RicTodd89
Beginner

c3560 Upgrade Path

Hi,

I need to upgrade the software on several 3560s from IOS version 12.2(55)SE8 to 15.2(4)E6.

Can it be upgraded directly to that version?

10 REPLIES
Reza Sharifi
Hall of Fame Expert

Hi,

As long as you have the supported amount of DRAM and flash for the new IOS, you can upgrade directly.

HTH

Leo L
VIP Community Legend

What is the exact model of the switch?
If the switch is only FastEthernet ports then 12.2(55)SE is the "highest" version you can go. Actually it is 12.2(58)SE but this train is so buggy it's not worth it.
If the switch has GigabitEthernet then you can go direct to the 15.2(4)E train. However, be warned that upgrading to this level will include a one-off microcode upgrade. This usually takes around 45 to 50 minutes. So don't freak out when the upgrade is taking its merry time.

"However, be warned that upgrading to this level will include a one-off microcode upgrade. This usually takes around 45 to 50 minutes. So don't freak out when the upgrade is taking its merry time."

As Leo notes, the microcode upgrades take quite a while. I recall if you have a console connection, there's some status information that at least lets you know, from time to time, that something is happening. But if you do such an upgrade just via VTY, it's very disturbing when the 3750 doesn't come back on-line after the routine reload time, again, when this isn't expected.

Also on the subject of console access vs. VTY, I came across a 3750 that someone else had upgraded, and part of the microcode upgrade had failed due to insufficient flash to decompress one of the microcode modules. I came across this after the 3750 was given a remote console connection, and I saw the error during a reload. I don't recall whether there was a way to verify the microcode upgrade without "seeing" console output. (NB: As far as I know the 3750 was working okay without that one microcode upgrade, but I corrected it anyway.)

So, the reason why we're doing these upgrades is to fix a DHCP Remote Code Execution Vulnerability that we were alerted to.  If the switch is Fast Ethernet, then does that mean we would not be able to do the upgrade?

The upgrade path depends on the switch model and the amount of flash:. I have numerous switches that are Fast Ethernet with 32M flash: that are running 150-2.SE11. This is the highest level IOS that you can run on a 3560/3560G switch given they have 32M RAM.

 

The same holds true for the 3560E, the highest IOS it will take is 150-2.SE11. The 3560X will take any IOS up to 15.2(4)E6.

 

Cheers,

Sam

Leo L
VIP Community Legend


@RicTodd89 wrote:

If the switch is Fast Ethernet, then does that mean we would not be able to do the upgrade?


What is the CVE of this vulnerability? 

My recommendation is to get TAC to confirm what version is suitable for both the 3560 and the 3560G/E/X models. 

You will have to upgrade to 15.2(4)E6 to resolve this vulnerability which means you will have to have a 3560X to resolve it. You can look up the bugs on the Software Checker:

 

https://tools.cisco.com/security/center/softwarechecker.x

 

Cheers,

Sam

Okay, thank you for the insight.  

All of these 3560s are at branch offices so I will only be able to upgrade them remotely.  We have a Lantronix at each office so that we can console into them.

Is there a back out plan you'd recommend in case the upgrade doesn't take?

There really is no backup plan for remote sites; at one point you will have to remove the existing image to make room for the new image. You are vulnerable from the time you delete the file to the time you finish uploading the new image. There really is no workaround for this.

 

The 3560E switches can hold two images, you can copy the new image up to the switch > change the boot path > reboot > delete old image. It is purely by chance that the flash: on the E switches will hold two images.  On the 3560/G/X you cannot do this.

 

Regards,

Sam

Leo L
VIP Community Legend


@RicTodd89 wrote:

Is there a back out plan you'd recommend in case the upgrade doesn't take?


Depends on what your definition of "upgrade" is.  There are three methods of upgrading the IOS of a switch.  

The first one is copying the BIN file.  Two other methods use the "archive" automation command. 

The first method is the most "dangerous" because there is no way to determine if the BIN file copied is the correct one for the platform, and there is also no method of determining whether the file copied is corrupt or not.  This method is only for people who know what they're doing.  People who ask "how to upgrade the switch IOS" should never use this ("copy" command) method or it will be a long car/plane ride to fix a switch that has gone into ROMmon.  

The most reliable method of upgrading a switch IOS is to use the "archive download-sw" automation command.  I'd like to repeat that it is an AUTOMATED command.  Once invoked, the switch will unpack the contents of the TAR file into a folder.  When used with the default option, the platform will perform a "hardware check" (to make sure the TAR file is meant for the platform or not).  At the end of the process, it will perform another verification to determine whether the BIN file is corrupt or not.  

How to Upgrade IOS on Catalyst Switches - Easy as Pi
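Added example (editor's note, not code from any poster in this thread or from Cisco): a pre-flight script for the remote upgrades discussed above. It covers two points raised here. Sam's point that the back-out plan depends on whether flash: can hold both images, so the old image stays bootable until the new one has been proven, versus the delete-then-copy window where the switch runs from RAM with no image on flash. And Leo's point that the plain "copy" method gives no check that the copied BIN is intact; the MD5 comparison below is the off-box equivalent of IOS's `verify /md5 flash:/image.bin <hash>` against the hash published on cisco.com. The `dir flash:` text, the new-image size and the image bytes are constructed for illustration, not captured from a switch; the 1 MiB headroom is an assumption, prompted by the microcode-decompression failure on a nearly full flash: reported earlier in the thread, not a Cisco figure. `<tftp-server>` and `<md5 from cisco.com>` are placeholders you fill in.

```python
"""Pre-flight checks for a remote Catalyst 3560 IOS upgrade (added example)."""
import hashlib
import re

# One entry line from 'dir flash:'. Real output looks like:
#   2  -rwx    11592704  Mar 1 1993 00:01:23 +00:00  c3560-ipbasek9-mz.122-55.SE8.bin
# The name is the last whitespace-separated token; 'drwx' marks a directory.
_ENTRY = re.compile(r"^\s*\d+\s+(?P<perm>[-d]rw[x-])\s+(?P<size>\d+)\s+(?P<rest>\S.*)$")
_TOTAL = re.compile(r"^(?P<total>\d+) bytes total \((?P<free>\d+) bytes free\)$")

# Headroom to leave free after the copy. Assumption, not a Cisco figure: the thread
# reports a microcode module failing to decompress on a nearly full flash:, so do
# not plan to fill it to the last byte.
RESERVE_BYTES = 1 * 1024 * 1024


def parse_dir(text):
    """Parse 'dir flash:' output into ({file_name: size}, total_bytes, free_bytes)."""
    files, total, free = {}, None, None
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            if not m.group("perm").startswith("d"):      # skip directories
                files[m.group("rest").split()[-1]] = int(m.group("size"))
            continue
        m = _TOTAL.match(line.strip())
        if m:
            total, free = int(m.group("total")), int(m.group("free"))
    if total is None:
        raise ValueError("no 'bytes total' summary line in dir output")
    return files, total, free


def plan_upgrade(dir_text, running_image, new_image, new_size, reserve=RESERVE_BYTES):
    """Decide whether the old image can stay as a fallback, and list the IOS steps."""
    files, _total, free = parse_dir(dir_text)
    if running_image not in files:
        raise ValueError(f"{running_image} is not in flash:")
    need = new_size + reserve
    copy = f"copy tftp://<tftp-server>/{new_image} flash:"
    verify = f"verify /md5 flash:/{new_image} <md5 from cisco.com>"
    boot = ["configure terminal", f" boot system flash:/{new_image}", "end", "write memory"]
    if free >= need:
        # Both images fit: the old one stays bootable until the new one is proven.
        return {"strategy": "keep_old", "exposed_window": False,
                "steps": [copy, verify, *boot, "reload", f"delete flash:/{running_image}"]}
    if free + files[running_image] >= need:
        # Only one image fits: the delete-then-copy window Sam describes is unavoidable.
        return {"strategy": "delete_old_first", "exposed_window": True,
                "steps": [f"delete flash:/{running_image}", copy, verify, *boot, "reload"]}
    return {"strategy": "does_not_fit", "exposed_window": False, "steps": []}


def verify_md5(image_bytes, expected_hex):
    """Off-box equivalent of 'verify /md5': compare the copied file to the published hash."""
    return hashlib.md5(image_bytes).hexdigest() == expected_hex.strip().lower()


# Constructed 'dir flash:' output modelled on a 32 MB 3560; not captured from a real switch.
SAMPLE_DIR = """\
Directory of flash:/

    2  -rwx    11592704  Mar 1 1993 00:01:23 +00:00  c3560-ipbasek9-mz.122-55.SE8.bin
    3  -rwx        3096  Mar 1 1993 00:03:40 +00:00  config.text
    4  -rwx         616  Mar 1 1993 00:03:40 +00:00  vlan.dat
    5  drwx         192  Mar 1 1993 00:04:01 +00:00  c3560-ipbasek9-mz.122-55.SE8

32514048 bytes total (20917440 bytes free)
"""
OLD_IMAGE = "c3560-ipbasek9-mz.122-55.SE8.bin"
NEW_IMAGE = "c3560-ipbasek9-mz.150-2.SE11.bin"   # the target Sam names for 32 MB 3560/3560G
NEW_SIZE = 16_000_000                            # assumed size, not the real file size

# Stand-in bytes for an image file so the hash check runs offline (constructed).
FAKE_IMAGE = b"constructed stand-in for an IOS image, not a real binary\n" * 1000


def fake_image_md5():
    """Plays the role of the hash published on cisco.com for FAKE_IMAGE."""
    return hashlib.md5(FAKE_IMAGE).hexdigest()


if __name__ == "__main__":
    plan = plan_upgrade(SAMPLE_DIR, OLD_IMAGE, NEW_IMAGE, NEW_SIZE)
    print(plan["strategy"], "exposed window:", plan["exposed_window"])
    for step in plan["steps"]:
        print("  ", step)
    print("hash ok:", verify_md5(FAKE_IMAGE, fake_image_md5()))
    print("truncated copy ok:", verify_md5(FAKE_IMAGE[:-1], fake_image_md5()))
```

Run it against the real `dir flash:` output from each branch switch and the size of the image you actually downloaded. A `keep_old` plan is the only one with a real back-out: if the new image fails to boot, the old BIN is still on flash: and the Lantronix console gets you into ROMmon to boot it. A `delete_old_first` plan is the exposure Sam describes, so only start the copy once the TFTP transfer has been tested from that site. Whichever method you use, changing the `boot system` statement before the hash matches is the step that turns a corrupt download into a site visit, which is also why Leo prefers `archive download-sw`, since it does the platform and integrity checks for you.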