How to Download Cisco IOS Updates for Free (Legally)

A few years ago Cisco walled off their update downloads, requiring that you have a current SMARTnet subscription (be under a support contract) to download them.

Ignoring how ridiculous it is for a hardware vendor to require continual payments to receive software fixes, let’s look at how to obtain Cisco IOS (as well as IOS-XE, IOX-XR, and NX-OS) update software without a valid support contract.

What most people don’t know is that Cisco has a security vulnerability policy that states:

“As a special customer service, and to improve the overall security of the Internet, Cisco may offer customers free software updates to address high-severity security problems. The decision to provide free software updates is made on a case-by-case basis. Refer to the Cisco security publication for details. Free software updates will typically be limited to Cisco Security Advisories.

If Cisco has offered a free software update to address a specific issue, noncontract customers who are eligible for the update may obtain it by contacting the Cisco TAC using any of the means described in the General Security-Related Queries section of this document. To verify their entitlement, individuals who contact the TAC should have available the URL of the Cisco document that is offering the update.”

Some CVE’s even state:

“Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC): http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html.

 Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.”

What this all means is that, on a case-by-case basis, Cisco will provide you with updated software if they found serious vulnerability in prior software releases. To get that software you will need to provide a link to the CVE listing the vulnerability related to your device as well as your device’s serial number to TAC.

To find out if your device has any vulnerabilities you can head over to the Cisco Security IOS Software Checker and paste in the “show version” output from your device in the box I’ve highlighted below.

This will show you any CVEs outstanding for your device. You’ll want to find the Critical and High CVEs that affect the IOS version you’re running.

You can also browse the posted CVEs here https://tools.cisco.com/security/center/publicationListing.x

Armed with that info, you need to email Cisco TAC at TAC@CISCO.COM and provide the following info:

Device: 2811
Serial: XXXXXX
CVE: CVE-2018-XXX
Requested File Name: fullIOSfilename.bin

I would also include a brief explanation as well as the quote from above since it seems not all of their support people know about it and will just brush you off because “You don’t have a valid support contract” or “Your device is end-of-sale or end-of-life.”

I’ve done this successfully for a number of devices and each time it has been a battle so remain patient and diligent. Eventually, they will hand you off to one of their Entitlement Support personnel who may provide you with the download.

Be aware that if your device is End-of-Life, they may require that the device was on contract at least through the End-of-Life date before they’ll give you the download.  This seems to be their last ditch effort to keep you from updating your unsupported device to try and force you to upgrade.

Or you could buy hardware from a company that doesn’t pull these shenanigans…

Anywho, hopefully this helps you out and saves you some heartache. If you have to jump through any hoops not listed here, be sure to share them in the comments below!

[ncm_box]