Which IOS release should I use?

July 4th, 2008 | by Ivan Pepelnjak

Put yourself in the shoes of a network architect working for a big financial institution. Your CIO has been persuaded that the bank could reduce WAN costs significantly by deploying IPSec over a public IP network for primary branch office connectivity. You’re responsible for the design and implementation of this solution, keeping in mind the very conservative stability requirements imposed by your overall business practices.

Choosing the 2800 series routers from Cisco looks like a safe bet. After all, they were launched almost four years ago and are widely used. However, you want to deploy stable General Deployment (GD) software on them. Bad luck – they only run IOS release 12.4, which will never reach GD status.

The first alternative offered by Cisco is the Safe Harbor program. Sounds promising, but it only covers some platforms that Cisco is pushing very aggressively into the marketplace: 6500 switches, Content Service switches and Wide Area Application Services (WAAS) appliances.

Next on the list is the Cisco Validated Design (CVD) program. The Point-to-Point GRE IPSec Design Guide recommends the ISR routers you chose, but the test bed used IOS release 12.3(8)T5. I don’t think many network architects would be willing to install a years-old T-release on a production network.

But wait … there are the System Assurance Guides, one of them being the Next Generation Enterprise Branch Security CVD System Assurance Guide. Sounds like a perfect match, but the tests were performed with IOS release 12.4(15)T3. By now, you’re probably realizing that you’re close to a deadlock: there is no GD software for the boxes you chose, and Cisco recommends the latest T-release, which you were told to avoid in the past. So what can you do?

Your best bet is partnering with someone who installed a number of similar solutions in the past. Find a reputable Cisco Gold Partner close to you that has installed similar solutions in the same vertical market. Then check their references and work with them through the planning, design, implementation and troubleshooting cycles.

One Response to “Which IOS release should I use?”

  1. By SeanW on Jul 12, 2008

    Some questions come to mind after I read this.

    - If reliability is the primary concern, why are we using the Internet? The reliability of the Internet is likely going to be an order of magnitude less than that of a randomly chosen IOS release. The delta in reliability between this release and the release you choose after intensive investigation is going to be even smaller still.

    - Is “well, we haven’t seen any problems with it” a good way of choosing an IOS? If that’s the litmus test, then why not call TAC for advice (who should be more in tune with known problems) and use the bug tracker to look for defects in the release? Coupled with smoke testing in the lab, this would seem to provide the same level of assurance as the partner’s recommendation, and at zero cost. The assumption here is that you and your team have the capability to do the work, which should be the case if the architect in question has reached the level of architect in a large financial institution.

    Cisco Press published (a long time ago) a book on network reliability calculations which really puts this stuff in perspective. I wish I still had it so I could mention the title.

    Thanks for all the descriptions of the various plans and designations that Cisco has for IOS releases.

    Sean
