We are a smaller company so IT resources are limited.
My question is more in regards to updating the machines themselves. I have browsed the community and such for answers and I really have not gotten any type of answer. Bottom line, is it best practice to stay closely up to date or should you wait until something goes wrong?
Personally, I like to keep things about 1 patch/update behind the most recent.
I have been with my current firm for 3.5 years now and have never updated any of the machines.
I'd say best practice is to stay at least somewhat knowledgeable of the new features as they come out. If no compelling new features are out and you're running stable versions of router and switch code, there's no really good reason to upgrade.
I've seen Cisco switches run just fine for upwards of 10 years without an upgrade or even a reboot. That may be a bit excessive (i.e., none of the staff may have ever seen the old CatOS that is running on the switch and aren't up to speed on how to make changes if any are needed) but you get the point.
One exception would be any public-facing devices in the event of a security advisory.
That said, you should have a backup of your configurations and know what the settings are in the event of needing to rebuild following a catastrophic failure.
I am managing a large school network (98 sites and growing) so we can't let our guards down. All our switches are running the LATEST IOS.
Here's the funny side of our "philosophy". Traditionally, you upgrade the IOS only because you need some new feature, bug or security issues. In our case, we upgrade our IOS and THEN we get projects to implement features in the new IOS. When it comes to security, they gave up after we repeatedly replied to their "security advisory" emails with words like "doesn't affect us because we've upgraded the IOS looooooooooooong before your email".
I upgrade as often as I can or at an average of three IOS upgrades per year.
Yeah but your network has the estimable 10,000+ post Leo managing it.
I'm sure you can upgrade an IOS while shaving in the morning. Personally I too like running the latest stable code - at least something of this year's vintage. But then I've been doing network engineering since the pre-LAN days.
The O.P. appears to be coming from quite a different perspective, having apparently done fine with no upgrades in 3.5 years. I'm sensitive that small environments that just need to switch Ethernet frames and route them internally or to the Internet may not need the latest 15.x modular code ...or EnergyWise 2.5 ...or EEM ...or Auto SmartPorts ...or leverage COA in an ISE-managed environment ...etc. There's a cost to that level of currency that may not yield return on the investment for many small shops.