Manage Software Images

About Image Repository

Cisco DNA Center stores all of the software images, software maintenance updates (SMUs), subpackages, ROMMON images, and so on for the devices in your network. Image Repository provides the following functions:

  • Image Repository: Cisco DNA Center stores all the unique software images according to image type and version. You can view, import, and delete software images.

  • Provision: You can push software images to the devices in your network.

Before using Image Repository features, you must enable Transport Layer Security protocol (TLS) on older devices such as Cisco Catalyst 3000, 4000, and 6000. After any system upgrades, you must re-enable TLS. For more information, see “Configure Security for Cisco DNA Center” in the Cisco DNA Center Administrator Guide.

Integrity Verification of Software Images

The Integrity Verification application monitors software images that are stored in Cisco DNA Center for unexpected changes or invalid values that could indicate your devices are compromised. During the import process, the system determines image integrity by comparing the software and hardware platform checksum value of the image that you are importing to the checksum value identified for the platform in the Known Good Values (KGV) file to ensure that the two values match.

On the Image Repository window, a message displays if the Integrity Verification application cannot verify the selected software image using the current KGV file. For more information about the Integrity Verification application and importing KGV files, see the Cisco Digital Network Architecture Center Administrator Guide.

View Software Images

After you run Discovery or manually add devices, Cisco DNA Center automatically stores information about the software images, SMUs, and subpackages for the devices.

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose Design > Image Repository.

The software images are organized and displayed based on the device type. By default, software images for physical devices are displayed. Toggle to the Virtual tab to view software images for virtual devices.

Note 

When cisco.com credentials are not set, a warning alert is displayed. Click the Expand link to view the affected features.

Step 2

In the Image Name column, click the downward arrow to view all the software images for the specified device type family. The Using Image column indicates how many devices are using the specific image shown in the Image Name field. Click the number link to view the devices that are using the image.

Step 3

In the Version column, click the Add On link to view the applicable SMUs, Subpackages, ROMMON, APSP, and APDP upgrades for the base image.

Subpackages are the additional features that can be added to the existing base image. The subpackage version that matches the image family and the base image version is displayed here.

AP Service Pack (APSP) and AP Device Pack (APDP) are images for upgrading APs associated with wireless controllers.

  • When a new AP hardware model is introduced, APDP is used to connect to the existing wireless network.

  • For associated APs, critical AP bug fixes are applied through APSP.

Note 

If you tag any SMU as golden, it is automatically activated when the base image is installed.

You cannot tag a subpackage as golden.

For ROMMON upgrades, the cisco.com configuration is mandatory. When a device is added, the latest ROMMON details are retrieved from cisco.com for applicable devices. Also, when the base image is imported or tagged, the ROMMON image is automatically downloaded from cisco.com.

Step 4

In the Device Role column, select a device role for which you want to indicate that this is a "golden" software image. For more information, see About Golden Software Images and Specify a Golden Software Image.

Use a Recommended Software Image

Cisco DNA Center can display and allow you to select Cisco-recommended software images for the devices that it manages.


Note

Only the latest Cisco-recommended software images are available for download.

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Cisco.com Credentials.

Step 2

Verify that you have entered the correct credentials to connect to cisco.com.
Step 3

In the Cisco DNA Center GUI, click the Menu icon () and choose Design > Image Repository.

Cisco DNA Center displays the Cisco-recommended software images according to device type.

Step 4

Designate the recommended image as golden. See Specify a Golden Software Image for more information.

After you designate the Cisco-recommended image as golden, Cisco DNA Center automatically downloads the image from cisco.com.

Step 5

Push the recommended software image to the devices in your network. See Provision a Software Image for more information.

Import a Software Image

You can import software images and software image updates from your local computer or from a URL.

Imported Images are categorized based on different supervisors, that are present in a specific device family. Categorization under different supervisors supports only Catalyst 9400 series family.

If you use FTP to import an image from an FTP server, use the FTP standard:

ftp://username:password@ip_or_hostname/path

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose Design > Image Repository.

Step 2

Click Import.

Step 3

Click Choose File to navigate to a software image or software image update stored locally or enter the image URL to specify an HTTP or FTP source from which to import the software image or software image update.

Step 4

If the image you are importing is for a third-party (not Cisco) vendor, select Third Party under Source. Then select an Application Type, describe the device Family, and identify the Vendor.

Step 5

Click Import.

A window displays the progress of the import.
Step 6

Click Show Tasks to verify that the image was imported successfully.

If you imported a SMU, Cisco DNA Center automatically applies the SMU to the correct software image, and an Add-On link appears below the corresponding software image.

Step 7

Click the Add-On link to view the SMU.

Step 8

In the Device Role field, select the role for which you want to mark this SMU as golden. See Specify a Golden Software Image for more information.

You can only mark a SMU as golden if you previously marked the corresponding software image as golden.

Assign a Software Image to a Device Family

After importing a software image, you can assign or unassign it to available device families. The imported image can be assigned to multiple devices at any time.

To assign an imported software image to a device family:

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose Design > Image Repository.

Step 2

Click Imported Images.

Step 3

Click the Assign link.

Step 4

In the Assign Device Family window, choose the Device Series from Cisco.com or All Device Series and click Assign link to which you want to map the image.

Step 5

Select appropriate site from the Global hierarchy and click Assign and then click Save.

Step 6

To unassign an image, choose a site from the Global hierarchy and click Unassign link in the Action column.

The software image is assigned to the device family and the number of devices using that image are shown in the Using Image column. After assigning the image, you can mark it as a golden image. See Specify a Golden Software Image.

If the device family is marked as a golden image, you cannot delete that image from the device family.

Note 

For PnP devices, you can import a software image and assign it to a device family even before the device is available. You can also mark the image as a golden image. When the device is made available in the inventory, the image that is assigned to the device family is automatically assigned to the newly added devices of that device family.

When the image is imported and Cisco DNA Center has cisco.com credentials added, Cisco DNA Center provides the list of device families that are applicable for the image. You can select the required device family from the list.

When the image is not available in cisco.com or when credentials are not added in Cisco DNA Center, you must design the right device family for the image.

Upload Software Images for Devices in Install Mode

The Image Repository page might show a software image as being in Install Mode. When a device is in Install Mode, Cisco DNA Center is unable to upload its software image directly from the device. When a device is in install mode, you must first manually upload the software image to the Cisco DNA Center repository before marking the image as golden, as shown in the following steps.

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose Design > Image Repository.

Step 2

In the Image Name column, find the software image of the device that is running in Install Mode.

Step 3

Click Import to upload the binary software image file for the image that is in Install Mode.

Step 4

Click Choose File to navigate to a software image stored locally or Enter image URL to specify an HTTP or FTP source from which to import the software image.

Step 5

Click Import.

A window displays the progress of the import.
Step 6

Click Show Tasks and verify that the software image you imported is green, indicating it has been successfully imported and added to the Cisco DNA Center repository.

Step 7

Click Refresh.

The Image Repository window refreshes. Cisco DNA Center displays the software image, and the Golden Image and Device Role columns are no longer greyed out.

About Golden Software Images

Cisco DNA Center allows you to designate software images and SMUs as golden. A golden software image or SMU is a validated image that meets the compliance requirements for the particular device type. Designating a software image or SMU as golden saves you time by eliminating the need to make repetitive configuration changes and ensures consistency across your devices. You can designate an image and a corresponding SMU as golden to create a standardized image. You can also specify a golden image for a specific device role. For example, if you have an image for the Cisco 4431 Integrated Service Routers device family, you can further specify a golden image for those Cisco 4431 devices that have the Access role only.

You cannot mark a SMU as golden unless the image to which it corresponds is also marked golden.

Specify a Golden Software Image

You can specify a golden software image for a device family or for a particular device role. The device role is used for identifying and grouping devices according to their responsibilities and placement within the network.

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose Design > Image Repository.

The software images are displayed according to device type.
Step 2

From the Family column, select a device family for which you want to specify a golden image.

Step 3

From the Image Name column, select the software image that you want to specify as golden.

Step 4

In the Device Role column, select a device role for which you want to specify a golden software image. Even if you have devices from the same device family, you can specify a different golden software image for each device role. Note that you can select a device role for physical images only, not virtual images.

If the software image you specified as golden is not already uploaded into the Cisco DNA Center repository, this process might take some time to complete. Under the Action column on the Image Repository page, if the trash can icon is greyed out, the image is not yet uploaded to the Cisco DNA Center repository. Cisco DNA Center must first upload the software image to its repository, and then it can mark the image as golden. If the software image is already uploaded to the Cisco DNA Center repository, indicated by the active trash can icon in the Action column, then the process to specify a golden image completes faster.

Configure an Image Distribution Server

You can configure an external image distribution server to distribute software images.

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose System > Settings > Device Settings > Image Distribution Servers.

Step 2

Click Add to add a new image distribution server.

Step 3

Configure the server settings:

  • Host: Hostname or IP address of the image distribution server.

  • Root Location: Working root directory for file transfers.

    Note 
    For Cisco AireOS Controllers, the image distribution fails if the configured path is more than 16 characters.

  • Username: Name that is used to log in to the image distribution server. The username must have read/write privileges on the working root directory on the server.

  • Password: Password that is used to log in to the image distribution server.

  • Port Number: Port number on which the image distribution server is running.

Step 4

Click Save.

Step 5

To edit the image distribution server settings, do the following:

  1. Click the Edit icon for the image distribution server where you want to change the configuration.

  2. Make the required changes in the Edit window.

  3. Click Save.

Add Image Distribution Servers to Sites

You can associate SFTP servers located in different geographical regions to sites, buildings, and floors. All the devices under the network hierarchy use the associated image distribution server during a network upgrade.

Before you begin

You must configure an image distribution server. See Configure an Image Distribution Server.

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose Design > Network Settings.

Step 2

In the left pane, choose the desired site to which you want to associate the image distribution server.
Step 3

Click Add Servers.

Step 4

In the Add Servers window, check the Image Distribution check box.

Step 5

Click OK.

Step 6

Click the Primary drop-down list and choose the image distribution server that you want to configure as primary.

Step 7

Click the Secondary drop-down list and choose the image distribution server that you want to configure as secondary.

Step 8

Click Save.

Provision a Software Image

You can push software images to the devices in your network. Before pushing a software image to a device, Cisco DNA Center performs upgrade readiness prechecks on the device, such as checking the device management status, disk space, and so on. If any prechecks fail, you cannot perform the software image update. After the software image of the device is upgraded, Cisco DNA Center checks for the CPU usage, route summary, and so on, to ensure that the state of the network remains unchanged after the image upgrade.


Note

You can perform prechecks on multiple devices.

Cisco DNA Center compares each device's software image with the image that you have designated as golden for that specific device type. If there is a difference between the software image of the device and the golden image, Cisco DNA Center specifies the software image of the device as outdated. The upgrade readiness prechecks are triggered for those devices. If all the prechecks are cleared, you can distribute (copy) the new image to the device and activate it (that is, make the new image the running image). The activation of the new image requires a reboot of the device. Because a reboot might interrupt the current network activity, you can schedule the process for a later time.

If you have not designated a golden image for the device type, the device's image cannot be updated. See Specify a Golden Software Image.

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose Provision > Devices > Inventory.

Step 2

From the Focus drop-down list, choose Software Images. Select the device whose image you want to upgrade.

Note 

If the prechecks succeed for a device, the Outdated link in the Software Image column has a green tick mark. If any of the upgrade readiness prechecks fail for a device, the Outdated link has a red mark, and you cannot update the software image for that device. Click the Outdated link and correct the errors before proceeding. See List of Device Upgrade Readiness Prechecks.

Step 3

From the Actions drop-down list, choose Software Images > Update Image.

The Image Upgrade window appears.

Step 4

Analyze Selection: Choose the devices that you want to upgrade and click Next.

Step 5

Distribute: Click Now to start the distribution immediately or click Later to schedule the distribution at a specific time.

To choose the validators you want to run for the current workflow and add new custom checks, do the following:

  1. Hover your mouse over the info icon to view the validation criteria and the CLI commands that are used for validation.

  2. Click the on or off toggle button to uncheck the validators that you do not want to run for the current workflow.

  3. (Optional) To add new custom pre checks and post checks, do the following:

    • Click add a new check link to launch the Add a New Custom Check window.
    • Enter the Name for the custom check.
    • Click the When drop-down arrow and choose pre, post, or both as required.
    • Click Select a Test Device drop-down arrow and choose a device for which you want to run these custom checks.
    • Click Open Command Runner and enter the CLI commands.
    • Expand the Additional Criteria area.
    • Click the Operation drop-down arrow and choose Distribution.
    • Click the Device Series drop-down arrow and choose the device series for which you want to run these custom checks.
    • Click Save.
    • If you want to edit a custom check, click the corresponding more icon, choose Edit, make the required changes, and click Save.
    • If you want to delete a custom check, click the corresponding more icon, choose Delete, and click Delete in the Confirm Delete message.
Note 

  • If you have associated external image distribution server to a network hierarchy, the image distribution to all the devices under the network hierarchy happens from the image distribution server. See Add Image Distribution Servers to Sites.

  • If the image is already distributed for the selected device, click Next.

  • If the SWIM Events for ITSM (ServiceNow) bundle is enabled, you need to update the image (distribute and activate) at a later time. Do not click Now to update the image. If you must update the image now, then the bundle and its integration workflow (image update schedule approval in ServiceNow) must first be disabled. To access the bundle, choose Platform > Manage > Bundles > SWIM Events for ITSM (ServiceNow). Click the Disable button in the SWIM Events for ITSM (ServiceNow) window. Wait a few seconds before proceeding to update the image, because the process to disable the bundle and workflow takes a few seconds.

Step 6

Click Next.

Step 7

Activate: Click Now to start the activation immediately or click Later to schedule the activation at a specific time.

To choose the validators you want to run for the current workflow and add new custom checks, do the following:

  1. Hover your mouse over the info icon to view the validation criteria and the CLI commands that are used for validation.

  2. Click the on or off toggle button to uncheck the validators that you do not want to run for the current workflow.

  3. (Optional) To add new custom pre checks and post checks, do the following:

    • Click add a new check link to launch the Add a New Custom Check window.
    • Enter the Name for the custom check.
    • Click the When drop-down arrow and choose pre or post or both as required.
    • Click Select a Test Device drop-down arrow and choose a device for which you want to run these custom checks.
    • Click Open Command Runner and enter the CLI commands.
    • Expand the Additional Criteria area.
    • Click the Operation drop-down arrow and choose Activation.
    • Click the Device Series drop-down arrow and choose the device series for which you want to run these custom checks.
    • Click Save.
    • If you want to edit a custom check, click the corresponding more icon, choose Edit, make the required changes, and click Save.
    • If you want to delete a custom check, click the corresponding more icon, choose Delete, and click Delete in the Confirm Delete message.
Step 8

Click Next.

Step 9

Summary: Review the Image upgrade settings. Click Back if you want to make any changes otherwise click Submit.

From the Actions drop-down list, choose Software Images > Image Update Status to check the status of the update.

Import ISSU Compatibility Matrix

In-Service Software Upgrade (ISSU) is a process that upgrades an image to another image on a device without reboot or minimal interruption of service. For an example of the Cisco IOS XE ISSU compatibilty matrix for Catalyst Switches, see https://software.cisco.com/download/home/286315874/type/286326638/release/17.4.1. You can download and import the ISSU compatibility matrix in Cisco DNA Center when you want to upgrade devices with ISSU.

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose Design > Image Repository.

Step 2

Click Import.

The Import Image/Add-On window appears.

Step 3

To import ISSU compatibility matrix with a software image, do the following:

  1. Click Choose File and browse to a software image or enter the image URL to specify an HTTP or FTP source from which to import a software image.

  2. If the image you are importing is for a third-party (non-Cisco) vendor, select Third Party under Source. Choose an Application Type, describe the device Family, and identify the Vendor.

  3. Under Select ISSU compatibility matrix, click Choose File and browse to the ISSU compatibility matrix file.

  4. Click Import.

Step 4

(Optional) To import ISSU compatibility matrix for software images that are already imported, do the following:

  1. Under Select ISSU compatibility matrix, click Choose File and browse to the ISSU compatibility matrix file.

  2. Click Import.

Step 5

Click Show Tasks to view the ISSU compatibility matrix file Import status.

Upgrade a Software Image with ISSU

Upgrading devices with ISSU eliminates the need to reboot and reduces the interruption of service.

Before you begin

Before you upgrade a device with ISSU, you must import ISSU compatibility matrix file. See Import ISSU Compatibility Matrix.

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose Provision > Devices > Inventory.

Step 2

From the Focus drop-down list, choose Software Images. Select the device whose image you want to upgrade.

Step 3

From the Actions drop-down list, choose Software Images > Update Image.

The Image Upgrade window appears.

Step 4

Analyze Selection: To enable ISSU upgrade, do the following:

  1. Choose the device that you want to upgrade with ISSU.

    Note 

    See the To Image column to know the ISSU validation status.

    • ISSU shown in amber: ISSU validation has failed because the selected to image is not ISSU compatible.

    • ISSU shown in gray: ISSU validation is success and the device supports ISSU.

  2. From the ISSU drop-down list, choose Enable ISSU Upgrade.

  3. Click Next.

Step 5

Distribute: Click Now to start the distribution immediately or click Later to schedule the distribution at a specific time.

To choose the validators you want to run for the current workflow and add new custom checks, do the following:

  1. Hover your mouse over the info icon to view the validation criteria and the CLI commands that are used for validation.

  2. Click the on or off toggle button to uncheck the validators that you do not want to run for the current workflow.

  3. (Optional) To add new custom pre checks and post checks, do the following:

    • Click add a new check link to launch the Add a New Custom Check window.
    • Enter the Name for the custom check.
    • Click the When drop-down arrow and choose pre, post, or both as required.
    • Click Select a Test Device drop-down arrow and choose a device for which you want to run these custom checks.
    • Click Open Command Runner and enter the CLI commands.
    • Expand the Additional Criteria area.
    • Click the Operation drop-down arrow and choose Distribution.
    • Click the Device Series drop-down arrow and choose the device series for which you want to run these custom checks.
    • Click Save.
    • If you want to edit a custom check, click the corresponding more icon, choose Edit, make the required changes, and click Save.
    • If you want to delete a custom check, click the corresponding more icon, choose Delete, and click Delete in the Confirm Delete message.
Note 

  • If you have associated external image distribution server to a network hierarchy, the image distribution to all the devices under the network hierarchy happens from the image distribution server. See Add Image Distribution Servers to Sites.

  • If the image is already distributed for the selected device, click Next.

  • If the SWIM Events for ITSM (ServiceNow) bundle is enabled, you need to update the image (distribute and activate) at a later time. Do not click Now to update the image. If you must update the image now, then the bundle and its integration workflow (image update schedule approval in ServiceNow) must first be disabled. To access the bundle, choose Platform > Manage > Bundles > SWIM Events for ITSM (ServiceNow). Click the Disable button in the SWIM Events for ITSM (ServiceNow) window. Wait a few seconds before proceeding to update the image, because the process to disable the bundle and workflow takes a few seconds.

Step 6

Click Next.

Step 7

Activate: Click Now to start the activation immediately or click Later to schedule the activation at a specific time.

To choose the validators you want to run for the current workflow and add new custom checks, do the following:

  1. Hover your mouse over the info icon to view the validation criteria and the CLI commands that are used for validation.

  2. Click the on or off toggle button to uncheck the validators that you do not want to run for the current workflow.

  3. (Optional) To add new custom pre checks and post checks, do the following:

    • Click add a new check link to launch the Add a New Custom Check window.
    • Enter the Name for the custom check.
    • Click the When drop-down arrow and choose pre, post, or both as required.
    • Click Select a Test Device drop-down arrow and choose a device for which you want to run these custom checks.
    • Click Open Command Runner and enter the CLI commands.
    • Expand the Additional Criteria area.
    • Click the Operation drop-down arrow and choose Activation.
    • Click the Device Series drop-down arrow and choose the device series for which you want to run these custom checks.
    • Click Save.
    • If you want to edit a custom check, click the corresponding more icon, choose Edit, make the required changes, and click Save.
    • If you want to delete a custom check, click the corresponding more icon, choose Delete, and click Delete in the Confirm Delete message.
Step 8

Click Next.

Step 9

Summary: Review the Image upgrade settings. Click Back if you want to make any changes otherwise click Submit.

From the Actions drop-down list, choose Software Images > Image Update Status to check the status of the update.

List of Device Upgrade Readiness Prechecks

Precheck

Description

File transfer check

Checks if the device is reachable through HTTPS and SCP.

The default order of protocols is HTTPS first and then SCP.

NTP clock check

Compares device time and Cisco DNA Center time to ensure successful Cisco DNA Center certificate installation.

Flash check

Verifies if there is enough disk space for the update. If there is not enough disk space, a warning or error message is returned. For information about the supported devices for Auto Flash cleanup and how files are deleted, see Auto Flash Cleanup.

Config register check

Verifies the config registry value.

Crypto RSA check

Checks whether an RSA certificate is installed.

Crypto TLS check

Checks whether the device supports TLS 1.2.

IP Domain name check

Checks whether the domain name is configured.

Startup config check

Checks whether the startup configuration exists for the device.

NFVIS Flash check

Checks if the golden image is ready to be upgraded in the NFVIS device.

Service Entitlement check

Checks if the device has valid license.

View Image Update Status

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon () and choose Provision > Devices > Inventory.

Step 2

From the Focus drop-down list, choose Software Images.

Step 3

From the Actions drop-down list, choose Software Images > Image Update Status.

By default, the Image Update Status window shows all the recent image update tasks. You can click the down arrow and choose Failed, In-progress, or Success tasks.

Step 4

Click the down arrow corresponding to each task and do the following to view details of the task:

  1. Click Show Scripts to view the precheck and postcheck status.

  2. Click View to view the precheck and postcheck details.

  3. Click View Diff to view the precheck and postcheck difference.

Auto Flash Cleanup

During the device upgrade readiness precheck, the flash check verifies whether there is enough space on the device to copy the new image. If there is insufficient space:

  • For devices that support auto flash cleanup, the flash check fails with a warning message. For these devices, the auto cleanup process is attempted during the image distribution process to create the sufficient space. As a part of the auto flash cleanup, Cisco DNA Center identifies unused .bin, .pkg, and .conf files and delete them iteratively until enough free space is created on the device. Image distribution is attempted after the flash cleanup. You can view these deleted files in Sytem > Audit Logs.


    Note

    Auto flash cleanup is supported on all devices except Nexus switches and Wireless controllers.

  • For devices that do not support auto flash cleanup, the flash check fails with an error message. You can delete files from device flash to create required space before starting the image upgrade.