Upgrading ProCurve firmware via SFTP
Written by jlgaddis on February 7, 2009 – 2:21 pm
Earlier this week, I described “Upgrading ProCurve firmware via TFTP”. TFTP has been the primary method of updating firmware on network devices for many, many years. TFTP, however, lacks authentication and encryption. HP has begun offering first FTP and now SFTP on some of their network devices as an alternative method for updating firmware. In this post, we will update the switch firmware using SFTP.
A few items to note:
- 192.168.1.113 is the IP address of the ProCurve 2610 (DHCP FTW!)
- BL-C234-AS01 is the hostname assigned to the switch (don’t ask)
Quick aside: I should point out that I don’t actually use DHCP on my switches. This is a brand new, straight out of the box switch I’m messing with. I’m doing this in the home lab, where DHCP is fine for this. Before the switch even gets close to being put into production at $work, it will be fully configured and have an IP address assigned for management. I got an e-mail asking why in hell I’d use DHCP, so I wanted to clear that up.
In the previous post, we upgraded the switch firmware in the primary flash on an HP ProCurve 2610 switch. We rebooted the switch and verified that it was now running the latest firmware:
BL-C234-AS01# show version
Image stamp: /sw/code/build/nemo(ndx)
Jan 14 2009 15:31:02
R.11.25
301
Boot Image: Primary
We can quickly verify which versions of the firmware are currently saved in flash:
BL-C234-AS01# show flash
Image           Size(Bytes)   Date   Version
-----           ----------  -------- -------
Primary Image   : 3790986   01/14/09 R.11.25
Secondary Image : 3689315   01/25/08 R.11.07
Boot Rom Version: R.10.06
Current Boot    : Primary
In this post, we are going to use SFTP to transfer the R.11.25 firmware from a Linux server to the secondary flash on the switch.
Quick aside: A much easier way to “sync” the primary and secondary flash is to use the command “copy flash flash <destination>”. “copy flash flash secondary” would copy the firmware in the primary flash to the secondary flash. I’m not going to use that method, however, because the whole purpose is to illustrate the use of SFTP.
The first thing we need to do is to create a “manager” user account. We will use this account when we connect to the switch using SFTP. Here, I’m using “admin” for both the username and password. I don’t do this in real life, and neither should you:
BL-C234-AS01# conf
BL-C234-AS01(config)# password manager user-name admin
New password for Manager: *****
Please retype new password for Manager: *****
Now that we have a user account set up, we need to enable SSH, then SFTP for transferring files:
BL-C234-AS01(config)# ip ssh
BL-C234-AS01(config)# ip ssh filetransfer
Tftp and auto-tftp have been disabled.
Note that the switch automatically disabled TFTP and auto-TFTP for us when enabling SFTP. At this point, we should be able to use SFTP to connect to the switch. The first line of output from “show ip ssh” confirms for us that both SSH and Secure Copy (HP’s term for it) are enabled:
BL-C234-AS01# show ip ssh
SSH Enabled : Yes Secure Copy Enabled : Yes
TCP Port Number : 22 Timeout (sec) : 120
Host Key Type : RSA Host Key Size : 2048
Ciphers : aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,
rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
MACs : hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
Ses Type | Protocol Source IP and Port
--- -------- + --------- ---------------------
1 console |
2 inactive |
3 inactive |
4 inactive |
Let’s try to connect:
$ sftp admin@192.168.1.113
Connecting to 192.168.1.113...
The authenticity of host '192.168.1.113 (192.168.1.113)' can't be established.
RSA key fingerprint is af:a6:20:67:64:8a:64:bf:7a:72:0e:52:c1:27:a6:4c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.113' (RSA) to the list of known hosts.
We'd like to keep you up to date about:
* Software feature updates
* New product announcements
* Special events
Please register your products now at: www.ProCurve.com
admin@192.168.1.113's password:
sftp>
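The session above accepts the host key on first use. As an added example (not part of the original post), this computes the colon-separated MD5 fingerprint that the sftp prompt displays from a known_hosts-style entry and compares it with a value obtained out of band, for instance from the switch's console. The key is constructed, not the switch's real key, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string from the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """Positive SSH mpint, sized so the top (sign) bit stays clear."""
    return _ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


# Constructed sample entry with a made-up modulus; NOT the switch's real key.
_BLOB = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 2047) | 0x1234567)
SAMPLE_LINE = "192.168.1.113 ssh-rsa " + base64.b64encode(_BLOB).decode("ascii")


def md5_fingerprint(known_hosts_line: str) -> str:
    """Colon-separated MD5 fingerprint of a plain 'host type base64' entry."""
    _host, key_type, b64 = known_hosts_line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with the key type as an SSH string; reject mismatches.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type field does not match key blob")
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def host_key_matches(known_hosts_line: str, expected: str) -> bool:
    """True only if the entry's fingerprint equals the out-of-band value."""
    actual = md5_fingerprint(known_hosts_line)
    return hmac.compare_digest(actual, expected.strip().lower())


if __name__ == "__main__":
    # Fingerprint shown in the post's sftp prompt; the sample key will not match.
    shown = "af:a6:20:67:64:8a:64:bf:7a:72:0e:52:c1:27:a6:4c"
    print(md5_fingerprint(SAMPLE_LINE), host_key_matches(SAMPLE_LINE, shown))
```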
Now that we’re in, let’s take a look at the filesystem structure:
sftp> ls -l
drwxr-xr-x 2 J9088A J9088A 0 JAN 01 00:00 cfg
drwxr-xr-x 2 J9088A J9088A 0 JAN 01 00:00 log
drwxr-x--- 2 J9088A J9088A 0 JAN 01 00:00 os
drwxr-x--- 3 J9088A J9088A 0 JAN 01 00:00 ssh
sftp>
The “cfg” directory holds the running-config and startup-config files. If you wanted to create your startup-config elsewhere (or had a template that you use for new devices), you could upload it there.
The “os” directory is the one we are concerned with here, however. Let’s look at what’s contained there:
sftp> cd os
sftp> ls -l
-rwxrw---- 1 J9088A J9088A 3790986 JAN 14 2009 primary
-rwxrw---- 1 J9088A J9088A 3689315 JAN 25 2008 secondary
sftp>
We see two files: “primary” and “secondary”. Note that the filesize corresponds to our earlier output from “show flash”:
BL-C234-AS01# show flash
Image           Size(Bytes)   Date   Version
-----           ----------  -------- -------
Primary Image   : 3790986   01/14/09 R.11.25
Secondary Image : 3689315   01/25/08 R.11.07
Boot Rom Version: R.10.06
Current Boot    : Primary
We want to upload our local file, R_11_25.swi, to a file named “secondary” on the switch (note that you cannot create new files on the switch’s internal filesystem). This is accomplished easily enough:
sftp> put R_11_25.swi secondary
Uploading R_11_25.swi to /os/secondary
R_11_25.swi 100% 3702KB 528.9KB/s 00:07
sftp> exit
$
Looks like it went okay. Trust, but verify:
BL-C234-AS01# show flash
Image           Size(Bytes)   Date   Version
-----           ----------  -------- -------
Primary Image   : 3790986   01/14/09 R.11.25
Secondary Image : 3790986   01/14/09 R.11.25
Boot Rom Version: R.10.06
Current Boot    : Primary
Success!
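Added example, not part of the original post: the "trust, but verify" step as a script that parses "show flash" output and compares the reported secondary image against the local file's size and the expected version. The embedded output is the post's own, with its columns restored; the function names are hypothetical.

```python
import os
import re

# Sample input: the "show flash" output from the post after the upload.
SHOW_FLASH = """\
Image           Size(Bytes)   Date   Version
-----           ----------  -------- -------
Primary Image   : 3790986   01/14/09 R.11.25
Secondary Image : 3790986   01/14/09 R.11.25
Boot Rom Version: R.10.06
Current Boot    : Primary
"""

_IMAGE_RE = re.compile(
    r"^(Primary|Secondary) Image\s*:\s*(\d+)\s+(\d\d/\d\d/\d\d)\s+(\S+)\s*$",
    re.MULTILINE,
)


def parse_show_flash(text: str) -> dict:
    """Map 'primary'/'secondary' to the size, date and version reported."""
    images = {}
    for slot, size, date, version in _IMAGE_RE.findall(text):
        images[slot.lower()] = {"size": int(size), "date": date, "version": version}
    return images


def verify_upload(text: str, slot: str, local_path: str, version: str) -> list:
    """Return a list of mismatches; an empty list means the slot is as expected."""
    image = parse_show_flash(text).get(slot)
    if image is None:
        return [f"{slot} image not found in output"]
    problems = []
    local_size = os.path.getsize(local_path)
    if image["size"] != local_size:
        problems.append(f"size {image['size']} != local file {local_size}")
    if image["version"] != version:
        problems.append(f"version {image['version']} != expected {version}")
    return problems
```

Matching size and version shows the transfer completed; it is not a cryptographic integrity check of the image.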




February 7th, 2009 at 3:32 pm
Very nice! I have some scribbled notes on this topic from when I did my switch upgrades, but bookmarking this will be helpful when I lose them.
I’ve got a few 2610s and some 3400s to upgrade yet, when there’s some downtime.