The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Cisco EPN Manager can transfer files to and from devices only if the SNMP read-write community strings configured on your devices match the strings that were specified when the devices were added to Cisco EPN Manager . In addition, devices must be configured according to the settings in How Often Is Inventory Collected?.
Note | While configuring software images on some Cisco IOS-XR devices, the SSH hardening removes the required SSH CBC (Cipher Block Chaining) ciphers thus causing several Software Image Management operations to fail. Ensure that you upgrade to the Cisco IOS-XR version that supports CTR (counter mode) ciphers. Alternatively, you can add CBC ciphers in the SSHD service. To do this, you must first configure the CBC ciphers in the ciphers line of the file in /etc/ssh/sshd_config (as shown in the example below), and then restart the sshd service using the service sshd stop/start command. Ciphers aes128-ctr,aes192-ctr,aes256-ctr, arcfour256,arcfour128,aes128-cbc,3des-cbc, cast128-cbc,aes192-cbc,aes256-cbc |
Note | Software Image Management is not supported in the NAT environment. This means that image management features such as image import, upgrade, distribution, and activation, will not function in the NAT environment. |
If you will be using FTP, TFTP, SFTP, or SCP make sure that it is enabled and properly configured. See Enable FTP/TFTP/SFTP Service on the Server.
Because collecting software images can slow the data collection process, by default, Cisco EPN Manager does not collect and store device software images in the image repository when it performs inventory collection. Users with Administration privileges can change that setting using the following procedure.
You can use Cisco.com to get information about recommended images based on criteria you provide. The following procedure shows how you can adjust those recommendations. The following table also lists the default settings.
Note | To use these features, the device must support image recommendations. |
Use this procedure to specify the default protocols Cisco EPN Manager should use when transferring images from the software image management server to devices. You can also configure Cisco EPN Manager to perform, by default, a variety of tasks associated with image transfers and distributions—for example, whether to back up the current image before an upgrade, reboot the device after the upgrade, continue to the next device if a serial upgrade fails, and so forth. Users with Administration privileges can change that setting using the following procedure.
This procedure only sets the defaults. You can override these defaults when you perform the actual distribute operation.
Note | Cisco EPN Manager does not support the TFTP protocol for distributions from the software image management server to devices. |
Step 1 | Choose , then choose . | |||||||||||||||
Step 2 | Specify the
default protocol
Cisco EPN Manager
should
use when transferring images in the Image Transfer Protocol Order. Arrange the
protocols in order of preference. If the first protocol listed fails,
Cisco EPN Manager
will
use the next protocol in the list.
| |||||||||||||||
Step 3 | Specify the default protocol Cisco EPN Manager should use when configuring images on devices in the Image Config Protocol Order area. Arrange the protocols in order of preference. | |||||||||||||||
Step 4 | Specify the
tasks that
Cisco EPN Manager
should
perform when distributing images:
| |||||||||||||||
Step 5 | Click Save. |
To distribute images to a group of devices, add a software image management server and specify the protocol it should use for image distribution. You can add a maximum of three servers.
When Cisco EPN Manager connects to Cisco.com to perform software image management operations (for example, to check image recommendations), it uses the credentials stored in the Account Settings page. You can change those settings using the following procedure.
Depending on your system settings, Cisco EPN Manager may copy device software images to the image repository during inventory collection (see Control Whether Images Are Saved to the Image Repository During Inventory Collection). If you need to perform this operation manually, use the following procedure, which imports software images directly from devices into the image repository.
Before you begin, ensure that images are physically present on the devices (rather than remotely loaded).
Note | If you are importing many images, perform this operation at a time that is least likely to impact production. |
To view a list of the images used by network devices, choose
.To list the top ten images use by network devices (and how many devices are using those images), choose Software Image Repository under Useful Links, then then click the Image Dashboard icon in the top-right corner of the page.
. ClickIf your device type supports image recommendations, you can use the following procedure to check if a device has the latest image from Cisco.com. Otherwise, use the Cisco.com product support pages to get this information.
Step 1 | Choose , then click the device name hyperlink to open the Device Details page. | ||
Step 2 | Click the
Image tab and scroll down to the Recommended Images
area.
Cisco EPN Manager
lists all of the images from Cisco.com that are recommended for the device.
For
Cisco NCS 2000 and Cisco ONS devices, this choice is displayed on the right
when you click the
Chassis View tab.
|
Use this procedure to list all of the software images saved in the image repository. The images are organized by image type and stored in the corresponding software image group folder.
Step 1 | Choose
Cisco EPN Manager
lists the images that are saved in the image repository within the
Software
Image Summary
panel.
. From here you can:
|
Step 2 | Click a software
image hyperlink to open the Image Information page that lists the file and
image name, family, version, file size, and so forth.
From here you can:
|
Step 1 | Choose Inventory > Device Management > Software Images. |
Step 2 | In the Software Image Summary panel, locate the image that you are interested in by expanding the image categories in the navigation area or entering partial text in one of the Quick Filter fields. For example, entering 3.1 in the Version field would list Versions 3.12.02S, 3.13.01S, and so forth. |
Step 3 | Click the image hyperlink to open the Software Image Summary page. Cisco EPN Manager lists all devices using that image in the Device Details area. |
If your devices support Cisco.com image recommendations, you can use this procedure to check which images your devices should be using.
Step 1 | Choose Inventory > Device Management > Software Images. |
Step 2 | Click Software Image Repository under Useful Links. |
Step 3 | Navigate to and select the software image for which you want to change requirements. |
Step 4 | Choose the devices which you want to distribute the image from the Device List drop-down list and click Distribution New Version. |
Step 5 | Choose one of
the following image sources:
|
Step 6 | Select the image to distribute, then click Apply. |
Step 7 | Choose the image name in the Distribute Image Name field to change your selection and pick a new image, then click Save. |
Step 8 | Specify Distribution Options. You can change the default options in Administration > System Settings >Inventory> Image Management. |
Step 9 | Specify schedule options, then click Submit. |
Depending on your device type, Cisco EPN Manager can narrow the list of available images by maintenance versions, feature sets, versions, and so forth (see Adjust Criteria for Cisco.com Image Recommendations).
Cisco EPN Manager will use the Cisco.com credentials that are set by the administrator. If default credentials are not set, you must enter valid credentials. (See Change Cisco.com Credentials for Software Image Operations).
Step 1 | Choose . | ||
Step 2 | Click the
Add/Import
tab.
| ||
Step 3 | In the Import Images dialog: | ||
Step 4 | Perform a manual download of the images by going to the Cisco.com Software Download site. Enter your credentials and follow the instructions. | ||
Step 5 | Import the newly-downloaded images into the image repository using the procedure in Add a Software Image from a Client Machine File System. | ||
Step 6 | Verify that the images are listed on the Software Images page ( ). |
Cisco EPN Manager displays the recommended latest software images for the device type you specify, and it allows you to download the software images directly from cisco.com. Cisco EPN Manager does not display deferred software images. For detailed information, see Cisco EPN Manager 2.1 Supported Devices list.
Note | In order to download a K9 software image from cisco.com, you must accept/renew the https://software.cisco.com/download/eula.html K9 agreement periodically. |
The following topics explain the different ways you can add software images to the image repository. For an example of how to troubleshoot a failed import, see Manage Jobs Using the Jobs Dashboard.
Note | For Cisco NCS and Cisco ONS devices, you can only import software images using the procedure in Add a Software Image from a Client Machine File System. |
This method retrieves a software image from a managed device and saves it in the image repository.
Note | When distributing an image to a device, use the most secure protocols supported by the device (for example, SCP instead of TFTP). TFTP tends to time out when transferring very large files or when the server and client are geographically distant from each other. If you choose SCP for the image distribution, ensure that the device is managed in Cisco EPN Manager with full user privilege (Privileged EXEC mode); otherwise the distribution will fail due to copy privilege error (SCP: protocol error: Privilege denied). Note that TFTP is supported only when copying images from the device to the server and not the other way around. |
Limitations:
For Cisco IOS-XR devices, direct import of images from the device is not supported by Cisco EPN Manager ; SMU and PIE imports are also not supported on these devices.
For Cisco IOS-XE devices, if the device is loaded with the 'packages.conf' file, then images cannot be imported directly from that device.
You can import software image from network-accessible IPv4 or IPv6 servers. The following file formats are supported: .bin, .tar, .aes, .pie, .mini, .vm, .gz, .ova, and .ros.
Cisco EPN Manager supports to import Non-Cisco standard image.
Step 1 | Choose Inventory > Device Management > Software Images. |
Step 2 | Click the Add/Import tab. |
Step 3 | In the Import
Images dialog:
|
Step 4 | To view the status of the job, click the job link in the pop-up message or choose Administration > Job Dashboard. |
Step 5 | Verify that the image is listed on the Software Images page ( ). |
Step 1 | Choose Inventory > Device Management > Software Images. |
Step 2 | Click the Add/Import tab. |
Step 3 | In the Import
Images dialog:
|
Step 4 | To view the status of the job, click the job link in the pop-up message or choose Administration > Job Dashboard. |
Step 5 | Verify that the image is listed on the Software Images page (Inventory > Device Management > Software Images). |
When you import the software image file, the browser session is blocked temporarily. If the upload operation exceeds the idle timeout limit of the browser session, then you will be logged out of Cisco EPN Manager and the file import operation will be aborted. So it is recommended that you increase the idle timeout limit before you begin with this import operation. To increase the idle timeout, see Configure the Global Timeout for Idle Users.
Step 1 | Choose Inventory > Device Management > Software Images. |
Step 2 | Click the Add/Import tab. |
Step 3 | In the Import Images dialog: |
Step 4 | To view the status of the job, click the job link in the pop-up message or choose Administration > Job Dashboard. |
Step 5 | Verify that the image is listed on the Software Images page (Inventory > Device Management > Software Images). |
Use this procedure to change the RAM, flash, and boot ROM requirements that a device must meet for a software image to be distributed to the device. These values are checked when you perform an upgrade analysis (see Verify That Devices Meet Image Requirements (Upgrade Analysis)).
Note | This operation is not supported on the Cisco NCS 2000 and Cisco ONS families of devices. |
Step 1 | Choose Inventory > Device Management > Software Images. |
Step 2 | In the Software Image Summary panel, locate and select the software image by clicking its associated hyperlink. |
Step 3 | Click the software image name hyperlink to open its image information. |
Step 4 | Adjust the device requirements: |
Step 5 | Click Save. |
Step 6 | Click Restore Defaults, if you want to retain the previous requirements. |
An upgrade analysis verifies that the device contains sufficient RAM or FLASH storage (depending on the device type), the image is compatible with the device family, and the software version is compatible with the image version running on the device. After the analysis, Cisco EPN Manager displays a report that provides the results by device. The report data is gathered from:
Note | Upgrade analysis is not supported on Cisco IOS-XR devices such as Cisco NCS 1000, Cisco NCS 4000, Cisco NCS 5000, Cisco NCS 5500, Cisco NCS 6000, Cisco ASR 9000, and so on. |
If you want to adjust the device requirements for an image, see Change the Device Requirements for Upgrading a Software Image.
The image distribution operation copies a new software image to a specified location on a device. You can distribute images for similar devices in a single deployment, adjusting your choices per device. When you create the job, you determine whether the job runs immediately or at a scheduled time.
Note | Cisco EPN Manager does not support using TFTP to distribute images from a server to devices. |
When you select an image to be distributed, Cisco EPN Manager only displays devices that are suitable for the image. When you create the distribution job, you specify whether Cisco EPN Manager should:
Activate the image in the same job or skip the activation. Delaying the activation lets you perform these tasks before activating the image:
(Cisco IOS XR only) Commit the image in the same job or skip the commit.
Limitations:
When you distribute image to Cisco IOS-XR devices (except Cisco ASR 9000 devices), the image is copied to the device storage before the install package is activated and committed. With Cisco ASR 9000 devices, however, the image is installed on the device directly from Cisco EPN Manager without being copied to the device storage.
During the distribution process, if the protocols used for distribution are not supported by the device, then distribution might fail. For example, if you use the SCP protocol to distribute an image to Cisco ASR 9000 devices, then the distribution fails, because copy of the image onto the device storage is not supported in the device's command line.
Note | The option to distribute an image directly to a device folder is supported only on Cisco ASR907 and Cisco NCS42xx devices. |
Cisco EPN Manager displays feedback and status as the operation proceeds. If you are distributing an image to many devices, you can stagger reboots so that service at a site is not completely down during the upgrade window. For image distribution to work efficiently, the device and server from which the distribution is performed must be in the same geographical location or site. The distribution job will return an error if the distribution takes more time due to network slowness or low speed.
Note | When distributing an image to a device, use the most secure protocols supported by the device (for example, SCP instead of TFTP). TFTP tends to time out when transferring very large files or when the server and client are geographically distant from each other. If you choose SCP protocol for the image distribution, ensure that the device is managed in Cisco EPN Manager with full user privilege (Privileged EXEC mode); otherwise the distribution will fail due to copy privilege error (SCP: protocol error: Privilege denied). |
Before You Begin
Step 1 | Choose Inventory > Device Management > Software Images. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Step 2 | Click the blue
Distribute icon
in the Software Image Management Lifecyle widget.
Cisco EPN Manager
displays the devices that are
appropriate for the images. You can configure the image for each device when
you create a distribution job.
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Step 3 | From the Image Selection tab, select the image that you want to distribute on devices. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Step 4 | From the
Device
Selection
tab, select the devices for image distribution. You can
further adjust the distribution settings for each device.
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Step 5 | From the Image Details Verification tab, select the file system on the device where the image must be distributed using the Distribute Location drop-down menu. This field displays the folders available on the device. To distribute the image to new folders, create the folder on the device manually, and return to this step. Alternatively, you can create a new folder during the distribution process automatically by choosing the 'swim_configuration.xml' file under '/opt/CSCOlumos/swim' and providing any new folder name of your choice. The folder is automatically created under this directory. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Step 6 | Configure the
distribution settings.
In the Image Deployment tab area, configure the behavior for the distribution job—for example, in a bulk distribution job, whether to continue the distribution if it fails on a device. (The preferences are populated according to defaults set by the administrator. For more information, see Adjust Image Transfer and Distribution Preferences).
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Step 7 | In the
Activate Job
Options window, choose the required settings:
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Step 8 | Configure the
image activation settings.
The activation options are sometimes hidden because the ability to activate images during the distribution process has been disabled in the Admin settings. To activate images, please return to Inventory > Device Management > Software Images and click the Activate icon. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Step 9 | (Cisco IOS XR devices) Configure the image commit settings. To commit the image in this job, check Commit. If you want to commit the image later, do not check Commit and then use the procedure in Commit Cisco IOS XR Images Across Device Reloads. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Step 10 | In the Schedule Distribution area, schedule the job to run immediately, at a later time, or on a regular basis. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Step 11 | Click Submit. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Step 12 | Choose
Administration
>
Job
Dashboard to view details about the image distribution job.
|
If you encounter the following image distribution error, please configure the device with the commands listed and try again:
Problem: You encounter the error- 'ssh connections not permitted from this terminal'.
Cause: Device is configured incorrectly.
Solution: Configure the device with the following commands
line vty 0 <number available in the device> transport input ssh transport output ssh
<number available in the device> -represents the unique identifier that varies from 15 to over 100 depending on the IOS version running on the device.
Note | These commands are not supported on Cisco IOS-XR devices. |
Note | To activate Cisco IOS XR images, you can use this procedure or the procedure in Activate, Deactivate, and Remove Cisco IOS XR Images from Devices (which performs the deactivate operation on single devices). |
When a new image is activated on a device, it becomes the running image on the disk. Deactivated images are not removed when a new image is activated; you must manually delete the image from the device.
If you want to distribute and activate an image in the same job, see Distribute a New Software Image to Devices .
To activate an image without distributing a new image to a device — for example, when the device has the image you want to activate—use the following procedure. The activation uses the distribution operation but does not distribute a new image.
Before activating or reverting images on Cisco NCS 2000 devices, ensure that you disable all suppressed alarms on the device. To do this, navigate to the device’s Device Details page in Cisco EPN Manager , click the Configuration tab, and choose Alarm > Alarm Profile to uncheck the Suppress Alarm checkbox.
If you choose the ISSU option to activate an image that is in bundle mode, you need to reload the device after activation. To verify if the device is in bundle mode, run this command show version | in image to check if the image is of the format '.bin'. You can also check the format of the image by looking at the filename of the image in the Image tab of the Device Details view.
During activation using the ISSU option, if the device is in subpackage mode, for example, if the image is of the format ‘bootflash:ISSU/packages.conf’, ensure that you use the same folder to activate the image. Changing the folder location will cause a failure of the activate operation.
Step 1 | Choose Inventory > Device Management > Software Images. | ||||||||||||||||||||||||||||||||||||||||||
Step 2 | Click the Activate icon in the Software Image Management Lifecyle widget. | ||||||||||||||||||||||||||||||||||||||||||
Step 3 |
| ||||||||||||||||||||||||||||||||||||||||||
Step 4 | If you choose Activate from Completed Distribution Jobs, click the Activate Job Options tab. | ||||||||||||||||||||||||||||||||||||||||||
Step 5 | In the
Activate
Job Options window, choose the required settings and go to Step 10:
| ||||||||||||||||||||||||||||||||||||||||||
Step 6 | If you choose Activate from Library in the Activation Source tab, then click the Image Selection tab. | ||||||||||||||||||||||||||||||||||||||||||
Step 7 | If you choose Activate from Standby Image, then go to Step 9. | ||||||||||||||||||||||||||||||||||||||||||
Step 8 | In the Image Selection tab, choose the software images that you want to distribute. | ||||||||||||||||||||||||||||||||||||||||||
Step 9 | Click the
Device
Selection tab and choose the devices for which the image must be
activated.
By default, the devices for which the selected image is applicable are shown. For example, if you choose the Activate from Standby/Alternate Images option in Step 3, then the Device Selection tab displays only devices such as, Cisco NCS 2000, Cisco ONS 15454 devices, and Cisco ME1200 devices, which support activation of standby/alternate images. | ||||||||||||||||||||||||||||||||||||||||||
Step 10 | Click the
Activate
Image tab, and verify whether the selected devices and software
images are mapped correctly for activation. While using standby images for
activation, click the
Verify
Image Selection
tab.
| ||||||||||||||||||||||||||||||||||||||||||
Step 11 | Click the
Activate
Job Options tab, and choose the required Activate Job options.
If you choose the ISSU option from the Activate drop-down list, the software image in the device will get upgraded without need for rebooting the device. While activating a standby image, if the selected device supports a downgrade, then the Only image downgrade checkbox is displayed. Selecting this checkbox ensures that the devices are downgraded only if they support the downgrade operation (for example in case of Cisco NCS2000 devices) and any specified upgrade operation will fail. | ||||||||||||||||||||||||||||||||||||||||||
Step 12 | Click
Submit to activate the software image in the
selected devices.
See table below for information on Cisco devices and the protocols they support for image distribution:
|
You can perform activate, deactivate, and delete operations on specific devices from the Device Details page. That view lists all it becomes the running image on the disk.
Step 1 | Open the Device Details page and click the Image tab. |
Step 2 | Expand the Applied Images area to display all of the images that are installed on the device. |
Step 3 | Identify the image you want to manage, and double-click its Status field. The field changes to an editable row. |
Step 4 | Choose the operation you want to perform from the Status drop-down list, then click Save. Your options are Active, Deactivate, and Remove. |
Step 5 | Click Apply above the images table. |
Step 6 | Choose to view details about the image activation job. |
Note | For Cisco IOS XR devices, we recommend that you do not commit the package change until the device runs with its configuration for a period of time, until you are sure the change is appropriate. |
When you commit a Cisco IOS XR package to a device, it persists the package configuration across device reloads. The commit operation also creates a rollback point on the device which can be used for roll back operations.
If you want to distribute, activate, and commit an image in the same job, use the procedure described in Distribute a New Software Image to Devices .
To commit an activated image, use the following procedure.
Note | If you are only working on a single device, perform the commit operation from the Device Details page (click the Image tab, choose the image, and click Commit). |
Step 1 | Choose Inventory > Device Management > Software Images. |
Step 2 | Click the Commit icon in the Software Image Management Lifecyle widget. |
Step 3 | Select the devices with the image you want to commit and click Submit. (Images can only be committed if they have been activated.) |
Step 4 | Select the software image you want to activate, then click Submit. |
Step 5 | In the Schedule Distribution area, schedule the commit job to run immediately, at a later time, or on a regular basis. |
Step 6 | Click Submit. |
Step 7 | Choose Administration > Job Dashboard to view details about the image activation job. |
Rolling back a Cisco IOS XR image reverts the device image to a previous installation state—specifically, to an installation rollback point. If an image has been removed from a device, all rollback points associated with the package are also removed and it is no longer possible to roll back to that point.
A rollback job can only be performed on one device at a time. You cannot perform a rollback for multiple devices in the same job.
Note | The rollback feature is only supported on Cisco IOS-XR devices such as Cisco ASR 9000 devices. |
Step 1 | Choose , then click the device name hyperlink for the device with the image you want to roll back. |
Step 2 | Click the Image tab and expand the Rollback Info area. |
Step 3 | Select the software image Commit ID you want to roll back to, and click Rollback. The Rollback Scheduler opens. |
Step 4 | If you want to commit the image after the rollback operation completes, check Commit After Rollback. |
Step 5 | In the Schedule Rollback area, schedule the rollback job to run immediately or at a later time, and click Submit. |
To get historical information about device software image changes, check the Network Audit.For more information on the Network Audit feature, see .
Step 1 | Choose
Inventory
>
Network
Audit. To filter the results to show only image
management operations, enter
software
image in the Audit Component field.
| ||
Step 2 | Expand an event
drawer to get details about a device change. For example, if you expand the
drawer highlighted in the above figure, you can see that the image listed in
the job was successfully distributed to the device.
|
Software images can only be manually deleted from the image repository; Cisco EPN Manager does not perform any automatic purging of the image repository. If you have sufficient privileges, you can use the following procedure to delete software image files from the image repository.