  1. Member NuclearBeavis
    Join Date: Oct 2017
    Posts: 72
    #1

    Differences in Router/Switch IOS and Security Appliance IOS?

    Perhaps someone can clear this up for me, but in my limited experience working on security appliances, it seems the IOS is different than on routers and switches. For instance, there's an "expert" mode in the CLI. These security appliances had Firepower on them, and I'm unsure if Firepower is a full appliance OS or just something that runs on top of the IOS. Thanks.

  2. Padawan d4nz1g
    Join Date: May 2013
    Location: Brazil
    Posts: 425
    Certifications: CCNP, BCNE, CCNA, CCNA Sec, MCSA2k8, IPv6 Silver
    #2
    They are all different OSes. Different HW architecture = different hardware instructions = different OS to handle them.

    A switch, for example, has special HW intended to switch packets at an incredibly high speed, while routers (by routers I mean LOW END routers AKA ISR) were designed to support more features and do not need to have specialized HW to switch/route packets (exceptions being VPN modules, for example).

    In regards to Firepower, it is a completely different architecture (hardware and software); maybe it can be related to IOS-XE. Both are based on *nix systems and are modular.

    Edit: missed the main point .-.

    So, usually these "expert" CLIs are intended to manage the operating system (not the features running on top of it). This means access to the operating system itself (drivers, resource management, etc.).

    Looking at the FXOS compatibility page, it looks like FXOS is software that runs inside a dedicated Firepower module. This would be another software layer that depends on ASA.

    https://www.cisco.com/c/en/us/td/doc...atibility.html

    Please feel free to correct me if I am wrong; it's been a looooong time since I've touched a security device.
    Last edited by d4nz1g; 10-30-2017 at 10:57 PM.
    2017 - CCIE RS
    Labbing, labbing, labbing.

  3. Member NuclearBeavis
    Join Date: Oct 2017
    Posts: 72
    #3
    Thanks for the response. So a device running Firepower is essentially not running anything like the IOS found on standard routers and switches? I know that routers and switches have different IOS variations, but for the most part the command structure is the same (at least to me). But these ASAs I worked with seemed so drastically different, I wasn't quite sure what to make of it. Hoping as I go through CCNA Sec that some of the details on Firepower and ASAs will become more clear.

    Edit: OK, I think it's more clear now. Cisco ASAs run their own ASA OS, which according to Cisco is not forked off the IOS, and is based on Linux. Then Firepower is a set of extra services that can run on that ASA OS. I have a little experience using Firepower Management Center, but never really conceptually grasped what Firepower was.
    Last edited by NuclearBeavis; 10-31-2017 at 12:36 PM.

  4. Senior Member
    Join Date: Oct 2014
    Location: San Francisco
    Posts: 150
    Certifications: CCIE#14023 (R/S, Sec), JNCIE-SP #2332
    #4
    Well, it's kind of a well-known Cisco problem. Cisco grows by acquisition, so oftentimes product lines have very different hardware/software. It's not that they want to make life more complex, just that they realize sometimes buying a company is faster than developing in house. Then you end up with the present situation, with IOS, IOS XE, IOS XR, NX-OS, ASA OS, etc., etc., etc. I could talk your ear off about why abstractions and data models are a way around this problem, but it probably wouldn't help much.

  5. Member NuclearBeavis
    Join Date: Oct 2017
    Posts: 72
    #5
    Thanks for the reply. Eventually I hope to pick a direction and narrow my focus.

  6. ABL - Always Be Labbin' Iristheangel
    Join Date: Dec 2009
    Location: Pasadena, CA
    Posts: 3,717
    Certifications: CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs
    #6
    To add to this, eventually the ASA OS and Firepower module will go away and it's going to be one overarching OS: FTD.

    As far as FXOS, that's only on the Firepower appliances, not the ASAs at ALL. That's more for the management of the hardware platform itself. Think "CIMC" for the Firepower appliance.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    Bonus TE Fun: Nerd Photos

  7. Member NuclearBeavis
    Join Date: Oct 2017
    Posts: 72
    #7
    Quote Originally Posted by Iristheangel:
        To add to this, eventually the ASA OS and Firepower module will go away and it's going to be one overarching OS: FTD.

        As far as FXOS, that's only on the Firepower appliances, not the ASAs at ALL. That's more for the management of the hardware platform itself. Think "CIMC" for the Firepower appliance.
    When I was using FMC, we had a 5545 and 7120 and something else managed from that one VM. So basically, the 7120 was a Firepower appliance running FXOS, and the 5545 was a standard ASA running Cisco's ASA OS? But FMC can manage both just the same? I wish I remembered the details better. I know I went into the CLI a few times on the different appliances, and at the time I thought they were running the same software. But I never had to reload them from scratch or do anything too detailed, so I didn't take note of a lot of things.

  8. ABL - Always Be Labbin' Iristheangel
    Join Date: Dec 2009
    Location: Pasadena, CA
    Posts: 3,717
    Certifications: CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs
    #8
    Well, the 7xxx and 8xxx series are technically renamed as Firepower; they aren't really Firepower in the sense that they have FXOS. They're the original Sourcefire platform, which is why they don't have FULL feature parity with the new Firepower 21xx, 41xx, and 9300 platforms.

    The Firepower module from the 5545 and the Firepower OS from the 7120 can still be managed by the Firepower Management Center. The only thing that can't be managed on the 5545 is the ASA OS code that's over the Firepower module. If you decided to wipe it one day and do FTD (the unified code), you wouldn't have that problem anymore, but I would wait a couple of months until 6.2.3 comes out if you were going in that direction.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    Bonus TE Fun: Nerd Photos

  9. Member NuclearBeavis
    Join Date: Oct 2017
    Posts: 72
    #9
    OK, thanks again for the reply. The picture is starting to come into focus for me on how some of this stuff is structured.