First Published: March 29, 2019

Release Notes for Cisco Catalyst 9400 Series Switches, Cisco IOS XE Gibraltar 16.11.x

Introduction

Cisco Catalyst 9400 Series Switches are Cisco’s leading modular enterprise switching access platform and have been purpose-built to address emerging trends of Security, IoT, Mobility, and Cloud.

They deliver complete convergence with the rest of the Cisco Catalyst 9000 Series Switches in terms of ASIC architecture with Unified Access Data Plane (UADP) 2.0 and UADP 3.0. The platform runs an Open Cisco IOS XE that supports model driven programmability, has the capacity to host containers, and run 3rd party applications and scripts natively within the switch (by virtue of x86 CPU architecture, local storage, and a higher memory footprint). This series forms the foundational building block for SD-Access, which is Cisco’s lead enterprise architecture.

Cisco Catalyst 9400 Series Switches are enterprise optimized with a dual-serviceable fan tray design, side to side airflow, and are closet-friendly with a16-inch depth

Whats New in Cisco IOS XE Gibraltar 16.11.1

Hardware Features in Cisco IOS XE Gibraltar 16.11.1


Feature Name	Description and Documentation Link
Cisco 25GBASE SFP28 Modules	Supported transceiver module product numbers: Cisco SFP-10/25G-LR-S Cisco SFP-10/25G-CSR-S For information about the module, see the Cisco 25GBASE SFP28 Modules Data Sheet and Cisco 25G Transceivers and Cables Enable 25 Gigabit Ethernet over a Fiber or Copper Cable. For information about device compatibility, see the Transceiver Module Group (TMG) Compatibility Matrix.
Cisco SFP Modules	Supported transceiver module product numbers: GLC-SX-MM-RGD GLC-LX-SM-RGD GLC-ZX-SM-RGD For information about the module, see the Cisco SFP Modules for Gigabit Ethernet Applications Data Sheet. For information about device compatibility, see the Transceiver Module Group (TMG) Compatibility Matrix.

Software Features in Cisco IOS XE Gibraltar 16.11.1


Feature Name	Description, Documentation Link and License Level Information
BGP PE-CE support for MPLS Layer 3 VPNs	Supports BGP as a routing protocol between the provider edge (PE) device and the customer edge (CE) device. See Configuring MPLS Layer 3 VPN. (Network Advantage)
Cisco StackWise Virtual Support on C9400-SUP-1XL-Y and C9410R Recovery Reload	The Cisco StackWise Virtual feature includes the following enhancements in this release: The feature is now supported on the following hardware: Cisco Catalyst 9400 Series Supervisor 1XL 25G Module (C9400-SUP-1XL-Y) Cisco Catalyst 9400 Series 10 Slot Chassis (C9410R) Recovery Reload—Introduces a new default reload action after recovering from a link failure and the option to disable this default. Starting with this release, after recovering from a StackWise Virtual link failure, the failed active switch automatically performs a reload action and restores itself as a standby switch. This is the new default behaviour in the event of a link failure. You can also configure the dual-active recovery-reload-disable command in the stackwise-virtual configuration mode, to retain the switch in recovery mode and prevent the switch from reloading automatically. See High Availability → Configuring Cisco StackWise Virtual. (Network Advantage)
Consent Token for Shell Access	Authenticates a network administrator’s request to access the system shell. When debugging software issues, a Cisco TAC engineer may have to work with a network administrator to collect debug information or perform live debugging on a production system. This feature provides the network administrator with privileged, restricted, and secure access to the system shell with mutual consent from the network administrator and Cisco TAC. See System Management → Consent Token. (Network Essentials and Network Advantage)
ERSPAN Termination	Introduces support for encapsulated remote switched port analyzer (ERSPAN) type 3 source feature and the following ERSPAN type 2 and type 3 features: Security group tag (SGT) Differentiated services code point (DSCP) Remote SPAN based redirection Virtual routing and forwarding (VRF) Termination The header-type 3 , destination , ip dscp , filter mtu , and vrf commands are available for configuration. See Network Management → Configuring ERSPAN. (DNA Advantage)
HSRP BFD Peering	Introduces Bidirectional Forwarding Detection (BFD) in the Hot Standby Router Protocol (HSRP) group member health monitoring system. BFD provides a low-overhead, short-duration method of detecting failures in the forwarding path between two adjacent devices, including the interfaces, data links, and forwarding planes. BFD is a detection protocol that you enable at the interface and routing protocol levels. See IP Routing → Configuring HSRP BFD Peering. (Network Advantage)
IEEE 802.3bt Type 3 Mode	Cisco Catalyst 9400 Series Switching Modules C9400-LC-48U and C9400-LC-48UX, are now compliant with the IEEE 802.3bt standard. Enter the hw-module slot `slot` upoe–plus command in global configuration mode, to enable the 802.3bt Type 3 mode on these switching modules. See Interface and Hardware Components → Configuring PoE. For information about the standard, see https://standards.ieee.org/ (Network Essentials and Network Advantage)
Ingress Replication (IR) for VXLAN BGP EVPN	Enables forwarding of broadcast, unknown unicast, and multicast (BUM) traffic to the relevant recipients in a network. IR is a unicast approach to handling multi-destination traffic, and involves an ingress device replicating every BUM packet and then sending it as a separate unicast to remote egress devices. See Layer 2 → Configuring VXLAN BGP EVPN. (Network Advantage)
IPv6: Border Gateway Protocol (BGP)	IPv6 support is introduced for following BGP features: IPv6: BGP Conditional Route Injection IPv6: BGP Configuration Using Peer Templates IPv6: BGP Next Hop Propagation IPv6: BGP Support for 4-byte ASN See IP Routing. (Network Advantage)
IPv6: DHCP Client	IPv6 support is introduced for the DHCP client feature. See IP Addressing Services. (Network Essentials and Network Advantage)
IPv6: IP Service Level Agreements (SLAs)	IPv6 support is introduced for following IP SLA features: IPv6: IP SLAs - History Statistics IPv6: IP SLAs - ICMP Path Echo Operation IPv6: IP SLAs - UDP Echo Operation See Network Management → Configuring Service Level Agreements. (Network Essentials and Network Advantage)
IPv6: IPv6 Multicast Virtual Private Network (MVPNv6)	Enables service providers to use their existing IPv4 backbone to provide multicast-enabled private IPv6 networks to their customers. See IP Multicast Routing → Configuring Multicast Virtual Private Network (Network Advantage)
IPv6: Open Shortest Path First (OSPF)	IPv6 support is introduced for following OSPF features: IPv6: OSPF Forwarding Address Suppression in Translated Type-5 LSAs IPv6: OSPF Inbound Filtering using Route Maps with a Distribute List IPv6: OSPF MIB Support of RFC 1850 and Latest Extensions IPv6: OSPF Stub Router Advertisement IPv6: OSPF Support for Link State Advertisement (LSA) Throttling IPv6: OSPF Update Packet-Pacing Configurable Timers See IP Routing. (Network Essentials and Network Advantage)
IPv6: OSPF Limit on Number of Redistributed Routes	Enables you to configure a maximum number of prefixes (routes) that can be redistributed into OSPFv3 from other protocols or other OSPFv3 processes. Such a limit helps prevent the device from being flooded by too many redistributed routes. See IP Routing → Configuring OSPFv3 Limit on Number of Redistributed Routes. (Network Essentials and Network Advantage)
IPv6: RFC 5453 Reserved IPv6 Interface Identifiers	An autoconfigured IPv6 address will contain interface identifiers that are not part of the reserved range of interface identifiers specified in RFC 5453. See IP Multicast Routing → IP Multicast Routing Technology Overview. (Network Essentials and Network Advantage)
IPv6 Downloadable ACL (DACL)	Applies per-port IPv6 access-layer restrictions based on Identity Services Engine (ISE) profiles. See Security → IPv6 ACLs. (Network Essentials and Network Advantage)
IPv6 Support for Virtual Extensible LAN (VXLAN) Border Gateway Protocol (BGP) Ethernet VPN (EVPN) in Routed Mode	Introduces IPv6 support for the VXLAN BGP EVPN operation in routed mode. A VXLAN is a network overlay that allows layer 2 segments to be stretched across an IP core. All the benefits of Layer 3 topologies are thereby available with VXLAN. The overlay protocol is VXLAN and BGP uses EVPN as the address family for communicating end host MAC and IP addresses. VXLAN BGP EVPN operates in bridged mode when the hosts are in the same subnet, and in routed mode when the hosts are in different subnets. See Layer 2 → Configuring VXLAN BGP EVPN. (Network Advantage)
Multiprotocol Label Switching (MPLS) MPLS VPN-Inter-AS Option B MPLS VPN-Inter-AS-IPv4 BGP Label Distribution MPLS over GRE MPLS VPN eBGP Multipath Support for Inter-AS VPNs	MPLS VPN-Inter-AS Option B—Allows an MPLS Virtual Private Network (VPN) service provider to interconnect different autonomous systems to provide VPN services. In an Inter-AS Option B network, autonomous system boundary router (ASBR) peers are connected by one or more interfaces that are enabled to receive MPLS traffic. MPLS VPN-Inter-AS-IPv4 BGP Label Distribution—Enables you to set up a VPN service provider network so that ASBRs exchange IPv4 routes with MPLS labels of the provider edge (PE) routers. MPLS over GRE—Provides a mechanism for tunneling MPLS packets over non-MPLS networks by creating a generic routing encapsulation (GRE) tunnel. The MPLS packets are encapsulated within the GRE tunnel packets, and the encapsulated packets traverse the non-MPLS network through the GRE tunnel. When GRE tunnel packets are received at the other side of the non-MPLS network, the GRE tunnel packet header is removed and the inner MPLS packet is forwarded to its final destination. MPLS VPN eBGP Multipath Support for Inter-AS VPNs—Enables you to configure external Border Gateway Protocol (eBGP) multipath with IPv4 labels. It allows load balancing of VPN traffic when you use VPNv4 peering for Inter-AS VPNs. Without this feature, the MPLS forwarding table contains the labels only for the BGP best path even though the routing table has more than one path for the prefix. See Multiprotocol Label Switching. (Network Advantage)
Option to Disable System Thermal Shutdown	Provides an option to manually bypass the system thermal shutdown process, by preventing the triggering of the supervisor module's action to turn off the power supplies of the chassis even when temperatures exceed the critical and shutdown thresholds. See System Management → Environmental Monitoring and Power Management. (Network Essentials and Network Advantage)
Password Configuration: Secure Password Migration	Introduces support for migration of type 0 and type 7 usernames and passwords to type 6. Password protection restricts access to a network or network device. Encrypting passwords provides an additional layer of security, particularly for passwords that cross the network or are stored on a TFTP server. Starting with this release, the switch supports automatic conversion of usernames and passwords with type 0 and type 7 encryption, to type 6 encryption. Type-6 is a strong, reversible 128-bit Advanced Encryption Standard (AES) password encryption. To start using type-6 encryption, you must enable the AES password encryption feature and configure a primary encryption key, which is used to encrypt and decrypt passwords. See Security → Controlling Switch Access with Passwords and Privilege Levels. (Network Essentials and Network Advantage)
Programmability Kill Telemetry Subscription NETCONF and RESTCONF Service Level Access Control Lists YANG Data Models	The following programmability features are introduced in this release: Kill Telemetry Subscription—Provides the ability to delete a dynamic model driven telemetry subscription using either: The clear telemetry ietf subscription Cisco IOS command, or The <kill-subscription> RPC NETCONF and RESTCONF Service Level Access Control Lists (ACLs)—Enables you to configure an IPv4 or IPv6 ACL for NETCONF and RESTCONF sessions. Clients that do not conform to the configured ACL are not allowed to access the NETCONF or RESTCONF subsystems. When service-level ACLs are configured, NETCONF and RESTCONF connection requests are filtered based on the source IP address. YANG Data Models—For the list of Cisco IOS XE YANG models available with this release, navigate to: https://github.com/YangModels/yang/tree/master/vendor/cisco/xe/16111. Revision statements embedded in the YANG files indicate if there has been a model revision. The README.md file in the same GitHub location highlights changes that have been made in the release. See Programmability. (Network Essentials and Network Advantage)
Radioactive Tracing	The request platform software trace filter-binary and the show platform software trace filter-binary commands were introduced in this release. These commands can be used to collate and sort all the archived logs present in the trace logs subdirectory and to filter the most recent trace information from the temporary directory for a specific module, respectively. See System Management Commands. (Network Advantage)
Smart Licensing: System Messages for an Evaluation License	Evaluation licenses that are not registered will still expire after the 90-day period, but warning system messages about an evaluation license expiry will now be generated only 275 days after this 90-day window. See License Levels - Usage Guidelines. (A license level does not apply)
Supported Spanning-Tree Instances	In per-VLAN spanning-tree plus (PVST+), Rapid PVST+ mode, the device now supports up to 256 spanning-tree instances. See Layer 2. (Network Essentials and Network Advantage)
Time Domain Reflectometer (TDR)	Determines if a cable is OPEN or SHORT when it is at fault. This involves running a TDR test, which detects a cable fault by sending a signal through the cable and reading the signal that is reflected back. To run the test, enter the test cable-diagnostics tdr command in privileged EXEC mode; to display test results, enter the show cable-diagnostics tdr command in privileged EXEC mode. See Interface and Hardware Components → Checking Port Status and Connectivity. (Network Essentials and Network Advantage)
New on the Web UI
Application Visibility and Control (AVC) Switching Database Manager (SDM) templates Cisco TrustSec	Use the WebUI to: Configure and monitor AVC—Enables you to configure application-level classification, monitoring, and traffic control. It helps with improved network capacity management, faster troubleshooting, and lower operating costs. Also, Network-Based Application Recognition (NBAR) supports the use of custom protocols to identify customer-specific applications. Apply SDM templates—Helps configure system resources to optimize support for specific features, depending on how your device is used in the network. Configure and monitor Cisco TrustSec—Helps build secure networks by establishing domains of trusted network devices. Each device in the domain is authenticated by its peers. Communication on the links between devices in the domain is secured with a combination of encryption, message integrity check, and data-path replay protection mechanisms.

Important Notes

Cisco StackWise Virtual - Supported and Unsupported Features
Unsupported Features
Complete List of Supported Features
Accessing Hidden Commands

Cisco StackWise Virtual - Supported and Unsupported Features

When you enable Cisco StackWise Virtual on the device

Layer 2, Layer 3, Security, Quality of Service, Multicast, Application, Monitoring and Management, Multiprotocol Label Switching, and High Availability are supported.

Contact the Cisco Technical Support Centre for the specific list of features that are supported under each one of these technologies.
Resilient Ethernet Protocol, Remote Switched Port Analyzer, and Sofware-Defined Access are NOT supported

Unsupported Features

Audio Video Bridging (including IEEE802.1AS, IEEE 802.1Qat, and IEEE 802.1Qav)
Bluetooth
Cisco TrustSec Network Device Admission Control (NDAC) on Uplinks
Converged Access for Branch Deployments
Fast PoE
Gateway Load Balancing Protocol (GLBP)
IPsec VPN
MACsec Switch to Switch Connections on C9400-SUP-1XL-Y.
Performance Monitoring (PerfMon)
Virtual Routing and Forwarding (VRF)-Aware web authentication

Complete List of Supported Features

For the complete list of features supported on a platform, see the Cisco Feature Navigator at https://www.cisco.com/go/cfn.

Accessing Hidden Commands

Starting with Cisco IOS XE Fuji 16.8.1a, as an improved security measure, the way in which hidden commands can be accessed has changed.

Hidden commands have always been present in Cisco IOS XE, but were not equipped with CLI help. This means that entering enter a question mark (?) at the system prompt did not display the list of available commands. Such hidden commands are only meant to assist Cisco TAC in advanced troubleshooting and are therefore not documented. For more information about CLI help, see the Using the Command-Line Interface → Understanding the Help System chapter of the Command Reference document.

Hidden commands are available under:

Category 1—Hidden commands in privileged or User EXEC mode. Begin by entering the service internal command to access these commands.
Category 2—Hidden commands in one of the configuration modes (global, interface and so on). These commands do not require the service internal command.

Further, the following applies to hidden commands under Category 1 and 2:

The commands have CLI help. Entering enter a question mark (?) at the system prompt displays the list of available commands.

Note: For Category 1, enter the service internal command before you enter the question mark; you do not have to do this for Category 2.

The system generates a %PARSER-5-HIDDEN syslog message when the command is used. For example:

*Feb 14 10:44:37.917: %PARSER-5-HIDDEN: Warning!!! 'show processes memory old-header ' is a hidden command. 
Use of this command is not recommended/supported and will be removed in future.

Apart from category 1 and 2, there remain internal commands displayed on the CLI, for which the system does NOT generate the %PARSER-5-HIDDEN syslog message.

Important

We recommend that you use any hidden command only under TAC supervision.

If you find that you are using a hidden command, open a TAC case for help with finding another way of collecting the same information as the hidden command (for a hidden EXEC mode command), or to configure the same functionality (for a hidden configuration mode command) using non-hidden commands.

Supported Hardware

Cisco Catalyst 9400 Series Switches—Model Numbers

The following table lists the supported switch models. For information about the available license levels, see section License Levels.


Switch Model (append with “=” for spares)	Description
C9404R	Cisco Catalyst 9400 Series 4 slot chassis Redundant supervisor module capability Two switching module slots Hot-swappable, front and rear serviceable, non-redundant fan tray assembly Four power supply module slots
C9407R	Cisco Catalyst 9400 Series 7 slot chassis Redundant supervisor module capability Five switching module slots Hot-swappable, front and rear serviceable fan tray assembly Eight power supply module slots
C9410R	Cisco Catalyst 9400 Series 10 slot chassis Redundant supervisor module capability Eight switching module slots Hot-swappable, front and rear serviceable fan tray assembly Eight power supply module slots

Supported Hardware on Cisco Catalyst 9400 Series Switches


Product ID (append with “=” for spares)	Description
Supervisor Modules
C9400-SUP-1	Cisco Catalyst 9400 Series Supervisor 1 Module This supervisor module is supported on the C9404R, C9407R, and C9410R chassis.
C9400-SUP-1XL	Cisco Catalyst 9400 Series Supervisor 1XL Module This supervisor module is supported on the C9404R, C9407R, and C9410R chassis.
C9400-SUP-1XL-Y	Cisco Catalyst 9400 Series Supervisor 25XL Module This supervisor module is supported on the C9404R, C9407R, and C9410R chassis.
Gigabit Ethernet Switching Modules
C9400-LC-24S	Cisco Catalyst 9400 Series 24 Port, 1 Gigabit Ethernet SFP module that supports 100/1000 BASET-T with Cu-SFP
C9400-LC-48P	Cisco Catalyst 9400 Series 48 Port, 1 Gigabit Ethernet POE/POE+ module supporting up to 30W per port.
C9400-LC-48S	Cisco Catalyst 9400 Series 48 Port, 1 Gigabit Ethernet SFP module that supports 100/1000 BASET-T with Cu-SFP.
C9400-LC-48T	Cisco Catalyst 9400 Series 48-Port 10/100/1000 (RJ-45)
C9400-LC-48U	Cisco Catalyst 9400 Series 48-Port UPOE 10/100/1000 (RJ-45) module supporting up to 60W per port.
Ten Gigabit Ethernet Switching Modules
C9400-LC-24XS	Cisco Catalyst 9400 Series 24-Port SFP/SFP+ Module
Multigigabit Ethernet Switching Modules
C9400-LC-48UX	Cisco Catalyst 9400 Series 48-port, UPOE Multigigabit Ethernet Module with: 24 ports (Ports 1 to 24) 1G UPOE 10/100/1000 (RJ-45) 24 ports (Ports 25 to 48) MultiGigabit Ethernet 100/1000/2500/5000/10000 UPOE ports
M.2 SATA SSD Modules¹ (for the Supervisor)
C9400-SSD-240GB	Cisco Catalyst 9400 Series 240GB M2 SATA memory
C9400-SSD-480GB	Cisco Catalyst 9400 Series 480GB M2 SATA memory
C9400-SSD-960GB	Cisco Catalyst 9400 Series 960GB M2 SATA memory
AC Power Supply Modules
C9400-PWR-2100AC	Cisco Catalyst 9400 Series 2100W AC Power Supply
C9400-PWR-3200AC	Cisco Catalyst 9400 Series 3200W AC Power Supply
DC Power Supply Modules
C9400-PWR-3200DC	Cisco Catalyst 9400 Series 3200W DC Power Supply

¹ M.2 Serial Advanced Technology Attachment (SATA) Solid State Drive (SSD) Module

Optics Modules

Cisco Catalyst Series Switches support a wide range of optics and the list of supported optics is updated on a regular basis. Use the Transceiver Module Group (TMG) Compatibility Matrix tool, or consult the tables at this URL for the latest transceiver module compatibility information: https://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html

Compatibility Matrix

The following table provides software compatibility information between Cisco Catalyst 9400 Series Switches, Cisco Identity Services Engine, Cisco Access Control Server, and Cisco Prime Infrastructure.


Catalyst 9400	Cisco Identity Services Engine	Cisco Access Control Server	Cisco Prime Infrastructure
Gibraltar 16.11.1	2.6 2.4 Patch 5	5.4 5.5	PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4 → Downloads.
Gibraltar 16.10.1	2.3 Patch 1 2.4 Patch 1	5.4 5.5	PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads.
Fuji 16.9.8	2.5 2.1	5.4 5.5	PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads.
Fuji 16.9.7	2.5 2.1	5.4 5.5	PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads.
Fuji 16.9.6	2.3 Patch 1 2.4 Patch 1	5.4 5.5	PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads.
Fuji 16.9.5	2.3 Patch 1 2.4 Patch 1	5.4 5.5	PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads.
Fuji 16.9.4	2.3 Patch 1 2.4 Patch 1	5.4 5.5	PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads.
Fuji 16.9.3	2.3 Patch 1 2.4 Patch 1	5.4 5.5	PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads.
Fuji 16.9.2	2.3 Patch 1 2.4 Patch 1	5.4 5.5	PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads.
Fuji 16.9.1	2.3 Patch 1 2.4 Patch 1	5.4 5.5	PI 3.4 + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads.
Fuji 16.8.1a	2.3 Patch 1 2.4	5.4 5.5	PI 3.3 + PI 3.3 latest maintenance release + PI 3.3 latest device pack See Cisco Prime Infrastructure 3.3→ Downloads.
Everest 16.6.4a	2.2 2.3	5.4 5.5	PI 3.1.6 + Device Pack 13 See Cisco Prime Infrastructure 3.1 → Downloads.
Everest 16.6.4	2.2 2.3	5.4 5.5	PI 3.1.6 + Device Pack 13 See Cisco Prime Infrastructure 3.1 → Downloads.
Everest 16.6.3	2.2 2.3	5.4 5.5	PI 3.1.6 + Device Pack 13 See Cisco Prime Infrastructure 3.1 → Downloads
Everest 16.6.2	2.2 2.3	5.4 5.5	PI 3.1.6 + Device Pack 13 See Cisco Prime Infrastructure 3.1 → Downloads
Everest 16.6.1	2.2	5.4 5.5	PI 3.1.6 + Device Pack 13 See Cisco Prime Infrastructure 3.1 → Downloads

Web UI System Requirements

The following subsections list the hardware and software required to access the Web UI:

Minimum Hardware Requirements


Processor Speed	DRAM	Number of Colors	Resolution	Font Size
233 MHz minimum²	512 MB³	256	1280 x 800 or higher	Small

² We recommend 1 GHz

³ We recommend 1 GB DRAM

Software Requirements

Operating Systems

Windows 10 or later
Mac OS X 10.9.5 or later

Browsers

Google Chrome—Version 59 or later (On Windows and Mac)
Microsoft Edge
Mozilla Firefox—Version 54 or later (On Windows and Mac)
Safari—Version 10 or later (On Mac)

ROMMON and CPLD Versions

The following table provides ROMMON and CPLD version information for the Cisco Catalyst 9400 Series Supervisor Modules. For ROMMON and CPLD version information of Cisco IOS XE 17.x.x releases, refer to the corresponding Cisco IOS XE 17.x.x release notes of the respective platform.


Release	ROMMON Version (C9400-SUP-1, C9400-SUP-1XL, C9400-SUP-1XL-Y)	CPLD Version (C9400-SUP-1, C9400-SUP-1XL, C9400-SUP-1XL-Y)
Gibraltar 16.11.1	16.10.2r	17101705
Gibraltar 16.10.1	16.6.2r	17101705
Fuji 16.9.x	16.6.2r[FC1]	17101705
Fuji 16.8.1a	16.6.2r	17101705
Everest 16.6.x	16.6.2r[FC1]	17101705

Upgrading the Switch Software

This section covers the various aspects of upgrading or downgrading the device software.

Note

You cannot use the Web UI to install, upgrade, or downgrade device software.

Finding the Software Version

The package files for the Cisco IOS XE software are stored on the system board flash device (flash:).

You can use the show version privileged EXEC command to see the software version that is running on your switch.

Note

Although the show version output always shows the software image running on the switch, the model name shown at the end of this display is the factory configuration and does not change if you upgrade the software license.

You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.

Software Images


Release	Image Type	File Name
Cisco IOS XE Gibraltar 16.11.1	CAT9K_IOSXE	cat9k_iosxe.16.11.01.SPA.bin
Cisco IOS XE Gibraltar 16.11.1	Licensed Data Payload Encryption (LDPE)	cat9k_iosxeldpe.16.11.01.SPA.bin

Automatic Boot Loader Upgrade

Caution

You must comply with these cautionary guidelines during an upgrade:

Do not power cycle your switch.
Do not disconnect power or remove the supervisor module.
Do not perform an online insertion and replacement (OIR) of either supervisor (in a High Availability setup), if one of the supervisor modules in the chassis is in the process of a bootloader upgrade or when the switch is booting up.
Do not perform an OIR of a switching module (linecard) when the switch is booting up.

Note

Important information that may affect upgrade or downgrade:

Disconnecting and reconnecting power to a Cisco Catalyst 9400 Series Supervisor 1 Module within a 5-second window, can corrupt the boot SPI.

Complex Programmable Logic Device (CPLD) Upgrade

This refers to hardware-programmable firmware. The CPLD upgrade process is part of the automatic boot loader upgrade. The sequence of events is as follows:

Note

There are no FPGA or CPLD upgrades in Cisco IOS XE Gibraltar 16.11.1.

Software Installation Commands


Summary of Software Installation Commands
To install and activate the specified file, and to commit changes to be persistent across reloads: `install add file filename [ activate commit]` To separately install, activate, commit, cancel, or remove the installation file: `install ?`
add file tftp: `filename`	Copies the install file package from a remote location to the device and performs a compatibility check for the platform and image versions.
activate `[` auto-abort-timer`]`	Activates the file, and reloads the device. The auto-abort-timer keyword automatically rolls back image activation.
commit	Makes changes persistent over reloads.
rollback to committed	Rolls back the update to the last committed version.
abort	Cancels file activation, and rolls back to the version that was running before the current installation procedure started.
remove	Deletes all unused and inactive software installation files.

Upgrading in Install Mode

Follow these instructions to upgrade from one release to another, in install mode. To perform a software image upgrade, you must be booted into IOS via boot flash:packages.conf .

Before you begin

Note that you can use this procedure for the following upgrade scenarios.

When upgrading from ...

Permitted Supervisor Setup

(Applies to the release you are upgrading from)

First upgrade to...

To upgrade to ...

Cisco IOS XE Everest 16.6.1⁴

Upgrade a single supervisor, and complete the boot loader and CPLD upgrade. After completing the first supervisor upgrade, remove and swap in the second supervisor. After both supervisors are upgraded, they can be inserted and booted in a high availability setup.

Note

Do not simultaneously upgrade dual supervisors from Cisco IOS XE Everest 16.6.1 to a later release. Doing so may cause hardware damage.

Cisco IOS XE Everest 16.6.3

Follow the upgrade steps as in the Release Notes for Cisco Catalyst 9400 Series Switches, Cisco IOS XE Everest 16.6.x → Upgrading the Switch Software → Upgrading in Install Mode

Cisco IOS XE Gibraltar 16.11.x

Cisco IOS XE Everest 16.6.2 and later releases

This procedure automatically copies the images to both active and standby supervisor modules. Both supervisor modules are simultaneously upgraded.

Not applicable

⁴

When upgrading from Cisco IOS XE Everest 16.6.1 to a later release, the upgrade may take a long time, and the system will reset three times due to rommon and complex programmable logic device (CPLD) upgrade. Stateful switchover is supported from Cisco IOS XE Everest 16.6.2

Caution

Do not power cycle your switch during an upgrade.
Do not disconnect power or remove the supervisor module during an upgrade.
Do not perform an online insertion and replacement (OIR) of either supervisor (in a High Availability setup), if one of the supervisor modules in the chassis is in the process of a bootloader upgrade or when the switch is booting up.
Do not perform OIR of a switching module (linecard) when the switch is booting up.

The sample output in this section displays upgrade from Cisco IOS XE Everest 16.6.3 to Cisco IOS XE Gibraltar 16.11.x using install commands.

Procedure

Step 1

Clean Up

install remove inactive

Use this command to clean up old installation files in case of insufficient space. Ensure that you have at least 1GB of space in flash to expand a new image.

Switch# install remove inactive
install_remove: START Wed Mar 06 14:14:40 PDT 2019
Cleaning up unnecessary package files
No path specified, will use booted path flash:packages.conf
Cleaning flash:
Scanning boot directory for packages ... done.
Preparing packages list to delete ...
cat9k-cc_srdriver.16.06.03.SPA.pkg
File is in use, will not delete.
cat9k-espbase.16.06.03.SPA.pkg
File is in use, will not delete.
cat9k-rpbase.16.06.03.SPA.pkg
File is in use, will not delete.
cat9k-rpboot.16.06.03.SPA.pkg
File is in use, will not delete.
cat9k-sipbase.16.06.03.SPA.pkg
File is in use, will not delete.
cat9k-sipspa.16.06.03.SPA.pkg
File is in use, will not delete.
cat9k-srdriver.16.06.03.SPA.pkg
File is in use, will not delete.
cat9k-webui.16.06.01.SPA.pkg
File is in use, will not delete.
packages.conf
File is in use, will not delete.
done.
 
The following files will be deleted:
[R0]:
/flash/cat9k-cc_srdriver.16.06.03.SPA.pkg
/flash/cat9k-espbase.16.06.03.SPA.pkg
/flash/cat9k-rpbase.16.06.03.SPA.pkg
/flash/cat9k-rpboot.16.06.03.SPA.pkg
/flash/cat9k-sipbase.16.06.03.SPA.pkg
/flash/cat9k-sipspa.16.06.03.SPA.pkg
/flash/cat9k-srdriver.16.06.03.SPA.pkg
/flash/cat9k-webui.16.06.03.SPA.pkg
/flash/cat9k_1.bin
/flash/cat9k_1.conf
/flash/cat9k_2.1.conf
/flash/cat9k_2.bin
/flash/cat9k_2.conf
/flash/cat9k_iosxe.16.06.03.SPA.bin
/flash/packages.conf.00-
 
Do you want to remove the above files? [y/n]y
[R0]:
Deleting file flash:cat9k-cc_srdriver.16.06.03.SPA.pkg ... done.
Deleting file flash:cat9k-espbase.16.06.03.SPA.pkg ... done.
Deleting file
Deleting file flash:cat9k-rpbase.16.06.03.SPA.pkg ... done.
Deleting file flash:cat9k-rpboot.16.06.03.SPA.pkg ... done.
Deleting file flash:cat9k-sipbase.16.06.03.SPA.pkg ... done.
Deleting file flash:cat9k-sipspa.16.06.03.SPA.pkg ... done.
Deleting file flash:cat9k-srdriver.16.06.03.SPA.pkg ... done.
Deleting file flash:cat9k-webui.16.06.03.SPA.pkg ... done.
Deleting file flash:cat9k_1.bin ... done.
Deleting file flash:cat9k_1.conf ... done.
Deleting file flash:cat9k_2.1.conf ... done.
Deleting file flash:cat9k_2.bin ... done.
Deleting file flash:cat9k_2.conf ... done.
Deleting file flash:cat9k_iosxe.16.06.03.SPA.bin ... done.
Deleting file flash:packages.conf.00- ... done.
SUCCESS: Files deleted.
--- Starting Post_Remove_Cleanup ---
Performing Post_Remove_Cleanup on Active/Standby
[R0] Post_Remove_Cleanup package(s) on R0
[R0] Finished Post_Remove_Cleanup on R0
Checking status of Post_Remove_Cleanup on [R0]
Post_Remove_Cleanup: Passed on [R0]
Finished Post_Remove_Cleanup
 
SUCCESS: install_remove Wed Mar 06 14:16:29 PDT 2019
Switch#

Step 2

Copy new image to flash

copy tftp: flash:

Use this command to copy the new image to flash: (or skip this step if you want to use the new image from your TFTP server)

Switch# copy tftp://10.8.0.6//cat9k_iosxe.16.11.01.SPA.bin flash:

Destination filename [cat9k_iosxe.16.11.01.SPA.bin]?
Accessing tftp://10.8.0.6//cat9k_iosxe.16.11.01.SPA.bin...
Loading /cat9k_iosxe.16.11.01.SPA.bin from 10.8.0.6 (via GigabitEthernet0/0): 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 601216545 bytes]
 
601216545 bytes copied in 50.649 secs (11870255 bytes/sec)

dir flash

Use this command to confirm that the image has been successfully copied to flash.

Switch# dir flash:*.bin
Directory of flash:/*.bin
 
Directory of flash:/
 
434184 -rw- 601216545 Mar 06 2019 10:18:11 -07:00 cat9k_iosxe.16.11.01.SPA.bin
11353194496 bytes total (8976625664 bytes free)

Step 3

Set boot variable

boot system flash:packages.conf
Use this command to set the boot variable to flash:packages.conf .
```
Switch(config)# boot system flash:packages.conf
Switch(config)# exit
```
write memory
Use this command to save boot settings.
```
Switch# write memory
```
show boot system
Use this command to verify the boot variable is set to flash:packages.conf .

The output should display BOOT variable = flash:packages.conf .
```
Switch# show boot system
```

Step 4

Software install image to flash

install add file activate commit

Use this command to install the target image to flash. You can point to the source image on your TFTP server or in flash if you have it copied to flash.

Switch# install add file flash:cat9k_iosxe.16.11.01.SPA.bin activate commit

install_add_activate_commit: START Wed Mar 06 22:49:41 UTC 2019
 
*Mar 06 22:49:42.772: %IOSXE-5-PLATFORM: Switch 1 R0/0: Mar 06 22:49:42 install_engine.sh:
 %INSTALL-5-INSTALL_START_INFO: Started install one-shot flash:cat9k_iosxe.16.11.01.SPA.bin
install_add_activate_commit: Adding PACKAGE
 
--- Starting initial file syncing ---
Info: Finished copying flash:cat9k_iosxe.16.11.01.SPA.bin to the selected switch(es)
Finished initial file syncing
 
--- Starting Add ---
Performing Add on all members
[1] Add package(s) on switch 1
[1] Finished Add on switch 1
Checking status of Add on [1]
Add: Passed on [1]
Finished Add
 
install_add_activate_commit: Activating PACKAGE
 
/flash/cat9k-webui.16.11.01.SPA.pkg
/flash/cat9k-srdriver.16.11.01.SPA.pkg
/flash/cat9k-sipspa.16.11.01.SPA.pkg
/flash/cat9k-sipbase.16.11.01.SPA.pkg
/flash/cat9k-rpboot.16.11.01.SPA.pkg
/flash/cat9k-rpbase.16.11.01.SPA.pkg
/flash/cat9k-guestshell.16.11.01.SPA.pkg
/flash/cat9k-espbase.16.11.01.SPA.pkg
/flash/cat9k-cc_srdriver.16.11.01.SPA.pkg
 
This operation requires a reload of the system. Do you want to proceed? [y/n]y
--- Starting Activate ---
Performing Activate on all members
[1] Activate package(s) on switch 1
[1] Finished Activate on switch 1
Checking status of Activate on [1]
Activate: Passed on [1]
Finished Activate
 
--- Starting Commit ---
Performing Commit on all members
[1] Commit package(s) on switch 1
[1] Finished Commit on switch 1
Checking status of Commit on [1]
Commit: Passed on [1]
Finished Commit
 
Install will reload the system now!
 
Chassis 1 reloading, reason - Reload command
SUCCESS: install_add_activate_commit
/flash/cat9k-webui.16.11.01.SPA.pkg
/flash/cat9k-srdriver.16.11.01.SPA.pkg
/flash/cat9k-sipspa.16.11.01.SPA.pkg
/flash/cat9k-sipbase.16.11.01.SPA.pkg
/flash/cat9k-rpboot.16.11.01.SPA.pkg
/flash/cat9k-rpbase.16.11.01.SPA.pkg
/flash/cat9k-guestshell.16.11.01.SPA.pkg
/flash/cat9k-espbase.16.11.01.SPA.pkg
/flash/cat9k-cc_srdriver.16.11.01.SPA.pkg
Wed Mar 06 22:53:58 UTC 2019
Switch#

Note

Old files listed in the logs will not be removed from flash.

dir flash:

After the software has been successfully installed, use this command to verify that the flash partition has nine new .pkg files and three .conf files.

Switch# dir flash:
 
Directory of flash:/
475140 -rw- 2012104   Jul 26 2017 09:52:41 -07:00 cat9k-cc_srdriver.16.06.03.SPA.pkg
475141 -rw- 70333380  Jul 26 2017 09:52:44 -07:00 cat9k-espbase.16.06.03.SPA.pkg
475142 -rw- 13256     Jul 26 2017 09:52:44 -07:00 cat9k-guestshell.16.06.03.SPA.pkg
475143 -rw- 349635524 Jul 26 2017 09:52:54 -07:00 cat9k-rpbase.16.06.03.SPA.pkg
475149 -rw- 24248187  Jul 26 2017 09:53:02 -07:00 cat9k-rpboot.16.06.03.SPA.pkg
475144 -rw- 25285572  Jul 26 2017 09:52:55 -07:00 cat9k-sipbase.16.06.03.SPA.pkg
475145 -rw- 20947908  Jul 26 2017 09:52:55 -07:00 cat9k-sipspa.16.06.03.SPA.pkg
475146 -rw- 2962372   Jul 26 2017 09:52:56 -07:00 cat9k-srdriver.16.06.03.SPA.pkg
475147 -rw- 13284288  Jul 26 2017 09:52:56 -07:00 cat9k-webui.16.06.03.SPA.pkg
475148 -rw- 13248     Jul 26 2017 09:52:56 -07:00 cat9k-wlc.16.06.03.SPA.pkg

491524 -rw- 25711568  Mar 06 2019 11:49:33 -07:00  cat9k-cc_srdriver.16.11.01.SPA.pkg
491525 -rw- 78484428  Mar 06 2019 11:49:35 -07:00  cat9k-espbase.16.11.01.SPA.pkg
491526 -rw- 1598412   Mar 06 2019 11:49:35 -07:00  cat9k-guestshell.16.11.01.SPA.pkg
491527 -rw- 404153288 Mar 06 2019 11:49:47 -07:00  cat9k-rpbase.16.11.01.SPA.pkg
491533 -rw- 31657374  Mar 06 2019 11:50:09 -07:00  cat9k-rpboot.16.11.01.SPA.pkg
491528 -rw- 27681740  Mar 06 2019 11:49:48 -07:00  cat9k-sipbase.16.11.01.SPA.pkg
491529 -rw- 52224968  Mar 06 2019 11:49:49 -07:00  cat9k-sipspa.16.11.01.SPA.pkg
491530 -rw- 31130572  Mar 06 2019 11:49:50 -07:00  cat9k-srdriver.16.11.01.SPA.pkg
491531 -rw- 14783432  Mar 06 2019 11:49:51 -07:00  cat9k-webui.16.11.01.SPA.pkg
491532 -rw- 9160      Mar 06 2019 11:49:51 -07:00  cat9k-wlc.16.11.01.SPA.pkg 

11353194496 bytes total (9544245248 bytes free)
Switch#

The following sample output displays the .conf files in the flash partition; note the three .conf files:

packages.conf—the file that has been re-written with the newly installed .pkg files
packages.conf.00—backup file of the previously installed image
cat9k_iosxe.16.11.01.SPA.conf— a copy of packages.conf and not used by the system.

Switch# dir flash:*.conf
 
Directory of flash:/*.conf
Directory of flash:/
 
434197 -rw- 7406 Mar 06 2018 10:59:16 -07:00 packages.conf
434196 -rw- 7504 Mar 06 2018 10:59:16 -07:00 packages.conf.00-
516098 -rw- 7406 Mar 06 2018 10:58:08 -07:00 cat9k_iosxe.16.10.01.SPA.conf
11353194496 bytes total (8963174400 bytes free)

Step 5

Reload

reload
Use this command to reload the switch.
```
Switch# reload
```
boot flash:
If your switches are configured with auto boot, then the stack will automatically boot up with the new image. If not, you can manually boot flash:packages.conf
```
Switch: boot flash:packages.conf
```

show version

After the image boots up, use this command to verify the version of the new image.

Note

When you boot the new image, the boot loader is automatically updated, but the new bootloader version is not displayed in the output until the next reload.

The following sample output of the show version command displays the Cisco IOS XE Gibraltar 16.11.x image on the device:

Switch# show version
Cisco IOS XE Software, Version 16.11.01
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.11.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.

Downgrading in Install Mode

Follow these instructions to downgrade from one release to another, in install mode. To perform a software image downgrade, you must be booted into IOS via boot flash:packages.conf .

Before you begin

Note that you can use this procedure for the following downgrade scenarios:

When downgrading from ...

Permitted Supervisor Setup

(Applies to the release you are downgrading from)

To ...

Cisco IOS XE Gibraltar 16.11.x

This procedure automatically copies the images to both active and standby supervisor modules. Both supervisor modules are simultaneously downgraded.

Note

Do not perform an Online Removal and Replacement (OIR) of either supervisor module during the process.

Cisco IOS XE Gibraltar 16.10.x or earlier releases.

The sample output in this section shows downgrade from Cisco IOS XE Gibraltar 16.11.x to Cisco IOS XE Everest 16.6.2, using install commands.

Important

New hardware modules (supervisors or line card modules) that are introduced in a release cannot be downgraded. The release in which a module is introduced is the minimum software version for that model. We recommend upgrading all existing hardware to the same release as the latest hardware.

Procedure

Step 1

Clean Up

install remove inactive

Use this command to clean up old installation files in case of insufficient space. Ensure that you have at least 1GB of space in flash to expand a new image.

Switch# install remove inactive
install_remove: START Wed Mar 06 14:14:40 PDT 2019
Cleaning up unnecessary package files
No path specified, will use booted path flash:packages.conf
Cleaning flash:
Scanning boot directory for packages ... done.
Preparing packages list to delete ...
cat9k-cc_srdriver.16.11.01.SPA.pkg
File is in use, will not delete.
cat9k-espbase.16.11.01.SPA.pkg
File is in use, will not delete.
cat9k-guestshell.16.11.01.SPA.pkg
File is in use, will not delete.
cat9k-rpbase.16.11.01.SPA.pkg
File is in use, will not delete.
cat9k-rpboot.16.11.01.SPA.pkg
File is in use, will not delete.
cat9k-sipbase.16.11.01.SPA.pkg
File is in use, will not delete.
cat9k-sipspa.16.11.01.SPA.pkg
File is in use, will not delete.
cat9k-srdriver.16.11.01.SPA.pkg
File is in use, will not delete.
cat9k-webui.16.11.01.SPA.pkg
File is in use, will not delete.
packages.conf
File is in use, will not delete.
done.
 
The following files will be deleted:
[R0]:
/flash/cat9k-cc_srdriver.16.11.01.SPA.pkg
/flash/cat9k-espbase.16.11.01.SPA.pkg
/flash/cat9k-guestshell.16.11.01.SPA.pkg
/flash/cat9k-rpbase.16.11.01.SPA.pkg
/flash/cat9k-rpboot.16.11.01.SPA.pkg
/flash/cat9k-sipbase.16.11.01.SPA.pkg
/flash/cat9k-sipspa.16.11.01.SPA.pkg
/flash/cat9k-srdriver.16.11.01.SPA.pkg
/flash/cat9k-webui.pkg
/flash/cat9k_1.bin
/flash/cat9k_1.conf
/flash/cat9k_2.1.conf
/flash/cat9k_2.bin
/flash/cat9k_2.conf
/flash/cat9k_iosxe.16.09.01.SSA.bin
/flash/packages.conf.00-
 
Do you want to remove the above files? [y/n]y
[R0]:
Deleting file flash:cat9k-cc_srdriver.16.11.01.SPA.pkg ... done.
Deleting file flash:cat9k-espbase.16.11.01.SPA.pkg ... done.
Deleting file flash:cat9k-guestshell.16.11.01.SPA.pkg ... done.
Deleting file flash:cat9k-rpbase.16.11.01.SPA.pkg ... done.
Deleting file flash:cat9k-rpboot.16.11.01.SPA.pkg ... done.
Deleting file flash:cat9k-sipbase.16.11.01.SPA.pkg ... done.
Deleting file flash:cat9k-sipspa.16.11.01.SPA.pkg ... done.
Deleting file flash:cat9k-srdriver.16.11.01.SPA.pkg ... done.
Deleting file flash:cat9k-webui.16.11.01.SPA.pkg ... done.
Deleting file flash:cat9k_1.bin ... done.
Deleting file flash:cat9k_1.conf ... done.
Deleting file flash:cat9k_2.1.conf ... done.
Deleting file flash:cat9k_2.bin ... done.
Deleting file flash:cat9k_2.conf ... done.
Deleting file flash:cat9k_iosxe.16.10.01.bin ... done.
Deleting file flash:packages.conf.00- ... done.
SUCCESS: Files deleted.
--- Starting Post_Remove_Cleanup ---
Performing Post_Remove_Cleanup on Active/Standby
[R0] Post_Remove_Cleanup package(s) on R0
[R0] Finished Post_Remove_Cleanup on R0
Checking status of Post_Remove_Cleanup on [R0]
Post_Remove_Cleanup: Passed on [R0]
Finished Post_Remove_Cleanup
 
SUCCESS: install_remove Wed Oct 31 14:16:29 PDT 2018
Switch#

Step 2

Copy new image to flash

copy tftp: flash:

Use this command to copy the new image to flash: (or skip this step if you want to use the new image from your TFTP server)

Switch# copy tftp://10.8.0.6//cat9k_iosxe.16.06.02.SPA.bin flash:

Destination filename [cat9k_iosxe.16.06.02.SPA.bin]?
Accessing tftp://10.8.0.6//cat9k_iosxe.16.06.02.SPA.bin...
Loading /cat9k_iosxe.16.06.02.SPA.bin from 10.8.0.6 (via GigabitEthernet0/0): 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 508584771 bytes]
508584771 bytes copied in 101.005 secs (5035244 bytes/sec)

dir flash:

Use this command to confirm that the image has been successfully copied to flash.

Switch# dir flash:*.bin
Directory of flash:/*.bin
 
Directory of flash:/
 
434184 -rw- 508584771 Wed Oct 31 2018 13:35:16 -07:00 cat9k_iosxe.16.06.02.SPA.bin
11353194496 bytes total (9055866880 bytes free)

Step 3

Downgrade software image

install add file activate commit
install rollback to committed

The following example displays the installation of the cat9k_iosxe.16.06.02.SPA.bin software image to flash, to downgrade the switch by using the install add file activate commit command. You can point to the source image on your tftp server or in flash if you have it copied to flash.

Switch# install add file flash:
Switch# install add file flash:cat9k_iosxe.16.06.02.SPA.bin activate commit
 
install_add_activate_commit: START Wed Oct 31 22:49:41 UTC 2018
 
*Oct 31 22:49:42.772: %IOSXE-5-PLATFORM: Switch 1 R0/0: Oct 31 22:49:42 install_engine.sh:
%INSTALL-5-INSTALL_START_INFO: Started install one-shot flash:cat9k_iosxe.16.06.02.SPA.bininstall_add_activate_commit: Adding PACKAGE
 
--- Starting initial file syncing ---
Info: Finished copying flash:cat9k_iosxe.16.06.02.SPA.bin to the selected switch(es)
Finished initial file syncing
 
--- Starting Add ---
Performing Add on all members
[1] Add package(s) on switch 1
[1] Finished Add on switch 1
Checking status of Add on [1]
Add: Passed on [1]
Finished Add
 
install_add_activate_commit: Activating PACKAGE
 
/flash/cat9k-webui.16.06.02.SPA.pkg
/flash/cat9k-srdriver.16.06.02.SPA.pkg
/flash/cat9k-sipspa.16.06.02.SPA.pkg
/flash/cat9k-sipbase.16.06.02.SPA.pkg
/flash/cat9k-rpboot.16.06.02.SPA.pkg
/flash/cat9k-rpbase.16.06.02.SPA.pkg
/flash/cat9k-espbase.16.06.02.SPA.pkg
/flash/cat9k-cc_srdriver.16.06.02.SPA.pkg
 
This operation requires a reload of the system. Do you want to proceed? [y/n]y
--- Starting Activate ---
Performing Activate on all members
[1] Activate package(s) on switch 1
[1] Finished Activate on switch 1
Checking status of Activate on [1]
Activate: Passed on [1]
Finished Activate
 
--- Starting Commit ---
Performing Commit on all members
[1] Commit package(s) on switch 1
[1] Finished Commit on switch 1
Checking status of Commit on [1]
Commit: Passed on [1]
Finished Commit
 
Install will reload the system now!
 
Chassis 1 reloading, reason - Reload command
SUCCESS: install_add_activate_commit
/flash/cat9k-webui.16.06.02.SPA.pkg
/flash/cat9k-srdriver.16.06.02.SPA.pkg
/flash/cat9k-sipspa.16.06.02.SPA.pkg
/flash/cat9k-sipbase.16.06.02.SPA.pkg
/flash/cat9k-rpboot.16.06.02.SPA.pkg
/flash/cat9k-rpbase.16.06.02.SPA.pkg
/flash/cat9k-guestshell.16.06.02.SPA.pkg
/flash/cat9k-espbase.16.06.02.SPA.pkg
/flash/cat9k-cc_srdriver.16.06.02.SPA.pkg
Fri Mar 16 22:53:58 UTC 2018
Switch#

The following example displays sample output when downgrading the switch by using the install rollback to committed command.

Important

You use the install rollback to committed command for downgrading, only if the version you want to downgrade to, is committed.

Switch# install rollback to committed

install_rollback: START Wed Oct 31 14:24:56 UTC 2018
 
This operation requires a reload of the system. Do you want to proceed? [y/n]
*Oct 31 14:24:57.555: %IOSXE-5-PLATFORM: R0/0: Oct 31 14:24:57 install_engine.sh: 
%INSTALL-5-INSTALL_START_INFO: Started install rollbacky
--- Starting Rollback ---
Performing Rollback on Active/Standby
 
WARNING: Found 55 disjoint TDL objects.
[R0] Rollback package(s) on R0
--- Starting rollback impact ---

Changes that are part of this rollback
Current : rp 0 0 rp_boot cat9k-rpboot.16.11.01.SPA.pkg
Current : rp 1 0 rp_boot cat9k-rpboot.16.11.01.SPA.pkg
Replacement: rp 0 0 rp_boot cat9k-rpboot.16.06.02.SPA.pkg
Replacement: rp 1 0 rp_boot cat9k-rpboot.16.06.02.SPA.pkg
Current : cc 0  0 cc_srdriver cat9k-cc_srdriver.16.11.01.SPA.pkg
Current : cc 0  0 cc cat9k-sipbase.16.11.01.SPA.pkg
Current : cc 0  0 cc_spa cat9k-sipspa.16.11.01.SPA.pkg
Current : cc 1  0 cc_srdriver cat9k-cc_srdriver.16.11.01.SPA.pkg
Current : cc 1  0 cc cat9k-sipbase.16.11.01.SPA.pkg
Current : cc 1  0 cc_spa cat9k-sipspa.16.11.01.SPA.pkg
Current : cc 10 0 cc cat9k-sipbase.16.11.01.SPA.pkg
Current : cc 10 0 cc_spa cat9k-sipspa.16.11.01.SPA.pkg
Current : cc 10 0 cc_srdriver cat9k-cc_srdriver.16.11.01.SPA.pkg
Current : cc 2  0 cc_srdriver cat9k-cc_srdriver.16.11.01.SPA.pkg
Current : cc 2  0 cc cat9k-sipbase.16.11.01.SPA.pkg
Current : cc 2  0 cc_spa cat9k-sipspa.16.11.01.SPA.pkg
Current : cc 3  0 cc_srdriver cat9k-cc_srdriver.16.11.01.SPA.pkg
Current : cc 3  0 cc cat9k-sipbase.16.11.01.SPA.pkg
Current : cc 3  0 cc_spa cat9k-sipspa.16.11.01.SPA.pkg
Current : cc 4  0 cc_srdriver cat9k-cc_srdriver.16.11.01.SPA.pkg
Current : cc 4  0 cc cat9k-sipbase.16.11.01.SPA.pkg
Current : cc 4  0 cc_spa cat9k-sipspa.16.11.01.SPA.pkg
Current : cc 5  0 cc_srdriver cat9k-cc_srdriver.16.11.01.SPA.pkg
Current : cc 5  0 cc cat9k-sipbase.16.11.01.SPA.pkg
Current : cc 5  0 cc_spa cat9k-sipspa.16.11.01.SPA.pkg
Current : cc 6  0 cc_srdriver cat9k-cc_srdriver.16.11.01.SPA.pkg
Current : cc 6  0 cc cat9k-sipbase.16.11.01.SPA.pkg
Current : cc 6  0 cc_spa cat9k-sipspa.16.11.01.SPA.pkg
Current : cc 7  0 cc_srdriver cat9k-cc_srdriver.16.11.01.SPA.pkg
Current : cc 7  0 cc cat9k-sipbase.16.11.01.SPA.pkg
Current : cc 7  0 cc_spa cat9k-sipspa.16.11.01.SPA.pkg
Current : cc 8  0 cc_srdriver cat9k-cc_srdriver.16.11.01.SPA.pkg
Current : cc 8  0 cc cat9k-sipbase.16.11.01.SPA.pkg
Current : cc 8  0 cc_spa cat9k-sipspa.16.11.01.SPA.pkg
Current : cc 9  0 cc_srdriver cat9k-cc_srdriver.16.11.01.SPA.pkg
Current : cc 9  0 cc cat9k-sipbase.16.11.01.SPA.pkg
Current : cc 9  0 cc_spa cat9k-sipspa.16.11.01.SPA.pkg
Current : fp 0  0 fp cat9k-espbase.16.11.01.SPA.pkg
Current : fp 1  0 fp cat9k-espbase.16.11.01.SPA.pkg
Current : rp 0  0 guestshell cat9k-guestshell.16.11.01.SPA.pkg
Current : rp 0  0 rp_base cat9k-rpbase.16.11.01.SPA.pkg
Current : rp 0  0 rp_daemons cat9k-rpbase.16.11.01.SPA.pkg
Current : rp 0  0 rp_iosd cat9k-rpbase.16.11.01.SPA.pkg
Current : rp 0  0 rp_security cat9k-rpbase.16.11.01.SPA.pkg
Current : rp 0  0 rp_webui cat9k-webui.16.11.01.SPA.pkg
Current : rp 0  0 rp_wlc cat9k-wlc.16.11.01.SPA.pkg
Current : rp 0  0 srdriver cat9k-srdriver.16.11.01.SPA.pkg
Current : rp 1  0 guestshell cat9k-guestshell.16.11.01.SPA.pkg
Current : rp 1  0 rp_base cat9k-rpbase.16.11.01.SPA.pkg
Current : rp 1  0 rp_daemons cat9k-rpbase.16.11.01.SPA.pkg
Current : rp 1  0 rp_iosd cat9k-rpbase.16.11.01.SPA.pkg
Current : rp 1  0 rp_security cat9k-rpbase.16.11.01.SPA.pkg
Current : rp 1  0 rp_webui cat9k-webui.16.11.01.SPA.pkg
Current : rp 1  0 rp_wlc cat9k-wlc.16.11.01.SPA.pkg
Current : rp 1  0 srdriver cat9k-srdriver.16.11.01.SPA.pkg
Replacement: cc 0  0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkg
Replacement: cc 0  0 cc cat9k-sipbase.16.06.02.SPA.pkg
Replacement: cc 0  0 cc_spa cat9k-sipspa.16.06.02.SPA.pkg
Replacement: cc 1  0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkg
Replacement: cc 1  0 cc cat9k-sipbase.16.06.02.SPA.pkg
Replacement: cc 1  0 cc_spa cat9k-sipspa.16.06.02.SPA.pkg
Replacement: cc 10 0 cc cat9k-sipbase.16.06.02.SPA.pkg
Replacement: cc 10 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkg
Replacement: cc 10 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkg
Replacement: cc 2  0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkg
Replacement: cc 2  0 cc cat9k-sipbase.16.06.02.SPA.pkg
Replacement: cc 2  0 cc_spa cat9k-sipspa.16.06.02.SPA.pkg
Replacement: cc 3  0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkg
Replacement: cc 3  0 cc cat9k-sipbase.16.06.02.SPA.pkg
Replacement: cc 3  0 cc_spa cat9k-sipspa.16.06.02.SPA.pkg
Replacement: cc 4  0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkg
Replacement: cc 4  0 cc cat9k-sipbase.16.06.02.SPA.pkg
Replacement: cc 4  0 cc_spa cat9k-sipspa.16.06.02.SPA.pkg
Replacement: cc 5  0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkg
Replacement: cc 5  0 cc cat9k-sipbase.16.06.02.SPA.pkg
Replacement: cc 5  0 cc_spa cat9k-sipspa.16.06.02.SPA.pkg
Replacement: cc 6  0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkg
Replacement: cc 6  0 cc cat9k-sipbase.16.06.02.SPA.pkg
Replacement: cc 6  0 cc_spa cat9k-sipspa.16.06.02.SPA.pkg
Replacement: cc 7  0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkg
Replacement: cc 7  0 cc cat9k-sipbase.16.06.02.SPA.pkg
Replacement: cc 7  0 cc_spa cat9k-sipspa.16.06.02.SPA.pkg
Replacement: cc 8  0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkg
Replacement: cc 8  0 cc cat9k-sipbase.16.06.02.SPA.pkg
Replacement: cc 8  0 cc_spa cat9k-sipspa.16.06.02.SPA.pkg
Replacement: cc 9  0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkg
Replacement: cc 9  0 cc cat9k-sipbase.16.06.02.SPA.pkg
Replacement: cc 9  0 cc_spa cat9k-sipspa.16.06.02.SPA.pkg
Replacement: fp 0  0 fp cat9k-espbase.16.06.02.SPA.pkg
Replacement: fp 1  0 fp cat9k-espbase.16.06.02.SPA.pkg
Replacement: rp 0  0 guestshell cat9k-guestshell.16.06.02.SPA.pkg
Replacement: rp 0  0 rp_base cat9k-rpbase.16.06.02.SPA.pkg
Replacement: rp 0  0 rp_daemons cat9k-rpbase.16.06.02.SPA.pkg
Replacement: rp 0  0 rp_iosd cat9k-rpbase.16.06.02.SPA.pkg
Replacement: rp 0  0 rp_security cat9k-rpbase.16.06.02.SPA.pkg
Replacement: rp 0  0 rp_webui cat9k-webui.16.06.02.SPA.pkg
Replacement: rp 0  0 srdriver cat9k-srdriver.16.06.02.SPA.pkg
Replacement: rp 1  0 guestshell cat9k-guestshell.16.06.02.SPA.pkg
Replacement: rp 1  0 rp_base cat9k-rpbase.16.06.02.SPA.pkg
Replacement: rp 1  0 rp_daemons cat9k-rpbase.16.06.02.SPA.pkg
Replacement: rp 1  0 rp_iosd cat9k-rpbase.16.06.02.SPA.pkg
Replacement: rp 1  0 rp_security cat9k-rpbase.16.06.02.SPA.pkg
Replacement: rp 1  0 rp_webui cat9k-webui.16.06.02.SPA.pkg
Replacement: rp 1  0 srdriver cat9k-srdriver.16.06.02.SPA.pkg

Finished rollback impact
[R0] Finished Rollback on R0
Checking status of Rollback on [R0]
Rollback: Passed on [R0]
Finished Rollback
 
Install will reload the system now!
SUCCESS: install_rollback Wed Mar 06 14:26:35 UTC 2019
 
Switch#
*Mar 06 14:26:35.880: %IOSXE-5-PLATFORM: R0/0: Mar 06 14:26:35 install_engine.sh: %INSTALL-5-INSTALL_COMPLETED_INFO: Completed install rollback PACKAGE
*Mar 06 14:26:37.740: %IOSXE_OIR-6-REMCARD: Card (rp) removed from slot R1
*Mar 06 14:26:39.253: %IOSXE_OIR-6-INSCARD: Card (rp) inserted in slot R1Nov 2 14:26:5
 
Initializing Hardware...
 
System Bootstrap, Version 16.10.1r[FC1], RELEASE SOFTWARE (P)
Compiled Wed 11/28/2018  8:52:45.02 by rel
 
Current image running:
Primary Rommon Image
 
Last reset cause: SoftwareResetTrig
C9400-SUP-1 platform with 16777216 Kbytes of main memory
 
Preparing to autoboot. [Press Ctrl-C to interrupt] 0
attempting to boot from [bootflash:packages.conf]
 
Located file packages.conf
#
#################################################################################################################################################################################################################################################################################################
 
Warning: ignoring ROMMON var "BOOT_PARAM"
Warning: ignoring ROMMON var "USER_BOOT_PARAM"
 
Restricted Rights Legend
 
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
 
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
 
Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.6.2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Sat 22-Jul-17 05:51 by mcpre
 
Cisco IOS-XE software, Copyright (c) 2005-2017 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

FIPS: Flash Key Check : Begin
FIPS: Flash Key Check : End, Not Found, FIPS Mode Not Enabled
 
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
 
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
 
If you require further assistance please contact us by sending email to
export@cisco.com.
 
cisco C9410R (X86) processor (revision V00) with 868521K/6147K bytes of memory.
Processor board ID FXS2118Q1GM
312 Gigabit Ethernet interfaces
40 Ten Gigabit Ethernet interfaces
4 Forty Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
15958516K bytes of physical memory.
11161600K bytes of Bootflash at bootflash:.
1638400K bytes of Crash Files at crashinfo:.
0K bytes of WebUI ODM Files at webui:.
 
%INIT: waited 0 seconds for NVRAM to be available
 
Press RETURN to get started!

Step 4

Reload

boot flash:

If your switches are configured with auto boot, then the stack will automatically boot up with the new image. If not, you can manually boot flash:packages.conf

Switch: boot flash:packages.conf

Note

When you downgrade the software image, the boot loader does not automatically downgrade. It remains updated.

show version

After the image boots up, use this command to verify the version of the new image.

Note

When you boot the new image, the boot loader is automatically updated, but the new bootloader version is not displayed in the output until the next reload.

The following sample output of the show version command displays the Cisco IOS XE Everest 16.6.2 image on the device:

Switch# show version
Cisco IOS XE Software, Version 16.06.02
Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.6.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Tue 10-Jul-18 06:38 by mcpre
<output truncated>

Licensing

This section provides information about the licensing packages for features available on Cisco Catalyst 9000 Series Switches.

License Levels

The software features available on Cisco Catalyst 9400 Series Switches fall under these base or add-on license levels.

Base Licenses

Network Essentials
Network Advantage—Includes features available with the Network Essentials license and more.

Add-On Licenses

Add-On Licenses require a Network Essentials or Network Advantage as a pre-requisite. The features available with add-on license levels provide Cisco innovations on the switch, as well as on the Cisco Digital Network Architecture Center (Cisco DNA Center).

DNA Essentials
DNA Advantage— Includes features available with the DNA Essentials license and more.

To find information about platform support and to know which license levels a feature is available with, use Cisco Feature Navigator. To access Cisco Feature Navigator, go to https://cfnng.cisco.com. An account on cisco.com is not required.

License Types

The following license types are available:

Permanent—for a license level, and without an expiration date.
Term—for a license level, and for a three, five, or seven year period.
Evaluation—a license that is not registered.

License Levels - Usage Guidelines

Base licenses (Network Essentials and Network-Advantage) are ordered and fulfilled only with a permanent license type.
Add-on licenses (DNA Essentials and DNA Advantage) are ordered and fulfilled only with a term license type.
An add-on license level is included when you choose a network license level. If you use DNA features, renew the license before term expiry, to continue using it, or deactivate the add-on license and then reload the switch to continue operating with the base license capabilities.

When ordering an add-on license with a base license, note the combinations that are permitted and those that are not permitted:

Table 1. Permitted Combinations
	DNA Essentials	DNA Advantage
Network Essentials	Yes	No
Network Advantage	Yes⁵	Yes

⁵ You will be able to purchase this combination only at the time of the DNA license renewal and not when you purchase DNA-Essentials the first time.

Evaluation licenses cannot be ordered. They are not tracked via Cisco Smart Software Manager and expire after a 90-day period. Evaluation licenses can be used only once on the switch and cannot be regenerated. Warning system messages about an evaluation license expiry are generated only 275 days after expiration and every week thereafter. An expired evaluation license cannot be reactivated after reload. This applies only to Smart Licensing. The notion of evaluation licenses does not apply to Smart Licensing Using Policy.

Cisco Smart Licensing

Cisco Smart Licensing is a flexible licensing model that provides you with an easier, faster, and more consistent way to purchase and manage software across the Cisco portfolio and across your organization. And it’s secure – you control what users can access. With Smart Licensing you get:

Easy Activation: Smart Licensing establishes a pool of software licenses that can be used across the entire organization—no more PAKs (Product Activation Keys).
Unified Management: My Cisco Entitlements (MCE) provides a complete view into all of your Cisco products and services in an easy-to-use portal, so you always know what you have and what you are using.
License Flexibility: Your software is not node-locked to your hardware, so you can easily use and transfer licenses as needed.

To use Smart Licensing, you must first set up a Smart Account on Cisco Software Central (http://software.cisco.com).

Important

Cisco Smart Licensing is the default and the only available method to manage licenses.

For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide.

Deploying Smart Licensing

The following provides a process overview of a day 0 to day N deployment directly initiated from a device that is running Cisco IOS XE Fuji 16.9.1 or later releases. Links to the configuration guide provide detailed information to help you complete each one of the smaller tasks.

Procedure

Step 1

Begin by establishing a connection from your network to Cisco Smart Software Manager on cisco.com.

In the software configuration guide of the required release, see System Management → Configuring Smart Licensing → Connecting to CSSM

Step 2

Create and activate your Smart Account, or login if you already have one.

To create and activate Smart Account, go to Cisco Software Central → Create Smart Accounts. Only authorized users can activate the Smart Account.

Step 3

Complete the Cisco Smart Software Manager set up.

Accept the Smart Software Licensing Agreement.
Set up the required number of Virtual Accounts, users and access rights for the virtual account users.

Virtual accounts help you organize licenses by business unit, product type, IT group, and so on.
Generate the registration token in the Cisco Smart Software Manager portal and register your device with the token.

In the software configuration guide of the required release, see System Management → Configuring Smart Licensing → Registering the Device in CSSM

With this,

The device is now in an authorized state and ready to use.
The licenses that you have purchased are displayed in your Smart Account.

Using Smart Licensing on an Out-of-the-Box Device

Starting from Cisco IOS XE Fuji 16.9.1, if an out-of-the-box device has the software version factory-provisioned, all licenses on such a device remain in evaluation mode until registered in Cisco Smart Software Manager.

In the software configuration guide of the required release, see System Management → Configuring Smart Licensing → Registering the Device in CSSM

How Upgrading or Downgrading Software Affects Smart Licensing

Starting from Cisco IOS XE Fuji 16.9.1, Smart Licensing is the default and only license management solution; all licenses are managed as Smart Licenses.

Important

Starting from Cisco IOS XE Fuji 16.9.1, the Right-To-Use (RTU) licensing mode is deprecated, and the associated license right-to-use command is no longer available on the CLI.

Note how upgrading to a release that supports Smart Licensing or moving to a release that does not support Smart Licensing affects licenses on a device:

When you upgrade from an earlier release to one that supports Smart Licensing—all existing licenses remain in evaluation mode until registered in Cisco Smart Software Manager. After registration, they are made available in your Smart Account.

In the software configuration guide of the required release, see System Management → Configuring Smart Licensing → Registering the Device in CSSM
When you downgrade to a release where Smart Licensing is not supported—all smart licenses on the device are converted to traditional licenses and all smart licensing information on the device is removed.

Scaling Guidelines

For information about feature scaling guidelines, see these datasheets for Cisco Catalyst 9400 Series Switches:

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9400-series-switches/nb-06-cat9400-ser-data-sheet-cte-en.html

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9400-series-switches/nb-06-cat9600-series-line-data-sheet-cte-en.html

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9400-series-switches/nb-06-cat9400-ser-sup-eng-data-sheet-cte-en.html

Limitations and Restrictions

Cisco StackWise Virtual—A special, additional, C9400-SUP-UPG-LIC= license is required to configure the feature on the Cisco Catalyst 9400 Series Supervisor 1 Module (C9400-SUP-1).
Cisco TrustSec restrictions—Cisco TrustSec can be configured only on physical interfaces, not on logical interfaces.
Control Plane Policing (CoPP): The show run command does not display information about classes configured under system-cpp policy, when they are left at default values. Use the show policy-map system-cpp-policy or the show policy-map control-plane commands in privileged EXEC mode instead.
Flexible NetFlow limitations
- You cannot configure NetFlow export using the Ethernet Management port (GigabitEthernet0/0).
- You can not configure a flow monitor on logical interfaces, such as switched virtual interfaces (SVIs), port-channel, loopback, tunnels.
- You can not configure multiple flow monitors of same type (ipv4, ipv6 or datalink) on the same interface for same direction.
Hardware limitations: When you use Cisco QSFP-4SFP10G-CUxM Direct-Attach Copper Cables, autonegotiation is enabled by default. If the other end of the line does not support autonegotation, the link does not come up.
Interoperability limitations—When you use Cisco QSFP-4SFP10G-CUxM Direct-Attach Copper Cables, if one end of the 40G link is a Catalyst 9400 Series Switch and the other end is a Catalyst 9500 Series Switch, the link does not come up, or comes up on one side and stays down on the other. To avoid this interoperability issue between devices, apply the the speed nonegotiate command on the Catalyst 9500 Series Switch interface. This command disables autonegotiation and brings the link up. To restore autonegotiation, use the no speed nonegotiation command.
In-Service Software Upgrade (ISSU)—ISSU from Cisco IOS XE Fuji 16.9.x to Cisco IOS XE Gibraltar 16.11.x is not supported. This applies to both a single and dual supervisor module setup.
No service password recovery—With ROMMON versions R16.6.1r and R16.6.2r, the 'no service password-recovery' feature is not available.
QoS restrictions
- When configuring QoS queuing policy, the sum of the queuing buffer should not exceed 100%.
- For QoS policies, only switched virtual interfaces (SVI) are supported for logical interfaces.
- QoS policies are not supported for port-channel interfaces, tunnel interfaces, and other logical interfaces.
- Stack Queuing and Scheduling (SQS) drops CPU bound packets exceeding 1.4 Gbps.

Redundancy—The supervisor module (hardware) supports redundancy. Software redundancy is supported starting with Cisco IOS XE Everest 16.6.2. However, the associated route processor redundancy (RPR) feature is not supported.

Before performing a switchover, use the show redundancy , show platform , and show platform software iomd redundancy commands to ensure that both the SSOs have formed and that the IOMD process is completed.

In the following sample output for the show redundancy , note that both the SSOs have formed.

Switch# show redundancy
Redundant System Information :
------------------------------
Available system uptime = 3 hours, 30 minutes
Switchovers system experienced = 2
Standby failures = 0
Last switchover reason = active unit removed

Hardware Mode = Duplex
Configured Redundancy Mode = sso
Operating Redundancy Mode = sso
Maintenance Mode = Disabled
Communications = Up

Current Processor Information :
-------------------------------
Active Location = slot 3
Current Software state = ACTIVE
Uptime in current state = 2 hours, 57 minutes
Image Version = Cisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.8.1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Tue 27-Mar-18 13:43 by mcpre
BOOT = bootflash:packages.conf;
CONFIG_FILE =
Configuration register = 0x1822

Peer Processor Information :
----------------------------
Standby Location = slot 4
Current Software state = STANDBY HOT
Uptime in current state = 2 hours, 47 minutes
Image Version = Cisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.8.1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Tue 27-Mar-18 13:43 by mcpre
BOOT = bootflash:packages.conf;
CONFIG_FILE =
Configuration register = 0x1822

In the following sample output for the show platform command, note that both SSOs have formed and the HA_STATE field is ready.

Switch# show platform
Configured Redundancy Mode = sso
Operating Redundancy Mode = sso
Local RF state = ACTIVE
Peer RF state = STANDBY HOT
 
slot  PSM STATE   SPA INTF   HA_STATE HA_ACTIVE
   1     ready   started     ready    00:01:16
   2     ready   started     ready    00:01:22
   3     ready   started     ready    00:01:27 ***active RP
   4     ready   started     ready    00:01:27
<output truncated>

In the following sample output for the show platform software iomd redundancy command, note that the State for all the linecards and supervisor modules is ok. This indicates that the IOMD processes are completed.

Switch# show platform software iomd redundancy
Chassis type: C9407R             
 
Slot      Type                State                 Insert time (ago)
--------- ------------------- --------------------- -----------------
1         C9400-LC-24XS       ok                    3d09h        
2         C9400-LC-48U        ok                    3d09h        
R0        C9400-SUP-1         ok, active            3d09h        
R1        C9400-SUP-1         ok, standby           3d09h        
P1        C9400-PWR-3200AC    ok                    3d08h        
P2        C9400-PWR-3200AC    ok                    3d08h        
P17       C9407-FAN           ok                    3d08h  
<output truncated>

With bootloader version 16.6.2r, you cannot access the M.2 SATA SSD drive at the ROMMON prompt (rommon> dir disk0). The system displays an error message indicating that the corresponding file system protocol is not found on the device. The only way to access the drive when on bootloader version 16.6.2r, is through the Cisco IOS prompt, after boot up.
Secure Shell (SSH)
- Use SSH Version 2. SSH Version 1 is not supported.
- When the device is running SCP and SSH cryptographic operations, expect high CPU until the SCP read process is completed. SCP supports file transfers between hosts on a network and uses SSH for the transfer.
  
  Since SCP and SSH operations are currently not supported on the hardware crypto engine, running encryption and decryption process in software causes high CPU. The SCP and SSH processes can show as much as 40 or 50 percent CPU usage, but they do not cause the device to shutdown.
Uplink Symmetry—When a redundant supervisor module is inserted, we recommend that you have symmetric uplinks, to minimize packet loss during a switchover.

Uplinks are said to be in symmetry when the same interface on both supervisor modules have the same type of transceiver module. For example, a TenGigabitEthernet interface with no transceiver installed operates at a default 10G mode; if the matching interface of the other supervisor has a 10G transceiver, then they are in symmetry. Symmetry provides the best SWO packet loss and user experience.

Asymmetric uplinks have at least one or more pairs of interfaces in one supervisor not matching the transceiver speed of the other supervisor.
USB Authentication—When you connect a Cisco USB drive to the switch, the switch tries to authenticate the drive against an existing encrypted preshared key. Since the USB drive does not send a key for authentication, the following message is displayed on the console when you enter password encryption aes command:
```
Device(config)# password encryption aes
Master key change notification called without new or old key
```
VLAN Restriction—It is advisable to have well-defined segregation while defining data and voice domain during switch configuration and to maintain a data VLAN different from voice VLAN across the switch stack. If the same VLAN is configured for data and voice domains on an interface, the resulting high CPU utilization might affect the device.
YANG data modeling limitation—A maximum of 20 simultaneous NETCONF sessions are supported.
Embedded Event Manager—Identity event detector is not supported on Embedded Event Manager.
Secure Password Migration—Type 6 encrypted password is supported from Cisco IOS XE Gibraltar 16.10.1 and later releases. Autoconversion to password type 6 is supported from Cisco IOS XE Gibraltar 16.11.1 and later releases.

If the startup configuration has a type 6 password and you downgrade to a version in which type 6 password is not supported, you can/may be locked out of the device.
The File System Check (fsck) utility is not supported in install mode.

Caveats

Caveats describe unexpected behavior in Cisco IOS-XE releases. Caveats listed as open in a prior release are carried forward to the next release as either open or resolved.

Cisco Bug Search Tool

The Cisco Bug Search Tool (BST) allows partners and customers to search for software bugs based on product, release, and keyword, and aggregates key data such as bug details, product, and version. The BST is designed to improve the effectiveness in network risk management and device troubleshooting. The tool has a provision to filter bugs based on credentials to provide external and internal bug views for the search input.

To view the details of a caveat, click on the identifier.

Open Caveats in Cisco IOS XE Gibraltar 16.11.x


Identifier	Description
CSCvo77549	Cisco C2960c not powered up when both uplinks are connected to 9400 line card in BT compliant mode
CSCvo88681	PDs with very low leakage current are not detected on LC operating in 802.3bt compliant mode

Resolved Caveats in Cisco IOS XE Gibraltar 16.11.1


Identifier	Description
CSCvg76459	Status of show module output needs to be more specific for the case of line card shutdown
CSCvj07386	Traffic is lost for about 30 seconds in both directions and comes back in one direction on SWO
CSCvj77431	Some ports are dropping 100% traffic after switchovers
CSCvk00432	Memory leak in alloc_repexp_entry caused by alloc_ril_index failure
CSCvk06087	mGig ports on C9400 - Link down with forced speed 100/full duplex when connect to half duplex device
CSCvk10581	SIT-16.6.4: memory leak in cmcc process when setup in idle state for 12 hours
CSCvk36611	mGig ports on C9400 - Link down with forced speed 100/full duplex when connect to half duplex device
CSCvk52659	C9400 16.6.4 Sup/line card get into faulty state after reload while doing copy start run during POST
CSCvm45417	Cat9K HA/ 16.9.x,16.10.x- Connectivity issue due to wrong dest MAC rewrite for routed packet
CSCvm82878	Some PDs changed from Oper state on to off after switchover if LC inserted after bootup
CSCvm94132	AAL-INFRA:L2 failed to get ID handle
CSCvn60020	Multi-rate SFP CSR/LRS support in SUPXL25
CSCvn65834	Packet drops on mgig ports due to link negotiation issue
CSCvn83359	IOSD Memory Leak in SVL
CSCvo06656	show tech-support stackwise-virtual should look for stby-bootflash: on 9400 as oppose to flash-2:
CSCvo19717	crash in fib_path_list_walk_apply (cisco.comp/cfc_cefmpls/cef/src/fib_path_list_deps.c)

Troubleshooting

For the most up-to-date, detailed troubleshooting information, see the Cisco TAC website at this URL:

https://www.cisco.com/en/US/support/index.html

Go to Product Support and select your product from the list or enter the name of your product. Look under Troubleshoot and Alerts, to find information for the problem that you are experiencing.

Communications, Services, and Additional Information

To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
To submit a service request, visit Cisco Support.
To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.
To obtain general networking, training, and certification titles, visit Cisco Press.
To find warranty information for a specific product or product family, access Cisco Warranty Finder.

Release Notes for Cisco Catalyst 9400 Series Switches, Cisco IOS XE Gibraltar 16.11.x

Available Languages

Download Options

Bias-Free Language

Release Notes for Cisco Catalyst 9400 Series Switches, Cisco IOS XE Gibraltar 16.11.x

Introduction

Whats New in Cisco IOS XE Gibraltar 16.11.1

Hardware Features in Cisco IOS XE Gibraltar 16.11.1

Software Features in Cisco IOS XE Gibraltar 16.11.1

Important Notes

Cisco StackWise Virtual - Supported and Unsupported Features

Unsupported Features

Complete List of Supported Features

Accessing Hidden Commands

Supported Hardware

Cisco Catalyst 9400 Series Switches—Model Numbers

Supported Hardware on Cisco Catalyst 9400 Series Switches

Optics Modules

Compatibility Matrix

Web UI System Requirements

Minimum Hardware Requirements

Software Requirements

ROMMON and CPLD Versions

Upgrading the Switch Software

Finding the Software Version

Software Images

Automatic Boot Loader Upgrade

Complex Programmable Logic Device (CPLD) Upgrade

Software Installation Commands

Upgrading in Install Mode

Before you begin

Procedure

Downgrading in Install Mode

Before you begin

Procedure

Licensing

License Levels

Base Licenses

Add-On Licenses

License Types

License Levels - Usage Guidelines

Cisco Smart Licensing

Deploying Smart Licensing

Procedure

Using Smart Licensing on an Out-of-the-Box Device

How Upgrading or Downgrading Software Affects Smart Licensing

Scaling Guidelines

Limitations and Restrictions

Caveats

Cisco Bug Search Tool

Open Caveats in Cisco IOS XE Gibraltar 16.11.x

Resolved Caveats in Cisco IOS XE Gibraltar 16.11.1

Troubleshooting

Related Documentation

Communications, Services, and Additional Information

Was this Document Helpful?

Contact Cisco

This Document Applies to These Products