Upgrading or Downgrading with APIC Release 6.2 or Later Using the GUI


Note

Ensure that you check and follow these guidelines:

Note

Beginning with Cisco APIC release 6.2(1), policy-based downgrade is not supported when you select the 6.2(1) image as the target firmware.

Accessing the Dashboard

You can access the dashboard, which shows you the firmware status of the APIC nodes and switches in your fabric, by navigating to Admin > Firmware > Dashboard.

The dashboard also shows the usage of firmware repository on each APICs.

Download APIC, APIC CIMC, Switch and additional rules for pre-upgrade validation on APICs

This procedure downloads images to the Cisco APIC firmware repository from an external file server or your local machine. The supported image types are listed below:

  • Cisco APIC firmware image

  • Cisco ACI swtich firmware image

  • Cisco CIMC HUU image for APIC CIMC

  • External additional rules for pre-upgrade validations

If you are downgrading the software on the Cisco APICs, the process is identical to the process for upgrading the software, except that the target release that you choose will be earlier than the currently installed release. The text for dialogs, fields, buttons, and other controls in the Cisco APIC GUI specify "upgrade" even though you are downgrading the software.


Note

In the Cisco APIC release 6.0(2) and later, download both the 32-bit and 64-bit Cisco ACI-mode switch images to the Cisco APIC. Downloading only one of the images may result in errors during the upgrade process. For more information, see Guidelines and limitations for upgrading or downgrading.

In the Cisco ACI-mode switch 16.x releases, the 64-bit switch software has the same image name as the 32-bit software when installed on the switch. To verify which version is running on the switch, use the md5sum command against the image file on switch. Compare this md5sum hash to the switch image contained in the /firmware/fwrepos/fwrepo directory of the Cisco APIC. On subsequent upgrades, the 64-bit and 32-bit image names are differentiated on the switch.

Procedure

Step 1

Download the desired target version from the Cisco Software Download site (for example, 5.2(1g) release) to your file server or local machine.

Step 2

On the menu bar, choose Admin > Firmware.

The Dashboard window appears, which provides general information one the controllers and the leaf and spine switches (nodes).

Step 3

Click Images in the left navigation bar.

The Image window appears, which shows the images that you downloaded previously.

Step 4

Click the Actions icon and select Add Firmware from the drop-down menu.

The Add Firmware Image popup window appears.

Step 5

Determine if you want to import the firmware image from a local or a remote location.

  • If you want to import the firmware image from your computer, in the Location field, click the Local radio button. Click the Choose File button, then navigate to the folder on your local system with the firmware image that you want to import. Go to Step 6.

  • If you want to import the firmware image from a remote location, click either Secure copy or HTTP, depending on the method that you want to use to import the firmware image from the remote location:

    • If you selected the Secure copy radio button, enter the Secure Copy Protocol (SCP) source that you want to use to download the software image:

      1. In the URL field, enter the URL from where the image will be downloaded.

        The format for the SCP source is:

        <SCP server IP or FQDN>:/<path>/<filename>

        An example URL is 10.1.2.3:/path/to/the/image/aci-apic-dk9.6.2.1a.iso.

      2. In the Username field, enter your username for secure copy.

      3. In the Authentication Type field, select the type of authentication for the download. The type can be:

        • Password

        • Ssh Public Private Files

        The default is Password.

        • If you selected Password, in the Password field, enter your password for secure copy.

        • If you selected Ssh Public Private Files, enter the following information:

          • Ssh Key Contents: The SSH private key content.

          • Ssh Key Passphrase: The SSH key passphrase that is used for generating the SSH private key.

            Note

             

            Based on the provided SSH private key, the Cisco APIC internally creates a temporary SSH public key just for this transaction to establish a connection with the remote server. You must ensure that the remote server has the corresponding public key as one of the "authorized_keys". After the authentication check is performed, the temporary public key on the Cisco APIC is deleted.

            You can generate an SSH private key (~/.ssh/id_rsa) and a corresponding SSH public key (~/.ssh/id_rsa.pub) on one of the Cisco APICs by entering the following: 

            ssh-keygen -t rsa -b 2048 -C "<username>@<apic_name>"

            Or you can generate them on another machine. For either method, you need to provide the generated private key for each download configuration.

    • If you selected the HTTP radio button, enter the http source that you want to use to download the software image.

      The format for the HTTP source is:

      <HTTP server IP or FQDN>:/<path>/<filename>

      An example URL is 10.1.2.3:/path/to/the/image/aci-apic-dk9.6.2.1a.iso.

Step 6

Click Submit.

The Cisco APICs begins downloading the specified firmware images from the configured source. The download progress is shown in the Download Status column

Upgrade or Downgrade the Cisco APIC CIMC From Releases 6.2 or later

Starting with Cisco ACI release 6.2(1), the system includes an integrated, orchestrated CIMC upgrade workflow. This feature allows you to upgrade CIMCs of APICs in a cluster directly from the APIC user interface.

Prior to upgrading the Cisco APIC software in your Cisco ACI fabric, you may also need to update the CIMC version running on your fabric. To ensure compatibility, review the Cisco APIC Release Notes for a list of supported CIMC software versions for each release. The Cisco APIC Release Notes can be found on the APIC documentation page.

Before you begin

Ensure that you check and follow these guidelines:


Note
CIMC upgrades through APIC are supported only with specific CIMC HUU versions listed in the catalog object compatRsSuppHw. For example, when your APIC model is APIC-G5 (apicg5) and the APIC version is 6.2(1), the only CIMC HUU version supported by the APIC CIMC upgrade workflow is C225M8 6.0(1.250131). An example output of the catalog object is listed below. The APIC release notes may list additional supported CIMC HUU versions. If you need to use one of these other versions, you must upgrade CIMC through the CIMC user interface. 
```
admin@apic1:~> moquery -d 'uni/fabric/compcat-default/ctlrfw-apic-6.2(1)/rssuppHw-[uni/fabric/compcat-default/ctlrhw-apicg5]' | egrep '#|cimc|dn'
# compat.RsSuppHw
cimcFamily   : C225M8
cimcVersion  : 6.0(1.250131)
dn           : uni/fabric/compcat-default/ctlrfw-apic-6.2(1)/rssuppHw-[uni/fabric/compcat-default/ctlrhw-apicg5]
```

Procedure

Step 1

Go to the Admin > Firmware section in the APIC user interface.

Step 2

Select Controllers from the navigation pane.

The Controller & CIMC upgrade tab is pre-selected, which allows you to upgrade components based on your selection.

Step 3

In the Upgrade Component area, choose CIMC.

Step 4

Your APIC nodes show up in the table below along with the current CIMC version and its Status. When the corresponding CIMC version is available in the APIC's firmware repository, the Status column shows Upgrade Available. Click Validate for each APIC with the Upgrade Available status. The Validate CIMC firmware slider appears.

In the Validate CIMC firmware slider, provide the CIMC Username, Password and IP address along with the target CIMC HUU image version, then click Validate.

This will validate whether the APIC has access to the CIMC to perform the CIMC upgrade with the provided image.

Step 5

Once all APIC nodes show Validated in the Status column, click Next.

If some of your APIC nodes are already running the compatible CIMC version, the Status column shows Upgraded and you do not need to validate it to click Next.

Step 6

The Step 2 - Validation Results view appears. Wait for the pre-upgrade validations to complete.

Make sure that all validations are passed. If there is a validation that failed with severity Catastrophic, you must fix it to proceed to the next step

Step 7

The Step 3 - Summary view appears. Review your selections then click Submit to start the CIMC upgrade.

Step 8

The Progress view appears. Monitor it and wait until it shows Completed for all steps.

Upgrade or downgrade Cisco APIC from release 6.2 or later

Starting with Cisco ACI release 6.2(1), the APIC upgrade process has been enhanced with a streamlined and orchestrated processing compared to the previous upgrade process with each APIC node upgrading semi-individually without a central orchestration point. Optimized APIC reboot process enables faster upgrade experience.


Note

Downgrading Cisco APICs from Cisco APIC 6.2 or newer releases to a release older than 6.2(1) is not supported. See Checklists for Downgrade for details.

The pre-upgrade validation step was also enhanced with the additional rules that can be imported separately, which always provides the latest and greatest rule sets.

In the new process, APIC 1 acts as the central orchestration point of the entire cluster for the upgrade. For this reason, to perform the APIC cluster upgrade, you must be on the APIC1's user interface.

See ACI Upgrade or Downgrade Architecture section for the details of the upgrade processes behind the scenes.

External Validation Rules

Prior to ACI release 6.2(1), it was recommended for users to manually download and run the python script from ACI Pre-Upgrade Validation Script. This script should be used in addition to, and separately from, the built-in validations performed during the upgrade workflow in the APIC GUI

Starting with ACI release 6.2(1), the upgrade workflow in the APIC GUI can load the additional external rules equivalent to ACI Pre-Upgrade Validation Script and run them along with the built-in rules.

There are two options to load the external rules.

  • Manually download the rule bundle image (a tar ball file) from cisco.com and upload it by following the instructions in Download APIC, APIC CIMC, Switch and additional rules for pre-upgrade validation on APICs section. APIC looks for the image during the upgrade workflow.

  • Integrate and fetch the script directly from Intersight.

    During the upgrade workflow, APIC automatically tries to download the rule bundle image (a tar ball file) from Cisco Intersight if the APIC is claimed by Cisco Intersight and has IP reachability. See Cisco APIC and Intersight Device Connector for details about the connectivity to Cisco Intersight.

    You must have the external rule bundle image from either option to proceed with the actual upgrade.

During the pre-upgrade validation step in the APIC upgrade workflow, APIC always attempts to use the Cisco Intersight option first. If it can download the external rules, it compares the version to any other external rules in its local firmware repository and uses the latest version. Using Cisco Intersight is highly recommended, as it ensures your APIC always has the most up-to-date rules without requiring you to manually check cisco.com.

Before you begin

Ensure that you check and follow these guidelines:

Procedure

Step 1

Go to the Admin > Firmware section in the APIC user interface.

Step 2

Select Controllers from the navigation pane.

The Controller & CIMC upgrade tab is pre-selected, which allows you to upgrade components based on your selection.

Step 3

In the Upgrade Component area, choose either Controller.

Step 4

To upgrade or downgrade the main firmware, select Regular Upgrade, choose the desired firmware image from the Firmware Image drop-down.

Step 5

The Step 2 - Validation view appears.

APIC runs the built-in pre-upgrade validations along with the external validation rules. Make sure that all validations are passed or make sure that appropriate actions were performed for the failed validations. If there is a validation that failed with severity Catastrophic, you must fix it to proceed to the next step.

As mentioned in the External Validation Rules section, APIC can get the external rules either from Cisco Intersight or from its local firmware repository.

Note

 

APICs must have external rules from either Cisco Intersight or local firmware repository to proceed with the next step.

Step 6

Once you have addressed all failed validations in Step 2 - Validation, click Next.

Step 7

In the Step 3 - Upgrade view, review your selections then click Submit.

Step 8

Monitor the controller and cluster upgrade/downgrade status.

  • Controllers upgrade or downgrade one at a time to maintain cluster availability.

  • While APIC1 is rebooting, you are navigated to the monitoring view on APIC2. Except for this particular period, you must be always on APIC1 to monitor the progress.

    There are three types of progress bars:

    • Upgrade - The entire upgrade progress

    • Cluster Wide - Steps and progress for the cluster level operation

    • Node X - Steps and progress for the individual APIC node

    You can expand Cluster Wide and Node progress to see the details.

  • Wait for all controllers to complete and report Fully Fit status.

Step 9

To view the upgrade details for the previous upgrades, select the History tab.

  1. Select the Upgrade instance from the drop-down and select a previous upgrade for the Controller. You can view the previous upgrade details such as the Upgrade Type, From Version, To Version, Start Time, Updated Time and so on for the Controller.

    You can also see the number of stages/steps of node-level and cluster wide for the previous upgrade. Click on the number to see the details of each stage and their start and update (end) time.

    Note

     

    You can view the history only for the upgrade or downgrade from Cisco ACI 6.2(1) release and later releases.

All controllers in the cluster are upgraded or downgraded to the target firmware version. The APIC cluster becomes fully fit and operational on the new release.

What to do next

After completion, verify cluster health and review upgrade logs or audit trails for any additional actions or validations.

Upgrade or Downgrade the Leaf and Spine Switches through APIC running release 6.2x or later

Pre-Download Images to the Leaf and Spine Switches

This procedure describes how to download switch images to leaf and spine switches from APIC’s firmware repository at your own timing without starting the actual upgrade (i.e. software installation) or downgrade. This is called pre-download.

During this operation, switches will remain up and no reboot will be performed.


Note

When you upgrade a switch from one release to the next release, the fault code F1821 is displayed as the bootflash memory increases. Ignore this fault as it is auto cleared after the switch upgrade.

If you are downgrading the software on the Cisco APICs, the process is identical to the process for upgrading the software, except that the target release that you choose will be earlier than the currently installed release. The text for dialogs, fields, buttons, and other controls in the Cisco APIC GUI specify “upgrade” even though you are downgrading the software.

Before you begin

Ensure that you check and follow these guidelines:

Procedure

Step 1

On the menu bar, choose Admin > Firmware.

The Dashboard window appears, which provides general information one the controllers and the leaf and spine switches (nodes).

Step 2

In the left navigation window, click Switches.

The Switches window appears, which provides firmware information for the upgrade groups of leaf and spine switches.

Step 3

Click the Actions icon and select Create Update Group from the scroll down menu.

Step 4

In the Setup Switch Update Group window appears, enter a name for the Upgrade Group Name.

Step 5

In the Switch Selection step, click the Add Switches button, then select the switches that need to be upgraded / downgraded and then click OK, then click Next.

Step 6

In the Version Selection step, select an Update Type, then in the Select Firmware section select an image that you want to upgrade/downgrade.

Step 7

(Optional) If you need any of the advanced options listed below, click Advanced Settings to bring up the Advanced Settings window.

Note that typically there is no need to set these advanced options. We recommend that you disable the options or use the default values.

In the Advanced Settings window, perform any of the following actions if needed:

  • In the Compatibility Check field, leave the setting in the default Enforced setting, unless you are specifically told to disable the compatibility check feature.

    Note

     

    A compatibility check verifies if an upgrade path from the currently running version of the system to a specific newer version is supported or not based on catalog that is embedded in Cisco APIC image. If you choose to disable the compatibility check feature by entering a check mark in the box next to the Compatibility Check field, you run the risk of making an unsupported upgrade to your system, which could result in your system going to an unavailable state.

  • Graceful Upgrade (Graceful Check)

    Enable this option to perform a Graceful Upgrade when the firmware installation is triggered. By default, this setting is Unenforced.

    See Graceful Upgrade or Downgrade of ACI Switches for details and make sure to follow the guidelines when enabling this option. Otherwise, your upgrade may fail.

  • In the Run Mode field, choose the run mode to proceed automatically to the next set of nodes after the set of nodes has gone through the maintenance process successfully.

    The options are:

    • Pause Upon Upgrade Failure: The update group does not approve further switch upgrades if there is an upgrade failure in one of the switches, or if the APIC cluster status becomes not Fully Fit, which may happen (for example, when all APIC-connected leaf switches are upgraded at the same time, which is not recommended in Guidelines for ACI switch upgrades and downgrades).

    • Do not pause on failure and do not wait on cluster health: The update group does not stop switch upgrades of the entire group just because one of the switches had an upgrade failure or a temporary APIC cluster issue.

    We recommend that you choose Do not pause on failure and do not wait on cluster health because it is recommended to group switches that should be upgraded at the same time in one update group instead of letting each update group to dynamically decide which set of switches within the same group to be upgraded (for instance, with the concurrent capacity setting). When following such best practices, Pause Upon Upgrade Failure does not provide much value.

Click Done when you have finished performing any of the actions in the Advanced Settings window. You are then returned to the main Firmware page.

Step 8

When you have verified that everything in the Version Selection step is correct, click Next.

The Validation step appears.

Step 9

Review the information provided in the Validation step.

Any faults or issues that might affect your upgrade are displayed in this page. We recommend that you address any faults or issues that you see displayed before proceeding with the upgrade.

See the Pre-Upgrade/Downgrade Checklists for details.

After you have addressed the faults or issues raised in the Validation step, click Next to go to the Confirmation step.

Step 10

In the Confirmation step, verify that the information is correct, then click Begin Download.

The system begins downloading the software to all of the nodes that you selected in the previous screen, and displays the download status for each node.

Note

 

If you are upgrading nodes in different upgrade groups from a pre-5.1x release using the instructions provided in Upgrading or Downgrading the Leaf and Spine Switches Through a Cisco APIC Running Releases 4.x or 5.0 and you made the following selections previously:

  • Now in the Upgrade Start Time field

  • unlimited in the Maximum Running Time field

Then you might see the following behavior:

  • First upgrade group: When you click on Begin Download in these procedures, the software begins the image download and then automatically installs the software on the nodes in the first upgrade group after the image download is complete. This is unexpected behavior.

  • Second upgrade group: When you click on Begin Download in these procedures, the software begins the image download but does not automatically install the software on the nodes in the second upgrade group after the image download is complete. This is expected behavior - you will install the software using the information in Installing Images to the Leaf and Spine Switches in these procedures.

While the behavior for the first upgrade group is unexpected, it is not harmful. Be aware that the nodes in the first upgrade group will reboot as part of the software installation process that happens automatically in this scenario.

Step 11

Verify that the download was completed successfully for all of the nodes that you want to upgrade in the group.

If any nodes are shown as Failed in the Status column, you have several options:

  • Click Retry All at the bottom of the page to retry the download for all the nodes in the upgrade group.

  • Click Cancel All at the bottom of the page to cancel the downloads for the nodes in the upgrade group.

  • If you want to manually remove the failed nodes from this upgrade group so that you can move forward with the upgrade for the nodes that were successful in the download phase, click the pencil icon next to any node that you want to manually remove from this upgrade group and click Remove.

See Common Reasons for Download Failure for troubleshooting.

When you see the status of Download Complete for all the nodes in your group, you will see Ready to Install at the top of the screen.

Installing Images to the Leaf and Spine Switches

After the pre-download on all switches is done and their upgrade status show Ready to Install, you can perform the procedure to trigger the upgrade, which will install the firmware and reboot the switches.

Typically, you would perform a pre-download hours or days before this procedure. Make sure that you did not violate any validations since the pre-upgrade validations were performed at the time of pre-download. If you want to perform pre-upgrade validations again at this point, use the Script because the APIC built-in pre-upgrade validator will result in the re-downloading of the switch image.

Before you begin

Ensure that you check and follow these guidelines:

You must first finish the pre-download procedures in Pre-Download Images to the Leaf and Spine Switches.

Procedure

Step 1

When you have a maintenance window where you are able to have the nodes reboot as part of the upgrade process, click Actions, then Begin Install to begin the software installation.

You can monitor the progress of the upgrade for the nodes in the upgrade group in the Node Firmware Update window. You can also close this window and click Nodes in the left navigation window to check the overall status of the upgrade group in the Status column in the table.

Step 2

When all of the nodes are shown with a status of Completed, click Done and proceed with the next update group.