Overview of Cisco IOS Versions and Releases

Part of the document Router Security Configuration Guide (pages 224 - 229)

8. Appendices

8.3. Overview of Cisco IOS Versions and Releases

Cisco provides a very large number of software releases for their routers and other products. This appendix provides an overview of the major release levels, and the release naming scheme. It is intended to help with upgrade strategies and version selection. In general, operational routers should be kept up to date with the newest stable release that provides all the needed features. Often it will not be practical to install all the updates that Cisco makes available, especially during the flurry of bug fix releases that tends to follow a major change. Devise a consistent upgrade strategy that matches the needs of your network, and then follow it; use this appendix and the materials listed in the references to understand what Cisco provides.

8.3.1. Release Levels and Names

Cisco follows strict naming schemes for IOS releases. Unfortunately, the format has changed several times since IOS was first introduced in the mid-1990s. The current format for a Cisco IOS release name is shown below.

Figure 8-1 – Cisco IOS Release Naming

In general, the release number and release identifiers tell what features could be available, and the revision number tells how many times the release has undergone fixes to correct problems. Cisco releases may be broadly divided into two kinds: regular shipping releases (general or limited) and early releases. A regular release will almost always have a simple number with no release identifier, such as 12.0.8. An early release will usually include an identifier, and may also include a number in parentheses. For example, the release “12.1.3T” is IOS version 12.1, revision 3, identifier T. The ‘T’ identifier designates an early release of new technology features. For operational purposes, it is usually best to avoid early release software, unless it has some required, critical feature. There is a complex naming scheme for early releases that is beyond the scope of this guide; consult [1] for complete details.

The naming format shown in the figure is

    VV.N.M RR

where VV is the IOS major release number (10, 11, 12), N is the minor release number, M is the maintenance revision number, and RR is the release identifier.

Examples:

    12.0.3    Release = 12.0, Revision = 3
    11.3.5T   Release = 11.3, Revision = 5, Identifier = T

Some of the suffixes that you might see on special-purpose releases include “XA”, “HA”, “F”. You might also see maintenance revision numbers in parentheses, usually for ED releases; for example, 11.2(9)XA.

Every Cisco IOS release has a release type. The table below describes the types.

ED – Early Deployment
    Description: a pre-shipping release that supports new features, protocols, or hardware.
    Remarks: This could be considered the ‘beta’ release for an IOS version.

LD – Limited Deployment
    Description: this is the status of a release when it is first shipped to customers (FCS). Releases at this level are sometimes pre-installed on routers sold by Cisco.
    Remarks: LD releases are usually stable, but have not undergone the extensive customer shakedown and bug fixes of a GD release.

GD – General Deployment
    Description: a stable shipping release suitable for general use. Most Cisco routers sold come with a GD release pre-installed.
    Remarks: The most stable type of release, a GD has usually been subject to several rounds of bug fixes since first shipping.

DF – Deferred Release
    Description: a release that was built and named, but later retracted.
    Remarks: DF releases are not available to customers.

The revision numbers for a given release run sequentially, even as the release status moves from ED to GD. As an example, look at IOS 12.0: for the 3640 router, 12.0.1 was ED, 12.0.4 was LD, and 12.0.8 was GD.
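As an added example (not code from the guide), the following Python parser handles the VV.N.M RR naming format described above, including the parenthesised maintenance-revision form such as 11.2(9)XA, flags early-release software by its identifier, and orders revisions within one release as this section describes. The regular expression, the function names and the sample inventory are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Pattern for the VV.N.M RR scheme (major.minor.revision plus an optional
# identifier), also accepting the parenthesised form 11.2(9)XA. The pattern is
# this example's own assumption; the guide gives only the example names.
_RELEASE_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<rev>\d+)|\((?P<prev>\d+)\))"
    r"\s*(?P<ident>[A-Z]+)?$"
)

@dataclass(frozen=True)
class IosRelease:
    major: int
    minor: int
    revision: int
    identifier: str  # empty for a regular release such as 12.0.8

    @property
    def release(self) -> str:
        return f"{self.major}.{self.minor}"

    @property
    def is_early(self) -> bool:
        # An identifier (T, XA, ...) marks early or special-purpose software.
        return bool(self.identifier)

def parse_release(text: str) -> IosRelease:
    m = _RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Cisco IOS release name: {text!r}")
    rev = m.group("rev") or m.group("prev")
    return IosRelease(int(m.group("major")), int(m.group("minor")),
                      int(rev), m.group("ident") or "")

def newer_revision(a: IosRelease, b: IosRelease) -> bool:
    """True if a is a later revision of the same release as b; revisions run
    sequentially within a release, so 12.0.8 is newer than 12.0.4."""
    if a.release != b.release:
        raise ValueError("revision order is only meaningful within one release")
    return a.revision > b.revision

def flag_early(names):
    """Return the names carrying a release identifier, i.e. early-release
    software the guide advises avoiding on operational routers."""
    return [n for n in names if parse_release(n).is_early]

# Constructed sample inventory, not taken from the guide.
SAMPLE_INVENTORY = ["12.0.8", "12.1.3T", "11.2(9)XA", "11.3.5T", "12.0.4"]
```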

Releases, Features, and the Cisco IOS Upgrade Planner

Every Cisco IOS release is built with a variety of feature sets. The feature sets have names that are roughly evocative of what the features are; two common names are “IP PLUS” and “ENTERPRISE/APPN”. All feature sets support basic IP routing and filtering, but some also support firewall or IPSec functions (see Section 5) or mainframe protocols, or telephony. IOS versions with more features will require more memory, so it is generally a good idea to use the simplest feature set that meets the network’s needs. Some commercial organizations customarily purchase routers with the maximum memory capacity pre-installed, to give the greatest latitude for future expansion.

The Cisco web site provides a “Software Center” where authorized customers can download software products, including Cisco IOS releases. The part of the software center that contains the IOS releases is called the “Cisco IOS Upgrade Planner.”

Registered Cisco customers with software maintenance contracts may download IOS releases via the Upgrade Planner; it supports choosing versions in a very flexible way. It presents the different available releases in a friendly tabular arrangement, and allows you to select items of interest (hardware model, feature set, release number) in any order.

When you use the IOS Upgrade Planner to select a particular IOS software release, it supplies the hardware and memory requirements for that release before permitting you to download it. Be very careful to check these requirements against the router on which you hope to run the software; ensure that the amount of installed memory meets or exceeds the requirements before attempting to load the IOS release.

8.3.2. Major Releases and their Features

There are at least five major releases of Cisco IOS software currently in use in operational environments: 11.1, 11.2, 11.3, 12.0, and 12.1. The lists below describe some of the major features introduced into IOS in each of these releases, with emphasis on security-relevant features.

All earlier Cisco IOS releases, 11.0 and 10.x, are now unsupported by Cisco, although they are still available for download.

IOS 11.1

The 11.1 release was the last IOS release to use the old ‘classic’ or monolithic architecture. While exceedingly stable and robust, it did not offer extensive security features. IOS 11.1 was first deployed in 1996, and engineering development for it was dropped in 1999. Some of the important features are listed below.

§ RIPv2 (see Section 4.5)

§ The IOS web server and web browser management interface [11.1(5) and later]

§ RADIUS support (as part of AAA, see Section 4.7)

§ RMON support (see Section 4.6)

§ Lock-and-Key dynamic access lists

IOS 11.1 is available as a GD release for all older Cisco routers, but is not available for some of the popular newer models (e.g. 7500, 1605, 3660).

IOS 11.2

The 11.2 release was the first IOS version to fully implement Cisco’s modular architecture for router software. A great many new features were added to IOS over the lifetime of 11.2; a few of them are listed below.

§ Named access control lists (See Section 4.4)

§ Network address translation (NAT)

§ Support for RSVP and IP Quality-of-Service (see Section 7.5)

§ Support for LANE (IP over ATM)

§ Various OSPF and BGP4 enhancements

§ Initial support for TCP Intercept (11.2F only)

§ Early (pre-IPSec) VPN support

§ Early versions of the IOS firewall feature set and CBAC (see Section 5.3)

IOS 11.2 is available as a GD release for many popular Cisco router models, but not all of them.

IOS 11.3

11.3 was used to introduce a large number of new features into IOS, but it was never officially shipped as a GD release. Some of the features introduced in 11.3 are listed below.

§ Initial implementations of IPSec (11.3T)

§ Cisco Encryption Technology (CET) VPNs

§ Enhancements to AAA (See Section 4.7)

§ Full IOS firewall feature set and CBAC (11.3T)

§ Reflexive access lists

§ TCP Intercept (full availability)

§ Initial support for VLAN routing

§ Enhanced IOS filesystem and initial support for FTP

§ HTTP authentication for the IOS web server

IOS 11.3 is available for almost all Cisco router models, but only at the ED and LD release levels.

IOS 12.0

The 12.0 and 12.0T releases brought together a wide variety of features that had previously been available only in selected LD and ED releases of IOS 11. 12.0 was designed to be the basis for future router software releases, and to help eliminate the confusion of specialized releases that plagued 11.1 through 11.3. Some of the security-relevant features introduced or consolidated in 12.0 are listed below.

§ Full support for the Firewall feature set and CBAC

§ Initial version of IOS Intrusion Detection (IDS)

§ Full support for IPSec

§ Commented IP access list entries

§ Full support for the Layer 2 Tunnelling Protocol (L2TP)

§ SNMP version 3 (See Section 4.6)

§ Time-based access lists

§ General availability of ip unicast reverse-path verification [Section 4.4]

IOS 12.0 is available in both LD and GD forms for all supported Cisco router platforms, and many other Cisco hardware products.

IOS 12.1

The 12.1 release is an incremental step forward from 12.0. While it is expected to reach GD status, as of late 2000 it was only available at the ED and LD release levels. Some of the security features to appear in 12.1 so far are listed below.

§ Enhanced IPSec certificate management and AAA integration

§ AAA accounting enhancements

§ Unicast reverse path forwarding security enhancements

§ Initial support for Secure Shell (SSH Version 1) client and server

8.3.3. References

[1] Coulibaly, M.M., Cisco IOS Releases: The Complete Reference, Cisco Press, 2000.

This highly specialized book covers the Cisco IOS release system and release history in painstaking detail.
