Prerequisites

Prerequisites for upgrading

You must complete the system updates before you can update any packages. Download and install package updates only after you install all system updates.


Important

In a multihop upgrade, you must confirm that the applications have been updated successfully before you begin the next system update. If you skip to the next system update without first updating the applications, you will have to reimage your Cisco Catalyst Center appliance.

Note these points:

  • You cannot upgrade the packages individually. You must complete every step described in this guide.

  • Before you upgrade, ensure that the cluster link interface is connected to a switch port and is up. To confirm the interface state, complete these steps:

    1. In an SSH client, log in to Catalyst Center on your appliance.

    2. Run the ifconfig interface-name command, using the appropriate interface name for your appliance:

      Interface name Catalyst Center appliance

      enp94s0f1

      Medium second-generation appliance (DN2-HW-APL)

      Medium third-generation appliance (DN3-HW-APL)

      Large second-generation appliance (DN2-HW-APL-L)

      Large third-generation appliance (DN3-HW-APL-L)

      enp69s0f1

      Extra large second-generation appliance (DN2-HW-APL-XL)

      Extra large third-generation appliance (DN3-HW-APL-XL)

    3. Check the output's last line to verify that data has been received and transmitted. Nonzero values indicate that the interface is up and operational.

Review this list of prerequisites before upgrading your installed instance of Catalyst Center:

  • You must have SUPER-ADMIN-ROLE permissions to perform this procedure. For more information, see the Cisco Catalyst Center Administrator Guide.

  • Create a backup of your Catalyst Center database. For more information, see the Cisco Catalyst Center Administrator Guide.

  • If you have a firewall, allow Catalyst Center to access these URLs on each node in your cluster for all system and package downloads:

    Log in to the cluster and run the maglev catalog settings validate command to verify cloud connectivity with AWS. For more information, see the "Internet connectivity traffic" table in the Cisco Catalyst Center Appliance Installation Guide.

  • While the Catalyst Center GUI is compatible with these browsers that support HTTPS, we recommend that you use Chrome, not Firefox, during the upgrade:

    • Google Chrome: Version 93 or later (recommended for upgrade)

    • Mozilla Firefox: Version 92 or later (not recommended for upgrade)

  • Have the username and password for a cisco.com user account available during the upgrade. You might be prompted for the account credentials during package installations. This can be any valid cisco.com user account.

  • Allocate enough time for the upgrade. It can take more than 6 hours.

  • Use Catalyst Center's applications and tools only after the upgrade is complete.

  • Confirm that the minimum disk requirements are met:

    • The / partition has at least 2 GB of free space.

    • The /data partition has at least 35 GB of free space and is not more than 70% full.

    If you receive a storage validations failed error, contact Cisco TAC.

  • If the Catalyst Center download, update, or install procedures fail for any reason, retry the procedure a second time using the GUI.

  • If your environment uses Catalyst Center's disaster recovery implementation, see the "Implement Disaster Recovery" chapter in the Cisco Catalyst Center Administrator Guide for upgrade information specific to a disaster recovery setup.

  • Before you upgrade your disaster recovery system or update your Cisco IMC firmware, first place your system on pause. For more information, see the "Pause Your Disaster Recovery System" section in the Cisco Catalyst Center Administrator Guide.

In a 3-node cluster, you can trigger an upgrade of the entire cluster from the Catalyst Center GUI (the GUI represents the entire cluster and not just a single host). An upgrade triggered from the GUI automatically upgrades all hosts in the cluster.


Note

To upgrade a 3-node cluster, Service Distribution (or high availability) must be enabled.

Factors that affect the upgrade

Download times for upgrade

The download time for the Catalyst Center software upgrade, which is approximately 40 GB in size, depends on your internet bandwidth. The following table provides download time estimates for various common bandwidth speeds.


Note

These estimates are based on ideal conditions. Factors such as network congestion and connection stability can affect actual download times.

Table 1. Upgrade download times

Bandwidth (in megabits per second)

Estimated download time

25 Mbps

3 hours, 38 minutes

50 Mbps

1 hour, 49 minutes

100 Mbps

54 minutes

200 Mbps

27 minutes

Connection throttling

During the software upgrade process, many objects are downloaded. If a web security appliance limits connections based on criteria such as the total data transferred within a period or the number of concurrent connections, this throttling can interrupt the download process and may cause it to fail. To ensure a smooth software upgrade, configure exceptions for Catalyst Center traffic to prevent throttling.

Proxy and firewall

The proxy or firewall must allow the software management URLs that are listed in the Cisco Catalyst Center Appliance Installation Guide's "Required Internet URLs and Fully Qualified Domain Names" topic.

TLS intercept proxy

The TLS intercept proxy will disrupt the software download activity initiated by Catalyst Center if the TLS intercept proxy certificate is not installed on Catalyst Center. To add the TLS intercept proxy certificate, refer to the "Upload an SSL Intercept Proxy Certificate" topic in the Cisco Catalyst Center Administrator Guide.

Antimalware

The Catalyst Center software management system retrieves files from the Cisco connected catalog server and Docker images from a remote Docker registry. To prevent interruptions and failures in the software download process, exclude these compressed file formats from antimalware scans.

The following table provides application package data details.

Table 2. Application package data

Files

content-type

content-encoding

Notes

tar.gz

application/x-compressed

gzip

Commonly used for compressed archives. Also seen as application/x-gzip or application/x-compressed.

.json

application/json

None

Text-based format for representing structured data. Typically UTF-8 encoded.

The following table provides Docker image details.

Table 3. Docker images

Component

File extension

content-type

content-encoding

Docker image layers

.tar.gz

application/gzip

gzip

Docker image manifest

.json

application/json

None

Docker configuration object

.json

application/json

None

YAML configuration

.yaml/yml

text/yaml or application/x-yam

None

Docker image archive

.tar or .tar.gz

application/x-tar or application/gzip

None or gzip

Update the Cisco IMC firmware

To update your Cisco IMC firmware, review the Catalyst Center release notes for the release that you are installing. The “Supported Firmware” section of the release notes lists the Cisco IMC firmware version for your Catalyst Center release.

Then, see the Cisco Host Upgrade Utility User Guide for instructions on updating the firmware.

If your deployment uses a three-node cluster configuration, before you update the Cisco IMC firmware, shut down all nodes in the cluster. Alternatively, you can upgrade the nodes individually. See “Typical Cluster Node Operations” in the Cisco Catalyst Center High Availability Guide and follow the steps to shut down one or all nodes for maintenance.

Password policy

After you have deployed Catalyst Center, review these password policy requirements.

Fresh Catalyst Center deployments

This section describes password policies for new deployments.

  • The default password for the maglev user and admin superuser is P@ssword9.

    You are prompted to change the password for the admin superuser after you log in to the Catalyst Center GUI for the first time.

  • When you change any user's password or configure a new user, ensure their password complies with the new requirements.

Catalyst Center upgrades

This section explains password behavior during system upgrades.

  • Role-Based Access Control (RBAC) users configured in an earlier version of Catalyst Center can continue using their current password to log in to Catalyst Center 2.3.7.9 and later.

    For example, you upgraded an appliance from version 2.3.7.6 to 2.3.7.9. You then backed up the data from the appliance and later restored its backup file onto another appliance with Catalyst Center 2.3.7.9 installed. Existing RBAC users can log in using their current password.

  • When you change any user's password or configure a new RBAC user, ensure their password complies with the new requirements.

See Password requirements to learn the criteria your new password must meet.

Password requirements

Any user password you configure in Catalyst Center 2.3.7.9 or later must meet these requirements:

  • Is at least nine characters in length.

  • Includes characters from at least three of these categories:

    • Uppercase letters (A to Z)

    • Lowercase letters (a to z)

    • Numbers (0 through 9)

    • Special characters (such as !, $, and #)

  • Does not contain more than four consecutive characters on an English QWERTY keyboard.

    For example, 59Asdfpj! is not a valid password because it contains the characters a, s, d, and f in succession.

  • Does not contain two or more consecutive characters from the associated username.

  • Does not contain a complete word from any language.

  • Does not contain a phrase based on personal information.


Note

You can reuse a previous password only after you use 24 different passwords.

Supported upgrade paths for hot fixes

The Catalyst Center version that's displayed for your appliance in the CLI and GUI varies slightly. To determine the back-end version installed on your appliance (listed in the first column of the table), run the maglev release status command in an SSH client.

Table 4. Supported Catalyst Center upgrade paths
If your release is… You can upgrade to…

2.3.7.9.70301

2.3.7.9.70301.10

2.3.7.10.70209

2.3.7.9.70301

2.3.7.9.70301.10 (Recommended)

2.3.7.7.70047.30

2.3.7.9.70301.10 (Recommended)

2.3.7.7-70047-CSCwn89323.SMU

2.3.7.10.70209

2.3.7.9.70301.10 (Recommended)

2.3.7.9.70301

2.3.7.7-70047-CSCwn83603.SMU

2.3.7.7-70047-CSCwn35006.SMU

2.3.7.7.70047

2.3.7.6-70319-CSCwn08634.SMU

2.3.7.10.70209

2.3.7.9.70301.10 (Recommended)

2.3.7.9.70301

2.3.7.7.70047 > 2.3.7.7.70047-HF10

2.3.7.6-70319-CSCwm74579.SMU

2.3.7.6-70319-CSCwm79563.SMU

2.3.7.6-70319-CSCwn31915.SMU

2.3.7.6.70319

2.3.7.5.70434

2.3.7.4.70424

2.3.7.3.70332

2.3.7.0.70488

2.3.6.0.70351

2.3.6.0.70349

2.3.5.6-70143-CSCwn29942.SMU

2.3.5.6.70143-HF40

2.3.5.6.70143-HF30

2.3.5.6.70143-HF20

2.3.5.6.70143-HF10

2.3.5.6-70143-CSCwm60252.SMU

2.3.5.6.70143

2.3.5.5.70026-HF90

2.3.7.10.70209

2.3.7.9.70301.10 (Recommended)

2.3.7.9.70301

2.3.7.7.70047 > 2.3.7.7.70047-HF10

2.3.7.6.70319

2.3.5.5.70026-HF80

2.3.5.5.70026-HF72

2.3.5.5.70026-HF70

2.3.5.5.70026-HF61

2.3.5.5.70026-HF60

2.3.5.5.70026-HF53

2.3.5.5.70026-HF52

2.3.5.5.70026-HF51

2.3.5.5.70026-HF50

2.3.5.5.70026-HF40

2.3.5.5.70026-HF30

2.3.5.5.70026-HF20

2.3.5.5.70026-HF16

2.3.5.5.70026-HF15

2.3.5.5.70026-HF14

2.3.5.5.70026-HF13

2.3.5.5.70026-HF12

2.3.5.5.70026-HF11

2.3.5.5.70026-HF10

2.3.5.5.70026-HF2

2.3.5.5.70026-HF1

2.3.5.5.70026

2.3.5.4.70852-HF40

2.3.7.10.70209

2.3.7.9.70301.10 (Recommended)

2.3.7.9.70301

2.3.7.7.70047 > 2.3.7.7.70047-HF10

2.3.5.6.70143 > 2.3.5.6.70143-HF1

2.3.5.4.70852-HF20

2.3.5.4.70852-HF5

2.3.5.4.70852-HF4

2.3.5.4.70852-HF3

2.3.5.4.70852-HF2

2.3.5.4.70852

2.3.5.3.70194-HF20

2.3.5.3.70194-HF5

2.3.5.3.70194-HF4

2.3.5.3.70194-HF3

2.3.5.3.70194-HF2

2.3.5.3.70194-HF1

2.3.5.3.70194

2.3.5.0.70586

2.3.3.7.72328-HF6

2.3.7.7.70047 > 2.3.7.7.70047-HF10 (Recommended)

2.3.5.6.70143 > 2.3.5.6.70143-HF1

2.3.5.5.70026

2.3.3.7.72328-HF5

2.3.3.7.72328-HF4

2.3.3.7.72328-HF3

2.3.3.7.72328-HF2

2.3.3.7.72328-HF1

2.3.3.7.72328

2.3.3.7.72323

2.3.3.6.70045-HF2

2.3.3.6.70045-HF1

2.3.3.6.70045

2.3.3.5.70134-HF5

2.3.3.5.70134-HF4

2.3.3.5.70134-HF2

2.3.3.5.70134-HF1

2.3.3.5.70134

2.3.3.4.72142-HF2

2.3.3.4.72142

2.3.3.3.72139

2.3.3.0.70399
Table 5. Supported Catalyst Center on ESXi upgrade paths
If your release is… You can upgrade to…

2.3.7.9.70301

2.3.7.9.70301.10

2.3.7.10.70209

2.3.7.9.75335

2.3.7.10.70209

2.3.7.9.75403.10 (Recommended)

2.3.7.7-75902-CSCwn89323.SMU

2.3.7.10.70209

2.3.7.9.75403.10 (Recommended)

2.3.7.9.75335

2.3.7.7-75102-CSCwn84782.SMU

2.3.7.7.75051

2.3.7.7-75102-CSCwn84782.SMU

2.3.7.7.75051

2.3.7.10.70209

2.3.7.9.75403.10 (Recommended)

2.3.7.9.75335

2.3.7.7-75902-CSCwn89323.SMU

2.3.7.6.75360

2.3.7.10.70209

2.3.7.9.75403.10 (Recommended)

2.3.7.9.75335

2.3.7.7-75902-CSCwn89323.SMU

2.3.7.7.75051

2.3.7.5.75367

2.3.7.4.75326