Cisco beginners often have questions about the different IOS lines, how they differ and what they can do. The arrival of the new ISR G2 routers and the new IOS version 15 line added to the confusion. Let's sort it out in simple terms.
We will discuss IOS for the most common routers: the Integrated Services Routers (ISR) of the first and second "waves" (G1 and G2). I will not go deep into history and will start with IOS version 12. Earlier versions exist, of course, but are now extremely rare. Moreover, even the oldest hardware usually has at least a 12.0 version.
Starting with this line, Cisco introduced the notions of a "stable" or "main" image (main deployment, MD), "early versions" (early deployment, ED), all sorts of experimental versions (usually containing several new features) and a whole "advanced" technology line (denoted by the letter T in the IOS name). The general idea is as follows: everything that was trialled in the experimental and technology lines of previous versions appears as a standard feature in the next version of the main line. For example, what was in 12.3T and was successfully tested goes into 12.4 MD. Accordingly, the T line has more capabilities, but its functionality is less tested and statistically less reliable.
A separate topic is IOS functionality. To avoid confusion, let's divide it: IOS for ISR G1 (the most common routers are 85x, 87x, 18xx, 28xx, 38xx, as well as their predecessors 26xx, 36xx, 37xx) and IOS for ISR G2 (89x, 19xx, 29xx, 39xx). For the latter there is ONLY IOS version 15.0(1)M and newer. For the older routers there are both version 12 and version 15.
Note: versions 12.5, 13 and 14 never existed. According to legend, 13 is an unlucky number in the United States, and 14 in Japan.
Note 2: the 86x router, although formally part of G2, was released before the rest of the line. It runs IOS 12.4 and is not licensed (i.e. it works the same way as G1).
ISR G1:
In versions before 15, IOS feature sets could be divided into several types:
1. Security. Allows you to build various kinds of VPN, firewall and IPS, and to protect the router itself.
2. Enterprise. Allows you to handle more than just IPv4, for example IPX and CLNP. Previously only this set included IPv6; now that protocol is in Base.
3. Unified communications. Various telephony features such as CUCM, gateway, gatekeeper, etc.
4. IP Base. The minimum set. It does not even have ip sla! I try not to leave IP Base.
There were many more IOS images than this, because they could combine different feature sets. You can find out in detail which features are available in which IOS in Cisco's handy Feature Navigator.
_______________
UPD from 04/03/11
IOS line names in version 12:
IP Base
IP Voice
Advanced Security
SP Services
Enterprise Base
Advanced IP Services
Enterprise Services
Advanced Enterprise Services
________________
Since version 15 the feature sets are called almost the same:
1. Security
2. DATA
3. UC
4. Base
Version 15 of IOS contains all the features. For ISR G1, this means that you can download a fresh IOS version 15 and not worry. The T line, as before, contains more features but is considered less stable.
Why separate the features into groups if they are all available? Here is why: ISR G2 introduced a feature licensing system, roughly like the one on the ASA. That is, loading a different IOS into an ISR G2 to get different functionality, as people used to do on ISR G1, will not work. You need to buy licenses for the functionality you want. This is how Cisco fights the abundance of "not quite legal installations" of advanced functionality. After all, IP Base is much cheaper than the desired bundle, which means you can "save". Formally you can even be reprimanded for it, but if you did not buy support from Cisco (SmartNet), then no one will know about such a replacement.
Additional complexity comes from our customs legislation, which puts a taboo on importing encryption tools with a key length of more than 56 bits (DES still passes, and so does ASA-K8, but 3DES/AES do not). In response to these bans Cisco released a localized version of IOS with truncated tunnel encryption functionality. The first of these was NOVPN for the 3845, and for IOS version 15 this line is called NPE (No Payload Encryption). This step made it possible to obtain a notification for ISR G2 and to import such Cisco devices into the territory of the Russian Federation without difficulty (ISR G1 is easily imported with IOS IP Base). However, we were deprived of a mass of convenient features: IPSec VPN, L2TPoIPSec, SSLVPN, GETVPN, DMVPN, sRTP and other encryption capabilities... the very things many people value Cisco routers for. You can buy the UC, Sec-NPE or DATA bundle, but none of them will unlock encryption. And until recently there was no solution to this problem: there was no official way to purchase a full-fledged IOS (PE) and a Security license that includes VPN...
But if you really want ...
Recently such an opportunity appeared: to get "technology licenses" for encryption (SecurityK9, UCk9, DATAk9) for 12 years. This is done as follows:
1. Find an IOS image that is not NPE, i.e. without NPE in the name, for example: c2900-universalk9-mz.SPA.151-3.T.bin.
2. The IOS version must be no lower than: 15.0(1)M4, 15.1(1)T2, 15.1(2)T2, 15.1(3)T.
3. Enter a few magic commands, which with some perseverance can be found like this:
Ro(config)# license boot ?
and after entering each of the lines, accept the EULA.
Note: I deliberately do not give exact commands, because I do not know how the owners of Habr will react to such a "hack"
4. Save
5. Restart the router, and do not be alarmed by the warning about how much time is left until the end of the technology period: 12 years :)
Disclaimer: use at your own risk. Regulators may find fault, so prepare a rollback plan. There may be pitfalls that I do not know about. For example, one of the testers of the solution reported that after installing the licenses and rebooting, some of the ip inspect commands disappeared.
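For an inventory or compliance review, the image name alone tells you the platform, feature set, release, train and whether the build is NPE. The parser below is an added example, not code from the original article or from Cisco. It assumes names shaped like the c2900-universalk9-mz.SPA.151-3.T.bin example above, that NPE builds carry `npe` in the feature-set field, and that the platform prefix maps onto the ISR G2 families listed earlier (only meaningful for router images); the sample names are constructed.

```python
import re
from typing import NamedTuple, Optional

# <platform>-<featureset>-<format>[.<signing tag>].<release>.bin
IMAGE_RE = re.compile(
    r"^(?P<platform>c\d+[a-z]*)-(?P<features>[a-z0-9_]+)-(?P<fmt>[a-z]+)\."
    r"(?:(?P<signing>[A-Z]{3})\.)?"                      # e.g. SPA in the article's example
    r"(?P<major>\d{2})(?P<minor>\d)-(?P<maint>\d+)(?P<letter>[a-z])?"
    r"(?:\.(?P<train>[A-Z]+)(?P<rebuild>\d+[a-z]?)?)?\.bin$"
)

class IosImage(NamedTuple):
    platform: str
    features: str
    release: str          # e.g. "15.1(3)T"
    train: Optional[str]  # "T", "M", or None for a 12.x main-line image
    npe: bool             # True = No Payload Encryption build
    licensed: bool        # True = ISR G2 family (feature licensing applies)

# ISR G2 families named in the article: 89x, 19xx, 29xx, 39xx.
G2_FAMILIES = ("89", "19", "29", "39")

def parse_image(name: str) -> IosImage:
    m = IMAGE_RE.match(name.strip())
    if m is None:
        raise ValueError(f"unrecognised IOS image name: {name!r}")
    g = m.groupdict(default="")
    release = (f"{g['major']}.{g['minor']}({g['maint']}{g['letter']})"
               f"{g['train']}{g['rebuild']}")
    digits = re.sub(r"\D", "", g["platform"])
    return IosImage(g["platform"], g["features"], release, g["train"] or None,
                    # Assumption: NPE builds are named "<featureset>_npe".
                    npe="npe" in g["features"].split("_"),
                    licensed=digits.startswith(G2_FAMILIES))

def audit(names):
    """Return (name, finding) pairs worth a second look in an inventory."""
    findings = []
    for name in names:
        img = parse_image(name)
        if img.train == "T":
            findings.append((name, "T train: more features, less field-tested"))
        if img.licensed and img.features.startswith("universal") and not img.npe:
            findings.append((name, "non-NPE universal image: confirm import and licence status"))
    return findings

# Constructed sample names (the first is the article's own example).
SAMPLES = ["c2900-universalk9-mz.SPA.151-3.T.bin",
           "c2900-universalk9_npe-mz.SPA.150-1.M4.bin",
           "c2800nm-advipservicesk9-mz.124-24.T.bin",
           "c2800nm-advsecurityk9-mz.124-25d.bin"]
```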