Re: Upgrade Cisco ACI Environment

p.juarezponte · ‎02-21-2020

Hello community,

We have been recently asked about a new vulnerability detected on a few devices.

It affects Cisco ACI, and is related to CDP (CVE-2020-3120).

This is our topology, with two apics, five leafs and two spines.

apic1# show version
Role Id Name Version
---------- ---------- ------------------------ --------------------
controller 1 apic1 2.2(2k)
controller 2 apic2 2.2(2k)
spine 101 NX9-ACI-COREXXX n9000-12.2(2k)
spine 102 NX9-ACI-COREXXX n9000-12.2(2k)
leaf 103 NX9-ACI-XXX n9000-12.2(2k)
leaf 104 NX9-ACI-XXX n9000-12.2(2k)
leaf 105 NX9-ACI-XXX n9000-12.2(2k)
leaf 106 NX9-ACI-XXX n9000-12.2(2k)
leaf 107 NX9-ACI-XXX n9000-12.2(2k)

It seems that we should upgrade to 13.2(9b).

Could somebody point me in the good direction to know how to do this?

I mean:

Upgrade guide
Upgrade path: should I install an intermediate version?
Order: first apic, then spines, then leafs...
Anything we should keep in mind

I have been reading this link:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/all/apic-installation-upgrade-downgrade/Cisco-APIC-Installation-Upgrade-Downgrade-Guide/Cisco-APIC-Installation-Upgrade-Downgrade-Guide_chapter_011.html#id_74366

I have been working with Cisco for a few years but I am really newcomer with ACI.

Thanks,

rocky2024 · ‎02-21-2020

Also make odd even group of leaves to upgrade but make sure connectivity to servers and vmm are connected to odd even leaves otherwise no use. .

Claudia de Luna · ‎02-21-2020

hi @p.juarezponte,

Here is a good guide for you to review along with the Guide you are already reading.

With ACI 1.x uploading the files was a bit of a chore but you are on version 2 so you should be able to upload with the GUI just fine but if you do have problems the Unofficial Guide gives you good details on an alternative way.

Give everything enough time..don't be impatient!
Clear out as many faults as you can (if you have to leave any only leave minor)
I like to reboot the APICs before starting an upgrade just to make sure everything is fresh and synched. Also, if there are issues you probably don't want to start an upgrade. Make sure they all come back and are fully fit.

As @rocky2024 suggested you should have your fabric split into at least two groups. The common convention is odd and even. After you upgrade the APICs (once you initiate the upgrade on the APICs they will be upgraded as a system. I log in to all three and watch as I lose access to each one and as it comes back up), start with one of your maintenance groups (say odd). If all your hosts are redundantly connected and configured properly to fail over, the upgrade should be hitless.

Upgrading your ACI Fabric

https://unofficialaciguide.com/2018/04/03/upgrading-your-aci-fabric/

Keep in mind that CVE-2020-3119 and CVE-2020-3120 relate to CDP and that ACI uses LLDP. If your upgrade is not hitless you might look at where you have enabled CDP and disable it if its not needed as a short term option while you prepare for the upgrade. Here is where ACI really shines as you could go to your CDP_On policy and disable it as a short term stop gap if you determine if there are no critical dependencies on CDP.

p.juarezponte · ‎03-05-2020

Thanks,

I will take a look.