From 3cdc574555792103526e4da1c1e0d39c4d57a686 Mon Sep 17 00:00:00 2001 From: Administrator Date: Thu, 23 Apr 2026 13:30:46 +0000 Subject: [PATCH] docs: update Periphery/Work/Nexus-upgrade --- Periphery/Work/Nexus-upgrade.md | 284 ++++++++++++++++++++++++-------- 1 file changed, 213 insertions(+), 71 deletions(-) diff --git a/Periphery/Work/Nexus-upgrade.md b/Periphery/Work/Nexus-upgrade.md index fe286d4..b960313 100644 --- a/Periphery/Work/Nexus-upgrade.md +++ b/Periphery/Work/Nexus-upgrade.md 
@@ -2,164 +2,306 @@ title: Nexus Upgrade description: published: true -date: 2026-02-19T20:37:41.384Z +date: 2026-04-23T13:30:40.419Z tags: editor: markdown -dateCreated: 2026-02-19T20:37:32.957Z +dateCreated: 2026-04-12T21:16:47.704Z --- -# Cisco Nexus C9300GX-CD — NX-OS Upgrade Guide +# Cisco ESS9300 — IOS XE Software Upgrade Guide + +--- + +## Platform Overview + +The Cisco Embedded Services 9300 (ESS9300) is a ruggedized, embedded-form-factor switch running **Cisco IOS XE**. It shares its software lineage with the Catalyst 9300 family and uses the same IOS XE upgrade methodology. Software image files are stored on the system board flash device (`flash:`). The ESS9300 supports two boot modes: + +- **Install Mode** *(recommended)* — software is expanded into discrete package files; supports rollback and clean uninstall +- **Bundle Mode** — the switch boots directly from a monolithic `.bin` file + +> **Note:** All procedures in this guide use Install Mode. Cisco recommends Install Mode for all IOS XE upgrades on the ESS9300 platform. Verify your current boot mode before proceeding. --- ## 1. Pre-Upgrade Checks -### Verify Current Version and Switch Health +### Verify Current Software Version and Boot Mode + ``` show version +show boot +``` + +Confirm the `BOOT variable` points to `flash:packages.conf` (Install Mode). If it shows a `.bin` filename, you are in Bundle Mode — see the Bundle Mode section at the end of this document before proceeding. + +### Check Switch Health + +``` show module -show environment +show environment all show logging last 100 ``` -### Check Bootflash Space -Ensure at least 2GB of free space is available: +Resolve any hardware faults, environmental alarms, or persistent log errors before proceeding. 
+ +### Check FPGA Version (xFSU Consideration) + +If you intend to use Extended Fast Software Upgrade (xFSU) to minimize downtime, check FPGA eligibility: + ``` -dir bootflash: +show xfsu eligibility ``` -### Save Your Running Configuration +> **Note:** `show xfsu eligibility` is available in IOS XE 17.8 and later. All fields must report `Yes` or `Eligible` for xFSU to proceed. If the FPGA is unsupported, a standard install with reload is required first. + +### Verify Flash Space + +IOS XE images for the ESS9300 platform typically require **1–1.5 GB** of free flash space. Check available space and remove inactive packages if necessary: + +``` +dir flash: +install remove inactive +``` + +### Backup the Running Configuration + ``` copy running-config startup-config -copy running-config bootflash:backup-config.txt +copy running-config flash:backup-config.txt ``` -### Check Upgrade Compatibility -Verify your current and target NX-OS versions are a supported upgrade path using Cisco's [Nexus 9000 Upgrade and ISSU Matrix](https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/). Some versions require intermediate "stepping stone" upgrades. - --- -## 2. Download the NX-OS Image +## 2. Obtain the IOS XE Image -1. Go to [https://software.cisco.com](https://software.cisco.com) and log in (a valid service contract is required). -2. Navigate to **Downloads** → **Switches** → **Data Center Switches** → **Nexus 9000 Series**. -3. Select your target NX-OS release and download the appropriate image (e.g., `nxos64-cs.10.5.4.M.bin`). -4. Note the **MD5 checksum** listed on the download page for later verification. +1. Navigate to [https://software.cisco.com](https://software.cisco.com) and log in. A valid Cisco service contract is required. +2. Go to **Downloads → Switches → Industrial Ethernet Switches → Embedded Services 9300 Series**. +3. Select the target IOS XE release. Download the appropriate `cat9k_iosxe.xx.xx.xx.SPA.bin` image. +4. 
Record the **MD5 checksum** from the download page for later verification. + +> **Upgrade Path:** Confirm that your current IOS XE release and the target release form a supported direct upgrade path. Certain version combinations require an intermediate stepping-stone upgrade. Review the target release notes and the IOS XE Migration Guide for IIoT Switches before proceeding. --- ## 3. Transfer the Image to the Switch -### Option A: Using Windows OpenSSH Server (SCP) +### Option A — SCP from Windows PC (OpenSSH) -#### Verify OpenSSH Server is Running on Windows +Verify the OpenSSH Server service is running on your PC: -Open PowerShell or Command Prompt and run: ``` net start sshd ``` -Or in PowerShell: -```powershell -Start-Service sshd + +From the switch CLI, pull the image from the Windows PC: + +``` +copy scp://YourUsername@/C:/path/to/.bin flash: vrf management ``` -Confirm the firewall rule exists for port 22: +> **Tip:** Place the image in a short, space-free path such as `C:\ios\` to avoid syntax errors. + +#### Accelerating SCP Transfers (IOS XE 17.2(1) and later) + +By default, SCP transfers on IOS XE are processed through the user-space management stack, which is subject to control-plane rate limiting and can result in severely throttled throughput on large image files. Enabling SSH bulk mode moves the transfer into the kernel network stack, bypassing this restriction: + ``` -netsh advfirewall firewall show rule name="OpenSSH Server (sshd)" +configure terminal + ip ssh bulk-mode +end ``` -Find your PC's IP address: +This can be left enabled permanently. Transfers typically run 4–5x faster than the default. 
To disable after the upgrade: + ``` -ipconfig +configure terminal + no ip ssh bulk-mode +end ``` -#### Enable SCP Server on the Switch +### Option B — TFTP + +From the switch CLI: + ``` -feature scp-server +copy tftp:///.bin flash: vrf management ``` -#### Pull the File from the Switch CLI -From the switch, use the `copy` command to pull the file from your Windows PC: +### Option C — USB Drive + +Format a USB drive as FAT32 and copy the image to the root. Insert into the switch USB port, then from the CLI: + ``` - copy scp://Phil@192.168.0.3/C:/Users/Phil.SIL-PC49/Desktop/9300GX/nxos64-cs.10.5.4.M.bin bootflash: vrf management +copy usbflash0:.bin flash: ``` -> **Tip:** If the path is long or contains spaces, move the file to a simple location like `C:\nxos\` first: -> ``` -> copy scp://YourUsername@192.168.0.x/C:/nxos/nxos64-cs.10.5.4.M.bin bootflash: vrf management -> ``` +Verify the USB is recognized: - ---- - -## 4. Verify the Image - -Confirm the file is on bootflash: ``` -dir bootflash: -``` - -Verify the MD5 checksum matches what Cisco published: -``` -show file bootflash:nxos64-cs.10.5.4.M.bin md5sum +dir usbflash0: ``` --- -## 5. Pre-Install Compatibility Check +## 4. Verify the Image Integrity + +Confirm the image is present on flash: -Run the incompatibility check before upgrading to identify any configuration or feature conflicts: ``` -show incompatibility-all nxos bootflash:nxos64-cs.10.5.4.M.bin +dir flash: ``` -Review the output carefully and resolve any flagged issues before proceeding. +Verify the MD5 checksum against the value from the Cisco download page: + +``` +verify /md5 flash:.bin +``` + +Do not proceed if the checksum does not match — re-transfer the image. --- -## 6. Perform the Upgrade +## 5. Set the Boot Variable (Install Mode) + +Ensure the boot variable is correctly configured before proceeding: -### Disruptive Upgrade (Recommended — Requires Maintenance Window) -The switch will reload. 
This is the simplest and most reliable method: ``` -install all nxos bootflash:nxos64-cs.10.5.4.M.bin +configure terminal + no boot system + boot system flash:packages.conf +end +write memory ``` -### Non-Disruptive ISSU (In-Service Software Upgrade) -Data plane stays up; control plane resets (~120 seconds). Must confirm version compatibility first: +Verify: + ``` -install all nxos bootflash:nxos64-cs.10.5.4.M.bin non-disruptive +show boot ``` -> The `install all` command performs a final compatibility check and prompts for confirmation before making any changes. +The `BOOT variable` line must read `flash:packages.conf`. + +--- + +## 6. Install and Activate the New Image + +### Standard Install (Requires Reload) + +Run the following command to stage, activate, and commit the new image. The switch will prompt for a reload — respond `y` to confirm: + +``` +install add file flash:.bin activate commit +``` + +The process will: +1. Expand the `.bin` into package files on flash +2. Activate the new packages +3. Prompt for a reload +4. Commit the new version as the running baseline on first successful boot + +> **Important:** Do not interrupt the process or remove power during installation or reload. The entire operation typically completes within 10–15 minutes. + +### Extended Fast Software Upgrade — xFSU (Reduced Downtime, IOS XE 17.8+) + +If the switch passed the `show xfsu eligibility` check, xFSU can be used to minimize traffic downtime during the upgrade: + +``` +install add file flash:.bin activate xfsu commit +``` + +> xFSU keeps the data plane forwarding during the control plane reload. Residual traffic loss is typically under 3 minutes. xFSU is not equivalent to ISSU — a brief reload still occurs. + +For IOS XE 17.3 and 17.6 (pre-17.8 syntax): + +``` +install add file flash:.bin activate reloadfast commit +``` --- ## 7. 
Post-Upgrade Verification +After the switch reloads, confirm the upgrade was successful: + ``` show version +show boot show module -show environment +show environment all show interface status +show logging last 50 ``` -Confirm the new NX-OS version is running and all modules/interfaces are healthy. +Confirm that: +- The IOS XE version matches the target release +- `BOOT variable` still shows `flash:packages.conf` +- All modules, interfaces, and environmental readings are normal +- No new faults or errors appear in the system log --- -## 8. Clean Up Old Images (Optional) +## 8. Clean Up Old Installation Files + +Once the upgrade is confirmed stable, remove inactive packages to reclaim flash space: -Once you have confirmed a successful upgrade, remove the old image to free bootflash space: ``` -delete bootflash:nxos64-cs..bin +install remove inactive +``` + +Confirm when prompted. + +--- + +## Bundle Mode Upgrade (Alternative) + +If the switch is currently running in Bundle Mode (boots from a `.bin` file), use the following procedure instead of the Install Mode steps above: + +``` +configure terminal + no boot system + boot system flash:.bin +end +write memory +reload +``` + +After reloading, verify with `show version`. Bundle Mode does not support rollback. Cisco recommends transitioning to Install Mode going forward by setting the boot variable to `flash:packages.conf` and running `install add file flash:.bin activate commit`. + +--- + +## ROMMON Upgrade (If Required) + +On the first boot of a new IOS XE release, the primary SPI flash ROMMON is upgraded automatically if a newer bootloader version is included in the release. This is expected behavior. + +The golden SPI flash ROMMON requires a manual upgrade and is only necessary in specific recovery scenarios: + +``` +upgrade rom-monitor capsule golden switch active +``` + +The golden ROMMON update takes effect on the next reload. 
Refer to the release notes to determine whether a ROMMON upgrade is applicable to your target release. + +--- + +## Emergency Recovery + +If the switch fails to boot or is stuck at the ROMMON prompt, use the following recovery procedure: + +1. Connect a terminal to the console port (RJ-45 or USB-mini, 9600 baud / 8N1). +2. Connect port **Gi1/3** to a PC running a TFTP server with a valid IOS XE image at the TFTP root. +3. If the switch is in a boot loop, hold the front-panel button for approximately 5 seconds to break the cycle and stop at the `switch:` prompt. +4. From the ROMMON prompt, configure network parameters and boot the recovery image: + +``` +switch: boot emgy0:.SPA.bin ``` --- -## Key Tips +## Key Reminders -- Always schedule upgrades during a **maintenance window**, even for ISSU, as the C9300GX has a single supervisor. -- In a **vPC pair**, upgrade the **secondary switch first**, then the primary. -- Never interrupt power during the upgrade process. -- Keep a backup of your configuration before starting. +- Schedule upgrades during a **maintenance window**. The ESS9300 does not have a redundant supervisor — traffic will be interrupted during the reload unless xFSU is used. +- The boot loader (ROMMON) may be automatically upgraded on the first boot of a new IOS XE release. This is normal and does not indicate a failure. +- Smart Licensing Using Policy (SLUP) is enforced in newer IOS XE releases. Licenses remain in evaluation mode until the device is registered with Cisco Smart Software Manager (CSSM) or a satellite server. +- Starting with IOS XE 17.10, legacy SSH key exchange and MAC algorithms were removed from the default cipher list. If SSH access is disrupted post-upgrade, use the `ip ssh server algorithm kex` and `ip ssh server algorithm mac` commands to restore required algorithms. +- If the switch uses an FPGA profile (e.g., for PRP or CTS IPv6), review the FPGA profile behavior in the target release notes. 
Profile configurations may need to be reselected after upgrade before writing to startup-config. \ No newline at end of file
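Review bot: The host and image-name placeholders are empty in every command that needs them, so the procedure cannot be followed as written: `copy tftp:///.bin flash: vrf management` in section 3 Option B, `verify /md5 flash:.bin` in section 4, and `install add file flash:.bin activate commit` in section 6. The same gap appears in the Option A SCP command, the USB copy, the Bundle Mode `boot system` line and the `emgy0:` boot line. The removed `delete bootflash:nxos64-cs..bin` line shows the same pattern, which suggests angle-bracket placeholders are being dropped by the editor or renderer. Use a placeholder form that survives rendering, such as upper-case IMAGE_NAME and SERVER_IP, and define each once at the start of section 3.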
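Review bot: Section 2 step 4 and section 4 make an MD5 comparison the only integrity check on the image, while section 3 Option B moves that image over TFTP, which provides no authentication or encryption. MD5 is not collision-resistant, so a match is good evidence against transfer corruption but weak evidence against deliberate substitution. Suggest recording the strongest checksum the download page publishes and comparing against that where the running release offers a matching verify option, and stating in Option B that the section 4 check is mandatory for that path rather than leaving it implied by section order.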
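Review bot: The `vrf management` suffix on the Option A and Option B copy commands, and `show module` in sections 1 and 7, are unchanged from the removed NX-OS lines, so they need confirming on an ESS9300 running IOS XE before this is published as an IOS XE procedure. The front matter also no longer matches the body: the title is still "Nexus Upgrade" and the path is still Nexus-upgrade.md while the H1 is now the ESS9300 guide, and `dateCreated` has been rewritten from 2026-02-19 to 2026-04-12, which a content update should not change. Because the change deletes the whole C9300GX-CD procedure, a new page for the ESS9300 would keep the Nexus guide available and the history accurate.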
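Review bot: The Key Reminders bullet on IOS XE 17.10 tells the reader to restore legacy key exchange and MAC algorithms with `ip ssh server algorithm kex` and `ip ssh server algorithm mac`, but does not say that this reverses a hardening change or when to undo it. Suggest leading with updating the SSH client, and if the server setting must change, adding back only the single algorithm the client needs and removing it once the client is fixed. In section 3, the bulk-mode text is also self-contradictory: "This can be left enabled permanently" is followed directly by "To disable after the upgrade". Pick one recommendation and give the reason, since the paragraph itself says bulk mode bypasses control-plane rate limiting.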
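Review bot: Emergency Recovery step 4 says to "configure network parameters and boot the recovery image", but the code block that follows contains only `switch: boot emgy0:.SPA.bin`, with no network configuration shown. Step 2 sets up a TFTP server on Gi1/3, while the boot command reads from `emgy0:`, so the text never explains how the image gets from the TFTP root to the device the switch boots from. Add the missing ROMMON commands, or state explicitly which source the boot command uses and drop the step that does not apply. The file also ends without a trailing newline.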