This covers the (more modern) Route Based VPN to a Cisco ASA that’s using a VTI (Virtual Tunnel Interface).
Virtual Network Gateway Options
With VPNs into Azure you connect to a Virtual Network Gateway, of which there are TWO types: Policy Based and Route Based. This article will deal with Route Based; for the older Policy Based option, see the following link;
Route Based VPNs were typically used with routers, because routers used Virtual Tunnel Interfaces to terminate VPN tunnels; that way traffic can be routed down various different tunnels based on a destination (which can be looked up in a routing table). Cisco ASA now supports Virtual Tunnel Interfaces (after version 9.7(1)).
Advantages
Can be used for VPNs to multiple sites.
Disadvantages
Requires Cisco ASA OS 9.7(1), so no ASA 5505, 5510, 5520, 5550, 5585 firewalls can use this.
Policy Based
These came first, essentially they work like this, “If traffic is destined for remote network (x) then send the traffic ‘encrypted’ to local security gateway (y).” Note: Where Local Security Gateway is a firewall at YOUR site, NOT in Azure! This is the way traditionally VPNs have been done in Cisco ASA, in Cisco Firewall speak it’s the same as “If traffic matches the interesting traffic ACL, then send the traffic ‘encrypted’ to the IP address specified in the crypto map”.
Advantages:
Can be used on older Cisco Firewalls (ASA 5505, 5510, 5520, 5550, 5585).
Can be used on newer Cisco Firewalls (ASA 5506-x, 5508-X, 5512-x, 5515-x, 5516-x, 5525-X, 5545-X, 5555-x, 5585-X)
Can be used with Cisco ASA OS (pre 8.4) IKEv1 only.
Disadvantages
Can only be used for ONE connection from your Azure Subnet to your local subnet. Note: You could ‘hairpin’ multiple sites over this one tunnel, but that’s not ideal.
Configure Azure for ‘Route Based’ IPSec Site to Site VPN
You may already have Resource Groups and Virtual Networks setup, if so you can skip the first few steps.
Sign into Azure > All Services > Resource Groups > Create Resource Group > Give your Resource Group a name, and select a location > Create.
OK, if you’re used to networking this can be a little confusing: we are going to create a virtual network, and in it we are going to put a virtual subnet (yes I know this is odd, bear with me!). It’s the ‘Subnet Name’ and ‘address range’ that things will actually connect to (10.0.0.0/24).
All Services > Virtual Networks > Create Virtual Network > Give the Virtual Network a name, a subnet, select your resource group > Then create a Subnet, give it a name and a subnet > Create.
To further confuse all the network engineers, we now need to add another subnet, this one will be used by the ‘gateway’. If you are a ‘networking type’ it’s part of the virtual network, but is more specific than the subnet you already created.
With your virtual network selected >Subnets > +Gateway Subnet.
You can’t change the name, (you could before, then it wouldn’t work, which was strange, but I suppose it’s fixed now) > put in another network that’s part of the Virtual-Network, but does not overlap with the subnet you created in the previous step > OK.
All Services > Virtual Network Gateways > Create Virtual Network Gateway > Name it > Route Based > Create New Public IP > Give it a Name > Create.
Note: This will take a while, go and put the kettle on! Make sure all running tasks and deployments are complete before continuing.
You can do the next two steps together, but I prefer to do them separately, or it will error if the first one does not complete!
Now you need to create a Local Security Gateway. (To represent your Cisco ASA). All Services > Local Security Gateway > Create Local Security Gateway > Name it > Supply the public IP > Supply the Subnet(s) ‘behind’ the ASA > Select your Resource Group > Create.
Finally create the VPN > Select your Virtual Network Gateway > Connections > Add.
Give the tunnel a name > Site-to-Site IPSec > Select your Local Network Gateway (ASA) > Create a pre-shared-key (you will need this for the ASA config!) > Select your Resource Group > OK.
Configure the Cisco ASA for ‘Route Based’ Azure VPN
I’m using 9.9(2)36, VTIs are supported on 9.7, but as with all new things, I’d assume that was buggy and go for 9.8 or above.
To Avoid Emails:
What IP do I put on my Tunnel interface / Where do I get that from? Use whatever you want, NO it does not have to be on the same network as something in Azure, in fact I’m using an APIPA 169.254.x.x. address, and it works fine, (think of it like a local loopback address, though do note the difference to the last octet in the route statement!)
Where’s the Crypto Map? It doesn’t need one.
Do I need to do NAT Exemption? NO (Unless you were hair pinning a traditional VPN from another ASA into this tunnel, or an AnyConnect client VPN session.)
There’s No ACL to Allow the Traffic, or an Interesting Traffic ACL? That’s correct, you don’t need any, (unless you apply an access-list to the tunnel interface).
There are a couple of extra commands you will need; these are sysopt commands. Their purpose is to set things globally, and they are generally hidden from the config (i.e. ‘show run’ won’t show them). These are recommendations from Azure. The first one drops the maximum segment size to 1350. The second command keeps the TCP session information even if the VPN tunnel drops.
The last thing to do, is tell the firewall to ‘route’ the traffic for Azure though the VTI. Note: The last octet in the destination IP is different from the VTI IP!
To test we usually use ‘ping’, the problem with that is, if you are using Windows Servers they will have their Windows firewall on by default, which blocks pings, (bear this in mind when testing). Also your ASA needs to be setup to allow pings, (try pinging 8.8.8.8 that usually responds), if yours doesn’t then configure your ASA to allow ping traffic.
As mentioned above, you might want to turn the firewalls off to test.
On the ASA the first thing to make sure is that the Tunnel Interface is up!
[box]
Petes-ASA# show interface tunnel 1
Interface Tunnel1 "AZURE-VTI01", is up, line protocol is up
Hardware is Virtual Tunnel MAC address N/A, MTU 1500
IP address 169.254.225.1, subnet mask 255.255.255.252
Tunnel Interface Information:
Source interface: outside IP address: 126.63.123.43
Destination IP address: 40.115.49.202
Mode: ipsec ipv4 IPsec profile: AZURE-PROFILE
[/box]
You can also use the following;
[box]
Petes-ASA# show crypto ikev2 sa
IKEv2 SAs:
Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
268975001 123.123.12.1/500 40.115.49.202/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/814 sec
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 0.0.0.0/0 - 255.255.255.255/65535
ESP spi in/out: 0x7b10e41a/0xfcb4576a
[/box]
That’s Phase 1 connected, you will also need to check Phase 2.
[box]
Petes-ASA(config)# show crypto ipsec sa
interface: AZURE-VTI01
Crypto map tag: __vti-crypto-map-11-0-1, seq num: 65280, local addr: 82.21.58.194
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 40.115.49.202
#pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 32
#pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 32, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 123.123.123/500, remote crypto endpt.: 40.115.49.202/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: DA3A1C28
current inbound spi : B562D9C6
inbound esp sas:
spi: 0xB562D9C6 (3043154374)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, VTI, }
slot: 0, conn_id: 11, crypto-map: __vti-crypto-map-11-0-1
sa timing: remaining key lifetime (kB/sec): (3962877/28755)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x000003FF 0xFFFFFFFF
outbound esp sas:
spi: 0xDA3A1C28 (3661241384)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, VTI, }
slot: 0, conn_id: 11, crypto-map: __vti-crypto-map-11-0-1
sa timing: remaining key lifetime (kB/sec): (4193277/28755)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Petes-ASA(config)#
[/box]
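A scripted version of the two checks above, as an added example (not code from the original article): it parses the `show crypto ikev2 sa` and `show crypto ipsec sa` output shown on this page, confirms the SA is READY with traffic in both directions, and reports negotiated parameters that fall under a legacy policy. The function names and the policy sets (which DH groups and hashes count as legacy) are assumptions.

```python
import re

# Assumed local policy, not from the page: MODP groups below 2048 bits and
# MD5/SHA-1 based integrity are treated as legacy and reported.
LEGACY_DH_GROUPS = {1, 2, 5}
LEGACY_HASHES = {"MD5", "MD596", "SHA1", "SHA96"}

# Excerpts of the page's own output. Indentation was lost when the page was
# captured, so the parsers key on field labels rather than column positions.
IKEV2_SA = """\
IKEv2 SAs:
Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
268975001 123.123.12.1/500 40.115.49.202/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/814 sec
"""

IPSEC_SA = """\
interface: AZURE-VTI01
current_peer: 40.115.49.202
#pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 32
#pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
#send errors: 0, #recv errors: 0
"""


def parse_ikev2_sa(text):
    """Pull the negotiated Phase 1 parameters out of 'show crypto ikev2 sa'."""
    sa = {}
    m = re.search(r"Status:([\w-]+), IKE count:(\d+), CHILD count:(\d+)", text)
    if m:
        sa["session_status"] = m.group(1)
        sa["child_count"] = int(m.group(3))
    m = re.search(
        r"^\s*\d+\s+(\S+)/\d+\s+(\S+)/\d+\s+(\S+)\s+(INITIATOR|RESPONDER)",
        text, re.M)
    if m:
        sa["local"], sa["remote"], sa["state"], sa["role"] = m.groups()
    m = re.search(
        r"Encr: ([^,]+), keysize: (\d+), Hash: ([^,]+), DH Grp:(\d+)", text)
    if m:
        sa["encr"], sa["hash"] = m.group(1), m.group(3)
        sa["keysize"], sa["dh_group"] = int(m.group(2)), int(m.group(4))
    return sa


def parse_ipsec_counters(text):
    """Return the '#name: value' counters from one peer's 'show crypto ipsec sa'."""
    return {name.strip(): int(value)
            for name, value in re.findall(r"#([^:#]+):\s*(\d+)", text)}


def audit_tunnel(ike, counters):
    """List everything that is down, one-way, or negotiated with legacy crypto."""
    findings = []
    if ike.get("state") != "READY":
        findings.append(f"IKEv2 SA state is {ike.get('state')}, expected READY")
    if ike.get("child_count", 0) < 1:
        findings.append("no CHILD (IPsec) SA exists under the IKE SA")
    if ike.get("dh_group") in LEGACY_DH_GROUPS:
        findings.append(f"DH group {ike['dh_group']} is below 2048-bit MODP")
    if ike.get("hash") in LEGACY_HASHES:
        findings.append(f"integrity hash {ike['hash']} is MD5/SHA-1 based")
    encaps = counters.get("pkts encaps", 0)
    decaps = counters.get("pkts decaps", 0)
    if encaps == 0:
        findings.append("no packets encapsulated: check the route into the VTI")
    elif decaps == 0:
        findings.append("packets encapsulated but none decapsulated")
    for name in ("send errors", "recv errors"):
        if counters.get(name, 0) > 0:
            findings.append(f"{counters[name]} {name} on the IPsec SA")
    return findings


if __name__ == "__main__":
    for finding in audit_tunnel(parse_ikev2_sa(IKEV2_SA),
                                parse_ipsec_counters(IPSEC_SA)):
        print("FINDING:", finding)
```

Run against the output above, the tunnel passes the up/traffic checks and the only findings are the negotiated DH group 2 and SHA96.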
Related Articles, References, Credits, or External Links
I was called to a 2003 Server yesterday, that was riddled with malware, whatever was on there was generating a lot of network traffic, so the first thing I did was disconnect it from the network.
That’s fine, but if I wanted to use my usual ‘weapon of choice’ Malwarebytes, how was I going to get the latest database installed?
Solution
WARNING: There is a note on the Malwarebytes website that discourages this procedure, as it breaks the incremental update mechanism of Malwarebytes. They recommend that you use this utility to do the job, and that it should be updated every week (though the page currently has December 2011 as the update date!). In my case once the machine is clean, I’ll remove Malwarebytes and install Trend Worry Free on it anyway. Either way, I prefer to know for a fact I’m using the latest database.
1. Install and update Malwarebytes on a nice clean machine (In this case, my Windows 7 laptop).
2. Find out what version of Malwarebytes you are running (on the about tab).
3. Navigate to the following location, and take a copy of the rules.ref file, i.e. put a copy on a USB thumb drive.
A client who we recently did a WDS (Windows 7) install for, needed to image a couple of Windows XP machines, (They had some software that either would not run, or was not supported on Windows 7).
They asked me for some documentation on how to do this, it’s been such a long time since I imaged any XP machine, so I took the opportunity to document it properly.
Solution
Before you begin, be aware you need to be building your reference machine with a Volume Licenced copy of Windows XP NOT an OEM or Retail copy (i.e. DON’T build the machine with manufacturers’ rescue disks like Dell or HP). If you don’t do this you will need to activate every Windows machine that you deploy with Microsoft.
Make sure the version of sysprep you are using is at the same service pack level as the reference machine or bad things will happen.
1. Build your reference machine, and configure it as you require.
2. Create a folder on the root of the C: Drive called ‘Sysprep’. Insert the Windows XP CD and locate the Deploy cabinet file. (This is ‘like’ a zip file and it’s in the support\tools folder).
3. Double click the support cab, then copy over the sysprep.exe file, the setupcl.exe file and the setupmgr.exe file to your c:\sysprep folder.
4. You can now run sysprep.exe and skip to step 13. BUT if you require an answerfile (a script that will answer all the questions Windows will ask while it’s reinstalling post sysprep) then run the setupmgr.exe program, at the welcome screen click next.
5. Create New > Sysprep Setup > Windows XP Professional.
6. Fully Automate > Enter Name and Organisation > Set the Display Properties.
7. Set Time Zone > Enter the Volume Licence unlock code > If you are joining a domain, I suggest generating a random name then changing it later.
8. Set the Local Administrators password > Typical settings will enable DHCP > Supply any domain and domain credentials you need to join your domain.
9. Telephony (I just skip this) > Regional Settings > Languages.
10. Printers > Run Once commands > Additional Commands.
11. Enter a string that will go into the registry, and can be identified later > Finish > Accept the default save path > OK > At this point it looks like it’s crashed, you can manually close the setupmgr.
12. Now you can run sysprep.exe > OK > I select ‘mini-setup’ (If you don’t, it will run the welcome to windows session and play the annoying music you can’t turn down!) > If you have installed applications and are going to image the machine click Reseal > OK.
Note: Factory will literally set the machine back to a ‘day one’ install of Windows XP.
The machine will then shut down and can be imaged.
Final Note: If you power it back on, it will rebuild itself and delete the c:\sysprep directory. Which is fine unless you are doing some testing and realise you have to do the whole thing from scratch!
I needed to get a list of installed programs from a server I was having problems with, so I could compare the results with another server. Note: This will work on Windows client OS’s as well.
Solution
1. On the machine in question launch a command window.
2. To display all the installed programs execute the following two commands;
[box]
WMIC
product get name,version
[/box]
3. To export all the installed programs to a text file (c:\ProgramList.txt) execute the following two commands;
[box]
WMIC
/output:c:\ProgramList.txt product get name,version
[/box]
4. Here’s the sort of information you can get.
5. To export all the installed updates to a text file (c:\UpdateList.txt) execute the following two commands;
[box]
WMIC
/output:C:\UpdateList.txt QFE get
[/box]
Note: You can get a list of updates by running the ‘systeminfo’ command but this gives you much more information.
6. Here’s the sort of information you can get.
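The comparison between two servers that motivated this procedure, as an added example (not part of the original article): it reads two `product get name,version` exports and reports software present on only one server or at different versions. Function names and the sample product names are constructed; the parser assumes the export is WMIC's fixed-width table, which `/output:` writes as UTF-16.

```python
def parse_wmic_products(raw):
    """Turn the raw bytes of a 'product get name,version' export into
    {name: set_of_versions}."""
    # WMIC's /output: file is UTF-16 with a BOM; fall back to UTF-8 for
    # text that was copied out of a console and re-saved.
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8", errors="replace")
    rows = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if not rows or "Version" not in rows[0]:
        raise ValueError("expected a 'Name ... Version' header line")
    # Columns are fixed width and product names contain spaces, so split at
    # the header's 'Version' offset rather than on whitespace.
    split = rows[0].index("Version")
    products = {}
    for ln in rows[1:]:
        name, version = ln[:split].strip(), ln[split:].strip()
        if name:  # skip entries that were registered without a name
            products.setdefault(name, set()).add(version)
    return products


def compare_inventories(a, b):
    """Report what differs between two parsed inventories."""
    common = a.keys() & b.keys()
    return {
        "only_a": sorted(a.keys() - b.keys()),
        "only_b": sorted(b.keys() - a.keys()),
        "version_diff": {name: (sorted(a[name]), sorted(b[name]))
                         for name in sorted(common) if a[name] != b[name]},
    }


def render_sample(rows):
    """Build constructed WMIC-style bytes: fixed-width columns, UTF-16, BOM."""
    width = max(len(name) for name, _ in rows) + 2
    lines = ["Name".ljust(width) + "Version"]
    lines += [name.ljust(width) + version for name, version in rows]
    return ("\r\n".join(lines) + "\r\n").encode("utf-16")


# Constructed sample exports standing in for c:\ProgramList.txt from each server.
SERVER_A = render_sample([
    ("Example Backup Agent", "4.2.0"),
    ("Example Monitoring Agent (x64)", "1.0.7"),
    ("Example Runtime 2010 Redistributable", "10.0.40219"),
])
SERVER_B = render_sample([
    ("Example Backup Agent", "4.1.3"),
    ("Example Runtime 2010 Redistributable", "10.0.40219"),
    ("Example Remote Support Tool", "7.5"),
])

if __name__ == "__main__":
    diff = compare_inventories(parse_wmic_products(SERVER_A),
                               parse_wmic_products(SERVER_B))
    for key, value in diff.items():
        print(key, value)
```

With real exports, read each file in binary mode (`open(path, "rb").read()`) and pass the bytes straight to `parse_wmic_products`.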
When attempting to check Direct Access connection status on a Windows 8 client machine with a Get-DaConnectionStatus command you see the following error;
Get-DaConnectionStatus : Network Connectivity Assistant service is stopped or not responding.
OK, so let’s go and check the status of that service, if it starts great, but mine did not as you can see.
And it logged an Event ID 7024
The Network Connectivity Assistant service terminated with the following service-specific error:
The request is not supported.
Note: This will also happen if you have not configured Remote Access properly on your server, and the client has not got the necessary group policies applied, so make sure that’s discounted first!
Solution
In my case the problem was a little more obscure; it seems this will not work on Windows 8 (Professional). To check your version simply run msinfo32;
Windows 8 Professional
Windows 8 Enterprise
Try the same thing on a Windows 8 (Enterprise) client and it will run without error.
Fired up one of my test machines this morning, and opened Outlook to see,
Error: Microsoft Outlook (Product Activation Failed)
Though if you open other applications you will get the same;
Error: Microsoft Word (Product Activation Failed)
Error: Microsoft Excel (Product Activation Failed)
etc.
Solution
I’m not sure why this happened, (perhaps I entered the wrong key when I installed it). But it’s simple to fix.
1. In this Example I’m using Outlook but select > File > Help > Change Product Key.
2. Enter a valid Office 2010 key > Continue > Follow the on-screen prompts.
3. When finished, restart Outlook and it will prompt you to activate, again follow the instructions.
4. When complete it should say “Thank You. Your copy of Microsoft Office {version} is activated” > Restart your Office applications to remove the red warning bar.
Part Two – Prerequisites for Windows Server 2008 R2
KB ID 0000717
Problem
Originally I was just going to write a ‘Prerequisite for Exchange 2013’ article, but the needs of Windows Server 2008 R2 are so much greater than those of Windows Server 2012, I split them up. With that in mind, I’d suggest you use Windows Server 2012 rather than 2008 R2. (It will be supported for longer).
But if you are determined read on.
Solution
Planning ‘Time spent on reconnaissance is seldom wasted’
If you are going to deploy Exchange 2013 within your organisation, then you either already have Exchange (or another mail server product), or it’s a ‘Greenfield Site’.
You already have Exchange
Coexistence with Exchange 2003 is not supported, before you consider bringing in Exchange 2013, you will need to migrate to Exchange 2010, (a migration to Exchange 2007 would also work, but Exchange 2010 would be more sensible). Exchange 2013 Server can coexist in the same Exchange environment with both Exchange 2007 and Exchange 2010.
Make Sure you have the DVD or ISO file for Exchange 2013, you don’t want to download a 3.5GB File at a client’s site through a slow ADSL Link! Also the prerequisite software is pretty big, get all that burned to disk, or on a USB Drive before you start.
Software Requirements
Well we are installing on Server 2008 R2 (Standard/Enterprise or Datacenter, though if you plan to deploy this server as part of a DAG Group, it needs to be Enterprise/Datacenter), so what else would you need to worry about? How about backup software? Does your current backup solution support Exchange 2013? Also check with your anti-virus/antispam vendor that 2013 won’t be a problem. Do you have any mail archiving software, custom email signature software etc? Take a good look at the software packages in your existing mail system to make sure.
Outlook Client Access: Be aware your clients need to be using the following versions of Outlook BEFORE you migrate them.
1. CPU: As you’re planning on deploying with Windows Server 2008 R2 you will already have a server with an x64 bit CPU to deploy Exchange 2013 on, though IA64 is NOT supported.
2. RAM: This is dependent on what roles the server will have, for a Client Access Server the recommendation is 4GB, for a Mailbox Server it’s 8GB. And if the server will hold both roles the figure remains at 8GB. Though if I were deploying an Exchange 2013 Server in anger I would start at 12GB for a small (less than 80 mailboxes) deployment and work upwards.
3. Disk Space: The drive which will hold the Exchange program files needs 30GB free space (that seems like a lot!) then there are some smaller figures you need to add up,
500MB per Universal Messaging Pack Language you are going to deploy.
200MB free on the server’s system (OS) drive.
500MB free on the drive that will house the message queue database.
If the server will be a Mailbox server then it will need sufficient room to store the mailbox/public folder databases.
4. DVDROM Drive: Actually this is not really a requirement, but I’m mentioning it because a few modern servers ship without DVDROM drives now. You don’t want to go to site with a disk and look like a clown! Exchange 2013 will deploy quite happily from an ISO image. (If in doubt use 7ZIP to extract the ISO to a folder, and take that with you).
Pre Deployment – Environment
1. The Windows 2008 R2 server should be at least SP1. (If in doubt, Windows Key+R > winver {enter}).
2. Your forest functional level should be at least Windows Server 2003. To see your forest functional level, Windows Key > Active Directory Domains and Trusts > Action > Raise Forest Functional Level.
3. The domain controller that is holding the Schema Master FSMO role in your domain, needs to be at least Windows Server 2003 SP2. To see which server is the schema master server, run the following command;
Note: In this example, I’m on a standalone server, that’s also a domain controller (not recommended for production environments!). In a live environment you may need to plan in some downtime to update the schema master.
4. The server you are deploying on, must already be a member of your domain.
5. Run Windows Update, and make sure the server is fully up to date.
6. You will need to install both .Net 4.5 and Windows Management Framework 3.0 (That’s new WMI and Powershell 3 in case you were wondering). (Note: you need the Windows6.1-KB2506143-x64 version).
Note: These two pieces of software are needed on the server that will prepare the Active Directory, so they are not strictly prerequisites for Exchange 2013.
7. The Exchange 2013 Server needs the ADDS (RSAT) administration tools installing. To do that simply run the following command;
[box]Add-WindowsFeature RSAT-ADDS[/box]
Note: If you skipped step 6 then you will see the following error;
The term ‘Add-WindowsFeature’ is not recognized as the name of a cmdlet function, script file, or operable program.
Pre Deployment – Roles Required
Like previous versions of Exchange, you need to add certain roles to the server before you can install the product. Which roles you need, depend on whether you are deploying a server with the client access server role, or the mailbox server role (Note: if the server will hold BOTH roles, then the roles for mailbox server will cover both.)
Mailbox Server (Or Mailbox Server with Client Access Server) – Roles Required
Note: At time of writing there is no Office 2013 Filter pack. I suspect that when it is released, it will need installing instead of the Office 2010 version, (that’s what happened with Exchange 2010 anyway).
7. Then install the Knowledge Base article KB2619234 (Enable the Association Cookie/GUID that is used by RPC over HTTP to also be used at the RPC layer in Windows 7 and in Windows Server 2008). Note: This update requires a reboot.
8. Then install the Knowledge Base article KB2533623 (Insecure library loading could allow remote code execution). If you are fully up to date you may find that this update will not be applicable to your system, and you will see the following popup.
Client Access Server Only – Roles Required
The only difference for a server running the Client Access Role is that .Net 4.5 and the Windows Management Framework are not requirements. However if you have been following all the steps you will already have them installed. And having them installed will cause you no problems. So, follow all the same steps, and install all the roles and software that is required for the ‘Mailbox/Combined Mailbox and Client Access Server’.
Originally I was just going to write a ‘Prerequisite for Exchange 2013’ article, but the needs of Windows Server 2008R2 are so much greater, I split them up.
Solution
Planning ‘Time spent on reconnaissance is seldom wasted’
If you are going to deploy Exchange 2013 within your organisation, then you either already have Exchange (or another mail server product), or it’s a ‘Greenfield Site’.
You already have Exchange
Coexistence with Exchange 2003 is not supported, before you consider bringing in Exchange 2013, you will need to migrate to Exchange 2010, (a migration to Exchange 2007 would also work, but Exchange 2010 would be more sensible). Exchange 2013 Server can coexist in the same Exchange environment with both Exchange 2007 and Exchange 2010.
Warning: Even at Exchange 2010 – You cannot upgrade to Exchange 2013 without Service Pack 3.
Make Sure you have the DVD or ISO file for Exchange 2013, you don’t want to download a 3.5GB File at a client’s site through a slow ADSL Link! Also the prerequisite software is pretty big, get all that burned to disk, or on a USB Drive before you start.
Software Requirements
Well we are installing on Server 2012 (Standard or Datacenter) so what else would you need to worry about? How about backup software? Does your current backup solution support Exchange 2013? Also check with your anti-virus/antispam vendor that 2013 won’t be a problem. Do you have any mail archiving software, custom email signature software etc? Take a good look at the software packages in your existing mail system to make sure.
Outlook Client Access: Be aware your clients need to be using the following versions of Outlook BEFORE you migrate them.
1. CPU: As you’re planning on deploying with Windows Server 2012 you will already have a server with an x64 bit CPU to deploy Exchange 2013 on, though IA64 is NOT supported.
2. RAM: This is dependent on what roles the server will have, for a Client Access Server the recommendation is 4GB, for a Mailbox Server it’s 8GB. And if the server will hold both roles the figure remains at 8GB. Though if I were deploying an Exchange 2013 Server in anger I would start at 12GB for a small (less than 80 mailboxes) deployment and work upwards.
3. Disk Space: The drive which will hold the Exchange program files needs 30GB free space (that seems like a lot!) then there are some smaller figures you need to add up,
500MB per Universal Messaging Pack Language you are going to deploy.
200MB free on the server’s system (OS) drive.
500MB free on the drive that will house the message queue database.
If the server will be a Mailbox server then it will need sufficient room to store the mailbox/public folder databases.
4. DVDROM Drive: Actually this is not really a requirement, but I’m mentioning it because a few modern servers ship without DVDROM drives now. You don’t want to go to site with a disk and look like a clown! Exchange 2013 will deploy quite happily from an ISO image. (If in doubt use 7ZIP to extract the ISO to a folder, and take that with you).
Pre Deployment – Environment
1. The Windows 2012 server should be at least RTM, and should NOT be pre-release (If in doubt, Windows Key+R > winver {enter}). The build number should be at least 9200.
2. Your forest functional level should be at least Windows Server 2003. To see your forest functional level, Windows Key > Active Directory Domains and Trusts > Action > Raise Forest Functional Level.
3. The domain controller that is holding the Schema Master FSMO role in your domain, needs to be at least Windows Server 2003 SP2. To see which server is the schema master server, run the following command;
Note: In this example, I’m on a standalone server, that’s also a domain controller (not recommended for production environments!). In a live environment you may need to plan in some downtime to update the schema master.
4. The server you are deploying on, must already be a member of your domain.
5. Run Windows Update, and make sure the server is fully up to date. You will find Windows Update in Server Manager > Local Server.
6. Windows Server 2012 comes pre installed with .Net 4.5 and Windows Management Framework 3.0 (That’s new WMI and Powershell 3 in case you were wondering). So there’s nothing to do for this step, I only mention it for completeness.
7. The Exchange 2013 Server needs the ADDS (RSAT) administration tools installing. To do that simply run the following command;
[box] Install-WindowsFeature RSAT-ADDS [/box]
Note: As previously stated, the server used in the example above is a domain controller, so it already had the tools installed, hence the NoChangeNeeded exit code.
Pre Deployment – Roles Required
Note: From THIS POINT FORWARD, all roles can now be installed with the RTM release of Exchange 2012 during setup. The following will only need to be carried out if you are installing the pre-release version of Exchange 2013.
Like previous versions of Exchange, you need to add certain roles to the server before you can install the product. Which roles you need, depend on whether you are deploying a server with the client access server role, or the mailbox server role (Note: if the server will hold BOTH roles, then the roles for mailbox server will cover both.)
Note: At time of writing there is no Office 2013 Filter pack. I suspect that when it is released, it will need installing instead of the Office 2010 version, (that’s what happened with Exchange 2010 anyway).
The following procedure was carried out on two Cisco Catalyst 3750 switches.
Solution
1. We can see (above) that we have two switches, but if you’re connected remotely, best make sure.
[box]
Petes-Stack#show switch
Switch/Stack Mac Address : 0018.7347.a000
H/W Current
Switch# Role Mac Address Priority Version State
----------------------------------------------------------
*1 Master 0018.7347.a000 1 0 Ready
2 Member 0024.f79b.9b00 1 0 Ready
[/box]
2. Let’s see what IOS files are in the flash memory on both switches.
3. Well there’s only one IOS file in there but let’s make sure anyway, by seeing what version is loaded.
[box]
Petes-Stack#show version
----output omitted for the sake of brevity----
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 52 WS-C3750-48P 12.2(55)SE8 C3750-IPSERVICESK9-M
2 52 WS-C3750-48P 12.2(55)SE8 C3750-IPSERVICESK9-M
----output omitted for the sake of brevity----
[/box]
4. Let’s delete the IOS file from flash1, and make sure it’s gone.
8. Even though it’s been deleted, the boot variable will be set to the OLD version of the IOS, to demonstrate issue the following command.
[box]
Petes-Stack#show boot
BOOT path-list : flash:/c3750-ipservicesk9-mz.122-55.SE8
Config file : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break : no
Manual Boot : no
HELPER path-list :
Auto upgrade : yes
Auto upgrade path :
NVRAM/Config file
buffer size: 524288
Timeout for Config
Download: 0 seconds
Config Download
via DHCP: disabled (next boot: disabled)
-------------------
Switch 2
-------------------
BOOT path-list : flash:/c3750-ipservicesk9-mz.122-55.SE8
Config file : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break : no
Manual Boot : no
HELPER path-list :
Auto upgrade : no
Auto upgrade path :
Petes-Stack#
[/box]
9. So change the boot variable to the new one, and check again.
[box]
Petes-Stack# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Stack(config)# boot system switch all flash:c3750-ipservicesk9-mz.122-55.SE9.bin
Petes-Stack#show boot
BOOT path-list : flash:c3750-ipservicesk9-mz.122-55.SE9.bin
Config file : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break : no
Manual Boot : no
HELPER path-list :
Auto upgrade : yes
Auto upgrade path :
NVRAM/Config file
buffer size: 524288
Timeout for Config
Download: 0 seconds
Config Download
via DHCP: disabled (next boot: disabled)
-------------------
Switch 2
-------------------
BOOT path-list : flash:c3750-ipservicesk9-mz.122-55.SE9.bin
Config file : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break : no
Manual Boot : no
HELPER path-list :
Auto upgrade : no
Auto upgrade path :
Petes-Stack#
[/box]
10. Save the changes, and reload the switch.
[box]
Petes-Stack#write mem
Building configuration...
[OK]
Petes-Stack#reload
Proceed with reload? [confirm] {Enter}
Switch 2 reloading...
[/box]
11. Post reboot, log in and check that the stack is running the new code.
[box]
Petes-Stack#show version
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Mon 03-Mar-14 22:45 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02F00000
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
Petes-Stack uptime is 5 minutes
System returned to ROM by power-on
System image file is "flash:c3750-ipservicesk9-mz.122-55.SE9.bin"
[/box]
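A pre-reload check for steps 8 to 10, as an added example (not part of the original article): it parses stacked `show boot` output and lists every stack member whose BOOT path-list does not point at the new image, so a stale boot variable is caught before the reload. Function names are assumptions, and the first block of output is assumed to belong to switch 1 (the master in this stack).

```python
import re

# Trimmed from the page's 'show boot' output before and after step 9.
BEFORE = """\
BOOT path-list : flash:/c3750-ipservicesk9-mz.122-55.SE8
Config file : flash:/config.text
Manual Boot : no
-------------------
Switch 2
-------------------
BOOT path-list : flash:/c3750-ipservicesk9-mz.122-55.SE8
Config file : flash:/config.text
"""

AFTER = """\
BOOT path-list : flash:c3750-ipservicesk9-mz.122-55.SE9.bin
Config file : flash:/config.text
Manual Boot : no
-------------------
Switch 2
-------------------
BOOT path-list : flash:c3750-ipservicesk9-mz.122-55.SE9.bin
Config file : flash:/config.text
"""

NEW_IMAGE = "flash:c3750-ipservicesk9-mz.122-55.SE9.bin"


def parse_show_boot(text, local_switch=1):
    """Return {switch_number: first BOOT path} from stacked 'show boot' output.

    The first block carries no 'Switch N' header, so it is attributed to
    local_switch (assumption: the switch you are logged in to).
    """
    boots = {}
    current = local_switch
    for line in text.splitlines():
        header = re.match(r"\s*Switch\s+(\d+)\s*$", line)
        if header:
            current = int(header.group(1))
            continue
        boot = re.match(r"\s*BOOT path-list\s*:\s*(.*)$", line)
        if boot:
            # The path-list may hold several images separated by ';'.
            # The first entry is the one tried first at boot.
            boots[current] = boot.group(1).split(";")[0].strip()
    return boots


def image_name(path):
    """Strip 'flash:' or 'flash:/' so both spellings compare equal."""
    return re.sub(r"^flash\d*:/?", "", path.strip())


def stale_members(boots, wanted_image, members):
    """Stack members whose boot variable is missing or not the wanted image."""
    wanted = image_name(wanted_image)
    return sorted(sw for sw in members
                  if image_name(boots.get(sw, "")) != wanted)


if __name__ == "__main__":
    for label, output in (("before step 9", BEFORE), ("after step 9", AFTER)):
        stale = stale_members(parse_show_boot(output), NEW_IMAGE, (1, 2))
        print(label, "-> members still pointing elsewhere:", stale)
```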
Option 2
You can also carry out the following procedure on the switch ‘stack master’ that will automate the entire procedure for you. Note: This requires the IOS in .tar format not .bin (as above);