AAA on 3750 switch

Similar Messages

• AAA Radius accounting command is not taking in 3750 switch

         Hi Cisco Support community,
  I am facing a issue with radius accounting in Cisco 3750 switch with version 12.2. I am unable to start accounting for radius server.
  This is the config that is on the switch for Radius.
  aaa authentication login default group radius local
  aaa authentication dot1x default group radius
  aaa authorization exec my-authradius group radius if-authenticated.
  radius-server attribute 6 on-for-login-auth
  radius-server dead-criteria time 20 tries 5
  radius-server host 10.100.1.225 auth-port 1645 acct-port 1646 key 7 14341A5801103F3904266021
  radius-server host 10.100.1.226 auth-port 1645 acct-port 1646 key 7 05280E5C2C585B1B390B4406
  When i try to add the following command for accounting, this is not saving.
  (aaa accounting commands 0 default start-stop group radius
  aaa accounting commands 1 default start-stop group radius
  aaa accounting commands 15 default start-stop group radius)
  If i do paste this command one by one after start-stop group it is showing only two options either tacacs+ or server, no radius option is there as well.
  I  tried to create a server group and add the radius server  in the group.  Even then when i am trying to implement the aaa accounting command with the server command it is not showing in show run.
  Can anyone please help me with this issue.

  Hi,
  thanks for your reply but the thing is that  i want to see the command that are being run by a user on  this particular device. If i use the network command it will only show me the  network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).
  I have read the document from this link and it is stating that we can use command accounting. Below is the link
  http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html. 
  Can anyone please tell me if this a version issue because even in version 15.4 i was not seeing the radius option in the end
  aaa accounting commands 15 default start-stop group (radius)- in radius place it was showing only Tacacs+ or group.

• 3750 switch not forwarding EAPoL to RADIUS server

  I have a 3750 switch stack running version 12.2(53)SE2 IPBASEK9-M. I have dot1x configured on the switch and have a Windows 7 PC connected with 802.1x configured on the interface. I see the EAPoL start message from the PC, but I don't see any RADIUS packets from the switch to the RADIUS server. I have a simple dot1x config just to try to get it working prior to adding additional features such as guest-vlan...
  Config and debug file attached.
  I don't know if the ip dhcp snooping and arp inspection configuration is causing an issue with this or not. I see the EAPoL packet received on the switch as seen in the debug attachment, but I still never see the RADIUS packet. I did set both to trust on the interface but still the same outcome. I can't disable it since it is a production switch with a test interface.
  Any ideas?
  Thanks,
  Mark

  Hi Mark,
  The config seems to be OK, nothing I would miss if I assume that mandatory
  commands not shown in your config are in place
  aaa-new-model is required for dot1x to function, I don't seee that command.
  I have configured dot1x just a few times but I always used the commands
  aaa authorization network default group radius
  and
  radius-server vsa send
  (honestly, I'm not sure whether they are required, it's just a template which
  I know as working)
  Careful if this is a production system
  AAA New-Model will radically change every authentication behaviour on the
  switch if it is not already configured
  The main issue seems that the catalys is not sending an "EAP-Request/Identity"
  back, Radius-Packets will only be sent after the "EAP-Response/Identity":
  (taken from http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/sw8021x.html)
  Do you have any other dot1x client?
  You can use a cisco router for testing dot1x if you have
  test system at hand:
  conf term
  dot1x credentials DOT1XTEST
    username testuser
    password testpassword
    exit
  interface [name-of-interface-connected-to-catalyst]
    dot1x pae supplicant
    dot1x credentials DOT1XTEST
  Another approach:
  use the classic config (not auth-manager but "dot1x syntax") you are
  using a very new version of IOS, might be buggy:
  Switch(config)# aaa new-model
  Switch(config)# aaa authentication dot1x default group radius
  Switch(config)# aaa authorization network default group radius
  Switch(config)# radius-server host [IP-address] auth-port [port] key [port]
  Switch(config)# dot1x system-auth-control
  Switch(config)# interface [interface]
  Switch(config-if)# switchport mode access
  Switch(config-if)# dot1x port-control auto
  Hope something is helpful
  Additional debug hints:
  use
  show dot1x all
  show dot1x interface [interface-name] detail
  show dot1x interface [interface-name] satistic
  Do see something like "RxResp = x" with x>0?
  rgds, MiKa

• Connection of LC/APC fiber patch cords to Cisco Catalyst 6500 $ Cisco Access 3750 Switches

  I have an LC/APC fiber patch cord infrastructure and I want to connect it to Cisco Catalyst 6500 & Cisco Access 3750 Switches. what type of transceiver should be used?
  I read a note on Cisco website stating the following for Cisco SFP+ transceivers:
  Note: "Only connections with patch cords with PC or UPC connectors are supported. Patch cords with APC connectors are not supported. All cables and cable assemblies used must be compliant with the standards specified in the standards section"

  Thank you,  but my question is that I have a single mode fiber patch cord with LC/APC connector while cisco stating a note that only use LC/PC or LC/UPC type of connectors with SFP+ transceiver.  
  So what type of transceiver should I use to connect LC/APC patch cord to cisco switches?  Is there another type or SFP+ still can be used? 

• 802.1x "MachineorUser" Auth Mode strange behavior in 2950 & 3750 Switches

  Good Day Support Team around the world,
  Having started recently  tests with 802.1x in a lab environment, I noticed  a strange behavior related to authentication. First let me provide you with the network components I used.
  supplicant:                    domain-joined laptop with Windows XP SP3 802.1x embedded client
  authenticator1:              Cisco 2950-24   
  authenticator2:              Cisco 3750-24
  authentication server:     MS NPS Windows Server 2008
  1.     In the first scenario with 3750 switch when I connect the laptop to relevant port the machine authentication is successful. Then I try to login with a domain account and again the authentication is completed without any problem. Then I log off and user authentication is revoked and the machine authentication is used again without any issue. When I try to login again as local user the authentication fails as expected but the port remains disabled (port blinking amber) regardless the fact that port is configured for Auth-Fail Vlan. When I log off then the machine authentication is used again and the access is granted.
  2.     In the second scenario with 2950 switch as authenticator, I follow the same steps as before and when I try to login as local user the authentication is failed and the port is assigned the Auth-Fail Vlan (as expected based on configuration). However when I log off it seems that the 2950 switch still use the Auth-Fail Vlan for that port and never authenticates again for machine authentication.
  Could you please let me someone know if this is normal ( I suppose no). Please find attached the relevant debug output from the second scenario.
  Thank you!!!

  Hi,
  basically what happens is that the maximum EAP packet size for communication between client and RADIUS server is negotiated. Therefore, in your case the switch notifies NPS that the client is capable of handling packets up to 9000 bytes in size.
  EAP messages, especially those containing the server certificate, are usually bigger than 1500 bytes and arrive at the switch in multiple fragments:
  Mar  6 15:50:11.881: RADIUS(0000002C): Received from id 1645/41
  Mar  6 15:50:11.881: RADIUS/DECODE: EAP-Message fragments, 253+253+253+253+253+253+253+253+20, total 2044 bytes
  Having learned that 2044 bytes is acceptable for the client, the switch forwards the full message in one chunk, but since your client is likely to have set the interface MTU to 1500, the packet is oversized and never reaches its destination.
  And yes, I think changing the System Jumbo MTU to 1500 bytes would lead to the same result. If my memory serves me right, a new setting takes effect only after a reboot, so I'd suggest giving it a go in your lab first.
  Best regards,
  Josef

• Question on ARP table on 3750 switch

  Hi,
  So I have a cisco 3750 switch directly connected to a 2851 router gig 0/0 interface.
  Should the show arp command on the switch show an entry for the IP and mac address of the routers gig 0/0 interface?
  I dont see one in there now and was just wondering.
  Connectivity between the switch and router work fine right now.
  thanks

  HI Bill,
  if u can ping from Swicth ro router,,,,then please check with this command: sh ip arp.
  Just for Info;
  To be able to ARP a device, you must have an interface (SVI) on that switch on that network. To ARP a device you must have an interface with a layer 3 IP on the same layer 2 vlan.
  You will need to connect to a switch that has an interface on that vlan on it. I would traceroute to the host, and hopefully the next to last hop is the layer 3 switch, or if it's a router, connect to it and do a show cdp neighbors and see if you can find the switch that way. (If you do connect to the router, you'll find the ARP entries there, if it's a layer 3 switch, then it's both a router and switch in one box)
  "sh mac address-table". This will give which MAC is connected to which port.
  "sh ip device tracking interface gigabitEthernet ". This will give which IP is connectd to a port.
  "sh ip arp" will give you a IP to MAC table
  Regards
  Dont forget to rate helpful posts.

• Best IOS version for 3750 switch

  I have just received 2 3750 switches, but both have a different IOS version.
  One has -> IOS version 12.1(19)EA1d
  and the other has -> IOS version 12.2(25)SEB2.
  I just want to use the switches as Gb collectors for a serverfarm seperatly (so no stack configuration) with a redundant uplink to my distribution layer.
  Can someone advise my which IOS is the best for my network?
  Thanx, Marty

  Switch 1:
  Cisco Internetwork Operating System Software
  IOS (tm) C3750 Software (C3750-I5-M), Version 12.1(19)EA1d, RELEASE SOFTWARE (fc1)
  Copyright (c) 1986-2004 by cisco Systems, Inc.
  Compiled Mon 05-Apr-04 22:06 by antonino
  Image text-base: 0x00003000, data-base: 0x009206D8
  ROM: Bootstrap program is C3750 boot loader
  BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.1(14r)EA1a, RELEASE SOFTWARE (fc1)
  2224-3750-037000137 uptime is 23 hours, 52 minutes
  System returned to ROM by power-on
  System restarted at 09:02:42 GMT Thu Aug 11 2005
  System image file is "flash:c3750-i5-mz.121-19.EA1d/c3750-i5-mz.121-19.EA1d.bin"
  cisco WS-C3750G-24TS (PowerPC405) processor (revision H0) with 118776K/12288K bytes of memory.
  Processor board ID CAT0904X00B
  Last reset from power-on
  Bridging software.
  1 Virtual Ethernet/IEEE 802.3 interface(s)
  28 Gigabit Ethernet/IEEE 802.3 interface(s)
  The password-recovery mechanism is enabled.
  512K bytes of flash-simulated non-volatile configuration memory.
  Base ethernet MAC Address : 00:13:1A:65:50:00
  Motherboard assembly number : 73-7058-12
  Power supply part number : 341-0045-01
  Motherboard serial number : CAT090400A0
  Power supply serial number : LIT09020266
  Model revision number : H0
  Motherboard revision number : A0
  Model number : WS-C3750G-24TS-E
  System serial number : CAT0904X00B
  Hardware Board Revision Number : 0x09
  Switch Ports Model SW Version SW Image
  * 1 28 WS-C3750G-24TS 12.1(19)EA1d C3750-I5-M
  Configuration register is 0xF
  Switch 2:
  Cisco IOS Software, C3750 Software (C3750-IPSERVICES-M), Version 12.2(25)SEB2, RELEASE SOFTWARE (fc1)
  Copyright (c) 1986-2005 by Cisco Systems, Inc.
  Compiled Wed 08-Jun-05 01:19 by yenanh
  ROM: Bootstrap program is C3750 boot loader
  BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.1(14r)EA1a, RELEASE SOFTWARE (fc1)
  2224-3750-037000138 uptime is 59 minutes
  System returned to ROM by power-on
  System image file is "flash:c3750-ipservices-mz.122-25.SEB2/c3750-ipservices-mz.122-25.SEB2.bin"
  cisco WS-C3750G-24TS (PowerPC405) processor (revision L0) with 118784K/12280K bytes of memory.
  Processor board ID CAT0925Z0WZ
  Last reset from power-on
  1 Virtual Ethernet interface
  28 Gigabit Ethernet interfaces
  The password-recovery mechanism is enabled.
  512K bytes of flash-simulated non-volatile configuration memory.
  Base ethernet MAC Address : 00:14:A8:71:CA:00
  Motherboard assembly number : 73-7058-13
  Power supply part number : 341-0045-01
  Motherboard serial number : CAT09251J90
  Power supply serial number : PHI09220165
  Model revision number : L0
  Motherboard revision number : A0
  Model number : WS-C3750G-24TS-E
  System serial number : CAT0925Z0WZ
  Hardware Board Revision Number : 0x09
  Switch Ports Model SW Version SW Image
  * 1 28 WS-C3750G-24TS 12.2(25)SEB2 C3750-IPSERVICES-M
  Configuration register is 0xF

• How to check if 3750 switch is using sslv3

  Hi Everyone,
  i an trying to https to 3750 switch using firefox below is error message
  Firefox cannot guarantee the safety of your data on 10.0.0.4 because it uses SSLv3, a broken security protocol.
  Advanced info: ssl_error_no_cypher_overlap
  Learn More…
  ip http secure-server ---- is configured on 3750.
  i checked config on 3750 switch it does not show if sslv3 is enabled.
  is there any command i can use to check ssl config on 3750 switch?
  Regards
  Mahesh

  Hi Mahesh,
  Try running nmap against your switch: http://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
  nmap --script ssl-enum-ciphers -p 443 <switch_name>
  There is an open Cisco bug for this vulnerabilty:
  https://tools.cisco.com/bugsearch/bug/CSCur23656
  ...which implies that this vulnerabilty is not fixed in any version of IOS!? If you are concerned, use the CLI and drop the HTTP(S) access.
  cheers,
  Seb.

• AAA configuration on switches 2960

  Hi
  I have introduced the following configuration of AAA in the switches of series 2950 and works very well,
  but when I do the same in switches 2960, the local password does not work and it is obligatory to introduce the switch in the ACS to have management of the switch.
  Is needed some additional configuration of AAA in switches 2960?
  Thanks.
  tacacs-server host y.y.y.y
  tacacs-server key xxxxx
  aaa new-model
  aaa authentication login acceso-consola group tacacs+ line
  aaa authentication login acceso-telnet group tacacs+ line
  aaa authentication enable default group tacacs+ enable
  aaa authorization commands 1 default group tacacs+ if-authenticated
  aaa authorization commands 15 default group tacacs+ if-authenticated
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  line con 0
  exec-timeout 0 0
  login authentication acceso-consola
  line vty 0 4
  login authentication acceso-telnet

  Maria
  Perhaps some clarification of your environment might help us. In particular it would help to understand how you produce the "without ACS" environment.
  Clearly the switch is still configured for ACS. And clearly there is connectivity from the switch to the ACS. And the ACS is responding to the authentication request from the switch. I am not sure what the errno 254 represents or what on the ACS server causes it. Perhaps you can help us understand that?
  I had a situation at one point that may have been similar to your situation. Our devices were sending requests to ACS. But ACS was not able to communicate with the external DB because one of the services on ACS was not running. ACS responded with an error indicating unable to process. But the IOS devices were not interpreting that as an error that should send them to the backup authentication method.
  If you are stopping something on the ACS server then I would suggest that a better test would be to break IP connectivity between the switch and the ACS so that the switch receives no response to its request or to change the configured IP address for the server in the switc and point to some device not running ACS so that the switch receives a port unreachable response to its request. Those would give you a better test of without ACS.
  HTH
  Rick

• QoS Questions for 3750 Switches

  2x3750 switches are stacked and we are trying to simulate traffic congestion at the UTP ports by using Smartbit 6000C. The objective of the test is to see if the QoS setting works in reality even though we see from Wireshark that the packets are marked with DSCP for voice traffic.
  Setup is as follows :
  Smartbit<->Avaya IP Phone<->3750 switches<->6509 switch.
  Please note that the configuration is set on the 3750 switch port as well as trusted on the Cat 6 switch port. However, when I set to continuous traffic with byte size of 64. Even though its a 100Mbps port, the Avaya IP Phone is already acting weird with hanged symptom. Just side note is that performing "show mls qos inter gi2/0/7 statistic" shows that data and voice traffic are marked on the different priority which seemed correct.
  1) Is this the right way to test? If not, what should be the correct way?
  2) The port that's connected to Smartbit is configured and it seemed that with the continuous traffic, even other IP Phones are hanged even though I have set Smartbit to hit on the IP address of the CAT6 Switch port. This is not normal right as this is supposed to be unicast traffic. Any idea what could be the reason?

  Hello Brandon,
  I understand your concern and how you want to test, but with the VoIP services you need to understand that there are 2 points (telephones if you want) involved. Your local one, where you might have taken all the necessary steps to protect and prioritize your voice traffic, and the oposite end which also need to have the voice packets prioritized.
  Now, from your description, I understand that the packets (voice and data) marked correctly (I believe on C3750), but that's not enough. You need to use CBWFQ together with LLQ to give priority to the Voice traffic over data in case of congestion. Do you have such configuration? Can you show us some excerpt from it?
  Next, during the testing, you said that your phone hang-up...where you in a call?
  To respond to your questions:
  1. The start is ok, but we need more details. You are pushing traffic from Smarbit, this is your local end, but where is the traffic pushed to (remote end), who is receiving the traffic?
  2. In theory, you shouldn't have any impact over voice if links are 100Mbit, only if you have such a power packet generator that could fill 100Mbit. What do you mean by "This is not normal right as this is supposed to be unicast traffic"? VoIP is also unicast traffic...
  I can see that you are determined to solve this issue, and this is OK as it will help you back with gained knowledge, but I have to warn you that troubleshooting QoS / Voice related problems may be more tricky than you think, as it will involve a strong know-how in these areas.
  We will help, but you have to come back with more precise details.
  Good luck!
  Calin

• WAAS Configuration for 3750 Switch

  I am configuring a 3750 switch with 12.2(52)SE according to:
  (from https://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/3750_scg.pdf )
  This example shows how to configure SVIs and how to enable the web cache service with a multicast group list. VLAN 299 is created and configured with an IP address of 175.20.20.10. Gigabit Ethernet port 1 is connected through the Internet to the web server and is configured as an access port in VLAN 299. VLAN 300 is created and configured with an IP address of 172.20.10.30. Gigabit Ethernet port 2 is connected to the application engine and is configured as an access port in VLAN 300. VLAN 301 is created and configured with an IP address of 175.20.30.50. Fast Ethernet ports 3 to 6, which are connected to the clients, are configured as access ports in VLAN 301. The switch redirects packets received from the client interfaces to the application engine.
  Note Only permit ACL entries are being used in the redirect-list; deny entries are unsupported.
  Switch# configure terminal
  Switch(config)# ip wccp web-cache 80 group-list 15
  Switch(config)# access-list 15 permit host 171.69.198.102
  Switch(config)# access-list 15 permit host 171.69.198.104
  Switch(config)# access-list 15 permit host 171.69.198.106
  Switch(config)# vlan 299      WEB  SERVER
  Switch(config-vlan)# exit
  Switch(config)# interface vlan 299
  Switch(config-if)# ip address 175.20.20.10 255.255.255.0
  Switch(config-if)# exit
  Switch(config)# interface gigabitethernet1/0/1
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport access vlan 299
  Switch(config)# vlan 300 WAE
  Switch(config-vlan)# exit
  Switch(config)# interface vlan 300
  Switch(config-if)# ip address 171.69.198.100 255.255.255.0
  Switch(config-if)# exit
  Switch(config)# interface gigabitethernet1/0/2
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport access vlan 300
  Switch(config-if)# exit
  Switch(config)# vlan 301 CLIENTS
  Switch(config-vlan)# exit
  Switch(config)# interface vlan 301
  Switch(config-if)# ip address 175.20.30.20 255.255.255.0
  Switch(config-if)# ip wccp web-cache redirect in
  Switch(config-if)# exit
  Switch(config)# interface gigabitethernet1/0/3 - 6
  Switch(config-if-range)# switchport mode access
  Switch(config-if-range)# switchport access vlan 301
  Switch(config-if-range)# exit
  ===================================================================
  Question:  How do I configure my WAE to play nicely with this switch?

  Hi James,
  Here is the link to WCCP config part on WAE:
  http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v441/configuration/guide/traffic.html#wp1041742
  In your case, if my understanding is right, VLAN300 is where you want to connect WAE and WAE is also L2 adjacent. if that is true, here is the config you need on WAE:
  wccp router-list 1 171.69.198.100
  wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign l2-return
  wccp version 2
  Please note that 3750 supports L2 redirection only with redirect IN statements on 3750 interfaces connected to servers and clients.
  Hope this helps.
  Regards.

• How can I mirror all ports on CISCO 3750 switches to one Gigabyte port?

  Hi,
  I have a requirement to mirror all the ports on my 7 CISCO 3750 switches, which are in 3 separate stacks, to one single Gigabyte Ethernet port.
  Does anyone know how I can do that?
  Thanks in advance.

  Vlad, thanks a heap for your response.
  I want to apply to my sitation. Please let me know if I get them right in the following:
  Catalyst A
  vlan 901
  remote-span
  monitor session 1 source interface fastethernet 1-48 (I want to monitor all ports on the CISCO 3725)
  monitor session 1 destination remote vlan 901
  Catalyst B
  vlan 901
  remote-span (If I don't need to monitor this switch, do I still need to put anything into this switch at all?)
  Catalyst C
  vlan 901
  remote-span
  monitor session 1 source interface fastethernet 1-48 (I want to monitor all ports on this switch as well)
  monitor session 1 source remote vlan 901
  monitor session 1 destination interface gigabitethernet 3 (There are 4 Gigabit Ethernet Uplink in CISCO 3750, I want all the traffic to go to port 3, is this the right way to do?)
  Thanks in advance.

• Catalyst 3750 Switch

  How many total Vlans can you create in Catalyst 3750 Switch ? I read a document about Catalyst 3750 Switch. This document is said that "Although the switch stack supports a total of 1005 (normal-range and extended-range) VLANs, the
  number of routed ports". However, I am not sure. Can you confirm for me ? Thanks

  this link should be of some help to answer your question.
  http://www.cisco.com/en/US/products/hw/switches/ps5532/products_command_reference_chapter09186a00803ec324.html#wp1031710
  HTH-Cheers,
  Swaroop

• 3750 switch stacks

  I am new to the networking world and have some questions.
  I have 1 stack of six 3750 switches with a 10.50.3.10 ip address
  On the first stack (.10)I have int 6/0/19 , 20 and 21 assigned.
  I have a second ip scheme with one switch with an ip of 10.50.3.11
  Do I use a smartwise cable to connect the switches even though they have different ip schemes? Or do I use a only a cat 5 to connect the 2 differenet stacks. Also, do I need to configure the 6/0/19, 20 and 21 ports on the second ip scheme. I don't think it is possible now that I am writing this if the smartwise cables are not used. Any help would be appreciated.

  I apologize but I am not following you entirely. If you stack the 3750, you must use the stacking port and use the stackwise cable.
  You said: I have 1 stack of six 3750 switches with a 10.50.3.10 ip address
  >> This would mean you stacked them using the stackwise cable and all these six switches are seen as one single device.
  What do you mean by you have int 6/0/19-21 assigned? Assigned them what?
  You said: I have a second ip scheme with one switch with an ip of 10.50.3.11
  >> Sounds like you have another stack? Because the device will complaint if you address two different interfaces in teh same switch/router to the same subnet (10.50.3.10 and 10.50.3.11), unless these addresses are masked as host but I doubt that.

• CLI Template to run Archive Command to upgrade 3750 Switch in Prime

  Does anyone have or know how to write a template to upgrade a mixed stack of 3750 switches in Prime Infrastructure 2.0?  Prime does not support upgrading a mixed stack yet, but it can be done from command line.
  the command line would be:
  archive download-sw /allow /overwrite tftp://10.30.2.14/3750efilename  tftp://10.30.2.14/3750filename

  Hi,
  Please check:
  1. You need to download the correct .tar image file;
  2. Copy it to the root of your FTP or TFTP server;
  3. Upload, extract and install the .tar file to the switches (I always use the /imageonly option, because I don’t need the html files for management);
  4. Reload the switch stack;
  Please use this command:
  sw-stack#archive download-sw /imageonly /overwrite /allow-feature-upgrade ftp://user:password@/image-file.tar
  The boot parameters are automatically changed to the new IOS firmware. You can check the boot parameters with the show boot command.
  Regards
  Dont forget to rate helpful posts.