Lifecycle, patch and vulnerability management for Cisco devices

atsukane
Level 1

Hi all,

I work for a mid-sized financial firm with a total network device count of less than 100, mostly consisting of Catalyst 9k (core and access switches), with a handful of Nexus 9k, MDS 9k, ISR4k, a pair of WLC5520s in SSO (AP3802s), and a dozen FTDs managed by an FMCv.

We traditionally relied on Cisco vulnerability notifications and our partner's reports for upgrading software on an as/when-required basis and didn't have a set patching schedule. And the upgrade method is logging on (SSH) to each device and running the upgrade.

As this is very reactive and time consuming, I want to move to a more proactive way to manage our estate, and started looking at DNAC, and soon realised that it's not like FMC where you just spin up a VM, connect devices and start managing them.

Our partner has suggested the Meraki dashboard as an alternative for a smaller firm like us, and while it has its own limitations it seems to be good enough to cover software upgrades for CAT switches, and the wireless part sounded good too. (We'll decom the 5520s and move on to 9800 while the APs are still supported.) So we are planning a demo and POC soon.

Unfortunately it doesn't have a feature to flag vulnerabilities against the running software images of the managed devices, nor manage non-CAT devices; this is the same for DNAC apparently. Since the number of Nexus, MDS and ISRs is low, I'm not too bothered about this, and the FMC/FTD upgrade is a relatively simple job.

So I just wondered what/how other people in this community are doing to manage software upgrades and the upgrade cycle, vulnerability mitigation, and how to review EOL products.

Vendors like SolarWinds and ManageEngine seem to have NCM products which do some of these things and may even do better than the Cisco products. (Though I found upgrades on ManageEngine's NCM not very user friendly and requiring some getting used to.)

Many thanks,

4 Replies

Ramblin Tech
Spotlight

You might consider an engagement with Cisco's Advanced Services organization, as they offer support services that are proactive in nature rather than reactive break-fix, which is the purpose of TAC. Services like bug scrubs, PSIRT vulnerability assessments, EOL tracking, comparison of your own h/w failure rates against MTBF (i.e., your deployment's reliability ratio), and ongoing consulting with your senior network Ops staff can be included in an engagement.

Might be worth a couple of hours' time to get your account team to bring in somebody from Services/CX to brief you on the packages available. Advanced Services engagements are common among Cisco's largest SP and enterprise customers, but you should be able to tailor a package for your network size and budget.

Disclaimer: I am long in CSCO

Leo Laohoo
Hall of Fame

I use various RSS feeds to give us a heads-up on Cisco Security Bulletins when they get published. This has been working flawlessly for the last 10 years.

Even though we have DNAC, the firmware updates of our routers, switches and WLCs are exclusively done manually because of a hack that I employ. Cisco's recommended method to upgrade IOS-XE means that there is no way to have the routers, switches and WLCs unpack the packages now but reboot the platform at a later date. My hack (aka One-Hit-Wonder) allows me to do this with a 100% success rate -- and I am talking about >800 stacks of switches and about a hundred routers.

In two weeks, we will be migrating all our WLCs and switches from 17.9.5 to 17.12.3. This entire exercise will all be done manually.

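The two ideas above, an RSS feed as the heads-up for new advisories, and the original question's wish to flag advisories against the devices actually in the estate, can be combined in a small script. The following is an added example, not code from any of the posters or from Cisco: it parses an RSS 2.0 feed of the shape a vendor advisory feed uses, remembers which advisory IDs it has already reported so that each run only surfaces new ones, and lists the inventory hosts whose product family is named in an advisory title. The feed XML, the inventory, the advisory IDs and the `FAMILY_KEYWORDS` map are all constructed for the example; the matching is keyword triage (which devices someone should look at), not an authoritative affected-version determination, which needs the vendor's structured advisory data rather than a headline feed.

```python
# Added example: triage advisories from an RSS feed against a device inventory.
# Sample feed, inventory and advisory IDs below are constructed, not real.
import json
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample feed with the structure of an RSS 2.0 advisory feed.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>Example Security Advisories</title>
<item>
 <title>Cisco IOS XE Software Web UI Privilege Escalation Vulnerability</title>
 <link>https://example.invalid/advisory/cisco-sa-example-iosxe-1</link>
 <description>Severity: Critical</description>
</item>
<item>
 <title>Cisco NX-OS Software Command Injection Vulnerability</title>
 <link>https://example.invalid/advisory/cisco-sa-example-nxos-1</link>
 <description>Severity: High</description>
</item>
<item>
 <title>Cisco Firepower Threat Defense Software Denial of Service Vulnerability</title>
 <link>https://example.invalid/advisory/cisco-sa-example-ftd-1</link>
 <description>Severity: Medium</description>
</item>
</channel></rss>
"""

# Constructed inventory shaped like the estate in the question (placeholder names/versions).
INVENTORY = [
    {"host": "core-sw-01", "family": "IOS XE", "version": "17.9.5"},
    {"host": "acc-sw-12", "family": "IOS XE", "version": "17.9.5"},
    {"host": "nx-01", "family": "NX-OS", "version": "10.2(5)"},
    {"host": "mds-01", "family": "NX-OS", "version": "9.3(2)"},
    {"host": "ftd-edge-01", "family": "FTD", "version": "7.2.5"},
    {"host": "wlc-01", "family": "AireOS", "version": "8.10.190"},
]

# Phrases that name a product family in an advisory title, mapped to the
# inventory's family labels. Extend this for the products you actually run.
FAMILY_KEYWORDS = {
    "IOS XE": ["ios xe"],
    "NX-OS": ["nx-os"],
    "FTD": ["firepower threat defense"],
    "AireOS": ["aireos"],
}


def parse_feed(xml_text):
    """Return a list of {'id', 'title', 'link', 'severity'} dicts from an RSS 2.0 feed."""
    advisories = []
    for item in ET.fromstring(xml_text).iter("item"):
        link = (item.findtext("link") or "").strip()
        sev = re.search(r"Severity:\s*(\w+)", item.findtext("description") or "")
        advisories.append({
            "id": link.rsplit("/", 1)[-1],  # advisory ID is the last path segment
            "title": (item.findtext("title") or "").strip(),
            "link": link,
            "severity": sev.group(1) if sev else "Unknown",
        })
    return advisories


def affected_hosts(advisory, inventory):
    """Hosts whose product family is named in the advisory title (keyword triage only)."""
    title = advisory["title"].lower()
    families = {f for f, kws in FAMILY_KEYWORDS.items() if any(k in title for k in kws)}
    return sorted(d["host"] for d in inventory if d["family"] in families)


def triage(xml_text, inventory, seen):
    """Return advisories whose ID is not in `seen`, each with hosts to review; updates `seen`."""
    report = []
    for adv in parse_feed(xml_text):
        if adv["id"] in seen:
            continue
        seen.add(adv["id"])
        report.append({**adv, "hosts": affected_hosts(adv, inventory)})
    return report


def load_seen(path):
    p = Path(path)
    return set(json.loads(p.read_text())) if p.exists() else set()


def save_seen(path, seen):
    Path(path).write_text(json.dumps(sorted(seen)))


if __name__ == "__main__":
    state_file = "seen_advisories.json"  # persisted between scheduled runs
    seen_ids = load_seen(state_file)
    for entry in triage(SAMPLE_FEED, INVENTORY, seen_ids):
        print(f"[{entry['severity']}] {entry['id']}: {entry['title']}")
        print("    review:", ", ".join(entry["hosts"]) or "no matching devices")
    save_seen(state_file, seen_ids)
```

Run on a schedule, a second run with an unchanged feed prints nothing, so the output is the same heads-up the RSS approach gives, narrowed to the devices in the inventory; replacing `SAMPLE_FEED` with the fetched feed body and `INVENTORY` with an export from whatever tool holds the device list is the only change needed. The version column is carried through so that the `hosts` list can be compared against the affected releases once someone reads the advisory itself.
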
@Leo Laohoo When you say "done manually", I don't suppose you mean to ssh onto each device and run the upgrade process.

I'd be very interested to know the hack that you developed!