Prerequisites

Prerequisites for upgrading

You must complete the system updates before you can perform package updates. Do not download or install any package updates until all system updates have been installed.


Important

In a multihop upgrade, you must confirm that the applications have been updated successfully before you begin the next system update. If you skip to the next system update without first updating the applications, you will have to reimage your Cisco Catalyst Center appliance.

Note the following points:

  • You cannot upgrade the packages individually. You must follow all of the steps that are described in this guide.

  • Before you upgrade, make sure that the cluster link interface is connected to a switch port and is in the up state. To confirm that the interface is up, complete these steps:

    1. In an SSH client, log in to Catalyst Center on your appliance.

    2. Run the ifconfig interface-name command, using the appropriate interface name for your appliance:

      Interface name Catalyst Center appliance

      enp94s0f1

      Medium second-generation appliance: Cisco part number DN2-HW-APL

      Medium third-generation appliance: Cisco part number DN3-HW-APL

      Large second-generation appliance: Cisco part number DN2-HW-APL-L

      Large third-generation appliance: Cisco part number DN3-HW-APL-L

      enp69s0f1

      Extra large second-generation appliance: Cisco part number DN2-HW-APL-XL

      Extra large third-generation appliance: Cisco part number DN3-HW-APL-XL

    3. In the resulting output, check the last line and verify that data has been received and transmitted. Nonzero values indicate that the interface is up and operational.

Review the following list of prerequisites before upgrading your installed instance of Catalyst Center:

  • Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see the Cisco Catalyst Center Administrator Guide.

  • Create a backup of your Catalyst Center database. For more information, see the Cisco Catalyst Center Administrator Guide.

  • If you have a firewall, allow Catalyst Center to access the following URLs on each node in your cluster for all system and package downloads:

    To ensure that you have cloud connectivity to AWS, log in to the cluster and enter the following CLI command: maglev catalog settings validate. For more information, see the Internet Connectivity Traffic table in the Cisco Catalyst Center Appliance Installation Guide.

  • While the Catalyst Center GUI is compatible with the following HTTPS-enabled browsers, we recommend that you use Chrome, not Firefox, during the upgrade:

    • Google Chrome: Version 93 or later (recommended for upgrade)

    • Mozilla Firefox: Version 92 or later (not recommended for upgrade)

  • Have the username and password for a cisco.com user account available during the upgrade. You might be prompted, once, for the account credentials during package installations. This can be any valid cisco.com user account.

  • Allocate enough time for the upgrade process. Upgrading can take longer than 6 hours to complete.

  • We strongly recommend that you do not use Catalyst Center or any of its applications or tools while the upgrade is in process.

  • Confirm that the minimum disk requirements are met:

    • The / partition has at least 2 GB of free space.

    • The /data partition has at least 35 GB of free space and is not more than 70% full.

    If you receive a storage validations failed error, contact the Cisco TAC.

  • If the Catalyst Center download, update, or install procedures fail for any reason, always retry the procedure a second time using the GUI.

  • If your environment uses Catalyst Center's disaster recovery implementation, see the "Implement Disaster Recovery" chapter in the Cisco Catalyst Center Administrator Guide for upgrade information specific to a disaster recovery setup.

  • Before you upgrade your disaster recovery system or update your Cisco IMC firmware, first place your system on pause. For more information, see the "Pause Your Disaster Recovery System" section in the Cisco Catalyst Center Administrator Guide.

In a three-node cluster, you can trigger an upgrade of the entire cluster from the Catalyst Center GUI (the GUI represents the entire cluster and not just a single host). An upgrade triggered from the GUI automatically upgrades all hosts in the cluster.


Note

To upgrade a three-node cluster, Service Distribution (or high availability) must be enabled.

Factors that affect the upgrade

Download times for upgrade

The download time for the Catalyst Center software upgrade, which is approximately 40 GB in size, depends significantly on your internet connection's bandwidth. The following table provides estimates of the expected download times based on various common bandwidth speeds.

These estimates are based on ideal conditions. Factors such as network congestion and connection stability can affect actual download times.

Bandwidth

Estimated download time

25 Mbps

3 hours, 38 minutes

50 Mbps

1 hour, 49 minutes

100 Mbps

54 minutes

200 Mbps

27 minutes

Connection throttling

During the software upgrade process, many objects are downloaded. If a web security appliance is in place that limits connections based on various criteria, such as the total amount of data transferred within a specific period or the number of concurrent connections, this throttling can interrupt the download process, potentially leading to failure. To ensure a smooth software upgrade, we recommend that you configure exceptions for Catalyst Center traffic to prevent it from being throttled.

Proxy/firewall

The proxy or firewall must allow the software management URLs that are listed in "Required Internet URLs and Fully Qualified Domain Names" in the Cisco Catalyst Center Appliance Installation Guide.

TLS intercept proxy

The TLS intercept proxy will disrupt the software download activity initiated by Catalyst Center if the TLS intercept proxy's certificate is not installed on Catalyst Center. To add the TLS intercept proxy certificate, see "Upload an SSL Intercept Proxy Certificate" in the Cisco Catalyst Center Administrator Guide.

Antimalware

The Catalyst Center software management system retrieves files from Cisco's connected catalog server and retrieves Docker images from a remote Docker registry. To prevent interruptions and failures in the software download process, the following compressed file formats must be excluded from antimalware scans.

Application package data

Files

content-type

content-encoding

Notes

tar.gz

application/x-compressed

gzip

Commonly used for compressed archives. Also seen as application/x-gzip or application/x-compressed.

.json

application/json

None

Text-based format for representing structured data. Typically UTF-8 encoded.

Docker images

Component

File extension

content-type

content-encoding

Docker image layers

.tar.gz

application/gzip

gzip

Docker image manifest

.json

application/json

None

Docker configuration object

.json

application/json

None

YAML configuration

.yaml/yml

text/yaml or application/x-yam

None

Docker image archive

.tar or .tar.gz

application/x-tar or application/gzip

None or gzip

Update the Cisco IMC firmware

To update your Cisco IMC firmware, first see the release notes for the corresponding release of Catalyst Center that you are installing. In the release notes, the “Supported Firmware” section shows the Cisco IMC firmware version for your Catalyst Center release.

Then, see the Cisco Host Upgrade Utility User Guide for instructions on updating the firmware.

In a three-node cluster configuration, we recommend that you shut down all three nodes in the cluster before updating the Cisco IMC firmware. However, you can upgrade the cluster nodes individually if that's what you prefer. See “Typical Cluster Node Operations” in the Cisco Catalyst Center High Availability Guide and follow the steps provided to shut down one or all of the nodes for maintenance.

Password policy

After you have deployed Catalyst Center 2.3.7.9 or later, keep these points regarding password policy in mind:

Fresh Catalyst Center deployments

  • The default password for the maglev user and admin superuser is P@ssword9.

    You are prompted to change the admin superuser's password after you log in to the Catalyst Center GUI for the first time.

  • When you change any user's password, or configure a new user, their password must comply with the new requirements.

Catalyst Center upgrades

  • RBAC users configured in an earlier version of Catalyst Center can continue using their current password to log in to Catalyst Center 2.3.7.9 and later.

    For example, say you upgraded an appliance from version 2.3.7.6 to 2.3.7.9. Then you backed up this appliance's data. And later, you restored its backup file onto another appliance that has Catalyst Center 2.3.7.9 installed. Existing RBAC users will be able to log in using their current password.

  • When you change any user's password, or configure a new RBAC user, their password must comply with the new requirements.

See Password requirements for a description of the criteria that newly created user passwords must meet.

Password requirements

Any user password you configure in Catalyst Center 2.3.7.9 or later must meet these requirements:

  • It is at least nine characters in length.

  • It contains characters from at least three of these categories:

    • Uppercase letters (A–Z)

    • Lowercase letters (a–z)

    • Numbers (0 through 9)

    • Special characters (such as !, $, and #)

  • It doesn't use more than four consecutive characters on an English QWERTY keyboard.

    For example, 59Asdfpj! is not a valid password because it contains the characters a, s, d, and f in succession.

  • It doesn't contain two or more consecutive characters from the associated username.

  • It doesn't contain a complete word found in any language or a phrase that's based on personal information.


Note

You can reuse a previous password only after 24 different passwords have been used.

Supported upgrade paths for hot fixes

The Catalyst Center version that's displayed for your appliance in the CLI and GUI vary slightly. To determine the back-end version that's currently installed on your appliance (the version listed in the table's first column), run the maglev release status command in an SSH client.

Table 1. Supported Catalyst Center upgrade paths
If your release is… You can upgrade to…

2.3.7.9.70301

2.3.7.9.70301.10 (Recommended)

2.3.7.7.70047.30

2.3.7.9.70301.10 (Recommended)

2.3.7.7-70047-CSCwn89323.SMU

2.3.7.9.70301.10 (Recommended)

2.3.7.9.70301

2.3.7.7-70047-CSCwn83603.SMU

2.3.7.7-70047-CSCwn35006.SMU

2.3.7.7.70047

2.3.7.6-70319-CSCwn08634.SMU

2.3.7.9.70301.10 (Recommended)

2.3.7.9.70301

2.3.7.7.70047 > 2.3.7.7.70047-HF10

2.3.7.6-70319-CSCwm74579.SMU

2.3.7.6-70319-CSCwm79563.SMU

2.3.7.6-70319-CSCwn31915.SMU

2.3.7.6.70319

2.3.7.5.70434

2.3.7.4.70424

2.3.7.3.70332

2.3.7.0.70488

2.3.6.0.70351

2.3.6.0.70349

2.3.5.6-70143-CSCwn29942.SMU

2.3.5.6.70143-HF40

2.3.5.6.70143-HF30

2.3.5.6.70143-HF20

2.3.5.6.70143-HF10

2.3.5.6-70143-CSCwm60252.SMU

2.3.5.6.70143

2.3.5.5.70026-HF90

2.3.7.9.70301.10 (Recommended)

2.3.7.9.70301

2.3.7.7.70047 > 2.3.7.7.70047-HF10

2.3.7.6.70319

2.3.5.5.70026-HF80

2.3.5.5.70026-HF72

2.3.5.5.70026-HF70

2.3.5.5.70026-HF61

2.3.5.5.70026-HF60

2.3.5.5.70026-HF53

2.3.5.5.70026-HF52

2.3.5.5.70026-HF51

2.3.5.5.70026-HF50

2.3.5.5.70026-HF40

2.3.5.5.70026-HF30

2.3.5.5.70026-HF20

2.3.5.5.70026-HF16

2.3.5.5.70026-HF15

2.3.5.5.70026-HF14

2.3.5.5.70026-HF13

2.3.5.5.70026-HF12

2.3.5.5.70026-HF11

2.3.5.5.70026-HF10

2.3.5.5.70026-HF2

2.3.5.5.70026-HF1

2.3.5.5.70026

2.3.5.4.70852-HF40

2.3.7.9.70301.10 (Recommended)

2.3.7.9.70301

2.3.7.7.70047 > 2.3.7.7.70047-HF10

2.3.5.6.70143 > 2.3.5.6.70143-HF1

2.3.5.4.70852-HF20

2.3.5.4.70852-HF5

2.3.5.4.70852-HF4

2.3.5.4.70852-HF3

2.3.5.4.70852-HF2

2.3.5.4.70852

2.3.5.3.70194-HF20

2.3.5.3.70194-HF5

2.3.5.3.70194-HF4

2.3.5.3.70194-HF3

2.3.5.3.70194-HF2

2.3.5.3.70194-HF1

2.3.5.3.70194

2.3.5.0.70586

2.3.3.7.72328-HF6

2.3.7.7.70047 -> 2.3.7.7.70047-HF10 (Recommended)

2.3.5.6.70143 > 2.3.5.6.70143-HF1

2.3.5.5.70026

2.3.3.7.72328-HF5

2.3.3.7.72328-HF4

2.3.3.7.72328-HF3

2.3.3.7.72328-HF2

2.3.3.7.72328-HF1

2.3.3.7.72328

2.3.3.7.72323

2.3.3.6.70045-HF2

2.3.3.6.70045-HF1

2.3.3.6.70045

2.3.3.5.70134-HF5

2.3.3.5.70134-HF4

2.3.3.5.70134-HF2

2.3.3.5.70134-HF1

2.3.3.5.70134

2.3.3.4.72142-HF2

2.3.3.4.72142

2.3.3.3.72139

2.3.3.0.70399
Table 2. Supported Catalyst Center on ESXi upgrade paths
If your release is… You can upgrade to…

2.3.7.9.75335

2.3.7.9.75403.10 (Recommended)

2.3.7.7-75902-CSCwn89323.SMU

2.3.7.9.75403.10 (Recommended)

2.3.7.9.75335

2.3.7.7-75102-CSCwn84782.SMU

2.3.7.7.75051

2.3.7.7-75102-CSCwn84782.SMU

2.3.7.7.75051

2.3.7.9.75403.10 (Recommended)

2.3.7.9.75335

2.3.7.7-75902-CSCwn89323.SMU

2.3.7.6.75360

2.3.7.9.75403.10 (Recommended)

2.3.7.9.75335

2.3.7.7-75902-CSCwn89323.SMU

2.3.7.7.75051

2.3.7.5.75367

2.3.7.4.75326