Hello,
My apologies for a delayer answer!
In your situation, I believe that the proper way of doing the upgrade is to steer the traffic away from one switch, upgrade and reload it, then migrate the traffic onto it while steering it away from the other neighbor, and upgrade that one.
This process has two aspects: L3 routing, and L2 switching.
For the L3 routing, this is where you need to get creative somewhat. You said that these vPC peers have about 10 BGP peerings each. You would need to make modifications to the BGP attributes of the received and advertised routes so that the traffic stops being routed through a particular switch. I cannot suggest any particular set of steps since I do not know your BGP setup. I believe I would need to see the configuration to understand more, and to be able to suggest any particular sequence of steps.
For the L2 switching, steering the traffic away from one switch should be fairly simple: Since you are using vPC, you would simple start shutting down the physical ports of the vPCs on one switch, which would have all switched traffic move over to the second vPC peer. The routing on the second vPC peer would already need to be set up so that it would not send the packets through the peer-link back to the original vPC peer you want to isolate. You would upgrade the switch, reload it, and once it is back up and running, you would reverse the procedure and make the same steps with the remaining vPC peer.
There are documents out there that describe a replacement procedure for a vPC peer switch - the steps you would need to go through are rather similar. Check them out:
https://www.cisco.com/c/en/us/support/docs/interfaces-modules/nexus-7000-series-supervisor-1-module/119033-technote-nexus-00.html
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/operations/n5k_vpc_ops.html#pgfId-425202
Please be sure to make yourself acquainted with them, and feel welcome to ask further!
Best regards,
Peter
