Cisco IOS
Cisco IOS is the software used on the vast majority of Cisco Systems routers and current Cisco network switches. (Earlier switches ran CatOS.) IOS is a package of routing, switching, internetworking and telecommunications functions tightly integrated with a multitasking operating system.
The IOS CLI provides a fixed set of multiple-word commands; the set available is determined by the "mode" and the privilege level of the current user. "Global configuration mode" provides commands to change the system's configuration, and "interface configuration mode" provides commands to change the configuration of a specific interface. All commands are assigned a privilege level, from 0 to 15, and can only be accessed by users with the necessary privilege. Level 1 is the default user EXEC level and level 15 is the privileged (enable) level, which has full control of the device; by default almost every configuration-changing command sits at level 15. Through the CLI, the commands available to each privilege level can be redefined (the "privilege" configuration command moves individual commands between levels), so an intermediate level only restricts a user as far as commands have actually been assigned to it, and any account or line that can reach level 15 should be treated as full administrative access.
Versioning
Cisco IOS is versioned using three numbers and some letters, in the general form a.b(c.d)e, where:
- a is the major version number.
- b is the minor version number.
- c is the release number, which begins at one and increments as new releases in the same a.b train are released.
- d (omitted from general releases) is the interim build number.
- e (zero, one or two letters) is the release train identifier, such as none (which designates the mainline, see below), T (for Technology), E (for Enterprise), S (for Service provider), XA as a special functionality train, XB as a different special functionality train, etc. A rebuild number may follow the train identifier (see "Rebuilds" below).
Rebuilds - Often a rebuild is compiled to fix a single specific problem or vulnerability for a given IOS version. For example, 12.1(8)E14 is a rebuild, the 14 denoting the 14th rebuild of 12.1(8)E. Rebuilds are produced either to quickly repair a defect, or to satisfy customers who do not want to upgrade to a later major revision because they may be running critical infrastructure on their devices, and hence prefer to minimise change and risk.
Interim releases - Are usually produced on a weekly basis, and form a roll-up of current development effort. The Cisco advisory web site may list more than one possible interim to fix an associated issue (the reason for this is unknown to the general public).
Maintenance releases - Rigorously tested releases that are made available and include enhancements and bug fixes. Cisco recommends upgrading to maintenance releases where possible, over interim and rebuild releases.
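Matching the version a device reports against the "first fixed" versions in an advisory is where this notation matters in practice, and it is easy to get wrong by comparing across trains. The following is an added example written for this page (not Cisco code and not a Cisco API) that parses the a.b(c.d)e form above, including a trailing rebuild number, and compares two versions only when they belong to the same train. Two assumptions are the example's own: the train identifier is accepted as any run of capital letters (the text says two letters at most), and an interim build c.d is ordered after every rebuild of release c.

```python
"""Parse and compare Cisco IOS version strings of the form a.b(c.d)e[rebuild].

Added example; IosVersion, parse_ios_version and is_at_or_past are this
example's own names, not part of IOS or any Cisco tool.
"""
import re
from dataclasses import dataclass
from typing import Optional

# a.b(c[.d])e[n] = major.minor(release[.interim])train[rebuild]
# Assumption: the train identifier may be any run of capital letters.
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<release>\d+)(?:\.(?P<interim>\d+))?\)"
    r"(?P<train>[A-Z]*)(?P<rebuild>\d+)?$"
)


@dataclass(frozen=True)
class IosVersion:
    major: int
    minor: int
    release: int
    interim: Optional[int]   # None for general releases
    train: str               # "" for the mainline
    rebuild: Optional[int]   # None unless the string ends in a rebuild number

    @property
    def is_mainline(self) -> bool:
        return self.train == ""

    def train_key(self) -> tuple:
        """Identity of the a.b train this version belongs to."""
        return (self.major, self.minor, self.train)

    def order_key(self) -> tuple:
        """Ordering within one train. Assumption of this example: an interim
        build (c.d) sorts after every rebuild of general release c."""
        return (self.release, self.interim or 0, self.rebuild or 0)


def parse_ios_version(text: str) -> IosVersion:
    """Parse e.g. '12.1(8)E14', '12.0(1.2)T' or the mainline '12.2(33)'."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not an IOS version string: {text!r}")
    g = m.groupdict()
    return IosVersion(
        major=int(g["major"]),
        minor=int(g["minor"]),
        release=int(g["release"]),
        interim=int(g["interim"]) if g["interim"] is not None else None,
        train=g["train"],
        rebuild=int(g["rebuild"]) if g["rebuild"] is not None else None,
    )


def is_at_or_past(running: str, first_fixed: str) -> bool:
    """True if `running` is in the same train as `first_fixed` and is that
    version or a later one. Versions from different trains are refused: a
    fixed release in one train says nothing about exposure in another."""
    r, f = parse_ios_version(running), parse_ios_version(first_fixed)
    if r.train_key() != f.train_key():
        raise ValueError(f"{running} and {first_fixed} are in different trains")
    return r.order_key() >= f.order_key()


if __name__ == "__main__":
    for s in ("12.1(8)E14", "12.0(1.2)T", "12.2(33)", "12.2(33)SRE3"):
        print(s, "->", parse_ios_version(s))
    print("12.1(8)E14 fixed by 12.1(8)E6?", is_at_or_past("12.1(8)E14", "12.1(8)E6"))
```

Refusing to compare across trains is deliberate: a device on 12.1(8)E14 is not protected by a fix that first shipped in 12.2(33)SRE3, and an inventory script that silently compared the tuples would report it as patched.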
Trains
Cisco IOS releases are split into several "trains", each containing a different set of features. Trains more or less map onto distinct markets or groups of customers that Cisco is targeting.
- The mainline train is designed to be the most stable release the company can offer, and its feature set never expands during its lifetime. Updates are released only to address bugs in the product. The previous technology train becomes the source for the current mainline train; for example, the 12.1T train becomes the basis for the 12.2 mainline. Therefore, to determine the features available in a particular mainline release, look at the previous T train release.
- The T (Technology) train gets new features and bug fixes throughout its life, and is therefore potentially less stable than the mainline. (In releases prior to Cisco IOS Release 12.0, the P train served as the Technology train.) Cisco does not recommend use of the T train in production environments unless there is an urgent need for a feature that only a T train release provides.
- The S (Service Provider) train runs only on the company's core router products and is heavily customized for service provider customers.
- The E (Enterprise) train is customized for implementation in enterprise environments.
- The B (Broadband) train supports Internet-based broadband features.
- The X* trains (XA, XB, ...) are special functionality trains.
There are other trains from time to time, designed for specific needs; for example, the 12.0AA train contained new code required for Cisco's AS5800 product.
Packaging / feature sets
Most Cisco products that run IOS also have one or more "feature sets" or "packages", typically eight packages for Cisco routers and five packages for Cisco network switches. For example, Cisco IOS releases meant for use on Catalyst switches are available as "standard" versions (providing only basic IP routing), "enhanced" versions, which provide full IPv4 routing support, and "advanced IP services" versions, which provide the enhanced features as well as IPv6 support. The installed feature set determines which subsystems are present on a device, and therefore which vulnerable code paths can be reached, so it should be recorded alongside the version when assessing exposure to an advisory.
Each individual package corresponds to one service category, such as:
- IP data
- Converged voice and data
- Security and VPN
For additional information about Cisco IOS packaging see the white paper "Cisco IOS Reference Guide". The exact feature set required for a particular function can be determined using the Cisco Feature Set Browser.
Beginning with the 1900, 2900 and 3900 series of ISR routers, Cisco revised the licensing model of IOS. Routers come with IP Base installed, and additional feature pack licenses can be installed as bolt-on additions to expand the feature set of the device. The available feature packs are:
- Data adds features like BFD, IP SLAs, IPX, L2TPv3, Mobile IP, MPLS.
- Security adds features like VPN, Firewall, IP SLAs, NAC.
- Unified Comms adds features like CallManager Express, Gatekeeper, H.323, IP SLAs, MGCP, SIP, VoIP.
Architecture
In all versions of Cisco IOS, packet routing and forwarding (switching) are distinct functions. Routing and other protocols run as Cisco IOS processes and contribute to the Routing Information Base (RIB). This is processed to generate the final IP forwarding table (FIB, Forwarding Information Base), which is used by the forwarding function of the router. On router platforms with software-only forwarding (e.g., Cisco 7200) most traffic handling, including access control list filtering and forwarding, is done at interrupt level using Cisco Express Forwarding (CEF) or dCEF (Distributed CEF). This means IOS does not have to do a process context switch to forward a packet. Routing functions such as OSPF or BGP run at the process level. In routers with hardware-based forwarding, such as the Cisco 12000 series, IOS computes the FIB in software and loads it into the forwarding hardware (such as an ASIC or network processor), which performs the actual packet forwarding function.
Cisco IOS has a "monolithic" architecture, which means that it runs as a single image and all processes share the same memory space. There is no memory protection between processes, so a bug in any IOS component can corrupt data used by other processes; in security terms, a memory-corruption flaw in one feature is a flaw in the whole device, and triggering it typically either crashes and reloads the router or, where the flaw is exploitable, gives the attacker control of everything running on it. IOS also has a run-to-completion scheduler, which means that the kernel does not pre-empt a running process; the process must make a kernel call before other processes get a chance to run. For Cisco products that required very high availability, such as the Cisco CRS-1, these limitations were not acceptable. In addition, competing router operating systems that emerged 10-20 years after IOS, such as Juniper's JUNOS, were designed not to have these limitations. Cisco's response was to develop a new version of Cisco IOS called IOS XR that offered modularity and memory protection between processes, lightweight threads, pre-emptive scheduling and the ability to independently restart failed processes. IOS XR uses a third-party real-time operating system microkernel (QNX), and a large part of the IOS code was rewritten to take advantage of the features offered by the new kernel. The microkernel architecture removes from the kernel all processes that are not absolutely required to run in the kernel, and executes them as processes similar to the application processes. Through this method, IOS XR is able to achieve the high availability desired for the new router platform. Thus IOS and IOS XR are very different codebases, though related in functionality and design. In 2005, Cisco introduced IOS XR on the Cisco 12000 series platform, extending the microkernel architecture from the CRS-1 to Cisco's widely deployed core router.
In 2006, Cisco made available IOS Software Modularity, which extends the QNX microkernel into a more traditional IOS environment while still providing the software upgrade capabilities that customers demand. It is currently available on the Catalyst 6500 enterprise switch.
Security and vulnerabilities
Cisco IOS has proven vulnerable to buffer overflows and other problems that have afflicted other operating systems and applications.
Because IOS needs to know the cleartext password for certain uses (e.g., CHAP authentication), passwords entered with the "password" keyword are stored in a recoverable form: in cleartext ('Type 0') by default, or, once "service password-encryption" is configured, as weakly obfuscated 'Type 7' values such as "Router(config)#username jdoe password 7 0832585B1910010713181F". Type 7 is not a hash but a fixed-key XOR; it is designed only to prevent "shoulder-surfing" when viewing router configurations and is not secure. It is trivially reversible, and software to do so (such as "getpass") has been available since 1995. The router itself will also decode a Type 7 value: define a key chain, enter the value with the "key-string 7" command, and display it with "show key chain"; the above example decodes to "stupidpass". Such tools do not recover 'Type 5' hashes, which are what the "enable secret" and "username ... secret" commands store: salted, iterated MD5 in the md5crypt ("$1$salt$hash") format, which can only be attacked by guessing. Later IOS releases add stronger secret types (type 8, PBKDF2-SHA-256, and type 9, scrypt), and these should be preferred over type 5 where available. In practice, any "enable password" or "username ... password" line in a configuration should be treated as disclosing that credential to everyone who can read the configuration, including from backups and TFTP servers.
Note: Cisco recommends that all Cisco IOS devices implement the authentication, authorization, and accounting (AAA) security model. AAA can use local, RADIUS, and TACACS+ databases. However, a local account is usually still required for emergency situations (for example, when the AAA servers are unreachable), and that account's credential should be stored with "secret", not "password".
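The Type 7 reversal described above, and the audit of a configuration for "password" rather than "secret" credentials that the AAA note implies, are shown together in the following added example. It is written for this page and is not Cisco code or a Cisco tool; the fixed XOR key is the well-known constant IOS uses for Type 7, the sample configuration is constructed (the Type 5 value in it is a placeholder, not a real hash), and the Finding and audit_config names are the example's own. The severity it assigns follows the privilege-level point from the CLI section: a reversible password on a privilege 15 account is a full-device compromise for anyone who can read the configuration.

```python
"""Decode IOS type 7 values and audit a configuration for reversible credentials.

Added example; not an IOS feature. The sample configuration below is
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# The fixed key IOS XORs each password byte against for "password 7" values.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 value: two decimal digits give the starting offset
    into TYPE7_KEY, then one hex byte per character, each XORed with the key
    byte at (offset + position) mod len(TYPE7_KEY)."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a type 7 value: {encoded!r}")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def encode_type7(plaintext: str, offset: int = 8) -> str:
    """Produce the value IOS would store. IOS picks an offset in 0..15, so one
    password has several valid encodings; the text's example uses offset 08."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0..15")
    body = bytes(c ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, c in enumerate(plaintext.encode("ascii")))
    return f"{offset:02d}{body.hex().upper()}"


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    line_no: int    # 0 for whole-configuration findings
    text: str


ENABLE_RE = re.compile(r"^enable (password|secret)(?: (\d))? (\S+)$")
USERNAME_RE = re.compile(
    r"^username (\S+)(?: privilege (\d+))? (password|secret)(?: (\d))? (\S+)$")


def _reveal(ptype: Optional[str], value: str) -> str:
    # Type 7 is decoded on the spot; no type keyword means type 0 (cleartext).
    return decode_type7(value) if ptype == "7" else value


def audit_config(config: str) -> List[Finding]:
    """Flag every credential stored with 'password' (type 0 or 7) and the
    absence of AAA; 'secret' (type 5) lines are accepted."""
    findings: List[Finding] = []
    has_aaa = False
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line == "aaa new-model":
            has_aaa = True
        elif line == "service password-encryption":
            findings.append(Finding("info", n,
                "service password-encryption only applies type 7 obfuscation; "
                "it does not protect passwords from anyone who can read the config"))
        elif (m := ENABLE_RE.match(line)) and m.group(1) == "password":
            ptype, value = m.group(2), m.group(3)
            findings.append(Finding("high", n,
                f"enable password is reversible (type {ptype or '0'}): "
                f"{_reveal(ptype, value)!r}; use 'enable secret'"))
        elif (m := USERNAME_RE.match(line)) and m.group(3) == "password":
            user, priv, _, ptype, value = m.groups()
            sev = "high" if priv == "15" else "medium"   # default privilege is 1
            findings.append(Finding(sev, n,
                f"user {user} (privilege {priv or '1'}) has reversible type "
                f"{ptype or '0'} password {_reveal(ptype, value)!r}; "
                f"use 'username {user} ... secret'"))
    if not has_aaa:
        findings.append(Finding("medium", 0,
            "aaa new-model is absent; authentication relies on per-line passwords "
            "or 'login local' rather than the AAA model Cisco recommends"))
    return findings


# Constructed sample configuration; not from a real device. The type 7 value
# is the one quoted in the text above; the type 5 value is a placeholder.
SAMPLE_CONFIG = """\
hostname edge-rtr
service password-encryption
enable password 7 0832585B1910010713181F
username jdoe privilege 15 password 7 0832585B1910010713181F
username ops secret 5 $1$salt$PLACEHOLDERHASH
line vty 0 4
 login local
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] line {f.line_no}: {f.text}")
```

Run against the sample, the script decodes both Type 7 values to "stupidpass" and reports the privilege 15 account and the enable password as high severity, while the "secret" line for ops produces no finding. The encoder is included so the same code can be used to confirm that a candidate plaintext matches a configuration value without touching a router.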
See also
- NX-OS, formerly known as SAN-OS
- Network operating system
- IOS XR
- JUNOS
- Supervisor Engine (Cisco)