Ahh upgrades….in production. Don’t you just love taking the entire companies Core down? :)

I DO! …well not really :)


Everyone usually gets nervous when it comes time for Core upgrades — or any upgrade for that matter. You never know what your gonna hit or if your maintenance window will be longer than it has to! Luckly your you reading this blog post, I’ll have setup by step instructions on what I did to get my Nexus 5ks upgraded to the latest suggested code as of this writing — Release 5.2(1)N1(7).

First, before any upgrade is done, you want to ensure you read the Release Notes for your particular version..

Next, I think most — if not all, Nexus setups have at LEAST vPC setup. I mean, why buy the Ferrari if you’re not gonna gun it? Because of this, it’s a good idea to read up on how to do ISSU upgrade. Refer to my YouTube channel > CCNA DC playlist for more info on this.

As usually, read up on this straight from the horses mouth before attempting the upgrade (aka  the Upgrade/Downgrade Guide).

1. Download the Kickstart and System Image

Next, one thing that is different from IOS is that we now have two images that we need instead of one. The Kickstart and System Image. Go to the Cisco site and download the system and kickstart images.


2. Upload the images via FTP/SFTP/SCP,etc

Just like we did in IOS, we’ll TFTP (or FTP, SCP or SFTP, whatever tickles your fancy) the image over to the bootflash of the 5k.

CORE-01# copy bootflash:
Enter source filename: n5000-uk9.5.2.1.N1.7.bin
Enter vrf (If no input, current vrf ‘default’ is considered): 
Enter username: william
[################ ] 8.80MB

Little bit different from the IOS, if the interface your using is in a different VRF than the default, change it here.

3. Who holds the vPC Primary Role?

Once those two are in place, find out whose the primaryvPC Peer. vPC setups are outside the scope of this blog post, but once again, hitup the YouTube channel > CCNA DC Playlist for a video on this. A simple #sh vpc b will tell you whose who.  Notice the vPC Role line state this 5k is PRIMARY. This is the one we want to upgrade first.  Funny since most setups the vendor wants you to upgrade the secondary first, but according to this Cisco is is the recommended path.

CORE-02# sh vpc
(*) – local vPC is down, forwarding via vPC peer-link

vPC domain id : 1
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status: success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : secondary, operational primary
Number of vPCs configured : 10
Peer Gateway : Enabled
Peer gateway excluded VLANs : –
Dual-active excluded VLANs : –
Graceful Consistency Check : Enabled

#sh vpc role for skimmed version of this.

Note that the control panel communication still goes on even during the upgrade thanks to ISSU — except during a reboot of the switch.


4. Run Pre-Installation Checks

New to some of us who are familiar with IOS, are some NX-OS pre-install commands to run before the actual install are….these are kind of like scripts that run in the background to see if your box is “good” for the upgrade, and if not — shows potential issues to you.

sh install all status

sh incompatibility system ?

sh install impact all

sh install impact all impact system bootflash:///

sh install impact all impact kickstart bootflash://

show spanning-tree issu-impact

sh lacp issu-impact 

Once all those checks out, we can go ahead and do the installation!


5. Installing the New Images

Time to install the images. Get your approved downtime and run the following command off the Primary vPC Peer…

install all system bootflash:///n5000-uk9.5.2.1.N1.7.bin kickstart bootflash:///n5000-uk9-kickstart.5.2.1.N1.7.bin

Thats it,  once that loads on the primary, run #sh install all status to verify everything went through smoothly. Note this process takes a good 10-15 minutes to do and rebooting and whatnot.

Once thats done, run the same command on the second 5k. Notice when you run a #sh vpc b you’ll get the two devices appearing as “Primary”. Just hang tight for the vPC peer link to come back up and eventually you’ll finish where you started with the primary being the primary and secondary being the secondary.


What if I have 2ks/FEXs?

If  you have FEX that are hopefully dual homed to the vPC domain, these guys will reboot. Not only will they reboot, but the 5k pushes down the new code to the 2k so an estimate 5-10 minutes of downtime per FEX is required. Use #sh fex a the end of an update to ensure the FEX is fully online.


Final Thoughts

Also don’t be so fast to call TAC if the port-channels or vPC peer status shows down. I had to wait a good 10 minutes just for the peers to see each other and for the peer links and port-channels to slowly come back up. During my ping -t window, I only saw a few missed pings here and there. The biggest “downtime” was the primary 5k which was down for a few minutes but didn’t matter since the secondary took over.

Hope that helps someone out there doing this for the first time!

William Zambrano

William Zambrano

NYC networkers is run by William Zambrano, a passionate network engineer who has been in the IT industry for eight years who posts up blog articles, YouTube videos, and holds meetup.com events in the NYC area. He lives in Queens, New York and has consulted in various different companies in the NY area. Previously William worked as a Cisco Certified Systems Instructor (CCSI) but now currently works for Arista Networks serving as a Systems Engineer. William can be reached by email at willzambrano@gmail.com

More Posts - Website

Follow Me: