IOS Upgrade, General Consensus

Unanswered Question
Apr 9th, 2008

I was just wondering about IOS upgrades in general.

What are most people's thoughts on this?

Security people are saying routers should be upgraded to the latest image available.

I have two core 6509 switches that have a new IOS to upgrade to but Cisco has told me more than once that if there is no specific reason to upgrade, you should not.

What do most people do?

sundar.palaniappan Wed, 04/09/2008 - 17:09

I agree with Cisco on this. If you aren't using any features that are not supported in the IOS you are using and you haven't had any major issues with the current code, why bother to upgrade? The reason being you don't know what kind of caveats you might run into with the new image. The simple rule 'if it's not broken, don't fix it' makes a lot of sense here.

Just my 2 cents.

HTH

Sundar

Danilo Dy Wed, 04/09/2008 - 20:54

Hi,

From the security side, the most important thing is to subscribe to Cisco PSIRT and also to CERT, so that you will be informed of any latest security vulnerabilities and exploitation and how Cisco can help you. If the affected service or feature is not turned on in your system or you are not using it, there is no need to update. If a workaround exists, there is no rush for an update; you can perform the update later during your maintenance window.

On the operational side, if you are encountering strange problems with your current IOS and you can't find any bugs or vulnerabilities and you are certain that it's not your configuration, I have to say that you should update your IOS. You can also check the Bug Toolkit, but sometimes they are too much to read if they are in the thousands. I do believe that vendors don't post all the bugs and vulnerabilities on their website - I know one security vendor, but we keep encountering strange problems with their product :). Some updates may improve your system performance or fix some strange problem that you are encountering, although there is no documentation from the vendor that it will do so. I believe that they cannot test their new code in all possible scenarios/setups. This is why there is one security vendor that keeps insisting to always apply their current patch no matter what.

You need to secure your system also; there are a lot of ways to improve performance and block rogue access. Check these links:

http://www.cisco.com/warp/public/707/21.html

http://www.nsa.gov/snac/

http://www.cymru.com/Documents/secure-ios-template.html

A good monitoring, logging, remedy system, change management database, event tracking, and performance tracking system will save you a lot of headache.

You also need to plan maintenance windows for the current year. You can choose monthly, quarterly, or half-yearly to perform your updates and other changes that require downtime. This does not include emergency downtime.

This Handbook is very useful http://www.amazon.com/Visible-Ops-Handbook-Implementing-Practical/dp/0975568612/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1207803597&sr=1-1

Regards,

Dandy
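The decision rule in the reply above (affected version, feature actually enabled, workaround available) expressed as a small triage script. This is an added example, not code from the thread or from Cisco; the `show version` output, running-config excerpt and advisory are constructed, and the advisory is hypothetical, not a real PSIRT notice.

```python
import re

# Constructed sample `show version` output (not taken from the thread).
SHOW_VERSION = """Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXH3, RELEASE SOFTWARE (fc1)
"""

# Constructed running-config excerpt; only lines relevant to the check are shown.
RUNNING_CONFIG = """hostname core-6509-a
ip http server
no ip http secure-server
line vty 0 4
 transport input ssh
"""

# Hypothetical advisory (not a real PSIRT notice). feature_commands lists the
# configuration lines that expose the affected service.
ADVISORY = {
    "affected_versions": {"12.2(33)SXH", "12.2(33)SXH1", "12.2(33)SXH2", "12.2(33)SXH3"},
    "feature_commands": ["ip http server"],
    "workaround_available": True,
}

VERSION_RE = re.compile(r"Version\s+(\S+?),")

def parse_ios_version(show_version: str) -> str:
    """Pull the version string (e.g. 12.2(33)SXH3) out of `show version` output."""
    m = VERSION_RE.search(show_version)
    if not m:
        raise ValueError("no Version field found")
    return m.group(1)

def feature_enabled(running_config: str, commands) -> bool:
    """True if any listed command is present as a top-level line (no 'no ' prefix)."""
    lines = {l.strip() for l in running_config.splitlines() if l and not l.startswith(" ")}
    return any(cmd in lines for cmd in commands)

def triage(show_version: str, running_config: str, advisory: dict) -> str:
    """Not affected -> no action; feature off -> no action;
    workaround exists -> schedule for a maintenance window; otherwise upgrade now."""
    version = parse_ios_version(show_version)
    if version not in advisory["affected_versions"]:
        return "not-affected"
    if not feature_enabled(running_config, advisory["feature_commands"]):
        return "affected-feature-disabled"
    if advisory["workaround_available"]:
        return "apply-workaround-schedule-upgrade"
    return "upgrade-now"
```

Run `triage(SHOW_VERSION, RUNNING_CONFIG, ADVISORY)` per device and advisory; the returned label drives whether the change waits for the planned maintenance window or needs an emergency slot.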
