Cisco PSIRT publishes an advisory affecting the IOS-XE 17.x train running on twelve customer-edge ISR routers. The MSP needs the upgrade staged, approved, executed across twelve maintenance windows, validated, and documented — with the customer informed before, during, and after each window.

Systems involved

System                      Role
Jira                        Source change request from the security team.
Freshservice                Customer-facing CR with approvals and CAB sign-off.
Studio inventory            The twelve target hosts, organized by customer and site.
Cisco IOS-XE                The actual upgrade target.
TFTP / SCP                  Image staging path.
Slack #fleet-upgrade-q2     Operational channel during each window.
ConnectWise PSA / NetBox    CMDB updated with new firmware version per device.
Gmail                       Pre- and post-window customer comms.

Walkthrough

1. Build the upgrade plan from Jira

Copilot reads the Jira CR, lists every host tagged cisco-edge in inventory matching the affected version, and drafts a per-customer table with current version, target version, and the right maintenance window.

2. Generate the customer-facing CR

The Freshservice connector creates one CR per customer. Each contains the affected device, the maintenance window, the rollback path, the contact tree, and the Jira advisory link. CAB approves five at a time.

3. Pre-window customer email

Copilot drafts a per-customer email through Gmail 24 hours before each window: scope, expected outage, contact phone, post-window verification commitment. You review and queue.

4. Stage the firmware image

Copilot pushes the IOS-XE image to the local SCP server and verifies the MD5 against Cisco’s published hash. If a customer’s edge can’t reach the central SCP, it picks the local jump host instead.

5. Open the war room

At T-15 minutes for each window, Copilot opens a Slack thread in #fleet-upgrade-q2, posts the device, the customer, the rollback command set, and the on-call name. Anyone joining sees the same context.

6. Run the upgrade procedure

The Cisco IOS-XE upgrade procedure runs against the host. Pre-checks: reachability, free flash, backup config to TFTP, save running-config. Stage commands appear in the staging panel for approval. After approval the upgrade runs, the device reloads, and the procedure waits for the OOB SSH path to come back.

7. Post-upgrade verification

The procedure runs show version, show ip interface brief, show bgp summary, and the customer-specific functional check. A diff of the pre- and post-upgrade output is attached to the run.

8. Sync CMDB and close the CR

Copilot updates the ConnectWise/NetBox entry with the new firmware version and the upgrade timestamp. The Freshservice CR is closed with the diff artifact attached, and a closing email goes to the customer with the validation snippets.
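
One way to express the gate from steps 4 and 6 (hash match, free flash, confirmed backup), as an added example that is not Studio's own code. The function names, the 10% flash headroom, and the policy of requiring a SHA-512 value alongside MD5 are assumptions; the sample dir line is constructed.

```python
import hashlib
import os
import re

# Constructed sample of the summary line that ends IOS-XE `dir` output.
SAMPLE_DIR = "7451738112 bytes total (1203245056 bytes free)"
_DIR_FREE = re.compile(r"(\d+) bytes total \((\d+) bytes free\)")


def file_digest(path, algo, chunk=1 << 20):
    """Hash a staged image in chunks so a multi-GB file never sits in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def free_flash_bytes(dir_output):
    """Return free bytes parsed from captured `dir` output, else None."""
    m = _DIR_FREE.search(dir_output)
    return int(m.group(2)) if m else None


def preflight(image_path, published, dir_output, backup_ok, headroom=1.1):
    """Return blocking failures; an empty list means the push may proceed.

    published maps algorithm name to the hex digest copied from the vendor
    download page, e.g. {"sha512": "...", "md5": "..."}.
    """
    failures = []
    if "sha512" not in published:
        # Policy assumed here: MD5 detects transfer corruption but is not
        # collision resistant, so it is not accepted as the only check.
        failures.append("no SHA-512 value supplied; MD5 alone is not accepted")
    for algo, expected in published.items():
        if file_digest(image_path, algo) != expected.strip().lower():
            failures.append(f"{algo} mismatch for {image_path}")
    need = int(os.path.getsize(image_path) * headroom)
    free = free_flash_bytes(dir_output)
    if free is None:
        failures.append("free flash could not be parsed from dir output")
    elif free < need:
        failures.append(f"free flash {free} B is below required {need} B")
    if not backup_ok:
        failures.append("config backup not confirmed")
    return failures
```

Every check runs before the function returns, so one call reports all blocking conditions for the window rather than only the first.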

Where Studio earns its keep

  • One procedure runs against twelve hosts the same way every time, so the worst window is the same as the best.
  • The pre-checks are non-negotiable — Studio refuses to push the image if free flash is short or the backup didn’t complete.
  • The war room thread captures the exact commands, decisions, and outputs without anyone copying terminal scrollback.
  • The CMDB and the customer email both update from the same source of truth, so no one is asking which version is now running.

Procedures

Build the IOS-XE upgrade procedure once and run it per host.

Shared sessions

Bring a peer into the upgrade window for two-person verification on the highest-risk devices.