
Upgrade Fabric Authentication Key + Make Fabric Site AVC Ready: downtime ?

m-avramidis
Level 1

Hello, we wonder what the impact will be and how long (approx.) the downtime will last when we (1) apply the security fix (see the attached screenshot) and (2) make the fabric site AVC ready. Will the entire site be unavailable during this process? DNAC version used: 1.3.1.4

Preston Chilcote
Cisco Employee

Very reasonable questions. Unfortunately, I don't have a good time estimate, but I can tell you what it's doing under the covers.

For the first alert, it's changing the LISP authentication keys. How quickly it does that, or if it takes redundancy into account to minimize traffic disruption, I don't know. I don't have a way to test that myself.

For the second alert, that's much more in your control. You can use DNA's Software Image Management (SWIM) to upgrade the software of the routers on your own time frame. Just be sure you are moving to one of the images on the SDA compatibility matrix.

Thanks Preston, I will update this thread with the outcome. We are planning to make these changes/fixes on the 7th of April.

I am very interested in your outcome.

TIA,

Chuck McFadden

I talked to some folks internally who have been through this process before and want to share their advice.

You should plan a maintenance window for these changes, so that you can be sure everything is working when they're done. If you are using Fabric wireless, a reload of the WLC and associated APs is required for the new LISP key to take effect.

If you don't apply the fix immediately, you need to be aware that the next fabric device provision that is done will push the new LISP authentication key only to that device. That's going to put that device out of communication to the fabric. Also, if you wait to apply the fix, the banner will remain and is very easy for another operator to click on outside of a planned m/w.

So, we recommend applying the fabric-wide fix (via the banner the OP showed us) in the same maintenance window as the 1.3 upgrade, so that it can all be done at once. It sounds like a quick process, under 10 minutes for an average-size fabric I'd guess. If you must wait, be careful not to do any provisioning of fabric devices.

Hello, many thanks for all of your answers and feedback. I am sorry that I was not clear on one thing: the sw used on the switches does not need to be upgraded, we only need to press the "make avc ready" button; all of the switches are running the correct version. The change has been postponed due to other more pressing and important changes in the pipe. This change will take place in early May. I will update this thread with the outcome. Until then, many thanks for all of your feedback and for the tips and tricks you have given me/us.

m-avramidis,

What version of IOS XE are you running on your switches?

TIA,

Chuck McFadden

All, we applied the fix last night and everything went smoothly. A reload of the WLCs was not needed; the (fabric) Wi-Fi went down for approx. 30 s.

I'm a little confused why you only mention the WiFi devices. I was under the impression that this is going to update the LISP key on all NADs (Network Access Devices) throughout the fabric. Can you please help me understand your application?

TIA,

Chuck McFadden

Well, the key update did occur without any hitches or glitches, zero downtime. It was interesting to see what the border switches did during the key update (CLI), but the only thing that was noticed was that the fabric SSID went down for a couple of seconds; that's all that happened.

Hello,

Tell them that for my part I have the following alerts in DNAC after updating to 2.1.2.7:

1. Fabric Authentication Key update - (Involves Reboot on WLCs.)
2. Flood behavior change
3. AVC change
4. Authentication on Extended Node and Critical VLAN features - (Network traffic is interrupted)

My question is whether, in your scenario, there was any interruption in the network, and how much downtime there was.
