Netgrimoire/Periphery/Work/Nexus-upgrade.md
2026-04-27 15:18:38 +00:00


---
title: Nexus Upgrade
description:
published: true
date: 2026-04-23T13:30:40.419Z
tags:
editor: markdown
dateCreated: 2026-04-12T21:16:47.704Z
---
# Cisco ESS9300 — IOS XE Software Upgrade Guide
---
## Platform Overview
The Cisco Embedded Services 9300 (ESS9300) is a ruggedized, embedded-form-factor switch running **Cisco IOS XE**. It shares its software lineage with the Catalyst 9300 family and uses the same IOS XE upgrade methodology. Software image files are stored on the system board flash device (`flash:`). The ESS9300 supports two boot modes:
- **Install Mode** *(recommended)* — software is expanded into discrete package files; supports rollback and clean uninstall
- **Bundle Mode** — the switch boots directly from a monolithic `.bin` file
> **Note:** All procedures in this guide use Install Mode. Cisco recommends Install Mode for all IOS XE upgrades on the ESS9300 platform. Verify your current boot mode before proceeding.
---
## 1. Pre-Upgrade Checks
### Verify Current Software Version and Boot Mode
```
show version
show boot
```
Confirm the `BOOT variable` points to `flash:packages.conf` (Install Mode). If it shows a `.bin` filename, you are in Bundle Mode — see the Bundle Mode section at the end of this document before proceeding.
### Check Switch Health
```
show module
show environment all
show logging last 100
```
Resolve any hardware faults, environmental alarms, or persistent log errors before proceeding.
### Check FPGA Version (xFSU Consideration)
If you intend to use Extended Fast Software Upgrade (xFSU) to minimize downtime, check FPGA eligibility:
```
show xfsu eligibility
```
> **Note:** `show xfsu eligibility` is available in IOS XE 17.8 and later. All fields must report `Yes` or `Eligible` for xFSU to proceed. If the FPGA is unsupported, a standard install with reload is required first.
### Verify Flash Space
IOS XE images for the ESS9300 platform typically require **11.5 GB** of free flash space. Check available space and remove inactive packages if necessary:
```
dir flash:
install remove inactive
```
### Backup the Running Configuration
```
copy running-config startup-config
copy running-config flash:backup-config.txt
```
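The boot-mode and flash-space checks above can be gated in a script run over captured CLI output before the change window. This is an added example, not part of the original guide or any Cisco tooling; the sample captures are constructed, their layout is assumed from typical IOS XE output, and the space threshold is supplied by the caller.

```python
import re

# Constructed sample captures (layout assumed from typical IOS XE output).
SAMPLE_SHOW_BOOT = """Current Boot Variables:
BOOT variable = flash:packages.conf;

Boot Variables on next reload:
BOOT variable = flash:packages.conf;
Manual Boot = no
"""
SAMPLE_DIR_TAIL = "11353194496 bytes total (8565174272 bytes free)"

BOOT_RE = re.compile(r"^BOOT variable[ \t]*=[ \t]*(?P<value>\S*)", re.MULTILINE)
FREE_RE = re.compile(r"(\d+) bytes total \((?P<free>\d+) bytes free\)")

def boot_mode(show_boot):
    """Return 'install', 'bundle' or 'unknown' from every BOOT variable line."""
    firsts = set()
    for m in BOOT_RE.finditer(show_boot):
        entries = [e for e in m.group("value").split(";") if e]
        if not entries:
            return "unknown"              # BOOT variable is set but empty
        firsts.add(entries[0].lower())    # only the first entry of each line is classified
    if firsts == {"flash:packages.conf"}:
        return "install"
    if firsts and all(f.endswith(".bin") for f in firsts):
        return "bundle"
    return "unknown"                      # missing, or current and next-reload disagree

def free_flash_bytes(dir_flash):
    """Free bytes from the summary line of `dir flash:`, or None if absent."""
    m = FREE_RE.search(dir_flash)
    return int(m.group("free")) if m else None

def preflight(show_boot, dir_flash, required_bytes):
    """Return a list of blocking problems; an empty list means proceed."""
    problems = []
    mode = boot_mode(show_boot)
    if mode != "install":
        problems.append(f"boot mode is {mode}; expected install (flash:packages.conf)")
    free = free_flash_bytes(dir_flash)
    if free is None:
        problems.append("no free-space summary found in dir flash: output")
    elif free < required_bytes:
        problems.append(f"{free} bytes free on flash:; {required_bytes} required")
    return problems

if __name__ == "__main__":
    print(preflight(SAMPLE_SHOW_BOOT, SAMPLE_DIR_TAIL, 2 * 1024**3) or "preflight clean")
```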
---
## 2. Obtain the IOS XE Image
1. Navigate to [https://software.cisco.com](https://software.cisco.com) and log in. A valid Cisco service contract is required.
2. Go to **Downloads → Switches → Industrial Ethernet Switches → Embedded Services 9300 Series**.
3. Select the target IOS XE release. Download the appropriate `cat9k_iosxe.xx.xx.xx.SPA.bin` image.
4. Record the **MD5 checksum** from the download page for later verification.
> **Upgrade Path:** Confirm that your current IOS XE release and the target release form a supported direct upgrade path. Certain version combinations require an intermediate stepping-stone upgrade. Review the target release notes and the IOS XE Migration Guide for IIoT Switches before proceeding.
---
## 3. Transfer the Image to the Switch
### Option A — SCP from Windows PC (OpenSSH)
Verify the OpenSSH Server service is running on your PC:
```
net start sshd
```
From the switch CLI, pull the image from the Windows PC:
```
copy scp://YourUsername@<PC-IP>/C:/path/to/<image>.bin flash: vrf management
```
> **Tip:** Place the image in a short, space-free path such as `C:\ios\` to avoid syntax errors.
#### Accelerating SCP Transfers (IOS XE 17.2(1) and later)
By default, SCP transfers on IOS XE are processed through the user-space management stack, which is subject to control-plane rate limiting and can result in severely throttled throughput on large image files. Enabling SSH bulk mode moves the transfer into the kernel network stack, bypassing this restriction:
```
configure terminal
ip ssh bulk-mode
end
```
This can be left enabled permanently. Transfers typically run 45x faster than the default. To disable after the upgrade:
```
configure terminal
no ip ssh bulk-mode
end
```
### Option B — TFTP
From the switch CLI:
```
copy tftp://<TFTP-Server-IP>/<image>.bin flash: vrf management
```
### Option C — USB Drive
Format a USB drive as FAT32 and copy the image to the root. Insert into the switch USB port, then from the CLI:
```
copy usbflash0:<image>.bin flash:
```
Verify the USB is recognized:
```
dir usbflash0:
```
---
## 4. Verify the Image Integrity
Confirm the image is present on flash:
```
dir flash:
```
Verify the MD5 checksum against the value from the Cisco download page:
```
verify /md5 flash:<image>.bin
```
Do not proceed if the checksum does not match — re-transfer the image.
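The checksum comparison can be done on both ends so a corrupted download is caught before it is ever transferred. The following is an added example, not part of the original guide: it hashes the workstation copy, parses captured `verify /md5` output from the switch, and passes only if both match the recorded value. The result-line layout is assumed from typical IOS XE output, all sample data is constructed, and a SHA-512 digest is also returned for sites that record one.

```python
import hashlib
import hmac
import re

# Result line printed by the switch; layout assumed from typical IOS XE output:
#   verify /md5 (flash:<image>.bin) = <32 hex digits>
VERIFY_RE = re.compile(r"verify /md5 \((?P<path>[^)]+)\)\s*=\s*(?P<md5>[0-9a-fA-F]{32})\b")

def file_digests(path, chunk_size=1 << 20):
    """Hash the image in one streaming pass; returns MD5 and SHA-512 hex digests."""
    md5, sha512 = hashlib.md5(), hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha512.update(chunk)
    return {"md5": md5.hexdigest(), "sha512": sha512.hexdigest()}

def same_digest(expected, actual):
    """Compare hex digests, ignoring case and stray whitespace from copy/paste."""
    return hmac.compare_digest(expected.strip().lower(), actual.strip().lower())

def switch_md5(cli_output, flash_path):
    """Digest reported for flash_path in captured `verify /md5` output, else None."""
    for m in VERIFY_RE.finditer(cli_output):
        if m.group("path") == flash_path:
            return m.group("md5").lower()
    return None   # error text or a different file: treat as not verified

def image_verified(local_image, published_md5, cli_output, flash_path):
    """True only when the workstation copy AND the flash copy match the published MD5."""
    local = file_digests(local_image)["md5"]
    remote = switch_md5(cli_output, flash_path)
    return (same_digest(published_md5, local)
            and remote is not None
            and same_digest(published_md5, remote))

if __name__ == "__main__":
    import tempfile
    payload = b"constructed stand-in for an IOS XE image\n" * 4096
    with tempfile.NamedTemporaryFile(suffix=".bin", delete=False) as tmp:
        tmp.write(payload)
    published = hashlib.md5(payload).hexdigest()   # stands in for the download-page value
    capture = f"......Done!\nverify /md5 (flash:demo.bin) = {published}\n"
    print(image_verified(tmp.name, published, capture, "flash:demo.bin"))
```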

---
## 5. Set the Boot Variable (Install Mode)
Ensure the boot variable is correctly configured before proceeding:
```
configure terminal
no boot system
boot system flash:packages.conf
end
write memory
```
Verify:
```
show boot
```
The `BOOT variable` line must read `flash:packages.conf`.

---
## 6. Install and Activate the New Image
### Standard Install (Requires Reload)
Run the following command to stage, activate, and commit the new image. The switch will prompt for a reload — respond `y` to confirm:
```
install add file flash:<image>.bin activate commit
```
The process will:
1. Expand the `.bin` into package files on flash
2. Activate the new packages
3. Prompt for a reload
4. Commit the new version as the running baseline on first successful boot
> **Important:** Do not interrupt the process or remove power during installation or reload. The entire operation typically completes within 10-15 minutes.
### Extended Fast Software Upgrade — xFSU (Reduced Downtime, IOS XE 17.8+)
If the switch passed the `show xfsu eligibility` check, xFSU can be used to minimize traffic downtime during the upgrade:
```
install add file flash:<image>.bin activate xfsu commit
```
> xFSU keeps the data plane forwarding during the control plane reload. Residual traffic loss is typically under 3 minutes. xFSU is not equivalent to ISSU — a brief reload still occurs.
For IOS XE 17.3 and 17.6 (pre-17.8 syntax):
```
install add file flash:<image>.bin activate reloadfast commit
```
---
## 7. Post-Upgrade Verification
After the switch reloads, confirm the upgrade was successful:
```
show version
show boot
show module
show environment all
show interface status
show logging last 50
```
Confirm that:
- The IOS XE version matches the target release
- `BOOT variable` still shows `flash:packages.conf`
- All modules, interfaces, and environmental readings are normal
- No new faults or errors appear in the system log
---
## 8. Clean Up Old Installation Files
Once the upgrade is confirmed stable, remove inactive packages to reclaim flash space:
```
install remove inactive
```
Confirm when prompted.

---
## Bundle Mode Upgrade (Alternative)
If the switch is currently running in Bundle Mode (boots from a `.bin` file), use the following procedure instead of the Install Mode steps above:
```
configure terminal
no boot system
boot system flash:<new-image>.bin
end
write memory
reload
```
After reloading, verify with `show version`. Bundle Mode does not support rollback. Cisco recommends transitioning to Install Mode going forward by setting the boot variable to `flash:packages.conf` and running `install add file flash:<image>.bin activate commit`.

---
## ROMMON Upgrade (If Required)
On the first boot of a new IOS XE release, the primary SPI flash ROMMON is upgraded automatically if a newer bootloader version is included in the release. This is expected behavior.
The golden SPI flash ROMMON requires a manual upgrade and is only necessary in specific recovery scenarios:
```
upgrade rom-monitor capsule golden switch active
```
The golden ROMMON update takes effect on the next reload. Refer to the release notes to determine whether a ROMMON upgrade is applicable to your target release.

---
## Emergency Recovery
If the switch fails to boot or is stuck at the ROMMON prompt, use the following recovery procedure:
1. Connect a terminal to the console port (RJ-45 or USB-mini, 9600 baud / 8N1).
2. Connect port **Gi1/3** to a PC running a TFTP server with a valid IOS XE image at the TFTP root.
3. If the switch is in a boot loop, hold the front-panel button for approximately 5 seconds to break the cycle and stop at the `switch:` prompt.
4. From the ROMMON prompt, configure network parameters and boot the recovery image:
```
switch: boot emgy0:<image>.SPA.bin
```
---
## Key Reminders
- Schedule upgrades during a **maintenance window**. The ESS9300 does not have a redundant supervisor — traffic will be interrupted during the reload unless xFSU is used.
- The boot loader (ROMMON) may be automatically upgraded on the first boot of a new IOS XE release. This is normal and does not indicate a failure.
- Smart Licensing Using Policy (SLUP) is enforced in newer IOS XE releases. Licenses remain in evaluation mode until the device is registered with Cisco Smart Software Manager (CSSM) or a satellite server.
- Starting with IOS XE 17.10, legacy SSH key exchange and MAC algorithms were removed from the default cipher list. If SSH access is disrupted post-upgrade, use the `ip ssh server algorithm kex` and `ip ssh server algorithm mac` commands to restore required algorithms.
- If the switch uses an FPGA profile (e.g., for PRP or CTS IPv6), review the FPGA profile behavior in the target release notes. Profile configurations may need to be reselected after upgrade before writing to startup-config.