Before You Begin
Read the following information carefully, before you begin an upgrade.
- Review Supported Upgrade Paths
- Review Time Taken for Upgrade
- Review Available Cisco APIC-EM Ports
- Securing the Cisco APIC-EM
- Back Up the Controller Database and Files
- Configure the Authenticate Timeout Value for Users
Review Supported Upgrade Paths
You can directly upgrade to Cisco APIC-EM, Release 1.4.0.x from any of the following releases:
Note | The Cisco APIC-EM, Release 1.4.0.x does not support VLAN termination and Network Interface Card (NIC) bonding. If you are using Cisco APIC-EM, Release 1.3.3.x with these features, you cannot upgrade to Release 1.4.0.x. |
If you are using a release earlier than the Cisco APIC-EM releases listed above, you must first upgrade to one of those releases (with the latest patch) and then upgrade to Release 1.4.0.x.
Review Time Taken for Upgrade
The upgrade process for the Cisco APIC-EM may take up to approximately 60 minutes to complete. The actual time taken for an upgrade varies depending upon a number of factors, including the scale of your network deployment, number of endpoints involved, and applications in use (EasyQoS, IWAN, and Network Plug and Play).
Note | Services will be restarted at different times during the upgrade process and for this reason, not all the applications will start up at once. |
The Cisco APIC-EM controller will be inoperable during the upgrade process, and for this reason we recommend that you schedule the upgrade during your network off-peak hours or a maintenance time period.
Review Available Cisco APIC-EM Ports
The following tables list the Cisco APIC-EM ports that permit incoming traffic, as well as the Cisco APIC-EM ports that are used for outgoing traffic. You should ensure that these ports on the controller are open for both incoming and outgoing traffic flows.
The following table lists Cisco APIC-EM ports that permit incoming traffic into the controller.
Port Number | Permitted Traffic | Protocol (TCP or UDP) |
---|---|---|
22 | SSH | TCP |
80 | HTTP | TCP |
123 | NTP | UDP |
162 | SNMP | UDP |
443 | HTTPS | TCP |
500 | ISAKMP. To deploy multiple hosts across firewalls in certain deployments, the IPSec ISAKMP (Internet Security Association and Key Management Protocol) UDP port 500 must be allowed to traverse the firewalls. | UDP |
16026 | SCEP | TCP |
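One way to check a host against the inbound table above before the upgrade window, as an added example that is not Cisco's code: it parses `ss -tuln` output and reports listeners that the table does not document, plus documented ports that are not listening. The `ss` sample is constructed, and treating loopback-only sockets as out of scope is an assumption.

```python
# Added example: compare `ss -tuln` output with the documented inbound ports.
# Inbound ports permitted into the controller, copied from the table above.
DOCUMENTED_INBOUND = {
    ("tcp", 22): "SSH", ("tcp", 80): "HTTP", ("udp", 123): "NTP",
    ("udp", 162): "SNMP", ("tcp", 443): "HTTPS", ("udp", 500): "ISAKMP",
    ("tcp", 16026): "SCEP",
}

# Constructed sample of `ss -tuln` output (not captured from a real controller).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
tcp   LISTEN 0      128    [::]:8443          [::]:*
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:162        0.0.0.0:*
"""

# Assumption: sockets bound only to loopback are not reachable from the network.
LOOPBACK_PREFIXES = ("127.", "[::1]")

def parse_listeners(ss_output):
    """Return {(proto, port)} for sockets bound to non-loopback addresses."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, _, port = fields[4].rpartition(":")
        if addr.startswith(LOOPBACK_PREFIXES) or not port.isdigit():
            continue
        listeners.add((fields[0], int(port)))
    return listeners

def audit(ss_output):
    """Return (undocumented listeners, documented ports with no listener)."""
    seen = parse_listeners(ss_output)
    documented = set(DOCUMENTED_INBOUND)
    return sorted(seen - documented), sorted(documented - seen)

if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_SS)
    for proto, port in unexpected:
        print(f"undocumented listener: {port}/{proto}")
    for proto, port in missing:
        name = DOCUMENTED_INBOUND[(proto, port)]
        print(f"documented but not listening: {port}/{proto} ({name})")
```
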
The following table lists Cisco APIC-EM ports that are used for outgoing traffic from the controller.
Port Number | Permitted Traffic | Protocol (TCP or UDP) |
---|---|---|
22 | SSH (to the network devices) | TCP |
23 | Telnet (to the network devices) | TCP |
53 | DNS | UDP |
80 | Port 80 may be used for an outgoing proxy configuration. Additionally, other common ports such as 8080 may also be used when a proxy is being configured by the Cisco APIC-EM configuration wizard (if a proxy is already in use for your network). | TCP |
123 | NTP | UDP |
161 | SNMP agent | UDP |
443 | HTTPS | TCP |
500 | ISAKMP. To deploy multiple hosts across firewalls in certain deployments, the IPSec ISAKMP (Internet Security Association and Key Management Protocol) UDP port 500 must be allowed to traverse the firewalls. | UDP |
Securing the Cisco APIC-EM
The Cisco APIC-EM provides many security features for the controller itself, as well as the hosts and network devices that it monitors and manages. We strongly suggest that the following security recommendations be followed when deploying the controller.
Back Up the Controller Database and Files
Before performing an upgrade, you should back up your controller's database and files using the Backup & Restore window of the GUI.
Note | In a multi-host cluster, the database and files are replicated and shared across three hosts. When backing up and restoring in a multi-host cluster, you need to first back up on only one of the three hosts in the cluster. For detailed information about both backup and restore, see the Cisco Application Policy Infrastructure Controller Enterprise Module Administrator Guide. |
You must have administrator (ROLE_ADMIN) permissions and either access to all resources (RBAC scope set to ALL) or an RBAC scope that contains all of the resources that you want to group. For example, to create a group containing a specific set of resources, you must have access to those resources (custom RBAC scope set to all of the resources that you want to group).
For information about the user permissions required to perform tasks using the Cisco APIC-EM, see the chapter, Managing Users and Roles in the Cisco Application Policy Infrastructure Controller Enterprise Module Administrator Guide.
Configure the Authenticate Timeout Value for Users
You can configure authentication timeouts that require the user to log back into the controller with their credentials (username and password) using the Authentication Timeout window in the Cisco APIC-EM GUI.
Before beginning the software update process for the Cisco APIC-EM, we recommend that you configure the idle timeout value in the Authentication Timeout window of the GUI for at least an hour. If a user is logged out due to an idle timeout during the software update process, the update fails and must be re-initiated.
You must have administrator (ROLE_ADMIN) permissions and either access to all resources (RBAC scope set to ALL) or an RBAC scope that contains all of the resources that you want to group. For example, to create a group containing a specific set of resources, you must have access to those resources (custom RBAC scope set to all of the resources that you want to group).
For information about the user permissions required to perform tasks using the Cisco APIC-EM, see the chapter, Managing Users and Roles in the Cisco Application Policy Infrastructure Controller Enterprise Module Administrator Guide.
Step 1 | In the Home window of the controller's GUI, click either admin or the Settings icon (gear) at the top right corner of the screen. |
Step 2 | Click the Settings link from the drop-down menu. |
Step 3 | In the Settings navigation pane, click Authentication Timeout to view the Authentication Timeout window. |
Step 4 | Configure the idle timeout value using the Idle Timeout drop-down menu. You should configure the idle timeout to a value greater than one hour. |
Step 5 | (Optional) Configure the session timeout value using the Session Timeout drop-down menu. You can configure the session timeout value in increments of 30 minutes, up to 24 hours. The default value is six hours. |
Step 6 | Click the Apply button to apply your configuration to the controller. |