IOS management

Discussion in 'Cisco' started by Pat Donlon, Jul 6, 2004.

  1. Pat Donlon Guest

    I'd like to know how everyone is managing the updates on their Cisco
    equipment. I want to be able to keep all the equipment on stable and
    non vulnerable releases of IOS or Cat OS. I'm looking at using Cisco
    Works 2k at the moment but I'd like to know what other tools are in
    use

    Cheers

    Pat
    Pat Donlon, Jul 6, 2004
    #1

  2. Ivan Ostres Guest

    In article <>,
    says...
    > I'd like to know how everyone is managing the updates on their Cisco
    > equipment. I want to be able to keep all the equipment on stable and
    > non vulnerable releases of IOS or Cat OS. I'm looking at using Cisco
    > Works 2k at the moment but I'd like to know what other tools are in
    > use
    >


    Well, I asked the same question a while ago. I got answers that people
    generally don't use CW for IOS upgrades.

    --
    -Ivan.
    Ivan Ostres, Jul 6, 2004
    #2

  3. In article <>,
    Pat Donlon <> wrote:
    >I'd like to know how everyone is managing the updates on their Cisco
    >equipment. I want to be able to keep all the equipment on stable and
    >non vulnerable releases of IOS or Cat OS. I'm looking at using Cisco
    >Works 2k at the moment but I'd like to know what other tools are in
    >use


    http://cosi-nms.sourceforge.net/

    alan
    Alan Strassberg, Jul 6, 2004
    #3
  4. Pat Donlon Guest

    Ivan Ostres <> wrote in message news:<>...
    > In article <>,
    > says...
    > > I'd like to know how everyone is managing the updates on their Cisco
    > > equipment. I want to be able to keep all the equipment on stable and
    > > non vulnerable releases of IOS or Cat OS. I'm looking at using Cisco
    > > Works 2k at the moment but I'd like to know what other tools are in
    > > use
    > >

    >
    > Well, I asked the same question a while ago. I got answers that people
    > generally don't use CW for IOS upgrades.


    What is everyone using then? Still doing this manually? I can
    understand the reasoning for this but with a large number of devices it
    becomes cumbersome and time consuming during the maintenance window.
    Pat Donlon, Jul 6, 2004
    #4
  5. Hansang Bae Guest

    In article <>,
    says...
    > What is everyone using then? Still doing this manually? I can
    > understand the reasoning for this but with a large number of devices it
    > becomes cumbersome and time consuming during the maintenance window.


    We do it manually. Because tools don't scale to very large
    enterprises. It really doesn't take that long if you can get some block
    greenzone times. For example, one of my branch networks is being
    upgraded to 12.1.19 and that covers 700+ routers. It's the smallest
    branch network we have so we're tackling that first. If you plan on 15
    to 20 devices per night, it can get done in a reasonable amount of time.


    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
    Hansang Bae, Jul 7, 2004
    #5
  6. Pat Donlon Guest

    Hansang Bae <> wrote in message news:<>...
    > In article <>,
    > says...
    > > What is everyone using then? Still doing this manually? I can
    > > understand the reasoning for this but with a large number of devices it
    > > becomes cumbersome and time consuming during the maintenance window.

    >
    > We do it manually. Because tools don't scale to very large
    > enterprises. It really doesn't take that long if you can get some block
    > greenzone times. For example, one of my branch networks is being
    > upgraded to 12.1.19 and that covers 700+ routers. It's the smallest
    > branch network we have so we're tackling that first. If you plan on 15
    > to 20 devices per night, it can get done in a reasonable amount of time.
    >
    >
    > --
    >
    > hsb
    >


    I see what you're saying here but if you're upgrading 700+ routers in
    groups of 20, where does this fit into regular maintenance windows?
    Do you just force the changes through your organisation?

    Cheers
    Pat Donlon, Jul 7, 2004
    #6
  7. Ivan Ostres Guest

    In article <>,
    says...
    > Hansang Bae <> wrote in message news:<>...
    > > In article <>,
    > > says...
    > > > What is everyone using then? Still doing this manually? I can
    > > > understand the reasoning for this but with a large number of devices it
    > > > becomes cumbersome and time consuming during the maintenance window.

    > >
    > > We do it manually. Because tools don't scale to very large
    > > enterprises. It really doesn't take that long if you can get some block
    > > greenzone times. For example, one of my branch networks is being
    > > upgraded to 12.1.19 and that covers 700+ routers. It's the smallest
    > > branch network we have so we're tackling that first. If you plan on 15
    > > to 20 devices per night, it can get done in a reasonable amount of time.
    > >
    > >
    > > --
    > >
    > > hsb
    > >

    >
    > I see what you're saying here but if you're upgrading 700+ routers in
    > groups of 20, where does this fit into regular maintenance windows?
    > Do you just force the changes through your organisation?
    >
    > Cheers
    >


    I would assume that they have maintenance window per segment...

    --
    -Ivan.
    Ivan Ostres, Jul 7, 2004
    #7
  8. Hansang Bae Guest

    In article <>,
    says...
    > I see what you're saying here but if you're upgrading 700+ routers in
    > groups of 20, where does this fit into regular maintenance windows?
    > Do you just force the changes through your organisation?


    Yes. This is a branch network so we tackle one router at a time. The
    redundant router picks up the load so it works out fine. Normally, our
    greenzones are very tight, but it would take years to upgrade our branch
    routers if we only had the weekends.


    --

    hsb
    Hansang Bae, Jul 8, 2004
    #8
  9. In article <>,
    Hansang Bae <> wrote:
    >In article <>,
    > says...
    >> I see what you're saying here but if you're upgrading 700+ routers in
    >> groups of 20, where does this fit into regular maintenance windows?
    >> Do you just force the changes through your organisation?

    >
    >Yes. This is a branch network so we tackle one router at a time. The
    >redundant router picks up the load so it works out fine. Normally, our
    >greenzones are very tight, but it would take years to upgrade our branch
    >routers if we only had the weekends.
    >--
    >hsb


    For those unfamiliar with Hansang's network, be aware that it is a fully
    redundant design where every site has two of everything with automatic
    failover to alternate routers/links/firewalls/switches/etc. So taking
    down a router to upgrade the IOS should have no noticeable impact on
    operations. There is also a separate organization which does the actual
    touching of the routers and a formal design review process for all
    configuration changes to minimize the danger of introducing broken fixes
    into the network.

    What Hansang does not mention is the testing effort required to
    get a new IOS release approved for deployment. It makes the actual
    deployment, even across thousands of routers, pale by comparison.

    As a side note, back when I was there, their standard design approach
    did not provide working redundancy when going through firewalls and
    required token rings and RSRB to get SNA redundancy. Guess which
    client provided the inspiration for the firewall and DLSw chapters
    in my book :)

    --
    Vincent C Jones, Consultant
    Networking Unlimited, Inc.
    Tenafly, NJ Phone: 201 568-7810
    Expert advice and a helping hand for those who want to manage and
    control their networking destiny
    http://www.networkingunlimited.com
    Vincent C Jones, Jul 8, 2004
    #9
  10. AnyBody43 Guest

    (Vincent C Jones) wrote
    > Hansang Bae <> wrote:
    > > says...
    > >> I see what you're saying here but if you're upgrading 700+ routers in
    > >> groups of 20, where does this fit into regular maintenance windows?
    > >> Do you just force the changes through your organisation?

    > >
    > >Yes. This is a branch network so we tackle one router at a time. The
    > >redundant router picks up the load so it works out fine. Normally, our
    > >greenzones are very tight, but it would take years to upgrade our branch
    > >routers if we only had the weekends.
    > >--
    > >hsb

    >
    > For those unfamiliar with Hansang's network, be aware that it is a fully
    > redundant design where every site has two of everything with automatic
    > failover to alternate routers/links/firewalls/switches/etc. So taking
    > down a router to upgrade the IOS should have no noticeable impact on
    > operations. There is also a separate organization which does the actual
    > touching of the routers and a formal design review process for all
    > configuration changes to minimize the danger of introducing broken fixes
    > into the network.
    >
    > What Hansang does not mention is the testing effort required to
    > get a new IOS release approved for deployment. It makes the actual
    > deployment, even across thousands of routers, pale by comparison.


    Pat,

    The key issue when considering a process like automatically
    updating the IOS on (let's say) 700 remote routers is that you
    would need to be pretty confident that it was all going to work.

    When I was involved with banks and stuff like that they had a
    very stringent process of testing and evaluating the code itself
    against production-like traffic in a lab environment, and they did
    find real showstopper bugs in this way.

    They would also insist on there being a risk assessment of any
    proposed work on the production kit and the written implementation
    plan would include a back out plan in the event that things went
    horribly wrong. It would be, what is the worst case, how are you
    going to fix it? e.g. The copy of IOS on your tftp server gets
    corrupted but the checksum is not affected.

    What might be your backout plan if for whatever (unforeseen) reason
    you have 700 remote offices not working one morning? Even the lesser
    problem of having 700 remote offices without a backup link might get
    the management plenty twitchy.


    What I would probably do would be to have a written detailed
    script (not a program) for each device and would possibly
    automate some stages or all of the process. I would do only as
    many at a time as I could recover within the change window.
    Slow but I need my beauty sleep.

    I like automated processes since they work the same way every
    time. But I would not set off an automated job that affected
    a large number of remote devices. It is too scary for me.

    Hope this helps, good luck, sleep well:)
    AnyBody43, Jul 8, 2004
    #10
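
Added example (not part of any post in this thread): a pre-flight check combining two points raised above, refusing to deploy when the staged image differs from the digest recorded at approval time, and scheduling nightly batches so that both routers of a redundant site are never touched on the same night. The function names, hostnames, sample image bytes and the choice of SHA-512 are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

def image_ok(image: bytes, approved_sha512: str) -> bool:
    """Compare the staged image with the digest recorded when the release
    was approved, kept somewhere other than the TFTP server."""
    return hashlib.sha512(image).hexdigest() == approved_sha512.lower()

def plan_batches(inventory, per_night):
    """inventory: (hostname, site) pairs. Returns one list of hosts per night.
    No night touches two routers at the same site, so the redundant peer
    keeps carrying traffic, and no night exceeds per_night devices."""
    by_site = defaultdict(list)
    for host, site in inventory:
        by_site[site].append(host)
    rounds = max((len(h) for h in by_site.values()), default=0)
    nights = []
    for k in range(rounds):  # round k = the k-th router of every site
        wave = [by_site[s][k] for s in sorted(by_site) if k < len(by_site[s])]
        nights += [wave[i:i + per_night] for i in range(0, len(wave), per_night)]
    return nights

def preflight(image, approved_sha512, inventory, per_night):
    """Refuse to schedule anything if the staged image is not the approved one."""
    if not image_ok(image, approved_sha512):
        raise ValueError("staged image differs from approved digest; do not deploy")
    return plan_batches(inventory, per_night)

# Constructed sample data: a stand-in image and four two-router branch sites.
GOOD_IMAGE = b"constructed stand-in for an approved IOS image"
APPROVED = hashlib.sha512(GOOD_IMAGE).hexdigest()
CORRUPT_IMAGE = GOOD_IMAGE[:-1] + b"X"
INVENTORY = [(f"br{n:03d}-rtr-{r}", f"br{n:03d}") for n in range(1, 5) for r in "ab"]

if __name__ == "__main__":
    for night, hosts in enumerate(preflight(GOOD_IMAGE, APPROVED, INVENTORY, 3), 1):
        print(f"night {night}: {', '.join(hosts)}")
```

The digest has to come from a source independent of the server that stores the image, otherwise a corrupted or replaced copy and its reference value can change together.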
  11. Hansang Bae Guest

    In article <ccji5g$f0h$>,
    says...
    [snip]
    > What Hansang does not mention is the testing effort required to
    > get a new IOS release approved for deployment. It makes the actual
    > deployment, even across thousands of routers, pale by comparison.


    And that's the reason why we are *always* behind SEVERAL revisions.

    > As a side note, back when I was there, their standard design approach
    > did not provide working redundancy when going through firewalls and
    > required token rings and RSRB to get SNA redundancy. Guess which
    > client provided the inspiration for the firewall and DLSw chapters
    > in my book :)


    That was quite funny. I had the distinct pleasure of migrating this
    data center and the client said "we had this smart guy who set up a
    special FW/DLSw+ config...." I was thinking "yeah sure, smart guy!"

    "Why don't you tell me the service request number so I can look it
    up..."

    So I grab the design package and see "by Vincent Jones!" Small world
    indeed!

    --

    hsb
    Hansang Bae, Jul 9, 2004
    #11
  12. James Guest

    Hansang Bae wrote:
    > In article <ccji5g$f0h$>,
    > says...
    > [snip]
    >
    >>What Hansang does not mention is the testing effort required to
    >>get a new IOS release approved for deployment. It makes the actual
    >>deployment, even across thousands of routers, pale by comparison.

    >
    >
    > And that's the reason why we are *always* behind SEVERAL revisions.
    >
    >
    >>As a side note, back when I was there, their standard design approach
    >>did not provide working redundancy when going through firewalls and
    >>required token rings and RSRB to get SNA redundancy. Guess which
    >>client provided the inspiration for the firewall and DLSw chapters
    >>in my book :)

    >
    >
    > That was quite funny. I had the distinct pleasure of migrating this
    > data center and the client said "we had this smart guy who set up a
    > special FW/DLSw+ config...." I was thinking "yeah sure, smart guy!"
    >
    > "Why don't you tell me the service request number so I can look it
    > up..."
    >
    > So I grab the design package and see "by Vincent Jones!" Small world
    > indeed!
    >


    Set up a Gentoo Linux system and run JFFNMS (Just For Fun Network
    Management System); it's really cool, supports versioning of config
    files and will let you automate configuration management and many,
    many more things...


    James
    James, Jul 9, 2004
    #12
