Manage Software Images

About Software Image Management

Catalyst Center stores all the software images, software maintenance updates (SMUs), subpackages, ROMMON images, and so on, for the devices in your network. Software Image Management provides these functions:

  • Software Image Management: Catalyst Center stores all the unique software images according to image type and version. You can view, import, and delete software images.

  • Provision: You can push software images to the devices in your network.

Before using Software Image Management features, you must enable Transport Layer Security protocol (TLS) on older devices such as Cisco Catalyst 3000, 4000, and 6000. After any system upgrades, you must re-enable TLS. For more information, see “Configure Security for Catalyst Center” in the Cisco Catalyst Center Administrator Guide.


Note

In Release 2.3.3 and later, Catalyst Center supports only internal bootflash as the primary boot option for Software Image Management (SWIM) and Software Maintenance Updates (SMUs) on the IE3x00 series, and IE9x00 series switches.

If you have an earlier release of Catalyst Center (before Release 2.3.3), and if an IE3x00, or IE9x00 device in your network is already booted with a Secure Digital (SD) flash memory module, then ensure that you set the internal bootflash as the primary boot option on the device, using the boot flash-primary command.

To save and synchronize a running configuration from SD flash to bootflash, use the sync command.

Integrity Verification of software images

The Integrity Verification application monitors software images that are stored in Catalyst Center for unexpected changes or invalid values that could indicate your devices are compromised. During the import process, the system determines image integrity by comparing the software and hardware platform checksum value of the image that you are importing to the checksum value identified for the platform in the Known Good Values (KGV) file to ensure that the two values match.

On the Software Image Management page, a message displays if the Integrity Verification application cannot verify the selected software image using the current KGV file. For more information about the Integrity Verification application and importing KGV files, see the Cisco Catalyst Center Administrator Guide.

View software images

After you run Discovery or manually add devices, Catalyst Center automatically stores information about the software images, SMUs, and subpackages for the devices.

Procedure

Step 1

From the main menu, choose Provision > Software Image Management.

Step 2

The Overview tab consists of the following sections:

  • The top section displays the following details:

    • Images: Shows the number of images for device families along with critical and high advisories.

    • Devices: Shows the number of tagged images, images ready for update, failed update readiness, and failed image updates.

    • Updates: Shows the number of image updates that failed, in-progress, and are successful.

  • The Image Update Tools section at the bottom enables you to execute these tasks:

    • Schedule Image Update: Schedule the update of a software image at a specific date and time on selected devices. For more information, see Schedule Image Update.

    • Check Image Update Status: Click Check Update Status to trigger the precheck conditions and to resynchronize the image with the device. The Devices Updates slide-in pane shows the updates that are in-progress, waiting, terminated, successful, and failed.

      A table shows the details of device name, IP address, updated date, duration for the update, software image version, task name, status of the update, and actions. Click a device name to view more details. In the Actions column, you can click the Retry option for a device to re-run the update.

      Click Upcoming Tasks to view the scheduled updates.

    • Download Update Readiness Report: Click Download Readiness Report to download the device readiness results for all devices to a CSV file.

    • Import an Image: Click Import Image to import a software image or software image update. For more information, see Import a software image.

  • The Yet to be submitted Image Update flows section shows the upcoming tasks that are yet to be submitted. You can click the ellipsis icon in this section and choose to resume or delete the task.

Step 3

The Images tab consists of the following options.

  1. The Images section displays the number of total device families, images running, device families without standard, critical and high advisories.

    Click Show images summary or Hide images summary at the right to view or hide the summary.

  2. The bottom section displays the details of the product family name for the images, along with number of devices, images, images marked standard, and critical and high advisories for each device family.

    You can perform the following tasks:

    • Show imported images: Click to view the details about imported software images.

      In the Imported Image Family window, the Images table shows Image Name, Version, Device Series Assigned, and Action for all the imported software images.

      In the Action column, click Assign to assign a software image to a device family. For more information, see Manage software image assignment for a device family.

    • Show task: Click to view status of all the tasks that are related to software images.

      The Recent Tasks slide-in pane shows status of the last 50 tasks. From the Task Status drop-down list, choose All, Failed, In-Progress, or Successful to filter the tasks based on status.

    • Import images: Click to import a software image or software image update. For more information, see Import a software image.

From the Product Family Name column, click a device name to view more details.

  • A new window opens with all the available image for the selected device, displaying the image name and version.

  • The Attributes column shows the image details. You can download the image from Cisco.com for the image with the attribute as Recommended.

  • From the Actions column, you can choose to mark the images as standard and download them. For more information, see Mark a software image as standard.

    • Image details not available: Click to download a matching image.

    • Available for download: The image is available on Cisco.com for download. You can mark the image as standard and download it from Cisco.com.

    • Downloaded: The latest image is already downloaded. Click to mark the image as standard or standard with conditions.

    • Marked as standard: The image is marked as a standard one. Click the drop-down arrow to remove the standard tag or to edit the standard conditions.

Click the Sync Updates option at the top to view the latest status of the images.

Step 4

The Devices tab consists of the following options.

  1. The Devices section displays the number of total eligible devices and the number of devices with different image status. The image status are: image not tagged as standard, images ready for update, update readiness failed, failed images, image updates in progress, and devices running with standard image.

    Click Show devices summary or Hide devices summary at the right to view or hide the summary.

  2. The bottom section shows the details of the device name, tags, device family, software version, image status, image name, reachability, readiness check status, management address, latest update status, and image compatibility.

  3. Click Tag to create a new tag for a device or manage the existing tags. For more information, see Tag devices.

  4. Select one or more devices and click Check Image Update Readiness to trigger the precheck conditions and to resynchronize the image with the device. This option enables to display the latest resynchronized time, when you click the Ready option in the Devices tab. The Devices Updates slide-in pane shows the updates that are in-progress, waiting, terminated, successful, and failed.

  5. Click Download Update Readiness Report to download the device readiness results for all devices to a CSV file.

  6. Select the devices and click Update Devices to start the image upgrade process. This option redirects you to the Image Update window. This image upgrade procedure also allows you to schedule the image update at a specific date and time. For more information, see Schedule Image Update.

Click a device name to view more details of the device.

From the Device Family column, click a device name to view more details.

  • A new window opens with all the available image for the selected device, displaying the image name and version.

  • The Attributes column shows the image details. You can download the image from Cisco.com for the image with the attribute as Recommended.

  • From the Actions column, you can choose to mark the images as standard and download them. For more information, see Mark a software image as standard.

Click the Sync Updates option at the top to view the latest status of the images.

Step 5

The Updates tab shows the details of recent image updates that failed, are successful, are in-progress, and are scheduled. You can click the link to a task to view more information.

Step 6

If you have already configured the Cisco.com user, skip ahead to Step 3. If you haven't, complete these steps:

  1. Open an Incognito/private window in your browser (to avoid using previously cached credentials).

  2. Open another Catalyst Center GUI instance and log in.

  3. Open another instance of the Software Image Management page.

  4. Complete one of these tasks:

    If you... Then...

    completed a fresh installation of Catalyst Center,

    configure a new Cisco.com user by clicking the Add link in the Cisco.com ID field.

    upgraded to the latest version of Catalyst Center and want to use the same Cisco.com user that was configured previously,

    reauthenticate that user by clicking the Re-Authenticate link in the Cisco.com ID field.

    upgraded to the latest version of Catalyst Center and don't want to use the same Cisco.com user as before,

    		delete the old Cisco.com user and then configure a new one.

    1. Click the Delete link in the Cisco.com ID field.

    2. Confirm the operation by clicking Delete in the resulting dialog box.

    3. Click the Add link in the Cisco.com ID field.

  5. In the Information pop-up window, check one or both of these check boxes and then click Authenticate:

    • (Mandatory) I am in private or incognito mode

    • (Optional) Save credentials

  6. In the Activate your device pop-up window, confirm that an activation code is displayed and then click Next.

  7. In the Log in pop-up window, enter the cisco.com user's email address and then click Next.

  8. In the Verify with your password pop-up window, enter the cisco.com user's password and then click Verify.

    The Device activated pop-up window appears.

  9. Close the Device Activated pop-up window.

  10. Refresh the Software Image Management page.

  11. In the Cisco.com ID field, confirm that the email address you entered for the user displays. Also confirm that you see the Change link.

Step 7

Click Routers, Switches, Wireless Controllers, Security and VPN, Sensors, or Virtual Devices in the top of the window or click the search or filter icon in the Images tab to filter device families.

By default, the Images tab shows all the device families.

Note

 

Third-party (non-Cisco) devices are not shown in the Images window, because image activation and image update features are not supported for third-party devices.

Step 8

Click Sync Updates and then click OK in the subsequent warning message to synchronize image information from cisco.com for all managed devices in Catalyst Center.

If cisco.com credentials are not set, you are prompted to specify them.

You can view the progress of task in Show Tasks. After the task success, the image information updates for all device families.

Note

 

You can fetch image information only once in an hour.

Use a recommended software image

Catalyst Center displays and allows you to choose Cisco-recommended software images for the devices that it manages.


Note

Only the latest Cisco-recommended software images are available for download.

Procedure

Step 1

From the main menu, choose System > Settings > Cisco.com Credentials.

Step 2

Verify that you have entered the correct credentials to connect to cisco.com.

Step 3

From the main menu, choose Provision > Software Image Management.

Step 4

Click Images.

Catalyst Center displays each product family with its corresponding number of devices, images, images marked as standard, and so on.

Step 5

Under Product Family Name, click the product family to view all its available images.

This table lists some device types and their unsupported software images.

Device type

Limitations

APs managed by Catalyst Center

SWIM upgrade or downgrade is not supported.

Cisco Meraki devices

SWIM upgrade or downgrade is not supported.

Third-party devices

SWIM upgrade or downgrade is not supported.

Cisco Catalyst 9400 Series switches

Bootloader image upgrade or downgrade is not supported.

Cisco Catalyst 9800 Series switches

ROMMON image upgrade is supported. However, image downgrade is not supported.

Cisco ASR Series routers

Complex Programmable Logic Device (CPLD) image upgrade is not supported.

Cisco ISR Series routers

CPLD image upgrade is not supported.

Step 6

Mark the recommended image as standard.

For more information, see Mark a software image as standard.

Step 7

Provision the recommended software image on devices in your network.

For more information, see Provision a software image.

Import a software image

If Catalyst Center is deployed in an air-gapped environment or has no access to the cloud, you can import software images and software image updates from either your local computer or a URL. Otherwise, we recommend that you download software images from cisco.com.

Imported images are categorized based on different supervisors that are present in a specific device family. Categorization under different supervisors supports only the Cisco Catalyst 9400 series family.

If you use FTP to import an image from an FTP server, use the FTP standard:

ftp://username:password@ip_or_hostname/path

Procedure

Step 1

From the main menu, choose Provision > Software Image Management.

Step 2

Click the Images tab and then click Import images.

Alternately, click the Overview tab and click Import Image in the Image Update Tools section.

Step 3

On the Import Image slide-in pane, import the software image by completing these steps.

  1. Under Upload Option, indicate how you want to upload the image.

    This table describes the upload options.

    Option

    Description

    Select from computer

    Upload a local software image or software image update file.

    Enter URL

    Import software image or software image updates from an HTTP or FTP source.

    Note

     

    Software images are compliant with the Federal Information Processing Standard (FIPS). If FIPS mode is enabled in Catalyst Center, you cannot import images from a URL. Import images from your computer or cisco.com.

    Select ISSU compatibility matrix

    Upload a local compatibility matrix file.

    The In-Service Software Upgrade (ISSU) compatibility matrix provides information about the compatibility between the current and target software versions, ensuring that the upgrade can proceed without issues.

  2. Upload the file based on the chosen option.

    If you chose...

    Then...

    Select from computer or Select ISSU compatibility matrix,

    you can either:

    • drag and drop the file, or

    • click Choose a file and choose the locally-stored file.

    Enter URL,

    in the Enter Image URL (http or ftp) field, enter the image URL.

  3. Under Source, indicate the source of the image.

    If the image that you are importing is for a third-party vendor, click Third party. Then choose an Application Type, describe the device Family, and identify the Vendor.

    Note

     

    Image activation and image update features are not supported for third-party devices.

  4. Click Import.

Step 4

Click Show Tasks to verify that the image was imported successfully.

If you imported an SMU, Catalyst Center automatically applies the SMU to the correct software image. To view the SMU, return to the All available images table and expand the image row with the SMU.

Note

 

Catalyst Center does not allow you to import software images for the FTD devices that are managed by FMC. When you add FMC to inventory and it goes to the Managed state, go to the Software Image Management page, click Images, and click the relevant hyperlinked product family name in the table to view the software images available for the FMC.

Manage software image assignment for a device family

After importing a software image from either your local computer or a URL (excluding cisco.com), you can assign or reassign it to an available device family. The imported image can be assigned to multiple devices at any time.

Before you begin

You have imported a software image from either your local computer or a URL (excluding cisco.com). For more information, see Import a software image.

Procedure

Step 1

From the main menu, choose Provision > Software Image Management.

Step 2

Click Images.

Step 3

Click Show imported images.

Step 4

Manage the imported image using this table for instructions.

If you want to...

Then...

assign an imported image,

  1. Click Assign in the corresponding image name row.

  2. In the Assign Device Family slide-in pane, click Cisco Devices Series or All Device Series.

    Under All Device Series, you can filter the table by device type using the Select a device type drop-down list.

    Note

     

    Cisco Devices Series displays device series information only if there is internet connection.

  3. Check the check boxes for the device series to which you want to assign the software image.

    You can check the Device Series check box to choose all device series in the table.

  4. If the device series is not assigned to a site, click Select Site, and then in the Select Site dialog box, choose the appropriate site and click Select.

  5. Click Assign.

    Note

     

    • Assign is disabled if the device series is not assigned to a site.

    • If cisco.com credentials are not set, specify the credentials in System > Settings > Cisco.com Credentials.

reassign an imported image,

  1. Click Edit in the corresponding image name row.

  2. In the Assign Device Family slide-in pane, click Cisco Devices Series or All Device Series.

  3. Check the check boxes for the device series to which you want to reassign the software image.

  4. Click Select Site.

  5. In the Select Site dialog box, update the site assignment for this device family and then click Select.

  6. Click Assign.

Schedule Image Update

Use this procedure to schedule the update of a software image at a specific date and time on selected devices.

Procedure

Step 1

From the main menu, choose Provision > Software Image Management.

Step 2

Click the Images tab. Choose the image to be upgraded and mark the image as standard. To mark the image, see Mark a software image as standard.

Step 3

In the Devices tab, select the devices that need to be updated with the image and click Update Devices.

Alternately, you can go to the Overview tab and click Schedule Update in the Image Update Tools section. You are redirected to the Image upgrade workflow.

Step 4

The Image Update window opens which prompts you with instructions to schedule the image update.

Step 5

In the Task Name window, enter a unique name for the scheduled update task and click Next.

Step 6

In the Select Devices window, select the location of the devices from the left panel. In the Devices section, check the checkboxes for the devices you want to schedule the image update and click Next.

Note

 

If the prechecks succeed for a device, the Outdated link in the Software Image column has a green check mark. If any of the upgrade readiness prechecks fail for a device, the Outdated link has a red check mark, and you cannot update the software image for that device. Click the Outdated link and correct the errors before proceeding. See List of Device Upgrade Readiness Prechecks.

Step 7

In the Software Distribution Checks window, you can enable pre-checks and post-checks for the software distribution and choose the check order. After choosing the distribution checks, click Next.

Note

 

If you associated the external image distribution server with a network hierarchy, the image distribution server distributes the image to all devices under the network hierarchy. See Add image distribution servers to sites.

To choose the validators that you want to run for the current workflow or add new custom checks, do these steps:

  1. Hover your mouse over the information icon to view the validation criteria and the CLI commands that are used for the validation.

  2. Click the toggle button to uncheck the validators that you do not want to run for the current workflow.

  3. (Optional) To add new custom prechecks and postchecks, do these steps:

    1. Click add a custom check to launch the New Custom Check window.

    2. Enter the Name for the custom check.

    3. From the When drop-down list, choose pre, post, or both.

    4. From the Select a Test Device drop-down list, choose the device you want to check.

    5. Click Open Command Runner, and enter the CLI commands.

    6. Expand Add Known Command-Patterns to Ignore During Checks to add a command pattern that is used to ignore the matching output for the checks.

      To add a command pattern:

      • To create a new pattern, enter a desired name and string or pattern.

      • To use an existing pattern, click most commonly used patterns, select the desired pattern, and click Add Selected.

      • Click Test All Patterns.

    7. Expand the Additional Criteria area.

      From the Operation drop-down list, choose Distribution, Activation, or both.

    8. From the Device Series drop-down list, choose the desired device series and click Save.

Step 8

In the Software Activation Checks window, you can enable pre-checks and post-checks for the software activation and choose the check order. After choosing the activation checks, click Next.

Step 9

In the Device Activation Order window, you can use filters to sort devices and arrange the order of their activation in parallel or sequentially. After sorting the devices, you can reorder them sequentially. Click Next.

Step 10

In the Schedule Task and Clean Up window, schedule the following:

  • In the Software Distribution section, enable the checks for the software distribution.

  • In the Software Activation section, choose either Now or Later to schedule the update. If you choose Later, configure the start date and time, and choose the time zone for the update to start. By default, the time zone is set as the time zone of the selected site.

  • Check the Initiate Flash Cleanup After Activation checkbox to store only the running image and remove all previous images saved on the device.

After configuring the settings, click Next.

Step 11

The Summary window shows the summarized data of the scheduled update. Review the details and if required, you can click Edit to modify the settings. Click Submit.

Upload software images for devices in Install Mode

The Software Image Management page might show a software image as being in Install Mode. When a device is in Install Mode, Catalyst Center cannot upload its software image directly from the device. When a device is in Install Mode, you must first manually upload the software image to the Catalyst Center repository before marking the image as standard.

Procedure

Step 1

From the main menu, choose Provision > Software Image Management.

Step 2

Click Images.

Step 3

Under Product Family Name, click the hyperlinked product family name to view its available images.

Step 4

Under Image Name, find the software image of the device that is running in Install Mode.

Step 5

From the Image details not available drop-down list, choose Import matching image.

Step 6

On the Import Image slide-in pane, import the image by completing these steps.

  1. Under Upload Option, indicate how you want to upload the image.

    This table describes the upload options.

    Option

    Description

    Select from computer

    Upload a local software image or software image update file.

    Enter URL

    Import software image or software image updates from an HTTP or FTP source.

    Note

     

    Software images are compliant with Federal Information Processing Standard (FIPS). If FIPS mode is enabled in Catalyst Center, you cannot import images from a URL. Import images from your computer or cisco.com.

    Select ISSU compatibility matrix

    Upload a local compatibility matrix file.

  2. Upload the file based on the chosen option.

    If you chose...

    Then...

    Select from computer or Select ISSU compatibility matrix,

    you can either:

    • drag and drop the file, or

    • click Choose a file and choose the locally-stored file.

    Enter URL,

    in the Enter Image URL (http or ftp) field, enter the image URL.

  3. Under Source, indicate the source of the image.

    If the image that you are importing is for a third-party vendor, click Third party. Then choose an Application Type, describe the device Family, and identify the Vendor.

    Note

     

    Image activation and image update features are not supported for third-party devices.

  4. Click Import.

Step 7

Click Show task and verify that the software image you imported is green, indicating it has been successfully imported and added to the Catalyst Center repository.

Step 8

Click Refresh.

The page for the device family and its available images is refreshed. Catalyst Center displays the software image.

About standard software images

Catalyst Center allows you to designate software images and SMUs as standard. A standard software image or SMU is a validated image that meets the compliance requirements for the particular device type. Designating a software image or SMU as standard saves you time by eliminating the need to make repetitive configuration changes and ensures consistency across your devices. You can designate an image and a corresponding SMU as standard to create a standardized image. You can also specify a standard image for a specific device role. For example, if you have an image for the Cisco 4431 Integrated Service Routers device family, you can further specify a standard image for those Cisco 4431 devices that have the Access role only.

You cannot mark a SMU as standard unless the image to which it corresponds is also marked standard.

Mark a software image as standard

You can mark a software image for a device family or device role as standard. The device role identifies and groups devices according to their responsibilities and placement within the network.

Procedure

Step 1

From the main menu, choose Provision > Software Image Management.

Step 2

Click Devices.

Alternatively, you can click Images.

Step 3

Under Device Family, click the hyperlinked device family for which you want to mark a software image as standard.

Alternatively, if chose Images, click the hyperlinked product family under Product Family Name for which you want to mark a software image as standard.

Step 4

Mark the software image as standard with or without conditions.

Use this table to download and mark the image as standard based on if the image is uploaded to the Catalyst Center repository.

If the software image is...

And you want to...

Then...

uploaded into the Catalyst Center repository,

mark the image as standard with or without conditions,

  1. Under Image Name, locate the image that you want to mark as standard.

  2. From the corresponding Downloaded drop-down list for the image, choose Mark as standard or Mark as standard with conditions.

  3. In the Mark as standard slide-in pane, if required, configure the advanced settings to assign the image to a device role, device tags, or both. Then, click Confirm.

    • Device role: From the drop-down list, choose a role.

    • Device tags: From the drop-down list, check the device tag check boxes.

not uploaded into the Catalyst Center repository,

download the image and mark it as standard,

  1. Under Image Name, locate the image that you want to download and mark as standard.

  2. From the corresponding Available for download drop-down list for the image, choose Mark as standard.

  3. In the Mark as standard slide-in pane, click Confirm.

    The system automatically downloads the image and then marks it as standard. Under Actions, the software image download in-progress bar is displayed. This process might take some time.

    Note

     

    Importing software images from devices is not allowed.

not uploaded into the Catalyst Center repository,

only download the image,

  1. Under Image Name, locate the image that you want to mark as standard.

  2. From the corresponding Available for download drop-down list for the image, choose Download from Cisco.com.

  3. In the Download Image dialog box, click Save.

    Under Actions, the software image download in-progress bar is displayed. This process might take some time.

    Note

     

    Importing software images from devices is not allowed.

Note

 

If the image download fails, click Show task to view the Recent Tasks slide-in pane. From the Task Status drop-down list, choose Failed. Click See why? to view the failure details.

Step 5

If you want to download an add-on of the standard image, complete these steps:

  1. Under Image Name, locate the software image with the add-on and verify that the image is marked as standard.

    Note

     

    • If the software image with the add-on that you want to download is not marked as standard, you must first mark that image as standard.

    • The Add-ons column lists the number of add-ons for each software image.

  2. Expand the standard image row.

    The add-on is displayed in the expanded image row.

  3. From the corresponding Available for download drop-down list for that add-on, choose Download from Cisco.com.

    Note

     

    • Subpackages are only downloadable.

    • SMU, APSP, APDP, and PSIRT SMU upgrades for the base image are downloadable and can be marked as standard.

  4. In the Download Image dialog box, click Save.

    Re-expand the image row with the add-on to view the progress spinner under Actions. This process might take some time. When the download is completed, Downloaded is displayed under Actions.

Manage the standard software image

You can manage the software image that is marked as standard with or without conditions.

Before you begin

The software image must be marked as standard with or without conditions. For more information, see Mark a software image as standard.

Procedure

Step 1

From the main menu, choose Provision > Software Image Management.

Step 2

Click Devices.

Step 3

Under Device Family, click the hyperlinked device family for which you want to manage its standard image.

Step 4

Manage the standard image with or without conditions using this table.

If you want to...

Then...

edit a standard software image with or without conditions,

  1. Under Image Name, locate the standard image.

  2. From the corresponding Marked as standard or Conditionally marked as standard drop-down lists for the image, choose Edit standard conditions.

  3. In the Mark as standard slide-in pane, update the advanced settings and then click Confirm.

    • Device role: From the drop-down list, choose a role.

    • Device tags: From the drop-down list, check or uncheck the device tag check boxes.

unmark a software image as standard without conditions

  1. Under Image Name, locate the standard image.

  2. From the corresponding Marked as standard drop-down list for the image, choose Remove standard.

    The image is now in the downloaded state.

Note

 

If the image is marked as standard with conditions, you must first mark it as standard without conditions (that is, remove the conditions). Then, you can unmark it as standard.

replace the standard software image,

When you mark a different software image as standard with or without conditions, the current standard image is replaced with the new one. For more information, see Mark a software image as standard.

Configure an image distribution server

An image distribution server helps in the storage and distribution of software images. You can configure up to three external image distribution servers to distribute software images. You can also set up one or more protocols for the newly added image distribution servers.

Procedure

Step 1

From the main menu, choose System > Settings > Device Settings > Image Distribution Servers.

Step 2

In the Image Distribution Servers window, click Servers.

The table displays details about the host, username, SFTP, SCP, and connectivity of image distribution servers.

Step 3

Click Add to add a new image distribution server.

The Add a New Image Distribution Server slide-in pane is displayed.

Step 4

Configure these image distribution server settings:

  • Host: Enter the hostname or IP address of the image distribution server.

  • Root Location: Enter the working root directory for file transfers.

    Note

     
    For Cisco AireOS Wireless Controllers, image distribution fails if the configured path is longer than 16 characters.

  • Username: Enter a username to log in to the image distribution server. The username must have read/write privileges in the working root directory of the server.

  • Password: Enter a password to log in to the image distribution server.

  • Port Number: Enter the port number on which the image distribution server is running.

Step 5

Click Save.

Step 6

Because some legacy wireless controller software versions support only weak ciphers (such as SHA1-based ciphers) for SFTP, Catalyst Center should enable SFTP compatibility mode for SFTP connections from wireless controllers for software image management and wireless assurance. You can temporarily enable support for weak ciphers on the Catalyst Center SFTP server for up to 90 days. To allow weak ciphers:

  1. Hover over the i icon next to the IP address of the SFTP server and click Click here.

  2. In the Compatibility Mode slide-in pane, check the Compatibility Mode check box and enter a duration (from 1 minute to 90 days).

  3. Click Save.

Step 7

(Optional) To edit the settings, click the Edit icon next to the corresponding image distribution server, make the required changes, and click Save.

Step 8

(Optional) To delete an image distribution server, click the Delete icon next to the corresponding image distribution server and click Delete.

Change the protocol order of an image distribution server

You can change the protocol order of an image distribution server. Protocol order helps in performing verification checks on the image distribution servers. By default, the software images are distributed using the first protocol in the protocol order.

Procedure

Step 1

From the main menu, choose System > Settings > Device Settings > Image Distribution Servers.

Step 2

In the Image Distribution Servers window, click the Preferences tab.

The default protocol order displays.

Step 3

In the Protocol Order area, click the On/Off protocol toggle button to enable or disable a protocol.

  • HTTPS—Catalyst Center logs in to the device and uses the copy https://<Catalyst-Center-IP-address>/<Catalyst-Center-image-path> command using TLS 1.2 with the Catalyst Center certificate authority. For any issues, see Troubleshoot HTTPS Error in Cisco Catalyst Center for SWIM.

  • SCP—Catalyst Center logs in to the device and uses the SCP://sftpuser:randomised-password@<Catalyst-Center-IP-address>/<Catalyst-Center-image-path> command. For any issues, you must open a TAC case.

  • SFTP—Catalyst Center logs in to the device and uses the SFTP://sftpuser:randomised-password@<Catalyst-Center-IP-address>/<Catalyst-Center-image-path> command. For any issues, you must open a TAC case.

Note

 

The HTTPS or SCP protocol must be enabled for image distribution. The SFTP protocol must be enabled for all protocol orders to support legacy devices.

If the HTTPS protocol is disabled or image distribution fails while using the HTTPS protocol, the software image is distributed using the SCP protocol.

Step 4

Drag and drop the protocols to change the protocol order.

Step 5

Click Save.

Add image distribution servers to sites

You can associate SFTP servers located in different geographical regions to sites, buildings, and floors. All the devices under the network hierarchy use the associated image distribution server during a network upgrade.

Before you begin

You must configure an image distribution server. See Configure an image distribution server.

Procedure

Step 1

From the main menu, choose Design > Network Settings > Servers.

Step 2

Expand the Image Distribution area to select SFTP servers to act as image distribution servers.

Step 3

Check the Add image distribution servers check box to view the fields.

Step 4

From the Primary drop-down list, choose the image distribution server that you want to configure as primary.

Step 5

Click the icon and from the Secondary drop-down list, choose the image distribution server that you want to configure as secondary.

Step 6

Click Save.

Provision a software image

Catalyst Center compares each device software image with the image that you have designated as standard for that specific device type. If there is a difference between the software image and the standard image, Catalyst Center specifies that the software image of the device is outdated. If this is the case, you can update the outdated software image.

Before pushing a software image to a device, Catalyst Center performs upgrade readiness prechecks on the devices, such as checking the device management status, disk space, and so on. If any prechecks fail, you cannot perform the software image upgrade. You need to correct any issues before you can upgrade the software image on the devices.

If all the prechecks succeed, you can distribute (copy) the new image to the device and activate it (that is, make the new image the running image). The activation of the new image requires a reboot of the device. Because a reboot might interrupt the current network activity, you can schedule the process for a later time.

After the software image is successfully upgraded, Catalyst Center performs upgrade postchecks, such as checking the CPU usage, route summary, and so on, to ensure that the state of the network remains unchanged.

Before you begin

  • Make sure the device type has a designated standard image. See Mark a software image as standard.

  • To upgrade the software image immediately, you must disable the Automation Events for ITSM (ServiceNow) bundle. To access the bundle, choose Platform > Manage > Bundles > Automation Events for ITSM (ServiceNow).

Procedure

Step 1

From the main menu, choose Provision > Software Image Management.

Step 2

Click the Images tab. Choose the image to be upgraded and mark the image as standard. To mark the image, see Mark a software image as standard.

Step 3

In the Devices tab, select the devices that need to be updated with the image and click Update Devices.

Alternately, you can go to the Overview tab and click Schedule Update in the Image Update Tools section. You are redirected to the Image upgrade workflow.

Step 4

The Image Update window opens which prompts you with instructions to configure the image update.

Step 5

In the Task Name window, enter a unique name for the update task and click Next.

Step 6

In the Select Devices window, select the location of the devices from the left panel. In the Devices section, check the checkboxes for the devices you want to schedule the image update and click Next.

Note

 

If the prechecks succeed for a device, the Outdated link in the Software Image column has a green check mark. If any of the upgrade readiness prechecks fail for a device, the Outdated link has a red check mark, and you cannot update the software image for that device. Click the Outdated link and correct the errors before proceeding. See List of Device Upgrade Readiness Prechecks.

Step 7

In the Software Distribution Checks window, you can enable pre-checks and post-checks for the software distribution and choose the check order. After choosing the distribution checks, click Next.

Note

 

If you associated the external image distribution server with a network hierarchy, the image distribution server distributes the image to all devices under the network hierarchy. See Add image distribution servers to sites.

To choose the validators that you want to run for the current workflow or add new custom checks, do these steps:

  1. Hover your mouse over the information icon to view the validation criteria and the CLI commands that are used for the validation.

  2. Click the toggle button to uncheck the validators that you do not want to run for the current workflow.

  3. (Optional) To add new custom prechecks and postchecks, do these steps:

    1. Click add a custom check to launch the New Custom Check window.

    2. Enter the Name for the custom check.

    3. From the When drop-down list, choose pre, post, or both.

    4. From the Select a Test Device drop-down list, choose the device you want to check.

    5. Click Open Command Runner, and enter the CLI commands.

    6. Expand Add Known Command-Patterns to Ignore During Checks to add a command pattern that is used to ignore the matching output for the checks.

      To add a command pattern:

      • To create a new pattern, enter a desired name and string or pattern.

      • To use an existing pattern, click most commonly used patterns, select the desired pattern, and click Add Selected.

      • Click Test All Patterns.

    7. Expand the Additional Criteria area.

      From the Operation drop-down list, choose Distribution, Activation, or both.

    8. From the Device Series drop-down list, choose the desired device series and click Save.

Step 8

In the Software Activation Checks window, you can enable pre-checks and post-checks for the software activation and choose the check order. After choosing the activation checks, click Next.

Step 9

In the Device Activation Order window, you can use filters to sort devices and arrange the order of their activation in parallel or sequentially. After sorting the devices, you can reorder them sequentially. Click Next.

Step 10

In the Schedule Task and Clean Up window, schedule the following:

  • In the Software Distribution section, enable the checks for the software distribution.

  • In the Software Activation section, choose either Now or Later to schedule the update. If you choose Later, configure the start date and time, and choose the time zone for the update to start. By default, the time zone is set as the time zone of the selected site.

  • Check the Initiate Flash Cleanup After Activation checkbox to store only the running image and remove all previous images saved on the device.

After configuring the settings, click Next.

Step 11

The Summary window shows the summarized data of the scheduled update. Review the details and if required, you can click Edit to modify the settings. Click Submit.

Import the ISSU compatibility matrix

In-Service Software Upgrade (ISSU) is a process that upgrades an image on a device with no or minimal service interruption. ISSU is supported only within or between long-lived releases, such as 17.3.x to 17.3.y or 17.3.x to 17.6.y. For an example of the Cisco IOS XE ISSU compatibility matrix for Catalyst Switches, see https://software.cisco.com/download/home/286315874/type/286326638/release/17.6.2. You can download and import the ISSU compatibility matrix that corresponds to the target release in Catalyst Center to upgrade devices with ISSU.

Procedure

Step 1

From the main menu, choose Provision > Software Image Management.

Step 2

Click the Images tab and then click Import images.

Alternately, click the Overview tab and click Import Image in the Image Update Tools section.

Step 3

In the Import Image slide-in pane, click the Select ISSU compatibility matrix radio button and click Choose a file to navigate to an ISSU compatibility matrix file stored locally.

Step 4

Click Import.

Step 5

Click Show Tasks to view the ISSU compatibility matrix file import status.

Note

 

Starting from Catalyst Center 2.3.7 and later, compatibility matrix files are automatically downloaded for ISSUE-supported devices' running images and standard-tagged images available in cisco.com.

Upgrade a software image with ISSU

Upgrading devices using the In-Service Software Upgrade (ISSU) eliminates the need to reboot and reduces service interruption.

Before you begin

  • Before you upgrade a device using the ISSU, you must import the ISSU compatibility matrix file. See Import the ISSU compatibility matrix.

  • To upgrade the software image immediately, you must disable the Automation Events for ITSM (ServiceNow) bundle. To access the bundle, choose Platform > Manage > Bundles > Automation Events for ITSM (ServiceNow).

Procedure

Step 1

From the main menu, choose Provision > Software Image Management.

Step 2

In the Devices tab, select the devices that need to be updated with the image and click Update Devices.

Alternately, you can go to the Overview tab and click Schedule Update in the Image Update Tools section. You are redirected to the Image upgrade workflow.

Step 3

The Image Update window opens which prompts you with instructions to configure the image update.

Step 4

In the Task Name window, enter a unique name for the update task and click Next.

Step 5

In the Select Devices window, select the location of the devices from the left panel. In the Devices section, check the checkboxes for the devices you want to schedule the image update and click Next.

Note

 

If the prechecks succeed for a device, the Outdated link in the Software Image column has a green check mark. If any of the upgrade readiness prechecks fail for a device, the Outdated link has a red check mark, and you cannot update the software image for that device. Click the Outdated link and correct the errors before proceeding. See List of Device Upgrade Readiness Prechecks.

Step 6

In the Software Distribution Checks window, you can enable pre-checks and post-checks for the software distribution and choose the check order. After choosing the distribution checks, click Next.

Note

 

If you associated the external image distribution server with a network hierarchy, the image distribution server distributes the image to all devices under the network hierarchy. See Add image distribution servers to sites.

To choose the validators that you want to run for the current workflow or add new custom checks, do these steps:

  1. Hover your mouse over the information icon to view the validation criteria and the CLI commands that are used for the validation.

  2. Click the toggle button to uncheck the validators that you do not want to run for the current workflow.

  3. (Optional) To add new custom prechecks and postchecks, do these steps:

    1. Click add a custom check to launch the New Custom Check window.

    2. Enter the Name for the custom check.

    3. From the When drop-down list, choose pre, post, or both.

    4. From the Select a Test Device drop-down list, choose the device you want to check.

    5. Click Open Command Runner, and enter the CLI commands.

    6. Expand Add Known Command-Patterns to Ignore During Checks to add a command pattern that is used to ignore the matching output for the checks.

      To add a command pattern:

      • To create a new pattern, enter a desired name and string or pattern.

      • To use an existing pattern, click most commonly used patterns, select the desired pattern, and click Add Selected.

      • Click Test All Patterns.

    7. Expand the Additional Criteria area.

      From the Operation drop-down list, choose Distribution, Activation, or both.

    8. From the Device Series drop-down list, choose the desired device series and click Save.

Step 7

In the Software Activation Checks window, you can enable pre-checks and post-checks for the software activation and choose the check order. Click Next.

Step 8

In the Device Activation Order window, you can use filters to sort devices and arrange the order of their activation in parallel or sequentially. After sorting the devices, you can reorder them sequentially.

  1. Choose the device that you want to upgrade with ISSU.

    Note

     

    The To Image column shows the ISSU validation status.

    • ISSU shown in amber: ISSU validation failed because the selected image is not ISSU compatible.

    • ISSU shown in gray: ISSU validation succeeded and the device supports ISSU.

  2. From the ISSU drop-down list, choose Enable ISSU Upgrade.

  3. Click Next.

Step 9

In the Schedule Task and Clean Up window, schedule the following:

  • In the Software Distribution section, enable the checks for the software distribution.

  • In the Software Activation section, choose either Now or Later to schedule the update. If you choose Later, configure the start date and time, and choose the time zone for the update to start. By default, the time zone is set as the time zone of the selected site.

  • Check the Initiate Flash Cleanup After Activation checkbox to store only the running image and remove all previous images saved on the device.

After configuring the settings, click Next.

Step 10

The Summary window shows the summarized data of the scheduled update. Review the details and if required, you can click Edit to modify the settings. Click Submit.

List of device upgrade readiness prechecks

Precheck

Description

File transfer check

Checks if the device is reachable through HTTPS and SCP

The default order of protocols is HTTPS first and then SCP.

For Catalyst Center configured with FQDN, an error message is displayed if the name server associated with the device is unreachable.

NTP clock check

Compares device time and Catalyst Center time to ensure successful Catalyst Center certificate installation.

Flash check

Calculates the disk space required for upgrading to the standard image with add-on and performs flash clean up proactively before image distribution. If there is not enough disk space, a warning or error message is returned. For information about the supported devices for Auto Flash cleanup and how files are deleted, see Auto Flash Cleanup.

Config register check

Verifies the config registry value.

Crypto RSA check

Checks whether an RSA certificate is installed.

Crypto TLS check

Checks whether the device supports TLS 1.2.

Weak Crypto Check

Checks whether the device is configured with weak crypto like SNMP V3 user added with MD5 authentication. The image upgrade is blocked due to weak crypto for device with software image version 17.14 and later.

IP Domain name check

Checks whether the domain name is configured.

Startup config check

Checks whether the startup configuration exists for the device.

NFVIS Flash check

Checks whether the standard image is ready to be upgraded in the NFVIS device.

Service Entitlement check

Checks whether the device has a valid license.

Image Compatibility Check

Checks whether the standard image is compatible with the device.

Image Version Support

Checks whether the device is tagged with the compatible standard image version. If the tagged image version is below compatible version, it will fail.

ISSU Compatibility

Checks whether the matching compatibility matrix is available for the running image and standard image.

View image update status

Procedure

Step 1

From the main menu, choose Provision > Software Image Management.

Step 2

In the Overview tab you can view these updates:

  • Updates: Shows the number of image updates that failed, in-progress, and are successful.

  • In the Image Update Tools section, click Check Update Status to check the status of the image updates that are triggered. The Devices Updates slide-in pane shows the updates that are in-progress, waiting, terminated, successful, and failed.

    Click Upcoming Tasks to view the scheduled updates.

  • The Yet to be submitted Image Update flows section shows the upcoming tasks that are yet to be submitted. You can click the ellipsis icon in this section and choose to resume or delete the task.

Step 3

In the Devices tab, select the devices for which tasks failed by checking check boxes and click Retry to retry the image update.

Step 4

The Updates tab shows the details of recent image updates that failed, are successful, are in-progress, and are scheduled. You can click the link to a task to view more information.

View image update workflow

Procedure

Step 1

From the main menu, choose Provision > Software Image Management. In the Overview tab, click Schedule Update in the Image Update Tools section.

Alternately, you can also choose Workflows > Image Update.

Step 2

In the Task Name window, enter a unique name for the scheduled update task and click Next.

Step 3

In the Select Devices window, select the location of the devices from the left panel. In the Devices section, check the checkboxes for the devices you want to schedule the image update and click Next.

Note

 

If the prechecks succeed for a device, the Outdated link in the Software Image column has a green check mark. If any of the upgrade readiness prechecks fail for a device, the Outdated link has a red check mark, and you cannot update the software image for that device. Click the Outdated link and correct the errors before proceeding. See List of Device Upgrade Readiness Prechecks.

Step 4

In the Software Distribution Checks window, you can enable pre-checks and post-checks for the software distribution and choose the check order. After choosing the distribution checks, click Next.

Note

 

If you associated the external image distribution server with a network hierarchy, the image distribution server distributes the image to all devices under the network hierarchy. See Add image distribution servers to sites.

To choose the validators that you want to run for the current workflow or add new custom checks, do these steps:

  1. Hover your mouse over the information icon to view the validation criteria and the CLI commands that are used for the validation.

  2. Click the toggle button to uncheck the validators that you do not want to run for the current workflow.

  3. (Optional) To add new custom prechecks and postchecks, do these steps:

    1. Click add a custom check to launch the New Custom Check window.

    2. Enter the Name for the custom check.

    3. From the When drop-down list, choose pre, post, or both.

    4. From the Select a Test Device drop-down list, choose the device you want to check.

    5. Click Open Command Runner, and enter the CLI commands.

    6. Expand Add Known Command-Patterns to Ignore During Checks to add a command pattern that is used to ignore the matching output for the checks.

      To add a command pattern:

      • To create a new pattern, enter a desired name and string or pattern.

      • To use an existing pattern, click most commonly used patterns, select the desired pattern, and click Add Selected.

      • Click Test All Patterns.

    7. Expand the Additional Criteria area.

      From the Operation drop-down list, choose Distribution, Activation, or both.

    8. From the Device Series drop-down list, choose the desired device series and click Save.

Step 5

In the Software Activation Checks window, you can enable pre-checks and post-checks for the software activation and choose the check order. After choosing the activation checks, click Next.

Step 6

In the Device Activation Order window, you can use filters to sort devices and arrange the order of their activation in parallel or sequentially. After sorting the devices, you can reorder them sequentially. Click Next.

Step 7

In the Schedule Task and Clean Up window, schedule the following:

  • In the Software Distribution section, enable the checks for the software distribution.

  • In the Software Activation section, choose either Now or Later to schedule the update. If you choose Later, configure the start date and time, and choose the time zone for the update to start. By default, the time zone is set as the time zone of the selected site.

  • Check the Initiate Flash Cleanup After Activation checkbox to store only the running image and remove all previous images saved on the device.

After configuring the settings, click Next.

Step 8

The Summary window shows the summarized data of the scheduled update. Review the details and if required, you can click Edit to modify the settings. Click Submit.

Auto flash cleanup

During the device upgrade readiness precheck, the flash check verifies whether there is enough space on the device to copy the new image. If there is insufficient space:

  • For devices that support auto flash cleanup, the flash check fails with a warning message. For these devices, the auto cleanup is attempted during the image distribution process to create the sufficient space. As a part of the auto flash cleanup, Catalyst Center identifies unused .bin, .pkg, and .conf files and deletes them iteratively until enough free space is created on the device. Image distribution is attempted after the flash cleanup. You can view these deleted files in Activities > Audit Logs.


    Note

    Auto flash cleanup is supported on all devices except Nexus switches and wireless controllers.

  • For devices that do not support auto flash cleanup, the flash check fails with an error message. You can delete files from the device flash to create space before starting the image upgrade.