#CiscoLive BRKDCN-2910
The Handbook! Why You Shouldn't Fear Upgrading Your ACI Fabric
Takuya Kishida, Technical Leader, Technical Market Engineering
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Questions? Use the Cisco Webex App to chat with the speaker after the session: find this session in the Cisco Live Mobile App, click "Join the Discussion", install the Webex App or go directly to the Webex space, and enter messages/questions in the Webex space. Webex spaces will be moderated by the speaker until June 9, 2023.
Agenda
- Upgrade Architecture: ACI Firmware Upgrade Types; Upgrade Architecture: APIC; Upgrade Architecture: Switches; (Bonus) Upgrade Enhancements
- Best Practices: Best Practices Workflow Review; Best Practices Configurations; "Pre-Upgrade Checklist" Review and Execution; "Dos and Don'ts"

Slide 6: ACI Firmware Upgrade Types
Three types: Regular Upgrade, Software Maintenance Upgrade (SMU), and EPLD/FPGA Upgrade (switches only).

Slide 7: ACI Firmware Upgrade Types (Regular)
- APIC Upgrade
- Switch Upgrade (through APIC)
- A Regular Upgrade is the base OS firmware upgrade. In principle, all APICs and switches should be on the same version.

Slide 8: Different versions in the same fabric?
- In principle, this should be avoided. What if I cannot finish the upgrades in a single upgrade window? Available options:
- APIC firmware: all APICs must be on the same version.
- Switch firmware: switches can be on different versions, with limited operations.
- Supported operations with different switch versions: create, update and delete BDs, EPGs, contracts, L3Outs, VMM domains and Access Policies; collect configuration backups and techsupports, or troubleshoot with SPAN; physical operations such as enabling/disabling interfaces or replacing a node. See the Upgrade Guide for the complete list: https:/
Slide 9: ACI Firmware Upgrade Types (SMU)
- SMU for all APICs; SMU for specific switches (through APIC). Available from 5.2(1).
- A patch for a specific defect. No need to upgrade the entire fabric: you can apply it only to the APICs or to the affected switch nodes, with no need to upgrade other switches.

Slide 10: ACI Firmware Upgrade Types (EPLD/FPGA)
- Hardware-related firmware. Each ACI switch version has its desired EPLD/FPGA version.
- Automatically upgraded via a Regular Upgrade through APIC. No user configuration.
- What if a switch is new and didn't go through a Regular Upgrade via APIC? 5.2(1) has you covered.

APIC Upgrade Architecture (note: for 4.0 or newer APICs)
Slide 12: APIC Upgrade Architecture
Stages: Image Upload -> Trigger -> Install -> Data Conversion & Reboot.
- Image Upload: a user uploads the APIC image on one of the APICs. After the md5sum check, the image is copied to the other APICs (auto sync).

Slide 13: APIC Upgrade Architecture (Trigger)
- Set the target version on all APICs.
- APIC1 informs the shards on all APICs of the upgrade, and all shards are prepared for upgrade. Each shard has 3 replicas across the APICs; all replicas are prepared for upgrade. (Shard: user configurations and data spread across APICs. Replica: backup for each shard.)
- Estimated time: a few minutes. No disruptive operations from this point (details in later slides).

Slide 14: APIC Upgrade Architecture (Install)
- Install the APIC OS in a backup partition. All APICs perform this in parallel.
- No reboot, no impact yet. Estimated time: a few minutes.

Slide 15: APIC Upgrade Architecture (Data Conversion & Reboot)
- Convert user configurations and data to the target version format. Conversion happens one APIC at a time: each APIC waits until the lower-numbered APICs finish data conversion and reboot.
- Convert data starting from APIC 1, then reboot. After the reboot, APIC1's upgrade is considered completed.
- Estimated time: depends on the size of
data. A fair estimate would be 40 min per APIC (potentially more or less).

ACI Switch Upgrade Architecture
Flow: Image Download -> Queuing -> Preparation -> Reboot -> Boot Up.

Slide 17: ACI Switch Upgrade Flow (Image Download)
- The switch downloads the image from APIC. The download is via the infra TEP.
- No traffic impact.

Slide 18: ACI Switch Upgrade Flow (Queuing)
- The switch receives approval from APIC (upgrade token). This controls which switches are upgraded in parallel: one leaf at a time in each vPC pair; not all spines in each pod if the graceful option is used (since APIC 4.1(1)).
- No traffic impact.

Slide 19: ACI Switch Upgrade Flow (Preparation)
- The switch extracts the image, sets the boot variable and so on.
- No traffic impact.

Slide 20: ACI Switch Upgrade Flow (Reboot)
- Wipe the
config and reboot (i.e. a clean reboot). Traffic failover relies on link failure.
- About 100 msec of traffic impact in the best case: ISIS detects the tunnel down and traffic fails over with the link down. Depends on other conditions such as the link failure detection time on external devices, the routing protocol and so on.

Slide 21: ACI Switch Upgrade Flow (Boot Up)
- Various traffic flow optimizations (continued on the next slides).

Slide 22: ACI Switch Upgrade Flow (Boot Up Sequence), step 01 (bring up fabric ports)
- Bring up fabric links; bring up APIC-connected down links; admin-down the other down links.
- No traffic flow change.
Slide 23: Boot Up Sequence, step 02 (TEP IP is restored)
- An APIC discovers the switch via DHCP/LLDP, and the same TEP IP is assigned.
- No traffic flow change.

Slide 24: Boot Up Sequence, step 03 (infra reachability is restored)
- ISIS overload mode is activated: ISIS advertises the TEP IP with a large metric, and ISIS does not advertise BD mcast groups to join.
- No traffic flow change.

Slide 25: Boot Up Sequence, step 04 (config from APIC)
- The switch starts downloading its configuration from an APIC; this takes several minutes.
- No traffic flow change. ISIS overload mode remains active: the TEP IP is advertised with a large metric, and ISIS does not advertise
BD mcast groups to join.

Slide 26: Boot Up Sequence, step 05 (ISIS multicast overload mode completes, i.e. flood)
- The vPC peer is established at the same time.
- ISIS multicast overload timer: leaf nodes, fixed 1 min; spine nodes, when the FTAG tree is created (fixed 1 min prior to Switch 14.2(1)).
- Flood traffic starts coming in, but there is no impact because the downlinks are still admin-down.
- No traffic flow change.

Slide 27: Spine ISIS multicast overload timer (CSCvp79708): why not a fixed 1 min?
- A spine that has booted up but is not yet part of the FTAG tree (the blue lines in the figure) may, once ISIS mcast overload is done, be elected as the designated receiver for the BD1 mcast group even though FTAG is not ready.
- Then the IPN would send BD1 flood traffic to this not-ready spine.

Slide 28: Boot Up Sequence, step 06 (ready to receive traffic)
- The full configuration has been downloaded. Bring up access links (downlinks) and vPC ports after the vPC restore delay timer expires.
- Ready to receive traffic: VLANs
are deployed (for VMM, depends on Resolution Immediacy); contracts are deployed (depends on Deployment Immediacy); Spine-Proxy is ready; flood handling (FTAG) is ready.
- The vPC restore delay timer is fixed to 120 s since Switch 12.0(2). It starts when the vPC peer is established.

Slide 29: Boot Up Sequence, step 07 (ISIS unicast overload mode completes)
- The TEP IP is advertised with a normal metric. Traffic flow is back to the previous status.
- ISIS unicast overload timer: 10 min, fixed for all nodes.

ACI Switch Upgrade with Graceful Option (a.k.a. Graceful Upgrade)

Slide 31, reboot step annotation: wipe the config and reboot (i.e. clean reboot); traffic failover relies on link failure.
Slide 31: ACI Switch Upgrade with graceful option
- Flow: Image Download -> Scheduler -> Preparation -> Reboot -> Boot Up.
- The Graceful Option gracefully isolates the switch before the switch goes down for the upgrade. The rest is the same as without the graceful option.

Slide 32: ACI Switch Upgrade with graceful option (older APIC GUI)
- Same flow and reboot behaviour as slide 31, shown in the older APIC GUI.

Slide 33: Enhanced reboot sequence with graceful option
Reboot with the graceful option disabled:
1. Wipe the config and reboot (i.e. clean reboot).
2. Traffic failover relies on the user-configured link failure mechanism.
Reboot with the graceful option enabled:
1. Put the switch into MMode (Maintenance Mode):
   1. ISIS overload mode enabled.
   2. Graceful shutdown on routing protocols: leaf, BGP, EIGRP and OSPF for L3Out; spine, BGP and OSPF for IPN and GOLF.
   3. vPC informs its peer that this switch is going down.
   4. LACP sends PDUs with the aggregation bit set to zero (starting from 3.1(2)), so external devices can exclude the link from the port-channel before the link physically goes down.
   5. Shut down the front panel ports: leaf, all down links including APIC-connected links; spine, all IPN links.
2. Wipe the config and reboot (i.e. clean reboot).

Slide 34: Traffic Disruption without Graceful Upgrade (OSPF DR reboot example)
- Topology: two leaf switches (OSPF DR and BDR) and an external L3 switch (SVI, DROTHER) on an OSPF broadcast network; 10.0.0.0/8 is the route in the example.
- Before the upgrade: no traffic impact.
- DR leaf upgrade (reboot): about 100 msec of traffic impact, due to failover with link failure.
- Then the OSPF hold timer expires and SPF recalculation occurs: a few seconds of loss until the external router re-sends the OSPF LSA for 10.0.0.0/8.

Slide 35: With Graceful Upgrade (OSPF DR reboot example)
- Same topology. No traffic impact: OSPF will _not_ lose existing routes due to SPF recalculation.

Slides 36 to 41 are not recoverable from the source; only GUI-path fragments survive: "Inventory > Fabric Membership > Auto Firmware Update (5.1(1))" and "Admin > Firmware > Infrastructure > Nodes > Enforce Bootscript Version Validation (5.1(1), 5.2)".

Slide 42: Upgrade Procedure
Three phases: Upload Images, APIC Upgrade, Switch
Upgrade (through APIC).
- Upload Images: 1. Upload the target APIC image to the APICs. 2. Upload the target switch images to the APICs.
- APIC Upgrade: 1. Upgrade the APIC cluster.
- Switch Upgrade (through APIC): 1. Download the switch images from the APICs to the switches. 2. Upgrade the switches.

Slide 43: Upgrade Procedure specific to pre-6.0(2) -> 6.0(2) or later (ex. 5.2 -> 6.0.2)
- Upload Images: 1. Upload the target APIC image to the APICs.
- APIC Upgrade: 1. Upgrade the APIC cluster.
- Switch Upgrade (through APIC): 1. Upload the target switch images to the APICs. Do not upload switch images (16.0(2) or later) until the APICs are upgraded. 2. Download the switch images from the APICs to the switches. 3. Upgrade the switches.
- ACI Upgrade Guide: https:/

Upgrade Enhancements

Slide 45: ACI Upgrade Enhancement Quick Summary
The original slide is a table whose columns are the APIC versions 4.1(1), 4.2(*), 4.2(5), 5.0/5.1, 5.2(1), 5.2(3) and 6.0(2), with the switch version requirement for each enhancement; the enhancements are grouped as Upgrade Time Optimization, Visibility and Operation Optimization. Enhancement (switch version requirement):
- Switch Image Pre-download (14.1(1) or later)
- Multi-Pod Parallel Switch Upgrade (no requirements)
- Unlimited Parallel Switch Upgrade By Default (no requirements)
- APIC Detailed Install Stage (N/A)
- Switch Image Download Progress (14.5(1) or later)
- Built-in Pre-Upgrade Validation (no requirements)
- Pre-Upgrade Validator App* (no requirements)
- SMU Support (15.2(1) or later)
- Auto EPLD/FPGA upgrade (15.2(1) or later)
- NXOS to ACI auto conversion via POAP (15.2(3) or later)
- Auto Firmware Update for APIC (N/A)
- Auto Firmware Update for
switches (no requirements)
* The pre-upgrade validator app needs to be downloaded for the supported APIC versions (the download source did not survive in the source text).

Slide 46: Upgrade Time Reduction
- Switch image download from APIC to switches.
- Upgrade multiple pods/switches in parallel.

Slide 47: Switch Image Pre-Download with a scheduler (4.1(1))
- New label in ACI 14.2(5). The functionality of pre-download has been the same since ACI 4.1; prior to 14.2(5) it was labeled "Schedule for Later", with the same functionality.
1. Schedule for a long time ahead just to trigger the pre-download of a switch image.
2. During the actual maintenance window, come back to this same window (maintenance group) and select "Now" to trigger the upgrade on demand. Switches don't need to re-download the images and can proceed with the upgrade immediately.

Slide 48: Switch Image Download Progress (4.2(5))
- New in ACI 4.2(5): download progress (switches need to be on 14.2(5) for this functionality).
- All switches in the update group (regardless of pod or vPC) download the switch image from the APICs in parallel. During this period, the Upgrade Progress remains at 0%. With the new Download Progress bar, users can see whether switches have finished the download and are ready to upgrade.
- If the upgrade was triggered with a scheduler, all switches wait after they complete their download. If it was triggered with "Upgrade Now", each switch proceeds with the upgrade as soon as it has completed its download.
Slide 49: Switch Image Pre-Download (built-in) (5.1(1))
- Pre-download is built in. Installation will not start until you manually trigger the installation after the download has completed.

Slide 50: Switch Image Download Progress (5.1(1))
- Progress of each step (download and install) is shown.

Slide 51: Switch Image Download Progress (APIC 4.2(5), Switch 14.2(4))
- The Download Progress field remains empty: it will not be displayed when switches are older than 14.2(5), even if the APIC is on 4.2(5) or later.

Slide 52: Upgrade multiple pods/switches in parallel (old behaviour)
When the actual upgrade starts, the APICs allow each switch to upgrade based on the following rules:
- One pod at a time (14.2(5) has an update).
- When triggered with "Upgrade Now", 20 switches at a time (14.2(5) has an update).
- When the leaf nodes of a vPC pair are in the same group, only one of the pair at a time.

Slide 53: Unlimited Parallel Upgrade (4.2(5))
- All pods at once: from APIC 14.2(5) or later, any switches in any pods can be upgraded in parallel.
- "Upgrade Now" is no longer limited to 20 switches at a time.

Agenda
- Upgrade Architecture: ACI Firmware Upgrade Types; Upgrade Architecture: APIC; Upgrade Architecture: Switches; (Bonus) Upgrade Enhancements
- Best Practices: Best Practices Workflow Review; Best Practices Configurations; "Pre-Upgrade Validation" Review and Execution; "Dos and Don'ts"
Slide 55: Recommended Guides
- Cisco ACI Upgrade Checklist (important starting point): https:/
- Detailed Upgrade Guide (the basis for this presentation): https:/

Slide 56: ACI Firmware Upgrade Best Practice Checklist
1. Determine the desired software and check the support matrix.
2. Review the upgrade architecture and "dos and don'ts".
3. Discover and clear any issues raised by "pre-upgrade validations".
4. Review and implement best practice configurations.

Slide 57: ACI Software Life Cycle
- Cisco Recommended Software Releases: https:/
- Cisco ACI Release Notes: https:/
- Cisco ACI Upgrade/Downgrade Support Matrix: https:/
- Check if a multi-step upgrade is required.

Slide 58: ACI Upgrade Overview
- Review the ACI Upgrade/Downgrade Guide! https:/

Slide 59: New Release Cadence
Key objectives:
- Predictable software release cadence; reach maintenance mode quickly.
- No short-lived and long-lived release tags.
- The fourth release is a maintenance release (MR), the target for the golden star.
- Three feature releases from the FCS date, including the FCS release.
- The hardware lifecycle is defined by multiple releases and is not tied to a single release.
- Total release lifecycle of four years.
[Figure: release timeline for 6.0.1, 6.1.1 and 7.0.1 from Day 0 through Y6. Legend: development cycle, maintenance cycle, extended support with PSIRT fixes, TAC support; phases labelled 15 months, 12 months and 6 months.]

Slide 60: ACI Firmware Upgrade Best Practice Checklist (repeated; the same four steps as slide 56)

CIMC Compatibility

Slide 62: CIMC Version Compatibility
- https:/
- Option 1: Support Matrix. Option 2: APIC Release Note.

Back Up Configuration

Slide 64: Back Up Configuration with AES File Encryption
- ACI v4.0.1 and later location: System > System Settings > Global AES Passphrase Encryption Settings.
- Pre ACI v4.0.1 setting location: Admin > AAA > AES Encryption Passphrase and Keys for Config Export (and Import).
- Setting Global AES Encryption allows all the secure properties of the configuration (like credentials) to be successfully imported when restoring the fabric.
- The AES passphrase that generates the encryption keys cannot be recovered or read by an ACI administrator or any other user. The AES passphrase is not stored. Copy your passphrase somewhere safe!
- Set up automatic backups on a scheduler to maintain a consistent and up-to-date backup at all times. Always export
it to a remote location.
- In case of an upgrade failure, the AES backup can be used to recover the system non-disruptively as the worst-case scenario.
- Technote for Import/Export: https:/

Upgrade Groups

Slide 66: ACI Firmware Upgrade Best Practice 101
- ACI is a solution to manage multiple switches as if they were one huge switch. Consider the fabric as one modular switch: APIC = Supervisor, Spine = Fabric Card, Leaf = Line Card.
- The APIC (i.e. the SUP of the fabric) can be upgraded non-disruptively.
- Each switch (i.e. a module of the fabric) can intelligently choose appropriate switch nodes for non-disruptive traffic flow.
- Always keep hardware redundancy to achieve zero-to-minimum traffic disruption: 1. Upgrade the Green switch groups. 2. Upgrade the Blue switch groups.

Slide 67: Switch Upgrade Advanced Options
Upgrade Group: Name, Node ID List, Target Firmware Version, Scheduler. Advanced Options: Ignore Compatibility Check, Graceful option, Run Mode.
- Ignore Compatibility Check (default: disabled): enable only in a lab where you would like to ignore the supported upgrade path.
- Graceful option (default: disabled): only used when sub-100 ms routing protocol convergence is required. Never enable this when hardware redundancy is not ensured (single spine/leaf pod).
- Run Mode (default = 5.1: don't pause upon upgrade failure). By default, the APIC scheduler will stop putting new switches into the queue if a) the APIC cluster is not fully fit, or b) the upgrade of previous switches in the same upgrade group failed. Example: you have 20 leafs in a group. If 1 fails, it will pause all remaining switches that are still queued; if the other 19 leafs have already started the upgrade procedure, those will not be paused.
- Rule of thumb: change the defaults only when you must.
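The Green/Blue rule above (one leaf of every vPC pair and at least one spine of every pod stays up while the other half is upgraded) can be checked mechanically before an upgrade group is created. The Python below is an added example written for this summary of the deck; it is not Cisco code and not the validation script. Its inventory (node IDs, pods and vPC pairings) is constructed, and the group names "green" and "blue" follow the slide. It splits the inventory into two groups under those rules, then validates any grouping against them and flags pods where redundancy cannot be kept, which is the case in which the deck says the graceful option must stay disabled.

```python
"""Plan and validate Green/Blue switch upgrade groups that keep hardware redundancy.

Added example for the deck's Best Practice 101; not Cisco code. The inventory
is constructed: node IDs, pods and vPC pairings are hypothetical.
"""
from collections import defaultdict

# Constructed sample inventory: id, role, pod, vPC peer (None when not in a vPC).
INVENTORY = [
    {"id": 101, "role": "leaf", "pod": 1, "vpc_peer": 102},
    {"id": 102, "role": "leaf", "pod": 1, "vpc_peer": 101},
    {"id": 103, "role": "leaf", "pod": 1, "vpc_peer": 104},
    {"id": 104, "role": "leaf", "pod": 1, "vpc_peer": 103},
    {"id": 105, "role": "leaf", "pod": 1, "vpc_peer": None},
    {"id": 201, "role": "spine", "pod": 1, "vpc_peer": None},
    {"id": 202, "role": "spine", "pod": 1, "vpc_peer": None},
    {"id": 1101, "role": "leaf", "pod": 2, "vpc_peer": 1102},
    {"id": 1102, "role": "leaf", "pod": 2, "vpc_peer": 1101},
    {"id": 1201, "role": "spine", "pod": 2, "vpc_peer": None},  # the only spine in pod 2
]


def plan_upgrade_groups(inventory):
    """Split nodes into 'green' and 'blue' so that vPC peers land in opposite
    groups and the spines (and standalone leafs) of each pod alternate between them."""
    groups = {"green": [], "blue": []}
    assigned = {}
    toggle = defaultdict(int)  # per (pod, role) alternation counter
    for node in sorted(inventory, key=lambda n: n["id"]):
        nid = node["id"]
        if nid in assigned:
            continue  # already placed as somebody's vPC peer
        key = (node["pod"], node["role"])
        group = "green" if toggle[key] % 2 == 0 else "blue"
        toggle[key] += 1
        assigned[nid] = group
        groups[group].append(nid)
        peer = node["vpc_peer"]
        if peer is not None and peer not in assigned:
            other = "blue" if group == "green" else "green"
            assigned[peer] = other
            groups[other].append(peer)
    return groups


def validate_groups(inventory, groups):
    """Return human-readable findings; an empty list means the plan keeps
    one leaf of every vPC pair and one spine of every pod up at all times."""
    by_id = {n["id"]: n for n in inventory}
    spines_per_pod = defaultdict(set)
    for n in inventory:
        if n["role"] == "spine":
            spines_per_pod[n["pod"]].add(n["id"])
    findings = []
    # No grouping can protect a pod with a single spine: the deck says never
    # enable the graceful option when hardware redundancy is not ensured.
    for pod, spines in sorted(spines_per_pod.items()):
        if len(spines) == 1:
            findings.append(
                f"pod {pod} has a single spine ({min(spines)}): hardware redundancy "
                "cannot be kept, do not enable the graceful option")
    for name, members in groups.items():
        member_set = set(members)
        for nid in sorted(members):
            peer = by_id[nid]["vpc_peer"]
            if peer is not None and peer in member_set and nid < peer:
                findings.append(f"{name}: vPC pair {nid}/{peer} would go down together")
        for pod, spines in sorted(spines_per_pod.items()):
            if len(spines) > 1 and spines <= member_set:
                findings.append(f"{name}: all spines of pod {pod} would go down together")
    return findings


if __name__ == "__main__":
    plan = plan_upgrade_groups(INVENTORY)
    for name, members in plan.items():
        print(f"{name}: {members}")
    for finding in validate_groups(INVENTORY, plan) or ["no findings"]:
        print(finding)
```

For the constructed inventory the planner returns one finding, for pod 2, because a single spine can never be upgraded without losing the pod's spine redundancy; a grouping that puts both members of a vPC pair or both spines of pod 1 into the same group is reported as such.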
IS-IS Metric Policy for Multi-Pod and Multi-Site

Slide 69: Helpful Tips for Multi-Pod/Multi-Site: ISIS Metric Policy Configuration
[Figure: Node Upgrade Group 1 (in hold down), ISIS overload in process, connected to the IPN.]
- The default fabric-wide IS-IS metric is set at 63 (the max value).
- During the upgrade, spines set the overload mode while the policy is being downloaded. If the fabric-wide value is already at the max, the overload functionality is ineffective.
- This can create an unexpected traffic interruption if a leaf sends traffic to a spine which is not fully upgraded.
- Settings: ISIS Policy (default config).

Slide 70: Helpful Tips for Multi-Pod/Multi-Site: ISIS Metric Policy Configuration
- By lowering the value, remote pod TEP routes will be preferred through the remaining spines in each pod.
- Once the overload is completed, the spine which was upgraded will advertise these routes using the configured metric. This results in ECMP between all spines after the upgrade has completed.
- Set this value to: (ISIS Policy; the value is shown in the slide's screenshot and did not survive in the source text).

Slide 71: Helpful Tips for Multi-Pod/Multi-Site: Verify Spines are Exchanging Routes to the IPN after upgrade
- Figure: the remaining
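The metric argument on the two slides above can be reproduced with a small model. The Python below is an added example, not ACI code: it assumes a leaf load-balances (ECMP) across every spine tied at the lowest advertised metric for a remote pod's TEP routes, that a spine in ISIS overload advertises with the maximum metric of 63 (the value the deck cites as both the default and the maximum), and that Node Upgrade Group 1 holds spines 1 and 4 as in the slide's figure. The lowered value 32 is hypothetical, since the deck's recommended value is not in the source text.

```python
"""Model of why the fabric-wide IS-IS metric must not be left at the maximum.

Added example, not ACI code. A leaf load-balances (ECMP) across the spines
that advertise a remote pod's TEP routes with the lowest metric. A spine in
ISIS overload mode advertises with the maximum metric, so it should lose every
tie; when the configured fabric-wide metric is itself the maximum, the overload
advertisement is indistinguishable from a normal one.
"""

ISIS_MAX_METRIC = 63  # the deck's default fabric-wide value, which is also the maximum


def advertised_metric(configured_metric, in_overload):
    """Metric a spine advertises for remote pod TEP routes."""
    return ISIS_MAX_METRIC if in_overload else configured_metric


def ecmp_spines(configured_metric, all_spines, overload_spines):
    """Spines a leaf will use: every spine tied at the lowest advertised metric."""
    metrics = {s: advertised_metric(configured_metric, s in overload_spines)
               for s in all_spines}
    best = min(metrics.values())
    return sorted(s for s, m in metrics.items() if m == best)


def not_ready_spines_in_path(configured_metric, all_spines, overload_spines):
    """Spines still in overload (not fully upgraded) that a leaf would still send
    traffic to: the unexpected interruption the deck warns about."""
    return [s for s in ecmp_spines(configured_metric, all_spines, overload_spines)
            if s in overload_spines]


def simulate_group_upgrade(configured_metric, all_spines, upgrade_group):
    """Next-hop sets while the group's spines are in overload and after it ends."""
    return {
        "during_overload": ecmp_spines(configured_metric, all_spines, set(upgrade_group)),
        "after_overload": ecmp_spines(configured_metric, all_spines, set()),
    }


if __name__ == "__main__":
    spines = ["spine1", "spine2", "spine3", "spine4"]
    group1 = ["spine1", "spine4"]          # Node Upgrade Group 1 from the deck's figure
    for metric in (ISIS_MAX_METRIC, 32):   # 32 is a hypothetical lowered value
        result = simulate_group_upgrade(metric, spines, group1)
        print(f"metric {metric}: {result}, not ready in path: "
              f"{not_ready_spines_in_path(metric, spines, set(group1))}")
```

With the metric at 63 the overloaded spines tie with the healthy ones and stay in the leaf's ECMP set; with a lower configured metric they drop out until overload ends, after which all four spines are used again, which is the ECMP outcome slide 70 describes.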
spines sending pod TEP routes to the IPN. Node Upgrade Group 1 (rebooting): Spine 1 and 4. Node Upgrade Group 2: Spine 2 and 3.
- When Node Upgrade Group 1 finishes, the spines may show as "completed" in the upgrade UI, but the routes towards the IPN/ISN may still be in the hold-down period (up to 10 min).
- Before starting Spine Node Upgrade Group 2, verify that the TEP routes of the pods/sites are being sent to and received from the newly upgraded spines in Group 1.

Slide 72: Helpful Tips for Multi-Pod/Multi-Site: Verify Spines are Exchanging Routes to the IPN after upgrade (figure only)

Slide 73: ACI Firmware Upgrade Best Practice Checklist (repeated; the same four steps as slide 56)

Slide 74: Faults, and the Impact on Upgrades
- Faults may be raised while the fabric is functioning normally. After an upgrade, the previously working config can be changed to the "faulted" config.
- Faults can be raised if there is an overlap or an invalid config. After an upgrade the switch requests its configuration "fresh" from the APIC; this is the "stateless" behavior of ACI. If the logical config (APIC) has conflicts, the "faulted" config can get pushed before the previously working config.
- Examples: L2 port config (F0467 port-configured-as-l3); L3 port config (F0467 port-configured-as-l2); config on an APIC-connected
103、 Port(F0467 port-configured-for-apic)etc.BRKDCN-291074 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLive75Pre-Upgrade ValidationBRKDCN-2910APIC 3.2,4.0,4.1APIC 3.2,4.0,4.1APIC 4.2(1)APIC 4.2(1)4.2(3)4.2(3)Prior to 4.2,the APIC upgrade simply warned about the number of all c
104、ritical and major faultsOn 4.2(1)4.2(3),the APIC upgrade warned aboutconfig related critical faultssome specific faults that are known to cause issues during upgrades.On 4.2(4),the APIC upgrade warns about config related critical faultssome specific faults that are known to cause issues during upgra
105、desA few nonoptimal configurations that may disrupt traffic during the upgrade.Additional validation items are being added on each release.APIC 4.2(4)APIC 4.2(4)3.2 3.2-continuingcontinuing 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLivePre-Upgrade Validation(AppCenter Ap
106、p)https:/ goal of the appTo be able to apply the latest validations on older APIC versions via AppCenter appWhat happens if Cisco adds additional checks?BRKDCN-291076 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveFuture*Pre-Upgrade Validation(AppCenter App)PrePre-Upgrade
107、 Validation UpdatesUpgrade Validation UpdatesCisco Cisco IntersightIntersight:Can be directly from Internet(Intersight)orHTTP/LocalHTTP/Local:Download only the validations from to your local server/laptop,then to your APICs(Air-Gapped)App Supported on 5.2.Pre-Packaged in 6.0(2)*BRKDCN-291077*Update
108、capability will be coming soonWhat if Im on 4.2?What if apps are not allowed?What if Im on 4.2?What if apps are not allowed?2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLivePre-Upgrade Validation Scripthttps:/ the script may be a better choice?:Supports older versionsGithub
109、 script is updated more frequentlyWith Github account,you can submit issues or features directlyThe goal of the scriptTo be able to apply the latest validations on any APIC versions via a scriptBRKDCN-291078Both app and script are fully supported by TACBoth app and script are fully supported by TAC
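The F0467 port-configuration faults described above are one of the things the validation script checks before an upgrade. The following is an added example, not code from the session or from Cisco's script, of how such a check can be run over an APIC faultInst query: filter F0467 faults by the cause named in their description, pull the Pod/Node/Tenant/AP/EPG/Port columns out of the fault dn, and report PASS or FAIL. The sample response is constructed, and the dn layout, the REST query in the comment and the remediation wording for the L2 and APIC-port causes are assumptions of this example.

```python
import json
import re

# Layout of the fault delegate dn as this example assumes it (constructed to
# yield the Pod/Node/Tenant/AP/EPG/Port columns shown in the script output).
_DN_RE = re.compile(
    r"^topology/pod-(?P<pod>\d+)/node-(?P<node>\d+)/.*?"
    r"fv-\[uni/tn-(?P<tenant>[^/\]]+)/ap-(?P<ap>[^/\]]+)/epg-(?P<epg>[^/\]]+)\]"
    r"/node-\d+/(?:st|dy)pathatt-\[(?P<port>[^\]]+)\]"
)

# Remediation text per cause: only the L3 wording is from the slide, the rest is assumed.
ACTIONS = {
    "port-configured-as-l3": "Resolve the conflict by removing this config or other configs using this port as L3",
    "port-configured-as-l2": "Resolve the conflict by removing this config or other configs using this port as L2",
    "port-configured-for-apic": "Remove the EPG config from the port facing an APIC",
}

def _fault(pod, node, tenant, ap, epg, port, cause):
    """Build one constructed faultInst record in the APIC REST (imdata) shape."""
    dn = (f"topology/pod-{pod}/node-{node}/local/svc-policyelem-id-0/uni/epp/"
          f"fv-[uni/tn-{tenant}/ap-{ap}/epg-{epg}]/node-{node}/stpathatt-[{port}]/nwissues/fault-F0467")
    return {"faultInst": {"attributes": {"code": "F0467", "severity": "major", "dn": dn,
            "descr": f"Configuration failed for {epg} node {node} {port}, debug message: {cause}: ..."}}}

# Constructed sample, as if returned by (assumed query)
# GET /api/class/faultInst.json?query-target-filter=eq(faultInst.code,"F0467")
SAMPLE_RESPONSE = json.dumps({"totalCount": "3", "imdata": [
    _fault(1, 101, "jrap1", "ap1", "epg1", "eth1/6", "port-configured-as-l3"),
    _fault(1, 102, "jrap1", "ap1", "epg2", "eth1/10", "port-configured-for-apic"),
    _fault(2, 201, "prod", "web", "front", "eth1/3", "invalid-vlan"),  # other F0467 cause, ignored here
]})

def port_config_conflicts(raw_json, cause):
    """Return one row per F0467 fault whose description names `cause`."""
    rows = []
    for item in json.loads(raw_json)["imdata"]:
        attr = item.get("faultInst", {}).get("attributes", {})
        if attr.get("code") != "F0467" or cause not in attr.get("descr", ""):
            continue
        m = _DN_RE.match(attr.get("dn", ""))
        if not m:
            continue  # unexpected dn layout: skip rather than misreport the location
        rows.append({**m.groupdict(), "fault": "F0467",
                     "action": ACTIONS.get(cause, "See the ACI upgrade guide")})
    return rows

def verdict(rows):
    """Same severity label the validation script uses for this check."""
    return "FAIL - OUTAGE WARNING!!" if rows else "PASS"

if __name__ == "__main__":
    for cause in ACTIONS:
        rows = port_config_conflicts(SAMPLE_RESPONSE, cause)
        print(f"{cause}: {verdict(rows)}")
        for r in rows:
            print(f"  {r['fault']} pod-{r['pod']} node-{r['node']} {r['tenant']} {r['ap']} {r['epg']} {r['port']}  {r['action']}")
```

Against a live fabric the same functions would take the JSON body of the faultInst query in place of SAMPLE_RESPONSE; any row returned is a conflict to resolve and re-check before the upgrade window.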
Pre-Upgrade Validation Script (Preferred)
admin@apic1:techsupport> python aci-preupgrade-validation-script.py
==== 2021-11-16T08-45-58-0500 ====
Enter username for APIC login : admin
Enter password for corresponding User :
Checking current APIC version (switch nodes are assumed to be on the same version)... 3.2(10e)
Gathering APIC Versions from Firmware Repository...
1: aci-apic-dk9.4.2.7f.bin
What is the Target Version? : 1
You have chosen version "aci-apic-dk9.4.2.7f.bin"
Check 1/37 APIC Target version image and MD5 hash... Checking fab3-apic1... DONE    PASS
Check 2/37 Target version compatibility...    PASS
Check 3/37 Gen 1 switch compatibility...    PASS
...
Check 19/37 L2 Port Config (F0467 port-configured-as-l3)...    FAIL - OUTAGE WARNING!!
  Fault  Pod    Node      Tenant  AP  EPG   Port    Recommended Action
  -----  ---    ----      ------  --  ---   ----    ------------------
  F0467  pod-1  node-101  jrap1       epg1  eth1/6  Resolve the conflict by removing this config or other configs using this port as L3
Annotations on the slide:
User Enters Credentials: checks that require login leverage this input.
User Selects Target Version: checks that require the target version leverage this input.
Failure Details are Provided: the issue should be corrected (re-run the script to validate) before performing the upgrade.
BRKDCN-2910 79

Pre-Upgrade Validation Script (Preferred), continued
Check 32/37 BGP Peer Profile at node level without Loopback...    PASS
Check 33/37 L3Out Route Map import/export direction...    PASS
Check 34/37 Intersight Device Connector upgrade status... Connector reporting InternalServerError, Non-Upgrade issue    PASS
Check 35/37 EP Announce Compatibility...    PASS
Check 36/37 Eventmgr DB size defect susceptibility...    PASS
Check 37/37 Contract Port 22 Defect Check...    PASS
==== Summary Result ====
PASS                     : 28
FAIL - OUTAGE WARNING!!  : 4
FAIL - UPGRADE FAILURE!! : 2
MANUAL CHECK REQUIRED    : 1
N/A                      : 2
ERROR!!                  : 0
TOTAL                    : 37
Pre-Upgrade Check Complete.
Next Steps: Address all checks flagged as FAIL, ERROR or MANUAL CHECK REQUIRED
Result output and debug info saved to below bundle for later reference.
Attach this bundle to Cisco TAC SRs opened to address the flagged checks.
Result Bundle: /data/techsupport/Scripts/pre-upgrade/preupgrade_validator_2021-11-16T08-45-58-0500.tgz
Annotations on the slide:
Summary is Provided: all "FAIL" categories need remediation. Detailed recommendations to remediate are in the Upgrade Guide!
Log Bundle is Created: upload this to any TAC case if necessary.
BRKDCN-2910 80

Nexus Dashboard Insights (Optional)
Pre-update verifications and alerting.
Detailed list of bugs addressed in the upgrade.
Post-upgrade delta analysis of anomalies, edits and operations changes in the upgrade process.
Benefit of Nexus Insights: it does both a pre-check and a post-check to alert on effects and changes in the upgrade window.
BRKDCN-2910 81

ACI Firmware Upgrade Best Practice Checklist
Determine Desired Software and Check Support Matrix
Review Upgrade Architecture and "Dos and Don'ts"
Review and Implement Best Practice Configurations
Discover and Clear any issues raised from "pre-upgrade validations"
BRKDCN-2910 82

Dos and Don'ts
If at any point in time you believe the upgrade/downgrade has either stalled or failed, follow the guidelines below:
Do: View the APIC Faults and Installer Logs.
Do: Collect the Tech Support Files.
Do: Contact Cisco TAC if Needed.
admin@apic1:logs> pwd
/firmware/logs
admin@apic1:logs> ls -l
2021-04-15T07:42:57-50  2021-05-28T10:18:33-50
admin@apic1:logs> ls -l ./2021-05-28T10:18:33-50
atom_installer.log  insieme_4x_installer.log
leaf101# pwd
/mnt/pss
leaf102# ls installer_detail.log
installer_detail.log
admin@apic1:techsupport local
BRKDCN-2910 83

Dos and Don'ts
If at any point in time you believe the upgrade/downgrade has either stalled or failed, it is critical that you do not take any of the actions listed below:
Don't: reload any APIC in the cluster manually.
Don't: decommission any APIC in the cluster.
Don't: change the firmware target version back to the original version (Version X -> Version Y, then back to Version X).
BRKDCN-2910 84

Final Tip
When in Doubt, Contact Cisco Support.
You've read the "Dos and Don'ts".
With Proper Backups, Recovery is Always an Option.
BRKDCN-2910 85

Key points to remember
Always make sure you are performing a supported upgrade.
Best Practice Configuration and Backups are Critical to Success.
ACI Pre-Upgrade Validations will prevent known issues from impacting the upgrade.
Never perform a disruptive procedure during an upgrade without help from Cisco.
BRKDCN-2910 87

Reference
Cisco APIC Installation and ACI Upgrade and Downgrade Guide: https:/
ACI Upgrade Checklist: https:/
APIC Release Notes: https:/
Release Notes for Cisco Nexus 9000 Series Switches in ACI Mode: https:/
Getting Started Guide (NX-OS to ACI POAP Auto-conversion): https:/
ACI Upgrade Matrix: https:/
Pre-Upgrade Validation Script: https:/