Performing a basic upgrade
The overall procedure for a basic upgrade involves copying only the new application, boot, monitor, and combined FPGA images.
There are two ways to perform an upgrade to FIPS-enabled devices:
-
Using Secure Copy (SCP). For more information about SCP, refer to the
Extreme NetIron configuration guides.
-
Using a TFTP server. To upgrade using TFTP at the Privileged EXEC level of the CLI (fips policy allow tftp-access is enabled), you must first enter the command in global configuration mode:
device(config)# fips policy allow tftp-access
Note
- If the device is in FIPS mode, use the
fips policy allow tftp-access command. If the device is not in FIPS mode, TFTP is allowed.
- Once FIPS mode is enabled on the system, even if the mode is disabled at a later time, the firmware integrity test will always be carried out on the device at image copy time. The RSA2048-SHA256-based signature firmware integrity test is run during image installation time and during image reload time when the device has been administratively enabled for FIPS. The test is run on MP and LP images at image reload time, when the device is in the FIPS mode. This test is in addition to the CRC-16 test that is run by the device during image reload time. Both the tests should pass for the device to reload successfully.
- Before upgrading the image, if the device does not have the correct signature files on the device, and the target image is the same as the current image on the device, then we need to run the
force-sync-standby command. Note that you should run the command after the image upgrade and before the device reload. The specific signatures files may not be available if they were removed or not installed before the upgrade attempt, and the image being upgraded to is the same as the one which is on the device prior to the upgrade. For this reason, it is preferable to use simplified upgrade to allow for the correct signatures to be copied simultaneously with the image.
