3560 12.2(50)SE SSH Feature

Similar Messages

• ASR1002-x Security License just for SSH?

  Hi, we are about to buy Cisco ASR 1002-X router, By default it comes with IPBASE License.
  As per PCI we shouldnt be using telnet to access router, but as per research IPBASE dont support SSH.
  so does that mean i will need to buy Security license just to enable SSH feature on router for remote management ? :-s
  please guide, if my assumptions are wrong.

  SSH support depends on the IOS you've downloaded.  Make sure the IOS filename contains "k9".   If the filename doesn't contain "k9" then it doesn't support SSH.

• SSH and REMOTE X......Not X Forwarding

  I've setup several web servers at home for myself, a website, and WordPress on both virtual and real hardware to learn more about servers.
  They have varied from just installing Apache on a Ubuntu desktop to installing my website and Wordpress on a lamp server without X.
  I quickly learned the benefits of a server without X and a GUI, so I set a goal to setup and configure a lamp server without installing a GUI......and I finally accomplished it!!
  Now I'll be the first to admit that I'm still more comfortable in a GUI environment compared to the command line. However, I have no problem using the command line when needed, and am comfortable navigating the file system and editing config files using nano, while still learning and trying to remember commands!!!
  My question is where to get more info on how to access my current server without X installed, via SSH and remote X from my Arch desktop to use GUI apps.
  I already use the "connect to remote SSH server" to remotely manipulate the file system over my local network using Nautilus.
  If Nautilus will work via remote X, then all GUI apps in theory will work. I'm just having problems actually figuring out how to it!!!
  I've read that, "By default, this feature is disabled (for security reasons)". So I need to
  startx -listen_tcp
  But to do that, I need to:
  If this server is no longer running, remove /tmp/.X0-lock and start again.
  But when the X server is not running, the tmp file referred to is not there!!
  Any ideas on how to "toggle" this function on and off easily?
  Security risks?
  I would also appreciate any additional refrence material on remote X.
  Last edited by jeff story (2009-10-11 19:42:15)

  mcover,
  First, I'd like to ask you something. Did I really say something so wrong that you have to be a rude f#&ker in your reply and try to belittle me for not knowing as much about how Linux works as you?? Did I unknowingly insult you in some way? Sorry if I did.
  mcover said:
  What you want to do is, run a bunch of GUI apps remotely on your server (let's call it machine B) and forward their X output to your machine (machine A). That certainly defeats the purpose of a server, but heck.. it's all possible.
  OK, based on that statement, either you aren't getting what I'm wanting to do, or perhaps you can explain why you feel that way.
  No, I don't want to run GUI apps on my server and forward X.....Thats exactly what I don't want to do.
  Quote mcover:
  That certainly defeats the purpose of a server
  When I'm NOT going to install anything additional on my server to do what I want, and ask for security considerations?
  Wow....
  Quote mcover:
  But the remote-SSH feature of Nautilus is in no way remote X or X-Forwarding.
  So lets see.....server has no X installed, no Nautilus installed, and I use Nautilus (remotely from the OS and file system I'm manipulating)
  Nautilus front end (GUI) can't display without X .....
  ....hmmm, Sorry if i'm not being clear enough for you. Did I screw up on some Linux terminology or something???? Please elaborate...
  Quote mcover:
  But I do suggest you get comfortable with the command line
  Oh, you obviously missed this paragraph I wrote in the original post then:
  Now I'll be the first to admit that I'm still more comfortable in a GUI environment compared to the command line. However, I have no problem using the command line when needed, and am comfortable navigating the file system and editing config files using nano, while still learning and trying to remember commands!!!
  Quote mcover:
  Then you'd have to look into VNC or NX.
  As I said, I don't want to add anything (packages) to my server, so VNC works without X installed?
  So thanks for your reply, but no thanks, I'll wait until either someone who understands what I am asking replies, or I'll just do more research on this subject on my own.
  BTW: This is the first time I have ever lashed out at someone on a public forum.....but then again, you kinda deserve it don't you.
  Last edited by jeff story (2009-10-11 23:56:19)

• Cisco Catalyst 3750-X or 3560-X Series Switches

  Recently, our company was deciding to buy Cisco switches, but they just tell the requirements and I finally focused on two kinds of switches, Cisco Catalyst
  3750-X or 3560-XSeries Switches? Who can tell me, tnx in advance.

   As I read a blog recently, it listed the specific differences between Cisco 3750-X and 3560-X, except for the common features of Cisco 3750-X and 3560-X, Cisco 3750-X can also offer-- Cisco StackPower technology: An innovative feature and industry first for sharing power among stack members; 
  Cisco StackWise Plus technology for ease of use and resiliency with 64 Gbps of throughput; 
  Investment protection with backward compatibility with all other models of Cisco Catalyst 3750 Series Switches. 
  And made a more detailed comparison between the two products, for ur reference.

• Ability to add secret password to local usernames 2511

  We have a 2511 that I have been tasked with setting up as our access server. I was not comfortable using telnet and making it publicly accessible so I searched for an IOS that had the SSH feature.
  Originally, the IOS version was 12.3 (c2500-is-l.123.3.bin). With this version, there was no SSH. However, I could assign a secret to local usernames (i.e. username jsmith privilege 15 SECRET 5 <&#(sSJ*((#*&@> )
  Now that I have loaded the latest available version that has SSH (c2500-ik8os-l.122-29b.bin) I cannot assign secrets to the usernames. I can only assign passwords with the level 7 encryption. (i.e. username jsmith privilege 15 PASSWORD 7 <password> )
  I was under the impression that anything above 12.2 had md5 password capabilities (the enable secret is encrypted at level 5, but I cannot do the same to my username accounts for local logins)
  Question: Is there a version that has both? I am not turning something on where I should be? What is the name of the feature that enables local login username/password level 5 secret encryption?
  Thank you for your attention.

  Hi Steven,
  I apologize, as I do not have an IOS device in front of me to test this. However, does your device have the 'service password-encryption' command? If so, this should encrypt the passwords in your configuration using MD5.
  Let me know if that works.
  -Mike

• Critical voice vlan support

  Critical voice vlan feature, used to place a newly authenticating phone when radius server is dead into appropriate voice vlan, seems to be a new feature and I find the documentation to be incomplete.  Do the following switches support this feature in any IoS versions?
  WS-C4510R, 4506, 3560, 3550,2960s

  Cicso 3560 and 2960 just got that feature. PLease see the following link
  http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/15.0_1_se/release/notes/OL25301.html#wp1104287
  Regards

• Kerberos support on C2960 or C3750

  Hi,
  Does anyone know if Kerberos is supported as AAA method on either 2960 or 3750 switches? If so, what image does support it for 2960, for example?
  Thanks
  Evgueni

  Configuring the Router to Use the Kerberos Protocol
  http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfkerb.html#wp1001137
  c3750-ipbasek9-tar.122-44.SE5.tar
  Catalyst 3750 IP base cryptographic image and device manager files.
  This image has the Kerberos, SSH1 , Layer 2+, and basic Layer 3 routing features.
  This image also runs on the Cisco EtherSwitch service modules.
  c2960-lanbasek9-tar.122-44.SE5.tar
  Catalyst 2960 cryptographic image file and device manager files. This image has the Kerberos and SSH features.
  http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/release/notes/OL14630.html#wp841480

• Minimum IOS version to support scp URLs

  While recent IOS versions support scp sources or destinations for copy
  operations ...
     aprompt#copy running-config ?
       flash1:         Copy to flash1: file system
       flash2:         Copy to flash2: file system
       flash:          Copy to flash: file system
       ftp:            Copy to ftp: file system
       http:           Copy to http: file system
       https:          Copy to https: file system
       null:           Copy to null: file system
       nvram:          Copy to nvram: file system
       rcp:            Copy to rcp: file system
       running-config  Update (merge with) current system configuration
       scp:            Copy to scp: file system
       startup-config  Copy to startup configuration
       system:         Copy to system: file system
       tftp:           Copy to tftp: file system
       tmpsys:         Copy to tmpsys: file system
     aprompt#copy running-config
  ... older ones obviously don't (here we have 12.1):
     aprompt#copy running-config ?
       bs:             Copy to bs: file system
       flash:          Copy to flash: file system
       ftp:            Copy to ftp: file system
       null:           Copy to null: file system
       nvram:          Copy to nvram: file system
       rcp:            Copy to rcp: file system
       running-config  Update (merge with) current system configuration
       startup-config  Copy to startup configuration
       system:         Copy to system: file system
       tftp:           Copy to tftp: file system
       xmodem:         Copy to xmodem: file system
       ymodem:         Copy to ymodem: file system
       zflash:         Copy to zflash: file system
     aprompt#copy running-config
  Who could tell me the minumum version to support scp URLs?
  Thanks and Regards, Thomas

  Ideally any feature set questions are answerable in Cisco Feature Navigator (http://www.cisco.com/go/fn).
  The Secure Copy (SCP) feature provides a secure and authenticated method for copying router configuration or router image files. SCP relies on Secure Shell (SSH), an application and a protocol that provide a secure replacement for the Berkeley r-tools. So ideally you should be running crypto images (k9) which support SSH and hence SCP as well.
  But following are some details about SCP, which may be helpful :
  Feature Name
  Releases
  Feature Information
  Secure Copy
  12.2(2)T12.0(21)S
  12.2(25)S
  This feature was introduced in Cisco IOS Release 12.2(2)T.
  This feature was integrated into Cisco IOS Release 12.0(21)S.
  This feature was integrated into Cisco IOS Release 12.2(25)S.
  The following commands were introduced or modified: debug ip scp, ip scp server enable.
  Following is details Feature Information for Secure Shell Version 2 Support:
  Feature Name
  Releases
  Feature Information
  Secure Shell Version 2 Support
  12.2(11)T
  12.2(25)S
  12.3(4)T
  15.3(2)S
  The Secure Shell Version 2 Support feature allows you to configure Secure Shell (SSH) Version 2 (SSH Version 1 support was implemented in an earlier Cisco IOS software release). SSH runs on top of a reliable transport layer and provides strong authentication and encryption capabilities. SSH version 2 also supports AES counter-based encryption mode.
  The following commands were introduced or modified: debug ip ssh, ip ssh min dh size, ip ssh rsa keypair-name, ip ssh version, ssh.
  Secure Shell Version 2 Client and Server Support
  12.0(32)SY
  12.3(7)JA
  12.4(17)
  The Cisco IOS image was updated to provide for the automatic generation of SNMP traps when an SSH session terminates.
  SSH Keyboard Interactive Authentication
  12.2(33)SXH3
  12.4(18)
  The SSH Keyboard Interactive Authentication feature, also known as Generic Message Authentication for SSH, is a method that can be used to implement different types of authentication mechanisms. Basically, any currently supported authentication method that requires only user input can be performed with this feature.
  Secure Shell Version 2 Enhancements
  12.2(50)SY
  12.4(20)T
  15.1(2)S
  The Secure Shell Version 2 Enhancements feature includes a number of additional capabilities such as support for VRF-aware SSH, SSH debug enhancements, and DH Group 14 and Group 16 exchange support.
  In Cisco IOS 15.1(2)S, support was added for the Cisco 7600 series router.
  Note   
  Only the VRF-aware SSH feature is supported in Cisco IOS Release 12.2(50)SY.
  The following commands were introduced or modified: debug ip ssh, ip ssh dh min size.
  Secure Shell Version 2 Enhancements for RSA Keys.
  15.0(1)M
  15.1(1)S
  The Secure Shell Version 2 Enhancements for RSA Keys feature includes a number of additional capabilities to support RSA key-based user authentication for SSH and SSH server host key storage and verification.
  The following commands were introduced or modified: ip ssh pubkey-chain, ip ssh stricthostkeycheck.
  -Thanks
  Vinod
  **Encourage Contributors. RATE Them.**

• Security Features of 3560-x with IOS 15.2(2)E

  Hi All,
  I would like to know for sure if the following features are included in the switch 3560-X
  Threat Defense : Port Security, DHCP Snooping, Dynamic ARP Inspection,IP source guard.
  Advanced Security Features : Secure Shell (SSH) Protocol,Switched Port Analyzer, RADIUS authentication, ecc.
  These are the informations about my software and release
  Software
  IOS
  Release Number
  15.2(2)E
  Platform Name
  CAT3560X
  Feature Set/Supervisor(NX-OS specific)
  UNIVERSAL (IP BASE)
  Software
  IOS
  Release Number
  15.2(2)E
  Platform Name
  CAT3560X
  Feature Set/Supervisor(NX-OS specific)
  UNIVERSAL (IP BASE)
  Many thanks for your answers
  Antonio

  Hi Antonio,
  I took a look at the config guide below and all are supported.
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-2_2_e/configuration/guide/b_1522e_consolidated_3750x_3560X_cg.html
  Hope this helps.
  PS : Kindly rate all posts which are helpful
  Thanks,
  Madhu.

• [Feature Request] Wap321 SSH/Telnet Support

  Dear Cisco Developers,
  we are facing a problem with your design choice of not to support Telnet/SSH on the Wap321. We bought this Product because it was one of the only Access Points with SSH and Telnet Support.
  We need the SSH Support for a script that changes the WPA-psk key of the interface wlan0 on more then 20AP's every Week. Everything was good until we got hold of a new charge which came with firmware version 1.0.1.10.
  Changelog:
  "Due to security concerns, Telnet and SSH access options are removed in firmware version 1.0.1.10."
  So I talked with the German Cisco Small Business Support and he said he will investigate and try to get it to the Second Support tier. Well it never came to that, he called us two days later and said that is was a BUG to Support SSH and Telnet on the WAP321 and it was never designed to be a Feature.
  So i guess we have following options:
  1.Bring back the SSH Support for the Wap321 in the next Firmware update
  2.Provide Firmware version 1.0.0.3
  3.Give me a Workaround for my task
  So any help would be appreciated and i hope we are not the only ones that would like to see a comeback of this feature.
  In hope for comments
  Best wish
  Fabian Schwarz
  (PTA-Support)
  PS: Support Ticket was
  624972937

  No Sir I do not.
  According to the response from L2:
  SSH is only enabled for customer to use it on switches.
  Developers normally do not allow SSH (enable or protect with password) for end
  user on any Wireless device. Management is done by web interface.
  In this particular case SSH was enabled only due to some bugs which were
  monitored during first release so it is not meant to be for end user.
  Because of particular security risks, SSH is for troubleshooting by developers.
  Currently there is no chance that they would issue any official firmware for this as
  well as there is a little chance they would create special firmware for just a few
  customers.
  I am sorry for any inconvenience that this has caused.
  Eric Moyers
  If you like you can roll the mouse over my picture and get my actual email address and contact me directly.

• Sample configuration of using (MSTP) feature on 3560

  Hi,
  I have 3560 switch running PVST, performing purely as layer 2 vlans, I already reached 120 vlans so I will be running out of spantree soon.
  I would like to have a sample configuration of using (MST) feature to map multiple vlans to a single vlan to minimize my maximum spantree per vlan usage.
  Any sample config would be highly appreciated.
  thanks,

  Hi Friend,
  Have a look at this
  Switch(config)# spanning-tree mst configuration
  Switch(config-mst)# instance 1 vlan 10-20
  Switch(config-mst)# name region1
  Switch(config-mst)# revision 1
  But I will recommend you to go through the complete link below to get full idea of MST before implementing in your network.
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swmstp.htm#wp1017196
  HTH,if yes please rate the post
  Ankur

• TACACS auth working via SSH, but not HTTP (ACS 5.1 / 3560)

  Experts,
  My switches are able to successfully authenticate user access against ACS 5.1 via SSH with TACACS+, but I am not able to authenticate via HTTPS with TACACS+.  I don't even get a log in ACS when attempting to authenticate via HTTPS.
  Here is my AAA config, followed by a debug:
  aaa new-model
  aaa authentication login ACCESS group tacacs+ local
  aaa authorization console
  aaa authorization config-commands
  aaa authorization exec ACCESS group tacacs+
  aaa authorization commands 1 Priv1 group tacacs+ none
  aaa authorization commands 15 Priv15 group tacacs+ none
  aaa authorization network ACCESS group tacacs+
  aaa accounting exec ACCESS start-stop group tacacs+
  aaa accounting commands 0 ACCESS start-stop group tacacs+
  aaa accounting commands 1 ACCESS start-stop group tacacs+
  aaa accounting commands 15 ACCESS start-stop group tacacs+
  aaa session-id common
  ip http authentication aaa login-authentication ACCESS
  ip http authentication aaa exec-authorization ACCESS
  ip http authentication aaa command-authorization 1 Priv1
  ip http authentication aaa command-authorization 15 Priv15
  ip http secure-server
  no ip http server
  tacacs-server host X.X.X.X key 7
  tacacs-server timeout 3
  tacacs-server directed-request
  Debug:
  47w4d: HTTP AAA Login-Authentication List name: ACCESS
  47w4d: HTTP AAA Exec-Authorization List name: ACCESS
  47w4d: HTTP: Authentication failed for level 15
  Shell authorization profiles are working in ACS when SSHing to devices (Priv1 and Priv15), and I can't figure out why its not working for HTTPS.
  Any ideas?

  Thank you for your response, here is the debug from the 3560:
  BC-3560-48-6-1-1#
  48w0d: HTTP AAA Login-Authentication List name: ACCESS
  48w0d: HTTP AAA Exec-Authorization List name: ACCESS
  48w0d: TPLUS: Queuing AAA Authentication request 0 for processing
  48w0d: TPLUS: processing authentication start request id 0
  48w0d: TPLUS: Authentication start packet created for 0(varnumd)
  48w0d: TPLUS: Using server 10.10.0.16
  48w0d: TPLUS(00000000)/0/NB_WAIT/458EDA8: Started 3 sec timeout
  48w0d: TPLUS(00000000)/0/NB_WAIT: socket event 2
  48w0d: TPLUS(00000000)/0/NB_WAIT: wrote entire 27 bytes request
  48w0d: TPLUS(00000000)/0/READ: socket event 1
  48w0d: TPLUS(00000000)/0/READ: Would block while reading
  48w0d: TPLUS(00000000)/0/READ: socket event 1
  48w0d: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 16 bytes data)
  48w0d: TPLUS(00000000)/0/READ: socket event 1
  48w0d: TPLUS(00000000)/0/READ: read entire 28 bytes response
  48w0d: TPLUS(00000000)/0/458EDA8: Processing the reply packet
  48w0d: TPLUS: Received authen response status GET_PASSWORD (8)
  48w0d: TPLUS: Queuing AAA Authentication request 0 for processing
  48w0d: TPLUS: processing authentication continue request id 0
  48w0d: TPLUS: Authentication continue packet generated for 0
  48w0d: TPLUS(00000000)/0/WRITE/4332F88: Started 3 sec timeout
  48w0d: TPLUS(00000000)/0/WRITE: wrote entire 30 bytes request
  48w0d: TPLUS(00000000)/0/READ: socket event 1
  48w0d: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 6 bytes data)
  48w0d: TPLUS(00000000)/0/READ: socket event 1
  48w0d: TPLUS(00000000)/0/READ: read entire 18 bytes response
  48w0d: TPLUS(00000000)/0/4332F88: Processing the reply packet
  48w0d: TPLUS: Received authen response status PASS (2)
  48w0d: TPLUS: Queuing AAA Authorization request 0 for processing
  48w0d: TPLUS: processing authorization request id 0
  48w0d: TPLUS: Inappropriate protocol: 25
  48w0d: TPLUS: Sending AV service=shell
  48w0d: TPLUS: Sending AV cmd*
  48w0d: TPLUS: Authorization request created for 0(varnumd)
  48w0d: TPLUS: Using server 10.10.0.16
  48w0d: TPLUS(00000000)/0/NB_WAIT/4332E18: Started 3 sec timeout
  48w0d: TPLUS(00000000)/0/NB_WAIT: socket event 2
  48w0d: TPLUS(00000000)/0/NB_WAIT: wrote entire 46 bytes request
  48w0d: TPLUS(00000000)/0/READ: socket event 1
  48w0d: TPLUS(00000000)/0/READ: Would block while reading
  48w0d: TPLUS(00000000)/0/READ: socket event 1
  48w0d: TPLUS(00000000)/0/READ: read 0 bytes
  48w0d: TPLUS(00000000)/0/READ/4332E18: timed out
  48w0d: TPLUS: Inappropriate protocol: 25
  48w0d: TPLUS: Sending AV service=shell
  48w0d: TPLUS: Sending AV cmd*
  48w0d: TPLUS: Authorization request created for 0(varnumd)
  48w0d: TPLUS(00000000)/0/READ/4332E18: timed out, clean up
  48w0d: TPLUS(00000000)/0/4332E18: Processing the reply packet
  48w0d: HTTP: Authentication failed for level 15

• "X11 forward" feature of ssh

  I wanted to use the "X11 forward" feature of ssh so that if I run any GUI tool on the remote server, it will automatically be relinked to my local desktop. So, from the DB server ssh, I gave the command but it seems that it is giving problems as below.
  [oracle@jispdb oracle]$ ssh -X oracle@jispdb
  @ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
  The RSA host key for jispdb has changed,
  and the key for the according IP address 10.10.10.26
  is unknown. This could either mean that
  DNS SPOOFING is happening or the IP address for the host
  and its host key have changed at the same time.
  @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
  IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
  Someone could be eavesdropping on you right now (man-in-the-middle attack)!
  It is also possible that the RSA host key has just been changed.
  The fingerprint for the RSA key sent by the remote host is
  f9:81:fc:f5:bc:ab:29:19:11:72:62:f3:68:67:e6:a9.
  Please contact your system administrator.
  Add correct host key in /home/oracle/.ssh/known_hosts to get rid of this message.
  Offending key in /home/oracle/.ssh/known_hosts:3
  RSA host key for jispdb has changed and you have requested strict checking.
  Host key verification failed.
  [oracle@jispdb oracle]$
  The hostname of the DB server is 'jispdb' as given in the example below and there is a oracle user in the linux OS installed in this server.
  I hope, my question is clear.
  Please, help in solving the doubt.
  regards

  I agree with DBA in Scotland.
  If you're ssh'ing from one server to another, probably within the same corporate network behind one or more firewalls, then the most likely cause is that the server you're ssh'ing to has changed IP addresses or new hardware with a new IP was installed in place of older hardware for a host (happens often here), or just some network reorganizing, etc.
  Just delete the old key from ~/.ssh/known_hosts (i believe its line 3 of the known_hosts file in your example) or you can even create a new key/entry by ssh'ing to either the IP address of the server or ssh using the FQDN for the host you're ssh'ing to.

• Feature Request (EC2): Show SSH Fingerprints in console

  Hi,
  It would be nice if you added something like
  bash -c 'for f in $(ls /etc/ssh/*.pub); do ssh-keygen -lf $f; done'
  to /etc/rc.local on your EC2 AMI - this would display the SSH key fingerprints in the console output (which can be securely obtained from the ec2 console or command line tools). Without a secure way to obtain these fingerprints it is not possible to detect a man-in-the-middle attack of the first SSH connection to the server.
  My current workaround is to place the following scipt as the ec2 user data file:
  #!/bin/bash
  set -o nounset
  set -o errexit
  # Dump SSH fingerprints to console
  for f in $(ls /etc/ssh/*.pub); do ssh-keygen -lf $f; done > /dev/console
  However it would be nice if this functionality was built into the AMI as i'm not currently needing the user data mechanism for anything else.
  Cheers,
  Dave

  Hi Dave,
  Thanks for using our services on AWS. This is really valuable and will surely be considered in our subsequent releases.
  Cheers,
  Shiven

• Cat0-3750 upgrade. Error: system number 1 does not support the same feature

  I am trying to upgrade or rather downgrade from ipadvservices (inadvertently upgraded to) to ipservices on a stack of Cat-3750s, but I get the following error message:
  Ios Image File Size: 0x00877A00
  Total Image File Size: 0x00B04200
  Minimum Dram required: 0x08000000
  Image Suffix: ipservicesk9-122-37.SE1
  Image Directory: c3750-ipservicesk9-mz.122-37.SE1
  Image Name: c3750-ipservicesk9-mz.122-37.SE1.bin
  Image Feature: IP|LAYER_3|PLUS|SSH|3DES|MIN_DRAM_MEG=128
  Error: The image in the archive which would be used to upgrade
  Error: system number 1 does not support the same feature set.
  Any ideas?
  Chris

  I was having the same issue even with entering the following:
  archive download-sw /overwrite /allow-feature-upgrade tftp://172.18.108.26/c3kx-sm10g-tar.150-2.SE7.tar
  I noticed the image which was running on the switch was correct without the ".bin" at the end:
  3560#sh ver | i image
  System image file is "flash:c3560e-universalk9-mz.150-2.SE7"
  I uploaded a fresh IOS image from CCO and made sure the image name had ".bin" at the end. Seems trivial except the error is produced through a sanity check. See below (please excuse the extra unplugging in the output):
  3560#sh ver | i image
  System image file is "flash:c3560e-universalk9-mz.150-2.SE7.bin"
  3560#$de tftp://172.18.108.26/c3kx-sm10g-tar.150-2.SE7.tar
  Loading c3kx-sm10g-tar.150-2.SE7.tar from 172.18.108.26 (via Vlan1): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!                             !!!!!!!!!
  Mar 30 01:33:35.480: %USBFLASH-5-CHANGE: usbflash0 has been removed!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  Mar 30 01:34:15.636: %PLATFORM_ENV-1-FRU_PS_ACCESS: FRU Power Supply is not responding!!!!!!!!!!!
  [OK - 24893440 bytes]
  Loading c3kx-sm10g-tar.150-2.SE7.tar from 172.18.108.26 (via Vlan1): !!!
  Mar 30 01:34:35.593: %PLATFORM_ENV-6-FRU_PS_OIR: FRU Power Supply 2 removed!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!                             !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  examining image...
  extracting info (100 bytes)
  extracting c3kx-sm10g-mz.150-2.SE7/info (499 bytes)
  extracting info (100 bytes)
  System Type:             0x00010002
    Ios Image File Size:   0x017BDA00
    Total Image File Size: 0x017BDA00
    Minimum Dram required: 0x08000000
    Image Suffix:          sm10g-150-2.SE7
    Image Directory:       c3kx-sm10g-mz.150-2.SE7
    Image Name:            c3kx-sm10g-mz.150-2.SE7.bin
    Image Feature:         IP|LAYER_3|MIN_DRAM_MEG=128
    FRU Module Version:    03.00.78
  Updating FRU Module on switch 1...
  Updating FRU FPGA image...
  FPGA image update complete.
  All software images installed.
  Worked for me, hope this helps.