In today’s environment networks are providing critical services in many sectors from public safety, healthcare, utilities, infrastructure, manufacturing and more. This critical infrastructure needs to be up 24/7/365 and we have seen critical infrastructure come under increasing cyber-attacks recently. Keeping critical infrastructure patched and up to date is a critical business task in any IT organization. More than 65% of security breaches were possible due to unpatched and out of date systems. One of the challenges for both small and large organizations is getting the maintenance windows to do software upgrades which can take outwards of 20 minutes per switch and the fact that it can take days to weeks to upgrade the entire network can make it a big undertaking. The Cisco DNA Center platform can help automate this critical activity with the SWIM (Software Image Management) capability to deploy and manage software images. Cisco DNA Center stores all the unique software images according to the image type and version for the devices in your network. It allows you to view, import, and delete software images and push software images to the devices in your network. Software upgrades can also be scheduled for later date and time.
With this level of automation some organizations have seen upwards of 59% in reduced upgrade time compared to the manual upgrade approach. It has also been shown that the engineering time is vastly reduced as with SWIM the entire upgrade process is done with a few clicks. The SWIM process does a comprehensive pre-validation of the equipment before proceeding with any upgrade request to ensure everything meets the qualification for the upgrade. Additionally, the Cisco IOS XE has the ability to automatically fail back to the prior software image if any critical errors happen as a result of the upgrade.
With Cisco DNA Center’s SWIM automation and orchestration, equipment still needs to be reloaded to activate the new software images which in some environments require careful coordination and maintenance window scheduling. In recognizing this critical customer need and with Cisco’s commitment to ensure software is up to date with Software Maintenance Updates and Critical Security fixes, Cisco needed to be able to deploy and install hotpatches without taking down or having to reload equipment.
Several years ago, Cisco made an investment to move the Catalyst platform from its longtime beloved Cisco IOS® to the latest modular Cisco IOS XE platform. Cisco IOS XE provides many features and high availability features not previously available across all the platforms. One of the main benefits of the new IOS XE was the ability to push a patch to the device image without overwriting the whole image. This allows small changes, such as bug fixes and security patches, to be installed without having to overwrite the whole image. Moreover, in most cases, patches can be applied to an IOS XE device without rebooting. This means savings in time and no downtime for the switch. The ability to install hot patches without equipment reloads is very exciting and can change how we manage the networks. Keep in mind that often due to limited maintenance windows, organizations end up running several versions of code on their switches which carry several operational, compliance and security challenges, this can significantly help organizations maintain software compliance across their network and improve operational efficiency.
In order to accomplish that – Cisco’s XE capabilities and DNAC/SWIM functionality jointly are able to push SMU’s (software maintenance upgrades) for PSIRTS (Product Security Incident Response Team) and be able to hot patch the software on the XE powered Cisco 9000 switches reliably with no downtime. Today this functionality is available on Catalyst 9300, 9400 and 9500 Series switches and the process is fully automated and managed from Cisco DNA Center’s SWIM capability starting with Cisco DNA Center version 2.1.2.x or higher.
Let’s get geeky and demonstrate how straightforward and easy it is to deploy SMU’s for PSIRT’s and be compliant in minutes. Click here and search for the model of switch you own. Then look at the available upgrade: (Note that Cisco DNA Center will automatically alert you of any SMU or PSIRT the moment that they are available – right inside of the dashboard).
Once the base golden image is assigned in Cisco DNA Center for the switch family as shown below for the Catalyst 9300 Series.
The administrator can proceed to import the SMU or PSIRT into Cisco DNA Center SWIM, after the SMU import note that the golden image will show an available “Add On” as demonstrated below
Clicking on the “Add On” will open a window similar to the one below
Click on the Star shown in the red box to activate the SMU image for distribution
Now the SMU is marked as golden it is ready to be deployed to the network
Next from the Inventory page in Cisco DNA Center; any switches that need the newly added SMU will show as Non-Compliant
Simply select the devices, go to Actions->Software Image->Update Image
This is how simple it is to leverage the Cisco DNA Center SWIM functionality and the Cisco IOS XE hotpatching capabilities to quickly and easily deploy software maintenance packs across the network without any downtime, this is the power of automation, IBN and the commitment to uptime. It is always recommended that you verify that the switches are running the correct base image version as the SWIM process to bring the switch to compliance will install a new base image if the current image does not match the golden image which will cause a reload of the switch. With the correct base image, Cisco DNA Center will deploy the SMU or PSIRT and activates on the switch without any service disruption.
The ability to keep software current and maintain uptime is becoming more and more critical as with IoT the network is supporting critical operational aspects and it is imperative to keep the critical infrastructure software up to date from both software defects and security patching. This can now be done without having to request an outage and is a game changer for IT organizations.
Learn more about Cisco DNA Center.
Learn more about Cisco 9000 switches.
Learn more about PSIRTs.
Check out our Cisco Networking video channel
Subscribe to the Cisco Networking blog
Nice to read this article you wrote.
Great article! Software image management across the Enterprise has been a pain point for a long time.