The core issue is encryption licensing and hardware compatibility.
root cause analysis
1. Currently Running Version: As you can see from the picture, your current system is c3560e-universalk9-mz.122-55.SE3.bin. Note that the file name contains universalk9, but the system prompt at the top of the picture is c3560E-UNIVERSALX9-M. The key is this X9. This typically indicates that this is an evaluation version or an IOS with no encryption. It has a K9 shell, but internal encryption is disabled.
2. The version you are trying to upgrade to: The c3560e-universalk9-mz.152-4.E10.bin and c3560e-universalk9-mz.152-4.E9.bin you are trying to upgrade to are formal, full-featured universalk9 mirrors with strong encryption features (such as IPSec, SSH, etc.).
3. Point of conflict: Cisco has strict legal controls on the export of cryptographic software. The license level (X9 version without encryption) that your switch is currently running does not match the image you are upgrading (K9 version with full encryption). When the switch boots, it checks whether the hardware and license support encryption for the new mirror, and if it fails, it refuses to load and displays the encryption warning you see.
Simply put: You are trying to upgrade a device with a "software license limited to no encryption" with a "full-feature encrypted version" of software, and so you are blocked.
Solution
You will need to find an IOS image that matches your device's current license level. The following are the specific steps:
Scenario One (preferred): Locate and use an unencrypted version of IOS 15.x mirroring
This is the most fundamental solution. You need to download a version of IOS that is "Universal" instead of "Universalk9".
1. Confirm Model: Confirm again that your switch model is WS-C3560X-48T-S.
2. Find the correct image: Search for the IOS 15.x version for your exact model at the Cisco official software download center. You need to find mirrors that are similar to the following naming rules:
·c3560x-universal-mz.15.2(4)E10.bin
· c3560x-ipservicesk9-mz.15.2(4) E10.bin (if you require IP Services capability but again keep licensing in mind)
· Key Differences: The mirror name should not contain k9 or should be a version that matches your current license. For your device, the universal version is more likely.
Important: The mirroring of Catalyst 3560X and 3560E is not generic. In your picture, the 3560E is shown, but if you say the model is 3560X-48T-S, be sure to confirm the hardware model of the device because using the wrong image can cause the device to become tile. A 3560X mirror typically begins with c3560x-.
Option Two: Purchase and Activate Crypto License
If you do require encryption features in the new version of IOS (such as robust SSH, HTTPS, etc.), you will need to contact Cisco or an authorized reseller to purchase the appropriate Security Technology Package (STP) license for your switch serial number. Your device is not authorized to run an encrypted version of IOS until it is activated.
This process involves license management and is complex and not recommended unless there is a clear need.
Scenario III: Continue to use older versions with the same characteristics
If your network environment does not have special requirements, it is also a safe option to continue with the current stable 12.2 (55) SE3 version. This version is old, but is adequate for the underlying Layer 2/3 switching feature.
