Upgrading the Cisco Virtual Security Gateway and Cisco Virtual Network Management Center
This chapter describes how to install and complete an upgrade for the Cisco Virtual Security Gateway (VSG) and the Cisco Virtual Network Management Center (VNMC).
This chapter includes the following sections:
•Information About Cisco VSG Upgrades
•Information About Cisco VNMC Upgrades
•Upgrade Procedure in Sequence
•Upgrade Compatibility Matrix
Information About Cisco VSG Upgrades
The upgrade procedure for a standalone Cisco VSG is hitful, which means that you must manually reload the Cisco VSG for the new image to become effective. In HA mode, the upgrade is hitless, which means that the standby Cisco VSG is upgraded first and then after a switchover, the previously active Cisco VSG is upgraded.
License information is not stored with the Cisco VSG; it is maintained between the Virtual Supervisor Module (VSM) and the Virtual Ethernet Module (VEM). If packets are received at the Cisco VSG, the license is valid and the packets are processed.
An upgrade affects two bin files: the kickstart file and the system file.
An upgrade does not erase any of the existing information. When the Cisco VSG comes online, everything is as is. Because the Cisco VSG is stateless, it gets all this information from the Cisco VNMC at bootup.
Information About Cisco VNMC Upgrades
When you upgrade the Cisco VNMC software, all current command-line interface (CLI) and graphical user interface (GUI) sessions are interrupted, which means that you must restart any CLI or GUI sessions.
Upgrade Procedure in Sequence
This section describes the upgrade procedure.
Note We highly recommend that you use the following order for upgrading your Cisco VSG and Cisco VNMC.
•Upgrading a Cisco VSG Pair
•Upgrading the VSM Pair
•Using the copy running-config startup-config Command on the Active VSM
•Upgrading the VEM
•Upgrading Cisco VNMC
•Upgrading the VSM-PA
•Upgrading the Cisco VSG-PA
Note An upgraded Policy Agent (PA) without an upgraded Cisco VNMC will not be supported.
Upgrading a Cisco VSG Pair
You can upgrade a Cisco VSG pair using the following procedure.
Note Although you might see the install command on the Cisco VSG CLI, the command is not operational for the current release. Please follow the steps provided in this section to upgrade your Cisco VSG software.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•You have already copied the new software files into the bootflash file system.
•You have confirmed that the system is in high availability (HA) mode for an HA upgrade using the show system redundancy status command.
SUMMARY STEPS
1. configure
2. no boot system
3. no boot kickstart
4. boot system bootflash:system-filename
5. boot kickstart bootflash:kickstart-filename
6. (Optional) show boot
7. copy running-config startup-config
8. reload module standby_module_no
9. system switchover
DETAILED STEPS
Step 1 configure
Example:
vsg# configure
vsg(config)#
Places you in global configuration mode.
Step 2 no boot system
Example:
vsg(config)# no boot system
Removes the existing system boot variable.
Step 3 no boot kickstart
Example:
vsg(config)# no boot kickstart
Removes the existing kickstart boot variable.
Step 4 boot system bootflash:system-filename
Example:
vsg(config)# boot system bootflash:system-filename
Adds the new system boot variable.
Step 5 boot kickstart bootflash:kickstart-filename
Example:
vsg(config)# boot kickstart bootflash:kickstart-filename
Adds the new kickstart boot variable.
Step 6 show boot
Example:
vsg(config)# show boot
(Optional) Displays the system and kickstart variables for verification.
Step 7 copy running-config startup-config
Example:
vsg(config)# copy running-config startup-config
Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration. This step also initiates an image synchronization to the standby and the boot variable is synchronized to the standby.
Step 8 reload module standby_module_no
Example:
vsg(config)# reload module 2
If the primary Cisco VSG is active, the standby module number is 2. If the secondary Cisco VSG is active, the standby module number is 1. Make sure that the standby module has reloaded successfully and the HA pair is established.
Step 9 system switchover
Example:
vsg(config)# system switchover
Reloads the active Cisco VSG to come up with the new image. Wait for HA synchronization to complete.
Upgrading the VSM Pair
Upgrade the VSM pair according to the procedures in the Cisco Nexus 1000V Software Upgrade Guide, Release 4.2(1)SV1(4a).
Using the copy running-config startup-config Command on the Active VSM
Before continuing with the rest of the upgrade, you must use the copy running-config startup-config command on the active VSM.
Note It is critical that you enter the copy running-config startup-config command at this stage to keep your data flowing correctly.
Upgrading the VEM
Upgrade the VEM according to the procedures in the Cisco Nexus 1000V Software Upgrade Guide, Release 4.2(1)SV1(4a).
Upgrading Cisco VNMC
You can upgrade the Cisco VNMC by using the following procedure.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in as admin to the CLI in EXEC mode.
•You have already copied the new software files into the bootflash file system.
•You must have the Cisco VNMC Release 1.0.1 installed.
SUMMARY STEPS
1. connect local-mgmt
2. (Optional) show version
3. copy scp://example-server-ip/example-dir/filename bootflash:/
4. dir bootflash:/
5. update bootflash:/filename
6. (Optional) show version
DETAILED STEPS
Step 1 connect local-mgmt
Example:
vnmc# connect local-mgmt
vnmc(local-mgmt)#
Places you in local management mode.
Step 2 show version
Example:
vnmc(local-mgmt)# show version
(Optional) Displays the version information for the Cisco VNMC software.
Step 3 copy scp://example-server-ip/example-dir/filename bootflash:/
Example:
vnmc(local-mgmt)# copy scp://<example-server-ip>/example1-dir/vnmc.1.2.0.635.bin bootflash:/
Copies the Cisco VNMC software file to the VM.
Step 4 dir bootflash:/
Example:
vnmc(local-mgmt)# dir bootflash:/
Verifies that the desired file is copied in the directory.
Step 5 update bootflash:/filename
Example:
vnmc(local-mgmt)# update bootflash:/vnmc.1.2.0.635.bin
Begins the update of the Cisco VNMC software.
Step 6 show version
Example:
vnmc(local-mgmt)# show version
(Optional) Allows you to verify that the Cisco VNMC software version is updated.
This example shows how to connect to the local-mgmt CLI:
Cisco Virtual Network Management Center
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2011, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
This example shows how to display version information for the Cisco VNMC:
vnmc(local-mgmt)# show version
---- ------- ------- ----
core Base System 1.0(1m) 1.0(1m)
service-reg Service Registry 1.0(1m) 1.0(1m)
policy-mgr Policy Manager 1.0(1m) 1.0(1m)
resource-mgr Resource Manager 1.0(1m) 1.0(1m)
vm-mgr VM manager 1.0(1m) none
This example shows how to copy the Cisco VNMC software to the VM:
vnmc(local-mgmt)# copy scp://<example-server-ip>/example1-dir/vnmc.1.2.0.635.bin
bootflash:/
100% 143MB 11.9MB/s 00:12
This example shows how to see the directory information for the Cisco VNMC:
vnmc(local-mgmt)# dir bootflash:/
891 Jun 10 05:52 vnmc-dplug.1.0.1m.bin
21M Jun 8 21:01 vnmc-vsgpa.1.0.1m.bin
20M Jun 8 21:01 vnmc-vsmpa.1.0.1m.bin
144M Jun 16 21:32 vnmc.1.2.0.635.bin
This example shows how to start the update for the Cisco VNMC:
vnmc(local-mgmt)# update bootflash:/vnmc.1.2.0.635.bin
It is recommended that you perform a full-state backup before updating any VNMC component.
Press enter to continue or Ctrl-c to exit.
This example shows how to display the updated version for the Cisco VNMC:
vnmc(local-mgmt)# show version
---- ------- ------- ----
core Base System 1.2(0.635) 1.2(0.635)
service-reg Service Registry 1.2(0.635) 1.2(0.635)
policy-mgr Policy Manager 1.2(0.635) 1.2(0.635)
resource-mgr Resource Manager 1.2(0.635) 1.2(0.635)
vm-mgr VM manager 1.2(0.635) none
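The optional show version check in Step 6 can be automated. The following is an added example, not Cisco code: it parses the show version output shown above and reports any component that is not on the release implied by the image file name. The function names are hypothetical, and the file-name-to-release rule is an assumption inferred from the examples on this page.

```python
import re

# A component row: name, package description, then two trailing columns
# (a release such as 1.2(0.635), or the word "none").
ROW = re.compile(r"^(\S+)\s+(.+?)\s+(\d[\w.()]*|none)\s+(\d[\w.()]*|none)$")
IMAGE = re.compile(r"^vnmc(?:-\w+)?\.(\d+)\.(\d+)\.(.+)\.bin$")

def release_from_image(filename):
    """Map vnmc.1.2.0.635.bin to 1.2(0.635), the form 'show version' prints."""
    # Assumption: this naming rule is inferred from the page's examples.
    m = IMAGE.match(filename)
    if not m:
        raise ValueError(f"unrecognised image name: {filename}")
    return f"{m.group(1)}.{m.group(2)}({m.group(3)})"

def parse_show_version(output):
    """Return {component: (package, third_column, fourth_column)}."""
    rows = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:  # prompt and separator lines do not match and are skipped
            rows[m.group(1)] = m.groups()[1:]
    return rows

def verify_update(output, image_filename):
    """List every component whose reported release differs from the image's."""
    target = release_from_image(image_filename)
    rows = parse_show_version(output)
    if not rows:
        return ["no component rows found in output"]
    # Only the third column is compared; the page does not show the column
    # headings, so the fourth column is left uninterpreted.
    return [f"{name}: {ver}, expected {target}"
            for name, (_pkg, ver, _other) in rows.items() if ver != target]

# Output as shown on this page after the update.
UPDATED = """vnmc(local-mgmt)# show version
---- ------- ------- ----
core Base System 1.2(0.635) 1.2(0.635)
service-reg Service Registry 1.2(0.635) 1.2(0.635)
policy-mgr Policy Manager 1.2(0.635) 1.2(0.635)
resource-mgr Resource Manager 1.2(0.635) 1.2(0.635)
vm-mgr VM manager 1.2(0.635) none
"""
# Constructed sample: one service still reporting the old release.
PARTIAL = UPDATED.replace("policy-mgr Policy Manager 1.2(0.635) 1.2(0.635)",
                          "policy-mgr Policy Manager 1.0(1m) 1.0(1m)")
```

An empty list from verify_update means every parsed component reports the target release.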
Upgrading the VSM-PA
Obtain the new VSM-PA from the Cisco VNMC download page. You can upgrade the VSM-PA by using the following procedure.
PROCEDURE
Step 1 Copy the image on the VSM in the bootflash directory.
vsm# copy scp://<example-server-ip>/example1-dir/vnmc-vsmpa.1.2.1b.bin bootflash:
Step 2 Uninstall the existing VNM-PA on the Cisco VSM.
vsm(config)# vnm-policy-agent
vsm(config-policy-agent)# no policy-agent-image
Step 3 Install the new VNM-PA image on the Cisco VSM.
vsm(config-policy-agent)# policy-agent-image vnmc-vsmpa-image-name
vsm(config-policy-agent)# exit
Step 4 Verify that the installation was successful.
VNM Policy-Agent status is - Installed Successfully. Version 1.2(1b)
Step 5 Copy the running configuration to the startup configuration.
vsm# copy running-config startup-config
[########################################] 100%
Upgrading the Cisco VSG-PA
You can upgrade the Cisco VSG-PA by using the following procedure.
PROCEDURE
Step 1 Copy the image on the Cisco VSG in the bootflash directory.
vsg# copy scp://<example-server-ip>/example1-dir/vnmc-vsgpa.1.2.1b.bin bootflash:
Step 2 Uninstall the existing VNM-PA on the Cisco VSG.
vsg(config)# vnm-policy-agent
vsg(config-policy-agent)# no policy-agent-image
Step 3 Install the new VNM-PA image on the Cisco VSG.
vsg(config-policy-agent)# policy-agent-image vnmc-vsgpa-image-name
vsg(config-policy-agent)# exit
Step 4 Verify that the installation was successful.
VNM Policy-Agent status is - Installed Successfully. Version 1.2(1b)
Step 5 Copy the running configuration to the startup configuration.
vsg# copy running-config startup-config
[########################################] 100%
Upgrade Compatibility Matrix
Table 7-1 shows how the components of a Cisco VSG and a Cisco VNMC upgrade work during the complete upgrade process.
Note We highly recommend that you upgrade the Cisco VSG and the Cisco VNMC in the order provided. Any deviation from the ordered steps could cause disruption of your connectivity and data communication.
Table 7-1 Cisco VSG and Cisco VNMC Upgrade Compatibility Matrix
| | | Phase 1: VSG Upgrade (with old PA) | Phase 2: VSM/VEM Upgrade (with old PA) | |
|---|---|---|---|---|
| VSG | Release 4.2(1)VSG1(1) | Release 4.2(1)VSG1(2) (bin upgrade for HA or reassociated for standalone) | Release 4.2(1)VSG1(2) | Release 4.2(1)VSG1(2) |
| VSM/VEM | Old | Old | New | New |
| VNMC | Release 1.0.1 | Release 1.0.1 | Release 1.0.1 | Release 1.2 |
| VSM Policy-Agent | Old | Old | Old | New |
| VSG Policy-Agent | Old | Old | Old | New |
| Supported Operations | All | •Existing data sessions (offloaded) •New data sessions •Short disruption in new data session establishment during Cisco VSG upgrade •Allows Cisco Nexus 1000V switch (non-vn-service) operations including non-vn-service port profiles •Cisco VSG failover | •Reestablishment of existing sessions •New data sessions •Cisco VSG failover | •Existing data sessions (offloaded) •Allows Cisco Nexus 1000V switch (non-vn-service) operations •Once upgraded, all operations supported |
| Restricted Operations | None | •No Cisco VNMC policy configuration change (silent drops) •No VSM/VEM vn-service VM operations (shutdown/bring up existing vn-service VMs, bring down net adapters, and so on) •No new vn-service VMs brought up •No bootstrap of devices (Cisco VNMC, Cisco VSG, VSM) •No vMotion of vn-service firewalled VMs on Cisco Nexus 1000V Switch •No vn-service port profile operations or modifications (toggles, removal, changing the port profiles on VSM) •All VSM to Cisco VNMC to Cisco VSG control operations are restricted | •No Cisco VNMC policy configuration change (silent drops) •Allows Cisco Nexus 1000V switch (non-vn-service) operations, including non-vn service port profiles •No VSM/VEM vn-service VM operations (shutdown/bring up existing vn-service VMs, bring down net adapters, and so on) •No new vn-service VMs brought up •No bootstrap of devices (Cisco VNMC, Cisco VSG, VSM) •No vMotion of vn-service firewalled VMs on Cisco Nexus 1000V Switch •No vn-service port profile operations or modifications (toggles, removal, changing the port profiles on VSM) •All VSM to Cisco VNMC to Cisco VSG control operations are restricted | None |
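Because Cisco VNMC policy changes are silently dropped while the upgrade is in progress, a change-freeze gate is a useful companion to Table 7-1. The following is an added example, not Cisco code: it checks that the components already upgraded follow the recommended order and reports whether policy changes would take effect. The component labels, the state names, and the treatment of partially completed phases as restricted are assumptions of this example.

```python
# Recommended upgrade order, from "Upgrade Procedure in Sequence".
# The short component names are labels chosen for this example.
ORDER = ["vsg", "vsm", "vem", "vnmc", "vsm-pa", "vsg-pa"]

def assess(upgraded):
    """Classify an upgrade state from the set of components already upgraded.

    Returns (state, policy_changes_allowed, problems).
    """
    upgraded = set(upgraded)
    unknown = upgraded - set(ORDER)
    if unknown:
        raise ValueError(f"unknown components: {sorted(unknown)}")

    problems = []
    pending = [c for c in ORDER if c not in upgraded]
    if pending:
        # Anything upgraded that sits after the first pending component
        # was done out of the recommended order.
        first = ORDER.index(pending[0])
        early = [c for c in ORDER[first:] if c in upgraded]
        if early:
            problems.append(f"{', '.join(early)} upgraded before {pending[0]}")
    if upgraded & {"vsm-pa", "vsg-pa"} and "vnmc" not in upgraded:
        problems.append("upgraded PA without upgraded VNMC is not supported")

    if problems:
        state = "out of order"
    elif not upgraded:
        state = "original state"
    elif not pending:
        state = "upgrade complete"
    elif "vnmc" in upgraded:
        state = "final column in progress"  # VNMC new, a PA still old
    elif {"vsm", "vem"} <= upgraded:
        state = "Phase 2"
    else:
        state = "Phase 1"  # VSG upgraded; VSM/VEM not yet both upgraded

    # Table 7-1 lists no restrictions only before the upgrade starts and once
    # it is complete; in between, VNMC policy changes are silently dropped.
    # Assumption: partially completed phases are treated as restricted too.
    allowed = state in ("original state", "upgrade complete")
    return state, allowed, problems
```

Calling assess({"vsg", "vsm", "vem"}) returns ("Phase 2", False, []), so a policy push at that point should be held until the remaining components are upgraded.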