traveler/Netgrimoire
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Netgrimoire/Work/Ducky/ess9300_upgrade.md
John Smith 1a98eb6402 docs: add all untracked content
2026-04-01 02:54:27 +00:00

8.7 KiB
Raw Blame History

title description published date tags editor dateCreated
Voyager SW10GG Upgrade Cisco ESS 9300 true 2026-03-19T15:24:41.320Z markdown 2026-03-19T15:24:35.613Z

Cisco ESS9300 — IOS XE Software Upgrade Guide

Platform Overview

The Cisco Embedded Services 9300 (ESS9300) is a ruggedized, embedded-form-factor switch running Cisco IOS XE. It shares its software lineage with the Catalyst 9300 family and uses the same IOS XE upgrade methodology. Software image files are stored on the system board flash device (flash:). The ESS9300 supports two boot modes:

  • Install Mode (recommended) — software is expanded into discrete package files; supports rollback and clean uninstall
  • Bundle Mode — the switch boots directly from a monolithic .bin file

Note: All procedures in this guide use Install Mode. Cisco recommends Install Mode for all IOS XE upgrades on the ESS9300 platform. Verify your current boot mode before proceeding.

1. Pre-Upgrade Checks

Verify Current Software Version and Boot Mode

show version
show boot

Confirm the BOOT variable points to flash:packages.conf (Install Mode). If it shows a .bin filename, you are in Bundle Mode — see the Bundle Mode section at the end of this document before proceeding.

Check Switch Health

show module
show environment all
show logging last 100

Resolve any hardware faults, environmental alarms, or persistent log errors before proceeding.

Check FPGA Version (xFSU Consideration)

If you intend to use Extended Fast Software Upgrade (xFSU) to minimize downtime, check FPGA eligibility:

show xfsu eligibility

Note: show xfsu eligibility is available in IOS XE 17.8 and later. All fields must report Yes or Eligible for xFSU to proceed. If the FPGA is unsupported, a standard install with reload is required first.

Verify Flash Space

IOS XE images for the ESS9300 platform typically require 11.5 GB of free flash space. Check available space and remove inactive packages if necessary:

dir flash:
install remove inactive

Backup the Running Configuration

copy running-config startup-config
copy running-config flash:backup-config.txt

2. Obtain the IOS XE Image

  1. Navigate to https://software.cisco.com and log in. A valid Cisco service contract is required.
  2. Go to Downloads → Switches → Industrial Ethernet Switches → Embedded Services 9300 Series.
  3. Select the target IOS XE release. Download the appropriate cat9k_iosxe.xx.xx.xx.SPA.bin image.
  4. Record the MD5 checksum from the download page for later verification.

Upgrade Path: Confirm that your current IOS XE release and the target release form a supported direct upgrade path. Certain version combinations require an intermediate stepping-stone upgrade. Review the target release notes and the IOS XE Migration Guide for IIoT Switches before proceeding.

3. Transfer the Image to the Switch

Option A — SCP from Windows PC (OpenSSH)

Verify the OpenSSH Server service is running on your PC:

net start sshd

From the switch CLI, pull the image from the Windows PC:

copy scp://YourUsername@<PC-IP>/C:/path/to/<image>.bin flash: vrf management

Tip: Place the image in a short, space-free path such as C:\ios\ to avoid syntax errors.

Option B — TFTP

From the switch CLI:

copy tftp://<TFTP-Server-IP>/<image>.bin flash: vrf management

Option C — USB Drive

Format a USB drive as FAT32 and copy the image to the root. Insert into the switch USB port, then from the CLI:

copy usbflash0:<image>.bin flash:

Verify the USB is recognized:

dir usbflash0:

4. Verify the Image Integrity

Confirm the image is present on flash:

dir flash:

Verify the MD5 checksum against the value from the Cisco download page:

verify /md5 flash:<image>.bin

Do not proceed if the checksum does not match — re-transfer the image.

5. Set the Boot Variable (Install Mode)

Ensure the boot variable is correctly configured before proceeding:

configure terminal
 no boot system
 boot system flash:packages.conf
end
write memory

Verify:

show boot

The BOOT variable line must read flash:packages.conf.

6. Install and Activate the New Image

Standard Install (Requires Reload)

Run the following command to stage, activate, and commit the new image. The switch will prompt for a reload — respond y to confirm:

install add file flash:<image>.bin activate commit

The process will:

  1. Expand the .bin into package files on flash
  2. Activate the new packages
  3. Prompt for a reload
  4. Commit the new version as the running baseline on first successful boot

Important: Do not interrupt the process or remove power during installation or reload. The entire operation typically completes within 1015 minutes.

Extended Fast Software Upgrade — xFSU (Reduced Downtime, IOS XE 17.8+)

If the switch passed the show xfsu eligibility check, xFSU can be used to minimize traffic downtime during the upgrade:

install add file flash:<image>.bin activate xfsu commit

xFSU keeps the data plane forwarding during the control plane reload. Residual traffic loss is typically under 3 minutes. xFSU is not equivalent to ISSU — a brief reload still occurs.

For IOS XE 17.3 and 17.6 (pre-17.8 syntax):

install add file flash:<image>.bin activate reloadfast commit

7. Post-Upgrade Verification

After the switch reloads, confirm the upgrade was successful:

show version
show boot
show module
show environment all
show interface status
show logging last 50

Confirm that:

  • The IOS XE version matches the target release
  • BOOT variable still shows flash:packages.conf
  • All modules, interfaces, and environmental readings are normal
  • No new faults or errors appear in the system log

8. Clean Up Old Installation Files

Once the upgrade is confirmed stable, remove inactive packages to reclaim flash space:

install remove inactive

Confirm when prompted.

Bundle Mode Upgrade (Alternative)

If the switch is currently running in Bundle Mode (boots from a .bin file), use the following procedure instead of the Install Mode steps above:

configure terminal
 no boot system
 boot system flash:<new-image>.bin
end
write memory
reload

After reloading, verify with show version. Bundle Mode does not support rollback. Cisco recommends transitioning to Install Mode going forward by setting the boot variable to flash:packages.conf and running install add file flash:<image>.bin activate commit.

ROMMON Upgrade (If Required)

On the first boot of a new IOS XE release, the primary SPI flash ROMMON is upgraded automatically if a newer bootloader version is included in the release. This is expected behavior.

The golden SPI flash ROMMON requires a manual upgrade and is only necessary in specific recovery scenarios:

upgrade rom-monitor capsule golden switch active

The golden ROMMON update takes effect on the next reload. Refer to the release notes to determine whether a ROMMON upgrade is applicable to your target release.

Emergency Recovery

If the switch fails to boot or is stuck at the ROMMON prompt, use the following recovery procedure:

  1. Connect a terminal to the console port (RJ-45 or USB-mini, 9600 baud / 8N1).
  2. Connect port Gi1/3 to a PC running a TFTP server with a valid IOS XE image at the TFTP root.
  3. If the switch is in a boot loop, hold the front-panel button for approximately 5 seconds to break the cycle and stop at the switch: prompt.
  4. From the ROMMON prompt, configure network parameters and boot the recovery image:
switch: boot emgy0:<image>.SPA.bin

Key Reminders

  • Schedule upgrades during a maintenance window. The ESS9300 does not have a redundant supervisor — traffic will be interrupted during the reload unless xFSU is used.
  • The boot loader (ROMMON) may be automatically upgraded on the first boot of a new IOS XE release. This is normal and does not indicate a failure.
  • Smart Licensing Using Policy (SLUP) is enforced in newer IOS XE releases. Licenses remain in evaluation mode until the device is registered with Cisco Smart Software Manager (CSSM) or a satellite server.
  • Starting with IOS XE 17.10, legacy SSH key exchange and MAC algorithms were removed from the default cipher list. If SSH access is disrupted post-upgrade, use the ip ssh server algorithm kex and ip ssh server algorithm mac commands to restore required algorithms.
  • If the switch uses an FPGA profile (e.g., for PRP or CTS IPv6), review the FPGA profile behavior in the target release notes. Profile configurations may need to be reselected after upgrade before writing to startup-config.