Solved: Upgrading 100+ C9300 Switches from 17.06.03 to 17.9.4a

sohaibrh · ‎01-25-2024

Hi everyone,

We have around 30 C9300-48UN switch stacks giving a total of 100+ switches running 17.06.03

I was tasked to come up with an efficient solution to upgrade them all if needed, I have a few questions for the community:

How necessary is the upgrade from 17.06.03 to 17.9.4a ?
Is there a better way to do this rather than manually upgrading each switch (30+ maintenance windows is a lot!!)

Any piece of useful information would be highly appreciated!

liviu.gheorghe · ‎01-25-2024

Hello @sohaibrh ,

In my opinion, if you don't have a good reason to upgrade, like a software bug or a feature that is missing in the current software release, don't do it.

For the second point, like M02@rt37 suggested, you can use Ansible to automate the delivery of the new IOS to the switch stacks, but there's no way around the maintenance windows as the switch must reboot in order to run the new IOS.

Regards, LG
*** Please Rate All Helpful Responses ***

View solution in original post

M02@rt37 · ‎01-25-2024

Hello @sohaibrh

Using ansible or python for network automation is a great approach to efficiently manage and upgrade multiple network devices. Ansible ans Python are an open-source automation tool that allows you to define and manage the configuration of systems in a declarative way. You would find a lot of documentation about these tools.

You could upgrade to 17.6.5 first. It is a suggested release as 17.9.4.a but minor upgrade for you.

https://software.cisco.com/download/home/286315874/type/282046477/release/Cupertino-17.9.4a

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

liviu.gheorghe · ‎01-25-2024

Hello @sohaibrh ,

In my opinion, if you don't have a good reason to upgrade, like a software bug or a feature that is missing in the current software release, don't do it.

For the second point, like M02@rt37 suggested, you can use Ansible to automate the delivery of the new IOS to the switch stacks, but there's no way around the maintenance windows as the switch must reboot in order to run the new IOS.

Regards, LG
*** Please Rate All Helpful Responses ***

sohaibrh · ‎01-25-2024

Honestly, I don't see the value in upgrading as the equipment is running smoothly.

We have C9500 running 16.12.04, I think those need to be upgrade for sure, but we have less than 10 so it's a much easier problem to solve.

Leo Laohoo · ‎01-25-2024

@sohaibrh wrote:
How necessary is the upgrade from 17.06.03 to 17.9.4a ?

I am in the middle of upgrading all our routers, switches and WLC to 16.12.10a (3850) or 17.9.4a due to Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature. Currently, this vulnerability is currently being exploited in the wild and this information is highly critical because decision makers do not necessarily take the notion of network outage (due to software upgrade) too kindly.

Another reason why a lot of network administrator are reluctant to upgrade because they've never done an upgrade before and it is a terrifying truth nobody wants to admit in public.

I have about 800 stacks of 9300 and about 120 x 9500 (VSS and standalone). I have completed the upgrade to about 60% of the 9300 (Install Mode) and 40% of the 9500 (Install Mode). The upgrade were all done "by hand", i. e. no automation involved (no DNAC, no PI, no Python script, no Ansible, etc.). Success rate is 100%.

And the outage time is 14 minutes.

I unpack the packages during business hours and then schedule the reboot at, say, 7:00 the next morning.

Leo Laohoo · ‎01-25-2024

@sohaibrh wrote:
Is there a better way to do this rather than manually upgrading each switch (30+ maintenance windows is a lot!!)

This made me laugh.

Last 21 December 2023, I logged into 100 stacks 9300 and 9500. It took me two hours to unpack the packages and set the reload for 07:00 AEDST, 03 January 2024.