Upgrading the Software
The method that you use to upgrade your Cisco Cloud APIC software varies, depending on the situation:
- If you are upgrading from a pre-5.0(1) release to Release 5.0(2), you will use a migration-based process to upgrade your software. Go to Migration-Based Upgrade for those instructions.
  Note: The same migration-based procedures used for an upgrade can also be used for a system recovery, as described in Performing a System Recovery.
- If you are upgrading from Release 5.0(1) to Release 5.0(2), you will use a policy-based process to upgrade your software. Go to Policy-Based Upgrade for those instructions.
  Note: If the policy-based upgrade from Release 5.0(1) to Release 5.0(2) does not work for some reason, you can upgrade from Release 5.0(1) to Release 5.0(2) using the migration-based process as described in Migration-Based Upgrade.
Guidelines and Limitations For Upgrading the Software
Following are the guidelines and limitations that you must be aware of before upgrading the Cisco Cloud APIC software:
Beginning with Release 5.0(2), the configuration drift feature is available, as described in the "Configuration Drifts" chapter in the Cisco Cloud APIC for Azure User Guide, Release 5.0(x) or later. If you had configuration drifts enabled prior to the upgrade, the configuration drift feature is restarted after the upgrade is completed. When the feature is restarted, the previous configuration drift analysis is cleared (no configuration drifts are shown after the upgrade) and a fresh analysis is started. This is expected behavior.
Migration-Based Upgrade
Follow these procedures if you are upgrading from Release 4.2(4) or earlier to Release 5.0(2), where you will use a migration-based process to upgrade your software.
Note: These migration-based procedures used for an upgrade can also be used for a system recovery, as described in Performing a System Recovery.
Gathering Existing Cloud APIC Configuration Information
Before upgrading your Cisco Cloud APIC software, follow the instructions in this topic to locate the existing configuration information for certain fields and make a note of the entries for each of these fields. You will use the same entries for these fields in a later step in the following procedures, when you use the Release 5.0(2) recovery template to upgrade your Cisco Cloud APIC.
For each of the following fields, make a note of the entries that you entered as part of the original deployment that you performed in Deploying the Cloud APIC in Azure:
Subscription
- Navigate to .
- Locate the row for the tenant that has infra underneath the name in the Name column.
- Note the value in the Azure Subscription column.
  This is the Subscription entry for your Cisco Cloud APIC.
Resource Group
- Navigate to .
  The Virtual Machines window appears.
- Locate and note the Cisco Cloud APIC VM in the VM list.
  The value for the VM is typically shown with the format <vm_name>(<resource_group>), where:
  - <vm_name> is the virtual machine name, as described in Virtual Machine Name.
  - (<resource_group>) is the Resource Group entry for your Cisco Cloud APIC.
Location
- Navigate to .
  The Virtual Machines window appears.
- Locate the Cisco Cloud APIC VM in the VM list.
- Click the value for the Cisco Cloud APIC VM in the VM list.
  A nav panel with details about the Cisco Cloud APIC VM slides in from the right side of the screen.
- In the General area, locate and note the value in the Region field.
  This is the Location entry for your Cisco Cloud APIC.
Fabric Name
- SSH to your Cisco Cloud APIC through the CLI:
  # ssh admin@<cloud_apic_ip_address>
  Enter the password if prompted.
- Enter the following in the CLI:
  ACI-Cloud-Fabric-1# acidiag avread
- Locate the FABRIC_DOMAIN area in the output:
  Local appliance ID=1 ADDRESS=10.100.0.13 TEP ADDRESS=10.100.0.12/30 ROUTABLE IP ADDRESS=0.0.0.0 CHASSIS_ID=afe36d66-042a-11eb-ab21-7b2dc494b182
  Cluster of 1 lm(t):1(zeroTime) appliances (out of targeted 1 lm(t):1(2020-10-01T21:15:48.743+00:00)) with FABRIC_DOMAIN name=ACI-Cloud-Fabric set to version=5.0(2i) lm(t):1(2020-10-01T21:15:48.746+00:00); discoveryMode=PERMISSIVE lm(t):0(zeroTime); drrMode=OFF lm(t):0(zeroTime); kafkaMode=OFF lm(t):0(zeroTime)
      appliance id=1 address=10.100.0.13 lm(t):1(2020-10-01T21:14:23.001+00:00) tep address=10.100.0.12/30 lm(t):1(2020-10-01T21:14:23.001+00:00) routable address=0.0.0.0 lm(t):1(zeroTime) oob address=10.100.0.29/28 lm(t):1(2020-10-01T21:14:26.723+00:00) version=5.0(2i) lm(t):1(2020-10-01T21:14:26.841+00:00) chassisId=afe36d66-042a-11eb-ab21-7b2dc494b182 lm(t):1(2020-10-01T21:14:26.841+00:00) capabilities=0X7EEFFFFFFFFF--0X2020--0X1 lm(t):1(2020-10-01T21:20:27.483+00:00) rK=(stable,present,0X206173722D687373) lm(t):1(2020-10-01T21:14:26.728+00:00) aK=(stable,present,0X206173722D687373) lm(t):1(2020-10-01T21:14:26.728+00:00) oobrK=(stable,present,0X206173722D687373) lm(t):1(2020-10-01T21:14:26.728+00:00) oobaK=(stable,present,0X206173722D687373) lm(t):1(2020-10-01T21:14:26.728+00:00) cntrlSbst=(APPROVED, E8E6DDB1D800) lm(t):1(2020-10-01T21:14:26.841+00:00) (targetMbSn= lm(t):0(zeroTime), failoverStatus=0 lm(t):0(zeroTime)) podId=1 lm(t):1(2020-10-01T21:14:23.001+00:00) commissioned=YES lm(t):1(zeroTime) registered=YES lm(t):1(2020-10-01T21:14:23.001+00:00) standby=NO lm(t):1(2020-10-01T21:14:23.001+00:00) DRR=NO lm(t):0(zeroTime) apicX=NO lm(t):1(2020-10-01T21:14:23.001+00:00) virtual=YES lm(t):1(2020-10-01T21:14:23.001+00:00) active=YES(2020-10-01T21:14:23.001+00:00) health=(applnc:255 lm(t):1(2020-10-01T21:16:16.514+00:00) svc's)
  ---------------------------------------------
  clusterTime=<diff=-1 common=2020-10-02T07:46:19.717+00:00 local=2020-10-02T07:46:19.718+00:00 pF=<displForm=0 offsSt=0 offsVlu=0 lm(t):1(2020-10-01T21:15:50.026+00:00)>>
  ---------------------------------------------
  The value after FABRIC_DOMAIN name= (ACI-Cloud-Fabric in this example) is the Fabric Name entry for your Cisco Cloud APIC.
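As an added example (not part of the Cisco documentation), the following Python snippet extracts the Fabric Name, running version and appliance state from saved acidiag avread output, so the value you note can be checked against what the controller reports before the VM is deleted. The sample text is abridged from the output above, and the name parse_avread is hypothetical.

```python
import re

# Abridged from the acidiag avread output shown above (fields trimmed for length).
SAMPLE_AVREAD = (
    "Local appliance ID=1 ADDRESS=10.100.0.13 TEP ADDRESS=10.100.0.12/30\n"
    "Cluster of 1 lm(t):1(zeroTime) appliances (out of targeted 1 "
    "lm(t):1(2020-10-01T21:15:48.743+00:00)) with FABRIC_DOMAIN "
    "name=ACI-Cloud-Fabric set to version=5.0(2i) "
    "lm(t):1(2020-10-01T21:15:48.746+00:00); discoveryMode=PERMISSIVE\n"
    "    appliance id=1 address=10.100.0.13 lm(t):1(2020-10-01T21:14:23.001+00:00) "
    "version=5.0(2i) lm(t):1(2020-10-01T21:14:26.841+00:00) commissioned=YES "
    "lm(t):1(zeroTime) active=YES(2020-10-01T21:14:23.001+00:00)\n"
)

# The cluster summary carries the fabric name; DOTALL lets the patterns work
# whether the output kept its line breaks or was pasted as one long line.
CLUSTER_RE = re.compile(
    r"Cluster of (?P<current>\d+) .*?out of targeted (?P<target>\d+) .*?"
    r"FABRIC_DOMAIN name=(?P<name>.+?) set to version=(?P<version>\S+)",
    re.DOTALL,
)
# Lowercase "appliance id=" is the per-appliance record; the "Local appliance ID="
# header is uppercase and is deliberately not matched.
APPLIANCE_RE = re.compile(
    r"appliance id=(?P<id>\d+)\s+address=(?P<address>\S+).*?"
    r"\bversion=(?P<version>\S+).*?commissioned=(?P<commissioned>\w+).*?"
    r"active=(?P<active>\w+)",
    re.DOTALL,
)

def parse_avread(text):
    """Return the Fabric Name, version, cluster size and per-appliance state."""
    cluster = CLUSTER_RE.search(text)
    if cluster is None:
        raise ValueError("no FABRIC_DOMAIN entry found in avread output")
    return {
        "fabric_name": cluster["name"],
        "version": cluster["version"],
        "cluster_size": (int(cluster["current"]), int(cluster["target"])),
        "appliances": [m.groupdict() for m in APPLIANCE_RE.finditer(text)],
    }

if __name__ == "__main__":
    info = parse_avread(SAMPLE_AVREAD)
    print(info["fabric_name"], info["version"], info["cluster_size"])
```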
External Subnets
- Navigate to .
- Locate the EPG with the name ext-networks and click that EPG.
  A nav panel slides in from the right side of the screen.
- In the nav panel, click the Details icon.
  The Overview page for this EPG appears.
- In the Endpoints area, locate the row for ext-Network1 and note the value in the Subnet column.
  This is the External Subnets entry for your Cisco Cloud APIC. Note that a value of 0.0.0.0/0 means that anyone is allowed to connect to your Cisco Cloud APIC.
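The 0.0.0.0/0 caveat above, as an added example (not from the Cisco documentation): a Python check over the External Subnets values you noted, flagging any-source entries before they are re-entered in the recovery template. It goes slightly beyond the text by also catching narrower entries that together cover the whole address space; the function name and sample values are constructed.

```python
import ipaddress

def audit_external_subnets(entries):
    """Return (findings, open_to_any) for a list of External Subnets values."""
    findings, nets = [], []
    for raw in entries:
        try:
            iface = ipaddress.ip_interface(raw.strip())
        except ValueError:
            findings.append((raw, "invalid CIDR"))
            continue
        net = iface.network
        nets.append(net)
        if net.prefixlen == 0:
            findings.append((raw, "any source allowed"))
        elif iface.ip != net.network_address:
            # e.g. 203.0.113.7/24 really permits the whole 203.0.113.0/24
            findings.append((raw, f"host bits set; effective range {net}"))
    # Entries that look narrow on their own can still add up to the whole
    # address space (0.0.0.0/1 plus 128.0.0.0/1), so merge per IP version.
    open_to_any = False
    for version in (4, 6):
        same_family = [n for n in nets if n.version == version]
        merged = ipaddress.collapse_addresses(same_family)
        if any(m.prefixlen == 0 for m in merged):
            open_to_any = True
    return findings, open_to_any

# Constructed sample values (documentation ranges), not from a real deployment.
SAMPLE_ENTRIES = ["198.51.100.0/24", "203.0.113.7/24", "0.0.0.0/0"]

if __name__ == "__main__":
    findings, open_to_any = audit_external_subnets(SAMPLE_ENTRIES)
    for entry, reason in findings:
        print(f"{entry}: {reason}")
    print("reachable from any address:", open_to_any)
```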
Virtual Machine Name
- Navigate to .
  The Virtual Machines window appears.
- Locate and note the value for the Cisco Cloud APIC VM in the list.
  The value for the VM is typically shown with the format <vm_name>(<resource_group>), where:
  - <vm_name> is the Virtual Machine Name entry for your Cisco Cloud APIC.
  - (<resource_group>) is the resource group, as described in Resource Group.
Infra VNET Pool
For the infra VNET pool, you might have multiple infra subnet pools, so be sure to locate the information for the infra subnet that was used when you launched the original Cisco Cloud APIC through the ARM template as part of the procedures in Deploying the Cloud APIC in Azure.
- In your Cisco Cloud APIC GUI, click the Intent icon and choose cAPIC Setup.
- In the Region Management area, click Edit Configuration.
  The Regions to Manage window appears.
- Click Next.
  The General Connectivity window appears.
- In the Subnet Pools for Cloud Routers area underneath General, locate the row that has a System Internal value in the Created By column and note the value in the Subnet column.
  This is the Infra VNET Pool entry for your Cisco Cloud APIC.
Storage Account Name
Navigate to the Storage accounts page in Azure under the resource group where the Cisco Cloud APIC was deployed previously:
- Log into your Azure account for the Cloud APIC infra tenant and go to the Azure management portal, if you are not there already:
- Under Services, select Storage accounts.
  The Storage accounts page appears.
- Locate and note the storage account name for your Cisco Cloud APIC resource group.
  This is the Storage Account Name entry for your Cisco Cloud APIC.
What to do next
Follow the procedures in Performing Pre-Upgrade Procedures.
Performing Pre-Upgrade Procedures
Before you begin
Procedure
Step 1
Enable the encrypted passphrase control, if it is not enabled already.
Step 2
Back up your existing Cisco Cloud APIC configuration. There are a number of different ways that you can back up your Cisco Cloud APIC configuration. See the Cloud APIC for Azure Users Guide for more information. Note that if you want to use a remote backup, you will also need to add a remote location first.
Step 3
If you have non-home region CSRs in your deployment, remove the CSRs from all regions except the home region.
Step 4
Delete the Cisco Cloud APIC VM.
What to do next
Follow the procedures in Downloading and Deploying the Recovery Template.
Downloading and Deploying the Recovery Template
Before you begin
Complete the procedures in Performing Pre-Upgrade Procedures before proceeding with these procedures.
Procedure
Step 1
Download the Release 5.0(2) recovery template for Cisco Cloud APIC.
Step 2
Deploy the Release 5.0(2) recovery template in the Azure portal.
Step 3
Use the recovery template to deploy the Cisco Cloud APIC VM in the same resource group.
What to do next
Follow the procedures in Performing Post-Upgrade Procedures.
Performing Post-Upgrade Procedures
Before you begin
Complete the procedures in Downloading and Deploying the Recovery Template before proceeding with these procedures.
Procedure
Step 1
Give the contributor role to the Cisco Cloud APIC VM on the infra subscription.
Step 2
Enable the same encryption passphrase.
Step 3
Import the configuration that you backed up in Step 2 in Performing Pre-Upgrade Procedures. If you configured a remote location when you backed up your configuration, you might have to create the remote location again to access the backup.
Step 4
Review the naming policy.
Step 5
Wait for the non-home region CSRs to come up on the cloud, and ensure that all of the VGW tunnels are up with the newly-created CSRs and the configuration reconciliation is complete. In addition, you may see that the home region CSR is deleted and recreated at this point in the process if a CSR upgrade is required. Ignore these actions and any faults that might appear as a result, as they will clear up when you complete the following steps in this procedure. Wait until the home region CSRs are upgraded to the latest CSR version in this case. For example, for Release 5.0(2i), the latest CSR version would be 17_1.
Step 6
(Optional) If you have intersite connectivity and you want to avoid a complete intersite traffic drop, reconfigure the non-home region intersite tunnels and bring up the tunnels through the ACI Multi-Site Orchestrator before bringing down the home region CSRs in the next step. This step is not necessary if you do not have intersite connectivity or if you have intersite connectivity but you're not concerned with traffic loss.
Step 7
Undeploy the home region CSRs.
Step 8
Redeploy the home region CSRs. The previously-configured home region CSRs are deleted and the new home region CSRs are re-created in this step.
Step 9
(Optional) Complete the procedures in this step if intersite connectivity is required.
What to do next
If you want to migrate to Azure VNet peering for inter-VNet connectivity, follow the procedures in Migrating to VNet Peering (Optional).
Migrating to VNet Peering (Optional)
Follow the procedures in this task if you want to migrate to Azure VNet peering for inter-VNet connectivity rather than using the traditional tunnel-based VPN connectivity through the CSRs. For more information on the VNet peering feature, see the Configuring VNet Peering for Cloud APIC for Azure document.
Note: Migrating to VNet peering mode is a disruptive operation. Be aware that there will be traffic loss during the process.
Before you begin
Complete the procedures in Performing Post-Upgrade Procedures before proceeding with these procedures.
Procedure
Step 1
In your Cisco Cloud APIC GUI, click the Intent icon and choose cAPIC Setup.
Step 2
In the Region Management area, click Edit Configuration. The Regions to Manage window appears.
Step 3
Locate the Connectivity for Internal Network area and verify that the Virtual Network Peering is available.
Step 4
Click Virtual Network Peering to enable the Azure VNet peering feature. This enables VNet peering at the Cisco Cloud APIC level, deploying NLBs in all the regions with CSRs in the infra VNet. After you have enabled VNet peering at the Cisco Cloud APIC level, on each user cloud context profile, you will have to enable the VNet Peering option and disable the VNet Gateway Router option.
Step 5
In the left navigation bar, navigate to . The existing cloud context profiles are displayed.
Step 6
Click Actions and choose Create Cloud Context Profile. The Create Cloud Context Profile dialog box appears.
Step 7
Locate the VNet Gateway Router field and click to uncheck (disable) the VNet Gateway Router check box.
Step 8
Locate the VNet Peering field and click to check (enable) the VNet Peering check box.
Step 9
Click Save when finished.
Step 10
Configure the Network Contributor role for both the infra and user tenant subscriptions.
In this situation, you will have to configure the following for peering to work between the user tenant and the infra VNets:
Policy-Based Upgrade
Use the procedures in the following sections to perform a policy-based upgrade of your Cisco Cloud APIC software, if you are upgrading from Release 5.0(1) to Release 5.0(2).
Downloading an Image
Procedure
Step 1
Log in to your Cisco Cloud APIC, if you aren't logged in already.
Step 2
From the Navigation menu, choose . The Firmware Management window appears.
Step 3
Click the Images tab in the Firmware Management window.
Step 4
Click Actions, then choose Add Firmware Image from the scroll-down menu. The Add Firmware Image pop-up appears.
Step 5
Determine if you want to add the firmware image from a local or a remote location.
Step 6
Click Select.
Upgrading the Software Using the Policy-Based Upgrade Process
Use the procedures in the following sections to perform a policy-based upgrade of your Cisco Cloud APIC software, if you are upgrading from Release 5.0(1) to Release 5.0(2).
Before you begin
- You have downloaded an image using the procedures provided in Downloading an Image.
Procedure
Step 1
Subscribe to the 17.1 image for the Cisco Cloud Services Router (CSR) 1000V - Bring Your Own License (BYOL) for Release 5.0(2).
Step 2
Remove the CSRs from all regions except the home region.
Step 3
When the necessary CSRs have been completely removed, from the Navigation menu, choose the . The Firmware Management window appears.
Step 4
Click Schedule Upgrade. The Schedule Upgrade pop-up appears. If you see a message that says that faults are present in your fabric, we recommend that you resolve these faults before performing an upgrade. See "Viewing Health Details Using the Cisco Cloud APIC GUI" in the Cisco Cloud APIC for Azure User Guide for more information.
Step 5
In the Target Firmware field, choose a firmware image from the scroll-down menu.
Step 6
In the Upgrade Start Time field, determine if you want to begin the upgrade now or later.
Step 7
In the Ignore Compatibility Check field, leave the field at its default off (unchecked) setting, unless you are specifically told to disable the compatibility check feature. In Cloud APIC, there is a compatibility check feature that verifies if an upgrade path from the currently-running version of the system to a specific newer version is supported or not. The Ignore Compatibility Check setting is set to off by default, so the system automatically checks the compatibility for possible upgrades by default.
Step 8
Click Schedule Upgrade. You can monitor the progress of the upgrade in the main Firmware Management window, under the Upgrade Status area.
Step 9
When the upgrade is completed, add the necessary CSRs back again. Verify that the home region CSR is stabilized before adding the CSRs in the other regions back again.
Step 10
Determine if you want to migrate to Azure VNet peering for inter-VNet connectivity rather than using the traditional tunnel-based VPN connectivity through the CSRs. For more information on the VNet peering feature, see the Configuring VNet Peering for Cloud APIC for Azure document.
Follow these instructions to enable the VNet peering feature: