Showing results for 
Search instead for 
Did you mean: 

How to upgrade or downgrade the IOS on an ISR (or similar) router



1) Get the new IOS to the router

2) Verify the integrity of the new IOS binary

3) Change the boot statements to ensure that the correct IOS loads after restart

4) Save configuration changes

5) Reload the device and verify that the correct IOS has loaded

Why change IOS versions:

The most frequent reasons that one would change the IOS on a router are:

  • New version has new features
  • New version fixes or avoids triggering a bug
  • Security patching/compliance (ex PCI compliance)

Potential Caveats:

Usually these would only affect older routers but the main caveats would be ensuring there is enough system memory (RAM) and also flash to store the new IOS.

Step 1: Get the new IOS to the router.

If you are onsite then often the simplest way to get the new IOS to the router is to copy the IOS to a flash card, or on newer ISR G2s, USB thumb drive.

Otherwise you would copy the file to the router using TFTP, FTP, etc.  Detailed instructions for this step are out of scope but an example would be:

copy ftp: flash:       
(Follow the prompts for server IP and file name.)

Step 2: Verify the integrity of the new IOS binary

The next step we take is to verify that the IOS was not corrupted during transit or copying.

verify flash:c2800nm-advsecurityk9-mz.150-1.M8.bin

Success will show that the calculated MD5 hash is the same as the embedded hash.

Step 3: Change the boot statements to ensure that the correct IOS loads after restart

We need to remove the old boot statement(s) and add the new one.  (There are other ways to select which IOS to run but this is the simplest method.)

a. examine the current boot statement(s)

show run | include boot


boot system flash:c2800nm-advsecurityk9-mz.12.4-15.T3.bin


b. remove the old boot statement  (Output in step a)

config t

no boot system flash:c2800nm-advsecurityk9-mz.12.4-15.T3.bin

c. add the new boot statement  (this will include the file name of the new binary)

boot system flash:c2800nm-advsecurityk9-mz.15.0-1-M8.bin

Step 4: Save configuration changes

While still in configuration mode from before:


write memory

show start | include boot


boot system flash:c2800nm-advsecurityk9-mz.15.0-1-M8.bin


To recap all of the commands (in this example) would then be:

show run | include boot

config t

no boot system flash:c2800nm-advsecurityk9-mz.12.4-15.T3.bin

boot system flash:c2800nm-advsecurityk9-mz.15.0-1-M8.bin


write memory

show start | include boot

Step 5: Reload the device and verify that the correct IOS has loaded

For normal ISR's the only way to change the IOS is to reload the device.  (ISSU, In-Service Software Upgrade, is not currently supported.)

After the device has reloaded please do a "show version" and confirm that the router is now running the correct version of IOS. 

Then you are done.

Community Member

Thank you for the clear instructions. Thumbs up :p


It's supposed that performing the upgrade process have not a negative impact in the configuration, isn't it?. In other words, upgrade dosn't erase or change the current configuration, does it?



Thanks for the post. Ive done all the steps you've mentioned but I have an issue with my New IOS booting up after the reboot.

I can see my New IOS in the directory and I have verified the IOS.

the conf reg is 0x2102 and my boot system flash is specifies the new IOS.

however after reboot it doesn't pick up the new IOS. It remains on the current IOS which I am trying to upgrade.

Im using an ISR 4321

any advice?

p.s im doing this remotely so I do not have console access


Try the following.  

What caused me headaches until a coworker showed me was that the 4321's boot from "bootflash"  not "flash"

sh run | i boot


boot system bootflash:isr4300-universalk9.03.13.06a.S.154-3.S6a-ext.SPA.bin



Hey Matthew thanks mate, 

just wondering whats the difference between these two commands

#copy ftp://username:password@<ip address>/filename flash:


#copy ftp://username:password@<ip address>/filename bootflash:

ive tried both and on both occasions i get the same output

Directory of bootflash:/

11 drwx 16384 Jun 9 2015 04:43:39 +01:00 lost+found
177409 drwx 4096 Oct 16 2016 12:52:40 +01:00 .prst_sync
12 -rw- 419887876 Jun 9 2015 04:56:28 +01:00 isr4300-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin
193537 drwx 4096 Jun 9 2015 04:44:15 +01:00 .installer
129025 drwx 4096 Jul 1 2016 11:36:09 +01:00 core
225793 drwx 4096 Jun 9 2015 05:08:03 +01:00 .rollback_timer
13 -rw- 0 Jun 9 2015 05:08:18 +01:00 tracelogs.046
161281 drwx 12288 Oct 16 2016 13:33:27 +01:00 tracelogs
14 -rw- 245617 Jul 1 2016 11:35:18 +01:00 crashinfo_RP_00_00_20160701-113516-BST
15 -rw- 420388932 Oct 18 2016 11:04:32 +01:00 isr4300-universalk9.03.13.06.S.154-3.S6-ext.SPA.bin

ISR is currently running on isr4300-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin

trying to upgrade to: isr4300-universalk9.03.13.06.S.154-3.S6-ext.SPA.bin

4321_router #sh run | i boot
boot system flash isr4300-universalk9.03.13.06.S.154-3.S6-ext.SPA.bin

just to recap my issue - after issuing Wr Mem and rebooting it will not pick up the new S6 IOS. it remains on the S2 (old IOS) 

ive done this a million times on smaller 897 routers with no issues - im stumped and i just know its going to be something so simple that im overlooking


OK i think I've understood my mistake. Not sure if this is the cause yet I will post up a resolution once I've ran a second attempt. 

Basically entering the full path in your boot sys command 

boot system flash:bootflash/isr4300-universalk9.03.13.06.S.154-3.S6-ext.SPA.bin

previously I only had this command in

boot system flash isr4300-universalk9.03.13.06.S.154-3.S6-ext.SPA.bin

hoping this is the cause

Community Member

worked great wish I could upvote you.

nicholas platt

Found where the boot statement above is incorrect.

For anyone looking to find this info specific to the 4K series routers the link is here:

Down at the bottom is the correct statement:

boot system flash bootflash:<filename>

HTH :)

Community Member

hello friends,

Please suggestion me,
when i  backup OS from Cisco Router ISR 4321 direct to laptop trough software "Xligh FTP server" it's occurred "timeout", what happen?

thanks an advance

Hi Nicholas,

Thanks for sharing the above information..

I tried and it works for me..

appreciate your support here..

below is the path I have taken here..

boot system flash bootflash:isr4300-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin

Good job on getting people stuck in boot loop with this command 

boot system flash:c2800nm-advsecurityk9-mz.15.0-1-M8.bin

Thank you so much for sharing everything you guys have done here! Very useful information!!!