In the middle of a entire network overhaul, wireless, backhaul links, and then got approval to replace all of our outdated hp switches. So I get some pricing on 24 and 48 port POE 3750's and get approval to fit all 15 of them into the budget. So I do a little more digging and BAM! July 4 2013 http://www.cisco.com/en/US/prod/collate ... otice.html

The last date that Cisco Engineering may release any final software maintenance releases or bug fixes. After this date, Cisco Engineering will no longer develop, repair, maintain, or test the product software.

_________________
The best part about telling UDP jokes is I don't really care if you get them or not.

v2, e or x

_________________
http://blog.alwaysthenetwork.com

So you spec'd out devices that already had an EoL announcement on them?

Sounds like someone needs to add the Cisco EoL RSS feed to their favourite RSS reader

http://www.cisco.com/web/feeds/products ... fe_rss.xml

_________________
blog.brokennetwork.ca

Yeah, that EoL dropped just weeks after we had ordered some 10/100 3750 v1's. If you buy any 3560/3750, make sure you are getting the v2 versions.

Yeah my boss was not happy to hear about this the other week. But on the good side of this the 6500 sups I'm running are EOL too so it gave me more leverage to upgrade and deploy VSS! Hopefully this will happen around summer time.

_________________
http://blog.movingonesandzeros.net/

Go with the V2's or if you want to shell out somemore for the X's just make sure you ask your SE about licensing its a bit of an odd entity as far as which features come with which ios.

_________________
"I will prepare and some day my chance will come." - Abraham Lincoln
http://danielhertzberg.wordpress.com - I blog about networks!

Spoke to TAC today and they assured me that the future IOS releases for the V2's will also work on the v1 3560's/3750's as well.

_________________
The best part about telling UDP jokes is I don't really care if you get them or not.

The equipment doesn't vaporize when an EoL is issued... not sure what the big deal is; it's still supported even if they aren't compiling new versions of the IOS for it (full of features you probably aren't using anyway)...

Who runs bleeding edge code on switches anyway? Certainly no one I've worked for in the last 20 years.

In this specific case, the equipment is no longer for sale and could not be added to a SmartNet contract. In addition, last day of hardware support is just over three years out -- typically not long enough to justify a new purchase. I would not be comfortable investing in a product line that Cisco has already EoL'd.

I get what you are saying on the code development though...

It's not about the equip vaporizing, as mlan stated you can't even add smartnet to them and HW support is 3 years out. However, the vendor I purchase from offers their own warranty so from a hardware standpoint that's not an issue.

As for the SW, there are 2 major concerns:

#1 some random ass vulnerability pops up and there are no releases to fix it

#2 From a PCI standpoint, the security scans(nessus etc) actually scan the networking equipment for vulnerabilities and compare the SW versions to the latest releases and it's labeled as a vulnerability if it's too far out of date. This can lead to an organization losing it's ability to process credit card transactions, fines etc.

What I don't understand is if the newer V2 IOS versions will work fine for the "V1" switches as stated by TAC, how are you supposed to get the IOS if you can't add smartnet to them...

_________________
The best part about telling UDP jokes is I don't really care if you get them or not.

Not true as of today. V2 has more flash and can run IOS versions greater than 12.2.55(SE). V1 currently can only run up to 12.2.55(SE). I don't hold much hope that V1 will get newer IOS.

Further, if you just bought these I would go ballistic and demand your reseller take them back and get you V2s. Complain to your Cisco account team too. That is ridiculous.

I still don't understand this either. How did you even buy a version of these switches that was end-of-sale two years ago?



/facepalm

First, vulnerabilities are pretty rare relatively speaking for switches/routers and often have workarounds available so you won't need to constantly upgrade them and incur lots of downtime. It's generally easier to just disable the feature if you don't need it, add some ACLs, or beef up your control plane protection, etc if that's an option.

Second, just because you aren't running the latest version of IOS, because face it no one ever does outside a lab, doesn't necessarily make it vulnerable or get flagged by vulnerability scanning software. There are probably tens of thousands of 6509s still running SXF train code in the wild which is ancient and very stable. Bug fixes and new features drive the upgrade cycle for IOS... read the release notes for each new version and you'll see it's not a big list of security problems that they were fixing...

facepalm?


I don't know if you're intentionally ignoring the main points of my posts.

I Never said that I purchased the switches. I only stated that I requested the vendor I usually purchase from send me a quote for 12 24 port POE switches and 2 48 port POE switches. They sent me quotes for the 3750's.

Secondly, I don't make the rules for PCI DSS standards, what is considered a vulnerability and what isn't, I only have to follow them along with any other institution that processes credit card data. The last time we did our internal scans for the internal PCI audit a lot of the switches failed because.....drum roll....the IOS was out of date

PCI DSS Requirement Testing Procedures
11.2 Run internal and
external network
vulnerability scans at least
quarterly and after any
significant change in the
network (such as new
system component
installations, changes in
network topology, firewall
rule modifications, product
upgrades).

Per the PCI DSS, “System components” are
defined as any network component, server, or
application that is included in or connected to the
cardholder data environment. The cardholder data
environment is that part of the network that
possesses cardholder data or sensitive
authentication data. Network components include,
but are not limited to: firewalls, switches, routers,
wireless access points, network appliances, and
other security appliances. Server types include, but
are not limited to the following: web, application,
database, authentication, mail, proxy, network time
protocol (NTP), and Domain Name System (DNS).
Applications include all purchased and custom
applications, including internal and external
(Internet) applications

_________________
The best part about telling UDP jokes is I don't really care if you get them or not.

I don't even see the point of this thread at all then. You should have reviewed the quote he sent you to make sure it was the proper parts. People in sales generally don't know the difference between the models and if you just ask them to quote you "2 48 port POE switches" they will literally quote you the most expensive thing they have most of the time.

Well I've been through more SOX/PCI/HIPAA/etc audits than I can count and "out-of-date" only applies when the IOS version is not supported by the vendor anymore. Like if you were running something absurd like 11.2 on your routers. That doesn't mean if you are running 12.2(44)SE1 and 12.2(44)SE6 is the latest version you are non-compliant. If SE1 had an open vulnerability and you didn't implement a work-around or have an upgrade planned then you would be non-compliant.

There isn't any config or audit standard out there: PCI, FIPS, CIS, HIPAA, NSA, DISA, etc, etc that requires you to always have the latest version of anything installed.

P.S. The PCI police also won't storm the building and power off your network because it is flagrantly non-compliant. I've also seen companies pay the fines rather than become compliant because it was cheaper to do so.

Maybe the hassle involved in doing this:



I don't know about Axis' organization, but it's a pain to get approvals for network equipment where I work. If the cost exceeds a certain amount, we need multiple quotes from different vendors, several signatures, and finally approval from the parent company. Going through all that work, only to return to do it again would piss me off, regardless of whether I missed the EoL announcement or whether the sales guy quoted me something that was EoL.

Oh, I apologize...I didn't realize I needed to check in with you to see if the post I was making in the Cisco General forum met your approval or not. There were not any questions in my original post, so I guess don't really see the point of your posts in response either? I didn't realize that there needed to be a specific point or query embedded in every post now...did I miss that announcement?

So here's my situation that maybe you don't have to deal with, but it's my Job and I DO. I have been putting bandaids on this network for the past 4 years because I could not get the funding to do any upgrades. I deal with a multi vendor environment mainly HP and Cisco with a couple of one offs. It's finally at the point where I can not absolutely do any more for the infrastructure, I have literally squeezed every last drop out of it and there is nothing else I can do for it. Unlicensed interference, along with saturated links from new camera systems installed has finally brought this to the attention of ownership.

So I finally get approval(tentatively) to do whatever upgrades were necessary but nothing over the top. Well replacing the backhaul links come in at around $85k, upgrading the ASA5510 to a 5550 another $10k, another 10k to upgrade the firewalls in all the outer amenities which puts me at 105k...this is before looking at ANY of the switches(which are primarily hp 2524s(ya, look them up)) that are in DIRE need of upgrading. So I talk to the vendor who I'm buying all the asa's from let them know what I need and they quote me out the 15 switch upgrades at 10k...sweet, I've already got a few 3750's and some 3560's in production. I have to take the quote, write up a purchase order, take the PO to the CIO to get approval explaining why we need them, if he signs, then take it to the CFO, exact same process, and THEN to the CEO to get final approval to add another 10k on top of the 105k I'm trying to get approved. So you'll have to forgive me if the small blurb I posted to the general forum really got under your skin.

No, I did not realize the were EOL/EOS when I got the quote and I'm sure I'm not the only person in the world that didn't get that announcement either.



So are we now going to lay out who's been through more PCI audits? I mean come on now....why in the hell are you being such an antagonist on this?

I've also been through more PCI Audits "than I can count" and in the last few, "out-of-date" applied when the internal audits were red, said the IOS was out of date and listed it as a vulnerability and did not count as a clean scan.

I work for a resort where we deal with 1000's of cc transactions and 1000's member transactions on top of that per day and paying a fine rather than being compliant simply isn't an option. Especially when these members aren't your everyday people, but the kind of people who the lesser sort would LOVE to get their hands on their credit information. Why in the hell would you want to do so anyway. What happens when somebody's credit card information is compromised and they list you as the source, the Auditors come in, a lawsuit is formed etc....which do you think your employers would rather have or benefit you more, 100% clean scans/audits or notifications of you being out of compliance and paying the fines.

You're right, they won't come in and power off your network/equipment, but they can list you as an unsafe place to use CC, or even your merchant account with shift-4 or whoever you use removing the ability to process credit card information. Which can destroy your bottom line...and if that were to happen, who do you think the blame would fall on?

Since you know so much about PCI DSS standards, then you know there are different levels of merchants requiring different levels of compliance along with wether or not the cc data actually touches your servers or are stored on servers etc. I won't go into detail about what level we are and everything we have to adhere to, but needless to say, upper management takes it very seriously.

_________________
The best part about telling UDP jokes is I don't really care if you get them or not.

I'm sorry I should have recognized this thread was just a cry for attention; you weren't actually soliciting input for an issue from people with vastly more experience than you.

protip for the freshly minted CCNA: my network processes billions of dollars in transactions per year... have a nice day.

Really? We're going to get into an argument on the Internet over this?

_________________
blog.brokennetwork.ca

Opera.