04-09-2008 04:41 PM - edited 03-03-2019 09:29 PM
I was just wondering about IOS upgrades in general.
What are most people's thoughts on this?
Security people are saying routers should be upgraded to the latest image available.
I have two core 6509 switches that have a new IOS to upgrade to but Cisco has told me more than once that if there is no specific reason to upgrade, you should not.
What do most people do?
04-09-2008 05:09 PM
I agree with Cisco on this. If you aren't using any features that are not supported in the IOS you are using, and if you haven't had any major issues with the current code, why bother to upgrade? The reason being you don't know what kind of caveats you might run into with the new image. The simple rule 'if it's not broken, don't fix it' makes a lot of sense here.
Just my 2 cents.
HTH
Sundar
04-09-2008 08:54 PM
Hi,
From the security side, the most important thing is to subscribe to Cisco PSIRT and also to CERT, so that you will be informed of any latest security vulnerabilities and exploitation and how Cisco can help you. If the affected services or features are not turned on in your system or you are not using them, there is no need to update. If a workaround exists, there is no rush to update; you can perform the update later during your maintenance window.
On the operational side, if you are encountering strange problems with your current IOS and you can't find any bugs or vulnerabilities and you are certain that it's not your configuration, I have to say that you should update your IOS. You can also check the Bug Toolkit, but sometimes they are too much to read if they are in the thousands. I do believe that vendors don't post all the bugs and vulnerabilities on their website - I know one security vendor but we keep encountering strange problems with their product :). Some updates may improve your system performance or fix some strange problem that you are encountering, although there is no documentation from the vendor that it will do so. I believe that they cannot test their new code against all possible scenarios/setups. This is why there is one security vendor that keeps insisting to always apply their current patch no matter what.
You need to secure your system also; there are a lot of ways to improve performance and block rogue access. Check these links:
http://www.cisco.com/warp/public/707/21.html
http://www.cymru.com/Documents/secure-ios-template.html
Good monitoring, logging, a remedy system, a change management database, event tracking, and a performance tracking system will save you a lot of headaches.
You also need to plan maintenance windows for the current year. You can choose monthly, quarterly, or half-yearly windows to perform your updates and other changes that require downtime. This does not include emergency downtime.
This handbook is very useful: http://www.amazon.com/Visible-Ops-Handbook-Implementing-Practical/dp/0975568612/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1207803597&sr=1-1
Regards,
Dandy
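
The triage rule from the reply above (affected feature not enabled: no update needed; workaround exists: defer to the maintenance window), as an added example that is not part of the original thread. The advisory ids, feature patterns and config excerpt are constructed, and the "prioritize upgrade" outcome for an enabled feature with no workaround is an assumption the post does not state.

```python
import re

# Constructed advisory records (placeholders, not real PSIRT advisories).
# "feature_re" is an assumed fingerprint of the config line that enables the
# affected feature; "workaround" says whether the advisory lists one.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "feature_re": r"^ip http server", "workaround": True},
    {"id": "EXAMPLE-ADV-2", "feature_re": r"^snmp-server community ", "workaround": False},
    {"id": "EXAMPLE-ADV-3", "feature_re": r"^ip http secure-server", "workaround": True},
]

# Constructed running-config excerpt.
RUNNING_CONFIG = """\
hostname core-6509-a
no ip http server
ip http secure-server
snmp-server community EXAMPLE ro
! ip http server  (comment line, must not match)
"""

def enabled_lines(config):
    """Yield active config lines, skipping blanks, comments and 'no ...' negations."""
    for raw in config.splitlines():
        line = raw.strip()
        if line and not line.startswith("!") and not line.startswith("no "):
            yield line

def triage(advisories, config):
    """Map advisory id -> 'not affected' | 'maintenance window' | 'prioritize upgrade'."""
    active = list(enabled_lines(config))
    result = {}
    for adv in advisories:
        pattern = re.compile(adv["feature_re"])
        if not any(pattern.search(line) for line in active):
            # Feature not turned on. First pass only: features that are on by
            # default may not show up in the running-config at all.
            result[adv["id"]] = "not affected"
        elif adv["workaround"]:
            result[adv["id"]] = "maintenance window"
        else:
            result[adv["id"]] = "prioritize upgrade"  # assumed outcome, see lead-in
    return result

if __name__ == "__main__":
    for adv_id, decision in triage(ADVISORIES, RUNNING_CONFIG).items():
        print(f"{adv_id}: {decision}")
```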