Safely upgrading an IOS image (IOS 15.0x used as Example)

Easy as pie! Using a recent upgrade to 15.0(1)SE2 as an example.

Prepare for the upgrade: 

+ Identify the image feature set needed: run the command # show version
+ Navigate to the Cisco Software Download site and download the needed image.
+ Place the new 15.0(1)SE2 IOS image (.bin file) on your FTP/TFTP server. Make sure the switch has access to the server (ping, sourcing from the TFTP interface).

+ Have the original image also available on the TFTP server  (better safe than sorry no?)

+ Ensure there is console access to the switch that will be upgraded. If you have a neighboring device, you can set up console access by connecting the aux port of the neighboring device to the console port of the switch and using reverse telnet, which is very useful here.

+ Backup the configuration
# copy startup-config tftp
!–Enter IP address, press enter
!–Confirm filename, press enter

+ Check the amount of free memory using the command:
# dir flash:

If there is not enough space, delete the old image – make sure there is a backup of the image.
# delete flash:c3560-old-imagename-example.bin
!– to delete a directory, # delete /force /recursive {directoryName}
If there is enough free space, copy the image to flash.

Executing the Upgrade

# copy tftp flash:
!– Enter IP address, press enter
!– Confirm Source file name, press enter
!– Confirm destination file name. Press enter.
!– You will see many !!!!! during load.

Confirm the new image is available:
# dir flash:

Verify the checksum
# verify flash:c3560-new-imagename-example.bin
!– If you get an error, the image may have corrupted during transfer.

Set the boot statement to the new image
# config t
(config)# boot system flash:c3560-new-imagename-example.bin

Verify the boot statement
# show boot

Save the configuration
# copy run start
# write memory

Reload the device
# reload

Verify new code is applied
# show ver

Rollback Plan 
Change the boot statement to the original image. Reload.
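The free-space and checksum steps above can also be checked on the TFTP server before the copy starts. This is an added example, not part of the original post: it assumes you have the checksum shown for the image on the download page and a paste of the switch's `dir flash:` output (the sample output below is constructed, and the function names are illustrative).

```python
import hashlib
import hmac
import os
import re

# Constructed sample of `dir flash:` output; file names follow the page's placeholders.
SAMPLE_DIR_FLASH = """Directory of flash:/

    2  -rwx    11792247   Mar 1 1993 00:12:33 +00:00  c3560-old-imagename-example.bin
    3  -rwx        3096   Mar 1 1993 00:05:12 +00:00  config.text

32514048 bytes total (20715520 bytes free)
"""


def free_flash_bytes(dir_output):
    """Pull the free byte count out of the summary line of `dir flash:`."""
    match = re.search(r"\((\d+) bytes free\)", dir_output)
    if match is None:
        raise ValueError("no '(N bytes free)' summary line in the output")
    return int(match.group(1))


def file_digest(path, algorithm="sha512"):
    """Hash the staged image in chunks so large .bin files do not fill RAM."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preflight(image_path, published_digest, dir_output, algorithm="sha512"):
    """Return a list of problems; an empty list means the copy can go ahead."""
    problems = []
    actual = file_digest(image_path, algorithm)
    expected = published_digest.strip().lower()
    if not hmac.compare_digest(actual, expected):
        problems.append(f"{algorithm} mismatch: staged image is not the published file")
    size = os.path.getsize(image_path)
    free = free_flash_bytes(dir_output)
    if size > free:
        problems.append(f"image needs {size} bytes, flash has {free} free")
    return problems
```

A mismatch at this stage means the file on the TFTP server is already wrong, so an error from the switch's own verify step after the copy can then be put down to the transfer.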


And that’s all folks!

Exploring STP behaviors – Part 1

Let’s explore the behavior of STP (802.1D) on our new device “Switch1”. We plug it in, power it up and connect to the console with our console cable. We quickly enter enable mode, run show ver and note our base MAC address.

We can run a few more commands to see what is going on with spanning tree on the switch.
Switch1#show spanning-tree
Switch1#show spanning-tree active 
Switch1#show spanning-tree detail
Switch1#show spanning-tree vlan 1

The commands above will all return the output:  No spanning tree instance exists.

The command show spanning-tree inconsistentports will return limited output. The command show spanning-tree summary will give us a summary of features; most importantly at this point, it lets us know that the switch is running STP per VLAN by default.


Connecting the switch to a shutdown router interface will initiate the STP instance.  Once the router interface is powered on or a device with an active interface is connected, we can observe the spanning tree instance in action.

Switch1#sh spanning-tree

  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.6376.BDED
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.6376.BDED
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg LSN 19        128.1    P2p

The switch will quickly establish itself as the root and begin the BPDU exchange, and the interface will begin transitioning through the STP states:

Power On / Initialize


Listening state

Learning state

Forwarding state




Switch1 will send out BPDUs to multicast address(es) 01:80:C2:00:00:00 – 01:80:C2:00:00:10 every 2 seconds, according to the default timer above. By default the BPDUs will carry the default priority of 32769 (about half of 2^16).

Each BPDU will contain a Root ID (8 bytes – initially self) and a Bridge ID (8 bytes – initially self) and other fields such as the STP version, the timers and the BPDU type. For now let’s understand the Bridge ID.
Again – the Bridge ID is 8 bytes. It’s composed of the MAC address of the switch/bridge and the priority. The MAC address in this case is 0001.6376.BDED; that’s 12 nibbles, or 6 bytes, and the remaining 2 bytes are used for the priority.

The details above while wordy are not unimportant.  The root election when other switches are plugged in will depend entirely on the contents of the Bridge ID in the BPDU exchange.
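To make the 8-byte layout concrete, here is an added example (not part of the original post) that packs Switch1's Bridge ID, unpacks it again, and runs the root election as a comparison of those 8 bytes. It splits the 2-byte priority field into the 4-bit priority and 12-bit sys-id-ext that the show output reports as "priority 32768 sys-id-ext 1"; the function names and the second and third switches are constructed for illustration.

```python
import struct


def encode_bridge_id(priority, vlan, mac):
    """Pack priority (a multiple of 4096), sys-id-ext (VLAN) and MAC into 8 bytes."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 0 <= vlan <= 4095:
        raise ValueError("sys-id-ext must fit in 12 bits")
    mac_bytes = bytes.fromhex(mac.replace(".", "").replace(":", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be 6 bytes")
    # 2 bytes of priority + sys-id-ext, network byte order, then the 6-byte MAC.
    return struct.pack("!H", priority | vlan) + mac_bytes


def decode_bridge_id(raw):
    """Split an 8-byte Bridge ID back into the fields the show commands print."""
    if len(raw) != 8:
        raise ValueError("Bridge ID must be exactly 8 bytes")
    (field,) = struct.unpack("!H", raw[:2])
    mac = raw[2:].hex().upper()
    return {
        "advertised_priority": field,   # what 'Priority 32769' shows
        "priority": field & 0xF000,     # configured part, steps of 4096
        "sys_id_ext": field & 0x0FFF,   # VLAN number
        "mac": f"{mac[0:4]}.{mac[4:8]}.{mac[8:12]}",
    }


def elect_root(bridge_ids):
    """Lowest Bridge ID wins: priority decides first, the MAC breaks ties."""
    return min(bridge_ids)


# Switch1 is taken from the output above; Switch2 and Switch3 are constructed.
SWITCH1 = encode_bridge_id(32768, 1, "0001.6376.BDED")
SWITCH2 = encode_bridge_id(32768, 1, "0001.42AB.0002")  # same priority, lower MAC
SWITCH3 = encode_bridge_id(4096, 1, "00D0.BC00.0003")   # lower priority, higher MAC

if __name__ == "__main__":
    print(SWITCH1.hex(), decode_bridge_id(SWITCH1))
    print("default priorities:", decode_bridge_id(elect_root([SWITCH1, SWITCH2]))["mac"])
    print("with Switch3:", decode_bridge_id(elect_root([SWITCH1, SWITCH2, SWITCH3]))["mac"])
```

With every switch left at the default priority the election falls through to the MAC address, so the root ends up wherever the lowest address happens to be; setting the priority field deliberately is what keeps the root where the design wants it.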

The show spanning-tree detail command will now give a more verbose explanation of the spanning tree elements, including very valuable detail regarding topology changes and their source.

Switch1#show spanning-tree detail

VLAN0001 is executing the ieee compatible Spanning Tree Protocol
  Bridge Identifier has priority of 32768, sysid 1, 0001.6376.BDED
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 32769
  Topology change flag not set, detected flag not set
  Number of topology changes 0 last change occurred 00:00:00 ago
        from FastEthernet0/1
  Times:  hold 1, topology change 35, notification 2
   hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

Port 1 (FastEthernet0/1) of VLAN0001 is designated forwarding
  Port path cost 19, Port priority 128, Port Identifier 128.1
  Designated bridge has priority 32769, address 0001.6376.BDED
  Designated port id is 128.1, designated path cost 19
  Timers: message age 16, forward delay 0, hold 0
  Number of transitions to forwarding state: 1
  Link type is point-to-point by default

Here are some of the other commands and their output:

Switch1#show spanning-tree summary
Switch is in pvst mode
Root bridge for: default
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is disabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0          1          1
---------------------- -------- --------- -------- ---------- ----------
1 vlans                      0         0        0          1          1

Switch1#show spanning-tree interface fastEthernet 0/1

Vlan             Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001         Desg FWD 19        128.1     P2p

The output above lets us know that f0/1 on Switch1 is participating in Spanning Tree for VLAN1, which has converged (we know this because the port is “Designated” and has transitioned to the FWD state). I will continue this next time with the effects of directly connecting a 2nd and 3rd switch to Switch1.

That’s all for today.  Later gaters!


Gabe @ presents: How to Subnet – Part 2 (The classful problem)

Welcome! I’m going to assume that you are here because you’ve read Part 1 – (The primer) and are considered by anyone’s measure a binary black belt :D.  If you’re asking yourself “huh.. what the funk is binary?” then you are not yet worthy greenhorn.  Click here now.

So moving forward… every IP address we deal with comes in a pair – IP and subnet mask. If the IP address were the coordinates to a location, the subnet mask might be the specific map. The purpose of the subnet mask is to identify the portion of the IP that describes the network, and from that you can determine the part that is used to assign to PCs, servers and interfaces on network devices. One can be sort of significant without the other, but when you have the pair you are in business.

If you open up your command prompt and run the ipconfig command, you will see the private IP assigned by your router.

In my home LAN, I was assigned IP address with a subnet mask of  So what does that mean? when does subnetting happen?  Hold your horses cowboy I’m getting there :D.   Know that like in my  home network, and in business networks, routers are the hard physical segmentation of a broadcast domain.   Put this thought away for now though, we need to discuss IP further.

Recall the binary from part 1. The subnet mask 255.255.255.0 means the first three octets define the network (specifically the broadcast network), and the final octet is mostly assignable. Let’s break down the IP and SM into the binary equivalents:

SM in decimal = 255.255.255.0 = Binary equivalent = 1 1 1 1 ☺ 1 1 1 1 . 1 1 1 1 ☺ 1 1 1 1 . 1 1 1 1 ☺ 1 1 1 1 . 0 0 0 0 ☺ 0 0 0 0 = 24 bits from the left = /24

The smileys are just there to help you process the ones.. they’re not significant. The notation /24 and the subnet mask 255.255.255.0 are absolutely and totally interchangeable. Some will call the notation /24 the prefix notation, the “slash notation” (yuck), or the CIDR notation… CIDR probably being the most popular; any is fine as long as you know what we’re talking about. I call it the prefix notation.

Network Classes (Classful subnet masks)

The 255.255.255.0 is also a special subnet mask as it defines a “classful” class C network. Just so I don’t throw you off… know that classful networks using a classful subnet mask like 255.255.255.0 or /24 are what we have to work with if a subnetting technique is not applied. These are easy to remember; there are only three.

Classful Class C = 255.255.255.0 = /24

Classful Class B = 255.255.0.0 = /16

Classful Class A = 255.0.0.0 = /8

To further analyze our home network example.  My IP address with the subnet mask is a class C address and a single node that’s part of a bigger group. The subnet mask lets me know that the first three numbers 192.168.0 identify the network.

Breakdown for network    or
+ First IP identifies the network segment – known as the network IP, the wire address. Not assignable.
+ First usable IP address.. often assigned to the gateway, or routing interface. This one is assigned to my home router.
+ This IP is assigned to my computer on this network.
+ The broadcast IP address is the last IP of the network segment and is also not assignable.

There are 256 IP addresses total if you count all IP addresses from 0 to 255.  One to 255 = 255, and the zero counts as the first one, so total is 256.  Of the 256 you can only use 254 since one IP is reserved for the wire address, and one IP is reserved for the broadcast address.  This is a characteristic of a classful class C network.  It’s useful to slowly get to know the characteristics about classful networks:

Class   Subnet Mask      Prefix   Total IP      Usable        Binary representation of subnet mask
C       255.255.255.0    /24      256           254           1111 1111 . 1111 1111 . 1111 1111 . 0000 0000
B       255.255.0.0      /16      65,536        65,534        1111 1111 . 1111 1111 . 0000 0000 . 0000 0000
A       255.0.0.0        /8       16,777,216    16,777,214    1111 1111 . 0000 0000 . 0000 0000 . 0000 0000

For the sake of the concept let us only concern ourselves with a class C address for now. So at this point we need to understand that a network with prefix /24 or subnet mask of 255.255.255.0 represents a classful class C network, one that has 256 IP addresses total. You can say that the range of IPs from 0 to 255 represents the full IP space.

With this IP space you could easily design a valid small network and have valid IPs , here is what this may look like:

At this point, your noggin should hold a pretty rock solid idea of what the segment looks like BEFORE we apply subnetting.  If you’ve fallen off the bus, go find yourself and meet us up here once you’ve caught up… otherwise I would find myself leading you into confusion.

Purposeful Subnetting

Like we briefly mentioned earlier on, the router, or router interface will segregate a broadcast domain or network segment… meaning that when designing a new network segment you cannot use IP addresses belonging to an IP space that has already been allocated.  Let me illustrate what would be the effect of this rule on a growing network:

In the scenario the original network is still there, a /24 class C network segment with 100 users.  So knowing what you know at this point you know the following facts about the /24 network:

256     Total IP addresses –
-100   IPs allotted to the users.
-1        IP assigned to the Router1 interface connected to Switch1.
155      IPs remaining

Enough for the rest of the network right?  Well… actually not so fast Sancho Panza.  The interface on Router1 delineates the physical end of the /24 LAN.  The 50 users connected to Switch2 cannot use the IPs allocated to the network.

You can solve this without subnetting by using the next available subnet /24.  This allocates another 256 IP addresses, of which only 254 are assignable. In this network segment 50 are assigned to users, 1 to the router interface, and 203 are left unused.   Lastly – what about the single user directly attached to Router1 on the far left?  You guessed it! You have to allocate yet another /24 network.. that means 254 more allocated IPs, and only 3 used (1 user, 1 wire, 1 broadcast).

Anyone doing the math?  When all is said and done, we’ve allocated 768 IP addresses for 151 users, 3 router interfaces and 6 required wire/broadcast IPs.  Can anyone else see a problem with this?  Designing networks using classful boundaries results in very large IP addressing inefficiencies.  To mitigate this problem, RFC 1519 was written in September 1993 introducing subnetting and classless IP routing. RFCs are dense reading, they are very informative but can be confusing to someone trying to learn a concept.

When you subnet an IP space you’re dividing the original IP space into distinct logical networks – each one with its own wire and broadcast address.  This is accomplished by turning on additional bits on the classful subnet mask.  I’ll wrap up this post with a small taste…enough to whet the appetite.

/24 = ~ 255

If you turn on 1 more bit on the subnet mask we end up with the following 2 distinct networks.  Not quite enough to solve our problem above, but getting much closer

/25 = ~ 127    Wire IP  0, broadcast IP 127 ~ 255   Wire IP 128  broadcast IP 255
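The numbers in this section can be reproduced with Python's ipaddress module. This is an added example, not part of the original post: it counts the classful allocation for the three segments of the scenario, splits the 192.168.0 network into its two /25 halves with their wire and broadcast addresses, and then goes one step beyond this part by computing the smallest block that would fit each segment. The segment names and function names are illustrative.

```python
import ipaddress

# Segments of the growing-network scenario as (name, users). Each segment also
# needs 1 router interface, 1 wire address and 1 broadcast address.
SEGMENTS = [("Switch1 LAN", 100), ("Switch2 LAN", 50), ("Router1 direct", 1)]


def addresses_needed(users):
    """Users plus router interface, wire address and broadcast address."""
    return users + 3


def classful_plan(segments):
    """One classful /24 (256 addresses) per segment: allocated, used, wasted."""
    allocated = 256 * len(segments)
    used = sum(addresses_needed(users) for _, users in segments)
    return allocated, used, allocated - used


def split(network, new_prefix):
    """Divide a network into equal subnets; report wire, broadcast, usable hosts."""
    parent = ipaddress.ip_network(network)
    return [
        (str(sub), str(sub.network_address), str(sub.broadcast_address),
         sub.num_addresses - 2)
        for sub in parent.subnets(new_prefix=new_prefix)
    ]


def smallest_prefix(addresses):
    """Longest prefix whose block of 2**(32 - prefix) addresses still fits."""
    prefix = 32
    while 2 ** (32 - prefix) < addresses:
        prefix -= 1
    return prefix


def classless_plan(segments):
    """Right-sized prefix per segment, which is where subnetting is heading."""
    return {name: smallest_prefix(addresses_needed(users)) for name, users in segments}


if __name__ == "__main__":
    print("classful (allocated, used, wasted):", classful_plan(SEGMENTS))
    for subnet, wire, broadcast, usable in split("192.168.0.0/24", 25):
        print(f"{subnet}: wire {wire}, broadcast {broadcast}, {usable} usable")
    plan = classless_plan(SEGMENTS)
    print("classless:", plan, "total", sum(2 ** (32 - p) for p in plan.values()))
```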

Grats if you’re still following along, I realize it gets real ugly real quick.  If you’re still on the bus please continue to Part 3. (Hopefully coming real soon :D) If you’ve fallen off, use this time to catch up or ask questions.

Thanks for reading!



Gabe @ presents: How to Subnet – Part 1 (the primer)

Before we get into the meat of this critical matter of subnetting we have to cover a few bases.  I want to move forward assuming you understand a few basic things.   We’ll be dealing with IPv4 addresses, I will call them simply IP addresses… Although I am referring to IPv4 addresses.  IPv6 (the one that looks like a MAC address) is out of scope in everything I write in this post.

Audience:  Those who don’t get subnetting but have a need to learn to subnet.

Here are some fundamental truths you must learn:

++ An IP address can be anything in the range of  and , is not a valid address.  Why not 256? It cannot be represented in the 8 bits that compose the 3rd octet.

You call the values between the periods “octets”. For IP 1.2.3.4 … 1 is in the 1st octet, 2 in the 2nd, 3 in the 3rd and 4 in the fourth.

Each octet is composed of eight bits (bit locations), which could be on or off.

_ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _. _ _ _ _ _ _ _ _. _ _ _ _ _ _ _ _     These are the 4 octets of an IP address represented by the bit locations; each underscore represents a bit location.

There are 32 bits, 8+8+8+8.

You MUST learn the powers of 2, this is elementary and absolute. For the higher ones it helps to remember that 2^10 (two to the tenth) starts with 10. Every power is twice the previous one, or half of the next one.

. __    __    __    __      __   __  __   __  .     The eight underscores of one octet (8 bits).  You must absolutely without fail learn the value of each bit location.   The left-most bit of an octet is worth 128, this is true for every octet.

128  64     32    16       8     4     2     1           <– These are the values of the specific bit locations.  These values are the same for each bit location.
2^7         –>             –>                 2^0

Here’s a few examples of how you would represent decimal numbers in binary bits (of one octet).

1 =
0      0       0      0        0       0     0     1
__    __    __    __      __   __   __   __
128  64     32    16       8     4     2      1  

2 =
0      0       0      0        0       0     1     0
__    __    __    __      __   __   __   __
128  64     32    16       8     4     2      1  

12 =
0      0       0      0          1     1      0    0
__     __     __    __      __   __   __   __
 128  64     32    16       8     4     2      1  

240 =
1      1       1      1           0     0      0    0
__    __      __    __      __   __   __   __
128  64     32    16       8     4     2      1  

255 =          (all bits on)
1      1       1      1            1     1      1    1
__    __      __    __      __   __   __   __
128  64     32    16       8     4     2      1  

Learning to work with binary numbers (converting a regular decimal number to binary, and binary numbers back to decimal) is a fundamental skill for subnetting.

This skill must be honed through practice… try the Cisco binary game. Play this game until you’re dreaming in binary. 🙂 You can download the binary game on your iPhone.

A little bit of memorization here goes a long way. Memorize the additions of the bits from left to right: 192  224  240  248  252  254  255.

128+64 = 192
192+32 = 224
224+16 = 240
240+8= 248

Later it will make perfect sense why memorizing these additions is essential.    Once you’ve committed these to memory, and are dominating the Cisco Binary game you can graduate to ‘How to subnet – Part 2’.   As a bonus you can feel confident because no one in their right mind will call you a weaksauce binary noob.  If they do – they are gravely mistaken.

Look deep within your soul… if you feel are ready, click here for Part 2.

Later peeps.


Gabe @