Release Notes for Cisco Catalyst 9400 Series Switches, Cisco IOS XE Bengaluru 17.5.x
Introduction
Cisco Catalyst 9400 Series Switches are Cisco’s leading modular enterprise switching access platform and have been purpose-built to address emerging trends of Security, IoT, Mobility, and Cloud.
They deliver complete convergence with the rest of the Cisco Catalyst 9000 Series Switches in terms of ASIC architecture with Unified Access Data Plane (UADP) 2.0 and UADP 3.0. The platform runs an Open Cisco IOS XE that supports model driven programmability, has the capacity to host containers, and run 3rd party applications and scripts natively within the switch (by virtue of x86 CPU architecture, local storage, and a higher memory footprint). This series forms the foundational building block for SD-Access, which is Cisco’s lead enterprise architecture.
Cisco Catalyst 9400 Series Switches are enterprise optimized with a dual-serviceable fan tray design, side to side airflow, and are closet-friendly with a16-inch depth
Whats New in Cisco IOS XE Bengaluru 17.5.1
Hardware Features in Cisco IOS XE Bengaluru 17.5.1
Feature Name |
Description and Documentation Link |
---|---|
C9400-LC-48HN |
Cisco Catalyst 9400 Series 48-port, UPOE+ 100Mbps/1/2.5/5G Multigigabit Module, IEEE802.3af, IEEE802.3at, and IEEE802.3bt compliant module supporting up to 90 W Cisco UPOE+ on each of its 48 RJ45 ports
See Cisco Catalyst 9400 Series Switching Module Installation Note. |
Software Features in Cisco IOS XE Bengaluru 17.5.1
Feature Name |
Description, Documentation Link, and License Level Information |
---|---|
ACL Template for IPv4 and IPv6 |
Allows you to configure IPv4 and IPv6 access list (ACL) in template configuration mode. Use the ip access-group command to apply an IPv4 access list and ipv6 traffic-filter command to apply an IPv6 access list in template configuration mode.
|
Disabling USB Ports |
Allows you to disable all USB ports on a standalone or stacked device using the platform usb disable command.
|
DSCP marking on RADIUS Servers |
Allows you to configure Differentiated Services Code Point (DSCP) marking on RADIUS servers and RADIUS server groups using dscp command. The radius-server dscp command is used to configure DSCP marking for authentication and accounting on RADIUS servers in global configuration mode.
|
ERSPAN over MPLS VPN |
Introduces support for Multiprotocol Label Switching (MPLS) VPN for Encapsulated Remote Switched Port Analyzer (ERSPAN). ERSPAN traffic can be transported over MPLS VPN.
|
Fully Qualified Domain Name (FQDN) ACL |
Allows you to configure and apply a URL Redirect access list (ACL) policy in the system with dynamically resolved host names based on the domain name system.
|
Generalized PTP over Layer 3 Unicast |
Introduces support for generalized Precision Time Protocol (PTP) networks connected over Layer 3 devices.
|
Programmability
|
The following programmability features are introduced in this release:
|
Selective Q-in-Q |
Maps the specified customer VLAN-IDs (C-VLANs) entering the User Network Interface (UNI) to the specified, translated VLAN IDs (S-VLANs). The feature enables selective tunnelling or translation of C-VLANs to S-VLANs on interfaces configured as trunk ports. The egress packet is double-tagged with the C-VLAN ID and the mapped S-VLAN ID.
|
Session Timer Enhancement |
The range for number of seconds between reauthentication attempts was increased from 1 to 65535 seconds to 1 to 1073741823 seconds.
|
Support for Openflow MACsec |
Introduces support for MACsec in OpenFlow mode. This feature is not supported with high availability.
|
Wired Dynamic PVLAN |
Introduces support for Wired Dynamic Private VLAN (PVLAN) that uses a private VLAN to isolate the clients and provide zero-trust. This feature allows you to block peer to peer communications within a subnet or a VLAN. The client is assigned to a PVLAN which isolates a single wired client connected on a port, from the other ports.
|
New on the Web UI |
|
There are no new features on the Web UI in this release. |
Important Notes
Cisco StackWise Virtual - Supported and Unsupported Features
When you enable Cisco StackWise Virtual on the device
-
Layer 2, Layer 3, Security, Quality of Service, Multicast, Application, Monitoring and Management, Multiprotocol Label Switching, High Availability, VXLAN BGP EVPN, and Cisco Sofware-Defined Access are supported.
Contact the Cisco Technical Support Centre for the specific list of features that are supported under each one of these technologies.
-
Resilient Ethernet Protocol (REP) and Remote Switched Port Analyzer (RSPAN) are NOT supported.
Unsupported Features
-
Audio Video Bridging (including IEEE802.1AS, IEEE 802.1Qat, and IEEE 802.1Qav)
-
Cisco TrustSec Network Device Admission Control (NDAC) on Uplinks
-
Converged Access for Branch Deployments
-
Fast PoE
-
IPsec VPN
-
MACsec Switch to Switch Connections on C9400-SUP-1XL-Y.
-
Performance Monitoring (PerfMon)
-
Virtual Routing and Forwarding (VRF)-Aware web authentication
Complete List of Supported Features
For the complete list of features supported on a platform, see the Cisco Feature Navigator at https://cfnng.cisco.com.
Default Behaviour
Beginning from Cisco IOS XE Gibraltar 16.12.5 and later, do not fragment bit (DF bit) in the IP packet is always set to 0 for all outgoing RADIUS packets (packets that originate from the device towards the RADIUS server).
Supported Hardware
Cisco Catalyst 9400 Series Switches—Model Numbers
The following table lists the supported switch models. For information about the available license levels, see section License Levels.
Switch Model (append with “=” for spares) |
Description |
---|---|
C9404R |
Cisco Catalyst 9400 Series 4 slot chassis
|
C9407R |
Cisco Catalyst 9400 Series 7 slot chassis
|
C9410R |
Cisco Catalyst 9400 Series 10 slot chassis
|
Supported Hardware on Cisco Catalyst 9400 Series Switches
Product ID (append with “=” for spares) |
Description |
---|---|
Supervisor Modules |
|
C9400-SUP-1 |
Cisco Catalyst 9400 Series Supervisor 1 Module This supervisor module is supported on the C9404R, C9407R, and C9410R chassis. |
C9400-SUP-1XL |
Cisco Catalyst 9400 Series Supervisor 1XL Module This supervisor module is supported on the C9404R, C9407R, and C9410R chassis. |
C9400-SUP-1XL-Y |
Cisco Catalyst 9400 Series Supervisor 25XL Module This supervisor module is supported on the C9404R, C9407R, and C9410R chassis. |
Line Cards |
|
C9400-LC-24S |
24-port, 1 Gigabit Ethernet SFP module that supports 100/1000 BASET-T with Cu-SFP |
C9400-LC-24XS |
24-port Gigabit Ethernet module that supports 1 and 10 Gbps connectivity. |
C9400-LC-48H |
48-port Gigabit Ethernet UPOE+ module supporting up to 90W on each of its 48 RJ45 ports. |
C9400-LC-48HN |
48-port, UPOE+ 100 Mbps/1G/2.5G/5G Multigigabit Ethernet Module |
C9400-LC-48P |
48-port, 1 Gigabit Ethernet POE/POE+ module supporting up to 30W per port. |
C9400-LC-48S |
48-port, 1 Gigabit Ethernet SFP module that supports 100/1000 BASET-T with Cu-SFP. |
C9400-LC-48T |
48-port, 10/100/1000 BASE-T Gigabit Ethernet module. |
C9400-LC-48U |
48-port UPOE 10/100/1000 (RJ-45) module supporting up to 60W per port. |
C9400-LC-48UX |
48-port, UPOE Multigigabit Ethernet Module with:
|
M.2 SATA SSD Modules1 (for the Supervisor) |
|
C9400-SSD-240GB |
Cisco Catalyst 9400 Series 240GB M2 SATA memory |
C9400-SSD-480GB |
Cisco Catalyst 9400 Series 480GB M2 SATA memory |
C9400-SSD-960GB |
Cisco Catalyst 9400 Series 960GB M2 SATA memory |
AC Power Supply Modules |
|
C9400-PWR-2100AC |
Cisco Catalyst 9400 Series 2100W AC Power Supply |
C9400-PWR-3200AC |
Cisco Catalyst 9400 Series 3200W AC Power Supply |
DC Power Supply Modules |
|
C9400-PWR-3200DC |
Cisco Catalyst 9400 Series 3200W DC Power Supply |
Optics Modules
Cisco Catalyst Series Switches support a wide range of optics and the list of supported optics is updated on a regular basis. Use the Transceiver Module Group (TMG) Compatibility Matrix tool, or consult the tables at this URL for the latest transceiver module compatibility information: https://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html
Compatibility Matrix
The following table provides software compatibility information between Cisco Catalyst 9400 Series Switches, Cisco Identity Services Engine, Cisco Access Control Server, and Cisco Prime Infrastructure.
Catalyst 9400 |
Cisco Identity Services Engine |
Cisco Access Control Server |
Cisco Prime Infrastructure |
---|---|---|---|
Bengaluru 17.5.1 |
3.0 Patch 1 2.7 Patch 2 2.6 Patch 7 2.4 Patch 13 |
- |
PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads. |
Bengaluru 17.4.1 |
3.0 2.7 Patch 2 |
- |
PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads. |
Amsterdam 17.3.8a |
2.7 |
- |
PI 3.10 + PI 3.10 latest maintenance release + PI 3.10 latest device pack See Cisco Prime Infrastructure 3.10 → Downloads. |
Amsterdam 17.3.8 |
2.7 |
- |
PI 3.10 + PI 3.10 latest maintenance release + PI 3.10 latest device pack See Cisco Prime Infrastructure 3.10 → Downloads. |
Amsterdam 17.3.7 |
2.7 |
- |
PI 3.10 + PI 3.10 latest maintenance release + PI 3.10 latest device pack See Cisco Prime Infrastructure 3.10 → Downloads. |
Amsterdam 17.3.6 |
2.7 |
- |
PI 3.10 + PI 3.10 latest maintenance release + PI 3.10 latest device pack See Cisco Prime Infrastructure 3.10 → Downloads. |
Amsterdam 17.3.5 |
2.7 |
- |
PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads. |
Amsterdam 17.3.4 |
2.7 |
- |
PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads. |
Amsterdam 17.3.3 |
2.7 |
- |
PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads. |
Amsterdam 17.3.2a |
2.7 |
- |
PI 3.8 + PI 3.8 latest maintenance release + PI 3.8 latest device pack See Cisco Prime Infrastructure 3.8 → Downloads. |
Amsterdam 17.3.1 |
2.7 |
- |
PI 3.8 + PI 3.8 latest maintenance release + PI 3.8 latest device pack See Cisco Prime Infrastructure 3.8 → Downloads. |
Amsterdam 17.2.1 |
2.7 |
- |
PI 3.7 + PI 3.7 latest maintenance release + PI 3.7 latest device pack See Cisco Prime Infrastructure 3.7 → Downloads. |
Amsterdam 17.1.1 |
2.7 |
- |
PI 3.6 + PI 3.6 latest maintenance release + PI 3.6 latest device pack See Cisco Prime Infrastructure 3.6 → Downloads. |
Gibraltar 16.12.8 |
2.6 |
- |
PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads. |
Gibraltar 16.12.7 |
2.6 |
- |
PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads. |
Gibraltar 16.12.6 |
2.6 |
- |
PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads. |
Gibraltar 16.12.5b |
2.6 |
- |
PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads. |
Gibraltar 16.12.5 |
2.6 |
- |
PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads. |
Gibraltar 16.12.4 |
2.6 |
- |
PI 3.8 + PI 3.8 latest maintenance release + PI 3.8 latest device pack See Cisco Prime Infrastructure 3.8 → Downloads. |
Gibraltar 16.12.3a |
2.6 |
- |
PI 3.5 + PI 3.5 latest maintenance release + PI 3.5 latest device pack See Cisco Prime Infrastructure 3.5 → Downloads. |
Gibraltar 16.12.3 |
2.6 |
- |
PI 3.5 + PI 3.5 latest maintenance release + PI 3.5 latest device pack See Cisco Prime Infrastructure 3.5 → Downloads. |
Gibraltar 16.12.2 |
2.6 |
- |
PI 3.5 + PI 3.5 latest maintenance release + PI 3.5 latest device pack See Cisco Prime Infrastructure 3.5 → Downloads. |
Gibraltar 16.12.1 |
2.6 |
- |
PI 3.5 + PI 3.5 latest maintenance release + PI 3.5 latest device pack See Cisco Prime Infrastructure 3.5 → Downloads. |
Gibraltar 16.11.1 |
2.6 2.4 Patch 5 |
5.4 5.5 |
PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4 → Downloads. |
Gibraltar 16.10.1 |
2.3 Patch 1 2.4 Patch 1 |
5.4 5.5 |
PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads. |
Fuji 16.9.8 |
2.5 2.1 |
5.4 5.5 |
PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads. |
Fuji 16.9.7 |
2.5 2.1 |
5.4 5.5 |
PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads. |
Fuji 16.9.6 |
2.3 Patch 1 2.4 Patch 1 |
5.4 5.5 |
PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads. |
Fuji 16.9.5 |
2.3 Patch 1 2.4 Patch 1 |
5.4 5.5 |
PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads. |
Fuji 16.9.4 |
2.3 Patch 1 2.4 Patch 1 |
5.4 5.5 |
PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads. |
Fuji 16.9.3 |
2.3 Patch 1 2.4 Patch 1 |
5.4 5.5 |
PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads. |
Fuji 16.9.2 |
2.3 Patch 1 2.4 Patch 1 |
5.4 5.5 |
PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads. |
Fuji 16.9.1 |
2.3 Patch 1 2.4 Patch 1 |
5.4 5.5 |
PI 3.4 + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads. |
Fuji 16.8.1a |
2.3 Patch 1 2.4 |
5.4 5.5 |
PI 3.3 + PI 3.3 latest maintenance release + PI 3.3 latest device pack See Cisco Prime Infrastructure 3.3→ Downloads. |
Everest 16.6.4a |
2.2 2.3 |
5.4 5.5 |
PI 3.1.6 + Device Pack 13 See Cisco Prime Infrastructure 3.1 → Downloads. |
Everest 16.6.4 |
2.2 2.3 |
5.4 5.5 |
PI 3.1.6 + Device Pack 13 See Cisco Prime Infrastructure 3.1 → Downloads. |
Everest 16.6.3 |
2.2 2.3 |
5.4 5.5 |
PI 3.1.6 + Device Pack 13 See Cisco Prime Infrastructure 3.1 → Downloads |
Everest 16.6.2 |
2.2 2.3 |
5.4 5.5 |
PI 3.1.6 + Device Pack 13 See Cisco Prime Infrastructure 3.1 → Downloads |
Everest 16.6.1 |
2.2 |
5.4 5.5 |
PI 3.1.6 + Device Pack 13 See Cisco Prime Infrastructure 3.1 → Downloads |
Web UI System Requirements
The following subsections list the hardware and software required to access the Web UI:
Minimum Hardware Requirements
Processor Speed |
DRAM |
Number of Colors |
Resolution |
Font Size |
---|---|---|---|---|
233 MHz minimum2 |
512 MB3 |
256 |
1280 x 800 or higher |
Small |
Software Requirements
Operating Systems
-
Windows 10 or later
-
Mac OS X 10.9.5 or later
Browsers
-
Google Chrome—Version 59 or later (On Windows and Mac)
-
Microsoft Edge
-
Mozilla Firefox—Version 54 or later (On Windows and Mac)
-
Safari—Version 10 or later (On Mac)
ROMMON and CPLD Versions
ROM Monitor (ROMMON)
ROMMON, also known as the boot loader, is firmware that runs when the device is powered up or reset. It initializes the processor hardware and boots the operating system software (Cisco IOS XE software image). The ROMMON is stored on the following Serial Peripheral Interface (SPI) flash devices on your switch:
-
Primary: The ROMMON stored here is the one the system boots every time the device is powered-on or reset.
-
Golden: The ROMMON stored here is a backup copy. If the one in the primary is corrupted, the system automatically boots the ROMMON in the golden SPI flash device.
ROMMON upgrades may be required to resolve firmware defects, or to support new features, but there may not be new versions with every release.
Complex Programmable Logic Device (CPLD)
CPLD refers to hardware-programmable firmware. CPLD upgrades may be required to resolve firmware defects, or to support new features, but there may not be new versions with every release. CPLD version upgrade process must be completed after upgrading the software image.
The following table provides ROMMON and CPLD version information for the Cisco Catalyst 9400 Series Supervisor Modules. For ROMMON and CPLD version information of Cisco IOS XE 16.x.x releases, refer to the corresponding Cisco IOS XE 16.x.x release notes of the respective platform.
Release |
ROMMON Version (C9400-SUP-1, C9400-SUP-1XL, C9400-SUP-1XL-Y) |
CPLD Version (C9400-SUP-1, C9400-SUP-1XL, C9400-SUP-1XL-Y) |
ROMMON Version (C9400X-SUP-2, C9400X-SUP-2XL) |
CPLD Version (C9400X-SUP-2, C9400X-SUP-2XL) |
---|---|---|---|---|
Bengaluru 17.5.1 |
17.5.1r |
20062105 |
- |
- |
Bengaluru 17.4.1 |
17.3.1r[FC2] |
20062105 |
- |
- |
Amsterdam 17.3.8a |
17.3.1r[FC2] |
19082605 |
- |
- |
Amsterdam 17.3.8 |
17.3.1r[FC2] |
19082605 |
- |
- |
Amsterdam 17.3.7 |
17.3.1r[FC2] |
19082605 |
- |
- |
Amsterdam 17.3.6 |
17.3.1r[FC2] |
19082605 |
- |
- |
Amsterdam 17.3.5 |
17.3.1r[FC2] |
19082605 |
- |
- |
Amsterdam 17.3.4 |
17.3.1r[FC2] |
19082605 |
- |
- |
Amsterdam 17.3.3 |
17.3.1r[FC2] |
19082605 |
- |
- |
Amsterdam 17.3.2a |
17.3.1r[FC2] |
19082605 |
- |
- |
Amsterdam 17.3.1 |
17.3.1r[FC2] |
19082605 |
- |
- |
Amsterdam 17.2.1 |
17.1.1r |
19082605 |
- |
- |
Amsterdam 17.1.1 |
17.1.1r |
19032905 |
- |
- |
Upgrading the Switch Software
This section covers the various aspects of upgrading or downgrading the device software.
Note |
You cannot use the Web UI to install, upgrade, or downgrade device software. |
Finding the Software Version
The package files for the Cisco IOS XE software are stored on the system board flash device (flash:).
You can use the show version privileged EXEC command to see the software version that is running on your switch.
Note |
Although the show version output always shows the software image running on the switch, the model name shown at the end of this display is the factory configuration and does not change if you upgrade the software license. |
You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.
Software Images
Release |
Image Type |
File Name |
---|---|---|
Cisco IOS XE Bengaluru 17.5.1 |
CAT9K_IOSXE |
cat9k_iosxe.17.05.01.SPA.bin |
No Payload Encryption (NPE) |
cat9k_iosxe_npe.17.05.01.SPA.bin |
Upgrading the ROMMON
To know the ROMMON or bootloader version that applies to every major and maintenance release, see ROMMON and CPLD Versions.
You can upgrade the ROMMON before, or, after upgrading the software version. If a new ROMMON version is available for the software version you are upgrading to, proceed as follows:
-
Upgrading the ROMMON in the primary SPI flash device
This ROMMON is upgraded automatically. When you upgrade from an existing release on your switch to a later or newer release for the first time, and there is a new ROMMON version in the new release, the system automatically upgrades the ROMMON in the primary SPI flash device, based on the hardware version of the switch when you boot up your switch with the new image for the first time.
-
Upgrading the ROMMON in the golden SPI flash device
You must manually upgrade this ROMMON. Enter the upgrade rom-monitor capsule golden switch command in privileged EXEC mode.
Note
-
Golden ROMMON upgrade is only applicable to Cisco IOS XE Amsterdam 17.3.5 and later releases.
-
Golden ROMMON upgrade will fail if the FPGA version is 17101705 or older. To upgrade the FPGA version, see Upgrading the Complex Programmable Logic Device Version.
-
In case of a Cisco StackWise Virtual setup, upgrade the active and standby supervisor modules.
-
In case of a High Availability set up, upgrade the active and standby supervisor modules.
-
After the ROMMON is upgraded, it will take effect on the next reload. If you go back to an older release after this, the ROMMON is not downgraded. The updated ROMMON supports all previous releases.
Software Installation Commands
Summary of Software Installation Commands |
|
---|---|
To install and activate the specified file, and to commit changes to be persistent across reloads:
To separately install, activate, commit, cancel, or remove the installation file: |
|
add file tftp: filename |
Copies the install file package from a remote location to the device and performs a compatibility check for the platform and image versions. |
activate [ auto-abort-timer] |
Activates the file, and reloads the device. The auto-abort-timer keyword automatically rolls back image activation. |
commit |
Makes changes persistent over reloads. |
rollback to committed |
Rolls back the update to the last committed version. |
abort |
Cancels file activation, and rolls back to the version that was running before the current installation procedure started. |
remove |
Deletes all unused and inactive software installation files. |
Upgrading in Install Mode
Follow these instructions to upgrade from one release to another, in install mode. To perform a software image upgrade, you must be booted into IOS via boot flash:packages.conf .
Before you begin
Caution |
You must comply with these cautionary guidelines during an upgrade:
|
Note |
Disconnecting and reconnecting power to a Cisco Catalyst 9400 Series Supervisor 1 Module within a 5-second window, can corrupt the boot SPI. |
Note that you can use this procedure for the following upgrade scenarios.
When upgrading from ... |
Permitted Supervisor Setup (Applies to the release you are upgrading from) |
First upgrade to... |
To upgrade to ... |
||
---|---|---|---|---|---|
Cisco IOS XE Everest 16.6.14
|
Upgrade a single supervisor, and complete the boot loader and CPLD upgrade. After completing the first supervisor upgrade, remove and swap in the second supervisor. After both supervisors are upgraded, they can be inserted and booted in a high availability setup.
|
Cisco IOS XE Everest 16.6.3 Follow the upgrade steps as in the Release Notes for Cisco Catalyst 9400 Series Switches, Cisco IOS XE Everest 16.6.x → Upgrading the Switch Software → Upgrading in Install Mode |
Cisco IOS XE Bengaluru 17.5.x |
||
Cisco IOS XE Everest 16.6.2 and later releases |
This procedure automatically copies the images to both active and standby supervisor modules. Both supervisor modules are simultaneously upgraded. |
Not applicable |
When upgrading from Cisco IOS XE Everest 16.6.1 to a later release, the upgrade may take a long time, and the system will reset three times due to rommon and complex programmable logic device (CPLD) upgrade. Stateful switchover is supported from Cisco IOS XE Everest 16.6.2
The sample output in this section displays upgrade from Cisco IOS XE Bengaluru 17.4.1 to Cisco IOS XE Bengaluru 17.5.1 using install commands.
Procedure
Step 1 |
Clean-up install remove inactive
Use this command to clean-up old installation files in case of insufficient space and to ensure that you have at least 1GB of space in flash, to expand a new image. The following sample output displays the cleaning up of unused files, by using the
install remove inactive
command:
|
||
Step 2 |
Copy new image to flash |
||
Step 3 |
Set boot variable |
||
Step 4 |
Install image to flash install add file activate commit
Use this command to install the image. The following sample output displays installation of the
Cisco IOS XE Bengaluru 17.5.1 software image in the flash memory:
|
||
Step 5 |
Verify installation After the software has been successfully installed, check that the ten new |
Downgrading in Install Mode
Follow these instructions to downgrade from one release to another, in install mode. To perform a software image downgrade, you must be booted into IOS via boot flash:packages.conf .
Before you begin
Note that you can use this procedure for the following downgrade scenarios:
When downgrading from ... |
Permitted Supervisor Setup (Applies to the release you are downgrading from) |
To ... |
||
---|---|---|---|---|
Cisco IOS XE Bengaluru 17.5.x |
This procedure automatically copies the images to both active and standby supervisor modules. Both supervisor modules are simultaneously downgraded.
|
Cisco IOS XE Bengaluru 17.4.x or earlier releases. |
Note |
New switch models that are introduced in a release cannot be downgraded. The release in which a module is introduced is the minimum software version for that model. We recommend upgrading all existing hardware to the same release as the latest hardware. |
The sample output in this section shows downgrade from Cisco IOS XE Bengaluru 17.5.1 to Cisco IOS XE Bengaluru 17.4.1, using install commands.
Procedure
Step 1 |
Clean-up install remove inactive
Use this command to clean-up old installation files in case of insufficient space and to ensure that you have at least 1GB of space in flash, to expand a new image. The following sample output displays the cleaning up of unused files, by using the
install remove inactive
command:
|
||
Step 2 |
Copy new image to flash |
||
Step 3 |
Set boot variable |
||
Step 4 |
Downgrade software image Use one of these options, to downgrade:
The following example displays the installation of the
cat9k_iosxe.17.04.01.SPA.bin software image to flash,
to downgrade the switch by using the install add file activate
commit command. You can point to the source image on
your tftp server or in flash if you have it copied to
flash.
The following example displays sample output when downgrading the switch by using the install rollback to committed command.
|
||
Step 5 |
Verify version show version
After the image boots up, use this command to verify the version of the new image.
The
following sample output of the show version
command displays the Cisco IOS XE Bengaluru 17.4.1 image on the
device:
|
Upgrading the Complex Programmable Logic Device Version
You can trigger a CPLD version upgrade after upgrading the software image. During CPLD upgrade, the supervisor module automatically power cycles. This completes the CPLD upgrade process for the supervisor module but also causes traffic disruption. Therefore, auto-upgrade of CPLD is not supported. You must manually perform CPLD upgrade.
Upgrading the CPLD Version: High Availability Setup
Beginning in the privileged EXEC mode, complete the following steps:
Before you begin
When performing the CPLD version upgrade as shown, the show platform command can be used to confirm the CPLD version after the upgrade. This command output shows the CPLD version on all modules. However, the CPLD upgrade only applies to the supervisors, not the line cards. The line cards CPLD version is a cosmetic display. After the upgrade is completed in a high availability setup, the supervisors will be upgraded, but the line cards will still show the old CPLD version. The version mismatch between the supervisors and line cards is expected until a chassis reload.
Procedure
Step 1 |
Upgrade the CPLD Version of the standby supervisor module Enter the following commands on the active supervisor:
The standby supervisor module reloads automatically and the upgrade occurs in ROMMON. During the upgrade, the supervisor module automatically power cycles and remains inactive for approximately 5 minutes. Wait until the standby supervisor module boots up and the SSO has formed (HOT) before you proceed to the next step; this takes approximately 17 minutes. |
||
Step 2 |
Perform a switch over
This causes the standby supervisor (on which you have completed the CPLD upgrade in Step 1) to become the active supervisor module |
||
Step 3 |
Upgrade the CPLD Version of the new standby supervisor module Repeat Step 1 and all its substeps.
|
Upgrading the CPLD Version: Cisco StackWise Virtual Setup
Beginning in the privileged EXEC mode, complete the following steps:
Procedure
Step 1 |
Upgrade the CPLD version of the standby supervisor module Enter the following commands on the active supervisor: |
Step 2 |
Reload the standby supervisor module
The upgrade occurs in ROMMON. During the upgrade, the supervisor module automatically power cycles and remains inactive for approximately 5 minutes. Wait until the standby supervisor module boots up and the SSO has formed (HOT) before you proceed to the next step; this takes approximately 17 minutes. |
Step 3 |
Perform a switch over
This causes the standby supervisor (on which you have completed the CPLD upgrade in step 1) to become the active supervisor module |
Step 4 |
Upgrade the CPLD version of the new standby supervisor module Perfom Steps 1 and 2, including all substeps, on the new standby supervisor module |
Upgrading the CPLD Version: Single Supervisor Module Setup
Beginning in the privileged EXEC mode, complete the following steps:
Procedure
Upgrade the CPLD version of the active supervisor module Enter the following commands on the active supervisor:
The supervisor module reloads automatically and the upgrade occurs in ROMMON. During the upgrade, the supervisor module automatically power cycles and remains inactive for approximately 5 minutes. |
Licensing
This section provides information about the licensing packages for features available on Cisco Catalyst 9000 Series Switches.
License Levels
The software features available on Cisco Catalyst 9400 Series Switches fall under these base or add-on license levels.
Base Licenses
-
Network Essentials
-
Network Advantage—Includes features available with the Network Essentials license and more.
Add-On Licenses
Add-On Licenses require a Network Essentials or Network Advantage as a pre-requisite. The features available with add-on license levels provide Cisco innovations on the switch, as well as on the Cisco Digital Network Architecture Center (Cisco DNA Center).
-
DNA Essentials
-
DNA Advantage— Includes features available with the DNA Essentials license and more.
To find information about platform support and to know which license levels a feature is available with, use Cisco Feature Navigator. To access Cisco Feature Navigator, go to https://cfnng.cisco.com. An account on cisco.com is not required.
Available Licensing Models and Configuration Information
-
Cisco IOS XE Fuji 16.8.x and earlier: RTU Licensing is the default and the only supported method to manage licenses.
-
Cisco IOS XE Fuji 16.9.1 to Cisco IOS XE Amsterdam 17.3.1: Smart Licensing is the default and the only supported method to manage licenses.
In the software configuration guide of the required release, see System Management → Configuring Smart Licensing.
-
Cisco IOS XE Amsterdam 17.3.2a and later: Smart Licensing Using Policy, which is an enhanced version of Smart Licensing, is the default and the only supported method to manage licenses.
In the software configuration guide of the required release (17.3.x onwards), see System Management → Smart Licensing Using Policy.
For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide.
License Levels - Usage Guidelines
-
The duration or term for which a purchased license is valid:
Smart Licensing Using Policy
Smart Licensing
-
Perpetual: There is no expiration date for such a license.
-
Subscription: The license is valid only until a certain date (for a three, five, or seven year period).
-
Permanent: for a license level, and without an expiration date.
-
Term: for a license level, and for a three, five, or seven year period.
-
Evaluation: a license that is not registered.
-
-
Base licenses (Network Essentials and Network-Advantage) are ordered and fulfilled only with a perpetual or permanent license type.
-
Add-on licenses (DNA Essentials and DNA Advantage) are ordered and fulfilled only with a subscription or term license type.
-
An add-on license level is included when you choose a network license level. If you use DNA features, renew the license before term expiry, to continue using it, or deactivate the add-on license and then reload the switch to continue operating with the base license capabilities.
-
When ordering an add-on license with a base license, note the combinations that are permitted and those that are not permitted:
Table 1. Permitted Combinations DNA Essentials
DNA Advantage
Network Essentials
Yes
No
Network Advantage
Yes5
Yes
5 You will be able to purchase this combination only at the time of the DNA license renewal and not when you purchase DNA-Essentials the first time. -
Evaluation licenses cannot be ordered. They are not tracked via Cisco Smart Software Manager and expire after a 90-day period. Evaluation licenses can be used only once on the switch and cannot be regenerated. Warning system messages about an evaluation license expiry are generated only 275 days after expiration and every week thereafter. An expired evaluation license cannot be reactivated after reload. This applies only to Smart Licensing. The notion of evaluation licenses does not apply to Smart Licensing Using Policy.
Scaling Guidelines
For information about feature scaling guidelines, see these datasheets for Cisco Catalyst 9400 Series Switches:
Limitations and Restrictions
-
Control Plane Policing (CoPP)—The show run command does not display information about classes configured under
system-cpp policy
, when they are left at default values. Use the show policy-map system-cpp-policy or the show policy-map control-plane commands in privileged EXEC mode instead. -
Cisco TrustSec restrictions—Cisco TrustSec can be configured only on physical interfaces, not on logical interfaces.
-
Flexible NetFlow limitations
-
You cannot configure NetFlow export using the Ethernet Management port (GigabitEthernet0/0).
-
You can not configure a flow monitor on logical interfaces, such as layer 2 port-channels, loopback, tunnels.
-
You can not configure multiple flow monitors of same type (ipv4, ipv6 or datalink) on the same interface for same direction.
-
-
Hardware limitations—When you use Cisco QSFP-4SFP10G-CUxM Direct-Attach Copper Cables, autonegotiation is enabled by default. If the other end of the line does not support autonegotation, the link does not come up.
-
Interoperability limitations—When you use Cisco QSFP-4SFP10G-CUxM Direct-Attach Copper Cables, if one end of the 40G link is a Catalyst 9400 Series Switch and the other end is a Catalyst 9500 Series Switch, the link does not come up, or comes up on one side and stays down on the other. To avoid this interoperability issue between devices, apply the the speed nonegotiate command on the Catalyst 9500 Series Switch interface. This command disables autonegotiation and brings the link up. To restore autonegotiation, use the no speed nonegotiation command.
-
In-Service Software Upgrade (ISSU)
-
ISSU from Cisco IOS XE Fuji 16.9.x to Cisco IOS XE Gibraltar 16.10.x or to Cisco IOS XE Gibraltar 16.11.x is not supported. This applies to both a single and dual supervisor module setup.
-
While performing ISSU from Cisco IOS XE Fuji 16.9.x to Cisco IOS XE Gibraltar 16.12.x, if interface-id snmp-if-index command is not configured with OSPFv3, packet loss can occur. Configure the interface-id snmp-if-index command either during the maintenance window or after isolating the device (by using maintenance mode feature) from the network before doing the ISSU.
-
While ISSU allows you to perform upgrades with zero downtime, we recommend you to do so during a maintenance window only.
-
If a new feature introduced in a software release requires a change in configuration, the feature should not be enabled during ISSU.
-
If a feature is not available in the downgraded version of a software image, the feature should be disabled before initiating ISSU.
-
-
M.2 SATA SSD drive: With bootloader version 16.6.2r, you cannot access the M.2 SATA SSD drive at the ROMMON prompt (
rommon> dir disk0
). The system displays an error message indicating that the corresponding file system protocol is not found on the device. The only way to access the drive when on bootloader version 16.6.2r, is through the Cisco IOS prompt, after boot up. -
No service password recovery—With ROMMON versions R16.6.1r and R16.6.2r, the 'no service password-recovery' feature is not available.
-
QoS restrictions
-
When configuring QoS queuing policy, the sum of the queuing buffer should not exceed 100%.
-
Policing and marking policy on sub interfaces is supported.
-
Marking policy on switched virtual interfaces (SVI) is supported.
-
QoS policies are not supported for port-channel interfaces, tunnel interfaces, and other logical interfaces.
-
Stack Queuing and Scheduling (SQS) drops CPU bound packets exceeding 1.4 Gbps.
-
-
Redundancy—The supervisor module (hardware) supports redundancy. Software redundancy is supported starting with Cisco IOS XE Everest 16.6.2. However, the associated route processor redundancy (RPR) feature is not supported.
Before performing a switchover, use the show redundancy , show platform , and show platform software iomd redundancy commands to ensure that both the SSOs have formed and that the IOMD process is completed.
In the following sample output for the show redundancy , note that both the SSOs have formed.Switch# show redundancy Redundant System Information : ------------------------------ Available system uptime = 3 hours, 30 minutes Switchovers system experienced = 2 Standby failures = 0 Last switchover reason = active unit removed Hardware Mode = Duplex Configured Redundancy Mode = sso Operating Redundancy Mode = sso Maintenance Mode = Disabled Communications = Up Current Processor Information : ------------------------------- Active Location = slot 3 Current Software state = ACTIVE Uptime in current state = 2 hours, 57 minutes Image Version = Cisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.8.1, RELEASE SOFTWARE (fc3) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2018 by Cisco Systems, Inc. Compiled Tue 27-Mar-18 13:43 by mcpre BOOT = bootflash:packages.conf; CONFIG_FILE = Configuration register = 0x1822 Peer Processor Information : ---------------------------- Standby Location = slot 4 Current Software state = STANDBY HOT Uptime in current state = 2 hours, 47 minutes Image Version = Cisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.8.1, RELEASE SOFTWARE (fc3) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2018 by Cisco Systems, Inc. Compiled Tue 27-Mar-18 13:43 by mcpre BOOT = bootflash:packages.conf; CONFIG_FILE = Configuration register = 0x1822
In the following sample output for the show platform software iomd redundancy command, note that both SSOs have formed and theHA_STATE
field isready
.Switch# show platform software iomd redundancy Configured Redundancy Mode = sso Operating Redundancy Mode = sso Local RF state = ACTIVE Peer RF state = STANDBY HOT slot PSM STATE SPA INTF HA_STATE HA_ACTIVE 1 ready started ready 00:01:16 2 ready started ready 00:01:22 3 ready started ready 00:01:27 ***active RP 4 ready started ready 00:01:27 <output truncated>
In the following sample output for the show platform command, note that theState
for all the linecards and supervisor modules isok
. This indicates that the IOMD processes are completed.Switch# show platform Chassis type: C9407R Slot Type State Insert time (ago) --------- ------------------- --------------------- ----------------- 1 C9400-LC-24XS ok 3d09h 2 C9400-LC-48U ok 3d09h R0 C9400-SUP-1 ok, active 3d09h R1 C9400-SUP-1 ok, standby 3d09h P1 C9400-PWR-3200AC ok 3d08h P2 C9400-PWR-3200AC ok 3d08h P17 C9407-FAN ok 3d08h <output truncated>
-
Secure Shell (SSH)
-
Use SSH Version 2. SSH Version 1 is not supported.
-
When the device is running SCP and SSH cryptographic operations, expect high CPU until the SCP read process is completed. SCP supports file transfers between hosts on a network and uses SSH for the transfer.
Since SCP and SSH operations are currently not supported on the hardware crypto engine, running encryption and decryption process in software causes high CPU. The SCP and SSH processes can show as much as 40 or 50 percent CPU usage, but they do not cause the device to shutdown.
-
-
Smart Licensing Using Policy: Starting with Cisco IOS XE Amsterdam 17.3.2a, with the introduction of Smart Licensing Using Policy, even if you configure a hostname for a product instance or device, only the Unique Device Identifier (UDI) is displayed. This change in the display can be observed in all licensing utilities and user interfaces where the hostname was displayed in earlier releases. It does not affect any licensing functionality. There is no workaround for this limitation.
The licensing utilities and user interfaces that are affected by this limitation include only the following: Cisco Smart Software Manager (CSSM), Cisco Smart License Utility (CSLU), and Smart Software Manager On-Prem (SSM On-Prem).
-
TACACS legacy command: Do not configure the legacy tacacs-server host command; this command is deprecated. If the software version running on your device is Cisco IOS XE Gibraltar 16.12.2 or a later release, using the legacy command can cause authentication failures. Use the tacacs server command in global configuration mode.
-
Uplink Symmetry—When a redundant supervisor module is inserted, we recommend that you have symmetric uplinks, to minimize packet loss during a switchover.
Uplinks are said to be in symmetry when the same interface on both supervisor modules have the same type of transceiver module. For example, a TenGigabitEthernet interface with no transceiver installed operates at a default 10G mode; if the matching interface of the other supervisor has a 10G transceiver, then they are in symmetry. Symmetry provides the best SWO packet loss and user experience.
Asymmetric uplinks have at least one or more pairs of interfaces in one supervisor not matching the transceiver speed of the other supervisor.
-
USB Authentication—When you connect a Cisco USB drive to the switch, the switch tries to authenticate the drive against an existing encrypted preshared key. Since the USB drive does not send a key for authentication, the following message is displayed on the console when you enter password encryption aes command:
Device(config)# password encryption aes Master key change notification called without new or old key
-
VLAN Restriction—It is advisable to have well-defined segregation while defining data and voice domain during switch configuration and to maintain a data VLAN different from voice VLAN across the switch stack. If the same VLAN is configured for data and voice domains on an interface, the resulting high CPU utilization might affect the device.
-
YANG data modeling limitation—A maximum of 20 simultaneous NETCONF sessions are supported.
-
Embedded Event Manager—Identity event detector is not supported on Embedded Event Manager.
-
The File System Check (fsck) utility is not supported in install mode.
Caveats
Caveats describe unexpected behavior in Cisco IOS-XE releases. Caveats listed as open in a prior release are carried forward to the next release as either open or resolved.
Cisco Bug Search Tool
The Cisco Bug Search Tool (BST) allows partners and customers to search for software bugs based on product, release, and keyword, and aggregates key data such as bug details, product, and version. The BST is designed to improve the effectiveness in network risk management and device troubleshooting. The tool has a provision to filter bugs based on credentials to provide external and internal bug views for the search input.
To view the details of a caveat, click on the identifier.
Open Caveats in Cisco IOS XE Bengaluru 17.5.x
Identifier |
Description |
---|---|
9400 SVL damages the startup config on bootup when CSSM unreachable |
|
interface running-config turns to default and no display in "show interface status" |
|
Interface does not up if 100/full is set in certain port |
Resolved Caveats in Cisco IOS XE Bengaluru 17.5.1
Identifier |
Description |
---|---|
Need to stop the loop of POE devices flapping when power shedding is triggered |
|
C9400 SVL linecard of standby in inserted(physical) status after boot up w/ single power module only |
|
Cat9400: Line protocol flap observed in specific interface frequently on C9400-LC-24S/48S |
|
GLC-GE-100FX Version 02 is not working with C9400-LC-48S (ACCELINK) |
|
17.4.1 : With Macsec failover to standby switch port in portchannel causes multicast traffic drop. |
|
Traffic failed if incoming interface MPLS and 2+ outgoing interfaces (ECMP) with recursive routing |
Troubleshooting
For the most up-to-date, detailed troubleshooting information, see the Cisco TAC website at this URL:
https://www.cisco.com/en/US/support/index.html
Go to Product Support and select your product from the list or enter the name of your product. Look under Troubleshoot and Alerts, to find information for the problem that you are experiencing.
Related Documentation
Information about Cisco IOS XE at this URL: https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-xe/index.html
All support documentation for Cisco Catalyst 9400 Series Switches is at this URL: https://www.cisco.com/c/en/us/support/switches/catalyst-9400-series-switches/tsd-products-support-series-home.html
Cisco Validated Designs documents at this URL: https://www.cisco.com/go/designzone
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: https://cfnng.cisco.com/mibs
Communications, Services, and Additional Information
-
To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
-
To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
-
To submit a service request, visit Cisco Support.
-
To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.
-
To obtain general networking, training, and certification titles, visit Cisco Press.
-
To find warranty information for a specific product or product family, access Cisco Warranty Finder.
Cisco Bug Search Tool
Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system that maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides you with detailed defect information about your products and software.