switch# show version | include Mode You should see: INSTALL Mode (not BUNDLE Mode ). | Aspect | Manual extraction | Cisco expand command | |--------|------------------|------------------------| | Preserves crypto signatures | ❌ No | ✅ Yes | | Creates packages.conf | ❌ No | ✅ Yes | | Supports ISSU later | ❌ No | ✅ Yes | | TAC-supported | ❌ No | ✅ Yes | | Speed | Slow (copy errors) | Optimized | Part 4: Advanced “Better” Techniques – For Large Deployments Doing it on one device is fine. But what if you have 50 switches? Manually expanding BINs on each one is inefficient. Here’s how to convert BIN to PKG better at scale. Technique A: Offline Expansion Using a Virtual Machine Run Cisco’s IOS-XE in CML (Cisco Modeling Labs) or EVE-NG, expand once, then copy the PKG folder to all devices.
switch# install set-config active packages flash:packages.conf switch# install commit switch# write memory switch# reload After reload, verify: cisco convert bin to pkg better
Thus, “converting” is actually . Doing it better means doing it without corrupting crypto signatures, breaking dependencies, or losing boot capability. Part 2: The Wrong Ways – Common Mistakes When Converting BIN to PKG (And Why They Fail) Let’s clear the table of bad advice first. Mistake #1: Renaming .bin to .pkg Result: The device rejects it with “Digital signature verification failed.” Why: Cisco PKGs contain a special header and CMS signatures. Renaming doesn’t add those. Mistake #2: Using 7-Zip or WinRAR to Extract Result: You get garbage files, not bootable PKGs. Why: Cisco BINs are not standard archives. They use a proprietary packaging format (often with zip or xz compression inside, but not directly mountable). Mistake #3: Copying a PKG from Another Device Result: Dependency hell. The PKG may load but cause random crashes. Why: PKGs are hardware-specific and build-version locked. Mistake #4: Using Unsigned Third-Party Tools from Forums Result: Possibly malware, or at least an image that Cisco TAC will refuse to support. Why: Any modification breaks Cisco’s Secure Boot chain. switch# show version | include Mode You should
switch# request platform software package expand file flash:cat9k_iosxe.17.09.01.SPA.bin to flash: Manually expanding BINs on each one is inefficient
import paramiko import time devices = ["10.1.1.1", "10.1.1.2"] bin_file = "flash:cat9k_iosxe.17.09.01.SPA.bin"
Expanding file flash:cat9k_iosxe.17.09.01.SPA.bin Extracting packages: cat9k-cc_17.09.01.SPA.pkg ... OK cat9k-espbase_17.09.01.SPA.pkg ... OK cat9k-routing_17.09.01.SPA.pkg ... OK packages.conf (updated) ... OK Expansion completed successfully. Converting BIN to PKG is useless if you don’t change the boot variable: