The release-naming conventions for the current, primary Cisco IOS XE Software release trains include components that map to and identify the version and type of each software release.
They include a train identifier, a major release number, and release version and rebuild numbers. However, they also include an identifier that indicates which version of the IOSd is included in the release. This modular architecture increases network resiliency by distributing operating responsibility among separate processes.
The release notes and other documentation for some products also provide a mapping table that indicates which version of the IOSd is included in specific releases of Cisco IOS XE Software. A package contains the components that support a specific set of features or functions, such as routing, security, or modular services card (MSC) support.
Every supported device includes a basic set of required packages, which are contained in a Cisco IOS XR Software Core Bundle for the device, and additional, optional packages that can be added to and activated on the device to enable additional specific features.
Unlike Cisco IOS Software, where feature sets are defined at image build time and remain static while the system is in operation, Cisco IOS XR Software can dynamically load and unload software packages that deliver one or more features. In addition, Cisco IOS XR Software packages are created in versions and can be upgraded or patched as necessary to add features or resolve problems, which allows system enhancement and maintenance to take place without requiring a system restart or disrupting traffic that is traversing the system.
To upgrade a package, administrators activate a newer version of the package. To patch a package, administrators activate the patch. Note that SMUs have slightly different naming conventions because they are designed to be release-specific, platform-specific patches. The key differences are the file format and an additional value that indicates which bug an SMU addresses. SMUs are released as software maintenance upgrade. This ID is inserted between the release and architecture values in the filename.
Cisco NX-OS Software is a data-center-class operating system that provides high availability with a modular design. To integrate fixes for high-severity issues that should be addressed on an accelerated schedule, Cisco may also release a rebuild of a Cisco NX-OS Software release. This type of release, sometimes referred to as a support patch, reduces the possible impact on customers who have already certified and deployed a release.
The name of each release contains a major release number, a minor release number, a maintenance release number, and, if appropriate, a rebuild identifier. There are two sets of release-naming conventions for the software. The following table (Table 6) shows valid values for the platform designator in this naming convention.
All applicable features, functions, and fixes in the platform-independent code are present in each platform-dependent release. Cisco IOS Software uses software packaging models and architectures that are designed to meet the requirements of specific service and market categories and to simplify the selection process for software images.
The Cisco IOS Software packaging model is designed to simplify the image selection process and the deployment of critical functionality. It does so by consolidating packages to reduce the total number of packages and by using consistent package names across all hardware products. The packages provide similar functionality and logical feature parity across platforms, while also meeting the unique requirements of each platform. This feature is an orchestrated collection of processes and components that enables administrators to activate specific Cisco IOS Software feature sets by obtaining and validating Cisco software licenses for those feature sets.
With the Cisco Software Activation feature, administrators can enable licensed features and register licenses by using the Cisco Product License Registration portal, issuing EXEC commands directly on a device, or using Cisco License Manager to register, obtain, and install licenses in a bulk fashion for network-wide deployments. Consequently, these switches and routers ship with a single, universal Cisco IOS Software image that contains all available features.
Administrators can then obtain specific licenses to enable the corresponding feature sets. There are two types of universal software images:. Within each universal software image, features are grouped into feature sets. Administrators activate specific feature sets by using technology package licenses via Cisco Software Activation licensing keys.
The feature sets are:. Cisco IOS Software for other models of Cisco switches and routers can use any of seven different software packages, depending on the model, to meet the requirements of different market categories. The software packages are:. The name of a software image indicates which software package the image contains and whether the image includes strong cryptography features.
If an image name contains the k9 designation, the image includes strong cryptography features. For example, if an image name contains adventerprisek9, the image contains an Advanced Enterprise Services package that includes strong cryptographic features. A consolidated package is a single software image that contains a collection of software subpackages.
A subpackage is an individual software file that provides a specific set of functionality or controls a different element or elements of a router or switch. The diagram also shows how each subpackage provides a different set of functionality that complements or supports the functionality provided by one or more other subpackages in the same consolidated package. The consolidated package architecture enables administrators to install and upgrade the software by using a holistic or modular approach.
Administrators can install and run all the subpackages in a consolidated package or only specific subpackages in a consolidated package. In addition, administrators can upgrade the software by performing a single, complete upgrade process that upgrades all the subpackages in a consolidated package or they can upgrade each software subpackage independently.
For more information about the advantages and disadvantages of running individual subpackages or complete consolidated packages, and the process of extracting individual subpackages from a consolidated package, see the Cisco ASR Series Aggregation Services Routers Software Configuration Guide. For information about which consolidated packages are available for a specific release of Cisco IOS XE Software, see the release notes for the release.
Each package contains components that support a specific set of features or functions, such as routing, security, or modular services card (MSC) support. Administrators can then add and activate additional optional packages and software maintenance updates (SMUs) on the device as necessary to provide additional specific features and to address issues.
Note: The Image Verification feature does not check the integrity of the image running in memory. Cisco IOS software image file verification using this feature can be accomplished using the following commands. Note: Only the file verify auto global configuration command and the verify privileged EXEC command will be covered in this document.
Network administrators can use the file verify auto global configuration command to enable verification of all images that are either copied using the copy privileged EXEC command or loaded using the reload privileged EXEC command.
These images are automatically verified for image file integrity. The following example shows how to configure the file verify auto Cisco IOS feature. This argument must be used each time an image is copied to or reloaded on a Cisco IOS device if the global configuration command file verify auto is not present.
Network administrators can also use the verify privileged EXEC command, originally introduced for the "MD5 File Validation" feature and updated by the "Image Verification" feature, to verify the integrity of image files that are stored locally on a device. The following example demonstrates how to use the updated verify command on a Cisco IOS device. In the preceding output, three MD5 hash values are displayed by the verify command.
The following is an explanation of each MD5 hash value. In certain circumstances, network administrators may consider moving an existing Cisco IOS software image file from a Cisco IOS device to an administrative workstation. Once on the administrative workstation, independent tools can be used to calculate the MD5 hash of the file. Two options are available for administrators to perform this task.
One option allows the administrator to use the Cisco IOS software in use on the device to copy the stored Cisco IOS software image file to an administrative workstation. If this process is being carried out for security reasons, administrators are advised to use a secure protocol such as SCP to transfer the file. This process is accomplished using the copy command as illustrated in the following example.
A second and recommended option, one that provides an additional level of security, is to restart a Cisco IOS device using a known-good version of Cisco IOS software from a trusted location. Administrators can accomplish this task using the boot system global configuration command as illustrated in the following example.
Once the network device has been restarted with a known-good Cisco IOS image, a network administrator can verify the locally stored image using the verify command or by copying the Cisco IOS software image to a remote file server for offline verification.
For additional information about copying, loading, and maintaining system images, reference the Cisco IOS Configuration Fundamentals Configuration Guide.
Once a file is stored on an administrative workstation, a network administrator can verify the MD5 hash for that Cisco IOS image file using an MD5 hashing utility. The following example demonstrates the MD5 calculation and file size display for Linux-based systems. The following example shows the use of the fsum utility and the dir command on a Windows system.
Note: The use of the fsum utility is for illustrative purposes only and should not be interpreted as an endorsement of the tool. Once the MD5 hash and file size for a Cisco IOS software image have been collected, network administrators can verify the authenticity of the image using information provided by the Cisco IOS Upgrade Planner tool during the download process.
Network administrators must identify their Cisco IOS software release (this can be done by using information obtained from output provided by the show version command) and navigate through the Cisco IOS Upgrade Planner tool to locate the image in use on the Cisco IOS device. Best practices require that network administrators know and trust the tools that can be used to verify the authenticity of a Cisco IOS software image. This document explains those tools and highlights methods to minimize risk.
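Added example (not part of the original Cisco document): a POSIX shell function for the workstation-side check described above, comparing both the MD5 hash and the file size of a copied image against the values published for it. The function names and the three-argument calling convention are assumptions made for this example.

```shell
#!/bin/sh
# Added example: offline check of a copied IOS image file against the
# MD5 hash and file size published for that image.
# Usage (hypothetical calling convention): sh verify.sh FILE MD5 SIZE

# Print the MD5 of a file (md5sum on Linux, md5 -q on BSD/macOS).
image_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# Print the size of a file in bytes.
image_size() {
    wc -c < "$1" | tr -d ' '
}

# verify_image FILE EXPECTED_MD5 EXPECTED_SIZE
# Returns 0 when hash and size both match, 1 on any mismatch,
# 2 when the input cannot be checked at all.
verify_image() {
    file=$1
    # Published hashes are sometimes shown in upper case; normalise.
    want_md5=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    want_size=$3

    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "cannot read image file: $file" >&2
        return 2
    fi
    # An MD5 digest is exactly 32 hexadecimal characters.
    case $want_md5 in
        ''|*[!0-9a-f]*)
            echo "expected MD5 is not hexadecimal" >&2
            return 2 ;;
    esac
    if [ "${#want_md5}" -ne 32 ]; then
        echo "expected MD5 must be 32 characters" >&2
        return 2
    fi

    got_size=$(image_size "$file")
    got_md5=$(image_md5 "$file")
    rc=0
    # Check the size too: a truncated transfer shows up here first.
    if [ "$got_size" != "$want_size" ]; then
        echo "SIZE MISMATCH: expected $want_size, got $got_size"
        rc=1
    fi
    if [ "$got_md5" != "$want_md5" ]; then
        echo "MD5 MISMATCH: expected $want_md5, got $got_md5"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $file ($got_size bytes, MD5 $got_md5)"
    fi
    return "$rc"
}

# Run the check only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    verify_image "$@"
fi
```

A mismatch in either value means the stored file is not the image that was published and should be treated as untrusted until explained.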
Control traffic also includes module programming between the VSS active supervisor engine and switching modules on the VSS standby switch.
For example, if an access switch is dual-homed (attached with an MEC terminating on both VSS switches), the VSS transmits packets to the access switch using a link on the same switch as the ingress link. Traffic on the VSL is load-balanced with the same global hashing algorithms available for EtherChannels (the default algorithm is source-destination IP). All Layer 2 protocols in VSS work similarly in standalone mode. The following sections describe the difference in behavior for some protocols in VSS.
The VSS defines a common device identifier for both chassis. A new PAgP enhancement has been defined for assisting with dual-active scenario detection.
For additional information, see the "Dual-Active Detection" section. The only exception is that the native VLAN on isolated trunk ports must be configured explicitly. All layer 3 protocol packets are sent to and processed by the VSS active supervisor engine.
Both member switches perform hardware forwarding for ingress traffic on their interfaces. If possible, to minimize data traffic that must traverse the VSL, ingress traffic is forwarded to an outgoing interface on the same switch.
When software forwarding is required, packets are sent to the VSS active supervisor engine for processing. After a switchover, the original router MAC address is still used.
The router MAC address is configurable and can be chosen from three options: virtual-mac (derived from domainId), chassis-mac (preserved after switchover), and user-configured MAC address. The supervisor engine on the VSS active switch runs the IPv4 routing protocols and performs any required software forwarding. The VSS active supervisor engine generates all routing protocol packets to be sent out over ports on either VSS member switch.
Hardware forwarding is distributed across both members on the VSS. Packets intended for a local adjacency reachable by local ports are forwarded locally on the ingress switch. Packets intended for a remote adjacency reachable by remote ports must traverse the VSL.
If a switchover occurs, software forwarding is disrupted until the new VSS active supervisor engine obtains the latest CEF and other forwarding information. In virtual switch mode, the requirements to support non-stop forwarding (NSF) match those in standalone redundant mode of operation. From a routing peer perspective, Multi-Chassis EtherChannels (MEC) remain operational during a switchover (only the links to the failed switch are down, but the routing adjacencies remain valid). On both member switches, all multicast routes are loaded in hardware with replica expansion table (RET) entries programmed for only local outgoing interfaces.
Both member switches are capable of performing hardware forwarding. For packets traversing VSL, all Layer 3 multicast replication occurs on the egress switch.
If there are multiple receivers on the egress switch, only one packet is replicated and forwarded over the VSL, and then replicated to all local egress ports.
Software features run only on the VSS active supervisor engine. The following sections describe system monitoring and system management for a VSS. Environmental monitoring runs on both supervisor engines. The VSS active switch gathers log messages for both switches. File system access on VSS is the same as it is on a dual-supervisor standalone system. All files on a standby switch are accessible with the slave prefix. All file or directory names with the prefix "slave" show VSS standby files.
Bootup diagnostics are run independently on both switches. Online diagnostics can be invoked on the basis of virtual slots, which provide accessibility to modules on both switches. Use the show switch virtual slot-map command to display the virtual to physical slot mapping. Because the management plane of the two switches is common (that is, both switches in a VSS can be configured and managed from the active switch itself), you do not require access to the standby console.
However, the consoles of both switches are available by connecting console cables to both supervisor engine console ports. Availability of the standby console does not imply that you can configure the switch from the standby console as well. Config mode is not available on the standby switch and show commands are limited in availability. Observe that all show commands, even for remote ports, are available on the active switch. The console on the VSS standby switch will indicate that the switch is operating in VSS standby mode by adding the characters "-stdby" to the command line prompt.
You cannot enter configuration mode on the VSS standby switch console. The remote console (the console on the standby switch) can be accessed from the local active switch. This is available on a standalone system and works similarly on VSS. To access the remote console from the active switch, you can use the remote login command with a VSS-Standby module number.
Observe that the module number is a virtual slot and it would be an In-Chassis-Active supervisor module number on the remote chassis. Because the standby console is not available in config mode and only partially available in EXEC mode, distributed features like Netflow and Wireshark have special exemptions for respective commands (that is, these commands are allowed).
When you copy a file to a bootflash on the active switch, it is not automatically copied to the standby bootflash. This means that when you perform an ISSU upgrade or downgrade, both switches must receive the files individually. This behavior matches that on a dual-supervisor standalone system. Similarly, the removal of a file on one switch does not cause the removal of the same file on the other switch.
When you do this, the VSL link becomes "busy." On VSS, copying a large file from one switch to another may take several minutes. Hence, you should do this only when needed. Consider a wait of several minutes before file transfer completes. To ensure that switchover occurs without delay, the VSS standby switch assumes the VSS active switch has failed and initiates switchover to take over the VSS active role.
This situation is called a dual-active scenario. The VSS must detect a dual-active scenario and take recovery action. PAgP uses messaging over the MEC links to communicate between the two switches through a neighbor switch. The dual-active detection and recovery methods are described in the following sections:.
Only switches in virtual switch mode send the new TLV. For dual-active detection to operate successfully, one or more of the connected switches must be able to process the new TLV. Catalyst , Catalyst X, and Catalyst 49 xx series switches have this capability. This switch initiates recovery actions as described in the "Recovery Actions" section.
A VSS active switch that detects a dual-active condition shuts down by err-disabling all of its non-VSL interfaces to remove itself from the network, and waits in recovery mode until the VSL links have recovered. You might need to intervene directly to fix the VSL failure.
When the shut down switch detects that VSL is operational again, the switch reloads and returns to service as the VSS standby switch. Loopback interfaces are also shut down in recovery mode.
The loopback interfaces are operationally down and not err-disabled. Note: If the running configuration of the switch in recovery mode has been changed without saving, the switch will not automatically reload. In this situation, you must write the configuration to memory and then reload manually using the reload command.
Only configuration changes applied to VSL ports on the switch can be saved. All other configuration changes are discarded as the node reboots as VSS standby. When a switch becomes active (either due to a dual-active scenario or otherwise), the IP address configured for the fa1 management interface is associated with the active switch. By default, the switch in recovery mode will not have any IP address for the fa1 interface on its supervisor engine.
To ensure IP connectivity to the switch during recovery, you can configure a recovery IP address. IP address configuration is mandatory if you want IP connectivity while the switch is in recovery. When a switch enters recovery mode, the IP address for the management interface on its supervisor engine is associated with the recovery IP address. The recovery IP address for a management interface can be verified in the output of commands such as show ip interface brief and show interfaces.
The recovery IP address is the IP address that is used for the fa1 interface of a switch while in recovery mode. To configure the recovery IP address for the fa1 interface, perform the following task:
Switch(config)# switch virtual domain domain-id
Switch(config-vs-domain)# [no] dual-active recovery [switch n] ip address recovery-ip-address recovery-ip-mask
The following example shows how to set a recovery IP address. By default, an IP address is not configured for recovery mode, so the switch-fa1 interface is not associated with an IP address while the switch is in recovery mode. This ensures that two devices do not respond to the same IP address. Without the switch n option, the same recovery IP address is used by either switch when it enters recovery mode. By definition, there is only one switch in a given VSS system in recovery mode at a time, making one recovery IP address sufficient.
If the two switches must use different IP addresses when the respective switch is in recovery mode, use the switch n option. You can configure recovery IP addresses without the switch n option and with the switch n option simultaneously for a total of three IP addresses, one global and one per switch. When done, the per-switch IP address takes precedence. If no per-switch IP address exists, the global IP address is used.
Following are two examples. In this scenario, if switch 1 enters recovery mode, it will use IP1 for the fa1 interface on switch 1. Conversely, if switch 2 enters recovery mode, it will use IP2 for the fa1 interface on switch 2. In this scenario, if switch 1 enters recovery mode, it will use IP1 for the fa1 interface on switch 1. Conversely, if switch 2 enters recovery mode, it will use GIP for the fa1 interface on switch 2.
The peer switch communicates over the VSL to negotiate the switches' roles. If only one switch becomes operational, it assumes the VSS active role. The VSLP includes the following protocols:. LMP identifies and rejects any unidirectional links. VSL moves the control traffic to another port if necessary.
During the startup sequence, the VSS standby switch sends virtual switch information from the startup-config file to the VSS active switch. The VSS active switch ensures that the following information matches correctly on both switches:. There are various ways to recover from this situation. You can make the necessary changes afterwards and reboot the switch and ensure VSL links are connected and not put in shutdown mode. This method requires that no traffic flows through this switch. Once the switch is in standalone mode, you can convert it to VSS and then reboot it.
If these conditions are unsatisfied, the VSS stops booting and ensures that the forwarding plane is not performing forwarding. Because both switches need to be assigned their role VSS active or VSS standby before completing initialization, VSL is brought online before the rest of the system is initialized. The initialization sequence is as follows:. If VSS is either forming for the first time or a mismatch exists between VSL information sent by the standby switch and what is on the active switch, the new configuration is absorbed in the startup-config.
This means that if the active switch was running prior to the standby switch and unsaved configurations existed, they would be written to the startup-config if the standby switch sends mismatched VSL information. If priority is configured, the higher priority switch becomes active. When you subsequently boot the other switch, the VSL links become active, and the new switch boots as the VSS standby switch. Because preemption is not supported, if a VSS active is already running, the peer switch would always receive the VSS standby role, even if its priority is higher than that of the active switch.
If the VSL is down when both switches try to boot up, the situation is similar to a dual-active scenario. One of the switches becomes VSS active and the other switch initiates recovery from the dual-active scenario. For further information, see the "Configuring Dual-Active Detection" section. The following sections describe restrictions and guidelines for VSS configuration.
The responsibility of bandwidth availability for a given network requirement lies with the network operator. Also, all VSL links configured on one module may cause a Dual-Active operation, if the module goes down. When both supervisor engines are converted, they could be inserted in the chassis. A combination of converted and non-converted supervisor engines in a chassis is not supported and it may disrupt the network. This will cause continuous reloads on the standby supervisor engine.
To mitigate this, you can reduce the policer rate. In a more restrictive case, a rate of 50 Mbps might be necessary to achieve a maximum of Mbps. In a more liberal case, where conforming action of Mbps is not a problem, policing rate could be kept to Mbps. When configuring dual-active detection, note the following guidelines and restrictions:. For module redundancy, the two ports can be on different modules in each switch, and should be on different modules than the VSL ports, if feasible.
The VSS combines two standalone switches into one virtual switch, operating in virtual switch mode. Note: Preferably, conversion to VSS should be done during a maintenance window. If you plan to use the same port channel number for VSL, default the existing port channel configurations that are available on standalone switches.
To convert two standalone switches into a VSS, you perform the following major activities:. In virtual switch mode, both switches use the same configuration file.
When you make configuration changes on the VSS active switch, these changes are automatically propagated to the VSS standby switch. The tasks required to convert the standalone switch to a VSS are detailed in the following sections. In the procedures that follow, the example commands assume the configuration shown in the figure. Note: The port channels 10 and 20 mentioned in the config steps below are merely exemplary.
You can configure any port channel number from for VSL port channel. Save the configuration files for both switches operating in standalone mode. You need these files to revert to standalone mode from virtual switch mode.
Switch-1# copy startup-config disk0:old-startup-config
Switch-2# copy startup-config disk0:old-startup-config
You must configure the same virtual switch domain number on both switches of the VSS. The virtual switch domain is a number between 1 and , and must be unique for each VSS in your network (the domain number is incorporated into various identifiers to ensure that these identifiers are unique across the network).
Within the VSS, you must configure one switch to be switch number 1 and the other switch to be switch number 2. To configure the virtual switch domain and switch number on both switches, perform this task on Switch Note The switch number is not stored in the startup or running configuration, because both switches use the same configuration file but must not have the same switch number.
The VSL is configured with a unique port channel on each switch. To avoid this situation, check that both port channel numbers are available on both of the switches. Check the port channel number with the show running-config interface port-channel command. The command displays an error message if the port channel is available for VSL.
For example, the following command shows that port channel 20 is available on Switch Note The port channels 10 and 20 mentioned in the configuration steps below are exemplary only.
You must add the VSL physical ports to the port channel. Tip: For line redundancy, we recommend configuring at least two ports per switch for the VSL. For module redundancy, the two ports can be on different switching modules in each chassis.
Conversion to virtual switch mode requires a restart for both switches. A backup copy of the startup configuration file is saved in bootflash. This file is assigned a default name, but you are also prompted to override the default name if you want to change it.
After you enter the command, you are prompted to confirm the action. Enter yes. The system creates a converted configuration file, and saves the file to the bootflash. Note: After you confirm the command (by entering yes at the prompt), the running configuration is automatically saved as the startup configuration and the switch reboots.
When switches are being converted to VSS, you should not set them to ignore startup-config. If done, the switch can be enabled to parse the startup-config at the rommon prompt.
Ignoring startup-config in VSS mode causes a switch to boot in a semi-VSS mode, which can only be corrected by a reboot and by enabling the parsing of startup-config. Note: You cannot configure or provision modules on VSS. When switches form initial VSS relationships, they send module information to each other and this information is pushed to the configuration and used subsequently for provisioning, provided the switch is booting and the peer is down or not present.
These commands are not available to the user, and the various numbers used in these commands are internal to the system and used to identify a module. These commands are written to the startup-config when a switch detects a given module while it is running in VSS mode.
When reconverted to standalone mode, these commands are removed from the startup-config. You need to complete the VSS conversion process on the two member switches separately. Step 1: Define a Virtual Switch Domain number. Step 4: Final step in the process of VSS conversion. Step 1: Define a Virtual Switch Domain number on switch 2. Step 4: Final step in the process of VSS conversion on switch 2. Displays the virtual switch domain number, and the switch number and role for each of the switches.
Displays the role, switch number, and priority for each of the switches in the VSS. Most routers will select the first filename that they find on the flash memory so in our case, it means it would boot the older IOS image. We can change this with the boot system command. Above we can see we booted the new Cisco IOS image.
We also checked how to verify the integrity of the file with the MD5 checksum and how to configure your router to boot the new IOS image. Hi Rene! When we upgrade IOS of router what about configuration? Is it still the same?
Newer routers also support copying from USB sticks. This will show up as usbflash: in the filesystem overview.