Upgrade or downgrade with APIC release 6.2 or later using the GUI


Note


Ensure that you check and follow these guidelines:



Note


Beginning with Cisco APIC release 6.2(1), policy-based downgrade is not supported when you select pre 6.2(1) image as the target firmware.


Access the dashboard

The dashboard shows you the firmware status of the APIC nodes and switches in your fabric. The dashboard also shows the usage of the firmware repository on each APIC.

Procedure


Navigate to Admin > Firmware > Dashboard.


Download APIC, APIC CIMC, switch and additional rules for pre-upgrade validation on APICs

This procedure downloads images to the Cisco APIC firmware repository from an external file server or your local machine. The supported image types are listed below:

  • Cisco APIC firmware image

  • Cisco ACI switch firmware image

  • Cisco CIMC HUU image for APIC CIMC

  • External additional rules for pre-upgrade validations

If you are downgrading the software on the Cisco APICs, the process is identical to the process for upgrading the software, except that the target release that you choose will be earlier than the currently installed release. The text for dialogs, fields, buttons, and other controls in the Cisco APIC GUI specifies "upgrade" even though you are downgrading the software.


Note


In the Cisco APIC release 6.0(2) and later, download both the 32-bit and 64-bit Cisco ACI-mode switch images to the Cisco APIC. Downloading only one of the images may result in errors during the upgrade process. For more information, see Guidelines and limitations for upgrading or downgrading.

In the Cisco ACI-mode switch 16.x releases, the 64-bit switch software has the same image name as the 32-bit software when installed on the switch. To verify which version is running on the switch, use the md5sum command against the image file on the switch. Compare this md5sum hash to that of the switch image contained in the /firmware/fwrepos/fwrepo directory of the Cisco APIC. On subsequent upgrades, the 64-bit and 32-bit image names are differentiated on the switch.
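
The comparison described in this note can be scripted. The following is an added example, not Cisco code: given the digest that md5sum reported on the switch, it reports which file in the APIC repository directory has the same digest. The function names and the stand-in file names in the demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Cisco code. Function and file names are hypothetical.
# MD5 is used here only to tell two known images apart, as the note describes.

# match_repo_image <md5-from-switch> <repo-dir>
# Prints the name of each file in <repo-dir> whose MD5 equals the digest.
# Returns 0 for exactly one match, 1 for none, 2 for bad input or several.
match_repo_image() {
    local want dir f sum matches
    # md5sum prints lowercase hex; normalise a pasted digest to match.
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ' \t\r\n')
    dir=$2
    matches=0
    case "$want" in
        ''|*[!0-9a-f]*) echo "invalid MD5 digest" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 32 ] || { echo "invalid MD5 digest" >&2; return 2; }
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Reading from stdin keeps the file name out of the md5sum output.
        sum=$(md5sum < "$f" | cut -d' ' -f1)
        if [ "$sum" = "$want" ]; then
            printf '%s\n' "${f##*/}"
            matches=$((matches + 1))
        fi
    done
    [ "$matches" -eq 1 ] && return 0
    [ "$matches" -eq 0 ] && return 1
    return 2
}

# Constructed demo: two stand-in files play the 32-bit and 64-bit images.
demo_match() {
    local dir digest rc
    dir=$(mktemp -d) || return 2
    printf 'constructed 32-bit image bytes\n' > "$dir/example-switch-32.bin"
    printf 'constructed 64-bit image bytes\n' > "$dir/example-switch-64.bin"
    # Stands in for the digest that md5sum reported on the switch.
    digest=$(md5sum < "$dir/example-switch-64.bin" | cut -d' ' -f1)
    rc=0
    match_repo_image "$digest" "$dir" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo_match
# On the APIC: match_repo_image <digest-from-switch> /firmware/fwrepos/fwrepo
```

A return code of 1 means that no image in the directory has the digest taken from the switch.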


Follow these steps to download APIC, APIC CIMC, switch and additional rules for pre-upgrade validation on APICs:

Procedure


Step 1

Download the desired target version from the Cisco Software Download site (for example, 5.2(1g) release) to your file server or local machine.

Step 2

On the menu bar, choose Admin > Firmware.

The Dashboard window appears, which provides general information on the controllers and the leaf and spine switches (nodes).

Step 3

Click Images in the left navigation bar.

The Image window appears, which shows the images that you downloaded previously.

Step 4

Click the Actions icon and select Add Firmware from the drop-down menu.

The Add Firmware Image popup window appears.

Step 5

Determine if you want to import the firmware image from a local or a remote location.

  • If you want to import the firmware image from your computer, in the Location field, click the Local radio button. Click the Choose File button, then navigate to the folder on your local system with the firmware image that you want to import. Go to Step 6.

  • If you want to import the firmware image from a remote location, click either Secure copy or HTTP, depending on the method that you want to use to import the firmware image from the remote location:

    • If you selected the Secure copy radio button, enter the Secure Copy Protocol (SCP) source that you want to use to download the software image:

      1. In the URL field, enter the URL from where the image will be downloaded.

        The format for the SCP source is:

        <SCP server IP or FQDN>:/<path>/<filename>

        An example URL is 10.1.2.3:/path/to/the/image/aci-apic-dk9.6.2.1a.iso.

      2. In the Username field, enter your username for secure copy.

      3. In the Authentication Type field, select the type of authentication for the download. The type can be:

        • Password

        • Ssh Public Private Files

        The default is Password.

        • If you selected Password, in the Password field, enter your password for secure copy.

        • If you selected Ssh Public Private Files, enter the following information:

          • Ssh Key Contents: The SSH private key content.

          • Ssh Key Passphrase: The SSH key passphrase that is used for generating the SSH private key.

            Note

             

            Based on the provided SSH private key, the Cisco APIC internally creates a temporary SSH public key just for this transaction to establish a connection with the remote server. You must ensure that the remote server has the corresponding public key as one of the "authorized_keys". After the authentication check is performed, the temporary public key on the Cisco APIC is deleted.

            You can generate an SSH private key (~/.ssh/id_rsa) and a corresponding SSH public key (~/.ssh/id_rsa.pub) on one of the Cisco APICs by entering the following:

            ssh-keygen -t rsa -b 2048 -C "<username>@<apic_name>"

            Or you can generate them on another machine. For either method, you need to provide the generated private key for each download configuration.

    • If you selected the HTTP radio button, enter the HTTP source that you want to use to download the software image.

      The format for the HTTP source is:

      <HTTP server IP or FQDN>:/<path>/<filename>

      An example URL is 10.1.2.3:/path/to/the/image/aci-apic-dk9.6.2.1a.iso.

Step 6

Click Submit.

The Cisco APICs begin downloading the specified firmware images from the configured source. The download progress is shown in the Download Status column.


Upgrade or downgrade the Cisco APIC CIMC from releases 6.2 or later

Use this procedure to upgrade or downgrade the Cisco APIC CIMC from releases 6.2 or later using the APIC user interface workflow.

Starting with Cisco ACI release 6.2(1), the system includes an integrated, orchestrated CIMC upgrade workflow. This feature allows you to upgrade CIMCs of APICs in a cluster directly from the APIC user interface.

Prior to upgrading the Cisco APIC software in your Cisco ACI fabric, you may also need to update the CIMC version running on your fabric. To ensure compatibility, review the Cisco APIC Release Notes for a list of supported CIMC software versions for each release. The Cisco APIC Release Notes can be found on the APIC documentation page.

Before you begin

Ensure that you check and follow these guidelines:


Note


CIMC upgrades through APIC are supported only with specific CIMC HUU versions listed in the catalog object compatRsSuppHw. For example, when your APIC model is APIC-G5 (apicg5) and the APIC version is 6.2(1), the only CIMC HUU version supported by the APIC CIMC upgrade workflow is C225M8 6.0(1.250131). An example output of the catalog object is listed below. The APIC release notes may list additional supported CIMC HUU versions. If you need to use one of these other versions, you must upgrade CIMC through the CIMC user interface.

                        admin@apic1:~> moquery -d 'uni/fabric/compcat-default/ctlrfw-apic-6.2(1)/rssuppHw-[uni/fabric/compcat-default/ctlrhw-apicg5]' | egrep '#|cimc|dn'
                        # compat.RsSuppHw
                        cimcFamily   : C225M8
                        cimcVersion  : 6.0(1.250131)
                        dn           : uni/fabric/compcat-default/ctlrfw-apic-6.2(1)/rssuppHw-[uni/fabric/compcat-default/ctlrhw-apicg5]
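
As an added example (not Cisco code), this script parses moquery output in the format shown above and checks whether a given CIMC HUU version is listed for an APIC release and hardware model. The function names are assumptions; the sample input is the output shown above.

```shell
#!/bin/sh
# Added example, not Cisco code. Parses moquery text for compat.RsSuppHw
# objects and checks whether a CIMC HUU version is listed for an APIC
# release and hardware model. Function names are hypothetical.

# Sample input: the output shown on this page.
sample_moquery() {
    cat <<'EOF'
# compat.RsSuppHw
cimcFamily   : C225M8
cimcVersion  : 6.0(1.250131)
dn           : uni/fabric/compcat-default/ctlrfw-apic-6.2(1)/rssuppHw-[uni/fabric/compcat-default/ctlrhw-apicg5]
EOF
}

# Emit one tab-separated line per object read from stdin:
#   <apic-fw> <hw-model> <cimcFamily> <cimcVersion>
list_supported_huu() {
    awk '
        function val(s) { sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        function emit() {
            if (fw != "" && hw != "" && ver != "") print fw, hw, fam, ver
            fw = hw = fam = ver = ""
        }
        BEGIN { OFS = "\t" }
        # A "#" line starts a new object; keep only compat.RsSuppHw objects.
        /^[ \t]*#/ { emit(); keep = ($0 ~ /compat\.RsSuppHw/); next }
        !keep { next }
        /^[ \t]*cimcFamily[ \t]*:/  { fam = val($0) }
        /^[ \t]*cimcVersion[ \t]*:/ { ver = val($0) }
        /^[ \t]*dn[ \t]*:/ {
            d = val($0)
            # dn layout: .../ctlrfw-<fw>/rssuppHw-[.../ctlrhw-<hw>]
            if (match(d, "ctlrfw-[^/]+")) fw = substr(d, RSTART + 7, RLENGTH - 7)
            if (match(d, "ctlrhw-[^]]+")) hw = substr(d, RSTART + 7, RLENGTH - 7)
        }
        END { emit() }
    '
}

# Exit 0 if <cimc-version> ($3) is listed for <apic-fw> ($1) and <hw-model> ($2).
huu_is_supported() {
    list_supported_huu | awk -F '\t' -v fw="$1" -v hw="$2" -v ver="$3" '
        # Appending "" forces string comparison, so "4.30" never equals "4.3".
        ($1 "") == (fw "") && ($2 "") == (hw "") && ($4 "") == (ver "") { found = 1 }
        END { exit !found }
    '
}

if sample_moquery | huu_is_supported 'apic-6.2(1)' apicg5 '6.0(1.250131)'; then
    echo "listed: usable with the APIC CIMC upgrade workflow"
else
    echo "not listed: upgrade CIMC through the CIMC user interface"
fi
```

On an APIC, pipe the moquery command shown above into huu_is_supported in place of sample_moquery.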
                    

Procedure


Step 1

Go to the Admin > Firmware section in the APIC user interface.

Step 2

Select Controllers from the navigation pane.

The Controller & CIMC upgrade tab is pre-selected, which allows you to upgrade components based on your selection.

Step 3

In the Upgrade Component area, choose CIMC.

Step 4

Your APIC nodes show up in the table below along with the current CIMC version and its Status. When the corresponding CIMC version is available in the APIC's firmware repository, the Status column shows Upgrade Available. Click Validate for each APIC with the Upgrade Available status. The Validate CIMC firmware slider appears.

In the Validate CIMC firmware slider, provide the CIMC Username, Password and IP address along with the target CIMC HUU image version, then click Validate.

This validates whether the APIC has access to the CIMC to perform the CIMC upgrade with the provided image.

Step 5

Once all APIC nodes show Validated in the Status column, click Next.

If some of your APIC nodes are already running the compatible CIMC version, the Status column shows Upgraded and you do not need to validate them to click Next.

Step 6

The Step 2 - Validation Results view appears. Wait for the pre-upgrade validations to complete.

Make sure that all validations are passed. If there is a validation that failed with severity Catastrophic, you must fix it to proceed to the next step.

Step 7

The Step 3 - Summary view appears. Review your selections then click Submit to start the CIMC upgrade.

Step 8

The Progress view appears. Monitor it and wait until it shows Completed for all steps.


Upgrade or downgrade Cisco APIC from release 6.2 or later

Starting with Cisco ACI release 6.2(1), the APIC upgrade process is streamlined and orchestrated. In the previous upgrade process, each APIC node upgraded semi-individually without a central orchestration point. An optimized APIC reboot process enables a faster upgrade experience.


Note


Downgrading Cisco APICs from Cisco APIC 6.2 or newer releases to a release older than 6.2(1) is not supported. See Best practice for downgrade checklists and procedures for details.


The pre-upgrade validation step was also enhanced with additional rules that can be imported separately, so that the latest rule sets are always available.

In the new process, APIC 1 acts as the central orchestration point of the entire cluster for the upgrade. For this reason, to perform the APIC cluster upgrade, you must be on the APIC1's user interface.

See the ACI Upgrade or Downgrade Architecture section for details of the upgrade processes behind the scenes.

External Validation Rules

Prior to ACI release 6.2(1), users were advised to manually download and run the Python script from ACI Pre-Upgrade Validation Script. This script should be used in addition to, and separately from, the built-in validations performed during the upgrade workflow in the APIC GUI.

Starting with ACI release 6.2(1), the upgrade workflow in the APIC GUI can load the additional external rules equivalent to ACI Pre-Upgrade Validation Script and run them along with the built-in rules.

There are two options to load the external rules.

  • Manually download the rule bundle image (a tarball file) from cisco.com and upload it by following the instructions in the Download APIC, APIC CIMC, switch and additional rules for pre-upgrade validation on APICs section. APIC looks for the image during the upgrade workflow.

  • Integrate and fetch the script directly from Intersight.

    During the upgrade workflow, APIC automatically tries to download the rule bundle image (a tarball file) from Cisco Intersight if the APIC is claimed by Cisco Intersight and has IP reachability. See Cisco APIC and Intersight Device Connector for details about the connectivity to Cisco Intersight.

    You must have the external rule bundle image from either option to proceed with the actual upgrade.

During the pre-upgrade validation step in the APIC upgrade workflow, APIC always attempts to use the Cisco Intersight option first. If it can download the external rules, it compares the version to any other external rules in its local firmware repository and uses the latest version. Using Cisco Intersight is highly recommended, as it ensures your APIC always has the most up-to-date rules without requiring you to manually check cisco.com.

Before you begin

Ensure that you check and follow these guidelines:

Follow these steps to upgrade or downgrade Cisco APIC from release 6.2 or later:

Procedure


Step 1

Go to the Admin > Firmware section in the APIC user interface.

Step 2

Select Controllers from the navigation pane.

The Controller & CIMC upgrade tab is pre-selected, which allows you to upgrade components based on your selection.

Step 3

In the Upgrade Component area, choose Controller.

Step 4

To upgrade or downgrade the main firmware, select Regular Upgrade, then choose the desired firmware image from the Firmware Image drop-down.

Step 5

The Step 2 - Validation view appears.

APIC runs the built-in pre-upgrade validations along with the external validation rules. Make sure that all validations are passed or make sure that appropriate actions were performed for the failed validations. If there is a validation that failed with severity Catastrophic, you must fix it to proceed to the next step.

As mentioned in the step above, you can select the external validation rules. External validations are additional checks to your cluster and the rules are curated by your organization. External validation must be authored by your organization, and Cisco APIC only runs external rules.

Step 6

Click Next to proceed to the installation.

Step 7

The Step 3 - Installation view appears.

Click Install to start the installation process.

Step 8

You can monitor the upgrade or downgrade status in the Step 4 - Status view.

  1. From the Step 4 - Status view, you can also monitor the upgrade logs.

  2. To view the upgrade history, click the History tab.

    Note

     

    You can view the history only for the upgrade or downgrade from Cisco ACI 6.2(1) release and later releases.


All controllers in the cluster are upgraded or downgraded to the target firmware version. The APIC cluster becomes fully fit and operational on the new release.

What to do next

After completion, verify cluster health and review upgrade logs or audit trails for any additional actions or validations.

Upgrade or downgrade leaf and spine switches through APIC running release 6.2x or later

You can use APIC running release 6.2x or later to manage switch software versions by upgrading or downgrading leaf and spine switches through the APIC controller interface.

  • Supports both upgrade and downgrade operations for leaf and spine switches.

  • Requires APIC running release 6.2x or later.

Pre-download images to the leaf and spine switches

This procedure enables you to download switch images to leaf and spine switches at your own timing without performing the actual software installation. During this operation, switches remain up and no reboot is performed.


Note


When you upgrade a switch from one release to the next release, the fault code F1821 is displayed as the bootflash memory increases. Ignore this fault as it is auto cleared after the switch upgrade.


If you are downgrading the software on the Cisco Application Policy Infrastructure Controllers (APICs), the process is identical to the process for upgrading the software, except that the target release that you choose will be earlier than the currently installed release. The text for dialogs, fields, buttons, and other controls in the Cisco APIC graphical user interface (GUI) specifies "upgrade" even though you are downgrading the software.

Before you begin

Ensure that you check and follow these guidelines:

Follow these steps to pre-download images to the leaf and spine switches:

Procedure


Step 1

On the menu bar, choose Admin > Firmware.

The Dashboard window appears, which provides general information on the controllers and the leaf and spine switches (nodes).

Step 2

In the left navigation window, click Switches.

The Switches window appears, which provides firmware information for the upgrade groups of leaf and spine switches.

Step 3

Click the Actions icon and select Create Update Group from the scroll down menu.

Step 4

In the Setup Switch Update Group window that appears, enter a name for the Upgrade Group Name.

Step 5

In the Switch Selection step, click the Add Switches button, select the switches that need to be upgraded or downgraded, click OK, then click Next.

Step 6

In the Version Selection step, select an Update Type, then in the Select Firmware section select the image that you want to upgrade or downgrade to.

Step 7

(Optional) If you need any of the advanced options listed below, click Advanced Settings to bring up the Advanced Settings window.

Note that typically there is no need to set these advanced options. We recommend that you disable the options or use the default values.

In the Advanced Settings window, perform any of the following actions if needed:

  • In the Compatibility Check field, leave the setting in the default Enforced setting, unless you are specifically told to disable the compatibility check feature.

    Note

     

    A compatibility check verifies whether an upgrade path from the currently running version of the system to a specific newer version is supported, based on the catalog that is embedded in the Cisco APIC image. If you choose to disable the compatibility check feature by entering a check mark in the box next to the Compatibility Check field, you run the risk of making an unsupported upgrade to your system, which could result in your system going to an unavailable state.

  • Graceful Upgrade (Graceful Check)

    Enable this option to perform a Graceful Upgrade when the firmware installation is triggered. By default, this setting is Unenforced.

    See Graceful Upgrade or Downgrade of ACI Switches for details and make sure to follow the guidelines when enabling this option. Otherwise, your upgrade may fail.

  • In the Run Mode field, choose the run mode to proceed automatically to the next set of nodes after the set of nodes has gone through the maintenance process successfully.

    The options are:

    • Pause Upon Upgrade Failure: The update group does not approve further switch upgrades if there is an upgrade failure in one of the switches, or if the APIC cluster status becomes not Fully Fit. This may happen, for example, when all APIC-connected leaf switches are upgraded at the same time, which is not recommended in Guidelines for ACI switch upgrades and downgrades.

    • Pause Upon Install Failure: The update group does not approve further switch upgrades if there is an install failure in one of the switches.

    • Never Pause: The update group approves further switch upgrades even if there are upgrade failures.

Step 8

Click Update.

The download process begins. You can monitor the download progress by viewing the Progress column in the table.

If the download fails for some nodes, you can remove the failed nodes from this upgrade group so that you can move forward with the upgrade for the nodes that were successful in the download phase. Click the pencil icon next to any node that you want to manually remove from this upgrade group, then click Remove.


What to do next

See Common reasons for download failure for troubleshooting.

When you see the status of Download Complete for all the nodes in your group, you will see Ready to Install at the top of the screen.

Install images to the leaf and spine switches

After the pre-download on all switches is done and their upgrade status shows Ready to Install, perform the procedure to trigger the upgrade, which will install the firmware and reboot the switches.

Typically, you would perform a pre-download hours or days before this procedure. Make sure that you did not violate any validations since the pre-upgrade validations were performed at the time of pre-download. To perform pre-upgrade validations again at this point, use the Script because the APIC built-in pre-upgrade validator will result in the re-downloading of the switch image.

Before you begin

Ensure that you check and follow these guidelines:

You must first finish the pre-download procedures in Pre-download images to the leaf and spine switches.

Follow these steps to install firmware images and upgrade leaf and spine switches:

Procedure


Step 1

When you have a maintenance window where you are able to have the nodes reboot as part of the upgrade process, click Actions, then Begin Install to begin the software installation.

You can monitor the progress of the upgrade for the nodes in the upgrade group in the Node Firmware Update window. You can also close this window and click Nodes in the left navigation window to check the overall status of the upgrade group in the Status column in the table.

Step 2

When all of the nodes are shown with a status of Completed, click Done and proceed with the next update group.