Showing results for 
Search instead for 
Did you mean: 

Using a Nexus 9000 as an Emergency TFTP server with Docker




This is not an official guide, just something I've been testing to help during those "difficult" situations. All works here are my own!


There are some situations where we need to load an image onto a Nexus switch (or other network devices for that matter) using a TFTP Server or a USB drive. There are some conditions/circumstances where we might not have access to either of these options (Possibly due to firewalls, Lack of physical access in a "lights-out" DC or when certain parts of the network have no reach-ability).

This document attempts to present a solution using Docker Containers to show how we can run a TFTP Server on a Nexus 9000 running 9.3(1) code utilizing Docker.

This could be used to recover a Nexus device (or any other vendor's device that loads an initial image using TFTP). This would be used in an emergency situations where we have run out of options. 

Use case

A circumstance which may need this solution could be during an upgrade where the switch fails to boot. In order to recover the switch we must wipe the file-system from the switch, losing the NX-OS binary image. In that case we must either use USB or TFTP to bootstrap the switch. There are circumstances where in a remote work situation we don't have physical access to plug in a USB (or remote hands will take some period of time to get to the site) and we don't have a TFTP available in the current network.


  • The broken switch [In this example IP address:]
    • This will be the victim needing access to a TFTP-server
    • We will call this switch "Switch bad" or sw-bad for short.
  • A healthy Nexus device running NX-OS 9.2(x)/9.3(x) code [In this example IP address:]
    • This will be the TFTP-server
    • We will call this switch "Switch good" or sw-good for short.
  • A copy of the NX-OS image (e.g. "nxos.bin" for short) you wish to boot (sw-bad) with. This image needs to be copied to the bootflash of (sw-good)
  • Access to the Internet via the management VRF of (sw-good)
    • Later I'll re-write this guide to include using the default VRF, but for now this guide will only focus on using mgmt0/management VRF on the TFTP-server
  • Connectivity (L2/L3) between sw-goodsw-bad.




Configuration of the switch in Loader> :: sw-bad

# Configure the mgmt0 interface on (sw-bad)
set ip set gw


Configuration of Docker/TFTPd on :: sw-good

# Enable the BASH shell 
feature bash # Enter BASH shell
run bash sudo su # Check if Docker is running
service docker status # Start the Docker Service
service docker start # Invoke a container which exposes port 69 UDP
docker run -d -p 69:69/udp -it pghalliday/tftp # Show the running containers
docker ps # Copy the image from bootflash into the container, replace "container_id" with the "container_id" found
# running the previous "docker ps" command.
sudo docker cp /bootflash/nxos.bin container_id:/var/tftpboot # Exit back to NX-OS and find the mgmt0 interface
exit show ip int bri vrf man (in my example I see # From sw-bad
loader> boot tftp:// # If you want to get into the container (name is taken also from `docker ps` output)
docker exec -it <NAME> /bin/sh # To clean up once complete
docker kill <container_id>


I hope this helps someone get out of a sticky situation!