What factors drive a Cisco IOS upgrade?

  • In order of preference/priority, what factors do you consider in driving an upgrade (or downgrade) with Cisco IOS? If no compelling factors exist, how long would you allow a particular version of IOS to stay running? I've seen some switches with uptimes > 5 years.

    And when upgrading, how is the specific IOS release identified as the upgrade target?

  • In order of preference/priority, our company tends to upgrade based on these factors:

    • Vulnerabilities, vulnerabilities, vulnerabilities!
    • Bugs
    • Attaining new features not currently available-- new cards/modules have a "first supported in" IOS version which could be higher than what you have running
    • Migrating away from retired release trains
    • Matching versions on more recently deployed and similar hardware

    A device that is very critical to the infrastructure may not be as aggressively upgraded as one that is less critical. Consideration is given to the role of the device, the redundancy surrounding it, and the impact of the upgrade itself by the downtime incurred or by the possibility of having config feature behavior changes or different defaults when going between major versions. This is the necessity question that also touches on soft costs such as the time and resources to accomplish the upgrades measured against the weight given to each of the factors such as vulnerabilities.

    Be sure to subscribe to multiple vulnerability announcement sites such as Cisco PSIRT (Product Security Incident Response Team) and US-CERT (Computer Emergency Readiness Team).

    A downgrade might be in order if:

    • Organization has a policy to only run tested/QA'd versions and new equipment came with a more recent release.
    • Org has a policy against running anything other than GD.

    • Use Cisco's Output Interpreter on "show version" output to look for obvious issues/vulnerabilities/bugs.
    • Look for GD (General Deployment) releases and avoid DF (Deferred).
    • Use ED (Early Deployment) only when it contains must-have features not available elsewhere.
    • Avoid LD (Limited Deployment) when possible and use GD instead.

    There are certainly arguments for going to an ED or LD version, but the desire, of course, is to get to the most stable version that meets requirements. Use Cisco's Feature Navigator to help identify potentially different feature-sets (assuming you're licensed to use them).

    Expanding upon "Attaining new features" I would bring out the fact that new cards/modules have a "first supported in" IOS version which could be higher than what you have running.

    I would add it depends on how critical the equipment is and if it's redundant or not. For instance, if it's your core switch, and for some reason, you only have one, then you might NOT want to upgrade, unless you HAVE to - and then maybe not to the most recent version, but to the most STABLE version instead.

    I would have said: 1. Vulnerabilities 2. Vulnerabilities 3. Vulnerabilities 4. Bugs

    Excellent points by everyone. Folded back into answer.
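The answer above picks the upgrade target by reading "show version" and comparing the running release against what a new module or a policy requires, and the question mentions switches with multi-year uptimes. The script below is an added example (not code from the original post) that parses a constructed "show version" excerpt, extracts the classic IOS version (major.minor(maintenance)TRAIN rebuild, e.g. 12.2(55)SE5), checks it against a minimum "first supported in" release, and converts the uptime line to days. The sample output, the minimum version "12.2(58)SE2" and the two-year uptime ceiling are assumptions chosen for illustration; IOS XE dotted versions (16.9.4) are deliberately out of scope.

```python
"""Parse Cisco IOS 'show version' output: is the device at or above a minimum
release on its train, and has it been up long enough to deserve a look?"""
import re
from dataclasses import dataclass
from typing import Dict, Union

# Classic IOS syntax only: major.minor(maintenance)TRAIN rebuild,
# e.g. 12.2(55)SE5, 12.4(24), 12.4(15)T7, 15.0(2)SE. IOS XE "16.9.4" is not handled.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]+)?(\d+)?$")
_UPTIME_UNITS = {"year": 365.0, "week": 7.0, "day": 1.0,
                 "hour": 1 / 24, "minute": 1 / 1440, "second": 1 / 86400}


@dataclass(frozen=True)
class IosVersion:
    major: int
    minor: int
    maintenance: int
    train: str      # "" for a mainline release such as 12.4(24)
    rebuild: int    # 0 when no rebuild number is present

    def __str__(self) -> str:
        rebuild = str(self.rebuild) if self.rebuild else ""
        return f"{self.major}.{self.minor}({self.maintenance}){self.train}{rebuild}"

    def sort_key(self):
        return (self.major, self.minor, self.maintenance, self.rebuild)


def parse_version_string(s: str) -> IosVersion:
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version string: {s!r}")
    major, minor, maint, train, rebuild = m.groups()
    return IosVersion(int(major), int(minor), int(maint), train or "", int(rebuild or 0))


def parse_show_version(text: str) -> IosVersion:
    """Take the version from the system image line, not the ROMMON/BOOTLDR line."""
    for line in text.splitlines():
        if line.startswith(("Cisco IOS Software", "IOS (tm)")):
            m = re.search(r"Version\s+([^\s,]+)", line)
            if m:
                return parse_version_string(m.group(1))
    raise ValueError("no IOS system image line found in show version output")


def is_at_least(current: IosVersion, target: IosVersion) -> bool:
    """True if current is the target release or newer on the same train.

    Numbers on different trains (mainline vs T vs SE ...) are not ordered
    against each other, so a cross-train comparison raises instead of guessing."""
    if current.train != target.train:
        raise ValueError(f"{current} and {target} are on different release trains")
    return current.sort_key() >= target.sort_key()


def parse_uptime_days(text: str) -> float:
    """Convert 'X uptime is 5 years, 12 weeks, 3 days, ...' to a day count."""
    m = re.search(r"uptime is (.+)$", text, re.MULTILINE)
    if not m:
        raise ValueError("no uptime line found")
    days = 0.0
    for count, unit in re.findall(r"(\d+)\s+(year|week|day|hour|minute|second)s?", m.group(1)):
        days += int(count) * _UPTIME_UNITS[unit]
    return days


def assess(text: str, minimum: str, max_uptime_days: float = 730) -> Dict[str, Union[str, bool, float]]:
    current = parse_show_version(text)
    uptime = parse_uptime_days(text)
    return {
        "version": str(current),
        "meets_minimum": is_at_least(current, parse_version_string(minimum)),
        "uptime_days": round(uptime, 1),
        "uptime_exceeded": uptime > max_uptime_days,
    }


# Constructed sample in the real 'show version' layout; not captured from a device.
SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Thu 09-Feb-12 19:04 by prod_rel_team

ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(53r)SEY3, RELEASE SOFTWARE (fc1)

access-sw-01 uptime is 5 years, 12 weeks, 3 days, 4 hours, 10 minutes
System returned to ROM by power-on
System image file is "flash:c2960-lanbasek9-mz.122-55.SE5.bin"
"""

if __name__ == "__main__":
    # Hypothetical "first supported in" release for a new module, 2-year uptime ceiling.
    print(assess(SAMPLE_SHOW_VERSION, minimum="12.2(58)SE2"))
```

The refusal to compare across trains is the practical caveat: 12.4(15)T7 is not "newer" than 12.4(24) just because the digits are bigger, so a fleet report should bucket devices by train before ranking them, which also lines up with the advice above to move off retired trains rather than chase the highest number.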

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM