03-11-2009 01:22 PM - edited 03-06-2019 04:31 AM
Not sure if this is the right thread to ask this on, but I'm wondering what the proper theory on applying IOS updates is. Is it the right thing to do to load the newest version of the IOS on my devices?
Is that something you should continually do or do you stick with the version you have unless there is some kind of problem?
I have Cisco switches, routers, APs, firewalls.
03-11-2009 01:26 PM
The old saying
If it ain't broke don't fix it
Applies here. Only upgrade if you have an issue or need a feature not in your current code base.
03-11-2009 01:27 PM
stick with the version you have unless there is some kind of problem?
This is the right approach.
You may also need to upgrade to a newer version if you add a new module or if there is a feature that you need on the newer version.
Other than that, stick with the old version as long as you can.
It's nice to see those routers with 3 years uptime :)
__
Edison.
03-11-2009 01:39 PM
Thanks for the replies. But let me take it one step farther.
Does it matter about the device?
For example, I have always had the feeling that you should leave the switches alone, but when a new release comes out for the ASA I should upgrade.
Am I thinking right?
03-11-2009 01:42 PM
Security devices often need the newer IOS as the older ones possess vulnerabilities.
If the level of risk is high by running an affected IOS, by all means, upgrade.
If the level of risk is medium to low and there are workarounds, keep the old code.
Always check the Release Notes and PSIRT page for vulnerabilities on IOS releases.
03-11-2009 01:46 PM
Only thing I would add to this is that sometimes the latest code for a security device could introduce new bugs. So you should not automatically upgrade even security devices unless either you need new features or you are fixing a serious flaw.
Jon
03-11-2009 03:05 PM
As a general rule I do not upgrade right away to new software unless I for some reason really have to.
These are the steps I want to follow for upgrading software.
1) select a version that should be stable.
2) wait for others to find out bugs in the software and in the meantime play around with it and try different commands to see if you can provoke the software into doing something wrong to find out all the quirks in the software
3) test the software towards your running configurations of all your platforms that it is to be used at.
4) test for incompatibility issues.
5) test upgrade a part of the machine park.
6) full scale rollout
And of course if it fails any of these levels use another software.
First let me confess that it is quite seldom I actually do all the steps, but this is what I would want to do.
New software has new features and hopefully is optimized. However new features also mean that the software is untested and has new bugs.
Basically you can choose 1 of 2 roles
forerunner = the one who gets the newest software and upgrades often. Gets the newest features but also gets the bugs with downtime and unstable software.
but also gets to be the cutting edge of knowledge and software.
rear = the one who reaps the benefits of the forerunners, gets "stable" software and fewer bugs, which gives more stability and less downtime, fewer upgrades.
Good luck
HTH
03-11-2009 06:54 PM
Another old saying, you're damned if you do, and damned if you don't. Or, another one, the devil you know vs. the devil you don't.
Software is one of the few things that doesn't wear out. So, if it's doing what you want it to do, and doing it correctly, there shouldn't be a need to update. Conversely, if there's something you want the software to do now provided by an upgrade or a known problem you've encountered now fixed, then you'll likely want to update.
Most, I would suspect, would agree with the foregoing paragraph, and would likely add for the latter, it isn't without risk, since feature enhancements or even just pure bug fixes can introduce new bugs. But what about the former, where everything appears just fine?
Well, although software doesn't wear out, it often has bugs. Such bugs are often found over time and then (hopefully) fixed by the vendor. Even if you haven't bumped into a bug, you may. Just as it's annoying to encounter new bugs from an upgrade, it's annoying to bump into a bug that was fixed 3 years ago (the software was never updated "'cause it ain't broke").
If you never change your configs and traffic is always about the same, you increase your chances of not finding bugs, although they can still sneak up on you. Perhaps a bug such as when uptime wraps 32 months (I don't know of such, but counters can cause issues when they wrap. [Anyone remember the 2000 issue?])
Then there's security bugs. These bugs tend to be hard to find, but when published, your device will likely be at much higher risk unless you preclude it, often with updating the software.
What I suggest is using IOS with the most maintenance that supports just the features you need/desire and keeping it updated with just maintenance updates. Use reason with your updates. For instance, if early in the life cycle, you might want to update not too far behind and for each maintenance patch. If late in the life cycle, you might relax how fast/often you update. If you can, allow some time to see if there is a patch to the patch.
Be careful how you roll out the updates. Be prepared to roll back the update.
09-13-2013 06:38 AM
Are there any studies or best-practices papers that support the well-reasoned logic noted above? I'm pretty sure having very, very old IOS versions is bad, but I'd like something concrete to show the brass to justify the IOS upgrade. Thanks.
09-13-2013 06:17 PM
Are there any studies or best-practices papers that support the well-reasoned logic noted above? I'm pretty sure having very, very old IOS versions is bad, but I'd like something concrete to show the brass to justify the IOS upgrade. Thanks.
There are no best practices because the phrase "IOS upgrade" can send executives into spasms.
There are two schools of thoughts in this forum:
1. If it ain't broke, don't fix it;
2. Upgrade if you see fit.
I upgrade the IOS of my switches as often as I can. But I make sure the IOS versions I will be using have been properly tested. I don't have the luxury of setting up a full-blown miniature lab of our environment. All I do is load the IOS to a few selected appliances with configs and observe any adverse reaction(s).
I will not say that my method is fool-proof but I will openly admit that I've rolled-back or downgraded to previous versions due to adverse reactions.
I am very thankful and grateful that I have a supervisor who's supportive of my intention but I have worked networks where it's a norm to run IOS versions nearly >4 years old and talk of "upgrading Cisco IOS" is looked upon with disgust and disdain.
There are only three reasons why I would want to upgrade the IOS, and they are:
1. New, enhanced or improved features;
2. Bug fixes; and
3. Security vulnerability fixes.
Currently, we have seen benefits of our actions, and they are:
1. We have some features running in our network where others don't dare to tread;
2. Network security has stopped harassing us with "please explain". It's now the other way around, we deliberately send "have you seen this vulnerability" emails to security team. We want to know if they are sleeping on the job. Being network security folks, they don't find it funny at all. So much for their sense of humour (or lack of).
09-14-2013 04:55 AM
No, sorry, can't think of any best-practices documentation. As my original post noted, and Leo's new posting, there are two schools of thought on whether you should upgrade just for the sake of keeping your software current.
As to "very, very old ios versions is bad", might be with security advisories, where Cisco generally recommends upgrading to stop your exposure. (Once a security bug has actually been documented, I would say it would be a best-practice not to run such software.)
Also in the cases of "very, very old ios versions", if they're old enough, you cannot get support for them. So if you stumble across a bug, that hasn't yet been fixed, vendor won't fix it.
Lastly, Cisco (and I assume other vendors) sometimes makes very subtle improvements that aren't always documented or not well documented. For instance, years ago I recall Cisco improved how OSPF does some of its internal stuff and they recommended you might want to upgrade to, or beyond, the release that provides this improvement. It wasn't a bug fix, as OSPF worked as it was supposed to, and it wasn't a feature enhancement, as OSPF still worked as it was supposed to. In fact pre and post change were interoperable.
Imagine owning an automobile. You discover the dash board instrument lights don't work. Well if you only drive during the day, this "defect" isn't a problem for you, so it's then a personal choice whether you want to spend the time and perhaps cost to have this non-impacting issue (to you) repaired.
Or imagine, someone discovers if you insert any key that fits, and for a locked door or trunk/boot, first attempts to lock again before attempting to unlock, it unlocks the lock. If this is published, would you leave this unfixed?
Lastly, imagine, your automobile's manufacturer, has reformulated their windshield wiper blades, which reduce streaking by 50%, but they don't really highlight this improvement. You'll receive this improvement "automatically" during routine manufacturer authorized maintenance, but if you don't allow for routine maintenance, you don't.
Personally I believe in keeping software maintained, this because I worked 25 years as a software developer. (If you spend your time fixing or improving software, seems rather pointless not to take advantage of such work.)
For those that lean toward the "if it ain't broke - don't fix" school, will argue that revised software (including just bug fixes) can introduce new bugs (true) but I think often the real issue is they're busy enough and they're not looking for additional work. Doing software maintenance "right", is more than loading the latest IOS. (Think of the extra work Leo is describing in his posting.)
09-14-2013 07:14 PM
ONE STAR?????
You got "1" for your post, Joseph?
Rated your post with exactly what it's worth. +5!
09-14-2013 09:18 PM
Leo Laohoo wrote:
ONE STAR?????
You got "1" for your post, Joseph?
Rated your post with exactly what it's worth. +5!
Thank you, Leo.
09-14-2013 07:21 PM
but I think often the real issue is they're busy enough and they're not looking for additional work.
You forgot another factor: Knowledge or know-how.
In my previous employment, no one knows how to upgrade an IOS. Not even one of the two methods.
In another, they had to get (as in PAID) a Cisco Engineer in to upgrade the IOS of a 6500 even though there were two of us who knew or had experience.
09-14-2013 09:19 PM
Leo Laohoo wrote:
but I think often the real issue is they're busy enough and they're not looking for additional work.
You forgot another factor: Knowledge or know-how.
In my previous employment, no one knows how to upgrade an IOS. Not even one of the two methods.
In another, they had to get a Cisco Engineer in to upgrade the IOS of a 6500 even though there were two of us who knew or had experience.
I hadn't thought of that.