Cisco Unified Computing System (UCS) is a complex collection of various
hardware components that run embedded firmware. This document describes best
practices for UCS firmware management.
Cisco recommends that you:
Have a working knowledge of Cisco UCS blade server software and
Be familiar with Cisco UCS Manager GUI
Understand the impact and implications of the different commands
described in this document
Be familiar with the UCS components and topology. Refer to the
Network Diagram section for a diagram of a typical
Ensure that you meet these requirements before you attempt this
The information in this document is based on Cisco UCS.
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a default configuration. If your network is live, make sure that you understand
the potential impact of any command.
This image shows a typical Cisco UCS topology:
Refer to the
Technical Tips Conventions for more information on document
Here are some best practices to consider when you manage images:
Before you perform firmware updates, use the UCS Manager image
management interfaces in order to download relevant images to the fabric
Cisco UCS Manager maintains an inventory of available firmware
Images are stored in /bootflash
partition in the fabric interconnect.
The /bootflash partition is dedicated
solely to firmware images managed by the UCS Manager.
Each fabric interconnect ships preloaded with one firmware
Faults are raised when the /bootflash
partition exceeds 70% and 90% capacity.
Each image represents an individual firmware package specific to one
hardware component. For example: IOM image, BMC image,UCS manager image, and so
Multiple images are bundled together to form an image package.
An image package is meant only for ease of distribution and
Unlike an individual image, image packages do not have
Cisco publishes both individual images and image packages.
Here are some best practices to consider when you download
Cisco UCS Manager allows you to download both individual images and
You can use these four protocols in order to transfer images to the
Cisco UCS: SCP, FTP, SFTP, and TFTP.
Image download can be initiated from the UCS CLI and GUI.
In order to download the image via the CLI, use the
download image command in scope
In the GUI, click Installed Firmware under
A download task is created that can be used to monitor the download
progress; use the show download-task command.
When you download a package, the package is unpacked, and individual
images are extracted from it.
The same image can be downloaded multiple times.
A failed (or successful) download tasks can be restarted.
In the CLI, use the restart command in
scope download-task mode or execute the same
download command again in order to start the download process.
In the GUI, click the Restart link under Download
Task in order to resume the download process.
Download tasks can be deleted at any time. When you delete a download
task, downloaded images are not deleted.
Special considerations must be taken into account when you download
images in a UCS high-availability cluster configuration with multiple fabric
Here are some best practices to consider when you download images to an
In a fabric interconnect cluster, images on both fabric interconnects
are automatically synced.
When you download images or packages during cluster setup, images are
automatically downloaded to both clustered fabric
When two previously separated fabric interconnects join to form a
cluster, all images are synced from the primary fabric interconnect to the
If images are deleted from the primary fabric interconnect when the
subordinate is down, the images will be removed from the subordinate when it
comes back up.
Here are some best practices to consider when you delete images:
You can use the UCS Manager GUI or the CLI in order to remove unused
Image deletion is asynchronous. When the administrator removes an
image, the object is marked as “Deleted." The delete process performed in the
In the case of an HA cluster, images are automatically deleted on
both fabric interconnects.
Packages are read only, and they cannot be deleted.
You can delete multiple images in either the UCS Manager GUI or CLI:
Select multiple images in GUI.
Execute the delete image command in the
You can delete by type or
version. For example, this command deletes all images
versioned as 1.1(0.47):
delete image version 1.1(0.47)
Cisco UCS Manager provides two different views of the catalog of
firmware images and their contents available on the fabric interconnect. The
two views are packages and images.
Here are some best practices to consider for packages and
The UCS Manager maintains inventory of all available images.
The image catalog contains a list of images and packages.
A package is a read-only object that is created when it is
A package does not occupy disk space. It represents a list or
collection of images that were unpacked as part of the package download.
A package cannot be deleted. Packages are automatically purged when
all the images that are part of the package are removed.
When an individual image is downloaded, the package name is the same
as the image name.
You can use the show image and
show package commands in order to view the contents
of a catalog.
The show image command is available at
each endpoint scope. Corresponding filters are applied.
For example, the show image command under
IOM scope displays all available IOM images.
The show system firmware expand command
displays firmware versions that run on all endpoints.
The show <endpoint>
firmware command displays all firmware details for that endpoint.
For example, the show server firmware
displays firmware details for all servers in the system.
Package view provides you with a read-only representation of the
packages that have been downloaded onto the fabric interconnect. By default
this view is sorted by image, not by the contents of the image. For bundle
images, you can use this view to see which component images exist in each
A package is comprised of these images:
Fabric-interconnect kernel and system images
UCS Manager image
IOM firmware image
BMC firmware image
Network-facing adapter firmware (UCS CNA M71KR)
Host-facing adapter firmware (applicable for UCS CNA M71KR adapter
QLogic option ROM
Emulex option ROM
LSI option ROM
You can use either of these methods to update the firmware:
Direct update—Direct update at the
Firmware policy—Updates to server
components through service profiles that include a host firmware package policy
and a management firmware package policy.
Cisco UCS Manager separates the direct update process into stages to
ensure that you can push the firmware to a component while the system runs
without affecting uptime on the server or other component. Because you do not
need to reboot the server until after you activate the firmware update, you can
perform that task overnight or during other maintenance windows.
These stages occur when you manually update firmware:
Update—During this stage, the system pushes the
selected firmware version to the component. The update process overwrites the
firmware in the backup slot on the component.
Activate—During this stage, the system sets the
backup slot as active and reboots the endpoint. When the endpoint is rebooted,
the backup slot becomes the active slot, and the active slot becomes the backup
slot. The firmware in the new active slot becomes the startup version and the
If the component cannot boot from the startup firmware, it defaults
to the backup version and raises an alarm.
Here are some best practices to consider for firmware updates:
Many of the components in UCS can store more than one firmware image.
The image with which the endpoint is booted is called the
The other non-active image is called the backup
The image with which the endpoint would boot next time is called the
The UCS Manager provides update operations to
push a new version of the firmware to replace the backup image.
The UCS Manager provides activate operations to
change the running version to a new version.
For some endpoints, you can use the
activation in order to set the component boot image without resetting the
device. The next reset will result in the component booting to the selected
For the fabric interconnect firmware and Cisco UCS Manager, no update
is needed as the image is already present locally.
LSI firmware, option ROM, host-facing adapter firmware, and BIOS
cannot be updated directly like other components. These components can be
updated only through firmware policies associated with the service profile.
Cisco UCS Manager provides interfaces to update and activate. There
is no ordering for endpoint resets during the activation.
While updates can be issued simultaneously, Cisco recommends that
software and firmware activations be issued in a logical, methodical order.
Firmware that is activated must pass compatability checks; otherwise,
the activation fails.
Cisco UCS Manager supports update for these components:
Fabric interconnect: Kernel image, system image, Cisco UCS Manager
Server: BIOS, BMC, adapters, LSI
Here are best practices to consider for kernel and system
Kernel and system image activation is disruptive to application I/O
and blade network connectivity as the fabric interconnect needs to be reset
after activation is complete.
In a cluster setup, each fabric interconnect can be activated
independently of the other.
After activation, fabric interconnect and all the IOMs connected to
it are automatically reset.
Although kernel and system images can be activated separately, Cisco
recommends that you activate them together to reduce downtime.
Here are best practices to consider for UCS Manager firmware:
UCS Manager on both fabric interconnects must run the same
UCS Manager activation brings down management for a brief period.
All the virtual shell (VSH) connections are disconnected.
In a cluster setup, UCS Manager on both fabric interconnects are
UCS Manager update does not affect server application I/O as fabric
interconnects do not need to be reset.
If UCS Manager is updated while subordinate is down, subordinate
fabric interconnect automatically updates when it comes back online.
Here are best practices to consider for I/O module (IOM)
Similar to other UCS components, each I/O module stores two images (a
running image and a backup image).
The update operation replaces the backup image of IOM with the new
The activate operation demotes the current startup image to a backup
image. A new startup image is put in its place, and the system is configured to
boot from this backup image.
option can be used to set only the active image; a reset does not occur. This
process can be used to upgrade multiple I/O modules and then simultaneously
reset them. If the fabric interconnect is updated and then activated, the
fabric interconnect reboots the corresponding I/O Module, reducing the
It is very important for the IOM and fabric interconnect to be
compatible with each other.
If the software that runs on the fabric interconnect detects an IOM
that runs an incompatible version, it performs an automatic update of the IOM
to bring it to the same version as the fabric interconnect system
UCS Manager raises fault to indicate this situation. In additon, the
discovery state of IOM displays Auto updating while the
automatic update is in progress.
The show firmware [detail] command at IOM
scope shows running, backup, and startup firmware versions.
In the UCS GUI, you can view the firmware at each chassis level on
the Installed Firmware tab.
Here are best practices to consider for I/O module (IOM)
There are two methods to update the server firmware:
Direct update—Manual method for
installing server firmware at each server component endpoint. The direct update
method is available only for BMC (adapter-network facing).
Firmware policy—Results in automatic
installation of the server firmware at a given endpoint when a service profile
is bound to that server. The firmware policy method is logical and used with a
service profile, which can be applied to any server.
If a firmware is set to update with a service profile, direct update
is not permitted.
Direct update is not available for BIOS, LSI firmware, option ROM,
and host-facing adapter firmware. These components can be updated only through
firmware policy (via a service profile).
The BMC server firmware is very similar to CMC in which it stores two
images: running and backup.
The update firmware command at scope BMC
replaces the backup firmware with new version.
The activate firmware command at scope BMC
configures the backup image as the running image and the previous running
version as the backup version.
The show firmware [detail] command at
scope BMC displays firmware details.
Here are best practices to consider for direct update:
Network-facing firmware of UCS CNA M71KR also stores two images:
running and backup.
The update firmware command at scope
adapter replaces the backup firmware with new version.
The activate firmware command at scope
adapter configures the backup image as the running image and the previous
running version as the backup version.
The show firmware [detail] command at
scope adapter displays firmware details.
UCS CNA M71KR includes host-facing firmware that is updated only
through the firmware policy method.
You can update firmware through the service profiles on the server and
adapter firmware, including the BIOS on the server. You must define these
policies and include them in the service profile associated with a
Two policies are supported:
Firmware Host pack—BIOS, LSI Firmware, LSI option ROM, Qlogic
option ROM, Emulex firmware, Emulex option ROM
Firmware Management Pack—BMC
Firmware packs can be created at the organization levels just like
any other management policy.
Each firmware pack can contain pack items that represent firmware per
Service profiles have two properties: one property for each type of
firmware pack. If those properties are set to a valid pack name, associations
trigger and firmware from the pack is applied to the server.
The same firmware pack name can be used for multiple service
profiles. Change in version of any of the pack items triggers reassociation of
all the affected service profiles to apply the new version.
There is currently no specific verify for this configuration
There is currently no specific troubleshooting information available
for this configuration.