Internet of Things (IoT) and Industrial IoT (IIoT)

  • 1.  2930F / M Firmware Track best practices

    Posted Feb 07, 2023 03:03 PM
    I am subscribed to the security notices to ensure I update my switches if there are security issues discovered with a specific firmware revision. I am currently on the 16.10.00xx track with both 2930F and 2930M switches. What are best practices for updates? Should I update every quarter to the latest version, or can I do this once a year unless a security warning indicates the need for immediate update? Also, there are various tracks available. Should I jump to the 16.11.00xx series?

    I understand the need to stay up to date with the software, but switches tend to be very static devices. Once installed, very little changes. I am using VLANs and VSF, but otherwise I am not leveraging any "fancy" features or dynamic routing. When I read the software release updates, most of the changes / bug fixes aren't features I use. I have over 80 switches, so updating them is a significant amount of work. I want to do what is "correct" by best practices standards, but don't need to create more busy work, updating when not necessarily needed.

    Thank you for your input,
    Andr


  • 2.  RE: 2930F / M Firmware Track best practices

    Posted Feb 07, 2023 05:26 PM
    Hi, it's hard to give you the right advice (or just a right advice): managing a network of 80 switches, no matter how simple and/or static their configurations are, should imply the usage of a (some sort of) network management system tool that, among other expected features, helps you automate firmware update procedures (for example, both HPE IMC and Aruba Airwave or Aruba Central/Central On Premises do that).

    I personally adopt this practice: update often, update early. If I can't proceed as often as I want... I tend to apply software updates only if those are suggested to fix known security bugs... and generally I prefer to use a higher software release with respect to all currently supported ones (e.g. ArubaOS-Switch 16.11 instead of 16.10 or 16.09).



  • 3.  RE: 2930F / M Firmware Track best practices

    Posted Feb 08, 2023 04:44 AM
    My personal view:

    To add to that, for the 2930F/M the firmware is quite mature and stable. Every upgrade introduces an interruption and potential risk that the upgrade breaks things that worked before; so if there is no reason to upgrade, don't upgrade. Or 'if it ain't broken, don't fix it'. Reasons to upgrade as mentioned: security fixes, bugs you run into, or being on a standardized firmware level for all devices in your environment. One thing to consider though is that in general taking big steps in firmware upgrades brings higher risk than small steps, just because more things have changed. With that in mind, it may be good to stay at least somewhat current (and less than a year behind sounds reasonable) because IF there is an urgent security fix, rolling that out brings less risk because that step is smaller. If you do the upgrade, then I would go to one of the latest versions so you get a long remaining support time.

    Also, if you use just basic (L2) features, there is lower risk in upgrading than if you use all features available in the platform.

    The problem with risk is that you don't know in advance, and the balance between many smaller steps every few months and possible bigger steps less often may be different for every organization. I also know many customers that never touch the firmware as they don't actively maintain the switches (but just with basic L2 features), which is not something I would advocate but it happens.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: 2930F / M Firmware Track best practices

    Posted Feb 08, 2023 10:49 AM
    Thank you both for your feedback. It reinforces what I thought. This product is mature and software changes are minimal. I will continue to monitor the emails from Aruba to ensure I react quickly to any security concerns that require immediate action. I am reviewing the software every quarter. If there are no significant changes, I will remain on the same software rev. Once a year, I'll bring all the units up to date to the latest track with the latest revision, as long as that software has been out for at least 20 to 60 days. We are using most of the switches as basic Layer 2 end points with PoE enabled. Other than VSF we aren't using any "fancy" features. Your replies helped confirm what I suspected and allow me to feel better about the path I am taking with this hardware. I intend to run this hardware for another 3 to 5 years and then I'll replace it office by office with whatever is the best value at that time. For me, good value is stellar reliability, free next day replacement (I keep a few spares on the shelf in case of emergency), and reasonable price.

    Thanks again, Andre'