Image of Cortney & Jeremy

Upgrading ProCurve firmware via SFTP

by Jeremy L. Gaddis on February 7, 2009 · 3 comments

in Networking

Earlier this week, I described “Upgrading ProCurve firmware via TFTP”. TFTP has been the primary method of updating firmware on network devices for many, many years. TFTP, however, lacks authentication and encryption. HP has begun offering first FTP and now SFTP on some of their network devices as an alternative method for updating firmware. In this post, we will update the switch firmware using SFTP.

A few items to note:

  • is the IP address of the ProCurve 2610 (DHCP FTW!)
  • BL-C234-AS01 is the hostname assigned to the switch (don’t ask)

Quick aside: I should point out that I don’t actually use DHCP on my switches. This is a brand new, straight out of the box switch I’m messing with. I’m doing this in the home lab, where DHCP is fine for this. Before the switch even gets close to being put into production at $work, it will be fully configured and have an IP address assigned for management. I got an e-mail asking why in hell I’d use DHCP, so I wanted to clear that up. :)

In the previous post, we upgraded the switch firmware in the primary flash on an HP ProCurve 2610 switch. We rebooted the switch and verified that it was now running the latest firmware:

BL-C234-AS01# show version
Image stamp:    /sw/code/build/nemo(ndx)
                Jan 14 2009 15:31:02
Boot Image:     Primary

We can quickly verify which versions of the firmware currently saved in flash:

BL-C234-AS01# show flash
Image           Size(Bytes)   Date   Version
-----           ----------  -------- -------
Primary Image   : 3790986   01/14/09 R.11.25
Secondary Image : 3689315   01/25/08 R.11.07
Boot Rom Version: R.10.06
Current Boot    : Primary

In this post, we are going to use SFTP to transfer the R.11.25 firmware from a Linux server to the secondary flash on the switch.

Quick aside: A much easier way to “sync” the primary and secondary flash is to use the command “copy flash flash <destination>”. “copy flash flash secondary” would copy the firmware in the primary flash to the secondary flash. I’m not going to use that method, however, because the whole purpose is to illustrate the use of SFTP.

The first thing we need to do is to create a “manager” user account. We will use this account when we connect to the switch using SFTP. Here, I’m using “admin” for both the username and password. I don’t do this in real life, and neither should you:

BL-C234-AS01# conf
BL-C234-AS01(config)# password manager user-name admin
New password for Manager: *****
Please retype new password for Manager: *****

Now that we have a user account set up, we need to enable SSH, then SFTP for transferring files:

BL-C234-AS01(config)# ip ssh
BL-C234-AS01(config)# ip ssh filetransfer
Tftp and auto-tftp have been disabled.

Note that the switch automatically disabled TFTP and auto-TFTP for us when enabling SFTP. At this point, we should be able to use SFTP to connect to the switch. The first line of output from “show ip ssh” confirms for us that both SSH and Secure Copy (HP’s term for it) are enabled:

BL-C234-AS01# show ip ssh

  SSH Enabled     : Yes                 Secure Copy Enabled : Yes
  TCP Port Number : 22                  Timeout (sec)       : 120
  Host Key Type   : RSA                 Host Key Size       : 2048

  Ciphers : aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,
  MACs    : hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96

  Ses Type     | Protocol  Source IP and Port
  --- -------- + --------- ---------------------
  1   console  |
  2   inactive |
  3   inactive |
  4   inactive |

Let’s try to connect:

$ sftp admin@
Connecting to
The authenticity of host ' (' can't be established.
RSA key fingerprint is af:a6:20:67:64:8a:64:bf:7a:72:0e:52:c1:27:a6:4c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
We'd like to keep you up to date about:
  * Software feature updates
  * New product announcements
  * Special events

Please register your products now at:

admin@'s password:

Now that we’re in, let’s take a look at the filesystem structure:

sftp> ls -l
drwxr-xr-x    2 J9088A   J9088A          0 JAN 01 00:00 cfg
drwxr-xr-x    2 J9088A   J9088A          0 JAN 01 00:00 log
drwxr-x---    2 J9088A   J9088A          0 JAN 01 00:00 os
drwxr-x---    3 J9088A   J9088A          0 JAN 01 00:00 ssh

The “cfg” directory holds the running-config and startup-config files. If you wanted to create your startup-config elsewhere (or had a template that you use for new devices), you could upload it there.

The “os” directory is the one we are concerned with here, however. Let’s look at what’s contained there:

sftp> cd os
sftp> ls -l
-rwxrw----    1 J9088A   J9088A    3790986 JAN 14  2009 primary
-rwxrw----    1 J9088A   J9088A    3689315 JAN 25  2008 secondary

We see two files: “primary” and “secondary”. Note that the filesize corresponds to our earlier output from “show flash”:

BL-C234-AS01# show flash
Image           Size(Bytes)   Date   Version
-----           ----------  -------- -------
Primary Image   : 3790986   01/14/09 R.11.25
Secondary Image : 3689315   01/25/08 R.11.07
Boot Rom Version: R.10.06
Current Boot    : Primary

We want to upload our local file, R\_11\_25.swi, to a file named “secondary” on the switch (note that you cannot create new files on the switch’s internal filesystem). This is accomplished easily enough:

sftp> put R_11_25.swi secondary
Uploading R_11_25.swi to /os/secondary
R_11_25.swi                                                                           100% 3702KB 528.9KB/s   00:07
sftp> exit

Looks like it went okay. Trust, but verify:

BL-C234-AS01# show flash
Image           Size(Bytes)   Date   Version
-----           ----------  -------- -------
Primary Image   : 3790986   01/14/09 R.11.25
Secondary Image : 3790986   01/14/09 R.11.25
Boot Rom Version: R.10.06
Current Boot    : Primary


{ 3 comments… read them below or add one }

Leave a Comment

Previous post:

Next post: