Cisco IOS

From Free net encyclopedia

Cisco IOS (originally Internetwork Operating System) is the software used on the vast majority of Cisco Systems routers and some network switches (some switches run CatOS (Catalyst OS); some can run either CatOS or IOS). (CatOS development has now ceased.) IOS is a package of routing, switching, internetworking and telecommunications functions tightly integrated with a multitasking operating system. The first IOS was written by William Yeager.

Cisco IOS has a characteristic command line interface (CLI), whose style has been widely copied by other networking products. The IOS CLI provides a fixed set of multiple-word commands -- the set available is determined by the "mode" and the privilege level of the current user. "Global configuration mode" provides commands to change the system's configuration, and "interface configuration mode" provides commands to change the configuration of a specific interface. A typical command may be "show interface fa0/48" or "no ip cef traffic-statistics". All commands are assigned a privilege level, from 0 to 15, and can only be accessed by users with the necessary privilege. Through the CLI, the commands available to each privilege level can be defined.

Contents 1 Versioning 2 Trains 3 Feature sets 4 Architecture 5 Security and vulnerabilities 6 See also 7 External links

Versioning

Cisco IOS versions are versioned using three numbers and some letters, in the general form a.b(c.d)e, where

• a is the major version number of the release
• b is the minor version number
• c is the release number, which begins at one and increments as new releases in the same a.b train are released
• d (omitted from general releases) is the interim build number
• e (zero, one or two letters) is the release train identifier, such as none (which designates the mainline, see below), T (for Technology), E (for Enterprise), S (for Service provider), XA as a special functionality train, XB as a different special functionality train etc.

For example, release 12.3(1) is the first mainline Cisco IOS release of version 12.3. 12.3(2) is the next release, and so on. 12.3(1)T is the first release of the T train, 12.3(2)T the next, and so on. Interim builds are candidates for the next release, and are frequently made available by Cisco support as a faster way to provide fixes for bugs before the next release is available. For example, 12.3(1.2)T is the 2nd interim build after release 12.3(1)T.

Trains

Cisco IOS releases are split into several "trains", each containing a different set of features. Trains more or less map onto distinct markets or groups of customers that Cisco is targeting.

• The mainline train is designed to be the most stable release the company can offer, and its feature set never expands during its lifetime. Updates are released only to address bugs in the product. The previous technology train becomes the source for the current mainline train--for example, the 12.1T train becomes the basis for the 12.2 mainline. Therefore, to determine the features available in a particular mainline release, look at the previous T train release.
• The T - Technology train, gets new features and bug fixes throughout its life, and is therefore less stable than the mainline. (In releases prior to Cisco IOS Release 12.0, the P train served as the Technology train.)
• The S - Service Provider train, runs only on the company's core router products and is heavily customized for Service Provider customers.
• The E - Enterprise train, is customized for implementation in enterprise environments.
• The B - broadband train, support internet based broadband features.

There are other trains from time to time, designed for specific needs -- for example, the 12.0AA train contained new code required for Cisco's AS5800 product.

Feature sets

Most Cisco products that run IOS also have one or more "feature sets". For example, Cisco IOS releases meant for use on Catalyst switches are available as "standard" versions (providing only basic IP routing), "enhanced" versions, which provide full IPv4 routing support, and "advanced IP services" versions, which provide the enhanced features as well as IPv6 support. See White Paper: Cisco IOS Reference Guide

Architecture

In all versions of Cisco IOS, packet routing and forwarding (switching) are distinct functions. Routing and other protocols run as Cisco IOS processes and contribute to the Routing Information Base (RIB). This is processed to generate the final IP forwarding table (FIB -- Forwarding Information Base), which is used by the forwarding function of the router. On router platforms with software-only forwarding (e.g. Cisco 7200) most traffic handling, including access control list filtering and forwarding, is done at interrupt level using Cisco Express Forwarding (CEF) or dCEF (Distributed CEF). This means IOS does not have to do a process context switch to forward a packet. Routing functions such as OSPF or BGP4 run at the process level. In routers with hardware-based forwarding, such as the Cisco 12000 series, IOS computes the FIB in software and loads it into the forwarding hardware (such as an ASIC or network processor), which performs the actual packet forwarding function.

Cisco IOS has a "monolithic" architecture, which means that it runs as a single image and all processes share the same memory space. There is no memory protection between processes, which means that bugs in IOS code can potentially corrupt data used by other processes. It also has a "run to completion" scheduler, which means that the kernel does not pre-empt a running process -- the process must make a kernel call before other processes get a chance to run. For Cisco products that required very high availability, such as the Cisco CRS-1, these limitations were not acceptable. In addition, competitive router operating systems that emerged 10-20 years after IOS, such as Juniper's JunOS, were designed not to have these limitations. Cisco's response was to develop a new version of Cisco IOS called IOS-XR that offered modularity and memory protection between processes, lightweight threads, pre-emptive scheduling and the ability to independently re-start failed processes. IOS-XR uses a 3rd party real-time operating system microkernel (QNX), and a large part of the current IOS code was re-written to take advantage of the features offered by the new kernel -- a massive undertaking. But the microkernel architecture removes from the kernel all process that are not absolutely required to run in the kernel, and executes them as processes similar to the application processes. Through this method, IOS-XR is able to achieve the high availability desired for the new router platform. Thus IOS and IOS-XR are very different codebases, though related in functionality and design. In 2005, Cisco introduced IOS-XR on the Cisco 12000 series platform, extending the microkernel architecture from the CRS-1 to Cisco's widely deployed core router.

Recently (in 2006), Cisco has made available IOS Software Modularity which extends the QNX microkernel into a more traditional IOS environment, but still providing the ISSU capabilities that customers are demanding. It is currently available on the Catalyst 6500 enterprise switch.

Security and vulnerabilities

Cisco IOS has proven vulnerable to buffer overflows and other problems that have afflicted other operating systems and applications. Given that Cisco has by far the largest installed base of networking equipment of all vendors and aspirations to be a leader in network security, it is typically fast to respond to and fix any problems found.

A legacy CLI issue, retained for compatibility reasons, is that passwords encrypted on the CLI as 'Type 7' hash values, such as "username jdoe password 7 0832585B1910010713181F", are easily decrypted using software available since 1995; as an example, a Wikipedia contributor decrypted this to "stupidpass". Although this is old news, use of these weak hashes continues due to ignorance of the problem (see Insecure.org Cisco password decryption). There are some valid reasons to not move to one-way MD5 (Type 5) password hashes in every instance, however, such as for a CHAP or PAP secret (whose plaintext must be known to the router to be able to successfully authenticate with a remote system). Type-7 is intended only for protection against shoulder surfing, since it's easily reversible.

In this example, a more sensible configuration would be "username jdoe secret 5 $1$NX/d$mK2ONF9MHA2klRdYPTLZ31", which uses a one-way MD5 hash (again of "stupidpass"). This is much more secure since it cannot be fed into a program and instantly reversed; however, an attacker with access to the MD5 hash could use software to mount a brute force attack, creating MD5 hashes of every possible combination of characters. This can take an incredibly long time, depending on the length of the original password and the characters used in it, but it is not impossible. Therefore, one should still remove MD5 hashes from configurations provided to third parties (support teams, newsgroup postings asking for help, etc).

See also

• SAN-OS
• Network operating system
• Catalyst switch
• Mike Lynn, a security researcher who publicly exposed a flaw in the operating system in 2005

External links

• Cisco IOS Software Configuration Guides and Command References (Versions 10.0 through 12.4)de:Internetwork Operating System

es:IOS fr:IOS he:IOS pl:IOS ru:IOS