
AMA: Cisco Catalyst Center Software Image Management (SWIM)

Brooke Hammer
Community Manager

Ask Me Anything Event

 

Welcome to the Cisco Community Ask Me Anything conversation. Submit your questions from Friday, June 21, 2024 through Friday, July 12, 2024. Our colleagues Saurabh Khillare and Absar Ul Farooq will be waiting to assist you and resolve any questions that have not been clarified, or answer any new questions that you may have. We are waiting for you!

More about this event:

 

Join us for an Ask Me Anything (AMA) event where you can dive deep into Cisco Catalyst Center Software Image Management (SWIM)!

What is it?
• Cisco Catalyst Center inventory offers various automation capabilities. One of them is software image upgrades using Software Image Management (SWIM).
• Using SWIM, users can upgrade, downgrade or SMU patch their network devices managed in the Catalyst Center inventory. In a matter of a few clicks we can perform image upgrades on up to 100 devices in one go.
• We can distribute the golden image to device flash during production hours too, and schedule activation for non-business hours or a maintenance window.


Get Expert Advice!
• This AMA session is your chance to get expert insights on this powerful feature.
• Whether you're a seasoned network pro or just starting out, feel free to ask any questions you have about SWIM, image repository or Cisco Catalyst Center in general.


Official Resources:


• SWIM Documentation
• YouTube: SWIM

 

Note: Please post your post as a comment below no later than July 12, 2024.

Post your question below by clicking "Reply"

(Answers will be processed depending on the availability of the experts)
Don't forget to thank the expert by giving it a helpful vote!

 

Our experts


 

Saurabh Khillare

Technical Consulting Engineer


 

Absar Ul Farooq

Technical Consulting Engineer

 

 
 
 


@SaurabhKhillare wrote:
From any 17.x version, it is possible to upgrade to 17.12.x directly. 

I challenge DNAC &/or the R&S BU to try it.  

I upgraded an 1121X router, from 17.3.5, to 17.12.3 and it failed into a boot-crash-loop.  

I manually upgraded the router to 17.9.5 (where the ROMMON got auto-upgraded) and then successfully upgraded to 17.12.3.

This behaviour is an "undocumented feature" because Release Notes do not specify 17.9.X as an intermediate release.  

This is not just a "documentation bug" but a bug with DNAC as well.  If the routers are going to fail from an upgrade from 17.3.5 (or earlier) to 17.12.3 (and later) then this logic needs to be coded into DNAC before something bad happens.  

Seconded! I have run into this issue on ISR 1100 & 4300 series routers. It is a real problem and a very unpleasant surprise.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev


@Torbjørn wrote:
It is a real problem and a very unpleasant surprise.

Thanks for confirming.  

This is a very expensive "surprise" because those routers will require a special trip to fix or replace.

Hello Leo,

I understand the pain and effort involved in dealing with the unfortunate crash of your router. As of now, Catalyst Center does not have the capability to detect an unsupported version upgrade. It relies completely on the golden image marked in the repository by the user.

I tried the same scenario which you mentioned in your last reply, where an 1121X router was upgraded from 17.3.5 to 17.12.3 but it failed and ended up in a boot-crash. I performed SWIM for this upgrade and my device was successfully upgraded without ending up in a boot failure or needing an intermediate upgrade. The router was running 17.5(1r) as the ROMMON version in my case. Attaching console logs of the router.


 

It is certain that you faced an issue with this upgrade path; it could be due to any reason. For investigation, you may raise a TAC case with the platform team and TAC will assist you with it. On the enhancement for SWIM, I will discuss it internally with the concerned teams. However, you could also request this feature from your CatC or through an AHA request.
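A pre-check of the kind this exchange asks for, run by the operator before an image is marked golden. This is an added example, not part of any post above and not Cisco code; the rule table is a locally maintained assumption whose single entry mirrors the 17.3.5 to 17.9.5 to 17.12.3 path reported in this thread, and the family labels and hostnames are constructed.

```python
import re

# Locally maintained rules (assumption): each entry mirrors a path reported in
# this thread, not a Cisco-published upgrade matrix. Family labels are constructed.
INTERMEDIATE_RULES = [
    {"families": {"ISR1100", "ISR4300"}, "from_max": "17.3.5",
     "to_min": "17.12.3", "via": "17.9.5"},
]

def parse_version(text):
    """'17.3.4a' -> (17, 3, 4); rebuild letters are ignored for ordering."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)[a-z]*", text.strip().lower())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())

def plan_upgrade(family, current, target, rules=INTERMEDIATE_RULES):
    """Return the ordered list of releases to install, ending with target."""
    cur, tgt = parse_version(current), parse_version(target)
    if tgt <= cur:
        raise ValueError("target is not newer than the running release")
    hops = []
    for rule in rules:
        if (family in rule["families"]
                and cur <= parse_version(rule["from_max"])
                and tgt >= parse_version(rule["to_min"])):
            hops.append(rule["via"])
    hops.sort(key=parse_version)
    return hops + [target]

def review_inventory(devices, target):
    """Split devices into direct upgrades and ones needing a staged upgrade."""
    direct, staged = [], {}
    for name, family, current in devices:
        plan = plan_upgrade(family, current, target)
        if len(plan) == 1:
            direct.append(name)
        else:
            staged[name] = plan
    return direct, staged

# Constructed inventory rows: (hostname, family, running release).
SAMPLE_INVENTORY = [
    ("branch-rtr-01", "ISR1100", "17.3.5"),
    ("branch-rtr-02", "ISR1100", "17.9.5"),
    ("branch-rtr-03", "ISR4300", "17.3.4a"),
    ("core-sw-01", "CAT9300", "17.6.4"),
]

if __name__ == "__main__":
    print(review_inventory(SAMPLE_INVENTORY, "17.12.3"))
```

Devices listed under the staged result are the ones to keep out of a single-hop SWIM job until the intermediate release has been installed.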

mmehtabu
Cisco Employee

Does SWIM do an image integrity check after pushing the IOS bin image?

Can we do it as a two-step process?

  1. Push the image, validate the IOS file integrity
  2. Then activate and reload during the MW.

Yes, Cisco DNA Center (DNAC), aka Catalyst Center, does support a two-step process for updating IOS images on network devices.

Two-Step Process:

Step 1: Push and Validate the Image

  • Push the Image:
    • Using Cisco DNAC, you can deploy the IOS image to the network devices. This involves uploading the image to the DNA Center repository and then pushing it to the target devices.
  • Validate the Image:
    • After the image is pushed, DNAC will perform an integrity check to confirm that the image file on the device matches the original file. This validation ensures that the file has been transferred correctly and is ready for activation.

Step 2: Activate and Reload

  • Schedule Activation and Reload:
    • Once the image integrity is validated, you can schedule the activation of the new IOS image during a maintenance window (MW). This can be done through the DNAC interface, where you specify the time for the activation to minimize disruption.
  • Activate the Image:
    • During the maintenance window, DNAC will activate the new image. This involves setting the new image as the boot image on the device.
  • Reload the Device:
    • Finally, DNAC will reload the device to boot with the new image. This step is crucial to apply the new firmware and ensure the device operates with the updated software.

alexhunter
Level 1

Hello,

I'm just wondering, as we have a constant need to upgrade our Cisco switch estate IOS versions due to CareCerts, vulnerabilities, compliance etc. Is there any sort of plan within the SWIM feature on Catalyst Center, in future releases, to alert the user that there is a new Cisco recommended gold star image to download for that series of switch model?

Hello Alex,

As of now, the Catalyst Center development team does not have this feature in their roadmap. However, on your behalf we have raised an AHA request pitching the idea to the product development team. Below is the link for the same:

https://ciscospinfra.ideas.aha.io/ideas/CN-I-16629

You can subscribe to it and add your comments if any for the development team. 

dmacieje
Cisco Employee

Hey everyone, 

quick question: Does SWIM have a timeout? I would be attempting to upgrade images over WAN. 

Yes, the SWIM distribution task has a timeout of 600 minutes. If the file is not copied to the device within this period, the distribution task will fail.

When upgrading over WAN, please ensure that network latency is low enough to support a smooth upgrade process.

Farooq-amir0697
Level 1

Are there any prerequisites we need to take care of before we upgrade via SWIM?

Before performing an image upgrade, the following prerequisites should be reviewed.

1. Check the Minimum Software Release Requirements on Devices

Cisco DNA Center requires the software releases on devices to meet the ones listed in the Minimum Supported Software Version column of the supported devices spreadsheet below: https://www.cisco.com/c/en/us/support/cloud-systems-management/dna-center/products-device-support-tables-list.html

2. Devices have CLI/SNMP or HTTPS/SCP credentials

Network devices should be in a managed state, or the administrators should have CLI/SNMP or HTTPS/SCP credentials for Cisco DNA Center to discover them and bring them into a managed state before performing a software image upgrade. This requirement is only for the Day N scenario.

3. CCO Credentials

Though this is not a mandatory requirement for SWIM, it's strongly recommended to add CCO credentials. Otherwise, certain features like ROMMON upgrade or the suggested and latest image display list will not function. CCO credentials are also required to download the KGV file for Integrity Verification of Software Images.

4. Integrity Verification of Software Images

The Integrity Verification application monitors software images that are stored in Cisco DNA Center for unexpected changes or invalid values that could indicate your devices are compromised. During the import process, the system determines image integrity by comparing the software and hardware platform checksum value of the image that you are importing to the checksum value identified for the platform in the Known Good Values (KGV) file to ensure that the two values match.
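The checksum comparison described in this answer, combined with the push-then-validate gate from the earlier two-step answer, as an added example that is not part of any post above and is not Cisco code. It assumes SHA-512 as the checksum and uses a constructed lookup table in place of the real KGV file, whose format is not reproduced here; platform labels, image names and device names are constructed.

```python
import hashlib
import hmac
import io

def sha512_stream(fileobj, chunk_size=1 << 20):
    """Hash in chunks so a multi-gigabyte image never has to fit in memory."""
    digest = hashlib.sha512()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

# Constructed stand-ins: a fake image payload and a known-good table keyed by
# (platform, image name). SHA-512 as the checksum is an assumption.
SAMPLE_IMAGE = b"constructed payload, not a real image\n" * 4096
KNOWN_GOOD = {
    ("platform-a", "sample-image.bin"): sha512_stream(io.BytesIO(SAMPLE_IMAGE)),
}

def verify_image(platform, image_name, fileobj, known_good=KNOWN_GOOD):
    """Return (ok, reason); an image with no known-good entry fails closed."""
    expected = known_good.get((platform, image_name))
    if expected is None:
        return False, "no known-good value for this platform and image"
    actual = sha512_stream(fileobj)
    if not hmac.compare_digest(actual, expected.lower()):
        return False, "checksum mismatch"
    return True, "verified"

def activation_candidates(distributed, known_good=KNOWN_GOOD):
    """Step 1 gate: only devices whose copied image verifies reach step 2."""
    cleared, held = [], {}
    for device, platform, image_name, fileobj in distributed:
        ok, reason = verify_image(platform, image_name, fileobj, known_good)
        if ok:
            cleared.append(device)
        else:
            held[device] = reason
    return cleared, held
```

A truncated transfer and an image with no entry for its platform are both held back, so neither can be scheduled for activation by accident.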

bdevi
Cisco Employee
Are there any specific ports that need to be opened to carry out the SWIM task?

Yes, TCP 22, 80 and 443 should be open bidirectionally between DNAC and the device, as software images are downloaded from Catalyst Center (aka DNAC) over HTTPS:443, SFTP:22 and HTTP:80.

You can refer to the "Communication port" section of the best practices guide for more details.
https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_cisco_catalyst_center_security_best_practices_guide.html#id_90444

bdevi
Cisco Employee
Does DNAC support the .bin format images for stack devices?
