The Internetworking Operating System (IOS) is a family of proprietary network operating systems used on several router and network switch models manufactured by Cisco Systems. The system is a package of routing, switching, internetworking, and telecommunications functions integrated into a multitasking operating system. Although the IOS code base includes a cooperative multitasking kernel, most IOS features have been ported to other kernels, such as Linux and QNX, for use in Cisco products.

Not all Cisco networking products run IOS. Exceptions include some Cisco Catalyst switches, which run IOS XE, and Cisco ASR routers, which run either IOS XE or IOS XR; both are Linux-based operating systems. For data center environments, Cisco Nexus switches (Ethernet) and Cisco MDS switches (Fibre Channel) both run Cisco NX-OS, also a Linux-based operating system.

History

The IOS network operating system was created from code written by William Yeager at Stanford University, which was developed in the 1980s for routers with 256 kB of memory and low CPU processing power. Through modular extensions, IOS has been adapted to increasing hardware capabilities and new networking protocols. When IOS was developed, Cisco Systems' main product line was routers. The company acquired a number of young companies that focused on network switches, such as Kalpana, the inventor of the first Ethernet switch, and as a result Cisco switches did not initially run IOS. Prior to IOS, the Cisco Catalyst series ran CatOS.

Command-line interface

The IOS command-line interface (CLI) provides a fixed set of multiple-word commands. The set available is determined by the "mode" and the privilege level of the current user. "Global configuration mode" provides commands to change the system's configuration, and "interface configuration mode" provides commands to change the configuration of a specific interface. All commands are assigned a privilege level, from 0 to 15, and can only be accessed by users with the necessary privilege. Through the CLI, the commands available to each privilege level can be defined.

Most builds of IOS include a Tcl interpreter. Using the embedded event manager feature, the interpreter can be scripted to react to events within the networking environment, such as interface failure or periodic timers.

Available command modes include:

  • User EXEC Mode
  • Privileged EXEC Mode
  • Global Configuration Mode
  • ROM Monitor Mode
  • Setup Mode

as well as more than 100 configuration modes and submodes.

Architecture

Cisco IOS has a monolithic architecture, owing to the limited hardware resources of routers and switches in the 1980s. All processes have direct hardware access to conserve CPU time, there is no memory protection between processes, and the kernel uses a run-to-completion scheduler: it does not pre-empt a running process, which must instead make a kernel call before other processes get a chance to run. IOS treats each process as a single thread and assigns it a priority value, so that queued high-priority processes are scheduled ahead of queued low-priority ones, but a high-priority process cannot interrupt a running low-priority process. Because nothing isolates processes from one another, a fault in any one of them can bring down the whole device.

The exact feature set required for a particular function can be determined using the Cisco Feature Navigator. Routers ship with IP Base installed, and additional feature-pack licenses can be added as bolt-on additions to expand the feature set of the device. The available feature packs are:

  • Data adds features like BFD, IP SLAs, IPX, L2TPv3, Mobile IP, MPLS, SCTP.
  • Security adds features like VPN, Firewall, IP SLAs, NAC.
  • Unified Comms adds features like CallManager Express, Gatekeeper, H.323, IP SLAs, MGCP, SIP, VoIP, CUBE(SBC).

IOS images cannot be patched incrementally with individual bug fixes. To fix a vulnerability in IOS, a new binary image containing the entire operating system must be loaded and the device reloaded into it.

Versioning

Cisco IOS is versioned using three numbers and some letters, in the general form a.b(c.d)e, where:

  • a is the major version number.
  • b is the minor version number.
  • c is the release number, which begins at one and increments as new releases in the same a.b train are released. "Train" is Cisco-speak for "a vehicle for delivering Cisco software to a specific set of platforms and features."
  • d (omitted from general releases) is the interim build number.
  • e (zero, one or two letters) is the software release train identifier, such as none (which designates the mainline, see below), T (for Technology), E (for Enterprise), S (for Service provider), XA as a special functionality train, XB as a different special functionality train, etc.

Rebuilds – Often a rebuild is compiled to fix a single specific problem or vulnerability for a given IOS version. For example, 12.1(8)E14 is a rebuild, the 14 denoting the 14th rebuild of 12.1(8)E. Rebuilds are produced either to quickly repair a defect, or to satisfy customers who do not want to upgrade to a later major revision because they may be running critical infrastructure on their devices, and hence prefer to minimize change and risk.

Interim releases – Are usually produced on a weekly basis, and form a roll-up of current development effort. The Cisco advisory web site may list more than one possible interim to fix an associated issue (the reason for this is unknown to the general public).

Maintenance releases – Rigorously tested releases that are made available and include enhancements and bug fixes. Cisco recommends upgrading to maintenance releases where possible, over interim and rebuild releases.
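The version format above is what an operator has to parse when matching an installed image against the first fixed release named in an advisory. The following Python is an added example, not code from the article or from Cisco: it parses the a.b(c.d)e form, exposes the train, interim and rebuild fields, and orders releases within one train. It also accepts three-letter train identifiers such as SXH used by some later 12.2 trains, which the text above does not mention; all version strings used are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example (not Cisco code): parse the a.b(c.d)e version format and
# order releases within a train. Version strings used are constructed.

_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"                 # a.b
    r"\((?P<release>\d+)(?:\.(?P<interim>\d+))?\)"     # (c) or (c.d) for interim builds
    r"(?P<train>[A-Z]{0,3})"                           # e: train letters, "" = mainline
    r"(?P<rebuild>\d+)?(?P<suffix>[a-z])?$"            # optional rebuild counter, e.g. E14
)


@dataclass(frozen=True)
class IOSVersion:
    major: int
    minor: int
    release: int
    interim: Optional[int]   # set only on interim (weekly) builds such as 12.4(15.3)T
    train: str               # "" for the mainline, otherwise "T", "E", "S", "XA", ...
    rebuild: Optional[int]   # 14 in 12.1(8)E14
    suffix: str              # rare lettered rebuild, "" if absent

    @property
    def is_interim(self) -> bool:
        return self.interim is not None

    @property
    def is_rebuild(self) -> bool:
        return self.rebuild is not None

    def train_id(self) -> str:
        """The train a release belongs to: a.b plus the letters, e.g. '12.4T'."""
        return f"{self.major}.{self.minor}{self.train}"

    def sort_key(self) -> Tuple[int, int, int, int, int, int]:
        # An interim build c.d sits after c and before c+1; a rebuild sits after
        # the release it patches. Absent fields collapse to 0.
        return (self.major, self.minor, self.release,
                self.interim or 0, self.rebuild or 0,
                ord(self.suffix) if self.suffix else 0)


def parse_ios_version(text: str) -> IOSVersion:
    """Parse strings such as '12.1(8)E14', '12.4(15.3)T' or '12.4(25)'."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not an IOS version string: {text!r}")
    g = m.groupdict()
    return IOSVersion(
        major=int(g["major"]),
        minor=int(g["minor"]),
        release=int(g["release"]),
        interim=int(g["interim"]) if g["interim"] is not None else None,
        train=g["train"],
        rebuild=int(g["rebuild"]) if g["rebuild"] is not None else None,
        suffix=g["suffix"] or "",
    )


def at_or_after(installed: IOSVersion, first_fixed: IOSVersion) -> Optional[bool]:
    """True if `installed` is at or past `first_fixed` within the same train.

    Returns None when the two are in different trains: release numbers are only
    comparable inside one train, so a fix in 12.4(16)T says nothing about
    whether 12.4(25) mainline is fixed. Callers must look up that train separately.
    """
    if installed.train_id() != first_fixed.train_id():
        return None
    return installed.sort_key() >= first_fixed.sort_key()


if __name__ == "__main__":
    fixed = parse_ios_version("12.4(15.3)T")      # constructed "first fixed" interim build
    for s in ("12.4(15)T", "12.4(16)T", "12.4(25)"):
        print(s, "->", at_or_after(parse_ios_version(s), fixed))
```

The `None` result is deliberate: the most common mistake when scripting against advisories is to compare the numeric part across trains, which silently reports a mainline image as fixed because a T-train fix carries a higher release number.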

Trains

Cisco says, "A train provides a vehicle for delivering software with a specific set of features to a specific set of platforms."

Until 12.4

Before Cisco IOS release 15, releases were split into several trains, each containing a different set of features. Trains more or less map onto distinct markets or groups of customers that Cisco targeted.

  • The T – Technology train, gets new features and bug fixes throughout its life, and is therefore potentially less stable than the mainline. (In releases prior to Cisco IOS Release 12.0, the P train served as the Technology train.) Cisco does not recommend using the T train in production environments unless there is urgency to implement a new feature that only the T train provides.

a modern variant, although the passwords can be decoded by the router using the "key chain" command and entering the Type 7 password as the key, and then issuing a "show key" command; the above example decrypts to "stupidpass". However, the program will not decrypt Type 5 passwords or passwords set with the "enable secret" command, which uses salted MD5 hashes.

Cisco recommends that all Cisco IOS devices implement the authentication, authorization, and accounting (AAA) security model. AAA can use local, RADIUS, and TACACS+ databases. However, a local account is usually still required as a fallback for emergencies, such as when the AAA servers are unreachable.
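The distinction above between reversible Type 7 values and the salted hash written by "enable secret" is the one that matters when a configuration leaks (backup server, TFTP share, ticket attachment). The Python below is an added example, not code from the article or from Cisco: it implements the Type 7 scheme (a fixed-key XOR in which the first two digits of the stored value are an offset into the key) in both directions, and then audits a constructed running-config, reporting which credentials are recoverable from the file alone and whether "aaa new-model" is present. The key string, the sample config lines and the placeholder Type 5 hash are constructed for this example; the encoded value 0822455D0A16 is what the encoder produces for "cisco" at offset 8.

```python
import re
from typing import Dict, List

# Added example (not Cisco code). Type 7 is a Vigenere-style XOR against a
# fixed key: the first two characters of the stored value are a decimal
# offset (0-15) into the key, and each following pair of hex digits is one
# plaintext byte XORed with the key byte at offset + position.
_XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext of a 'password 7 ...' value."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"malformed Type 7 value: {encoded!r}")
    seed = int(encoded[:2])
    out = []
    for pos, i in enumerate(range(2, len(encoded), 2)):
        byte = int(encoded[i:i + 2], 16)
        key = ord(_XLAT[(seed + pos) % len(_XLAT)])
        out.append(chr(byte ^ key))
    return "".join(out)


def type7_encode(plain: str, seed: int = 8) -> str:
    """Produce the value the router would store; used here to build sample data."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    body = "".join(f"{ord(ch) ^ ord(_XLAT[(seed + i) % len(_XLAT)]):02X}"
                   for i, ch in enumerate(plain))
    return f"{seed:02d}{body}"


# Constructed sample config. The Type 5 value is a placeholder, not a real hash.
SAMPLE_CONFIG = "\n".join([
    "service password-encryption",
    "enable password 7 " + type7_encode("cisco", seed=8),      # 0822455D0A16
    "username admin secret 5 $1$ABCD$placeholderhashvalue",
    "username ops password 7 " + type7_encode("Op3rator!", seed=3),
    "line vty 0 4",
    " password plainvty",
    " login local",
])

# Credential-carrying lines: an optional numeric type precedes the value.
_SECRET_LINE = re.compile(
    r"^(?P<prefix>enable password|enable secret|username \S+ (?:password|secret)|password)\s+"
    r"(?:(?P<type>\d+)\s+)?(?P<value>\S+)$"
)


def audit_config(config: str) -> List[Dict[str, str]]:
    """Classify each stored credential by what a reader of the file can recover."""
    findings: List[Dict[str, str]] = []
    has_aaa = False
    has_spe = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            has_aaa = True
        if line == "service password-encryption":
            has_spe = True
        m = _SECRET_LINE.match(line)
        if m is None:
            continue
        kind = m.group("type") or "0"       # no type digit means cleartext (type 0)
        value = m.group("value")
        if kind == "0":
            findings.append({"line": line, "status": "cleartext", "recovered": value})
        elif kind == "7":
            findings.append({"line": line, "status": "reversible",
                             "recovered": type7_decode(value)})
        else:
            # Type 5 (salted MD5) and the newer one-way types cannot be reversed here.
            findings.append({"line": line, "status": "hashed", "recovered": ""})
    if has_spe:
        # service password-encryption only applies Type 7; it is obfuscation, not protection.
        findings.append({"line": "service password-encryption", "status": "type7-only",
                         "recovered": ""})
    if not has_aaa:
        findings.append({"line": "", "status": "no-aaa", "recovered": ""})
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f['status']:<12} {f['line']:<45} {f['recovered']}")
```

The audit treats "service password-encryption" as a finding rather than a control: it converts cleartext passwords to Type 7 on the fly, which stops shoulder-surfing of "show running-config" but recovers in milliseconds with the decoder above. Only the "secret" forms are one-way.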

At the Black Hat Briefings conference in July 2005, Michael Lynn, working for Internet Security Systems at the time, presented information about a vulnerability in IOS. Cisco had already issued a patch, but asked that the flaw not be disclosed. Cisco filed a lawsuit, but settled after an injunction was issued to prevent further disclosures.

With classic IOS being phased out on devices, IOS XE adopted many improvements, including updated defaults; in some use cases secrets can now be stored as one-way hashes rather than in the reversible Type 7 form.

IOS XR train

For Cisco products that required very high availability, such as the Cisco CRS-1, the limitations of a monolithic kernel were not acceptable. In addition, competing router operating systems that emerged 10–20 years after IOS, such as Juniper's Junos OS, were designed without these limitations. Cisco's response was to develop a completely new operating system that offered modularity, memory protection between processes, lightweight threads, pre-emptive scheduling, the ability to independently restart failed processes, and massive scale for use in service provider networks. The IOS XR development train initially used the QNX real-time microkernel, and a large part of the IOS source code was rewritten to take advantage of the features offered by that kernel. In 2005 Cisco introduced IOS XR on the 12000 series of network routers, extending the microkernel architecture from the CRS-1 to Cisco's widely deployed core routers. As of release 6.x of IOS XR, QNX was dropped in favor of Linux. Early work on modularity also produced a "modular IOS" variant, which brought parts of the microkernel design into the IOS environment while retaining in-service software upgrade capabilities. It was only trialled on the Catalyst 6500, saw limited exposure, and was quickly discontinued because its resource requirements were too high and it significantly impaired platform operation.

See also

  • Cisco IOS XE
  • Cisco IOS XR
  • Cisco NX-OS
  • Junos OS
  • Supervisor Engine (Cisco)
  • Network operating system
  • Packet Tracer

References

  • Cisco Content Hub
  • Cisco Feature Navigator
  • Cisco Security Advisories