Bootstrap IOS Different From Running IOS

deanwebb · June 01, 2018, 08:06:34 AM

Situation:

Working with SNMPv3 SHA and AES128. That requires 12.2(33) on the SXI codetrain according to http://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/by-feature-technology.jsp

The switch has that version, but the bootstrap is showing 12.2(17). SNMPv3 is not working on this switch...

I see info at http://www.dslreports.com/forum/r15184029-Info-Difference-between-Bootstrap-and-IOS-Version that mentions the bootstrap version needs to be updated to support the commands in the running version.

Is this correct?

icecream-guy · June 01, 2018, 11:18:10 AM

looks like firmware upgrade is needed, what model switch

deanwebb · June 01, 2018, 11:52:25 AM

Lots of different models, most of them old.

icecream-guy · June 03, 2018, 03:31:01 PM

Quote from: deanwebb on June 01, 2018, 11:52:25 AM
Lots of different models, most of them old.

used to be able to find the files on the Cisco download site, but haven't seen any since they went into the cloud.

deanwebb · June 04, 2018, 09:53:27 AM

Yeah, it's up to the customer to get all that stuff in line, I'm just trying to see if that's a potential thing to consider, since we're using SNMPv3 to communicate with the switches.

icecream-guy · June 04, 2018, 10:44:00 AM

Quote from: deanwebb on June 04, 2018, 09:53:27 AM
Yeah, it's up to the customer to get all that stuff in line, I'm just trying to see if that's a potential thing to consider, since we're using SNMPv3 to communicate with the switches.

if their stuff is old, they may need to open a TAC case to get the firmware code that can't be found. Oh, and if their stuff is old, it' probably no longer supported, so tjhey can't open a TAC case. So they will have to replace all that gear. Then they'll figure out that SNMPv3 is a PITA to setup and get working correctly so then they'll end up using SNMPV2c, wondering why they spent all that money on new gear when they didn't have to, if they'd just settled on 2C in the first place.

deanwebb · June 04, 2018, 11:03:10 AM

Except... they already decided that SNMPv3 is the only path forward and that v2 is not allowed.

They just didn't check what are the minimum requirements for using v3 before they made that decision, that's all...

Otanx · June 05, 2018, 11:21:36 AM

SNMPv3 isn't that hard really. However, with old gear you might run into the fact that the original v3 RFC listed DES/MD5 as the only cipher/hashing pair. Not 3DES, just DES. This has been updated, and the official RFC ciphers are DES, and AES128 with MD5 and SHA1 hashing. I have found one device that has the option to do AES256, but it isn't standard.

-Otanx

deanwebb · June 14, 2018, 12:01:01 PM

Thanks, I've got a meeting with this customer in 90 mins, so that's going to be useful info.

icecream-guy · June 15, 2018, 06:27:04 AM

Quote from: deanwebb on June 14, 2018, 12:01:01 PM
Thanks, I've got a meeting with this customer in 90 mins, so that's going to be useful info.

so how did the meeting go ??

deanwebb · June 15, 2018, 02:26:54 PM

It actually went quite well. We'll use CLI access instead of SNMP and not worry about the IOS.

deanwebb · June 19, 2018, 08:13:59 AM

Had a troubleshooting session, customer went back to insisting on SNMPv3 working. So we got into the weeds with them, got them to upgrade our software, and we had some success in establishing a connection... and then found out that they had the wrong credentials for the switch in question.

Got the right creds, everything worked out.

So... today I learned that...

1. Bootstrap IOS does not impact the running IOS.
2. SNMP v3 is newer than v2, make sure that your software on both sides of the communication is up-to-date and supports the same features.
3. Get your credentials straight. Seriously.