09-15-2011 04:58 PM - edited 03-04-2019 01:37 PM
Hi there,
I have recently started a new job where the IOS on the 1841 routers is version 12.4. These are from 2006 mainly, probably when the routers were bought. My question is should I upgrade to 15.0? Mainly just to plug security holes that Cisco have found?
How many people continually upgrade the IOS?
Thanks
09-15-2011 05:33 PM
Cory,
If you have no issues in your current environment, there is no need to upgrade. You should only upgrade if you need to deploy specific features that your current IOS does not support and have issues with IOS bugs and not because other people are upgrading. IOS 12.4 is not very old, but if you are planning to upgrade, make sure to read the release notes and go over bug fixes. New does not always mean better.
HTH
09-15-2011 05:40 PM
How many people continually upgrade IOS versions?
I do. And I do it every time Cisco releases a new IOS.
It's no longer "my" argument but "our" argument as a team. In the past, I would "quietly" upgrade the IOS (supervisor approval, of course). Then our team would get emails from security saying "blah, blah, blah PSIRT". Ever since I've been progressively upgrading the IOS, we've been shooting back responses to the security team with "blah, blah, blah IOS upgraded XX weeks before your email."
It's not just bug fixes but new features too. Zero-Touch AutoSmartport, smartport macros, energywise ... I have no issues with constantly upgrading IOS.
09-15-2011 05:42 PM
Cory
Agree with Reza on this. There is no need to upgrade unless -
1) you need new features
2) you are running features in which there is a bug that could affect you, i.e. if you aren't using BGP for example then you don't need to worry about issues in the BGP code
Having said that, if there was a general security issue, i.e. a malformed packet can cause the router to crash, then this may be worth upgrading simply because a "curious" internal user could cause a device failure.
But generally with network devices, if it isn't broke then leave well alone is my motto.
Jon
09-15-2011 05:45 PM
Thanks for the quick responses. The security guy here basically wants to make sure it is all secure. I have gone through the released stuff from Cisco and he believes there are some things that may be vulnerable.
I generally do agree, if it ain't broke don't touch it. Might just have to upgrade and leave it at that??
09-15-2011 05:48 PM
Might just have to upgrade and leave it at that??
Upgrading ONCE and "leave it at that" doesn't mean you're out of the woods. Bugs and exploits are discovered on a daily basis. Upgrade if you have to but don't upgrade-and-walk-away because you don't know what's around the corner.
I get regular Cisco PSIRT RSS feeds to keep me up-to-date with the latest security issues.
09-15-2011 05:50 PM
Do you trust the ED IOS'??? Is there an easier way to find out when new releases are out?
09-15-2011 05:52 PM
Is there an easier way to find out when new releases are out?
You can try MyCisco Software Alerts.
09-15-2011 05:49 PM
Cory
To be fair, a lot depends on the environment you work in. The last place I worked it was very difficult to get an outage at all, so I got used to leaving well alone unless absolutely necessary. If I could have got more outages I may well have upgraded more often, but bear in mind each IOS upgrade can cause its own problems, e.g. 6500s require you to make sure module support hasn't been removed for certain linecards etc.
Jon