About Image Repository
Cisco DNA Center stores all of the software images, software maintenance updates (SMUs), subpackages, ROMMON images, and so on for the devices in your network. Image Repository provides the following functions:
-
Image Repository: Cisco DNA Center stores all the unique software images according to image type and version. You can view, import, and delete software images.
-
Provision: You can push software images to the devices in your network.
Before using Image Repository features, you must enable Transport Layer Security protocol (TLS) on older devices such as Cisco Catalyst 3000, 4000, and 6000. After any system upgrades, you must re-enable TLS. For more information, see “Configure Security for Cisco DNA Center” in the Cisco DNA Center Administrator Guide.
Integrity Verification of Software Images
The Integrity Verification application monitors software images that are stored in Cisco DNA Center for unexpected changes or invalid values that could indicate your devices are compromised. During the import process, the system determines image integrity by comparing the software and hardware platform checksum value of the image that you are importing to the checksum value identified for the platform in the Known Good Values (KGV) file to ensure that the two values match.
On the Image Repository window, a message displays if the Integrity Verification application cannot verify the selected software image using the current KGV file. For more information about the Integrity Verification application and importing KGV files, see the Cisco Digital Network Architecture Center Administrator Guide.
View Software Images
After you run Discovery or manually add devices, Cisco DNA Center automatically stores information about the software images, SMUs, and subpackages for the devices.
Procedure
Step1 | In the Cisco DNA Center GUI, click the Menu icon ( The software images are organized and displayed based on the device type. By default, software images for physical devices are displayed. Toggle to the Virtual tab to view software images for virtual devices.
| ||
Step2 | In the Family column, click the downward arrow to view all the software images for the specified device type family. The Device(s) column indicates how many devices are using the specific image shown in the Image Name field. Click the number of devices to view the devices that are using the image. | ||
Step3 | In the Version column, click the Add On link to view the applicable SMUs, Subpackages, ROMMON, APSP, and APDP upgrades for the base image. Subpackages are the additional features that can be added to the existing base image. The subpackage version that matches the image family and the base image version is displayed here. AP Service Pack (APSP) and AP Device Pack (APDP) are images for upgrading APs associated with wireless controllers.
| ||
Step4 | In the Device Role column, select a device role for which you want to indicate that this is a "golden" software image. For more information, see About Golden Software Images and Specify a Golden Software Image. |
Use a Recommended Software Image
Cisco DNA Center displays and allows you to select Cisco-recommended software images for the devices that it manages.
![]() Note | Only the latest Cisco-recommended software images are available for download. |
Procedure
Step1 | In the Cisco DNA Center GUI, click the Menu icon ( |
Step2 | Verify that you have entered the correct credentials to connect to cisco.com. |
Step3 | In the Cisco DNA Center GUI, click the Menu icon ( Cisco DNA Center displays the Cisco-recommended software images according to device type. |
Step4 | Designate the recommended image as golden. See Specify a Golden Software Image for more information. |
Step5 | Push the recommended software image to the devices in your network. See Provision a Software Image for more information. |
Import a Software Image
You can import software images and software image updates from your local computer or from a URL.
Imported images are categorized based on different supervisors that are present in a specific device family. Categorization under different supervisors supports only the Cisco Catalyst 9400 series family.
If you use FTP to import an image from an FTP server, use the FTP standard:
ftp://username:password@ip_or_hostname/path
Procedure
Step1 | In the Cisco DNA Center GUI, click the Menu icon ( | ||
Step2 | Click Import. | ||
Step3 | Click Choose File to navigate to a software image or software image update stored locally. Alternately, enter the image URL to specify an HTTP or FTP source from which to import the software image or software image update. | ||
Step4 | If the image you are importing is for a third-party (non-Cisco) vendor, select Third Party under Source. Choose an Application Type, describe the device Family, and identify the Vendor. | ||
Step5 | Click Import. A window displays the progress of the import. | ||
Step6 | Click Show Tasks to verify that the image was imported successfully. If you imported a SMU, Cisco DNA Center automatically applies the SMU to the correct software image, and an Add-On link appears below the corresponding software image. | ||
Step7 | Click the Add-On link to view the SMU. | ||
Step8 | In the Device Role field, select the role for which you want to mark this SMU as golden. See Specify a Golden Software Image. You can only mark a SMU as golden if you previously marked the corresponding software image as golden.
|
Assign a Software Image to a Device Family
After importing a software image, you can assign or unassign it to available device families. The imported image can be assigned to multiple devices at any time.
To assign an imported software image to a device family:
Procedure
Step1 | In the Cisco DNA Center GUI, click the Menu icon ( | ||
Step2 | Click Imported Images. | ||
Step3 | Click Assign in the corresponding image name row. | ||
Step4 | In the Assign Device Family window, choose the Device Series from Cisco.com or All Device Series and click Assign link to which you want to map the image. Note: If cisco.com credentials are not set, specify the credentials in System > Settings > Cisco.com Credentials. | ||
Step5 | Select appropriate site from the Global hierarchy and click Assign and then click Save. | ||
Step6 | To unassign an image, choose a site from the Global hierarchy and click Unassign link in the Action column. The software image is assigned to the device family and the number of devices using that image are shown in the Device(s) column. After assigning the image, you can mark it as a golden image. See Specify a Golden Software Image. If the device family is marked as a golden image, you cannot delete that image from the device family.
|
Upload Software Images for Devices in Install Mode
The Image Repository page might show a software image as being in Install Mode. When a device is in Install Mode, Cisco DNA Center is unable to upload its software image directly from the device. When a device is in Install Mode, you must first manually upload the software image to the Cisco DNA Center repository before marking the image as golden, as shown in the following steps.
Procedure
Step1 | In the Cisco DNA Center GUI, click the Menu icon ( |
Step2 | In the Image Name column, find the software image of the device that is running in Install Mode. |
Step3 | Click Import to upload the binary software image file for the image that is in Install Mode. |
Step4 | Click Choose File to navigate to a software image stored locally or Enter image URL to specify an HTTP or FTP source from which to import the software image. |
Step5 | Click Import. A window displays the progress of the import. |
Step6 | Click Show Tasks and verify that the software image you imported is green, indicating it has been successfully imported and added to the Cisco DNA Center repository. |
Step7 | Click Refresh. The Image Repository window refreshes. Cisco DNA Center displays the software image, and the Golden Image and Device Role columns are no longer dimmed. |
About Golden Software Images
Cisco DNA Center allows you to designate software images and SMUs as golden. A golden software image or SMU is a validated image that meets the compliance requirements for the particular device type. Designating a software image or SMU as golden saves you time by eliminating the need to make repetitive configuration changes and ensures consistency across your devices. You can designate an image and a corresponding SMU as golden to create a standardized image. You can also specify a golden image for a specific device role. For example, if you have an image for the Cisco 4431 Integrated Service Routers device family, you can further specify a golden image for those Cisco 4431 devices that have the Access role only.
You cannot mark a SMU as golden unless the image to which it corresponds is also marked golden.
Specify a Golden Software Image
You can specify a golden software image for a device family or for a particular device role. The device role is used for identifying and grouping devices according to their responsibilities and placement within the network.
Procedure
Step1 | In the Cisco DNA Center GUI, click the Menu icon ( The software images are displayed according to device type. | ||
Step2 | From the Family column, select a device family for which you want to specify a golden image. | ||
Step3 | From the Image Name column, select the software image that you want to specify as golden. | ||
Step4 | If the software image that you specify as golden is already uploaded into the Cisco DNA Center repository, click the star icon in the Golden Image column. The software image is marked as golden. | ||
Step5 | If the software image that you specify as golden is not already uploaded into the Cisco DNA Center repository, click the download icon in the Golden Image column. This process might take some time.
| ||
Step6 | From the Download Image dialog box, do one of the following:
| ||
Step7 | In the Device Role column, select a device role for which you want to specify a golden software image. Even if you have devices from the same device family, you can specify a different golden software image for each device role. Note that you can select a device role for physical images only, not virtual images. |
Configure an Image Distribution Server
You can configure an external image distribution server to distribute software images.
Procedure
Step1 | In the Cisco DNA Center GUI, click the Menu icon ( | ||
Step2 | Click Add to add a new image distribution server. | ||
Step3 | Configure the server settings:
| ||
Step4 | Click Save. | ||
Step5 | To edit the image distribution server settings, do the following:
|
Add Image Distribution Servers to Sites
You can associate SFTP servers located in different geographical regions to sites, buildings, and floors. All the devices under the network hierarchy use the associated image distribution server during a network upgrade.
Before you begin
You must configure an image distribution server. See Configure an Image Distribution Server.
Procedure
Step1 | In the Cisco DNA Center GUI, click the Menu icon ( |
Step2 | In the left pane, choose the desired site to which you want to associate the image distribution server. |
Step3 | Click Add Servers. |
Step4 | In the Add Servers window, check the Image Distribution check box. |
Step5 | Click OK. |
Step6 | Click the Primary drop-down list and choose the image distribution server that you want to configure as primary. |
Step7 | Click the Secondary drop-down list and choose the image distribution server that you want to configure as secondary. |
Step8 | Click Save. |
Provision a Software Image
You can push software images to the devices in your network. Before pushing a software image to a device, Cisco DNA Center performs upgrade readiness prechecks on the device, such as checking the device management status, disk space, and so on. If any prechecks fail, you cannot perform the software image update. After the software image of the device is upgraded, Cisco DNA Center checks for the CPU usage, route summary, and so on, to ensure that the state of the network remains unchanged after the image upgrade.
![]() Note | You can perform prechecks on multiple devices. |
Cisco DNA Center compares each device's software image with the image that you have designated as golden for that specific device type. If there is a difference between the software image of the device and the golden image, Cisco DNA Center specifies the software image of the device as outdated. The upgrade readiness prechecks are triggered for those devices. If all the prechecks are cleared, you can distribute (copy) the new image to the device and activate it (that is, make the new image the running image). The activation of the new image requires a reboot of the device. Because a reboot might interrupt the current network activity, you can schedule the process for a later time.
If you have not designated a golden image for the device type, the device's image cannot be updated. See Specify a Golden Software Image.
Procedure
Step1 | In the Cisco DNA Center GUI, click the Menu icon ( | ||
Step2 | From the Focus drop-down list, choose Software Images. Select the device whose image you want to upgrade.
| ||
Step3 | From the Actions drop-down list, choose Software Images > Update Image. The Image Upgrade window appears. | ||
Step4 | Analyze Selection: Choose the devices that you want to upgrade and click Next. | ||
Step5 | Distribute: Click Now to start the distribution immediately or click Later to schedule the distribution at a specific time. To choose the validators you want to run for the current workflow and add new custom checks, do the following:
| ||
Step6 | Click Next. | ||
Step7 | Activate: Click Now to start the activation immediately or click Later to schedule the activation at a specific time. To choose the validators you want to run for the current workflow and add new custom checks, do the following:
| ||
Step8 | Click Next. | ||
Step9 | Summary: Review the Image upgrade settings. Click Back if you want to make any changes otherwise click Submit. |
From the Actions drop-down list, choose Software Images > Image Update Status to check the status of the update.
Import ISSU Compatibility Matrix
In-Service Software Upgrade (ISSU) is a process that upgrades the image on a device without rebooting or with minimal interruption of service. For an example of the Cisco IOS XE ISSU compatibilty matrix for Catalyst Switches, see https://software.cisco.com/download/home/286315874/type/286326638/release/17.4.1. You can download and import the ISSU compatibility matrix in Cisco DNA Center when you want to upgrade devices with ISSU.
Procedure
Step1 | In the Cisco DNA Center GUI, click the Menu icon ( |
Step2 | Click Import. The Import Image/Add-On window appears. |
Step3 | To import the ISSU compatibility matrix with a software image, do the following:
|
Step4 | (Optional) To import the ISSU compatibility matrix for software images that are already imported, do the following:
|
Step5 | Click Show Tasks to view the ISSU compatibility matrix file Import status. |
Upgrade a Software Image with ISSU
Upgrading devices using the In-Service Software Upgrade (ISSU) eliminates the need to reboot and reduces service interruption.
Before you begin
Before you upgrade a device using the ISSU, you must import the ISSU compatibility matrix file. See Import ISSU Compatibility Matrix.
Procedure
Step1 | In the Cisco DNA Center GUI, click the Menu icon ( | ||
Step2 | From the Focus drop-down list, choose Software Images. Select the device whose image you want to upgrade. | ||
Step3 | From the Actions drop-down list, choose Software Images > Update Image. The Image Upgrade window appears. | ||
Step4 | In the Analyze Selection page, enable the ISSU upgrade:
| ||
Step5 | From the Distribute page, click Now to start the image distribution immediately or Later to schedule the distribution at a specific time. To choose the validators you want to run for the current workflow and add new custom checks, do the following:
| ||
Step6 | Click Next. | ||
Step7 | From the Activate page, click Now to start the activation immediately or click Later to schedule the activation at a specific time. To choose the validators you want to run for the current workflow and add new custom checks, do the following:
| ||
Step8 | Click Next. | ||
Step9 | From the Summary page, review the image upgrade settings. Click Back if you want to make any changes; otherwise click Submit. |
From the Actions drop-down list, choose Software Images > Image Update Status to check the status of the update.
List of Device Upgrade Readiness Prechecks
Precheck | Description |
---|---|
File transfer check | Checks if the device is reachable through HTTPS and SCP. The default order of protocols is HTTPS first and then SCP. |
NTP clock check | Compares device time and Cisco DNA Center time to ensure successful Cisco DNA Center certificate installation. |
Flash check | Verifies if there is enough disk space for the update. If there is not enough disk space, a warning or error message is returned. For information about the supported devices for Auto Flash cleanup and how files are deleted, see Auto Flash Cleanup. |
Config register check | Verifies the config registry value. |
Crypto RSA check | Checks whether an RSA certificate is installed. |
Crypto TLS check | Checks whether the device supports TLS 1.2. |
IP Domain name check | Checks whether the domain name is configured. |
Startup config check | Checks whether the startup configuration exists for the device. |
NFVIS Flash check | Checks if the golden image is ready to be upgraded in the NFVIS device. |
Service Entitlement check | Checks if the device has valid license. |
View Image Update Status
Procedure
Step1 | In the Cisco DNA Center GUI, click the Menu icon ( |
Step2 | From the Focus drop-down list, choose Software Images. |
Step3 | From the Actions drop-down list, choose Software Images > Image Update Status. By default, the Image Update Status window shows all the recent image update tasks. You can click the down arrow and choose Failed, In-progress, or Success tasks. |
Step4 | Click the down arrow corresponding to each task and do the following to view details of the task:
|
Auto Flash Cleanup
During the device upgrade readiness precheck, the flash check verifies whether there is enough space on the device to copy the new image. If there is insufficient space:
-
For devices that support auto flash cleanup, the flash check fails with a warning message. For these devices, the auto cleanup process is attempted during the image distribution process to create the sufficient space. As a part of the auto flash cleanup, Cisco DNA Center identifies unused .bin, .pkg, and .conf files and delete them iteratively until enough free space is created on the device. Image distribution is attempted after the flash cleanup. You can view these deleted files in Sytem > Audit Logs.
Note
Auto flash cleanup is supported on all devices except Nexus switches and Wireless controllers.
-
For devices that do not support auto flash cleanup, the flash check fails with an error message. You can delete files from device flash to create required space before starting the image upgrade.