The Internetworking Operating System (IOS) is a family of proprietary network operating systems used on several router and network switch models manufactured by Cisco Systems. The system is a package of routing, switching, internetworking, and telecommunications functions integrated into a multitasking operating system. Although the IOS code base includes a cooperative multitasking kernel, most IOS features have been ported to other kernels, such as Linux and QNX, for use in Cisco products.
Not all Cisco networking products run IOS. Exceptions include some Cisco Catalyst switches, which run IOS XE, and Cisco ASR routers, which run either IOS XE or IOS XR; both are Linux-based operating systems. For data center environments, Cisco Nexus switches (Ethernet) and Cisco MDS switches (Fibre Channel) both run Cisco NX-OS, also a Linux-based operating system. The IOS network operating system
A Trivial File Transfer Protocol (TFTP) server for storing the configuration files and any IOS images for updating. Complex configurations are best created using a text editor (using a site standard template), putting the file on the TFTP server and copying it to the Cisco device. A TFTP server does, however, present security problems of its own: the protocol has no authentication and no encryption, so anyone who can reach the server and guess a file name can download a stored configuration, including any Type 7 passwords it contains, and, if the server permits writes, replace a configuration or image with an altered one. StackWise and StackWise Virtual (previously known as VSS) are technologies offered by Cisco Systems that allow some models of Catalyst switches to operate as though they were one switch. One switch from
a host or other layer 3 device, each with a list of hosts and/or networks permitted to use the service. Although it is additionally possible to configure access-control lists based on network domain names, this is a questionable idea because individual TCP, UDP, and ICMP headers do not contain domain names. Consequently, the device enforcing the access-control list must separately resolve names to numeric addresses, and the answer it gets is neither authenticated nor stable over time. This presents an additional attack surface for an attacker who
a router, making them layer 3 devices; when coupled with TCP and UDP filtering, these switches are capable of layer 2-4 operation. Depending on the exact software image, a Catalyst switch that runs IOS or IOS XE may be able to tackle large-scale enterprise routing tasks, using router technologies like OSPF or BGP. Modular chassis-based Catalyst switching models, like the Catalyst 9400 and 9600 Series, have
a serial console, telnet or Secure Shell (telnet carries credentials in cleartext, so SSH is preferred wherever the image supports it). Simple Network Management Protocol (SNMP) allows monitoring of many states, and measurement of traffic flows. Many devices can also run an HTTP server. Configuration of the switch is done in plain text and is thus easy to audit. No special tools are required to generate a useful configuration. For sites with more than a few devices, it is useful to set up
a configurable selection of chassis, power supplies, line cards and supervisor modules. Among Cisco's modular series are:
Access control list
In computer security, an access-control list (ACL) is a list of permissions associated with a system resource (object or facility). An ACL specifies which users or system processes are granted access to resources, as well as what operations are allowed on given resources. Each entry in
a later major revision because they may be running critical infrastructure on their devices, and hence prefer to minimize change and risk. Interim releases – Are usually produced on a weekly basis, and form a roll-up of current development effort. The Cisco advisory web site may list more than one possible interim to fix an associated issue (the reason for this is unknown to the general public). Maintenance releases – Rigorously tested releases that are made available and include enhancements and bug fixes. Cisco recommends upgrading to Maintenance releases where possible, over Interim and Rebuild releases. Cisco says, "A train
a local account is usually still required for emergency situations. At the Black Hat Briefings conference in July 2005, Michael Lynn, working for Internet Security Systems at the time, presented information about a vulnerability in IOS. Cisco had already issued a patch, but asked that the flaw not be disclosed. Cisco filed a lawsuit, but settled after an injunction was issued to prevent further disclosures. With IOS being phased out on devices, IOS XE adopted many improvements, including updated defaults. Some use cases can now store secrets as one-way hashes. For Cisco products that required very high availability, such as
a particular function can be determined using the Cisco Feature Navigator. Routers come with IP Base installed, and additional feature pack licenses can be installed as bolt-on additions to expand the feature set of the device. The available feature packs are: IOS images cannot be updated with software bug fixes. To patch a vulnerability in IOS, a binary file with the entire operating system needs to be loaded and the device reloaded; this is why a fix arrives as a complete rebuild image rather than as a patch. Cisco IOS
a stack is elected in the following order: There are two general types of Catalyst switches: fixed configuration models that are usually one or two rack units in size, with 12 to 80 ports; and modular switches in which virtually every component, from the CPU card to power supplies to switch cards, is individually installed in a chassis. In general, switch model designations start with WS-C or C, followed by
a superset of both NT ACLs and POSIX draft ACLs. Samba supports saving the NT ACLs of SMB-shared files in many ways, one of which is as NFSv4-encoded ACLs. Microsoft's Active Directory service implements an LDAP server that stores and disseminates configuration information about users and computers in a domain. Active Directory extends the LDAP specification by adding the same type of access-control list mechanism as Windows NT uses for
a typical ACL specifies a subject and an operation. For instance, Many kinds of operating systems implement ACLs or have a historical implementation; the first implementation of ACLs was in the filesystem of Multics in 1965. A filesystem ACL is a data structure (usually a table) containing entries that specify individual user or group rights to specific system objects such as programs, processes, or files. These entries are known as access-control entries (ACEs) in
a unique reference to that interface. IOS is shipped as a unique file that has been compiled for specific Cisco network devices. Each IOS image therefore includes a feature set, which determines the command-line interface (CLI) commands and features that are available on different Cisco devices. Upgrading to another feature set therefore entails the installation of a new IOS image on the networking device and reloading
is a package of routing, switching, internetworking and telecommunications functions integrated into a multitasking operating system. Although the IOS code base includes a cooperative multitasking kernel, most IOS features have been ported to other kernels such as QNX and Linux for use in Cisco products. Cisco Catalyst products run IOS or a Linux-derived version called Cisco IOS XE. It was originally called XDI by
is a vehicle for delivering Cisco software to a specific set of platforms and features." Before Cisco IOS release 15, releases were split into several trains, each containing a different set of features. Trains more or less map onto distinct markets or groups of customers that Cisco targeted. There were other trains from time to time, designed for specific needs — for example, the 12.0AA train contained new code required for Cisco's AS5800 product. Starting with Cisco IOS release 15, there
is just a single train, the M/T train. This train includes both extended maintenance releases and standard maintenance releases. The M releases are extended maintenance releases, and Cisco will provide bug fixes for 44 months. The T releases are standard maintenance releases, and Cisco will only provide bug fixes for 18 months. Because IOS needs to know the cleartext password for certain uses (e.g., CHAP authentication), passwords entered into
is no memory protection between processes, and IOS has a run-to-completion scheduler, which means that the kernel does not pre-empt a running process. Instead, the process must make a kernel call before other processes get a chance to run. IOS considers each process a single thread and assigns it a priority value, so that high-priority processes are executed on the CPU before queued low-priority processes, but high-priority processes cannot interrupt running low-priority processes. The Cisco IOS monolithic kernel does not implement memory protection for
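The scheduling rules just described (one thread per process, a fixed priority, no pre-emption, the CPU handed over only at a kernel call) are easier to reason about in a small simulation. The following is an added example written for this article, not code from the page or from Cisco; the tick budget and the forced crash are this example's own stand-in for the watchdog behind the software-forced crash mentioned in the architecture discussion, and the process names are illustrative.

```python
from collections import deque
from typing import Callable, Deque, Dict, Iterator, List

# Added example; not code from the page or from Cisco. It simulates the scheduling
# rules described in the text: one thread per process, a fixed priority, no
# pre-emption, and the CPU changes hands only when the running process makes a
# kernel call (a "kcall" event here) or exits. The tick budget and forced crash are
# this example's stand-in for a watchdog; process names are illustrative.

Body = Callable[["Process"], Iterator[str]]   # a body yields "work" or "kcall"

class Process:
    def __init__(self, name: str, priority: str, body: Body):
        self.name, self.priority = name, priority
        self.gen = body(self)

class RunToCompletionScheduler:
    PRIORITIES = ("critical", "high", "medium", "low")   # checked highest first

    def __init__(self, watchdog_ticks: int = 5):
        self.queues: Dict[str, Deque[Process]] = {p: deque() for p in self.PRIORITIES}
        self.watchdog_ticks = watchdog_ticks
        self.trace: List[str] = []
        self.crashed = False

    def spawn(self, proc: Process) -> None:
        self.queues[proc.priority].append(proc)

    def _pick(self):
        for p in self.PRIORITIES:          # highest non-empty queue wins...
            if self.queues[p]:
                return self.queues[p].popleft()
        return None

    def run(self) -> List[str]:
        while not self.crashed:
            proc = self._pick()            # ...but only at a scheduling point
            if proc is None:
                break
            ticks = 0
            while True:
                try:
                    event = next(proc.gen)
                except StopIteration:
                    self.trace.append(f"{proc.name}:exit")
                    break
                if event == "kcall":
                    # Kernel call: the process is re-queued, and anything of higher
                    # priority that became runnable in the meantime gets the CPU.
                    self.trace.append(f"{proc.name}:kcall")
                    self.queues[proc.priority].append(proc)
                    break
                ticks += 1
                self.trace.append(f"{proc.name}:work")
                if ticks > self.watchdog_ticks:
                    # Nothing can pre-empt a CPU hog; the only way out is a forced crash.
                    self.trace.append(f"{proc.name}:WATCHDOG")
                    self.crashed = True
                    break
        return self.trace

def short_job(units: int) -> Body:
    def body(_proc):
        for _ in range(units):
            yield "work"
    return body

def low_job(sched: RunToCompletionScheduler, before: int, after: int) -> Body:
    """Low-priority work that makes a high-priority process runnable part-way
    through, keeps working, and only then makes a kernel call."""
    def body(_proc):
        for _ in range(before):
            yield "work"
        sched.spawn(Process("ip_input", "high", short_job(2)))
        for _ in range(after):
            yield "work"
        yield "kcall"
        yield "work"
    return body

def demo():
    polite = RunToCompletionScheduler(watchdog_ticks=5)
    polite.spawn(Process("bgp_scan", "low", low_job(polite, 1, 2)))
    hog = RunToCompletionScheduler(watchdog_ticks=5)
    hog.spawn(Process("hog", "low", low_job(hog, 1, 6)))
    return polite.run(), hog.run()

if __name__ == "__main__":
    for trace in demo():
        print(" ".join(trace))
```

The first trace shows the high-priority process waiting until the low-priority one makes its kernel call, even though it became runnable two work units earlier. The second shows why a process that never yields is a denial of service for the whole device: nothing can take the CPU from it, so the only recovery is the forced crash and reload.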
is seeking to compromise the security of the system which the access-control list is protecting. Both individual servers and routers can have network ACLs. Access-control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls. Unlike a stateful firewall, though, a plain ACL on a Cisco device judges each packet on its own: entries are tried in order, the first match decides, and a packet that matches no entry is dropped by the implicit deny at the end of the list, so the order of entries matters. Like firewalls, ACLs could be subject to security regulations and standards such as PCI DSS. ACL algorithms have been ported to SQL and to relational database systems. Many "modern" (2000s and 2010s) SQL-based systems, like enterprise resource planning and content management systems, have used ACL models in their administration modules. The main alternative to
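To make the first-match, implicit-deny evaluation of router ACLs concrete, here is an added example written for this article (not code from the page or from Cisco) that parses a small subset of Cisco's numbered extended access-list syntax and evaluates packets against it. The subset (permit/deny; ip, tcp, udp or icmp; any, host or wildcard-mask addresses; an optional destination port introduced by eq) and the sample list are this example's own choices; source ports, established, range and named ACLs are left out. It also reports entries that can never match because an earlier entry already covers them, which is the usual way a deny silently stops working.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example; not code from the page or from Cisco. Models first-match,
# implicit-deny evaluation of a subset of the numbered extended ACL syntax:
#   access-list <n> <permit|deny> <ip|tcp|udp|icmp> <src> <dst> [eq <dst-port>]
# where <src>/<dst> is "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard
# mask: a 1 bit means "don't care"). Other keywords are out of scope here.

@dataclass(frozen=True)
class Match:
    addr: int         # 32-bit address
    wildcard: int     # 32-bit wildcard mask

    @property
    def fixed(self) -> int:
        return ~self.wildcard & 0xFFFFFFFF

    def matches(self, ip: str) -> bool:
        return (int(ipaddress.IPv4Address(ip)) & self.fixed) == (self.addr & self.fixed)

    def covers(self, other: "Match") -> bool:
        # Every address `other` can match is matched by `self` when self's fixed
        # bits are a subset of other's fixed bits and both agree on those bits.
        if self.fixed & other.wildcard:
            return False
        return (self.addr & self.fixed) == (other.addr & self.fixed)

@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip", "tcp", "udp" or "icmp"
    src: Match
    dst: Match
    dport: Optional[int]       # destination port, None = any
    text: str                  # original line, kept for reporting

    def matches(self, proto: str, sip: str, dip: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return self.src.matches(sip) and self.dst.matches(dip)

    def covers(self, other: "Ace") -> bool:
        """True if every packet `other` could match is already decided by `self`."""
        if self.proto != "ip" and self.proto != other.proto:
            return False
        if self.dport is not None and self.dport != other.dport:
            return False
        return self.src.covers(other.src) and self.dst.covers(other.dst)

def _parse_match(tokens: List[str], i: int):
    if tokens[i] == "any":
        return Match(0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return Match(int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return Match(addr, wildcard), i + 2

def parse_acl(config: str) -> List[Ace]:
    aces = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("access-list"):
            continue
        t = line.split()
        action, proto = t[2], t[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        src, i = _parse_match(t, 4)
        dst, i = _parse_match(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport, line))
    return aces

def evaluate(aces: List[Ace], proto: str, sip: str, dip: str, dport: Optional[int] = None) -> str:
    """The first matching entry decides; no match means the implicit deny."""
    for ace in aces:
        if ace.matches(proto, sip, dip, dport):
            return ace.action
    return "deny"

def shadowed(aces: List[Ace]) -> List[str]:
    """Entries that can never match because an earlier entry covers them."""
    return [ace.text for i, ace in enumerate(aces) if any(p.covers(ace) for p in aces[:i])]

# Constructed sample: the broad permit on line 3 makes the deny on line 4 dead code.
SAMPLE_ACL = """
access-list 101 deny   tcp any host 10.0.0.5 eq 23
access-list 101 permit tcp 10.0.0.0 0.0.0.255 any eq 22
access-list 101 permit ip any any
access-list 101 deny   udp any host 10.0.0.5 eq 161
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print("telnet to 10.0.0.5:", evaluate(acl, "tcp", "192.0.2.9", "10.0.0.5", 23))   # deny
    print("snmp to 10.0.0.5:", evaluate(acl, "udp", "192.0.2.9", "10.0.0.5", 161))    # permit
    print("shadowed:", shadowed(acl))
```

Running it shows the SNMP deny being ignored because the packet hits permit ip any any first, and shadowed() names that entry. The same covers() relation is what a practitioner wants when reviewing an ACL change: a new deny appended below a broad permit changes nothing.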
is the brand for a variety of network switches, wireless controllers, and wireless access points sold by Cisco Systems. While commonly associated with Ethernet switches, a number of different types of network interfaces have been available throughout the history of the brand. Cisco acquired several different companies and rebranded their products as different versions of the Catalyst product line. The original Catalyst 5000 and 6000 series were based on technology acquired from Crescendo Communications. The 1700, 1900, and 2800 series Catalysts came from Grand Junction Networks, and
is used by the forwarding function of the router. On router platforms with software-only forwarding (e.g., Cisco 7200), most traffic handling, including access control list filtering and forwarding, is done at interrupt level using Cisco Express Forwarding (CEF) or dCEF (Distributed CEF). This means IOS does not have to do a process context switch to forward a packet. Routing functions such as OSPF or BGP run at
is versioned using three numbers and some letters, in the general form a.b(c.d)e, where: Rebuilds – Often a rebuild is compiled to fix a single specific problem or vulnerability for a given IOS version. For example, 12.1(8)E14 is a Rebuild, the 14 denoting the 14th rebuild of 12.1(8)E. Rebuilds are produced to either quickly repair a defect, or to satisfy customers who do not want to upgrade to
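Because the fix for a given vulnerability arrives as a specific rebuild, an operator checking exposure needs to compare the running version with the fixed one on the same train. The following is an added example for this article, not code from the page or from Cisco. It reads the a.b(c.d)e form as major, minor, maintenance number, optional interim number, and train letters followed by a rebuild number, which matches the 12.1(8)E14 example above but is this example's own interpretation; the show version banner line it parses is constructed, and versions on different trains are refused rather than guessed at.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example; not code from the page or from Cisco. Interpretation of a.b(c.d)e
# used here (an assumption): a = major, b = minor, c = maintenance release,
# d = optional interim number, e = train letters plus optional rebuild number,
# so 12.1(8)E14 is rebuild 14 of 12.1(8)E. Rebuild suffixes such as "12a" and
# cross-train comparisons are not handled.

VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<maint>\d+)(?:\.(?P<interim>\d+))?\)"
    r"(?P<train>[A-Za-z]*)(?P<rebuild>\d*)$"
)

@dataclass(frozen=True)
class IosVersion:
    major: int
    minor: int
    maint: int
    interim: Optional[int]
    train: str
    rebuild: int

    def key(self):
        # Order within one train: a rebuild follows its base release and an
        # interim follows the maintenance release it is built from.
        return (self.major, self.minor, self.maint, self.interim or 0, self.rebuild)

def parse_version(text: str) -> IosVersion:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an a.b(c.d)e version string: {text!r}")
    return IosVersion(
        int(m["major"]), int(m["minor"]), int(m["maint"]),
        int(m["interim"]) if m["interim"] else None,
        m["train"].upper(),
        int(m["rebuild"]) if m["rebuild"] else 0,
    )

def is_older(running: str, fixed: str) -> bool:
    """True when `running` precedes `fixed` on the same train, i.e. the device
    still lacks the rebuild that carries the fix. Different trains raise."""
    a, b = parse_version(running), parse_version(fixed)
    if a.train != b.train:
        raise ValueError(f"different trains: {a.train or '(none)'} vs {b.train or '(none)'}")
    return a.key() < b.key()

SHOW_VERSION_RE = re.compile(r"\bVersion ([0-9.()A-Za-z]+),")

def version_from_show_version(output: str) -> str:
    """Extract the version token from the banner line of `show version` output."""
    m = SHOW_VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Version a.b(c)e,' field found")
    return m.group(1)

# Constructed sample of a `show version` banner line; not captured from a real device.
SAMPLE_SHOW_VERSION = (
    "Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), "
    "Version 12.2(55)SE11, RELEASE SOFTWARE (fc3)\n"
)

if __name__ == "__main__":
    running = version_from_show_version(SAMPLE_SHOW_VERSION)
    print(running, "older than 12.2(55)SE12:", is_older(running, "12.2(55)SE12"))
```

The refusal to compare across trains is deliberate: 12.4(24)T and 15.0(1)M carry different feature sets and separate fix histories, so a numeric comparison between them says nothing about whether a particular defect is present.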
the Cisco CRS-1, the limitations of a monolithic kernel were not acceptable. In addition, competitive router operating systems that emerged 10–20 years after IOS, such as Juniper's Junos OS, were designed not to have these limitations. Cisco's response was to develop a completely new operating system that offered modularity, memory protection between processes, lightweight threads, pre-emptive scheduling, the ability to independently restart failed processes and massive scale for use in service provider networks. The IOS XR development train initially used
the real-time operating system microkernel (QNX), and a large part of the IOS source code was rewritten to take advantage of the features offered by the kernel. In 2005 Cisco introduced the Cisco IOS XR network operating system on the 12000 series of network routers, extending the microkernel architecture from the CRS-1 routers to Cisco's widely deployed core routers. As of release 6.x of Cisco IOS XR, QNX
the ACL model is the role-based access-control (RBAC) model. A "minimal RBAC model", RBACm, can be compared with an ACL mechanism, ACLg, where only groups are permitted as entries in the ACL. Barkley (1997) showed that RBACm and ACLg are equivalent. In modern SQL implementations, ACLs also manage groups and inheritance in a hierarchy of groups. So "modern ACLs" can express all that RBAC expresses and are notably powerful (compared to "old ACLs") in their ability to express access-control policy in terms of
the ACL on an object. One of the first operating systems to provide filesystem ACLs was Multics. PRIMOS featured ACLs at least as early as 1984. In the 1990s the ACL and RBAC models were extensively tested and used to administer file permissions. The POSIX 1003.1e/1003.2c working group made an effort to standardize ACLs, resulting in what is now known as "POSIX.1e ACL" or simply "POSIX ACL". The POSIX.1e/POSIX.2c drafts were withdrawn in 1997 due to participants losing interest in funding
the CLI with the password keyword are stored in cleartext unless service password-encryption is configured, in which case they are stored as weakly obfuscated 'Type 7' ciphertext, such as "Router(config)#username jdoe password 7 0832585B1910010713181F". Type 7 is designed only to prevent "shoulder-surfing" attacks when viewing router configurations and is not secure: it is a reversible encoding with a fixed key, easily decrypted using software called "getpass", available since 1995, or "ios7crypt", a modern variant, and the passwords can even be decoded by
the Catalyst 3000 series came from Kalpana in 1994. The newest Catalyst series is the Catalyst 9000 family. The Catalyst 9000 family includes switches, wireless access points, and wireless controllers. In most cases, the technology for the Catalyst switch was developed separately from Cisco's router technology. The Catalyst switches originally ran software called CatOS rather than the more widely known Cisco IOS software used by routers. However, this has changed as
the Cisco IOS) also allow web-based management using a graphical user interface (GUI) module which is hosted on an HTTP server located on the switch; where this interface is not used, the server should be disabled, or limited to HTTPS and an access list, since it is one more remote login surface. The Catalyst 2960-L SM Series of switches is an example of a Cisco Catalyst switch that allows this style of GUI via HTTP. Cisco IOS, formally the Cisco Internetwork Operating System, is a family of network operating systems used on many Cisco Systems network switches, routers, wireless controllers and wireless access points. Earlier, Cisco switches ran CatOS. Cisco IOS
the IOS operating system. Information about the IOS version and feature set running on a Cisco device can be obtained with the show version command. Most Cisco products that run IOS also have one or more "feature sets" or "packages", typically eight packages for Cisco routers and five packages for Cisco network switches. For example, Cisco IOS releases meant for use on Catalyst switches are available as "standard" versions (providing only basic IP routing), "enhanced" versions, which provide full IPv4 routing support, and "advanced IP services" versions, which provide
the IP address, interface state, and packet statistics for networking data. Cisco's IOS software maintains one IDB for each hardware interface in a particular Cisco switch or router and one IDB for each subinterface. The number of IDBs present in a system varies with the Cisco hardware platform type. Physical and logical interfaces on the switch will be referenced with either expanded or abbreviated port description names. This, combined with slot, module, and interface numbering, creates
the Microsoft Windows NT, OpenVMS, and Unix-like operating systems such as Linux, macOS, and Solaris. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute an object. In some implementations, an ACE can control whether or not a user, or group of users, may alter
the NFSv4 standard. There are two experimental implementations of NFSv4 ACLs for Linux: NFSv4 ACL support for the Ext3 filesystem and the more recent Richacls, which brings NFSv4 ACL support to the Ext4 filesystem. As with POSIX ACLs, NFSv4 ACLs are usually stored as extended attributes on Unix-like systems. NFSv4 ACLs are organized nearly identically to the Windows NT ACLs used in NTFS. NFSv4.1 ACLs are
the NTFS filesystem. Windows 2000 then extended the syntax for access-control entries such that they could not only grant or deny access to entire LDAP objects, but also to individual attributes within these objects. On some types of proprietary computer hardware (in particular, routers and switches), an access-control list provides rules that are applied to port numbers or IP addresses that are available on
the concept of field-replaceable supervisor, line cards, power supplies and fans. Mirroring most Cisco router designs, these work by separating the line cards, chassis, and supervisor engine. The chassis provides power and a high-speed backplane, the line cards provide interfaces to the network, and the supervisor engine moves packets, participates in routing protocols, etc. This gives several advantages: Catalyst switches offer advanced customization and manageability. The switches can be configured using
the data of different processes. The entire physical memory is mapped into one virtual address space. The Cisco IOS kernel does not perform any memory paging or swapping. Therefore, the addressable memory is limited to the physical memory of the network device on which the operating system is installed. IOS does, however, support aliasing of duplicated virtual memory contents to the same physical memory. This architecture
the enhanced features as well as IPv6 support. Beginning with the 1900, 2900 and 3900 series of ISR routers, Cisco revised the licensing model of IOS. To simplify the process of enlarging the feature set and reduce the need for network operating system reloads, Cisco introduced universal IOS images, which include all features available for a device; customers may unlock certain features by purchasing an additional software license. The exact feature set required for
the event of an IOS crash, the operating system automatically reboots and reloads the saved configuration. In all versions of Cisco IOS, packet routing and forwarding (switching) are distinct functions. Routing and other protocols run as Cisco IOS processes and contribute to the Routing Information Base (RIB). This is processed to generate the final IP forwarding table (FIB, Forwarding Information Base), which
the extended attributes of a file on these systems. NFSv4 ACLs are much more powerful than POSIX draft ACLs. Unlike draft POSIX ACLs, NFSv4 ACLs are defined by an actually published standard, as part of the Network File System. NFSv4 ACLs are supported by many Unix and Unix-like operating systems. Examples include AIX, FreeBSD, Mac OS X beginning with version 10.4 ("Tiger"), and Solaris with the ZFS filesystem, all of which support NFSv4 ACLs as part of
the interpreter can be scripted to react to events within the networking environment, such as interface failure or periodic timers. Available command modes include: And more than 100 configuration modes and submodes. Cisco IOS has a monolithic architecture, owing to the limited hardware resources of routers and switches in the 1980s. This means that all processes have direct hardware access to conserve CPU processing time. There
the inventor of the first Ethernet switch, Kalpana, and as a result Cisco switches did not initially run IOS. Prior to IOS, the Cisco Catalyst series ran CatOS. The IOS command-line interface (CLI) provides a fixed set of multiple-word commands. The set available is determined by the "mode" and the privilege level of the current user. "Global configuration mode" provides commands to change
the model line (e.g. C9600). A letter at the end of this number signifies a special feature, followed by the number of ports (usually 24 or 48) and additional nomenclature indicating other features like UPOE (e.g. C9300-48U). Catalyst 9000 switches also include software subscription license indicators (e.g. C9200-48T-P: E for Essentials, A for Advantage and P for Premier). Cisco modular switches offer
the model. Other models can support T1, E1, and ISDN PRI interfaces to provide connections to the PSTN. Legacy models supported a variety of interfaces, such as Token Ring, FDDI, Asynchronous Transfer Mode and 100BaseVG, but are no longer sold by Cisco Systems. All models have basic layer 2 functions and are capable of switching Ethernet frames between ports. Commonly found additional features are VLANs, trunking and QoS. The switches, whether IOS or IOS XE, are fully manageable. Many Catalyst switches that run IOS or IOS XE are also capable of functioning as
the new switch on the fly to accommodate minimal downtime and reduce maintenance effort and errors. StackWise physically connects the switch stack using special stack interconnect cables, typically up to eight switches per stack. StackWise Virtual and VSS allow for the virtual clustering of two chassis into a single logical entity without special stack cables, using ordinary Ethernet links between the chassis instead. The primary switch of
the primary switch fails, another switch in the stack will automatically take over as primary. This feature means greater redundancy, as one switch's failure will not bring about a failure of the entire stack. As each switch contains the entire configuration for the stack, one of the benefits of this technology is the ability to replace a faulty switch (any, including the primary) with a new switch. The stack will configure
the process level. In routers with hardware-based forwarding, such as the Cisco 12000 series, IOS computes the FIB in software and loads it into the forwarding hardware (such as an ASIC or network processor), which performs the actual packet forwarding function. An Interface Descriptor Block, or simply IDB, is a portion of memory or Cisco IOS internal data structure that contains information such as
the product lines have merged closer together. In some cases, particularly in the modular chassis switches, a configuration called hybrid has emerged: this is where the layer 2 functions are configured using CatOS, and the layer 3 elements are configured using IOS. Native IOS can also be found with newer software versions that have eliminated CatOS entirely in favor of IOS, even on hardware that originally required CatOS. Some newer Catalyst switch models (with recent versions of
the project and turning to more powerful alternatives such as NFSv4 ACL. As of December 2019, no live sources of the draft could be found on the Internet, but it can still be found in the Internet Archive. Most of the Unix and Unix-like operating systems (e.g. Linux since 2.5.46 or November 2002, FreeBSD, or Solaris) support POSIX.1e ACLs (not necessarily draft 17). ACLs are usually stored in
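For the filesystem ACLs discussed in this article, the part that most often surprises administrators is the POSIX.1e mask entry and the absence of fall-through between classes: an entry that matches the caller decides the answer even when a later class would have been more permissive. The following is an added example for this article, not code from the page or from any operating system's ACL implementation. It parses the long form that getfacl(1) prints (the text here is constructed) and applies the POSIX.1e check order; default ACLs on directories are out of scope.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Added example; not code from the page or from any POSIX ACL implementation.
# Parses getfacl(1) long-form output and applies the POSIX.1e access check:
# owner entry first, then a named user entry, then the owning group and named
# group entries together, then "other", with the mask entry capping every
# class except the owner and "other". The sample ACL below is constructed.

R, W, X = 4, 2, 1

@dataclass
class PosixAcl:
    owner: str
    group: str
    user_obj: int = 0                                     # user::      (owner bits)
    group_obj: int = 0                                    # group::     (owning group bits)
    other: int = 0                                        # other::
    mask: int = 7                                         # mask::      (7 = no restriction)
    users: Dict[str, int] = field(default_factory=dict)   # user:NAME:
    groups: Dict[str, int] = field(default_factory=dict)  # group:NAME:

def _perm_bits(s: str) -> int:
    return (R if "r" in s else 0) | (W if "w" in s else 0) | (X if "x" in s else 0)

def parse_getfacl(text: str) -> PosixAcl:
    owner = group = ""
    entries: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            parts = line.split("#", 1)[0].strip().split(":")   # drop "#effective:" notes
            if len(parts) != 3:
                raise ValueError(f"unsupported entry (default ACLs are out of scope): {line!r}")
            entries.append(parts)
    acl = PosixAcl(owner, group)
    for tag, qualifier, perms in entries:
        bits = _perm_bits(perms)
        if tag == "user":
            if qualifier:
                acl.users[qualifier] = bits
            else:
                acl.user_obj = bits
        elif tag == "group":
            if qualifier:
                acl.groups[qualifier] = bits
            else:
                acl.group_obj = bits
        elif tag == "mask":
            acl.mask = bits
        elif tag == "other":
            acl.other = bits
        else:
            raise ValueError(f"unknown entry tag {tag!r}")
    return acl

def allowed(acl: PosixAcl, user: str, user_groups: Set[str], want: int) -> bool:
    """POSIX.1e check order: the first class that matches the caller decides,
    with no fall-through to a later, possibly more permissive, class."""
    if user == acl.owner:
        return (want & acl.user_obj) == want              # mask does not apply to the owner
    if user in acl.users:
        return (want & acl.users[user] & acl.mask) == want
    candidates = []
    if acl.group in user_groups:
        candidates.append(acl.group_obj)
    candidates += [p for g, p in acl.groups.items() if g in user_groups]
    if candidates:
        # Any one matching group entry that grants the request (after the mask) suffices.
        return any((want & p & acl.mask) == want for p in candidates)
    return (want & acl.other) == want

# Constructed getfacl output; bob's rw- and the owning group's rw- are capped by mask r--.
SAMPLE_GETFACL = """\
# file: report.txt
# owner: alice
# group: dev
user::rw-
user:bob:rw-            #effective:r--
group::rw-              #effective:r--
group:audit:---
mask::r--
other::r--
"""

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for who, groups, want in [("alice", {"dev"}, W), ("bob", set(), W), ("eve", {"audit"}, R), ("dave", set(), R)]:
        print(who, "write" if want == W else "read", allowed(acl, who, groups, want))
```

Two results are worth noting: bob is refused write access although his own entry says rw-, because the mask caps named users; and eve is refused read access although other:: would grant it, because her matching group entry (---) decides and there is no fall-through.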
the router itself, using the "key chain" command and entering the Type 7 string as the key, and then issuing a "show key" command; the above example decrypts to "stupidpass". None of these tools will recover 'Type 5' passwords or passwords set with the enable secret command, which are stored as salted MD5 hashes; those cannot be reversed, although a weak password can still be recovered by offline guessing against the hash. Cisco recommends that all Cisco IOS devices implement the authentication, authorization, and accounting (AAA) security model. AAA can use local, RADIUS, and TACACS+ databases. However,
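The Type 7 scheme described above is a fixed-key XOR, which is why it is reversible. The following is an added example for this article, not code from the page, from Cisco, or from the getpass and ios7crypt tools named there. It decodes and encodes Type 7 strings and audits a running-config for credentials stored reversibly or in cleartext, which is the check to run on any configuration pulled from a TFTP server or backup. The key string is the one the public decoders use; the audit's line patterns and the sample configuration are this example's own and constructed.

```python
import re
from typing import List, Tuple

# Added example; not code from the page, from Cisco, or from getpass/ios7crypt.
# Type 7: the first two characters are a decimal offset into a fixed key string;
# each following hex byte is a plaintext byte XORed with successive key characters
# starting at that offset. Reversible by design, hence "not secure".

_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"   # key string used by the public decoders

def type7_decode(ciphertext: str) -> str:
    if len(ciphertext) < 4 or len(ciphertext) % 2:
        raise ValueError("expected two offset digits followed by hex byte pairs")
    offset = int(ciphertext[:2])
    body = bytes.fromhex(ciphertext[2:])
    plain = bytes(b ^ _XLAT[(offset + i) % len(_XLAT)] for i, b in enumerate(body))
    return plain.decode("ascii")

def type7_encode(password: str, offset: int = 8) -> str:
    """Inverse of type7_decode; the offset range 0..15 is this example's assumption."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0..15")
    data = password.encode("ascii")
    body = bytes(b ^ _XLAT[(offset + i) % len(_XLAT)] for i, b in enumerate(data))
    return f"{offset:02d}{body.hex().upper()}"

# Config lines that carry a reversible (7) or cleartext (0 or untyped) credential.
# Deliberately narrow: "enable password", "username NAME password" and the bare
# "password" lines under a "line ..." section.
_PASSWORD_LINE = re.compile(
    r"^(?:(?P<ctx>username \S+|enable)\s+)?password\s+(?:(?P<type>[07])\s+)?(?P<value>.+?)\s*$"
)

def audit_config(config: str) -> Tuple[List[Tuple[int, str, str]], bool]:
    """Return ([(line_no, where_and_kind, recovered_secret), ...], aaa_new_model_present)."""
    findings = []
    has_aaa = False
    current_line = "?"
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line == "aaa new-model":
            has_aaa = True
        elif line.startswith("line "):
            current_line = line
        m = _PASSWORD_LINE.match(line)
        if not m:
            continue
        where = m["ctx"] or current_line
        if m["type"] == "7":
            findings.append((n, f"{where}: type 7 (reversible)", type7_decode(m["value"])))
        else:
            findings.append((n, f"{where}: cleartext", m["value"]))
    return findings, has_aaa

# Constructed sample running-config; the enable secret hash is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
hostname edge-1
service password-encryption
enable password 7 0832585B1910010713181F
enable secret 5 $1$xxxx$placeholder-not-a-real-hash
username jdoe password 7 0832585B1910010713181F
username ops password 0 OpsPlainText1
line vty 0 4
 password 7 0832585B1910010713181F
 login
"""

if __name__ == "__main__":
    findings, aaa = audit_config(SAMPLE_CONFIG)
    for n, reason, secret in findings:
        print(f"line {n}: {reason} -> {secret!r}")
    print("aaa new-model configured:", aaa)
```

Every finding here is a credential an attacker recovers instantly from a copy of the configuration; the remediation the page points to is enable secret for the enable password, the secret form for local usernames, and AAA against RADIUS or TACACS+ rather than per-line passwords.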
the stack will act as the primary switch. The primary switch maintains the stack and allows for configuration and monitoring of the whole stack as though it were one device, via a single console. This allows for more efficient management and typically provides more bandwidth between individual switches than other uplink technology. If one switch fails, the remaining switches will continue to operate by bypassing it. If
the switching company Crescendo Communications, Inc. Cisco renamed it to CatOS when they acquired Crescendo and later still to Cisco IOS as the operating system was extended to other Cisco products. The newer Catalyst 9000 family uses the Cisco IOS XE operating system. As Catalyst devices are primarily Ethernet switches, all modern Catalyst models have Ethernet interfaces ranging from 10 Mbit/s to 100 Gbit/s depending on
the system's configuration, and "interface configuration mode" provides commands to change the configuration of a specific interface. All commands are assigned a privilege level, from 0 to 15 (level 1 being the default user EXEC level and level 15 full administrative access), and can only be accessed by users with the necessary privilege. Through the CLI, the commands available to each privilege level can be defined. Most builds of IOS include a Tcl interpreter. Using the embedded event manager feature,
was created from code written by William Yeager at Stanford University, which was developed in the 1980s for routers with 256 kB of memory and low CPU processing power. Through modular extensions, IOS has been adapted to increasing hardware capabilities and new networking protocols. When IOS was developed, Cisco Systems' main product line was routers. The company acquired a number of young companies that focused on network switches, such as
was dropped in favor of Linux. Part of the initial work focused on a modularity-inspired modification of monolithic IOS into modular IOS, which extends the microkernel architecture into the IOS environment while still providing the software upgrade capabilities. That idea was only tested on the Catalyst 6500, got limited exposure and was quickly discontinued, as the requirements were too high and significantly impaired platform operation.
Cisco Catalyst
Catalyst
was implemented by Cisco in order to ensure system performance and minimize the operational overheads of the operating system. The disadvantage of the IOS architecture is that it increases the complexity of the operating system: data corruption is possible, as one process can write over the data of another, and one process can destabilize the entire operating system or even cause a software-forced crash. For the same reason, a memory-corruption bug in any single process is a bug in the whole device, since there is no process boundary for an exploit to cross. In