Cisco IOS

Cisco IOS
Company / developer Cisco Systems
Working state Current
Source model Closed source
Latest stable release 15.1(4)M2[1] / September 27, 2011; 4 months ago (2011-09-27)
Latest unstable release 15.2(1)T1[2] / September 23, 2011; 4 months ago (2011-09-23)
Available language(s) English
Supported platforms The majority of Cisco routers and current Cisco switches
Default user interface Command line interface
Official website Cisco IOS

Cisco IOS (originally Internetwork Operating System) is the software used on the vast majority of Cisco Systems routers and current Cisco network switches. (Earlier switches ran CatOS.) IOS is a package of routing, switching, internetworking and telecommunications functions tightly integrated with a multitasking operating system.

The IOS CLI provides a fixed set of multiple-word commands — the set available is determined by the "mode" and the privilege level of the current user. "Global configuration mode" provides commands to change the system's configuration, and "interface configuration mode" provides commands to change the configuration of a specific interface. All commands are assigned a privilege level, from 0 to 15, and can only be accessed by users with the necessary privilege. Through the CLI, the commands available to each privilege level can be defined.

Contents

Versioning

Cisco IOS is versioned using three numbers and some letters, in the general form a.b(c.d)e, where:

Rebuilds - Often a rebuild is compiled to fix a single specific problem or vulnerability for a given IOS version. For example, 12.1(8)E14 is a Rebuild, the 14 denoting the 14th rebuild of 12.1(8)E. Rebuilds are produced to either quickly repair a defect, or to satisfy customers who do not want to upgrade to a later major revision because they may be running critical infrastructure on their devices, and hence prefer to minimise change and risk.

Interim releases - Are usually produced on a weekly basis, and form a roll-up of current development effort. The Cisco advisory web site may list more than one possible interim to fix an associated issue (the reason for this is unknown to the general public).

Maintenance releases - Rigorously tested releases that are made available and include enhancements and bug fixes. Cisco recommend upgrading to Maintenance releases where possible, over Interim and Rebuild releases.

Trains

Cisco provides a Reference Guide for software release numbering.

Until 12.4

Before Cisco IOS release 15 releases are split into several "trains", each containing a different set of features. Trains more or less map onto distinct markets or groups of customers that Cisco is targeting.

There are other trains from time to time, designed for specific needs — for example, the 12.0AA train contained new code required for Cisco's AS5800 product.

Since 15.0

Starting with Cisco IOS release 15 there is just a single train: the M/T train. This train includes both extended maintenance releases and standard maintenance releases. The M releases are extended maintenance releases and Cisco will provide bug fixes for 44 months. The T releases are standard maintenance releases and Cisco will only provides bug fixes for 18 months.

Packaging / feature sets

Most Cisco products that run IOS also have one or more "feature sets" or "packages", typically eight packages for Cisco routers and five packages for Cisco network switches. For example, Cisco IOS releases meant for use on Catalyst switches are available as "standard" versions (providing only basic IP routing), "enhanced" versions, which provide full IPv4 routing support, and "advanced IP services" versions, which provide the enhanced features as well as IPv6 support.

Each individual package corresponds to one service category, such as

For additional information about Cisco IOS Packaging see White Paper: Cisco IOS Reference Guide

The exact feature set required for a particular function can be determined using the Cisco Feature Set Browser.

Beginning with the 1900, 2900 and 3900 series of ISR Routers, Cisco has revised the licensing model of IOS. Routers come with IP Base installed, and additional feature pack licenses can be installed as bolt-on additions to expand the feature set of the device. The available feature packs are:

Architecture

In all versions of Cisco IOS, packet routing and forwarding (switching) are distinct functions. Routing and other protocols run as Cisco IOS processes and contribute to the Routing Information Base (RIB). This is processed to generate the final IP forwarding table (FIB, Forwarding Information Base), which is used by the forwarding function of the router. On router platforms with software-only forwarding (e.g., Cisco 7200) most traffic handling, including access control list filtering and forwarding, is done at interrupt level using Cisco Express Forwarding (CEF) or dCEF (Distributed CEF). This means IOS does not have to do a process context switch to forward a packet. Routing functions such as OSPF or BGP run at the process level. In routers with hardware-based forwarding, such as the Cisco 12000 series, IOS computes the FIB in software and loads it into the forwarding hardware (such as an ASIC or network processor), which performs the actual packet forwarding function.

Cisco IOS has a "monolithic" architecture, which means that it runs as a single image and all processes share the same memory space. There is no memory protection between processes, which means that bugs in IOS code can potentially corrupt data used by other processes. It also has a run to completion scheduler, which means that the kernel does not pre-empt a running process — the process must make a kernel call before other processes get a chance to run. For Cisco products that required very high availability, such as the Cisco CRS-1, these limitations were not acceptable. In addition, competitive router operating systems that emerged 10–20 years after IOS, such as Juniper's JUNOS, were designed not to have these limitations.[3] Cisco's response was to develop a new version of Cisco IOS called IOS XR that offered modularity and memory protection between processes, lightweight threads, pre-emptive scheduling and the ability to independently re-start failed processes. IOS XR uses a 3rd party real-time operating system microkernel (QNX), and a large part of the current IOS code was re-written to take advantage of the features offered by the new kernel. But the microkernel architecture removes from the kernel all processes that are not absolutely required to run in the kernel, and executes them as processes similar to the application processes. Through this method, IOS XR is able to achieve the high availability desired for the new router platform. Thus IOS and IOS XR are very different codebases, though related in functionality and design. In 2005, Cisco introduced IOS XR on the Cisco 12000 series platform, extending the microkernel architecture from the CRS-1 to Cisco's widely deployed core router.

In 2006, Cisco has made available IOS Software Modularity which extends the QNX microkernel into a more traditional IOS environment, but still providing the software upgrade capabilities that customers are demanding. It is currently available on the Catalyst 6500 enterprise switch.

Security and vulnerabilities

Cisco IOS has proven vulnerable to buffer overflows and other problems that have afflicted other operating systems and applications.

Because the IOS needs to know the cleartext password for certain uses, (e.g., CHAP authentication) passwords entered into the CLI by default are weakly hashed as 'Type 7' hash values, such as "Router(config)#username jdoe password 7 0832585B1910010713181F". This is designed to prevent "shoulder-surfing" attacks when viewing router configurations and is not secure - they are easily decrypted using software called "getpass" available since 1995, although the passwords can be decoded by the router using the "key chain" command and entering the type 7 password as the key, and then issuing a "show key" command; the above example decrypts to "stupidpass".[4] However, the program will not decrypt 'Type 5' passwords or passwords set with the enable secret command, which uses salted MD5 hashes.

Note: Cisco recommends that all Cisco IOS devices implement the authentication, authorization, and accounting (AAA) security model. AAA can use local, RADIUS, and TACACS+ databases. However, a local account is usually still required for emergency situations.

See also

References

External links