10-10-2023 07:39 PM
Switch Ports Model          SW Version  SW Image               Mode
------ ----- -----          ----------  ----------             ----
*    1 56    WS-C3850-48T   03.06.06E   cat3k_caa-universalk9  INSTALL
     2 56    WS-C3850-48T   03.06.06E   cat3k_caa-universalk9  INSTALL
The pair of WS-C3850-48T are running:
IOS-XE Version 03.06.06E
ROM: IOS-XE ROMMON
BOOTLDR: C3850 Boot Loader (C3850-HBOOT-M) Version 1.1, RELEASE SOFTWARE (P)
I recently was gifted with responsibility for these and they are failing audits due to the no-longer-supported images. While we have hardware support, we currently have no tech support from Cisco. We also do not currently have tech support (only extended hardware).
So looking for any advice:
1) From what I can see, I technically can go from 03.06.06E all the way to current: Dublin-17.12.1a (or perhaps stop at 16.12(2r), as the oldest still in support), though RomMon clearly would need to be updated. (I still need to research how many steps the RomMon is going to be. I know to get 16.x I need to start with at least 16.7(5r), but need to dig still to see if I need some mid-steps starting with 1.1.)
2) My bigger concern is, given the numerous steps, does anyone know how compatible running configurations are, or should I plan on needing to do a manual reconfiguration 'in like' but not be able to import the old (existing) configuration into the new IOS?
3) Have dealt with stacked switches a lot; any suggestions on how a pair of stacked switches changes the process? Does upgrading one automatically upgrade the other, and/or to be safe (as they are stacked to be an HA pair), could I break the stack, upgrade 1 (verify configuration, ports, operations, etc.), then reconnect the stack? If the upgrade DOESN'T work, re-image the 'upgraded' one back to 3.6.6, boot the untouched stack, reconnect the stack, let the config get pushed (and basically be back where I started)?
Thanks for any help/advice that could be provided.
10-10-2023 08:29 PM - edited 10-10-2023 08:30 PM
"failing security audits" does not mean blindly updating the firmware.
Find out what security vulnerabilities are being encountered and mitigate. A lot of the Cisco Security Bulletins have valid workarounds.
Upgrading the firmware is not a sure-fire solution -- It will only make matters worse.
IOS-XE version 3.6.X is a reliable and stable version. Upgrading to 16.12.10 does not guarantee the network will be stable nor reliable.
10-10-2023 11:14 PM
Well, for our customer's auditors, they require it to be a 'supported' vendor version of the OS, which from what I can see the 'oldest' still supported by Cisco is: 16.12.10. Am I looking at the EOL incorrectly, and will Cisco provide any support on anything in the 3.x generation? I personally agree with your sentiment; they are actually in a fairly hardened environment, so very limited access to the devices, and have 5 years + with no changes/no issues, so personally I would choose to leave them alone, but per our customer's PCI audit, they fail until/unless on a vendor-supported version of software.
10-10-2023 11:48 PM
Cisco will not provide any more releases in the 3.X.X version.
Everyone is encouraged to migrate from a stable version to a <EXPLETIVE> version, 16.12.X.