Differences in Router/Switch IOS and Security Appliance IOS?

NuclearBeavis

Perhaps someone can clear this up for me, but in my limited experience working on security appliances, it seems the IOS is different than on routers and switches. For instance, there's an "expert" mode in the CLI. These security appliances had Firepower on them, and I'm unsure if Firepower is a full appliance OS or just something that runs on top of the IOS. Thanks.

d4nz1g

they are all different OSes. different HW architecture = different hardware instructions = different OS to handle them.

a switch, for example, has special HW intended to switch packets in an incredibly high speed, while routers (by routers i mean LOW END routers AKA ISR) were designed to support more features and do not need to have specialized HW to switch/route packets (exceptions being VPN modules, for example).

in regards to Firepower, it is a completely different architecture (hardware and software), maybe it can be related to IOS-XE. both are based on *nix systems and are modular.

edit: missed the main point .-.

so, usually these "expert" cli are intended to manage the operating system (not the features running on top of it). this means access to the operating system itself (drivers, resource management, and etc).

looking at FXOS compatibility page, it looks like FXOS is a software that runs inside a dedicated firepower module. this would be another software layer that depends on ASA.

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html

please feel free to correct me if i am wrong, its been a looooong time since i dont touch a security device.

NuclearBeavis

Thanks for the response. So a device running Firepower is essentially not running anything like the IOS found on standard routers and switches? I know that routers and switches have different IOS variations, but for the most part the command structure is the same (at least to me). But these ASA's I worked with seemed so drastically different, I wasn't quite sure what to make of it. Hoping as I go through CCNA Sec that some of the details on Firepower and ASA's will become more clear.

Edit: OK, I think it's more clear now. Cisco ASA's run their own ASA OS, which according to Cisco, is not forked off the IOS, and is based on Linux. Then Firepower is a set of extra services that can run on that ASA OS. I have a little experience using Firepower managment center, but never really conceptually grasped what Firepower was.

ccie14023

Well, it's kind of a well-known Cisco problem. Cisco grows by acquisition, so often times product lines have very different hardware/software. It's not that they want to make life more complex, just that they realize sometimes buying a company is faster than developing in house. Then you end up with the present situation, with IOS, IOS XE, IOS XR, NXOS, ASA OS, etc., etc., etc. I could talk your ear off about why abstractions and data models are a way around this problem but it probably wouldn't help much.

NuclearBeavis

Thanks for the reply. Eventually I hope to pick a direction and narrow my focus.

Iristheangel

To add to this, eventually the ASA OS and firepower module will go away and it's going to be one overarching OS: FTD.

As far as FXOS, that's only on the Firepower appliances, not the ASAs at ALL. That's more for the management of the hardware platform itself. Think "CIMC" for the Firepower appliance

NuclearBeavis

Iristheangel wrote: »

To add to this, eventually the ASA OS and firepower module will go away and it's going to be one overarching OS: FTD.

As far as FXOS, that's only on the Firepower appliances, not the ASAs at ALL. That's more for the management of the hardware platform itself. Think "CIMC" for the Firepower appliance

When I was using FPMC, we had a 5545 and 7120 and something else managed from that one VM. So basically, the 7120 was a Firepower appliance running FXOS, the 5545 was a standard ASA running Cisco's ASA OS? But FPMC can manage both just the same? I wish I remembered the details better. I know I went into the CLI a few times on the difference appliances, and at the time I thought they were running the same software. But I never had to reload them from scratch or do anything too detailed, so I didn't take note of a lot of things.

Iristheangel

Well, the 7xxx and 8xxx series are technically renamed as Firepower, they aren't really Firepower in the sense that they have FXOS. They're the original Sourcefire platform which is why they don't have FULL feature parity with the new Firepower 21xx, 41xx, and 9300 platforms.

The Firepower module from the 5545 and the Firepower OS from the 7120 can still be managed by the Firepower Management Center. The only thing that can't be managed on the 5545 is the ASA OS code that's over the Firepower module. If you decided to wipe it one day and do FTD (the unified code), you wouldn't have that problem anymore but I would wait a couple months until 6.2.3 comes out if you were going that direction

NuclearBeavis

OK, thanks again for the reply. The picture is starting to come into focus for me on how some of this stuff is structured.