Table of Contents:
- Introduction
- What happens when you upgrade to cAPIC 25.0.3
- AWS: Upgrading CSRs to CCRs
3.a AWS: Subscribe to Cisco Catalyst 8000V Edge Software – BYOL
3.b AWS: Start The Upgrade
3.c AWS: Will need to change role/permissions for ApicAdmin/ApicAdminFullAccess in AWS
3.d AWS: Verify Upgrade - Azure: Upgrading CSRs to CCRs
4.a Azure: Subscribe to Cisco Catalyst 8000V Edge Software – BYOL
4.b Azure: Start The Upgrade
4.c Azure: Verify Upgrade - References
Introduction
From cAPIC release 25.0.3 the Cloud CSR 1KV – BYOL routers have now changed to Catalyst 8000V Edge Router – BYOL (Bring Your Own License).
The rationale behind this change is performance. As an example, if you look at pure IPSec packet performance numbers, they have gone up to almost 1Kbps at 1400 byte mtu. That equates to a lot of extra encapsulated data packets. Further, multiple IPSec tunnels do not effect performance.
π Note: Another Side effect of the C8KV is that for a POC if you don’t want to license the C8KV you will get 10Mbps throughput as opposed to CSR1KV that only gave you 1Mbps throughput without license.
What happens when you upgrade to cAPIC 25.0.3
After upgrading cAPIC to version 25.0.3, if you looked at the status of the Cloud Routers from Infrastructure/Inter-Region Connectivity you will see that they will say incompatible but they will still be working.
Figure 1: After Upgrading to cAPIC 25.0.3
If you looked at Firmware Management, you will now see CCRs instead of CSRs. This will also show you the incompatible status and Update Status Pending.
Figure 2: Looking at Status from Firmware Management after upgrade to cAPIC 25.0.3
π Note: Even though it says incompatible everything will still be functioning fine. However you should upgrade.
Upgrading CSR to CCR
Upgrading is a very simple step and entails no downtimes (though you should always follow best practices, such as: maintenance windows, backups first )
In Marketplace, Subscribe to Cisco Catalyst 8000V Edge Software – BYOL
This is no different than when you did your initial install of cAPIC in AWS (the very first time). The only difference is that you will have to subscribe to Cisco Catalyst 8000V Edge Software – BYOL instead of the Cisco CSR 1000V – BYOL.
Go to Market Place/Discover products and type in catalyst 8000v. Choose Cisco Catalyst 8000V Edge Software – BYOL
Figure 3. Selecting Catalyst 8000V Edge Software – BYOL from Marketplace.
Just follow through and Accept the terms. Do not try to spin up the router. That is cAPIC’s job !
Figure 4: Finish off subscribing. Do not spin up the router
Start the upgrade
All you have to do is click on the Upgrade CCRs button from Firmware Management Screen.
Figure 5: Start the upgrade from CSR1KV to C8Kv
The upgrade process will upgrade 1 Cloud Router at a time, so your dataplane will still be working (just at lower capacity)
Figure 6: One Router upgrades at a time
You can confirm this from the AWS console also. You will notice that 1 router will get terminated at a time.
Figure 7: Watching from AWS console
Will need to change role/permissions for ApicAdmin/ApicAdminFullAccess in AWS
At this time you will notice that the CCR Status shows Sam Access Denied message, you will have to change the Roles/permissions for ApicAdmin/ApicAdmin fullAccess from AWS console.
π Note: You can do this step from the beginning also. However, I am showing this step here to highlight the fault that you will get without this step completed.
Figure 8: You will need to add Roles/permissions for ApicAdmin/ApicAdmin fullAccess
For this, on AWS console, go to Roles/permissions for ApicAdmin/ApicAdmin fullAccess as shown in the figure below.
Figure 9a: Going to the ApicAdmin Role to modify the ApicAdminFullAccess Policy
Click on "Edit policy" to edit the policy as shown below:
Figure 9b: Click on "Edit Policy" to start editing the policy
Next, click on "JSON" option to edit the JSON policy.
Figure 9c: Choosing the JSON option
Based on the error Message you received, please put in the role accordingly. The only thing you need to modify is the Resource Name. You should include this as the last block of the existing json policy.
Figure 10: Modifying Role/Policy for ApicAdmin/ApicAdminFullAccess
π Note: you can just copy and paste the below. Just modify the Resource value accordingly for the region where your CCR will reside (Infra Region(s)).
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:GetParameter",
"ssm:GetParametersByPath"
],
"Resource": "arn:aws:ssm:us-east-1::parameter/aws/service/marketplace/*"
}
π Note, if you have multiple Infra Regions, you will have to add this block multiple times, each time with the Resource Value with your Infra Region. To get around that you could just add the region with a wildcard as shown below.
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:GetParameter",
"ssm:GetParametersByPath"
],
"Resource": "arn:aws:ssm:*::parameter/aws/service/marketplace/*"
}
After making the policy changes, click on "Review policy" as shown below:
Figure 10a: Reviewing the edited policy
Make sure to save the changed Policy by clicking on "Save changes".
Figure 10c: Saving the changed Policy.
Verify Upgrade
Once the role is modified and submitted, your new CCRs will start spinning up and the Fault will clear.
Figure 11: CCRs will now spin up (replacing CSRs)
Once, done you will see that the Update Status will show Success and Compatibility Status will show Compatible
Figure 12: CCRs spun up fine, repacing CSRs
You can ssh into the CCR and verify that it is a Cisco Catalyst 8000V Edge router
Figure 13: viewing CCR Inventory
Azure: Upgrading CSRs to CCRs
Upgrading is a very simple step and entails no downtimes (though you should always follow best practices, such as: maintenance windows, backups first )
Azure: Subscribe to Cisco Catalyst 8000V Edge Software – BYOL
This is no different than when you did your initial install of cAPIC in Azure (the very first time). The only difference is that you will have to subscribe to Cisco Catalyst 8000V Edge Software β BYOL instead of the Cisco CSR 1000V β BYOL.
Go to Market Place/Discover products and type in catalyst 8000v. Choose Cisco Catalyst 8000V Edge Software β BYOL
π Note: Unlike the AWS case, when subscribing to the CCR image, you also have to choose the correct version of the Catalyst 8KV Router. The information can be found in the install guide in CCO. Please look at install guide for your release at: Cloud APIC Documentation
For cAPIC release 25.0.3 for Azure, you will need Cisco Catalyst 8000V Edge Software-BYOL-17.07.01a
As shown in the figure below:
- a) please go to Azure Market Place and search for Catalyst 8000
- b) Select Cisco Catalyst 8000V Edge Software (donβt click on create)
- c) Select Cisco Catalyst 8000V Edge Software-BYOL-17.07.01a
- d) Click on Get started (donβt click on create)
- e) Enable for your Azure Subscriptions where you will install cAPICs (infra accounts), then click on Save
Figure 14a: please go to Azure Market Place and search for Catalyst 8000
Figure 14b: Select Cisco Catalyst 8000V Edge Software (donβt click on create)
Figure 14c: Select Cisco Catalyst 8000V Edge Software-BYOL-17.07.01a
Figure 14d: Click on Get started (donβt click on create)
Figure 14e: Enable for your Azure Subscriptions where you will install cAPICs (infra accounts), then click on Save
Azure: Start The Upgrade
All you have to do is click on the Upgrade CCRs button from Firmware Management Screen.
Figure 15: Start the upgrade from CSR1KV to C8Kv
The upgrade process will upgrade 1 Cloud Router at a time, so your dataplane will still be working (just at lower capacity)
Azure: Verify Upgrade
Figure 16: Upgrade to CCR Completed
You can ssh into the CCR and verify that it is a Cisco Catalyst 8000V Edge router
Figure 17: viewing CCR Inventory