Re: Catalyst 3560X BootLoader upgrade?

andrew.butterworth · ‎02-12-2020

I have a Catalyst 3560X (WS-C3560X-24P-S) running the latest IOS 15.2(4)E9 image, however the bootloader is 12.2(53r)SE2.

ROM: Bootstrap program is C3560E boot loader
BOOTLDR: C3560E Boot Loader (C3560X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)

I have upgraded 3560/3750G/E/X's previously and have seen the microcode updates that take ages. I assumed the bootloader would be upgraded if needed when the IOS image was upgraded.

I have just been working on a couple of Catalyst 3560X's running older IOS 12.2(55)SE10, however these both a have a newer bootloader:

ROM: Bootstrap program is C3560E boot loader
BOOTLDR: C3560E Boot Loader (C3560X-HBOOT-M) Version 15.2(3r)E, RELEASE SOFTWARE (fc1)

The hardware revisions for the switches are different so I am assuming the one I have that is running the latest IOS was actually manufactured before the other two (V04 vs V07).

I have had a search but can't find any references to updating the BootLoader independently of the IOS image - all the release notes just say the bootloader might get upgraded if needed.

I have unpacked the 15.2(4)E9 and the 15.2(1)E1 tar files and compared them and the 15.2(1)E1 includes the file 'pucode_bundle.dat' file that the later image doesn't. Is this the bootloader? Is there a process for upgrading this independently of the IOS image? The 'archive' command has a 'download-ucode' option?

Leo Laohoo · ‎02-12-2020

That's fine.

andrew.butterworth · ‎02-12-2020

Erm, ok? I am sure it is.

That isn't what I asked though. I asked how to upgrade the bootloader.

I have dug a bit deeper and there are comments about the bootloader getting upgraded if FIPS is enabled when upgrading to IOS 15.1. Is there a way to force this?

I am keen to upgrade the bootloader on this switch to the latest available.

Leo Laohoo · ‎02-12-2020

Bootloader is automatically upgraded by the IOS.

andrew.butterworth · ‎02-13-2020

@Leo Laohoo wrote:
Bootloader is automatically upgraded by the IOS.

It obviously isn't in all situations. If you look at my 1st post you can see that I have a 3560X running the latest IOS image:

Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 15.2(4)E9, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Mon 23-Sep-19 14:40 by prod_rel_team

ROM: Bootstrap program is C3560E boot loader
BOOTLDR: C3560E Boot Loader (C3560X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)

I also have some other 3560X's that are running much older code, however they have a much later bootloader:

Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 12.2(55)SE10, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Wed 11-Feb-15 11:28 by prod_rel_team
Image text-base: 0x00003000, data-base: 0x02800000

ROM: Bootstrap program is C3560E boot loader
BOOTLDR: C3560E Boot Loader (C3560X-HBOOT-M) Version 15.2(3r)E, RELEASE SOFTWARE (fc1)

So obviously during the IOS upgrade on my 1st 3560X it hasn't upgraded the bootloader (12.2(53r)SE2), where as the other 3560X's have a newer bootloader (15.2(3r)E).

So my original question still stands. How can I upgrade the bootloader on the 3560X from 12.2(53r)SE2 to 15.2(3r)E or later? Upgrading the IOS to 15.2(4)E9 didn't upgrade the bootloader.

marce1000 · ‎02-13-2020

> I am keen to upgrade the bootloader on this switch to the latest available.

- As stated by others I wouldn't pay too much attention as to the bootloader being upgraded or not when doing an IOS upgrade. Perhaps the install process may even examine the hardware revision and decide for itself if this is needed on the device or not. There is a more elaborate reply from andesfr in this thread :

https://community.cisco.com/t5/small-business-switches/upgrading-bootloader-on-catalyst-switches/td-p/3672626

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

andrew.butterworth · ‎02-13-2020

I found that post after I started this thread. That is the one that mentions the FIPS thing.

I appreciate the comments about not paying too much attention to the bootloader version, however I would like to upgrade it regardless. Is there a process to do this?

In the 15.0(2)SE & later release notes it mentions the FIPS thing and references the section "Boot Loader Upgrade and Image Verification for the FIPS Mode of Operation" in the documentation. The section in the documentation has a table showing when the bootloader will be upgraded, however it assumes you are running a release prior to 15.0(2)SE1 and that it will only upgrade the bootloader if FIPS mode is enabled.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_2_se/configuration/guide/3750x_cg/swipaddr.html#13973

I am guessing that if I downgrade the switch to 12.2(55)SE10, enable FIPS mode, then upgrade it to 15.0(2)SE1 the bootloader will get upgraded. However I don't have a spare 3560X/3750X to test this out on and the 3560X I want to upgrade the bootloader on is in service. I can arrange some downtime but I suspect I'll need to default the switch configuration and then re-apply it after as there are some bits of the configuration that won't work with 12.2.

EDIT: The 15.2(2)E configuration guide also has the same section and mentions 15.2(1)E doing the bootloader upgrade with FIPS.

marce1000 · ‎02-13-2020

>I appreciate the comments about not paying too much attention to the bootloader version, however I would like to upgrade it regardless. Is there a process to do this?

- It's still unclear to me why do you want to pursue this issue so much. In business terms the question becomes : what is the added value ?

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

andrew.butterworth · ‎02-13-2020

@marce1000 wrote:

>I appreciate the comments about not paying too much attention to the bootloader version, however I would like to upgrade it regardless. Is there a process to do this?
- It's still unclear to me why do you want to pursue this issue so much. In business terms the question becomes : what is the added value ?
M.

Please stop trying to understand why. I just do.

Jon Marshall · ‎02-13-2020

@andrew.butterworth wrote:

Please stop trying to understand why. I just do.

☺️

Wish I had an answer for you.

Jon

marce1000 · ‎02-13-2020

:-)

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Leo Laohoo · ‎02-13-2020

I think I may have an answer to the question (as to why there are two different bootloader versions): Post the complete output to the command "sh inventory". I want to see the first 4 lines of each unit.
I suspect the hardware revision numbers are very different.

andrew.butterworth · ‎02-13-2020

I am assuming you don't actually mean 'show inventory' as the 1st four lines don't give you anything other than the PID, the VID and the serial number. The VID on the older bootloader switch is V04, whereas the other two are V07. Is this what you are looking for?

@Leo Laohoo wrote:
I think I may have an answer to the question (as to why there are two different bootloader versions): Post the complete output to the command "sh inventory". I want to see the first 4 lines of each unit.
I suspect the hardware revision numbers are very different.

Leo Laohoo · ‎02-13-2020

@andrew.butterworth wrote:

The VID on the older bootloader switch is V04, whereas the other two are V07. Is this what you are looking for?

That is exactly what I'm looking for.

And I believe this is the answer to your question.

andrew.butterworth · ‎02-14-2020

@Leo Laohoo wrote:
@andrew.butterworth wrote:
The VID on the older bootloader switch is V04, whereas the other two are V07. Is this what you are looking for?
That is exactly what I'm looking for.
And I believe this is the answer to your question.

Hi Leo, are you going to follow that up with anything or just leave me hanging?

If your assumptions is that Hardware VID 04 is bootloader 12.2(53r)SE2 and VID 07 is 15.2(3r)E then what do the release notes regarding FIPS and bootloader upgrades refer to? I am sure someone has an old spare 3560X or 3750X that can do some IOS upgrades/downgrades and add/change the 'fips authorization-key xxxxx' to see what actually happens?