Upgrade IOS on 2950 Switch

[New2Cisco1999]

I would like to upgrade several 2950 switches to support SSH.

What software image should I use?

 

[ADB100]

You need to use the 'Crypto' image. Be aware though that you will only be able to run this image on EI capable 2950's. SI only 2950's can't run the Crypto image and although the image will install the switch will fail to boot and you will need to perform a software recovery (this is from experience....)

Have a look at the release notes to see if you have SI or EI switches.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea7/ol8122.htm#wp36950

HTH

Andy

 

[jneiberger]

This is no longer correct. Even the plain old 2950-24 can run the image with SSH, now. This changed last year sometime. I have a whole bunch of 2950-24s running the SSH image now. It's still an SI image, it just happens to have SSH now.

 

[ADB100]

What is the exact part number of the 2950-24 you have since the latest release notes still say :

1. Switches that support only the SI cannot run the cryptographic image. For more information, see the SI-only switches listed in Table 1 and the “Cisco IOS Limitations and Restrictions” section on page 15.

I upgraded a 2950-24 (part no. WS-C2950-24) with the Crypto image last year and during boot up it reported an error through the console saying it couldn't run the Crypto image and restarted. This wasn't the latest IOS (but definitely 12.1(22)EAx).

Andy

 

[jneiberger]

Almost all of our switches are WS-C2950-24. Take a look at this page:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5013/prod_bulletin0900aecd801bfce5.html

Look at the first line in the first table. It indicates that SSHv2 became available in the SI image beginning with 12.1(22)EA2.

 

[jneiberger]

There does seem to be an inconsistency in the release notes. I just opened up a TAC case to get some clarification. Either Software Center is wrong or the release notes are misleading. In either case, something needs to be clarified or corrected.

I'll let you know what I find out.

John

 

[ADB100]

Cool, thanks for the link. I assume it was an earlier crypto release than 12.1(22)EA2 that I used when I did this last year. The release notes are a bit misleading though (

Andy

 

[jneiberger]

I just got a callback from a TAC engineer. He also feels that the documentation is incorrect. He's going to do some more research and, if necessary, talk to the people in charge of the documentation to have them correct it.

 

[jneiberger]

TAC seems to be very confused about this. The first engineer said that he thought I was right. He later left me a voice mail saying that SSH was NOT supported on an SI switch. I sent him CCO documentation that said otherwise and I also included output from one of my SI switches showing that it was, indeed, running SSH. They then came back and said, "Okay, it really does do SSH, but it's just not the best practice."

What the heck are these guys smoking? I have a suspicion that they really mean that it's not recommended to run SSH because it's a resource hog and these switches don't have many resources to spare. I've asked for clarification.

Regardless, we did answer the first question. An SI version of a 2950 can definitely run SSH. TAC just apparently doesn't think you should, but they haven't explained why yet.

 

[jneiberger]

I talked some more with the TAC engineer today and, despite having an incredibly difficult time deciphering his accent, I think it comes down to this: SI models of the 2950 will support SSH but it is not recommended because of the resources required to run it. Apparently, there is a fairly significant chance that the memory requirements and CPU load can adversely affect the switch and possibly may even cause it to reload under the right circumstances.

So, I guess TAC's perspective is that you should use SSH on the 2950s at your own risk.