oharcour
Cisco Employee

   When a software vulnerability or bug is found, an urgent software upgrade can be costly and disruptive, causing network downtime of about 10 to 15 minutes on average. Full software upgrades are also time-consuming, affect the network as a whole, and can themselves introduce security risk to an organization. Depending on the urgency and type of vulnerability, a software maintenance upgrade (SMU) or patch file can be applied instead, without changing the IOS-XE image running on the switch.

   A software maintenance upgrade, popularly known as SMU, is a software 'patch' delivery unit or package that, once installed and activated, provides a 'point-fix' for a critical issue in a given software release. This process is otherwise known as Patching.

   This modular nature allows software images to be patched for specific features without reloading the entire switch, depending on the nature of the fix.


   SMUs are built on an image-by-image basis to address the defects or vulnerabilities of a specific release. That means an SMU package for a 17.06.03 release differs from one for a 17.06.06 release. Defects resolved by an SMU are automatically included in future maintenance releases.

Some major characteristics of SMUs are:

  • They are specific to an IOS-XE release.
  • SMUs are not a substitute for extended maintenance releases; they are a method for fixing bugs and delivering a PSIRT fix in a given release.
  • SMUs are supported only on extended maintenance releases (EMRs).
  • Unlike ISSU, SMUs are NOT a way to upgrade from one software release to another.
  • Not all IOS-XE features can be patched.
  • SMUs are supported only when the switch is operating in install mode.

There are two methods of performing a software maintenance upgrade: hot patching and cold patching.

   With hot patching, installing and activating the SMU does not require a system reboot or a restart of client-impacting services. Cold patching, on the other hand, requires a system reload, which usually disrupts the flow of traffic.

   The nature of the bug or vulnerability being fixed determines whether a hot or cold SMU is performed on a switch. Ideally we want hot patching, where traffic is not disrupted and the fix is applied seamlessly, but some features require a reload for the fix to take effect, so a cold SMU is required in those cases.

   Customers can obtain SMU packages either as a Bundle SMU, which contains and applies multiple SMU fixes on the backend, or as an Independent SMU, which contains and applies a single SMU file tailored to a specific bug or vulnerability. Currently, the Catalyst 9000 switching platform has more than 300 SMU files available for download at software.cisco.com.

SMUs can be applied via the CLI, an API, or Ansible. On the CLI, there are two ways to do it:

  • Three-step process: three commands run separately, giving control over the upgrade process and the ability to roll back, as shown below:

       install add file flash:<smu filename>

       install activate file flash:<smu filename>

       install commit

  • One-step process: a simple one-way process that installs the SMU with a single command.

       install add file flash:<smu filename> activate commit
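Before running the three-step process, it is worth checking the switch state against the constraints described above (install mode only, SMU must match the running release, and an activated-but-uncommitted SMU is still pending). The following pre-check is an added example and not part of the original post or any Cisco tool; the `show version` and `show install summary` text it parses is constructed sample output, and the bug ID in the filename is a placeholder.

```python
"""Pre-checks before a three-step SMU install (install add / activate / commit)."""
import re
from typing import List, Optional, Tuple

# Constructed sample output, modelled on IOS-XE 'show version' and 'show install summary'.
SHOW_VERSION = """Cisco IOS XE Software, Version 17.06.03
Installation mode is INSTALL
"""

# CSCxx00000 is a placeholder bug ID, not a real defect.
INSTALL_SUMMARY = """[ Switch 1 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
            C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type  St   Filename/Version
--------------------------------------------------------------------------------
IMG   C    17.06.03.0.3629
SMU   U    flash:cat9k_iosxe.17.06.03.CSCxx00000.SPA.smu.bin
--------------------------------------------------------------------------------
Auto abort timer: active on install_activate, time before rollback - 01:45:22
"""

VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)")  # major.minor.maintenance, e.g. 17.06.03

def installation_mode(show_version: str) -> str:
    """Return INSTALL or BUNDLE from 'show version'; SMU needs INSTALL."""
    m = re.search(r"Installation mode is (\w+)", show_version)
    return m.group(1).upper() if m else "UNKNOWN"

def parse_install_summary(text: str) -> List[Tuple[str, str, str]]:
    """Extract (type, state, name) rows from the package table."""
    return [m.groups() for m in
            (re.match(r"(IMG|SMU)\s+([IUCD])\s+(\S+)", ln) for ln in text.splitlines()) if m]

def release_of(name: str) -> Optional[str]:
    """First x.y.z version found in an image version or SMU filename."""
    m = VERSION_RE.search(name)
    return m.group(1) if m else None

def precheck(show_version: str, summary: str, smu_file: str) -> List[str]:
    """Return a list of reasons the SMU should not be added yet (empty = OK)."""
    problems = []
    if installation_mode(show_version) != "INSTALL":
        problems.append("switch is not in INSTALL mode; SMU is unsupported in BUNDLE mode")
    rows = parse_install_summary(summary)
    image = next((n for t, s, n in rows if t == "IMG" and s == "C"), "")
    if release_of(smu_file) != release_of(image):
        problems.append(f"SMU release {release_of(smu_file)} does not match image {release_of(image)}")
    if any(t == "SMU" and s == "U" for t, s, _ in rows):
        problems.append("an activated-but-uncommitted SMU is pending; commit or roll back first")
    return problems
```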

    Using Cisco DNAC, we can also perform software maintenance upgrades on our switches without the CLI, in a few simple steps: locate the switch on the DNAC platform, add the SMU file to the current image on the switch, and perform the upgrade with a few clicks.


    In conclusion, software maintenance upgrades are a great way to urgently address vulnerabilities and security needs of software images, thereby reducing network outages and business loss. With patch fixes tailored to specific vulnerabilities, SMU files eliminate the need for a full software upgrade, which is well known for being difficult, costly, time-consuming, and traffic-intensive. Cisco also offers a more seamless way to apply patch fixes with its DNAC orchestrator, distributing and activating the patch all at once.

2 Comments
Leo Laohoo
Hall of Fame

MAJOR GOTCHA:  SMU patching is not supported in Bundle Mode.  

Martin L
VIP

Thanks for sharing!
