The future of Cisco IOS images

wildfire · March 2007

We had a brief by our onsite Cisco Engineer (yes we spend so much money Cisco give us a pre/post sales guy to assist)

He was talking about the new 3560/3750-E series. while they look like an impressive product, the worrying thing that struck out was that he confirmed that the images for these devices will require an activation key. Moving away from the old system of download an image on and TFTP it on the switch.

These every switch has the full feature set but each stage is released using an activation key which is tied to individual serial number.

What he also did say was that people buying routers and swtiches from ebay beware, its actually illegal to transfer a software image even if its on a device. Officially if you buy a switch say from ebay you should delete the image, then the purchase the relevant key from Cisco.

The new Key activation software will use a 'Free' key management server provided by Cisco.

The logistics for work is going to be a nightmare! getting activation keys for all our switches across our 3000+ sites!

Also before a 6500 IOS image with certain feature sets would be a resonable size, now you will need the whole size image meaning you need the bigger flash....you can see where this is going

Also E seems to be the theme for the future all new annoucnments have E in them, like the sup 1440-E.

Anyway beware in the future, buying a Switch on ebay could mean you have a $500 paperweight until you purchase an activation key or a smartnet contract.

Dont panic to much its only the new hardware platforms and the 2800 series ISR that will be affected.

mikej412 · March 2007

Well... it will be good for Techexams, at least initially, when everyone rushes to certify while they can still afford the labs.

Then I guess it will become good for the rack rental places.

It could be worse -- they could use hardware dongles and make you physically show up on site for every piece of equipment to load the features from a hardware key into the dongle....

Webmaster · March 2007

Thanks for sharing this very interesting info!

I wish Cisco would encourage students to get hands-on experience through homelabs instead making it a more expensive option. A 120-days trial/limited/educational IOS edition would be nice.

The activation doesn't come as a total surprise. I recently wondered whether Cisco is going to release a IOS version 'thirteen' (

: ) or use it as an opportunity to start with something fresh. Which amongst other things I expected would be used as an opporunity to include some sort of licensing through activation, considering that's almost standard for software nowadays. Or just skip to version 14

jvax · May 2007

Webmaster wrote:

A 120-days trial/limited/educational IOS edition would be nice.

It would be very nice indeed.

Or Cisco could exclude say 12.2 and below from its license agreement!! How about that?

Has anyone ever brought up the idea of "Open Source IOS" for discussion?

Just curious

mgeorge · May 2007

Obviously Cisco is killing them selves by using this type of activation technology. By
far they are preventing piracy but yet they are going to run more people to different
brands due to the lack of trained professionals avaliable in the indusry because of limited
resources of real lab equipment due to high ass prices, just to gain hands on experince.

Once this happens I can garuentee you calix, redback, and junipers will become prime
choices in infrastructure deployment due to avaliablity of certified professionals able to
support the high end equipment.

I agree with webmaster there, if they dont offere a trial version of the IOS or some type
of trainning software that works along the lines of dynamips then the salary and the demand
of cisco certified professionals will increase exponetially. With hundreds of Cisco Certified
Professionals letting their certs expire due to inavaliability of Cisco Lab equipment to gain skills
on new technology, would consideriably fuel a revolutionary market change.

If Cisco does deploy this, I will get my juniper certs and start teaching their courses as
well because I'm sure they will be in demand after this stupid microsoft ideal is deployed.

I hate it when companies always think about the money instead of the people.

Darthn3ss · May 2007

what/ you mean you can't prepare for CCIE lab with a boson simulator? :-p

Rearden · May 2007

If this is really going to happen, am I wasting my time with Cisco? Maybe I should just go back to being a programmer.

seraphus · May 2007

I don't see the "lockdown" as a major issue for anyone in the near future...

Are they gonna' stop me from learning 80% to 90% on my home lab?
(or anyone using 12.2/12.3/12.4?)

Unless they plan on coming across town (over to Raleigh from RTP) to
lock down my routers, I'll continue to get busy.

malweth · May 2007

I think if Cisco made their products easy to administer, Cisco engineers would be getting lower salaries and infrastructure would run just as good. God bless Cisco for making us money!!!!

Except if people "thought" they were easy to administer (via the SDM, for example) they would screw up their networks even more

It's the difference between fixing a network that has gotten out of hand versus fixing a broken network where knew just enough to screw it up.

mgeorge · May 2007

Well if they lock down their IOS it wont affect any one for a few years but when the 2800 service routers
become 300-400 bucks on ebay thats when most people trying to learn the latest and greatest technologies
will be litterly screwed because they cannot activate the IOS

And I love the ideal that each activation key is unique to the Cisco box... I love how they stole
that ideal from the Xbox360 CPU.

milliamp · May 2007

I think Cisco's open nature up till now has helped them out quite a bit. This is a bummer.

Nik00117 · January 2008

I agree, I think CISCO merely needs to ensure that corps are not pirating. However I feel that the individual who is studying for his CISCO cert should be given a certain amount of "we don't care type deal" I mean especially when starting out, we don't got hundreds of dollars to throw away. I think CISCO should be considerate towards its new and up coming engineers.

JohnDouglas · January 2008

I guess it would go much the same way XP or Vista has gone. That's not stopped pirating and misuse on a private scale.

mgeorge · January 2008

Well I can definately confirm that 3560E's and 3750E's require a license file to derminate the feature set that is unlocked. The license file is stored in a secure flash memory space "as cisco likes to say" which is not directly accessable.

The license file is not tied to the serial numbers or any thing, it is tied to the "UDI" of the device (Unique Device Identifier) So when purchasing a new license you must submit the PAK Code (which is a code you get when purchsing a license) and the UDI number of the device you purchased it for to Cisco's online license portal. Then you install the license file provided by CLP (Cisco Licensing Portal) to the switch, then reboot and botta bing!!! You have a new featureset.

The UDI can be found on a sticker on the back of the device.

Cisco also offers a licensing server used to manage licensing for devices (of course the license management server is free) - go figure

Dont worry guys, if no license file is present, it will default to IPBASE. So at least you wont be completely SOL. Example below;

Switch> show version
Cisco IOS Software, C3750E Software (C3750E-UNIVERSAL-M), Version 12.2(35)SE2, RELEASE
SOFTWARE (fc1)
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Tue 19-Dec-06 01:36 by antonino
Image text-base: 0x00003000, data-base: 0x01473D34
ROM: Bootstrap program is C3750E boot loader
BOOTLDR: C3750E Boot Loader (C3750E-HBOOT-M) Version 12.2(35r)SE, RELEASE SOFTWARE (fc1)
cisl-9mem uptime is 0 day, 0 hours, 6 minutes
System returned to ROM by power-on
System restarted at 22:10:23 UTC Wed Sep 27 2006
System image file is "flash:IMG/c3750e-fa06-u-304k"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
License Level: ipbase Type: Default. No license found.
Next reboot license Level: ipbase
cisco WS-C3750E-24PD (PowerPC405) processor with 245760K/16376K bytes of memory.
Processor board ID CAT1006R0LH
Last reset from power-on
Target IOS Version 12.2(35)SE2
1 Virtual Ethernet interfaces
1 FastEthernet interface
24 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:12:80:A2:F2:00
Motherboard assembly number : 73-10314-06
Motherboard serial number : CAT10060XXX
Motherboard revision number : 04
Model number : 78-7056-05
System serial number : CAT100XXXXX
Hardware Board Revision Number : 0x00
Switch Ports Model SW Version SW Image

* 1 30 WS-C3750E-24PD 12.2(35)SE2 C3750E-UNIVERSALK9-M
Configuration register is 0xF

Lovely isnt it?

Rumor has it that in 12.5, it will be using the same technology, and will default to IPBASE as well if no license file is found. I cant really find no hard evidence to confirm this so like I said its just a rumor.

I know for now, the 3 feature sets available for switches will be IPBase, IP Services & Advanced IP Services.

I'm guessing from how Cisco is trying to standarize the IOS naming convention, the new flavors of IOS will probably be along the lines of IPBase, IP Voice, SP Services, Enterprise Base, Adv Security, Adv IP Services, Adv Enterprise Services.

Well figured i'd post more on this. If I learn any thing new ill post it as well

On a personal note i did have a great ideal that cisco could do to ensure self study cisco cert persuits can still gain hands on experince even with devices that require such licensing. They can provide a image for free (or a small charge) probably the latter (I'm sure cisco has to make money off of it in order for it to be possible) that could be used in a lab enviroment that will provide all features but have a limitation kinda like the Fail over license on ASA's where they reboot every so often. Lets say for example the lab devices reboot every 72 hours. Some people think why 72 hours, and thats where i'd say you have to consider the candidates persuing the CCIE, I leave my lab on for days at a time. I'll quit in the middle of a lab and come back to it 2 days later. But any who, thats just my idea

larkspur · January 2008

then it will look like dynaips and all the efforts to write that app will be wasted. I totaly dislike greedy companies. This pisses me off.

people learn what they can afford so maybe juniper and foundry will capitilze on thsi mistake!!

mgeorge · January 2008

larkspur wrote:

People learn what they can afford so maybe juniper and foundry will capitilze on thsi mistake!!

That is my prediction if Cisco does not offer a educational licensing program, because all of the simulators out there are crappy as hell, and dynamips will be useless then unless you use older ios.

networker050184 · January 2008

From what I understand Juniper already has a software licensing and has stopped there JunOS from running on platforms other than Juniper hardware ie Olive. Not 100% sure though...

empc4000xl · January 2008

I guess this is why cisco never got into the dynampis mess, they already had a plan cooking. As far as people going to other vendors for gear I doubt it. When you have that much of the market share you can do what you want. People have been mad at big Bill for years and they still control more than half of the market share. It took Steve jobs to come back and actually take a bite of out of MS.

itdaddy · May 2008

wow! well it would pay to be in business as a CISCO trainer
and charge top dollar to get certified! a plan!
wow!

like oil people will pay if they need it!

but like microsoft. someone with crk them oops did i say crack! ahhahahaha
i meant remedy them hahaahahhha

I am hurying up to get my CCNP so i can sit on my Arse! hahaha and cash in!

hahhah just kidding!

Ahriakin · May 2008

Well considering the current CCIE images are 2 revisions behind I don't think this will affect Dynamips/Dynagen anytime soon even if/when it is implemented. Still it would be beneficial to Cisco to create training images and perhaps buy/license Dynamips themselves, they could restrict bandwidth to say 1 mbps on these images so there is no way in hell they could be used in a live environment.

pullin-gs · May 2008

Vs lock down router code, I wish Cisco would spend more time working on a certification process that would do away with ****.
Nothing chaps my ass more than calling in an engineer in for an interview with an AAA+++ resume and discovering that he/she is nothing more than a paper-cert who studied for a few weeks on some *&%&^$#$# braindumps.

Last week I asked a guy what STP was and he rambled on about OSPF costs!
....and the week before that another guy couldnt configure a trunk port or enable routing.
BOTH these guys had current CCNP certifications, wanting $110k.

PS: Here is a good one--->For my GWGK CCVP test I noticed that part of the Cisco agreement for taking a test says you cant use ****, or copies of test material (that is what a **** is)....yet their own business partners who do Cisco training hand out MODERATED material to their test-takers like it was candy!

I think I'll start a thread on this just to stir the pot!

mikej412 · June 2008

pullin-gs wrote:

I think I'll start a thread on this just to stir the pot!

Or you could file a report online at the Cisco Brand Center. There is a link on the page to Report Usage Violations where you can

Report suspected misuse of Cisco intellectual property, such as logos, trademarks, and copyrighted material.

And if they are also a VUE Test Center, report them to Pearson/Vue using the VUE Contact Form for Test Security.

And if this is a branch office of a large Cisco Business Partner, report them to their HQ. They may be doing it on their own to boost their training "success rate."

Sepiraph · June 2008

The more interesting question is whether the IOS is ever going to be open-source, even if partially.

dtlokee · June 2008

I don't think it will go open source

I sat through some Cisco training on the ASR 1000 and it runs on a Linux kernel. Also some of the new routers and switches are going to run a modularized IOS instead of the "single file" IOS. I deployed about 80 6509-E switches (some of which were VSS, very nice indeed!) with the new modular IOS and it offers the ability to upgrade one part of the IOS without needing to bring down the whole box for an upgrade. I guess there will still be some cases where a reload of the supervisor will be required, but this should minimize it. Another cool thing is the ability to have a box with 2 supervisors running SSO even though they don't have the same code version, in the past this would require RPR which required about 1 minute to switchover to the standby supervisor, where SSO is like 50ms for a switchover.

mgeorge · June 2008

I doubt cisco will ever completely open source their ios code mainly because cisco wants
to prevent people from running it on any random device you can buy off ebay.

"WOW... I just stuck Cisco IOS on my laserjet printer!!! I can route and print simultaneously"

As dtlokee said, most of the new breakthroughs are with modularlization, they could
open source such code, but the core os will most likely be kept under lock and key.

Paul Boz · June 2008

I don't see a problem with Cisco locking down their devices. A big problem that many networks are facing right now (including many US government networks) is that of counterfeit hardware. Cisco has been tying operating systems to hardware codes with their security appliances for years now. This is nothing new. This is a further method for Cisco to ensure that their extremely well-engineered hardware isn't confused for counterfeit stuff. Dynamips isn't endangered. It will move on to operate like PEMU. Home labs aren't in danger. No one really has bleeding-edge devices in their home networks anyway so people won't see any problems for quite a while.

It's not like the OS drastically changes very often either. IOS is Cisco's bread and butter. They bank on people being able to pick up a Cisco device and configure it with no prior knowledge other than how to work inside an IOS environment. If they changed the look and feel of IOS they would alienate a large portion of their customer base and that's bad business any way you slice it.

dynamik · June 2008

Great points, but I have to wonder...

Paul Boz wrote:

It's not like the OS drastically changes very often either. IOS is Cisco's bread and butter. They bank on people being able to pick up a Cisco device and configure it with no prior knowledge other than how to work inside an IOS environment. If they changed the look and feel of IOS they would alienate a large portion of their customer base and that's bad business any way you slice it.

..are you craving a sandwich?

mgeorge · June 2008

hot ham and chedder...

The future of Cisco IOS images

Comments