The idea for this post came from someone I was working with recently. Thanks Fan (and Carson, and Shree) :-)

In Service Software Upgrade (ISSU) is a method of upgrading software on a switch without interrupting the flow of traffic through the switch. The conditions for successfully completing an ISSU are usually pretty strict and if you don't comply, the hitless upgrade can all of a sudden become impacting.

The conditions for ISSU on the Nexus 5000 are pretty well documented ( link) however, there are a couple bits of knowledge that are not. This post is a reminder of the ISSU conditions you need to comply with and a call out to the bits of information that aren't so well documented.

The two major ISSU conditions on the n5k are:

  1. You must unconfigure all Layer 3 features
  2. The n5k must not have any Spanning Tree (STP) ports in Designated state unless the port is an Edge port.

The first one is easy: the switch cannot be doing any routing. Even if the switch is Layer 2 only, this condition will still fail if any of the following are true:

  • Any Layer 3 features are enabled (even if not configured, just having them enabled is enough to fail)
  • Any Layer 3 licenses are installed (this includes LAN_BASE_SERVICES_PKG and LAN_ENTERPRISE_SERVICES_PKG)

To satisfy condition #1, you must:

  • Unconfigure all Layer 3 features
  • Remove the feature xxx line(s) related to Layer 3 features from the running config
  • Uninstall both Layer 3 licenses
  • If either license was installed, reboot the switch

The last bullet is worth emphasizing. The switch must be reloaded after uninstalling the Layer 3 licenses in order to satisfy condition #1. This is not well documented, but it's true.

The second condition says that there can be no non-Edge ports in the Designated role. Here's an example:

ISSU STP Topology for Failure

  • D is a Designated port
  • R is a Root port
  • DE is a Designated Edge port

The n5ks have ports in the Designated role because there is a downstream switch connected to a non-Edge port. This breaks the ISSU condition.

However the ports on the n2ks are fine because they are β€” by default β€” configured as Edge ports so even though they are in the Designated role, the condition is satisfied.

Resolving this condition in a topology such as the one shown above needs to be done with care. If not done carefully, you could be trading one problem for another or cause some crazy problems in the network.

  • Make sure the n5k is not the STP Root in any VLAN
  • Don't connect a switch downstream of the n5k
  • Connect a switch downstream, but do so with a vPC and make the port-channel interface an Edge port

When you think you've satisfied the conditions for an ISSU, use the show install command to verify. When you see the impact will be non-disruptive for each module then, and only then, will the upgrade be hitless.

Compatibility check is done:
Module  bootable          Impact  Install-type
------  --------  --------------  ------------
     1       yes  non-disruptive         reset
   101       yes  non-disruptive       rolling
   102       yes  non-disruptive       rolling

If you cannot resolve both conditions, then you cannot perform a hitless upgrade.

Disclaimer: The opinions and information expressed in this blog article are my own and not necessarily those of Cisco Systems.