08-28-2018 11:35 AM - edited 03-08-2019 04:01 PM
Hi,
I need to upgrade the software on several 3560s from IOS version 12.2(55)SE8 to 15.2(4)E6.
Can it be upgraded directly to that version?
08-28-2018 01:13 PM
Hi,
As long as you have the supported amount of DRAM and flash for the new IOS, you can upgrade directly.
HTH
08-28-2018 03:33 PM
08-29-2018 03:49 AM
08-30-2018 11:52 AM
So, the reason why we're doing these upgrades is to fix a DHCP Remote Code Execution Vulnerability that we were alerted to. If the switch is Fast Ethernet, then does that mean we would not be able to do the upgrade?
08-30-2018 12:52 PM
The upgrade path depends on the switch model and the amount of flash:. I have numerous switches that are Fast Ethernet with 32M flash: that are running 150-2.SE11. This is the highest level IOS that you can run on a 3560/3560G switch given they are 32M RAM.
The same holds true for the 3560E, the highest IOS it will take is 150-2.SE11. The 3560X will take any IOS up to 15.2(4)E6.
Cheers,
Sam
08-30-2018 03:37 PM
@RicTodd89 wrote:
If the switch is Fast Ethernet, then does that mean we would not be able to do the upgrade?
What is the CVE of this vulnerability?
My recommendation is to get TAC to confirm what version is suitable for both the 3560 and 3560G/E/X model.
08-30-2018 05:26 PM
You will have to upgrade to 15.2(4)E6 to resolve this vulnerability, which means you will have to have a 3560X to resolve it. You can look up the bugs on the Software Checker:
https://tools.cisco.com/security/center/softwarechecker.x
Cheers,
Sam
08-31-2018 02:03 PM
Okay, thank you for the insight.
All of these 3560s are at branch offices so I will only be able to upgrade them remotely. We have a Lantronix at each office so that we can console into them.
Is there a back out plan you'd recommend in case the upgrade doesn't take?
08-31-2018 04:02 PM
There really is no backup plan for remote sites; at one point you will have to remove the existing image to make room for the new image. You are vulnerable from the time you delete the file to the time you finish uploading the new image. There really is no workaround for this.
The 3560E switches can hold two images; you can copy the new image up to the switch > change the boot path > reboot > delete old image. It is purely by chance that the flash: on the E switches will hold two images. On the 3560/G/X you cannot do this.
Regards,
Sam
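The flash-space question in the post above can be checked before anything is deleted. The following is an added example, not part of the original thread: a Python sketch that parses `dir flash:` output captured over the console and reports whether the new image fits beside the running one. The sample output, file names, sizes, the `plan_upgrade` helper and the 1 MB safety margin are all constructed assumptions.

```python
import re

# Constructed sample of `dir flash:` output (file names and sizes are made up).
SAMPLE_DIR = """\
Directory of flash:/

    2  -rwx    12734464   Mar 1 1993 00:10:21 +00:00  old-image.bin
    3  -rwx        2210   Mar 1 1993 00:02:11 +00:00  config.text
    4  -rwx         736   Mar 1 1993 00:02:11 +00:00  vlan.dat

32514048 bytes total (19776638 bytes free)
"""

FILE_RE = re.compile(r"^\s*\d+\s+\S+\s+(\d+)\s+.*\s(\S+)\s*$")
TOTAL_RE = re.compile(r"(\d+) bytes total \((\d+) bytes free\)")

def parse_dir(output):
    """Return (files, total_bytes, free_bytes) from `dir flash:` text."""
    files = {}
    total = free = None
    for line in output.splitlines():
        m = TOTAL_RE.search(line)
        if m:
            total, free = int(m.group(1)), int(m.group(2))
            continue
        m = FILE_RE.match(line)
        if m:
            files[m.group(2)] = int(m.group(1))
    if total is None:
        raise ValueError("no 'bytes total' summary line found")
    return files, total, free

def plan_upgrade(output, new_size, current_image, margin=1_000_000):
    """Hypothetical helper: decide how the new image can be staged."""
    files, total, free = parse_dir(output)
    if current_image not in files:
        raise ValueError(f"{current_image} not found on flash")
    if new_size + margin <= free:
        # Copy new image, change boot path, reboot, then delete the old one.
        return "side-by-side"
    if new_size + margin <= free + files[current_image]:
        # Old image must be removed first: no fallback during the transfer.
        return "delete-first"
    return "does-not-fit"

if __name__ == "__main__":
    print(plan_upgrade(SAMPLE_DIR, 15_000_000, "old-image.bin"))
```

A "delete-first" result is the case where the switch has no image to fall back on until the transfer completes, so those sites are the ones to schedule with console access confirmed.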
08-31-2018 06:16 PM
@RicTodd89 wrote:
Is there a back out plan you'd recommend in case the upgrade doesn't take?
Depends on what your definition of "upgrade" is. There are three methods of upgrading the IOS of a switch.
The first one is copying the BIN file. Two other methods use the "archive" automation command.
The first method is the most "dangerous" because there is no way to determine if the BIN file copied is the correct one for the platform, and there is also no method of determining if the file copied is corrupt or not. This method is only used for people who know what they're doing. People who ask "how to upgrade the switch IOS" should never use this ("copy" command) method or it will be a long car/plane ride to fix a switch that has gone into ROMmon.
The most reliable method of upgrading a switch IOS is to use the "archive download-sw" automation command. I'd like to repeat that this is an AUTOMATED command. Once invoked, the switch will unpack the contents of the TAR file into a folder. When used with the default option, the platform will perform a "hardware check" (to make sure the TAR file is meant for the platform or not). At the end of the process, the process will perform another verification to determine if the BIN file is corrupt or not.