
Cisco IOS

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by 83.67.39.6 (talk) at 20:29, 1 February 2007. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Cisco IOS (originally Internetwork Operating System) is the software used on the vast majority of Cisco Systems routers and all current Cisco network switches. IOS is a package of routing, switching, internetworking and telecommunications functions tightly integrated with a multitasking operating system. The first IOS was written by William Yeager.

Cisco IOS has a characteristic command line interface (CLI), whose style has been widely copied by other networking products. The IOS CLI provides a fixed set of multiple-word commands -- the set available is determined by the "mode" and the privilege level of the current user. "Global configuration mode" provides commands to change the system's configuration, and "interface configuration mode" provides commands to change the configuration of a specific interface. A typical command may be "show interface fa0/48" or "no ip cef traffic-statistics". All commands are assigned a privilege level, from 0 to 15, and can only be accessed by users with the necessary privilege. Through the CLI, the commands available to each privilege level can be defined.

Versioning

Cisco IOS releases are versioned using three numbers and some letters, in the general form a.b(c.d)e, where

  • a is the major version number of the release
  • b is the minor version number
  • c is the release number, which begins at one and increments as new releases in the same a.b train are released
  • d (omitted from general releases) is the interim build number
  • e (zero, one or two letters) is the release train identifier, such as none (which designates the mainline, see below), T (for Technology), E (for Enterprise), S (for Service provider), XA as a special functionality train, XB as a different special functionality train etc.

For example, release 12.3(1) is the first mainline Cisco IOS release of version 12.3. 12.3(2) is the next release, and so on. 12.3(1)T is the first release of the T train, 12.3(2)T the next, and so on. Interim builds are candidates for the next release, and are frequently made available by Cisco support as a faster way to provide fixes for bugs before the next release is available. For example, 12.3(1.2)T is the 2nd interim build after release 12.3(1)T.

Rebuilds - Often a rebuild is compiled to fix a single specific problem or vulnerability for a given IOS version. For example, 12.1(8)E14 is a rebuild, the 14 denoting the 14th rebuild of 12.1(8)E. Rebuilds are produced either to quickly repair a defect, or to satisfy customers who do not want to upgrade to a later major revision because they may be running critical infrastructure on their devices, and hence prefer to minimise change and risk.

Interim releases - Are usually produced on a weekly basis, and form a roll-up of the current development effort. The Cisco advisory web site may list more than one possible interim build to fix an associated issue (the reason for this is not known to the general public).

Maintenance releases - Rigorously tested releases that are made available and include enhancements and bug fixes. Cisco recommends upgrading to maintenance releases where possible, in preference to interim and rebuild releases.
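The version format above is the kind of thing an operator checks constantly when matching a running image against the fixed release named in an advisory. The following parser is an added example, not code from the page or from Cisco; it implements the a.b(c.d)e form exactly as described (major, minor, release, optional interim, optional one- or two-letter train) plus the trailing rebuild number from the 12.1(8)E14 example, and it refuses to compare versions across different trains, since the page states that trains carry different feature sets. The ordering of rebuilds relative to interim builds of the same release is not defined by the page, so the sort key here is an assumption (release, then rebuild, then interim).

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# a.b(c.d)e with an optional trailing rebuild number, e.g. 12.3(1.2)T or 12.1(8)E14.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<release>\d+)(?:\.(?P<interim>\d+))?\)"
    r"(?P<train>[A-Z]{0,2})"
    r"(?P<rebuild>\d+)?$"
)


@dataclass(frozen=True)
class IOSVersion:
    major: int
    minor: int
    release: int
    interim: Optional[int]   # None for a general release (the ".d" part is omitted)
    train: str               # "" means the mainline train
    rebuild: Optional[int]   # None unless the string ends in a rebuild number

    @classmethod
    def parse(cls, text: str) -> "IOSVersion":
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"not an IOS version string: {text!r}")
        g = m.groupdict()
        return cls(
            major=int(g["major"]),
            minor=int(g["minor"]),
            release=int(g["release"]),
            interim=int(g["interim"]) if g["interim"] is not None else None,
            train=g["train"],
            rebuild=int(g["rebuild"]) if g["rebuild"] is not None else None,
        )

    def kind(self) -> str:
        """Classify as an interim build, a rebuild, or a regular release."""
        if self.interim is not None:
            return "interim"
        if self.rebuild is not None:
            return "rebuild"
        return "release"

    def sort_key(self) -> Tuple[int, int, int, int, int]:
        # Assumption: within one train, order by release number, then rebuild,
        # then interim build. 12.3(1.2)T therefore sorts after 12.3(1)T and
        # before 12.3(2)T, matching the "candidate for the next release" rule.
        return (self.major, self.minor, self.release, self.rebuild or 0, self.interim or 0)


def at_or_after(running: str, fixed: str) -> bool:
    """True if `running` is in the same a.b train as `fixed` and is not older.

    Versions from different trains (e.g. 12.3(1) mainline vs 12.3(1)T) are not
    comparable by number, so that case raises instead of guessing.
    """
    r, f = IOSVersion.parse(running), IOSVersion.parse(fixed)
    if (r.major, r.minor, r.train) != (f.major, f.minor, f.train):
        raise ValueError(f"{running} and {fixed} belong to different trains")
    return r.sort_key() >= f.sort_key()


if __name__ == "__main__":
    for v in ("12.3(1)", "12.3(1)T", "12.3(1.2)T", "12.1(8)E14"):
        print(v, IOSVersion.parse(v).kind())
    print(at_or_after("12.1(8)E14", "12.1(8)E"))
```

Calling `at_or_after("12.1(8)E14", "12.1(8)E")` returns True, while `at_or_after("12.3(1)", "12.3(1)T")` raises, which is the behaviour you want in an inventory script: a mainline image must be checked against the mainline fixed release, not against the T train's.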

Trains

Cisco IOS releases are split into several "trains", each containing a different set of features. Trains more or less map onto distinct markets or groups of customers that Cisco is targeting.

  • The mainline train is designed to be the most stable release the company can offer, and its feature set never expands during its lifetime. Updates are released only to address bugs in the product. The previous Technology train becomes the source for the current mainline train -- for example, the 12.1T train becomes the basis for the 12.2 mainline. Therefore, to determine the features available in a particular mainline release, look at the previous T train release.
  • The T (Technology) train gets new features and bug fixes throughout its life, and is therefore less stable than the mainline. (In releases prior to Cisco IOS Release 12.0, the P train served as the Technology train.)
  • The S (Service Provider) train runs only on the company's core router products and is heavily customized for service provider customers.
  • The E (Enterprise) train is customized for implementation in enterprise environments.
  • The B (Broadband) train supports Internet-based broadband features.

There are other trains from time to time, designed for specific needs -- for example, the 12.0AA train contained new code required for Cisco's AS5800 product.

Cisco IOS Packaging or Feature sets

Most Cisco products that run IOS also have one or more "feature sets" or "packages", typically eight packages for Cisco routers and five packages for Cisco switches. For example, Cisco IOS releases meant for use on Catalyst switches are available as "standard" versions (providing only basic IP routing), "enhanced" versions, which provide full IPv4 routing support, and "advanced IP services" versions, which provide the enhanced features as well as IPv6 support.

Each individual package corresponds to one service category, such as

  • IP data
  • Converged voice and data
  • Security and VPN

For additional information about Cisco IOS Packaging see White Paper: Cisco IOS Reference Guide

Architecture

In all versions of Cisco IOS, packet routing and forwarding (switching) are distinct functions. Routing and other protocols run as Cisco IOS processes and contribute to the Routing Information Base (RIB). This is processed to generate the final IP forwarding table (FIB -- Forwarding Information Base), which is used by the forwarding function of the router. On router platforms with software-only forwarding (e.g. Cisco 7200) most traffic handling, including access control list filtering and forwarding, is done at interrupt level using Cisco Express Forwarding (CEF) or dCEF (Distributed CEF). This means IOS does not have to do a process context switch to forward a packet. Routing functions such as OSPF or BGP4 run at the process level. In routers with hardware-based forwarding, such as the Cisco 12000 series, IOS computes the FIB in software and loads it into the forwarding hardware (such as an ASIC or network processor), which performs the actual packet forwarding function.

Cisco IOS has a "monolithic" architecture, which means that it runs as a single image and all processes share the same memory space. There is no memory protection between processes, which means that bugs in IOS code can potentially corrupt data used by other processes. It also has a "run to completion" scheduler, which means that the kernel does not pre-empt a running process -- the process must make a kernel call before other processes get a chance to run. For Cisco products that required very high availability, such as the Cisco CRS-1, these limitations were not acceptable. In addition, competing router operating systems that emerged 10-20 years after IOS, such as Juniper's JunOS, were designed not to have these limitations. Cisco's response was to develop a new version of Cisco IOS called IOS-XR that offered modularity and memory protection between processes, lightweight threads, pre-emptive scheduling and the ability to independently restart failed processes. IOS-XR uses a third-party real-time operating system microkernel (QNX), and a large part of the current IOS code was rewritten to take advantage of the features offered by the new kernel -- a massive undertaking. The microkernel architecture removes from the kernel all processes that are not absolutely required to run in the kernel, and executes them as processes similar to the application processes. Through this method, IOS-XR is able to achieve the high availability desired for the new router platform. Thus IOS and IOS-XR are very different codebases, though related in functionality and design. In 2005, Cisco introduced IOS-XR on the Cisco 12000 series platform, extending the microkernel architecture from the CRS-1 to Cisco's widely deployed core router.

Recently (in 2006), Cisco made available IOS Software Modularity, which extends the QNX microkernel into a more traditional IOS environment while still providing the software upgrade capabilities that customers are demanding. It is currently available on the Catalyst 6500 enterprise switch.

Using the Cisco Command Line

To use the Cisco IOS Command Line Interface you need to change modes in order to enter different commands. Here is a quick sketch of how you get from mode to mode.

Cisco Modes

You can type ? to get a list of the commands available in the current mode. You can also type part of a command and then press the Tab key to complete it. Here is a list of the different modes in the Cisco IOS command line.

  • Viewer Mode - The mode the user starts in after logging on.
  • Privileged Mode - Allows you to use the show command to find out more about the interfaces. To get to this mode from Viewer mode, use the command enable.
  • Global Configuration Mode - Allows you to change the name of the router.
  • Interface Mode - Allows you to change the IP address of individual interface cards on the router.

Finding out the status of each card

The command show ip interface brief shows a table of the current interfaces available. The following information is shown.

  • Name of the interface
  • IP address and subnet mask that have been assigned to that card.
  • Whether the card is physically connected to the router.
  • Whether it has been enabled on the router.
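Reading that table by hand is fine for one router; across many it is worth parsing. The following is an added example, not code from the page: it parses the column layout of show ip interface brief (interface, IP address, OK, method, status, protocol) from a constructed sample of output, and classifies each interface. The sample output, the interface names and the classification labels are constructed for this example; the status column's three values ("up", "down", "administratively down") are the ones the command prints.

```python
import re
from typing import Dict, List, NamedTuple, Optional


class Interface(NamedTuple):
    name: str
    ip: Optional[str]       # None when the column reads "unassigned"
    method: str
    status: str             # "up", "down" or "administratively down"
    protocol: str           # "up" or "down"


# One data row of 'show ip interface brief'. The status column can be two
# words ("administratively down"), so it is matched explicitly rather than as \S+.
_ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>up|down|administratively down)\s+(?P<protocol>up|down)\s*$"
)

# Constructed sample output (not captured from a real device).
SAMPLE_OUTPUT = """\
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.0.2.1       YES manual up                    up
FastEthernet0/1            unassigned      YES unset  up                    up
Serial0/0                  198.51.100.1    YES manual down                  down
Serial0/1                  unassigned      YES unset  administratively down down
"""


def parse_ip_int_brief(output: str) -> List[Interface]:
    """Return one Interface per data row; header, blank and prompt lines are skipped."""
    rows: List[Interface] = []
    for line in output.splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            continue
        ip = None if m["ip"] == "unassigned" else m["ip"]
        rows.append(Interface(m["name"], ip, m["method"], m["status"], m["protocol"]))
    return rows


def classify(iface: Interface) -> str:
    """Map status/protocol/IP to a short label a reviewer can act on."""
    if iface.status == "administratively down":
        return "disabled"               # needs 'no shutdown' before it can come online
    if iface.status == "up" and iface.protocol == "up":
        # An enabled interface with no address is live but unused: a candidate for shutdown.
        return "up" if iface.ip else "up-unaddressed"
    # Enabled but not up: usually a cabling or peer problem, more urgent if it carries an IP.
    return "configured-but-down" if iface.ip else "down"


def audit(output: str) -> Dict[str, str]:
    """Interface name -> classification, for the whole command output."""
    return {iface.name: classify(iface) for iface in parse_ip_int_brief(output)}


if __name__ == "__main__":
    for name, state in audit(SAMPLE_OUTPUT).items():
        print(f"{name:20} {state}")
```

On the sample, Serial0/0 is reported as configured-but-down (it has an address but no line), FastEthernet0/1 as up-unaddressed (enabled with nothing on it), and Serial0/1 as disabled; the "up-unaddressed" case is the one worth a second look, since an enabled but unused port is attack surface that a single shutdown removes.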

Changing the Name of The router

To allow administrators to identify the routers they use, they can give each router a name. This is done with the command sequence enable > config t > hostname "Name of router". The name of the router is then shown in the command prompt.

Changing the Interface Card IP Address and Subnet Mask

Each network interface on the router can have its own IP address and subnet mask. You can change each individual interface card by typing

enable > config t > int [NameOfInterface], e.g. int f0/0, int f0/1, etc.

The name of the interface refers to the following. This depends on the router you use. On some Cisco routers there are four interfaces.

  • Fast Ethernet f0/0 (this allows you to plug in a switch)
  • Fast Ethernet f0/1 (this allows you to plug in another switch)
  • Serial Ethernet s0/0 (this allows you to plug into another router)
  • Serial Ethernet s0/1 (this allows you to plug into another router)

The next job is to give the router an IP address and subnet mask:

ip address [ip address] [subnet]

By default the interface is disabled; use the command no shutdown to bring the interface online.

Security and vulnerabilities

Cisco IOS has proven vulnerable to buffer overflows and other problems that have afflicted other operating systems and applications. Given that Cisco has by far the largest installed base of networking equipment of all vendors and aspirations to be a leader in network security, it is typically fast to respond to and fix any problems found.

A legacy CLI issue, retained for compatibility reasons, is that passwords encrypted on the CLI as 'Type 7' hash values, such as "username jdoe password 7 0832585B1910010713181F", are easily decrypted using software available since 1995; the above example decrypts to "stupidpass". Although this is old news, use of these weak hashes continues due to ignorance of the problem (see Insecure.Org Cisco password decryption). There are some valid reasons to not move to one-way SHA1 (Type 5) password hashes in every instance, however, such as for a CHAP or PAP secret (whose plaintext must be known to the router to be able to successfully authenticate with a remote system). Type-7 is intended only for protection against shoulder surfing, since it's easily reversible.
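The practical consequence of the paragraph above is that a configuration file should be treated as containing the plaintext of every Type 7 credential in it, and that the only credentials which legitimately stay in Type 7 form are the ones the router must be able to read back, such as CHAP or PAP secrets. The following configuration audit is an added example, not code from the page or from Cisco: it scans a constructed configuration fragment, reports each credential line by its type, and, for Type 7 values outside a CHAP/PAP context, demonstrates reversibility using the page's own example value, which recovers to "stupidpass". The Type 7 encoding is a fixed-key XOR with a key published in 1995 (the Insecure.Org reference above); the hostname, usernames and the Type 5 value in the sample are placeholders.

```python
import re
from typing import List, Tuple

# Type 7 is not a hash: each password byte is XORed with a byte of this constant
# key string, and the first two decimal digits of the value give the starting key
# offset. The key has been public since 1995, which is why Type 7 is reversible.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches 'password <type> <value>' and 'secret <type> <value>' wherever they appear
# (username lines, enable lines, interface-level ppp chap/pap lines).
_CRED_RE = re.compile(r"\b(?:password|secret)\s+(?P<type>[057])\s+(?P<value>\S+)")

# Constructed configuration fragment (hostname, usernames and the Type 5 value are
# placeholders; the Type 7 value is the one quoted in the text above).
SAMPLE_CONFIG = """\
hostname edge-router
username jdoe password 7 0832585B1910010713181F
username admin secret 5 $1$PLACEHOLDER$notarealhashvalue
enable password 0 cleartext
interface Serial0/0
 encapsulation ppp
 ppp chap password 7 0832585B1910010713181F
"""


def type7_reverse(encoded: str) -> str:
    """Recover the plaintext behind a Type 7 value (shows that it is not a hash)."""
    if len(encoded) < 4 or len(encoded) % 2 != 0 or not encoded[:2].isdigit():
        raise ValueError(f"malformed Type 7 value: {encoded!r}")
    offset = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    plain = bytearray(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii", errors="replace")


def audit_credentials(config: str) -> List[Tuple[int, str, str]]:
    """Return (line number, credential line, finding) for every credential in the config."""
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(config.splitlines(), 1):
        m = _CRED_RE.search(line)
        if not m:
            continue
        kind, value, cmd = m["type"], m["value"], line.strip()
        if kind == "0":
            findings.append((n, cmd, "plaintext: no protection at all"))
        elif kind == "5":
            findings.append((n, cmd, "one-way hash: acceptable"))
        elif "chap" in cmd or "pap" in cmd:
            # The router needs the plaintext to authenticate to the peer, so Type 7
            # is the best available here; the fix is to protect the config file.
            findings.append((n, cmd, "reversible Type 7, required for CHAP/PAP: restrict access to the configuration"))
        else:
            findings.append((n, cmd, f"reversible Type 7 (recovers to {type7_reverse(value)!r}): migrate to a Type 5 secret"))
    return findings


if __name__ == "__main__":
    for n, cmd, finding in audit_credentials(SAMPLE_CONFIG):
        print(f"line {n}: {cmd}\n    {finding}")
```

Running it on the sample lists four credential lines: the jdoe line is flagged with its recovered plaintext, the admin line passes, the enable line is reported as plaintext, and the CHAP line is reported as reversible but necessary. That last distinction is the point of the paragraph: the audit should push `username ... password 7` entries to `secret 5`, while for CHAP and PAP the remediation is access control on the configuration itself.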

See also