco as our remote path on the TFTP file server (named tftp-server in our examples). Download the new Cisco IOS firmware to this directory on the tftp-server host so that the Cisco switch can download it via TFTP in later steps. In this document, we will use the file firmware.file3.bin. The directory may look as below:

[root@tftp-server cisco]# ls -l
total 30964
-rw-r--r-- 1 root root 16170184 Jan 13 11:25 firmware.file3.bin

5. Update and Preserve Current Configuration

By default, the current configuration may not be set up to boot from a specific firmware file. As a best practice, we recommend updating the current configuration to include the boot firmware file name. In the previous section, we have already identified the default IOS firmware file stored in bootflash. The following steps update the current configuration to specify the firmware boot file. In the example below, the current active firmware file is firmware.file2.bin.

cisco-switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
cisco-switch(config)#no boot system
cisco-switch(config)#boot system bootflash:firmware.file2.bin
cisco-switch(config)# (type <control-z> here to end)

Next, save the current configuration, write to nvram and also save it in boot flash with a unique name.

cisco-switch#copy running-config startup-config all
Destination filename [startup-config]?
% VRF table-id 0 not active
% VRF table-id 0 not active
cisco-switch#copy running-config bootflash:confg-before-newfw
Destination filename [confg-before-newfw]?
% VRF table-id 0 not active
13343 bytes copied in 0.700 secs (19061 bytes/sec)
cisco-switch#

Now, transfer a backup of this configuration to the remote TFTP file server. You may find it necessary to create a world-writable placeholder file on the TFTP server before you can upload the actual file, because by default the TFTP daemon typically only accepts uploads to files that already exist. Otherwise the copy operation will fail. The following is an example of how to create the placeholder:

[root@tftp-server cisco]# touch /tftpboot/cisco/confg-before-newfw
[root@tftp-server cisco]# chmod 666 /tftpboot/cisco/confg-before-newfw

Alternatively, tftpd can be restarted on the file server with the -c option which should allow the creation of new files.

--create, -c
Allow new files to be created. By default, tftpd will only allow upload of files that already exist. Files are created with default permissions allowing anyone to read or write them, unless the --permissive or --umask options are specified.

Copy the configuration over to the TFTP file server from the switch:

cisco-switch#copy bootflash:confg-before-newfw tftp:

After entering the command above, the switch will prompt for the tftp server name and file name to use when saving to the remote tftp server. Those outputs aren't shown here.

6. Transfer the new Cisco IOS SSH-capable firmware to switch's boot flash

Copy the new firmware file into the Cisco switch's flash filesystem and verify its integrity in boot flash. In this example, our tftp server is named "tftp-server" and we have staged the updated IOS firmware on the tftp server at /tftpboot/cisco/firmware.file3.bin. Because /tftpboot is the root directory for TFTP on the tftp server, it is left out of the path name when prompted for 'Source filename'.

cisco-switch#copy tftp: bootflash:
Address or name of remote host []? tftp-server
Source filename []? /cisco/firmware.file3.bin
Destination filename [firmware.file3.bin]?
Accessing tftp://tftp-server//cisco/firmware.file3.bin...
Loading /cisco/firmware.file3.bin from 192.168.10.100: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 33414512 bytes]

33414512 bytes copied in 96.401 secs (346620 bytes/sec)
cisco-switch#
cisco-switch#dir bootflash:
Directory of bootflash:/

    7  -rw-    32288280  Jun 24 2013 08:41:32 +00:00  firmware.file2.bin
   25  -rw-       13343  Oct 10 2013 18:49:20 +00:00  confg-before-newfw
   26  -rw-    33414512  Oct 10 2013 19:47:18 +00:00  firmware.file3.bin

125546496 bytes total (24532992 bytes free)
cisco-switch#

7. Verify the transferred firmware file for integrity

Run the verify command to validate that the download was successful and complete.

cisco-switch#verify bootflash:firmware.file3.bin
cisco-switch#

If no errors are returned from the verify command, then the verification was successful.
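TFTP itself provides no authentication or integrity protection, so it is worth comparing the image on the switch against the staged file and a known-good hash. The following is an added example, not part of the original note: it assumes the switch's IOS release supports "verify /md5 bootflash:<file>" and that an MD5 value was supplied with the firmware; the function names and the sample transcripts are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

# Switch output formats matched below. The "bytes copied" line appears in the
# copy transcript on this page; the "verify /md5" result line is an assumption
# about the IOS release in use.
COPIED_RE = re.compile(r"^(\d+) bytes copied in", re.M)
VERIFY_RE = re.compile(r"verify /md5 \(([^)]+)\) = ([0-9a-fA-F]{32})")


def md5_of(path, chunk=1 << 20):
    """Hash the staged image in chunks so a 30+ MB file is not read at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def check_transfer(staged_path, published_md5, copy_output, verify_output):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    size = Path(staged_path).stat().st_size
    local_md5 = md5_of(staged_path)

    # 1. The file staged on the TFTP server must match the supplied hash.
    if local_md5 != published_md5.strip().lower():
        findings.append("staged file does not match the published MD5")

    # 2. The byte count reported by the switch must equal the staged size.
    copied = COPIED_RE.search(copy_output)
    if copied is None:
        findings.append("no 'bytes copied' line in the copy transcript")
    elif int(copied.group(1)) != size:
        findings.append(f"switch copied {copied.group(1)} bytes, staged file is {size}")

    # 3. The hash computed on the switch must equal the staged file's hash.
    verified = VERIFY_RE.search(verify_output)
    if verified is None:
        findings.append("no MD5 result in the verify transcript")
    elif verified.group(2).lower() != local_md5:
        findings.append(f"MD5 of {verified.group(1)} on the switch differs from staged file")
    return findings


if __name__ == "__main__":
    import tempfile
    # Constructed stand-in for the firmware image and the two transcripts.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".bin") as tmp:
        tmp.write(b"constructed firmware bytes" * 1000)
    good = md5_of(tmp.name)
    copy_out = "26000 bytes copied in 0.1 secs (260000 bytes/sec)\n"
    verify_out = f"verify /md5 (bootflash:firmware.file3.bin) = {good}\n"
    print(check_transfer(tmp.name, good, copy_out, verify_out) or "all checks passed")
```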

8. Prepare Cisco switch to boot with new IOS firmware

The following steps update the configuration with config-register value of 0x2102 and a new IOS firmware boot file that we just downloaded. 0x2102 instructs the boot process to ignore any breaks, sets baudrate to 9600 and boots into ROM if the main boot process fails for some reason.  

cisco-switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
cisco-switch(config)#config-register 0x2102
cisco-switch(config)#no boot system 
cisco-switch(config)#boot system bootflash:firmware.file3.bin
cisco-switch(config)# (type <control-z> here to end)
cisco-switch#show run | include boot
boot-start-marker
boot system bootflash:firmware.file3.bin
boot-end-marker
cisco-switch#

Save the configuration into nvram.

cisco-switch#copy running-config startup-config all
Destination filename [startup-config]?
% VRF table-id 0 not active
% VRF table-id 0 not active
cisco-switch#write memory
Building configuration...

% VRF table-id 0 not activeCompressed configuration from 13344 bytes to 4271 bytes[OK]
cisco-switch#

9. Boot the Cisco switch with new firmware

There will be a momentary outage of the entire management network on the Engineered System during the following step while the Cisco switch reboots and comes back online.

In this step, we boot the switch under the new IOS firmware. When the "reload" command is issued, the switch will reboot and there will be an outage on the management network for all connected devices (including all storage cells, database servers, ILOMs, and InfiniBand switches) for a minute or two while the switch reboots. A management network outage should not cause an application outage as the databases should all remain available and functioning normally. You will be asked to confirm if you wish to continue and reboot the Cisco switch. Any monitoring of the switch and management network should be blacked out during reboot to avoid any false alarms for outages.

cisco-switch#reload
Proceed with reload? [confirm]

10. Login to switch and verify it is now running the new firmware version

cisco-switch>enable
Password:
cisco-switch#show version
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-IPBASEK9-M), Version 15.1(2)SG2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Thu 05-Sep-13 19:16 by prod_rel_team

ROM: 12.2(44r)SG11
cisco4948-ip uptime is 1 minute
System returned to ROM by reload
System restarted at 20:27:50 UTC Thu Oct 10 2013
System image file is "bootflash:firmware.file3.bin"
Hobgoblin Revision 21, Fortooine Revision 1.40

Last reload reason: Reload command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C4948E-F (MPC8548) processor (revision 8) with 1048576K bytes of memory.
Processor board ID CAT1714S5YH
MPC8548 CPU at 1GHz, Cisco Catalyst 4948E-F
Last reset from Reload
3 Virtual Ethernet interfaces
48 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
         
Configuration register is 0x2102

cisco-switch#

The "System image file is" line should show the new firmware file, in this example: 'bootflash:firmware.file3.bin'

11. Backup New Current Configuration

Save the current configuration, write to nvram and also save it in boot flash with a unique name.

cisco-switch#copy running-config startup-config all
Destination filename [startup-config]?
% VRF table-id 0 not active
% VRF table-id 0 not active
cisco-switch#copy running-config bootflash:confg-after-newfw
Destination filename [confg-after-newfw]?
% VRF table-id 0 not active
13343 bytes copied in 0.700 secs (19061 bytes/sec)
cisco-switch#

Now, take a backup of this configuration on remote TFTP file server.

cisco-switch#copy bootflash:confg-after-newfw tftp:

After entering the command above, the switch will prompt for the tftp server name and file name to use when saving to the remote tftp server. Those outputs aren't shown here.

12. Configure SSH access (Optional)

With the switch successfully reloaded, reconnect using telnet and configure SSH as shown in the procedure below. The username command is required; the example configures a user with username "admin" and password "welcome1", but any username and password can be used (it is recommended to choose a better password than "welcome1"). After logging in via telnet, use the 'enable' command to regain superuser privileges, then proceed with the following configuration.

cisco-switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
cisco-switch(config)#crypto key generate rsa
% You already have RSA keys defined named cisco4948-ip.us.oracle.com.
% Do you really want to replace them? [yes/no]: yes
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]: 768
% Generating 768 bit RSA keys, keys will be non-exportable...[OK]

cisco-switch(config)#
cisco-switch(config)#username admin password 0 welcome1
cisco-switch(config)#line vty 0 4
cisco-switch(config-line)#transport input all
cisco-switch(config-line)# exit
cisco-switch(config)#aaa new-model
cisco-switch(config)#
cisco-switch(config)#ip ssh time-out 60
cisco-switch(config)#ip ssh authentication-retries 3
cisco-switch(config)#ip ssh version 2
cisco-switch(config)# (type <control-z> here to end)

Verify the SSH configuration is working and configured properly using the "show ip ssh" command:

cisco-switch#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 3
cisco-switch#

This switch should now be available for SSH logins using username admin, password welcome1 via SSH v2 (which is typically the default for most SSH clients).

13. Disable Telnet access (Optional)

After configuring SSH access and verifying it, some sites may want to disable telnet access to the switch (leaving only SSH access available). This is optional as the switch can allow access via SSH and telnet simultaneously. To disable telnet access, connect to the switch using SSH (since telnet will be disabled as part of this procedure) and enter these commands:

cisco-switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
cisco-switch(config)#
cisco-switch(config)#line vty 0 4
cisco-switch(config-line)#transport input ssh
cisco-switch(config-line)#exit
cisco-switch(config)# (type <control-z> here to end)

If there are more input lines in your operational Cisco firmware, then apply SSH to remaining lines as well. Verify the number of transport lines in 'show running' output.

cisco-switch(config)#line vty 5 15
cisco-switch(config-line)#transport input ssh
cisco-switch(config-line)#exit
cisco-switch(config)# (type <control-z> here to end)

After this change is in place, telnet on the switch is disabled and may be verified. SSH connectivity should be the only allowed connection method.
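The result of steps 12 and 13 can be checked offline against a saved copy of the configuration, such as the backup taken in step 11. The following is an added example, not part of the original note: SAMPLE_CONFIG is a constructed excerpt in which vty lines 5 to 15 were left at "transport input all", and the function names are hypothetical.

```python
import re

# Constructed running-config excerpt (not taken from a real switch).
SAMPLE_CONFIG = """\
boot-start-marker
boot system bootflash:firmware.file3.bin
boot-end-marker
!
username admin password 0 welcome1
aaa new-model
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input all
!
end
"""


def parse_vty_blocks(config):
    """Return {(first, last): [sub-commands]} for each 'line vty' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        header = re.match(r"^line vty (\d+)(?: (\d+))?\s*$", raw)
        if header:
            first = int(header.group(1))
            last = int(header.group(2) or first)
            current = blocks.setdefault((first, last), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())  # indented line belongs to the block
        else:
            current = None  # any other top-level line ends the block
    return blocks


def audit(config, expected_image=None):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    for (first, last), cmds in sorted(parse_vty_blocks(config).items()):
        label = f"line vty {first} {last}"
        transports = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        if not transports:
            findings.append(f"{label}: no explicit 'transport input' "
                            "(default depends on the IOS release)")
        elif transports[-1] != ["ssh"]:
            findings.append(f"{label}: transport input {' '.join(transports[-1])} "
                            "still permits non-SSH access")
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("'ip ssh version 2' is not set")
    # 'password 0' means the password is stored unencrypted in the config.
    for user in re.finditer(r"^username (\S+) password 0 ", config, re.M):
        findings.append(f"username {user.group(1)}: password stored in cleartext (type 0)")
    boots = re.findall(r"^boot system (\S+)\s*$", config, re.M)
    if expected_image and boots != [expected_image]:
        findings.append(f"boot system is {boots}, expected [{expected_image}]")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "bootflash:firmware.file3.bin"):
        print(finding)
```

Because the saved configuration can contain the cleartext username line, the backup copy on the TFTP server should be treated as sensitive.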

14. Reverting back to older firmware version (Optional)

Reverting back to an older firmware is just a matter of booting the older version as long as it's still present on the switch.

Display the contents of bootflash using the "dir" command.

cisco-switch#dir bootflash:
Directory of bootflash:/

    6  -rw-    25213107  Apr 15 2013 02:05:36 +00:00  firmware.file2.bin
    7  -rw-    32288280  Jun 24 2013 08:41:32 +00:00  firmware.file3.bin

125546496 bytes total (58019840 bytes free)
cisco-switch#

Determine the older firmware to revert to. In the following example, it will be firmware.file2.bin .

Update the configuration to boot the older firmware.  

cisco-switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
cisco-switch(config)#config-register 0x2102
cisco-switch(config)#no boot system 
cisco-switch(config)#boot system bootflash:firmware.file2.bin
cisco-switch(config)# (type <control-z> here to end)
cisco-switch#show run | include boot
boot-start-marker
boot system bootflash:firmware.file2.bin
boot-end-marker
cisco-switch#

Save the configuration into nvram.

cisco-switch#copy running-config startup-config all
Destination filename [startup-config]?
% VRF table-id 0 not active
% VRF table-id 0 not active
cisco-switch#write memory
Building configuration...

% VRF table-id 0 not activeCompressed configuration from 13344 bytes to 4271 bytes[OK]
cisco-switch#

Boot the switch with the older IOS firmware. When the "reload" command is issued, the switch will reboot and there will be an outage on the management network for all connected devices (including all storage cells, database servers, ILOMs, and InfiniBand switches) for a minute or two while the switch reboots. A management network outage should not cause an application outage as the databases should all remain available and functioning normally. You will be asked to confirm if you wish to continue and reboot the Cisco switch. Any monitoring of the switch and management network should be blacked out during reboot to avoid any false alarms for outages.

cisco-switch#reload
Proceed with reload? [confirm]

 

References

<NOTE:1415044.1> - Upgrading firmware / Configuring SSH on Cisco Catalyst 4948 Ethernet Switch

  Copyright © 2018 Oracle, Inc.  All rights reserved.