Install Fleet Upgrade

This section covers the following topics:

Meeting installation prerequisites

Cisco Crosswork Network Controller (CNC) Fleet Upgrade is a pre-built use case that enables users to manage, distribute, and commit software image upgrades on multiple network devices at the same time.

Fleet Upgrade is automated, usable out of the box, and provides strong error checking. It is customizable, extensible, and supports devices from Cisco and other vendors.

Installing Fleet Upgrade requires installation of Cisco Crosswork Network Controller (CNC), Crosswork Data Gateway (CDG), and Cisco Network Services Orchestrator (NSO). Fleet Upgrade leverages the capabilities of CNC Workflow Automation. By following the installation instructions in this document, you should be able to meet the additional hardware, software and other requirements detailed below. Refer to these requirements as a checklist if you experience issues with your installation.

Server hardware

To install CNC Workflow Automation and Fleet Upgrade, you must install the CNC Premier Package on a server equipped with a CNC cluster. Note that the requirements given in the table are for Cisco CNC installed in cluster deployments with the CNC Premier package.

As a general guideline, users should select high-specification computing hardware for Workflow Manager Solutions installations. Installation of the CNC OVA on VMware requires vCenter 8 and ESXi 8 hosts. Due to their high performance, solid state drives (SSDs) are preferred over traditional hard disk drives (HDDs). If you are using HDDs, their minimum speed should be over 15000 RPM. The VM data store(s) must have disk-access latency of less than 10 ms or deliver more than 5000 IOPS.

Table 1. Server hardware requirements

Component | Software form | Size | vCPUs | Memory | Disk (SSD) | Swap disk
Cisco CNC Cluster 7.1.0 | VMware vCenter or KVM VMs | Minimum 3 hybrid + 2 worker nodes | Varies with your choice of hypervisor. For details, see Cisco Crosswork Network Controller 7.1 Installation Guide topic, Identify the Resource Footprint.
Cisco Workflow Manager 2.0 | OVA | XLarge profile | 24 | 128GB | 1TB | n/a
Cisco NSO 6.4.1 | Tar / signed binary | n/a | 16 | 256GB | 1TB | 256GB

Server software

Fleet Upgrade runs on the following minimum versions of server software:

  • Cisco Crosswork Network Controller (CNC) 7.1 with Cisco Crosswork Data Gateway (CDG) 7.1

  • CNC Premier Package bundle cw-na-cncpremier-7.1.0-582-develop-250319.tar.gz

  • Cisco NSO version 6.4.1, with the following additional requirements:

    • The NSO installation must be a System install, NOT a Local install. For details on the distinction, see Ways to Deploy NSO.

    • Python 3.9 or later installed on the NSO host.

    • Python package textfsm installed on the NSO host.

    • Java 17 or later installed on the NSO host.

    • Ubuntu 22 or RHEL 8 installed on the NSO host.

    • NSO host ports open for 8080 or 8888 (HTTP/HTTPS for RESTCONF), and 20243 for Device Lifecycle Management.
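The NSO host requirements above can be turned into a repeatable preflight check. The following is an added example, not part of the Cisco guide: the function names are hypothetical, the sample inputs are constructed, "Ubuntu 22 or RHEL 8" is treated as an exact major-version match, and a listening socket reported by `ss -ltn` is used as a stand-in for "port open".

```python
import re

MIN_PYTHON, MIN_JAVA = (3, 9), 17          # minimums from the list above
SUPPORTED_OS = {"ubuntu": 22, "rhel": 8}   # assumption: exact major versions
RESTCONF_PORTS, DLM_PORT = {8080, 8888}, 20243

def python_ok(text):
    """text: output of `python3 --version`, e.g. 'Python 3.10.12'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= MIN_PYTHON

def java_major(text):
    """text: first line of `java -version`; legacy '1.8.0_392' means Java 8."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', text)
    if not m:
        return None
    major = int(m.group(1))
    return int(m.group(2)) if major == 1 and m.group(2) else major

def os_ok(text):
    """text: contents of /etc/os-release (ID and VERSION_ID are used)."""
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    major = fields.get("VERSION_ID", "").strip('"').split(".")[0]
    return major.isdigit() and SUPPORTED_OS.get(fields.get("ID", "").strip('"')) == int(major)

def listening_ports(text):
    """text: output of `ss -ltn`; returns the local TCP ports in LISTEN state."""
    ports = set()
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            ports.add(int(cols[3].rsplit(":", 1)[1]))
    return ports

def preflight(py, java, os_release, ss, has_textfsm):
    """Return the unmet requirements; an empty list means the host is ready."""
    ports = listening_ports(ss)
    checks = {
        "Python 3.9 or later": python_ok(py),
        "textfsm package": has_textfsm,  # e.g. importlib.util.find_spec("textfsm")
        "Java 17 or later": (java_major(java) or 0) >= MIN_JAVA,
        "Ubuntu 22 or RHEL 8": os_ok(os_release),
        "RESTCONF port 8080 or 8888": bool(ports & RESTCONF_PORTS),
        "DLM port 20243": DLM_PORT in ports,
    }
    return [name for name, ok in checks.items() if not ok]

# Constructed sample inputs (not captured from a real host)
SAMPLE_JAVA = 'openjdk version "1.8.0_392"'
SAMPLE_OS = 'NAME="Ubuntu"\nID=ubuntu\nVERSION_ID="22.04"\n'
SAMPLE_SS = "LISTEN 0 128 0.0.0.0:8888 0.0.0.0:*\nLISTEN 0 128 [::]:22 [::]:*\n"
```

With the constructed inputs, `preflight("Python 3.10.12", SAMPLE_JAVA, SAMPLE_OS, SAMPLE_SS, True)` reports the legacy Java 8 runtime and the missing 20243 listener.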

Fleet Upgrade supported NOS and devices

The Fleet Upgrade workflow has been tested with and is known to work with the network operating systems and devices shown in the following table.

Table 2. Fleet Upgrade network OS and device support

Network OS | Device
Cisco IOS-XR Versions: 7.8.2, 7.9.2, 7.10.1, 7.11.1, 24.1.1, 24.2.2 | Cisco NCS 540, Cisco C8000 (VXR), ASR9903, NCS 5501, XR LNDT and eXR platforms
Cisco IOS-XE Versions: IOS-XE 17.09, IOS-XE 17.12 | ASR 1000 series, Catalyst 9000 series
Juniper JunOS versions 18.1R1.9, 21.1R3.11 | Juniper MX960

Additional requirements

Supported browsers: Google Chrome (Version 131.0.x or later) and Mozilla Firefox (134.0.1 or later). For full functionality, browsers must have JavaScript and cookies enabled.

Site preparation: The user network environment and additional requirements vary with your choice of CNC cluster hypervisor. For guidance, see:


Note


CNC Workflow Automation and Fleet Upgrade do not currently support installation using the AWS EC2 cluster hypervisor option.


Install NSO, CNC and CDG

As explained in Meeting installation prerequisites, installing Fleet Upgrade requires that you have previously installed Cisco Crosswork Network Controller (CNC), Crosswork Data Gateway (CDG), and Cisco Network Services Orchestrator (NSO). If you have not already installed these three foundational applications, or upgraded them to the required versions, you will want to do so before continuing.

For help installing or upgrading CNC and CDG, see the Cisco Crosswork Network Controller 7.1 Installation Guide. Ensure that you perform a cluster install, on either the VMware or AWS platforms.

For help installing NSO, see the System Install documentation for NSO 6.4.1. For help upgrading, see the 6.4.1 Upgrade NSO document.

Create CNC Providers and Credential Profiles

A Crosswork Network Controller (CNC) Provider is a helper application that lets CNC perform special functions. Cisco Network Services Orchestrator (NSO) is a type of CNC Provider. Its special function is accessing and controlling your network devices.

CNC Credential Profiles store login user names and passwords in a secure fashion. CNC uses them to let Fleet Upgrade and CNC Providers authenticate when they attempt to access your devices.

Before continuing, follow the instructions in the Cisco Crosswork Network Controller Administrator Guide topic Create Credential Profiles to create two or more CNC Credential Profiles like these:

  1. NSO Credential Profile: Name it NSO-Credential or any other unique name you find meaningful. Give it a Connectivity type protocol of SSH, and a Username and Password that match the username and password of a user with administrator privileges on your NSO server.

  2. Device Credential Profile: Name it devices-profile or any other unique name. Add to it as many Connectivity type protocols (SSH, NETCONF, HTTP, HTTPS, and so on), with corresponding usernames and passwords, as appropriate for the devices you intend to manage using Fleet Upgrade. You can create multiple device Credential Profiles if you have groups of devices using the same protocols but with different credentials.

Once you have created these Credential Profiles, follow the instructions in the Cisco Crosswork Network Controller Administrator Guide topic Add a Cisco NSO Provider to add an NSO provider that uses the NSO credential profile you created above. This will allow Fleet Upgrade to authenticate with NSO.

If you already have created Credential Profiles and an NSO Provider, consider modifying them to use the parameters given here.

Install the Crosswork Premier application package

This topic explains how to install CNC Workflow Automation and Fleet Upgrade applications on cluster installations of Cisco Crosswork Network Controller (CNC).

CNC applications are offered as Essentials, Advantage, Premier and Add-on packages. Each package contains one or more installable CNC applications, stored in a format unique to Crosswork known as a CAPP (Crosswork APPlication).

To download and install the CAPPs in a CNC application package:

  1. Download and decompress the signed version of the CNC application package file.

  2. Use Python to verify the extracted files.

  3. Add the CAPPs to CNC.

  4. Install the CAPPs.

  5. Activate the installed CAPPs.

The following steps provide detail on how to perform each of these tasks.

Procedure


Step 1

Download and decompress the signed application package file:

  1. Navigate to cisco.com and download to an accessible storage location the signed CNC package. For example:

  2. Decompress the signed CNC package and extract its files using a command like this: tar -xvf <signature file>

    For example:

    cd <folder where tar was downloaded>
    tar -xvf signed-cw-na-cncpremier-7.1.0-85-release700-.tar.gz 
    README
    cw-na-cncpremier-7.1.0-85-release700-.tar.gz
    cw-na-cncpremier-7.1.0-85-release700-240823.tar.gz.signature
    CW-CCO_RELEASE.cer
    cisco_x509_verify_release.py3
    cisco_x509_verify_release.py

Step 2

Use Python to validate the extracted files:

Note

 

Use python --version to find out the version of Python on your machine.

If you do not have Python installed, go to python.org and download the version of Python that is appropriate for your environment.

If you are using Python 2.x, use the following command to validate the file:

python cisco_x509_verify_release.py -e <.cer file> -i <.tar.gz file> -s <.tar.gz.signature file> -v dgst -sha512

If you are using Python 3.x, use the following command to validate the file:

python cisco_x509_verify_release.py3 -e <.cer file> -i <.tar.gz file> -s <.tar.gz.signature file> -v dgst -sha512
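What a detached-signature check of this kind guarantees, shown as an added example (it is not Cisco's cisco_x509_verify_release script and not code from this guide). It assumes an RSA PKCS#1 v1.5 signature over a SHA-512 digest, which the guide does not state beyond `-v dgst -sha512`; the toy key, the package bytes and all function names are constructed for illustration.

```python
import hashlib

# DER-encoded DigestInfo header for SHA-512 (RFC 8017, section 9.2)
SHA512_PREFIX = bytes.fromhex("3051300d060960864801650304020305000440")

def encode(data: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-512(data) for a k-byte modulus."""
    t = SHA512_PREFIX + hashlib.sha512(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify(data: bytes, signature: bytes, n: int, e: int) -> bool:
    """True only if signature is valid for exactly these bytes under (n, e)."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    # Rebuild the expected encoding and compare it whole, rather than
    # parsing a digest out of the recovered block.
    return pow(s, e, n).to_bytes(k, "big") == encode(data, k)

# Constructed toy key built from two Mersenne primes: illustration only,
# not a usable key and not the key in CW-CCO_RELEASE.cer.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def sign(data: bytes) -> bytes:
    """Signer side, included only to produce a sample signature."""
    k = (N.bit_length() + 7) // 8
    return pow(int.from_bytes(encode(data, k), "big"), D, N).to_bytes(k, "big")

PACKAGE = b"constructed stand-in for the .tar.gz bytes"
SIGNATURE = sign(PACKAGE)

def demo():
    """Return (result for the original bytes, result after a one-byte change)."""
    tampered = PACKAGE[:-1] + b"!"
    return verify(PACKAGE, SIGNATURE, N, E), verify(tampered, SIGNATURE, N, E)
```

The check binds the signature to every byte of the package, so it has to be run against the same .tar.gz that is later added to CNC in Step 3.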

Step 3

Add the CAPPs to CNC:

  1. Log into CNC and select Administration > Crosswork Manager. The Crosswork Summary page is displayed with Crosswork Cluster and Crosswork Platform Infrastructure tiles.

  2. Click on Application Management and select the Applications tab.

  3. Click on the Add File (.tar.gz) option to add the application package that contains the CAPP files.

    When adding a CNC application package, there is no need to untar the package. You can add the package tarball to CNC as is. The CAPP applications within the application package are all automatically added when you add the package. You can then install the individual applications as needed.

  4. In the Add File dialog box, enter the relevant information and click Add.

    The add operation progress is displayed on the Applications screen. You can also view the installation progress in the Job History tab.

    When adding a CNC application package, the loading process may stop at 50 percent for a while, depending on the resources your host platform has available.

    CNC displays the newly added CAPPs as tiles on the Applications screen.

Step 4

Install the CAPPs:

Click on the Install prompt on each of the application tiles in the following sequence only:

  1. Element Management Functions (available in Essentials, Advantage, and Premium)

  2. Optimization Engine (available in Advantage and Premium)

  3. Active Topology (available in Advantage and Premium)

  4. Service Health (available in Advantage and Premium)

  5. Workflow Manager (available in Premier only)

  6. Workflow Manager Solutions (available in Premier only)

  7. Change Automation (available in Add-On only)

  8. Health Insights (available in Add-On only)

You can also install by clicking the more icon on the tile, and then selecting the Install option from the drop down list.

Once an application is installed, you will see changes in the application tile. All the related resources, UI screens and menu options are dynamically loaded in the Crosswork UI. The 90-day evaluation period will also start. You can register the application with your Cisco Smart Account in the Smart License tab.

Step 5

Activate the installed CAPPs:

To become functional, an installed CAPP must be activated. Unless a problem occurs, activation is automatic the first time you install a CAPP. Later re-installs (when, for example, upgrading to a higher license tier) require manual activation. To manually activate a CAPP, click the more icon on the application tile, then select Activate.

Step 6

(Optional) Once all CAPPs are installed and activated, check the health of the environment to make sure all the applications are healthy. Click the more icon on the application tile and select the View Details option to view details of the installed application. Note that it can take up to an hour for all the processes to launch and for the applications to report as healthy. If a newly installed application is not healthy after an hour, contact your Cisco Customer Experience team.


Deploy the NSO Function Packs

Use the Crosswork Network Controller (CNC) NSO Deployment Manager to deploy the CNC Premier NSO function packs on NSO. These function packs will provide the basic inventory management and other NSO capabilities needed to use CNC Workflow Automation and Fleet Upgrade. You will also need to log in to NSO to ensure that NACM is enabled and that other NSO settings are properly configured.

Before you begin

Ensure you have added NSO as a provider as explained in Create CNC Providers and Credential Profiles.

Procedure


Step 1

Log in to CNC and choose Administration > Crosswork Manager > NSO Deployment Manager.

Step 2

Under NSO Deployment Manager, choose the NSO function pack bundles tab and click the check box next to CWM SOLUTIONS FP. Then click the Deploy button to start the deployment process.

NSO Deployment Manager

Step 3

When prompted on the first Provide credentials page, provide the SSH User name, password and Sudo password credentials.

Providing Credentials

Step 4

On the Deployment target page, select Non-HA in the High Availability column, as shown below.

Deployment Target

Step 5

When prompted on the Review & Deploy page, click Deploy.

Step 6

Click the Job History tab to monitor the NSO deployment as it proceeds. You will see the packages listed in the Job Details window for the running job.

Job Details for the Function Pack Bundles

Step 7

When the job is listed as Succeeded, click the Installed NSO function packs tab and expand the NSO provider to verify that the packages are all installed.

The package list should look like the illustration below.

Installed NSO Function Pack List

You can also verify that all the packages are installed correctly by running the show packages command on NSO and comparing the command output with the list shown below.

admin1@ncs% run show packages package oper-status | tab
                                                                                                         PACKAGE
                           PROGRAM                                                                       META     FILE
                           CODE     JAVA           PYTHON         BAD NCS  PACKAGE  PACKAGE  CIRCULAR    DATA     LOAD   ERROR
NAME                   UP  ERROR    UNINITIALIZED  UNINITIALIZED  VERSION  NAME     VERSION  DEPENDENCY  ERROR    ERROR  INFO   WARNINGS
------------------------------------------------------------------------------------------------------------------------------------------
cisco-ios-cli-6.107    X   -        -              -              -        -        -        -           -        -      -      -
cisco-iosxr-cli-7.62   X   -        -              -              -        -        -        -           -        -      -      -
cisco-ztp              X   -        -              -              -        -        -        -           -        -      -      -
dlm-svc                X   -        -              -              -        -        -        -           -        -      -      -
fleet-upgrade          X   -        -              -              -        -        -        -           -        -      -      -
goldenconfig           X   -        -              -              -        -        -        -           -        -      -      -
inventory              X   -        -              -              -        -        -        -           -        -      -      -
inventory-junos        X   -        -              -              -        -        -        -           -        -      -      -
juniper-junos-nc-4.18  X   -        -              -              -        -        -        -           -        -      -      -
resource-manager       X   -        -              -              -        -        -        -           -        -      -      -
 
[ok][2025-04-22 12:06:26]
 
[edit]
admin1@ncs% run show packages package package-version  | tab
                       PACKAGE
NAME                   VERSION
--------------------------------
cisco-ios-cli-6.107    6.107.2
cisco-iosxr-cli-7.62   7.62
cisco-ztp              2.0.0
dlm-svc                7.1.0
fleet-upgrade          2.0.0
goldenconfig           2.0.0
inventory              2.0.0
inventory-junos        2.0.0
juniper-junos-nc-4.18  4.18.8
resource-manager       4.2.9
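The comparison described in this step can be scripted. The following is an added example, not part of the Cisco guide: it parses the two `| tab` listings and reports any package that is missing, not UP, or at a different version than the list above. The function names are hypothetical, the sample output is constructed, and any X outside the UP column is treated as a fault (assumption).

```python
# Expected packages and versions, copied from the listings above
EXPECTED = {
    "cisco-ios-cli-6.107": "6.107.2", "cisco-iosxr-cli-7.62": "7.62",
    "cisco-ztp": "2.0.0", "dlm-svc": "7.1.0", "fleet-upgrade": "2.0.0",
    "goldenconfig": "2.0.0", "inventory": "2.0.0", "inventory-junos": "2.0.0",
    "juniper-junos-nc-4.18": "4.18.8", "resource-manager": "4.2.9",
}

def table_rows(text):
    """Return the split data rows between the dashed rule and the next blank line."""
    rows, in_body = [], False
    for line in text.splitlines():
        s = line.strip()
        if not in_body:
            in_body = len(s) > 3 and set(s) == {"-"}
        elif not s:
            break
        else:
            rows.append(s.split())
    return rows

def audit(status_text, version_text):
    """Compare `oper-status | tab` and `package-version | tab` output to EXPECTED."""
    # Column 1 is UP; columns 2-10 are the error flags that precede ERROR INFO.
    up = {r[0]: r[1:2] == ["X"] and "X" not in r[2:11] for r in table_rows(status_text)}
    versions = {r[0]: r[1] for r in table_rows(version_text) if len(r) > 1}
    problems = []
    for name, want in EXPECTED.items():
        if name not in up:
            problems.append(f"{name}: missing")
        elif not up[name]:
            problems.append(f"{name}: not up")
        elif versions.get(name) != want:
            problems.append(f"{name}: version {versions.get(name)}, expected {want}")
    return problems

def sample_outputs():
    """Constructed output: fleet-upgrade flagged JAVA UNINITIALIZED,
    inventory-junos absent, goldenconfig at an unexpected version."""
    head, status, versions = "NAME  ...\n" + "-" * 40 + "\n", [], []
    for name, version in EXPECTED.items():
        if name == "inventory-junos":
            continue
        flags = ["-"] * 12
        flags[2 if name == "fleet-upgrade" else 0] = "X"
        status.append(f"{name}  {'  '.join(flags)}")
        versions.append(f"{name}  {'1.9.0' if name == 'goldenconfig' else version}")
    return head + "\n".join(status) + "\n\n[ok]\n", head + "\n".join(versions) + "\n"
```

`audit(*sample_outputs())` returns one finding per faulty package; an empty list means the deployment matches the list in this step.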

Step 8

If you haven't already done so, log in to NSO and set the following device global settings in configuration mode. These NSO settings are required for Fleet Upgrade.

admin@ncs% set devices global-settings connect-timeout 600
admin@ncs% set devices global-settings read-timeout 600
admin@ncs% set devices global-settings write-timeout 600
admin@ncs% set devices global-settings ssh-algorithms public-key ssh-rsa
admin@ncs% set devices global-settings trace pretty
admin@ncs% set devices global-settings ned-settings cisco-iosxr read admin-show-running-config false
admin@ncs% commit
 
admin@ncs% show devices global-settings
connect-timeout 600;
read-timeout    600;
write-timeout   600;
ssh-algorithms {
    public-key [ ssh-rsa ];
}
trace           pretty;
ned-settings {
    cisco-iosxr {
        read {
            admin-show-running-config false;
        }
    }
}

Step 9

Note that NACM is required for NSO. Ensure the Linux user has ncsadmin rights to perform functions on NSO.

admin@ncs% set nacm groups group ncsadmin user-name admin
admin@ncs% commit
 
 
admin@ncs% show nacm
read-default     deny;
write-default    deny;
exec-default     deny;
groups {
    group ncsadmin {
        user-name [ admin private ];
    }
    group ncsoper {
        user-name [ public ];
    }
}

Step 10

Copy the ncs_backup.sh, ncs_restore.sh and get_technical_support_data.sh scripts from the provided bundle to the scripts directory under the NCS_RUN_DIR, and update the permissions of the copied scripts to make them executable.

# Locate the NCS_RUN_DIR using the following command
cat /etc/systemd/system/ncs.service | grep NCS_RUN_DIR=
 
# Update the permissions
chmod +x ncs_backup.sh ncs_restore.sh get_technical_support_data.sh

What to do next

Follow the steps in Get Started With Fleet Upgrade.