03-13-2023 07:09 PM
I was wondering what the general consensus is regarding upgrading switches/routers to the newest released version of IOS.
I know everyone has their own opinions on the matter. I have been a Network Engineer (Cisco centric) for over 20 years, so I'm sure recommendations have changed over time. It seems like new vulnerabilities are always being discovered, whether they are low, med, high, etc. The security team where I am currently working is requesting us to upgrade every time a new vulnerability is released, regardless of the severity (or whether it really even pertains to our configurations). We are at the point where we are basically upgrading as soon as a new version is released, and it's taking a lot of time and resources.
In the past at other employers, we typically didn't go to a new version for at least 3-6 months after it was released, and also had to provide a justification for the upgrade, whether the new code had a feature we wanted to implement, or we ran into a bug, or there was a critical vulnerability in the current version we were running. We never just upgraded for the sake of having the latest version available. However, I am basing this off the past, so maybe best practices have changed regarding software management.
Just curious on other opinions out in the field and how they navigate their internal upgrade processes.
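The triage the post describes (does the advisory actually reach a device we run, given its release train and its configuration, and does the severity justify an out-of-cycle upgrade) can be written down instead of argued about per ticket. The script below is an added example and is not part of the original post; the advisory IDs, first-fixed releases, configuration preconditions and device inventory are all constructed for illustration and are not real Cisco PSIRT data. In practice the first-fixed release per train and the "vulnerable configuration" conditions come from the advisory text itself.

```python
"""Triage constructed Cisco-style advisories against a device inventory.

Added example: advisory IDs, releases and configs below are constructed
for illustration and are not real Cisco PSIRT data.
"""
import re
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Parse an IOS-XE style release such as '17.3.4a' into a sortable tuple.

    Assumes major.minor.maintenance with an optional single rebuild letter,
    so 17.3.4 sorts before 17.3.4a, which sorts before 17.3.5.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", v.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {v!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def train_of(v: str) -> str:
    """Release train is major.minor, e.g. '17.3' for 17.3.4a."""
    major, minor, *_ = parse_version(v)
    return f"{major}.{minor}"


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    severity: str          # Low / Medium / High / Critical
    first_fixed: dict      # train -> first fixed release in that train
    required_config: tuple # regexes that must ALL match the running config


@dataclass(frozen=True)
class Device:
    hostname: str
    version: str
    running_config: str


def runs_affected_code(device: Device, adv: Advisory) -> bool:
    """True if the device's release is below the first fixed release of its train.

    Trains the advisory does not list are treated as unaffected.
    """
    fixed = adv.first_fixed.get(train_of(device.version))
    if fixed is None:
        return False
    return parse_version(device.version) < parse_version(fixed)


def has_vulnerable_config(device: Device, adv: Advisory) -> bool:
    """True only if every configuration precondition is present on the device.

    An advisory with no preconditions applies to every affected release.
    """
    return all(re.search(pat, device.running_config, re.MULTILINE)
               for pat in adv.required_config)


def is_exposed(device: Device, adv: Advisory) -> bool:
    return runs_affected_code(device, adv) and has_vulnerable_config(device, adv)


SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


def triage(devices, advisories, min_severity="High"):
    """Return {advisory_id: [hostnames]} for advisories that both meet the
    severity threshold and actually reach a device; anything else waits for
    the regular upgrade cycle.
    """
    threshold = SEVERITY_RANK[min_severity]
    result = {}
    for adv in advisories:
        if SEVERITY_RANK[adv.severity] < threshold:
            continue
        hit = [d.hostname for d in devices if is_exposed(d, adv)]
        if hit:
            result[adv.advisory_id] = hit
    return result


# Constructed sample data (hypothetical advisories and devices).
ADVISORIES = (
    # web UI issue: only exploitable if the HTTP server is enabled
    Advisory("EXAMPLE-ADV-1", "High", {"17.3": "17.3.5", "17.6": "17.6.2"},
             (r"^ip http server",)),
    # low-severity issue with no configuration precondition
    Advisory("EXAMPLE-ADV-2", "Low", {"17.3": "17.3.6"}, ()),
    # critical issue that needs BGP configured
    Advisory("EXAMPLE-ADV-3", "Critical", {"16.12": "16.12.5"},
             (r"^router bgp \d+",)),
)

DEVICES = (
    Device("core-sw-1", "17.3.4a", "hostname core-sw-1\nip http server\nrouter bgp 65001\n"),
    Device("dist-sw-1", "17.3.4a", "hostname dist-sw-1\nno ip http server\n"),
    Device("edge-rtr-1", "16.12.4", "hostname edge-rtr-1\nrouter bgp 65001\n"),
    Device("wan-rtr-1", "17.6.3", "hostname wan-rtr-1\nip http server\n"),
)

if __name__ == "__main__":
    for adv_id, hosts in triage(DEVICES, ADVISORIES).items():
        print(f"{adv_id}: out-of-cycle upgrade needed on {', '.join(hosts)}")
```

With the constructed data, dist-sw-1 runs the same affected release as core-sw-1 but has `no ip http server`, so it is not exposed to EXAMPLE-ADV-1 and would wait for the normal cycle; lowering `min_severity` to "Low" pulls EXAMPLE-ADV-2 into scope for both 17.3 switches, which is the "upgrade for everything" policy the post is pushing back on.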
03-13-2023 10:04 PM - edited 03-13-2023 10:06 PM
I have been a network engineer since 2010 and I have never been so busy finding bugs since the introduction of IOS-XE -- Read between the lines.
Pre-IOS-XE, I used to upgrade our routers, switches, WLC every 6 months.
03-14-2023 06:23 AM
I am currently working on a DoD (Dept of Defense) contract, so security is obviously a major priority. However, constantly upgrading IOS-XE, NX-OS, etc. has caused more unplanned issues because the process is so rushed and never tested that it doesn't make much sense to me. I have worked other DoD contracts, but I don't remember having to constantly upgrade IOS every time a low vulnerability is released.
03-14-2023 10:11 PM
IOS-XE is more complicated than classic IOS.
Any router, switches, WLC running on IOS-XE means there are multiple CPUs. Monitoring each CPU is vastly different to monitoring a single CPU in classic IOS.
And memory leaks are no exception either.
If you are happy rebooting, every 4 to 6 months, any appliances running on IOS-XE, then there should be no problem upgrading the firmware.