
What to use for secondary image on a switch


The primary image on my switches was pretty old...so much so that the switches showed up in a vulnerability scan.  So I've updated the primary image to the latest version on all of my switches.

My question is...what should I have for the secondary image?  The latest version?  One version behind?  Something else?



Re: What to use for secondary image on a switch

Hi @zibby8008315 !

It is really up to you, but common sense tells me it's good to have a version there that is not much older than the current image. Generally the logic behind those slots can be as follows (this doesn't exclude other rotation schemes, it's just an example):

- You buy and deploy the device. Primary: v1, Secondary: v1 (version numbers are arbitrary, just for illustration I will use simple integers)
- You decide to upgrade the software, but want to keep the current version just in case things go wrong. Primary: v2, Secondary: v1
- Next planned upgrade, same logic - we need to try the newer version while keeping the current one in case the new one won't work well. Primary: v2, Secondary: v3. Use the command "boot set-default flash secondary" to set the Secondary image as the default one
- Next planned upgrade. Primary: v4, Secondary: v3. Use the command "boot set-default flash primary" to set the Primary image as the default one

I hope you got the logic - keep the current version in its Slot and use another slot for the newer version. 


I am an HPE employee


Re: What to use for secondary image on a switch

Hi @zibby8008315 

Add to the perfect example suggested by @Ivan_B just one additional point after the 2nd step:

- ONCE the Primary slot is upgraded to the v2 image (while the Secondary slot is left with the non-booted v1 image) AND you evaluate that the running v2 image is OK for your configuration, THEN do flash the Secondary slot v1 with the booted image v2 used on the Primary slot (the command is: copy flash flash secondary <- it copies/flashes the current running flash image - actually the v2 image on the Primary slot - into the Secondary slot without requiring you to (re)boot the switch since you don't change the already booted code [*]); both Secondary and Primary are now flashed with identical v2 images.

That's just to say that, in case you don't update too frequently, between consecutive update procedures you're able to run a Switch with both flash images made equal (which is not a bad idea ONCE you verify the running code is OK).

[*] the command refers to legacy HP ProVision OS based switches or to newer HPE Aruba ArubaOS-Switch OS based switches.

I'm not an HPE Employee
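
Added example (not written by either poster, and not HPE code): a small Python model of the slot rotation described in the two replies above, showing which slot receives the new image, when the default boot slot has to change, and what the optional post-validation sync does. The `Flash` class, the function names and the "load ... into the ... slot" step text are assumptions made for illustration; only the `boot set-default flash` and `copy flash flash` commands come from the thread.

```python
from dataclasses import dataclass, replace


@dataclass
class Flash:
    primary: str    # version stored in the Primary slot
    secondary: str  # version stored in the Secondary slot
    default: str    # "primary" or "secondary": slot the switch boots from


def other(slot: str) -> str:
    return "secondary" if slot == "primary" else "primary"


def plan_upgrade(state: Flash, new_version: str):
    """Place new_version so the currently running version stays as fallback."""
    running = getattr(state, state.default)
    if state.primary == state.secondary:
        # Both slots hold the same image, so either can be overwritten;
        # the first reply's example overwrites Primary in this case.
        target = "primary"
    else:
        # Never overwrite the slot that holds the running, known-good image.
        target = other(state.default)
    new_state = replace(state, **{target: new_version, "default": target})
    # Descriptive step, not a CLI command: the thread gives no transfer command.
    steps = [f"load {new_version} into the {target} slot"]
    if target != state.default:
        steps.append(f"boot set-default flash {target}")
    steps.append(f"reboot; fallback is {running} in the {other(target)} slot")
    return new_state, steps


def sync_after_validation(state: Flash):
    """Second reply's extra step: once the running image is verified,
    copy it into the other slot so both slots are identical."""
    target = other(state.default)
    running = getattr(state, state.default)
    return replace(state, **{target: running}), [f"copy flash flash {target}"]


if __name__ == "__main__":
    s = Flash("v1", "v1", "primary")  # constructed starting state
    for version in ("v2", "v3", "v4"):
        s, steps = plan_upgrade(s, version)
        print(s, steps)
```

Without the sync step the new image alternates between slots; with it, every upgrade lands in Primary and Secondary always holds the last validated version.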