Online Upgrade

Context

In one of the following scenarios, you can upgrade the SA-SDB in online mode:

Direct upgrade: A switch communicates with the upgrade center through the Internet. In this scenario, the switch directly sends upgrade packets to the upgrade center, and you need to configure a security policy on the switch to allow HTTP and FTP packets to pass through.
Proxy upgrade: A switch communicates with the upgrade center through a proxy server. In this scenario, the switch sends upgrade packets to the proxy server, and you need to configure a security policy on the switch to allow HTTP packets to pass through.

There are two ways for online upgrade:

Scheduled upgrade

The switch periodically sends request packets to the upgrade center to check whether a new SA-SDB version is available. If so, the switch automatically downloads the latest SA-SDB and updates the local SA-SDB at the specified time.
Immediate upgrade

When users find that a new SA-SDB version is available on the network, they can upgrade the SA-SDB immediately if the scheduled SA-SDB upgrade time is not reached or scheduled upgrade is not enabled on the switch, the immediate upgrade can be used. The SA-SDB download address and upgrade process of immediate upgrade are the same as those of scheduled upgrade.

Procedure

Configure the upgrade center.
1. Run system-view
  The system view is displayed.
2. Run update server { domain domain-name | ip ip-address } [ port port-number ]
  Information about the upgrade center is configured.
  
  The default domain name is sec.huawei.com.
(Optional) Run update download-server aging-time age-time
The aging time of the download server is configured.

The download server is a server dedicated by the upgrade center to provide download services.

By default, the aging time of the download server is seven days.

The aging time of the download server takes effect only for HTTPS upgrade but not HTTP upgrade.
(Optional) Run update online-mode { http | https }
The protocol for online upgrade through the upgrade center is configured.

By default, HTTPS is used for online upgrade through the upgrade center. That is, the switch uses the HTTPS protocol to send upgrade requests and download the SA-SDB.

HTTP upgrade may bring risks, and therefore HTTPS upgrade is recommended.
(Optional) Configure a proxy server.
Perform this step when the switch connects to the upgrade center through a proxy server.
1. Run update proxy enable
  Proxy upgrade of the SA-SDB is enabled.
2. Run update proxy { domain domain-name | ip ip-address } [ port port-number ] [ user user-name [ password password ] ]
  The domain name (or IP address), user name, and password of the proxy server are configured.
(Optional) Configure a DNS server.
If the domain name of the upgrade center or proxy server is configured, DNS must be configured to resolve the domain name.
1. Run dns resolve
  The dynamic domain name resolution function is enabled.
2. Run dns server ip-address
  An IP address is configured for the DNS server.
(Optional) Specify the source IP address of online upgrade request packets.
Run update host source { interface-type interface-number | ip ip-address [ vpn-instance vpn-instance ] }

The source IP address of online upgrade request packets is specified.
- When you do not specify the source IP address of online upgrade request packets, the system searches for the IP address of the upgrade server in routing entries, and uses the IP address of the outbound interface as the source IP address of the upgrade request packets.
- If the outbound interface has multiple IP addresses, run the update host source ip ip-address command to specify the source IP address of upgrade request packets and ensure that the switch can receive response packets. Otherwise, online upgrade may fail.
If the switch connects to an extranet through a VPN instance, you must configure the update host source ip ip-address command to ensure successful upgrade.
- Before running the update host source interface-type interface-number command on an interface, ensure that the interface has been bound to the corresponding VPN instance.
- When running the update host source ip ip-address command, the vpn-instance vpn-instance parameter must be specified in the command.
Select scheduled upgrade or immediate upgrade.
- Scheduled upgrade
1. Run update schedule sa-sdb enable
  Scheduled upgrade of the SA-SDB is enabled.
2. Run update schedule sa-sdb { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } time
  The scheduled SA-SDB upgrade time is configured.
The SA-SDB upgrade frequency can be adjusted, and once a week is recommended.

Scheduled upgrade may fail due to some reasons. If the upgrade fails, the system tries to upgrade the SA-SDB periodically. You can adjust the SA-SDB re-download and re-loading intervals for scheduled upgrade. To configure the SA-SDB re-download interval (3600 seconds by default), run the update schedule retry-download interval interval-value command in the system view. To configure the SA-SDB re-loading interval (3600 seconds by default), run the update schedule retry-load interval interval-value command.
- Immediate upgrade
1. Run update online sa-sdb
  The latest SA-SDB is downloaded.
If the service performance of the switch is affected due to a low speed of network access after a scheduled or immediate upgrade, you can run the update abort command to terminate the SA-SDB upgrade operation. Wait till the network environment is improved and then run the update online sa-sdb command to continue the latest SA-SDB download.
(Optional) Configure the mode in which a new SA-SDB takes effect.
There are two modes available:
- Download only: The switch only downloads the SA-SDB and you need to manually install the new SA-SDB.
- Download and installation: The switch downloads the SA-SDB and automatically installs it.
By default, the system uses the download and installation mode.

If the download only mode is required, enable the installation confirmation function and install the SA-SDB manually.
1. Run update confirm sa-sdb enable
  The SA-SDB installation confirmation function is enabled.
2. Run update apply sa-sdb
  The downloaded SA-SDB is installed.