SCP’ing an IOS image to a Cisco 2960XR stack

Well, obviously you need SSH access to do this.  You also need your IOS device to be set up as an SCP server.  If you aren’t set that way, you’ll get this:

scp ~/Downloads/c2960x-universalk9-mz.152-2.E5.bin sysadmin1@
Administratively disabled.

To fix that, get into config mode and run:

ip scp server enable

Save, try again:

scp ~/Downloads/c2960x-universalk9-mz.152-2.E5.bin sysadmin1@
Privilege denied.

Okay, now the reason you’re receiving this is because you need privilege level 15 to do remote file copy, and if you’ve got your switch set up the ‘old fashioned’ way, it won’t work.  By ‘old fashioned’, I mean the classic way people have been configuring Cisco IOS for decades, where you’ve got a user you ssh (or console, or formerly telnet) in as, and then you ‘enable’ with a separate enable password to get config access.  You need to SSH in as a user with privilege 15.

Let’s set that up, and for the hell of it, let’s switch to modern key-based authentication.  I’m also going to lock things down to ONLY ssh access for network access.  A word of warning, don’t proceed with these if you use any type of remote authentication like TACACS+, RADIUS, etc. as it may break.  Also don’t use this if you use telnet; it will break.

Let’s add this config:

line con 0
exec-timeout 30 0
logging synchronous
line vty 0 4
exec-timeout 30 0
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 30 0
logging synchronous
transport input ssh
aaa new-model
aaa authorization exec default local if-authenticated
ip ssh version 2
ip ssh pubkey-chain
username admin1

The “aaa authorization exec default local if-authenticated” is to give your locally authenticated user exec privilege (i.e. level 15).  Now it’s at this point where you would normally enter your entire SSH public key, including the leading ssh-rsa.  However, you can’t do that, because Cisco’s interface sucks.  If you try to paste it in, you’ll get this:

%SSH: Failed to decode the Key Value

It will only take <250 characters, so any modern ssh key won’t fit.  You have to enter it as multiple lines.  If you’re on a unix system or a Mac, from a command prompt, use the handy ‘fold’ command to spit out your ssh key in happy chunks.  Here’s how to spit out no more than 100 characters per line, for example:

# fold -w 100 ~/.ssh/

Now you can just paste that into the IOS prompt and follow it up by “exit” on a line by itself to let IOS know you’re done entering the key:

swh-1(config)#ip ssh pubkey-chain
swh-1(conf-ssh-pubkey)#username sysadmin1
swh-1(conf-ssh-pubkey-data)#ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFl7glLz+aBi5fWruLFY2LJXEufRCZe23Mj5DDYgUNFDXaSARBPOmuzInKwlQB

Woohoo, at this point, you should be able to simply ssh in as your username and immediately be given a privilege 15 exec prompt.

If that’s all good, you should be able to scp your new IOS file to the device now.  For an added bonus, if this is a stack,  here’s how you SCP it to what would be the second switch in the stack (flash2):

scp ~/Downloads/c2960x-universalk9-mz.152-2.E5.bin sysadmin1@

The tricky part about the above is if you attempt to just give a target directory, like normal unix to unix scp, it will fail.  So, if your intent was to get the image onto switch2’s flash, by doing this:

scp ~/Downloads/c2960x-universalk9-mz.152-2.E5.bin sysadmin1@


that won’t work, you’ll get:

scp: flash2:/: No such file or directory

So, just give it the flash2 and full filename for the target; it will work.  Now, what I can’t figure out for the life of me is why scp operations are so slow….  Ended up taking 15 minutes:

c2960x-universalk9-mz.152-2.E5.bin           100%   20MB  21.9KB/s   15:50

No, there’s no port/speed/duplex issues, I’m plugged into the switch directly at gig and scp’ing to it from the management vlan which I’m also on, so no routing.  Only unusual part of the scenario is the management IP is obviously that of the stack master, and the target is the second switch in the stack; maybe that causes it to do something stupid.  Ha; better, but no huge difference from a time wasted perspective, even though it was a third less time from a statistics perspective; weird.

c2960x-universalk9-mz.152-2.E5.bin 100% 20MB 33.8KB/s 10:14

8 Replies to “SCP’ing an IOS image to a Cisco 2960XR stack”

  1. Gg

    I have configured everything exactly the way you have using the steps you have mentioned. I have no tacacs+ config on the switch and I configured ip ssh pub-keychain and I am able to login using the username/ssh keys that I have specified. However, when I try to scp, I am receiving the following error:

    admin@serverbox:/tmp$ scp sw1:/04-20-17_sw1.conf sw1.conf
    Authorization denied.

    Do you have any ideas what might be wrong? Is there another config that I need to use? I previously received the “privilege denied” message until I added “aaa authorization exec default local if-authenticated”.

    • Your Mom Post author

      Couple questions. Are you sure your ssh key is configured on the switch for a username of ‘admin’ since that’s what it will try logging in as since you didn’t specify the user? Are you sure “ip scp server enable” is in your config? Are you sure there’s a file on your switch named 04-20-17_sw1.conf? From your example, you’re trying to copy a file off the device to your local system; do you have permission to write into the directory you’re in? I replicated what you’re trying to do, and same local directory, with the switch’s config file and it worked:

      sysadmin@iMac:/tmp# scp switchadmin@ .
      config.text 100% 19KB 19.2KB/s 00:01
      Connection to closed by remote host.
      sysadmin@iMac:/tmp# ls config.text

  2. Gg

    Thanks for the reply! Yes, the ssh key is configured on the switch for ‘admin’ and scp server is enabled on the switch:

    ip ssh pubkey-chain
    username admin
    key-hash ssh-rsa
    ip scp server enable

    Thus, I am able to ssh in as ‘admin’. The file ’04-20-17_sw1.conf’ is also in there and I have permission to write into the directory I am in.

    Just as a test to verify the accessibility of the file as well as my permissions on my server, I created a user on the switch:

    username user privilege 15 password 7

    And then set authorization and authentication as local:

    aaa authentication login default local
    aaa authorization exec default local

    And SCP worked…

    I should mention my switch is a C3750E…

    • Your Mom Post author

      My other testing was to a 2960 so I just tried the same setup on a 3850 and it worked there as well. Unfortunately I don’t have access to a 3750 to test with but I really can’t see why that should be an issue. Are you able to scp a file into the device or does that fail too? And I assume no useful info in ‘show log’?

      • Gg

        Not able to scp a file into the device nor does show log show anything useful :(

        I also have a 3850 and tried the same config on there and I’m seeing the same problem… perhaps it’s a version issue.. although it would be strange across two different Cat3K models…

        • Your Mom Post author

          If it helps, the 3850 I tested with is:

          * 1 56 WS-C3850-48P 03.03.04SE cat3k_caa-universalk9 INSTALL

          and the 2960XR is 15.2(2)E5. Sorry I couldn’t help; haven’t run into it not working yet.

      • Gg

        Here is an interesting additional discovery…

        When I have “aaa authorization exec default local if-authenticated” configured, I cannot ssh to the switch. I get:

        admin@serverbox:/tmp$ ssh sw1
        % Authorization failed.

        When I remove “aaa authorization exec default local if-authenticated”, ssh works (but of course scp still isn’t).

        I know that that auth is working though even without that config because if I modify the key-string for the ‘admin’ user to something incorrect, I cannot log in.


Leave a Reply

Your email address will not be published. Required fields are marked *