
ROMmon mode issue? After boot command, executing... for a long time?

vasanth77
Level 1

Hi,

I tried recovering from ROMmon mode on the switch below with the IOS version c2960-lanbasek9-mz.152-2.E4.bin.

I downloaded this IOS to flash with Xmodem and set this IOS with Boot flash:c2960-lanbasek9-mz.152-2.E4.bin

After that I did not see the normal console; in my case I saw only "executing" for a long time.

Then I formatted flash and tried with another IOS version, c2960-lanbasek9-mz.122-55.SE10.bin, and it is working fine with the same procedure.

======

switch working with below IOS installed

SW1#show version
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE10, RELEASE SOFTWARE (fc2)

ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 24    WS-C2960G-24TC-L   12.2(55)SE10          C2960-LANBASEK9-M


Configuration register is 0xF
SW1#

========

Can someone explain what is the root cause and why it is not taking that 15.2 version of IOS?

Is there any compatibility between Bootloader version and the IOS on the switch?

Quick help would be appreciated.

Thanks in advance

Regards,

vasanth

10 Replies

ahmedshoaib
Level 4

Hi Vasanth;

The current recommended software for your switch 2960G-24TC-L is c2960-lanbasek9-mz.122-55.SE11.bin.

If you want to upgrade the IOS to version 15, then the latest IOS for this platform is c2960-lanbasek9-mz.150-2.SE10.bin, not what you were trying to upload.

I think you were trying to upload the software for a different platform of the 2960 series. In Cisco, each platform has a different IOS.

https://software.cisco.com/download/release.html?mdfid=279963492&softwareid=280805680&release=12.2.55-SE11&relind=AVAILABLE&rellifecycle=ED&reltype=latest

Thanks & Best regards;

Thank you

Leo Laohoo
Hall of Fame

c2960-lanbasek9-mz.152-2.E4.bin

2960/2960G DO NOT SUPPORT IOS train 15.2.  The filename "c2960-lanbasek9-mz.152-2.E4.bin" is for the 2960+.  I am suspecting someone deliberately copied the BIN file straight into the 2960G because had the automated command of "archive download-sw" been used the 2960G would've rejected the TAR file and would state that it is for the wrong hardware.

Hi Leo,

Hi,

Is the key required for enabling SSH on Cisco switches?

Domain name

crypto key generate rsa

bits<512 or 1024 or 2048>

I think these 3 are enough to enable SSH login on Cisco switches?

Then what is the purpose of the crypto keys? I've found a lot of numbers in the switch configuration, and while replacing hardware I copied the same key and it's working fine with the other switch also.

Can anybody clarify why we are using these and for what purpose?

crypto pki trustpoint TP-self-signed-3876118144
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3876118144
revocation-check none
rsakeypair TP-self-signed-3876118144
!
crypto pki trustpoint TP-self-signed-2764970624
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2764970624
revocation-check none
rsakeypair TP-self-signed-2764970624
!
!
crypto pki certificate chain TP-self-signed-3876118144
certificate self-signed 01
quit
crypto pki certificate chain TP-self-signed-2764970624

Are these keys generated automatically? If yes, which command generates them?

We just copied these same settings to the same model of switch and it is all working fine? Please correct me.

Can anyone explain to me what all these are? Immediate help would be appreciated.

Thanks in advance

Vasanth

Hi Vasanth;

To enable SSH or encrypt the client-server communication you require an RSA key.

To put the RSA key on a switch/router we have 2 options: either copy it from an existing device to the new device or generate a new key (recommended way).

To enable SSH on network device:

1. Configure Domain name: 

ip domain-name <your_domain>

2. Enable SSH or generate RSA Key:

crypto key generate rsa modulus 1024

3. Optional - Configure SSH version

ip ssh version [1|2]

4. Optional - Restrict the vty line for SSH

line vty 1 15
transport input ssh

Thanks & Best regards;
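
Added example, not part of the original posts and not Cisco tooling: a Python check that audits an IOS configuration for the SSH settings listed in the steps above (domain name, SSH version, SSH-only vty lines) and lists self-signed trustpoint names so that copies of one configuration across devices can be spotted. The sample configuration is constructed, and the parser assumes the indentation of real "show running-config" output.

```python
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
hostname SW1
ip domain-name example.test
ip ssh version 1
crypto pki trustpoint TP-self-signed-0000000001
 enrollment selfsigned
 rsakeypair TP-self-signed-0000000001
!
line con 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
"""

def parse_blocks(config):
    """Group indented sub-commands under their top-level parent line."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue  # skip blank lines and section separators
        if raw[0].isspace() and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks

def audit_ssh(config):
    """Return findings for the SSH-related settings, in config order."""
    blocks = parse_blocks(config)
    top = [parent for parent, _ in blocks]
    findings = []
    if not any(line.startswith("ip domain-name ") for line in top):
        findings.append("no ip domain-name configured")
    if "ip ssh version 2" not in top:
        findings.append("SSH not pinned to version 2")
    for parent, children in blocks:
        if parent.startswith("line vty"):
            transports = [c for c in children if c.startswith("transport input")]
            if transports != ["transport input ssh"]:
                findings.append(f"{parent}: transport is not SSH-only")
    return findings

def self_signed_trustpoints(config):
    """Names of self-signed trustpoints, for comparison across devices."""
    return re.findall(r"^crypto pki trustpoint (TP-self-signed-\d+)", config, re.M)
```

Running self_signed_trustpoints over the saved configurations of several switches and looking for a name that appears on more than one device shows where a configuration was pasted from another unit.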

Hi Ahmed,

Thank you.

You are talking about enabling SSH, and I did that with no issues.

My question is:

1. I enabled SSH with the crypto commands; after that, on that switch I did not see this much:

crypto pki certificate chain TP-self-signed-3876118144
certificate self-signed 01
quit

What is this? Without these numbers some switches are working.

2. What exactly does the config below mean?

crypto pki trustpoint TP-self-signed-2764970624
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2764970624
revocation-check none
rsakeypair TP-self-signed-2764970624

This was also copied to another switch and is working for me.

Please advise

Thanks in advance.

vasanth

Hi Vasanth;

It's a self-signed certificate which is generated by the device after you enter the command "Crypto key generate rsa".

This certificate will be used for client-server authentication and to encrypt the traffic.

Thanks & Best regards;

After giving that command

Crypto key generate rsa

those keys are not visible in the running configuration. That is why I raised this question.

Hi;

You can verify the RSA key via "show crypto key mypubkey rsa" command.

Thanks & Best regards;

Hi Ahmed,

Thank you.