Verifying Cisco IOS File Integrity

Moving files on Cisco devices is important to know how to do but knowing the files are free of errors is also important.  If you have every upgraded a device and find that it won’t boot because the image file corrupted you certainly know what I’m talking about.  While this happens very rarely it’s important none the less.  Additionally, knowing that you got the IOS from Cisco without it being tampered with is also important from a security standpoint.

First, jump onto Cisco.com and log in with your Cisco ID.  Access the download section for a device you have support on.  Click on the title of the download you want.  A box will be displayed that will show you the basics for that file.  This will include the version, minimum RAM and Flash requirements, release date as well as the checksum value.  It will look something like this:

cisco_download_checksum

We can use an MD5 checksum value on our PC, Linux Box, or Cisco network device to verify this value is correct and that the files integrity is 100%.

On a Linux system there is nothing to it!  Simply use the native “md5sum” command with the filename as the argument.  Compare the results to the hash given on Cisco’s site and you’re done.  If the results are different briefly your actually looking at the right file and re download.

[root@test1 ~]# md5sum c3560-ipbasek9-mz.122-58.SE2.bin
bb86b1de4eb8e37fd0710c40d895445c  c3560-ipbasek9-mz.122-58.SE2.bin

On a windows system the process is essentially the same except a utility will be needed to do this process.  Unfortunately Windows does not come with something native for this.  You can download the “File Checksum Integrity Verifier” utility HERE.   You will have to extract the file and throw the executable in a location you can access it.

Run the command with a file as the argument like this:

 C:\TFTP> fciv C:\TFTP\
//
// File Checksum Integrity Verifier version 2.05.
//
bb86b1de4eb8e37fd0710c40d895445c C:\TFTP\c3560-ipbasek9-mz.122-58.SE2.bin
[root@test1 ~]# md5sum c3560-ipbasek9-mz.122-58.SE2.bin
bb86b1de4eb8e37fd0710c40d895445c  c3560-ipbasek9-mz.122-58.SE2.bin

Finally, after the file has been TFTP or moved to the Cisco device in one way or another we can verify the file there as well with the “verify” command:

 sw1#verify /md5 flash:/c3560-ipbasek9-mz.122-58.SE2.bin
...............................................................................Done!
verify /md5 (flash:/c3560-ipbasek9-mz.122-58.SE2.bin) = bb86b1de4eb8e37fd0710c40d895445c

I hope you found this useful!

This entry was posted in Networking and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *