Log in to your existing Multi-Site Orchestrator.

Backup existing deployment configuration.

1. From the left navigation pane, select Operations > Backups & Restore.

2. In the main window, click New Backup.

   A New Backup window opens.

3. In the Name field, provide the name for the backup file.

   The name can contain up to 10 alphanumeric characters, but no spaces or underscores (_).

4. Choose Local for the Backup Location.

5. Click Save to create the backup.

Download the backup file from the existing Orchestrator.

Deploy a Nexus Dashboard release 2.1.1e or later cluster and configure fabric connectivity.

Ensure that your Nexus Dashboard cluster is appropriately scaled based on the fabric sizes and number of applications.

Install the NDO service in your Nexus Dashboard.

On-board all sites to the Nexus Dashboard.

1. From the left navigation menu, select Sites.

2. In the top right of the main pane, select Actions > Add Site.

If adding an ACI site, provide the following information:

1. For Site Type, select ACI or Cloud ACI depending on the type of ACI fabric you are adding.

2. Provide the controller information.

   You need to provide the Host Name/IP Address, User Name, and Password. for the APIC controller currently managing your ACI fabrics. If NDO is the only application you plan to host, you can specify either the in-band or out-of-band address of the on-premises APIC; however, if you plan to host other applications, such as Nexus Insights, you must specify the in-band address.

   Note

   By default, the in-band or out-of-band address of the on-premises APIC that you use to on-board the fabric must be reachable from the Nexus Dashboard's data interface. If you want to use the Nexus Dashboard's management interface for NDO traffic, you must configure a static route from the Nexus Dashboard cluster to the fabric's IP from the management interface. For more information, see the Infrastructure Management > Cluster Configuration chapter of the Nexus Dashboard User Guide.

   For on-premises ACI sites managed by Cisco APIC, if you plan to use this site with Day-2 Operations applications such as Nexus Insights, you must also provide the In-Band EPG name used to connect the Nexus Dashboard to the fabric you are adding. Otherwise, if you will use this site with Nexus Dashboard Orchestrator only, you can leave this field blank.

3. Click Add to finish adding the site.

   At this time, the sites will be available in the Nexus Dashboard, but you still need to enable them for Nexus Dashboard Orchestrator management as described in the following steps.

4. Repeat this step to add all the sites from your existing Multi-Site deployment.

Add any remote authentication servers you had configured in your Multi-Site Orchestrator to the Nexus Dashboard.

Add any proxy configuration you had configured in your Multi-Site Orchestrator to the Nexus Dashboard.

Disconnect the existing Multi-Site Orchestrator cluster.

Ensure that the new Nexus dashboard cluster is up and running and the NDO service is installed.

Log in to your Nexus Dashboard GUI.

Ensure that all the sites are on-boarded to Nexus Dashboard.

Open your new Nexus Dashboard Orchestrator service.

Add remote location for configuration backups.

1. From the left navigation pane, select Operations > Remote Locations.

2. In the top right of the main window, click Add Remote Location.

   An Add New Remote Location screen appears.

3. Provide the name for the remote location and an optional description.

   Two protocols are currently supported for remote export of configuration backups:

   • SCP

   • SFTP

   Note	SCP is supported for non-Windows servers only. If your remote location is a Windows server, you must use the SFTP protocol

4. Specify the host name or IP address of the remote server.

   Based on your Protocol selection, the server you specify must allow SCP or SFTP connections.

5. Provide the full path to a directory on the remote server where you will save the backups.

   The path must start with a slash (/) characters and must not contain periods (.) or backslashes (\). For example, /backups/ndo.

   Note	The directory must already exist on the remote server.

6. Specify the port used to connect to the remote server.

   By default, port is set to 22.

7. Specify the authentication type used when connecting to the remote server.

   You can configure one of the following two authentication methods:

   • Password—provide the username and password used to log in to the remote server.

   • SSH Private Files—provide the username and the SSH Key/Passphrase pair used to log in to the remote server.

8. Click Save to add the remote server.

Import the backup file to your new Nexus Dashboard Orchestrator cluster.

1. From the left navigation pane, select Operations > Backups & Restore.

2. In the main pane, click Upload.

3. In the Upload from file window that opens, click Select File and choose the backup file you want to import.

   This is the backup of your existing MSO configuration that you created and downloaded in previous section.

4. From the Remote Location dropdown menu, select the remote location.

5. (Optional) Update the remote location path.

   The target directory on the remote server, which you configured when creating the remote backup location, will be displayed in the Remote Path field.

   You can choose to append additional subdirectories to the path. However, the directories must be under the default configured path and must have been already created on the remote server.

6. Click Upload to import the file.

   Importing a backup will add it to the list of the backups displayed the Backups page. Note that even though the backups are shown on the NDO UI, the files are stored only on the remote server and not directly on the cluster nodes.

Restore the configuration.

1. In the main window, click the actions (…) icon next to the backup you created prior to the upgrade and select Rollback to this backup.

   This opens the Restore from this backup warning dialog.

2. In the Restore from this backup dialog window, click Restore to confirm that you want to restore the backup you selected.

   When the configuration is restored, any sites previously managed by Multi-Site Orchestrator and on-boarded to the Nexus Dashboard will be enabled for NDO management in the GUI. If the configuration backup contains sites that are not on-boarded to your Nexus Dashboard, backup restore will fail with a Pre-restore check failed error and you will need to repeat the procedure after on-boarding any missing sites.

   Depending on the size of your configuration, the database rollback may take several minutes to complete.

3. After the database is restored, click Ok to proceed.

   Release 3.7(2) added database optimization to the configuration rollback workflow, which is automatically triggered as the final stage of restoring configuration.

   Simply click Ok to view the database update progress:

   

Update the password.

Verify that backup was restored successfully and all objects and configurations are present.

1. In the Sites page, verify that all sites are listed as Managed.

   

2. In the Tenants and Schemas pages, confirm that all tenants and schemas from your previous Multi-Site Orchestrator cluster are present.

3. Navigate to Infrastructure > Site Connectivity and confirm that intersite connectivity is intact.

   In the main pane, click Show Connectivity Status next to each site and verify that the underlay and overlay connectivity is still successfully established.

4. In the main pane, click Configure to open Fabric Connectivity Infra screen and verify External Subnet Pool addresses.

   You can view the external subnet pools by selecting General Settings > IPsec Tunnel Subnet Pools tab of the Fabric Connectivity Infra screen and verify that the External Subnet Pools previously configured in Cloud APIC have been imported from the cloud sites.

   These subnets are used to address the IPsec tunnel interfaces and loopbacks of the Cloud Routers used for on-premises connectivity and had to be configured directly in the Cloud APIC in earlier Nexus Dashboard Orchestrator releases.

Upgrade cloud sites.

1. Upgrade a site's Cloud APIC.

   You can upgrade Cloud APIC as you typically would using the process detailed in the "Performing a System Upgrade, Downgrade or Recovery" chapters of Cisco Cloud APIC for Azure Installation Guide or Cisco Cloud APIC for AWS Installation Guide.

   Note that after the Cloud APIC upgrade, any existing public IP tunnels will remain intact and intersite connectivity via public IPsec will not be interrupted .

2. Upgrade that site's CSR.

   Starting with Cloud APIC release 5.2(1) , CSRs upgrade does not happen automatically as it used to in earlier releases, so you must manually trigger CSR upgrade after Cloud APIC is upgraded. You must upgrade the site's CSRs before moving on to upgrading the next site.

   You can upgrade Cloud APIC CSRs using the process detailed in the "Performing a System Upgrade, Downgrade or Recovery" chapters of Cisco Cloud APIC for Azure Installation Guide or Cisco Cloud APIC for AWS Installation Guide.

   As you upgrade CSRs in each site, the following will occur:

   • As each CSR is upgraded, its existing /30 tunnels will be recreated and the traffic will continue to flow.

   • Tunnel-management and all Infra configuration changes from Nexus Dashboard Orchestrator are disabled for as long as any of the cloud sites are still running any Cloud APIC or CSR releases prior to 5.2(1).

   • If the last site you upgrade is an AWS cloud site, the following will occur for that site's CSRs only:

     • The last cloud site's tunnel endpoints will be deleted by Cloud APIC and NDO will delete the corresponding tunnels that use the endpoint

     • NDO will delete the tunnels originating from CSRs in the last cloud site

     • New hcloudInterCloudSiteTunnel MO will be created and Nexus Dashboard Orchestrator's tunnel management will allocate /31 addresses for the new tunnels

     • The CSRs in this site and the CSRs in another cloud site peering with it will establish /31 tunnels.

     If the last upgraded site is an Azure site, the same /30 tunnel will be created on the CSRs and the above four bullet points are not relevant.

   For any CSRs you add or any underlay configuration changes to existing CSRs after the migration process is completed, all new tunnels created by NDO will be /31 tunnel.

   Note	If you do not see BGP sessions within 5 minutes of CSRs upgrade finishing and CSRs coming up, refresh the site's infra connectivity in the Nexus Dashboard Orchestrator Infra Configuration screen.

3. Repeat this step for each cloud site one at a time.

Verify Cloud APIC and CSR upgrades have completed.

1. In each site's Cloud APIC, check that the hcloudReconcileDone MO shows reconcileState=steadyState.

   You can check the MO by navigating to https://<cloud-apic-ip>/visore.html and searching for hcloudReconcileDone in the Class or DN or URL field.

   

2. In Nexus Dashboard Orchestrator, navigate to Infrastructure > Site Connectivity and confirm that intersite connectivity is intact.

   In the main pane, click Show Connectivity Status next to each site and verify that connectivity is healthy in the Overlay Status and Underlay Status tabs.

3. In Nexus Dashboard Orchestrator's Site Connectivity page, click Configure and confirm that the External Subnet Pools previously configured in Cloud APIC have been imported and are present.

   You can view the external subnet pools by selecting General Settings > IPSec Tunnel Subnet Pools tab of the Fabric Connectivity Infra screen.

4. In Nexus Dashboard Orchestrator's Fabric Connectivity Infra screen, select a cloud site, click the Inter-Site Connectivity tab in the right-hand sidebar, and confirm that underlay connectivity using public IPs is preserved for existing sites.

Log in to your new Nexus Dashboard Orchestrator.

In the left navigation menu, select Infrastructure > Site Connectivity.

In the main pane, click Configure.

In the left sidebar, select General Settings.

Provide the OSPF Area ID field.

Add IPN Devices information.

1. Select the IPN Devices tab.

2. Click Add IPN Device.

3. Provide the Name and the IP Address of the on-premises IPN devices.

   You must provide the IP addresses of the devices in your on-premises sites that are used as the tunnel peer address from the Cloud APIC's CSRs, not the IPN device's management IP address.

4. Click the check mark icon to save the device information.

5. Repeat this step for any additional IPN devices you want to add.

Update Underlay Configuration for inter-site connectivity between on-premises and cloud sites.

1. In the left pane, under Sites, select the on-premises site.

2. In the right <Site> Settings pane, select the Underlay Configuration tab.

3. Click +Add IPN Device to specify an IPN device.

4. From the dropdown, select one of the IPN devices you defined previously.

   The IPN devices must be already defined in the General Settings > IPN Devices list, as described in the previous step.

From the dropdown at the top of the screen, select Deploy to re-deploy the Infra configuration.

Check for configuration drifts using the API.

1. Ensure that you are logged in to you Orchestrator UI.

   The API uses the authentication token from the Orchestrator UI login.

2. From the Help menu in the top right corner of the window, choose Help Center.

   

3. In the Help Center's Programming tile, click REST API.

4. From the dropdown at the top of the page, select Nexus Dashboard Orchestrator to show NDO APIs.

   

5. Scroll down to the /api/v1/schemas/template-modified-policy-states API and click Run.

   

   Depending on the number of templates and the size of the configuration, this may take a few minutes, and the Run button will be grayed out during this process.

6. Note down all the templates returned by the API call.

   

Check for configuration drifts using the GUI.

1. In your Nexus Dashboard Orchestrator, navigate to Application Management > Schemas.

2. Select the first schema and check its templates for configuration drifts.

   You will repeat the following steps for every schema and template in your deployment

   You can check for configuration drifts in one of the following two ways:

   • Check the template deployment status icon for each site to which the template is assigned:

     

   • Select the template and click Deploy to sites to bring up the configuration comparison screen to check which objects contain configuration drifts:

     

For every template that contains a configuration drift, resolve the conflicts.

1. Close the template deployment dialog to return to the Schema view.

   Deploying any templates at this point would push the values in the Orchestrator database and overwrite any existing settings in the fabrics.

2. From the template's Actions menu, select Reconcile Drift.

   

   The Drift Reconciliation wizard opens.

3. In the Drift Reconciliation screen, compare the template-level configurations for each site and choose the one you want.

   

   Template-level properties are common across all sites associated to the template. You can compare the template level properties defined on Nexus Dashboard Orchestrator with the configuration rendered in each site and decide what should become the new configuration in the Nexus Dashboard Orchestrator template. Selecting the site configuration will modify those properties in the existing Nexus Dashboard Orchestrator template, whereas selecting the Nexus Dashboard Orchestrator configuration will keep the existing Nexus Dashboard Orchestrator template settings as is

4. Click Go to Site Specific Properties to switch to site-level configuration.

   

   You can choose a site to compare that specific site's configuration. Unlike template-level configurations, you can choose either the Nexus Dashboard Orchestrator-defined or actual existing configurations for each site individually to be retained as the template's site-local properties for that site.

   Even though in most scenarios you will make the same choice for both template-level and site-level configuration, the drift reconciliation wizard allows you to choose the configuration defined in the site's controller at the "Template Properties" level and the configuration defined in Nexus Dashboard Orchestrator at the "Site Local Properties" level or vice versa.

5. Click Preview Changes to verify your choices.

   The preview will display full template configuration adjusted based on the choices picked in the Drift Reconciliation wizard. You can then click Deploy to sites to deploy the configuration and reconcile the drift for that template.