We're currently dealing with some outdated enterprise switches that aren't supported anymore. I'm curious about how others handle their switch firmware updates. Do you prioritize keeping your switches updated to the latest firmware, especially during urgent issues? In a data center environment, it seems essential, but does the same urgency apply in our closed-off workspace where we rarely have guests? Additionally, how do you assess the security implications of sticking with old firmware, given that our management interfaces are well-protected on a separate VLAN?
6 Answers
This situation is more about systems management. Holding onto outdated switches can lead to unexpected expenses that require quick turnaround on replacements. It's a balance between managing assets economically and not inviting a significant business risk, particularly when security is involved.
I've got some older Brocade ICX6450s that haven't seen a software update since 2019. Interestingly, they announced end-of-life in 2019 but continued warranty on hardware until 2023. So I still have spares if one fails, even though the SSH is throwing warnings. We opted not to replace them years ago when a sales rep tried to push new models.
Keeping firmware updated is crucial, especially if you're running mission-critical switches. It's all about maintaining warranty support so you can download updates and stay off the end-of-life list.
We usually wait for a major vulnerability that can't be mitigated before updating. We have some Cisco gear that raises alarms about key-exchange algorithms in an older IOS version, but I haven't seen a fix yet.
Are you talking about IOS 15.2? You do know you can tweak the SSH configurations for key exchange, right? Plus, there's a newer version out.
In my opinion, core devices should always be updated to a supported firmware and under a support contract. If you're just lagging behind a couple of versions and everything's fine, that's okay—as long as there are no critical security flaws. But keeping track of updates can be pretty hands-off for me with our management software.
From a technical standpoint, I only want to upgrade firmware if there's a defect or vulnerability that impacts our setup. However, risk and security teams often push for constant upgrades, which is not realistic. We try to stay informed and review every quarter to decide if we need to make updates.
Yep, managing those interfaces and isolating them can definitely help if there are vulnerabilities.
Exactly! But it really depends on the switch's role. Like, an access switch in a tiny remote office? Not a huge deal. But your main data center switch? That's a different story—you definitely want it under a service contract.