Cisco's method for rolling out updates (basically stuck in the 90s) is becoming more and more of a liability. When evaluating vendors I have started to place high importance on how they handle updates, as there is less and less tolerance for leaving anything in an unpatched state for very long. Patch management software should be part of the product; it shouldn't be something I need to pay extra to do in an efficient manner, nor should it be expected you'd build out some scripting solution that accounts for all the annoying oddities a vendor's platform should have. Cisco and other vendors need to really do better to ensure that their customers can easily patch so their boxes are not viewed as security liabilities.

-----Original Message-----
From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> On Behalf Of Mark Tinka via cisco-nsp
Sent: Sunday, February 26, 2023 7:55 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] NCS IOS-XR rant (was:Re: Internet border router recommendations and experiences)

On 2/26/23 16:44, Tarko Tikan via cisco-nsp wrote:

> Well, not so in practice.
>
> You can't issue install from http:// or any other remote URL.
>
> You have to sit around and issue "install apply" after "install
> replace" is finished. Replace is async so you have to sit around and
> poll the process.
>
> After reboot you have to reconnect to device and issue "install commit".
>
> In some cases direct upgrades from version X to Y fail so you have to
> go through this whole process twice (X to Z to Y) that takes around 2
> hours on NCS540.
>
> In some other X to Y cases there is not sufficient diskspace to
> complete "install replace".
>
> We personally have automated the whole install process via netconf and
> can workaround the quirks relevant for our platforms and versions.
> Many people can't do that or can't justify the expense (when they have
> small number of devices).
>
> Some other issues have been solved by Cisco in latest releases, I
> believe install replace can now be sync operation, maybe not on NCS540
> but on larger platforms (IOS-XR consistency between platforms is an
> issue itself).
>
> So I totally get what Mark and Gert are saying. IOS-XR is currently
> worst NOS operational experience from all large NOSes out there.

Oh gosh - it's such a shame that it's 2023 and we still have to put up with shoddy software maintenance processes, just because a vendor insists that their next generation OS core is worth the daily-use pain.

I could be okay with doing this for about 10 - 20 nodes in the core. But even with some level of automation (because you have to baby-sit the automation, especially when the vendor changes things in a bid to "improve" life with their OS), trying to manage this on 100's - 1,000's of nodes in the Metro (or anywhere, really) is just too much of a nightmare.

So you either end up with network gear running very old code because operators can't be asked to spend 2hrs on upgrading a single device, or simply tying up too many engineer hours at the expense of other projects.

Mark.
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/