Release Notes for Cisco Catalyst 9400 Series Switches, Cisco IOS XE Gibraltar 16.12.x
Introduction
Cisco Catalyst 9400 Series Switches are Cisco’s leading modular enterprise switching access platform and have been purpose-built to address emerging trends of Security, IoT, Mobility, and Cloud.
They deliver complete convergence with the rest of the Cisco Catalyst 9000 Series Switches in terms of ASIC architecture with Unified Access Data Plane (UADP) 2.0 and UADP 3.0. The platform runs an Open Cisco IOS XE that supports model driven programmability, has the capacity to host containers, and run 3rd party applications and scripts natively within the switch (by virtue of x86 CPU architecture, local storage, and a higher memory footprint). This series forms the foundational building block for SD-Access, which is Cisco’s lead enterprise architecture.
Cisco Catalyst 9400 Series Switches are enterprise optimized with a dual-serviceable fan tray design, side to side airflow, and are closet-friendly with a16-inch depth
Whats New in Cisco IOS XE Gibraltar 16.12.8
There are no new hardware or software features in this release. For the list of open and resolved caveats in this release, see Caveats.
Whats New in Cisco IOS XE Gibraltar 16.12.7
There are no new hardware or software features in this release. For the list of open and resolved caveats in this release, see Caveats.
Whats New in Cisco IOS XE Gibraltar 16.12.6
There are no new hardware or software features in this release. For the list of open and resolved caveats in this release, see Caveats.
Whats New in Cisco IOS XE Gibraltar 16.12.5b
There are no new hardware or software features in this release. For the list of open and resolved caveats in this release, see Caveats.
Whats New in Cisco IOS XE Gibraltar 16.12.5
There are no new hardware or software features in this release. For the list of open and resolved caveats in this release, see Caveats.
Whats New in Cisco IOS XE Gibraltar 16.12.4
There are no new hardware or software features in this release. For the list of open and resolved caveats in this release, see Caveats.
Whats New in Cisco IOS XE Gibraltar 16.12.3a
There are no new hardware or software features in this release. For the list of open and resolved caveats in this release, see Caveats.
Whats New in Cisco IOS XE Gibraltar 16.12.3
There are no new hardware or software features in this release. For the list of open and resolved caveats in this release, see Caveats.
Whats New in Cisco IOS XE Gibraltar 16.12.2
Hardware Features in Cisco IOS XE Gibraltar 16.12.2
There are no new hardware features in this release.
Software Features in Cisco IOS XE Gibraltar 16.12.2
|
Feature Name |
Description, Documentation Link, and License Level Information |
|---|---|
|
Cisco StackWise Virtual |
Introduces support for configuring StackWise Virtual link (SVL) and dual-active detection (DAD) links on Cisco Catalyst 9400 Series Switch 10-Gigabit Ethernet line cards. See High Availability → Configuring Cisco StackWise Virtual. (Network Advantage) |
Whats New in Cisco IOS XE Gibraltar 16.12.1c
There are no new hardware or software features in this release. For the list of open and resolved caveats in this release, see Caveats.
Whats New in Cisco IOS XE Gibraltar 16.12.1
Hardware Features in Cisco IOS XE Gibraltar 16.12.1
|
Feature Name |
Description and Documentation Link |
|---|---|
|
C9400-LC-48H |
Cisco Catalyst 9400 Series 48-port, 10/100/1000 BASE-T Gigabit Ethernet, IEEE 802.3bt compliant module supporting up to 90 W Cisco UPOE+ on each of its 48 RJ45 ports. See Cisco Catalyst 9400 Series Switching Module Installation Note. |
Software Features in Cisco IOS XE Gibraltar 16.12.1
|
Feature Name |
Description, Documentation Link, and License Level Information |
|---|---|
|
Autoconf Device Granularity to PID of Cisco Switch |
Introduces the platform type filter option for class map and parameter map configurations. Use the map platform-type command in parameter map filter configuration mode, to set the parameter map attribute and the match platform-type command in control class-map filter configuration mode, to evaluate control classes. See Network Management → Configuring Autoconf. (Network Essentials and Network Advantage) |
|
Automatic line card (autoLC) shutdown |
Starting with this release, autoLC shutdown (power supply autolc shutdown ) is always enabled and cannot be disabled. In all earlier releases, autoLC shutdown continues to be disabled by default and must be manually enabled if you want the system hardware to shut down line cards in the event of a power constraint. See System Management → Environmental Monitoring and Power Management (Network Essentials and Network Advantage) |
|
Border Gateway Protocol (BGP) Ethernet VPN (EVPN) Route Target (RT) Autonomous System Number (ASN) Rewrite |
Introduces support for the rewrite-evpn-rt-asn command in address-family configuration mode. This command enables the rewrite of the ASN portion of the EVPN route target that originates from the current autonomous system, with the ASN of the target eBGP EVPN peer. See IP Routing Commands → rewrite-evpn-rt-asn. (Network Advantage) |
|
Bidirectional Protocol Independent Multicast (PIM) |
Introduces support for bidirectional PIM. This feature is an extension of the PIM suite of protocols that implements shared sparse trees with bidirectional data flow. In contrast to PIM-sparse mode, bidirectional PIM avoids keeping source-specific state in a router and allows trees to scale to an arbitrary number of sources. See IP Multicast Routing → Configuring Protocol Independent Multicast (PIM). (Network Advantage) |
|
Bluetooth Dongle |
Introduces support for external USB Bluetooth dongles. The connected dongle acts as a Bluetooth host and serves as a management port connection on the device. See Interface and Hardware Components → Configuring an External USB Bluetooth Dongle. (Network Essentials) |
|
Energy Efficient Ethernet (EEE) support on Multigigabit (mGig) Ethernet ports |
EEE is now supported on linecards with mGig ports. See Interface and Hardware Components → Configuring EEE. (Network Essentials and Network Advantage) |
|
Ethernet over MPLS (EoMPLS) Xconnect on Subinterfaces |
Transports Ethernet traffic from a source 802.1Q VLAN to a destination 802.1Q VLAN through a single virtual circuit over an Multiprotocol Label Switching (MPLS) network. See Multiprotocol Label Switching → Configuring Ethernet-over-MPLS (EoMPLS). (Network Advantage) |
|
Flexlink+ |
Configures a pair of Layer 2 interfaces - one interface is configured to act as a backup for the other interface. See Layer 2 → Configuring Flexlink+. (Network Essentials and Network Advantage) |
|
In Service Software Upgrade (ISSU) with CiscoStackWise Virtual |
Introduces support for ISSU with Cisco StackWise Virtual configured on the C9410R switch model, in dual supervisor module configuration, with single supervisor per C9410R. See High Availability → Configuring ISSU. (Network Advantage) |
|
IPv4 and IPv6: Object Groups for access control lists (ACLs) |
Enables you to classify users, devices, or protocols into groups and apply them to ACLs, to create access control policies for these groups. With this feature, you use object groups instead of individual IP addresses, protocols, and ports, which are used in conventional ACLs. It allows multiple access control entries (ACEs), and you can use each ACE to allow or deny an entire group of users the access to a group of servers or services. See Security → Object Groups for ACLs. (Network Essentials and Network Advantage) |
|
IPv6: BGP |
IPv6 support is introduced for the following features:
(Network Advantage) |
|
IPv6: Intermediate System to Intermediate System (IS-IS) |
IPv6 support is introduced for the following IS-IS features:
|
|
IPv6: IP Enhanced IGRP Route Authentication |
IPv6 support is introduced for IP Enhanced IGRP Route Authentication (Network Advantage and Network Essentials) |
|
IPv6: IP Service Level Agreements (SLAs) |
IPv6 support is introduced for following IP SLA features:
(Network Advantage and Network Essentials) |
|
IPv6: MIBs for IPv6 Traffic |
IPv6 support is introduced for the following MIBs:
(Network Advantage and Network Essentials) |
|
IPv6: Multiprotocol Label Switching (MPLS) |
IPv6 support is introduced for the following MPLS features:
(Network Advantage) |
|
IPv6: Multicast Routing |
IPv6 support is introduced for the following multicast routing features:
(Network Advantage) |
|
IPv6: Neighbor Discovery |
IPv6 support is introduced for the following Neighbor Discovery features:
(Network Advantage and Network Essentials) |
|
IPv6: PBR Recursive Next-Hop |
IPv6 support is introduced for PBR Recursive Next-Hop option. (Network Advantage and Network Essentials) |
|
IPv6-based Posture Validation |
IPv6 support is introduced for Posture Validation. (Network Advantage and Network Essentials) |
|
IPv6: Proxy Mobile |
IPv6 support is introduced for PMIPv6 Hybrid Access. |
|
IPv6: Open Shortest Path First (OSPF) |
IPv6 support is introduced for the following OSPF features:
(Network Advantage and Network Essentials) |
|
IPv6: Services |
IPv6 support is introduced for AAAA DNS Lookups over an IPv6 Transport. (Network Advantage and Network Essentials) |
|
IPv6: Time-Based Access Lists Using Time Ranges |
IPv6 support is introduced for Time-Based Access Lists using time ranges. (Network Advantage and Network Essentials) |
|
IPv6: Triggered RIP |
IPv6 support is introduced for Triggered Extensions to RIP. |
|
MPLS Layer 2 VPN over GRE |
Provides a mechanism for tunneling Layer 2 MPLS packets over a non-MPLS network. See Multiprotocol Label Switching → Configuring MPLS Layer 2 VPN over GRE. (Network Advantage) |
|
MPLS Subinterface Support |
MPLS is now supported on Layer 3 subinterfaces. See VLAN → Configuring Layer 3 Subinterfaces. (Network Advantage) |
|
MPLS Layer 3 VPN over Generic Routing Encapsulation (GRE) |
Provides a mechanism for tunneling Layer 3 MPLS packets over a non-MPLS network. See Multiprotocol Label Switching → Configuring MPLS Layer 3 VPN over GRE. (Network Advantage) |
|
Port Channel with Subinterface |
Subinterfaces can now be created on Layer 3 port channels. See VLAN → Configuring Layer 3 Subinterfaces. (Network Essentials and Network Advantage) |
|
Programmability
|
The following programmability features are introduced in this release:
See Programmability. (Network Essentials and Network Advantage) |
|
Seamless MPLS |
Integrates multiple networks into a single MPLS domain. It removes the need for service-specific configurations in network transport nodes. See Multiprotocol Label Switching → Configuring Seamless MPLS. (Network Advantage) |
|
Simplified Factory Reset for Removable Storage |
Performing a factory reset now also erases the contents of removable storage devices such as Serial Advanced Technology Attachment (SATA), Solid State Drive (SSD), and USB. See System Management → Performing Factory Reset. (Network Advantage) |
|
Source Group Tag (SGT), Destination Group Tag (DGT) over FNF for IPv6 traffic |
Introduces support for SGT and DGT fields over FNF, for IPv6 traffic. See Network Management → Configuring Flexible NetFlow. (Network Advantage) |
|
Stack troubleshooting optimization |
The output of the show tech-support stack command has been enhanced to include more stack-related information. See High Availability Commands → show tech-support stack. (A license level does not apply) |
|
VPN Routing and Forwarding-aware Policy Based Routing (VRF-aware PBR) |
The PBR feature is now VRF-aware and can be configured on VRF lite interfaces. You can enable policy based routing of packets for a VRF instance. See IP Routing → Configuring VRF aware PBR. (Network Advantage) |
|
New on the Web UI |
|
|
Use the WebUI for:
|
Important Notes
Cisco StackWise Virtual - Supported and Unsupported Features
When you enable Cisco StackWise Virtual on the device
-
Layer 2, Layer 3, Security, Quality of Service, Multicast, Application, Monitoring and Management, Multiprotocol Label Switching, High Availability, and VXLAN BGP EVPN are supported.
Contact the Cisco Technical Support Centre for the specific list of features that are supported under each one of these technologies.
-
Resilient Ethernet Protocol, Remote Switched Port Analyzer, and Sofware-Defined Access are NOT supported
Unsupported Features
-
Audio Video Bridging (including IEEE802.1AS, IEEE 802.1Qat, and IEEE 802.1Qav)
-
Cisco TrustSec Network Device Admission Control (NDAC) on Uplinks
-
Converged Access for Branch Deployments
-
Fast PoE
-
IPsec VPN
-
MACsec Switch to Switch Connections on C9400-SUP-1XL-Y.
-
Performance Monitoring (PerfMon)
-
Virtual Routing and Forwarding (VRF)-Aware web authentication
Complete List of Supported Features
For the complete list of features supported on a platform, see the Cisco Feature Navigator at https://www.cisco.com/go/cfn.
Default Behaviour
Beginning from Cisco IOS XE Gibraltar 16.12.5 and later, do not fragment bit (DF bit) in the IP packet is always set to 0 for all outgoing RADIUS packets (packets that originate from the device towards the RADIUS server).
Supported Hardware
Cisco Catalyst 9400 Series Switches—Model Numbers
The following table lists the supported switch models. For information about the available license levels, see section License Levels.
|
Switch Model (append with “=” for spares) |
Description |
|---|---|
|
C9404R |
Cisco Catalyst 9400 Series 4 slot chassis
|
|
C9407R |
Cisco Catalyst 9400 Series 7 slot chassis
|
|
C9410R |
Cisco Catalyst 9400 Series 10 slot chassis
|
Supported Hardware on Cisco Catalyst 9400 Series Switches
|
Product ID (append with “=” for spares) |
Description |
|---|---|
|
Supervisor Modules |
|
|
C9400-SUP-1 |
Cisco Catalyst 9400 Series Supervisor 1 Module This supervisor module is supported on the C9404R, C9407R, and C9410R chassis. |
|
C9400-SUP-1XL |
Cisco Catalyst 9400 Series Supervisor 1XL Module This supervisor module is supported on the C9404R, C9407R, and C9410R chassis. |
|
C9400-SUP-1XL-Y |
Cisco Catalyst 9400 Series Supervisor 25XL Module This supervisor module is supported on the C9404R, C9407R, and C9410R chassis. |
|
Line Cards |
|
|
C9400-LC-24S |
24-port, 1 Gigabit Ethernet SFP module that supports 100/1000 BASET-T with Cu-SFP |
|
C9400-LC-24XS |
24-port Gigabit Ethernet module that supports 1 and 10 Gbps connectivity. |
|
C9400-LC-48H |
48-port Gigabit Ethernet UPOE+ module supporting up to 90W on each of its 48 RJ45 ports. |
|
C9400-LC-48P |
48 Port, 1 Gigabit Ethernet POE/POE+ module supporting up to 30W per port. |
|
C9400-LC-48S |
48 Port, 1 Gigabit Ethernet SFP module that supports 100/1000 BASET-T with Cu-SFP. |
|
C9400-LC-48T |
48-port, 10/100/1000 BASE-T Gigabit Ethernet module. |
|
C9400-LC-48U |
48-Port UPOE 10/100/1000 (RJ-45) module supporting up to 60W per port. |
|
C9400-LC-48UX |
48-port, UPOE Multigigabit Ethernet Module with:
|
|
M.2 SATA SSD Modules1 (for the Supervisor) |
|
|
C9400-SSD-240GB |
Cisco Catalyst 9400 Series 240GB M2 SATA memory |
|
C9400-SSD-480GB |
Cisco Catalyst 9400 Series 480GB M2 SATA memory |
|
C9400-SSD-960GB |
Cisco Catalyst 9400 Series 960GB M2 SATA memory |
|
AC Power Supply Modules |
|
|
C9400-PWR-2100AC |
Cisco Catalyst 9400 Series 2100W AC Power Supply |
|
C9400-PWR-3200AC |
Cisco Catalyst 9400 Series 3200W AC Power Supply |
|
DC Power Supply Modules |
|
|
C9400-PWR-3200DC |
Cisco Catalyst 9400 Series 3200W DC Power Supply |
Optics Modules
Cisco Catalyst Series Switches support a wide range of optics and the list of supported optics is updated on a regular basis. Use the Transceiver Module Group (TMG) Compatibility Matrix tool, or consult the tables at this URL for the latest transceiver module compatibility information: https://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html
Compatibility Matrix
The following table provides software compatibility information between Cisco Catalyst 9400 Series Switches, Cisco Identity Services Engine, Cisco Access Control Server, and Cisco Prime Infrastructure.
|
Catalyst 9400 |
Cisco Identity Services Engine |
Cisco Access Control Server |
Cisco Prime Infrastructure |
|---|---|---|---|
|
Gibraltar 16.12.8 |
2.6 |
- |
PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads. |
|
Gibraltar 16.12.7 |
2.6 |
- |
PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads. |
|
Gibraltar 16.12.6 |
2.6 |
- |
PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads. |
|
Gibraltar 16.12.5b |
2.6 |
- |
PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads. |
|
Gibraltar 16.12.5 |
2.6 |
- |
PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads. |
|
Gibraltar 16.12.4 |
2.6 |
- |
PI 3.8 + PI 3.8 latest maintenance release + PI 3.8 latest device pack See Cisco Prime Infrastructure 3.8 → Downloads. |
|
Gibraltar 16.12.3a |
2.6 |
- |
PI 3.5 + PI 3.5 latest maintenance release + PI 3.5 latest device pack See Cisco Prime Infrastructure 3.5 → Downloads. |
|
Gibraltar 16.12.3 |
2.6 |
- |
PI 3.5 + PI 3.5 latest maintenance release + PI 3.5 latest device pack See Cisco Prime Infrastructure 3.5 → Downloads. |
|
Gibraltar 16.12.2 |
2.6 |
- |
PI 3.5 + PI 3.5 latest maintenance release + PI 3.5 latest device pack See Cisco Prime Infrastructure 3.5 → Downloads. |
|
Gibraltar 16.12.1 |
2.6 |
- |
PI 3.5 + PI 3.5 latest maintenance release + PI 3.5 latest device pack See Cisco Prime Infrastructure 3.5 → Downloads. |
|
Gibraltar 16.11.1 |
2.6 2.4 Patch 5 |
5.4 5.5 |
PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4 → Downloads. |
|
Gibraltar 16.10.1 |
2.3 Patch 1 2.4 Patch 1 |
5.4 5.5 |
PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads. |
| Fuji 16.9.8 |
2.5 2.1 |
5.4 5.5 |
PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads. |
|
Fuji 16.9.7 |
2.5 2.1 |
5.4 5.5 |
PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads. |
|
Fuji 16.9.6 |
2.3 Patch 1 2.4 Patch 1 |
5.4 5.5 |
PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads. |
|
Fuji 16.9.5 |
2.3 Patch 1 2.4 Patch 1 |
5.4 5.5 |
PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads. |
|
Fuji 16.9.4 |
2.3 Patch 1 2.4 Patch 1 |
5.4 5.5 |
PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads. |
|
Fuji 16.9.3 |
2.3 Patch 1 2.4 Patch 1 |
5.4 5.5 |
PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads. |
|
Fuji 16.9.2 |
2.3 Patch 1 2.4 Patch 1 |
5.4 5.5 |
PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads. |
|
Fuji 16.9.1 |
2.3 Patch 1 2.4 Patch 1 |
5.4 5.5 |
PI 3.4 + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads. |
|
Fuji 16.8.1a |
2.3 Patch 1 2.4 |
5.4 5.5 |
PI 3.3 + PI 3.3 latest maintenance release + PI 3.3 latest device pack See Cisco Prime Infrastructure 3.3→ Downloads. |
| Everest 16.6.4a |
2.2 2.3 |
5.4 5.5 |
PI 3.1.6 + Device Pack 13 See Cisco Prime Infrastructure 3.1 → Downloads. |
| Everest 16.6.4 |
2.2 2.3 |
5.4 5.5 |
PI 3.1.6 + Device Pack 13 See Cisco Prime Infrastructure 3.1 → Downloads. |
|
Everest 16.6.3 |
2.2 2.3 |
5.4 5.5 |
PI 3.1.6 + Device Pack 13 See Cisco Prime Infrastructure 3.1 → Downloads |
|
Everest 16.6.2 |
2.2 2.3 |
5.4 5.5 |
PI 3.1.6 + Device Pack 13 See Cisco Prime Infrastructure 3.1 → Downloads |
|
Everest 16.6.1 |
2.2 |
5.4 5.5 |
PI 3.1.6 + Device Pack 13 See Cisco Prime Infrastructure 3.1 → Downloads |
Web UI System Requirements
The following subsections list the hardware and software required to access the Web UI:
Minimum Hardware Requirements
|
Processor Speed |
DRAM |
Number of Colors |
Resolution |
Font Size |
|---|---|---|---|---|
|
233 MHz minimum2 |
512 MB3 |
256 |
1280 x 800 or higher |
Small |
Software Requirements
Operating Systems
-
Windows 10 or later
-
Mac OS X 10.9.5 or later
Browsers
-
Google Chrome—Version 59 or later (On Windows and Mac)
-
Microsoft Edge
-
Mozilla Firefox—Version 54 or later (On Windows and Mac)
-
Safari—Version 10 or later (On Mac)
ROMMON and CPLD Versions
The following table provides ROMMON and CPLD version information for the Cisco Catalyst 9400 Series Supervisor Modules. For ROMMON and CPLD version information of Cisco IOS XE 17.x.x releases, refer to the corresponding Cisco IOS XE 17.x.x release notes of the respective platform.
|
Release |
ROMMON Version (C9400-SUP-1, C9400-SUP-1XL, C9400-SUP-1XL-Y) |
CPLD Version (C9400-SUP-1, C9400-SUP-1XL, C9400-SUP-1XL-Y) |
|---|---|---|
|
Gibraltar 16.12.7 |
16.12.2r |
19032905 |
|
Gibraltar 16.12.6 |
16.12.2r |
19032905 |
|
Gibraltar 16.12.5 |
16.12.2r |
19032905 |
|
Gibraltar 16.12.4 |
16.12.2r |
19032905 |
|
Gibraltar 16.12.3 |
16.12.2r |
19032905 |
|
Gibraltar 16.12.2 |
16.12.1r |
19032905 |
|
Gibraltar 16.12.1c |
16.12.1r |
19032905 |
|
Gibraltar 16.11.1 |
16.10.2r |
17101705 |
|
Gibraltar 16.10.1 |
16.6.2r |
17101705 |
|
Fuji 16.9.x |
16.6.2r[FC1] |
17101705 |
|
Fuji 16.8.1a |
16.6.2r |
17101705 |
|
Everest 16.6.x |
16.6.2r[FC1] |
17101705 |
Upgrading the Switch Software
This section covers the various aspects of upgrading or downgrading the device software.
 Note |
You cannot use the Web UI to install, upgrade, or downgrade device software. |
Finding the Software Version
The package files for the Cisco IOS XE software are stored on the system board flash device (flash:).
You can use the show version privileged EXEC command to see the software version that is running on your switch.
Note |
Although the show version output always shows the software image running on the switch, the model name shown at the end of this display is the factory configuration and does not change if you upgrade the software license. |
You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.
Software Images
|
Release |
Image Type |
File Name |
|---|---|---|
|
Cisco IOS XE Gibraltar 16.12.8 |
CAT9K_IOSXE |
cat9k_iosxe.16.12.08.SPA.bin |
|
No Payload Encryption (NPE) |
cat9k_iosxe_npe.16.12.08.SPA.bin |
|
|
Cisco IOS XE Gibraltar 16.12.7 |
CAT9K_IOSXE |
cat9k_iosxe.16.12.07.SPA.bin |
|
No Payload Encryption (NPE) |
cat9k_iosxe_npe.16.12.07.SPA.bin |
|
|
Cisco IOS XE Gibraltar 16.12.6 |
CAT9K_IOSXE |
cat9k_iosxe.16.12.06.SPA.bin |
|
No Payload Encryption (NPE) |
cat9k_iosxe_npe.16.12.06.SPA.bin |
|
|
Cisco IOS XE Gibraltar 16.12.5b |
CAT9K_IOSXE |
cat9k_iosxe.16.12.05b.SPA.bin |
|
No Payload Encryption (NPE) |
cat9k_iosxe_npe.16.12.05b.SPA.bin |
|
|
Cisco IOS XE Gibraltar 16.12.5 |
CAT9K_IOSXE |
cat9k_iosxe.16.12.05.SPA.bin |
|
No Payload Encryption (NPE) |
cat9k_iosxe_npe.16.12.05.SPA.bin |
|
|
Cisco IOS XE Gibraltar 16.12.4 |
CAT9K_IOSXE |
cat9k_iosxe.16.12.04.SPA.bin |
|
No Payload Encryption (NPE) |
cat9k_iosxe_npe.16.12.04.SPA.bin |
|
|
Cisco IOS XE Gibraltar 16.12.3a |
CAT9K_IOSXE |
cat9k_iosxe.16.12.03a.SPA.bin |
|
No Payload Encryption (NPE) |
cat9k_iosxe_npe.16.12.03a.SPA.bin |
|
|
Cisco IOS XE Gibraltar 16.12.3 |
CAT9K_IOSXE |
cat9k_iosxe.16.12.03.SPA.bin |
|
No Payload Encryption (NPE) |
cat9k_iosxe_npe.16.12.03.SPA.bin |
|
|
Cisco IOS XE Gibraltar 16.12.2 |
CAT9K_IOSXE |
cat9k_iosxe.16.12.02.SPA.bin |
|
No Payload Encryption (NPE) |
cat9k_iosxe_npe.16.12.02.SPA.bin |
|
|
Cisco IOS XE Gibraltar 16.12.1c |
CAT9K_IOSXE |
cat9k_iosxe.16.12.01c.SPA.bin |
|
No Payload Encryption (NPE) |
cat9k_iosxe_npe.16.12.01c.SPA.bin |
Automatic Boot Loader Upgrade
 Caution |
You must comply with these cautionary guidelines during an upgrade:
|
Note |
Disconnecting and reconnecting power to a Cisco Catalyst 9400 Series Supervisor 1 Module within a 5-second window, can corrupt the boot SPI. |
Software Installation Commands
|
Summary of Software Installation Commands |
|
|---|---|
|
To install and activate the specified file, and to commit changes to be persistent across reloads:
To separately install, activate, commit, cancel, or remove the installation file: |
|
|
add file tftp: filename |
Copies the install file package from a remote location to the device and performs a compatibility check for the platform and image versions. |
|
activate [ auto-abort-timer] |
Activates the file, and reloads the device. The auto-abort-timer keyword automatically rolls back image activation. |
|
commit |
Makes changes persistent over reloads. |
|
rollback to committed |
Rolls back the update to the last committed version. |
|
abort |
Cancels file activation, and rolls back to the version that was running before the current installation procedure started. |
|
remove |
Deletes all unused and inactive software installation files. |
Upgrading with In Service Software Upgrade (ISSU) with Cisco StackWise Virtual
Follow these instructions to perform In Service Software Upgrade (ISSU) to Cisco IOS XE Gibraltar 16.12.1 with Cisco StackWise Virtual, in install mode.
Before you begin
Note that you can use this procedure for the following upgrade scenarios:
|
When upgrading from ... |
To... |
|---|---|
|
Cisco IOS XE Fuji 16.9.3 or Cisco IOS XE Fuji 16.9.4 |
Cisco IOS XE Gibraltar 16.12.x |
Note |
Downgrade with ISSU is not supported. To downgrade, follow the instructions in the Downgrading in Install Mode section. |
For more information about ISSU release support and recommended releases, see Technical References → In-Service Software Upgrade (ISSU).
Procedure
|
Step 1 |
enable Enables privileged EXEC mode. Enter your password if prompted. |
|
Step 2 |
install add file activate issu commit Use this command to automate the sequence of all the upgrade procedures, including downloading the images to both the switches, expanding the images into packages, and upgrading each switch as per the procedures. The following sample output displays installation of Cisco IOS XE Gibraltar 16.12.1 software image with ISSU procedure. |
|
Step 3 |
show version Use this command to verify the version of the new image. The following sample output of the show version command displays the Cisco IOS XE Gibraltar 16.12.1 image on the device:
|
|
Step 4 |
show issu state [detail] Use this command to verify that no ISSU process is in pending state. |
|
Step 5 |
exit Exits privileged EXEC mode and returns to user EXEC mode. |
Upgrading with In Service Software Upgrade (ISSU) in Dual Supervisor Module Configuration
Follow these instructions to perform ISSU upgrade from Cisco IOS XE Gibraltar 16.12.1c to Cisco IOS XE Gibraltar 16.12.2, in install mode. The sample output in this section displays upgrade from Cisco IOS XE Gibraltar 16.12.1c to Cisco IOS XE Gibraltar 16.12.2 using install commands.
Before you begin
ISSU from Cisco IOS XE Gibraltar 16.12.1c to any release requires installation of Software Maintenance Upgrade (SMU) packages. ISSU from Cisco IOS XE Gibraltar 16.12.2 and later does not require installation of SMU packages.
Install the following SMU packages before performing ISSU.
|
Scenario |
File Name (Hot Patch) |
|---|---|
|
Cisco IOS XE Fuji 16.9.1 to any ISSU supported release |
cat9k_iosxe.16.09.01.CSCvs66914.SPA.smu.bin |
|
Cisco IOS XE Fuji 16.9.2 to any ISSU supported release |
cat9k_iosxe.16.09.02.CSCvs66914.SPA.smu.bin |
|
Cisco IOS XE Fuji 16.9.3 to any ISSU supported release |
cat9k_iosxe.16.09.03.CSCvs66914.SPA.smu.bin |
|
Cisco IOS XE Fuji 16.9.4 to any ISSU supported release |
cat9k_iosxe.16.09.04.CSCvs66914.SPA.smu.bin |
|
Cisco IOS XE Gibraltar 16.12.1c to any ISSU supported release |
cat9k_iosxe.16.12.01c.CSCvs66914.SPA.smu.bin |
Note |
Downgrade with ISSU is not supported. To downgrade, follow the instructions in the Downgrading in Install Mode section. |
For more information about ISSU release support and recommended releases, see Technical References → In-Service Software Upgrade (ISSU).
Procedure
|
Step 1 |
enable Enables privileged EXEC mode. Enter your password if prompted. |
|
Step 2 |
show redundancy Use this command to display redundancy facility information. |
|
Step 3 |
show issu state [detail] Use this command to verify that no other ISSU process is in progress. |
|
Step 4 |
install add file activate commit Use the commands below to install the SMU packages. install add file tftp:cat9k_iosxe.16.12.01c.CSCvs66914.SPA.smu.bin activate commit The following sample output displays installation of the CSCvs66914 SMU package. |
|
Step 5 |
show install summary Use this command to verify if the SMU packages are installed properly. The following sample output displays that the CSCvs66914 SMU package has been installed on the switch. |
|
Step 6 |
install add file activate issu commit Use this command to automate the sequence of all the upgrade procedures, including downloading the images to both the switches, expanding the images into packages, and upgrading each switch as per the procedures. The following sample output displays the installation of the Cisco IOS XE Gibraltar 16.12.2 software image with ISSU procedure. |
|
Step 7 |
show version Use this command to verify the version of the new image. The following sample output of the show version command displays the Cisco IOS XE Gibraltar 16.12.2 image on the device: |
|
Step 8 |
show issu state [detail] Use this command to verify that no ISSU process is in pending state. The following is a sample output of show issu state detail after installation of the software image with ISSU. |
|
Step 9 |
exit Exits privileged EXEC mode and returns to user EXEC mode. |
Upgrading in Install Mode
Follow these instructions to upgrade from one release to another, in install mode. To perform a software image upgrade, you must be booted into IOS via boot flash:packages.conf .
Before you begin
Note that you can use this procedure for the following upgrade scenarios.
|
When upgrading from ... |
Permitted Supervisor Setup (Applies to the release you are upgrading from) |
First upgrade to... |
To upgrade to ... |
||
|---|---|---|---|---|---|
|
Cisco IOS XE Everest 16.6.14
|
Upgrade a single supervisor, and complete the boot loader and CPLD upgrade. After completing the first supervisor upgrade, remove and swap in the second supervisor. After both supervisors are upgraded, they can be inserted and booted in a high availability setup.
|
Cisco IOS XE Everest 16.6.3 Follow the upgrade steps as in the Release Notes for Cisco Catalyst 9400 Series Switches, Cisco IOS XE Everest 16.6.x → Upgrading the Switch Software → Upgrading in Install Mode |
Cisco IOS XE Gibraltar 16.12.1c |
||
|
Cisco IOS XE Everest 16.6.2 and later releases |
This procedure automatically copies the images to both active and standby supervisor modules. Both supervisor modules are simultaneously upgraded. |
Not applicable |
When upgrading from Cisco IOS XE Everest 16.6.1 to a later release, the upgrade may take a long time, and the system will reset three times due to rommon and complex programmable logic device (CPLD) upgrade. Stateful switchover is supported from Cisco IOS XE Everest 16.6.2
Caution |
|
The sample output in this section displays upgrade from Cisco IOS XE Everest 16.6.3 to Cisco IOS XE Gibraltar 16.12.1c using install commands.
Procedure
|
Step 1 |
Clean Up |
|
Step 2 |
Copy new image to flash |
|
Step 3 |
Set boot variable |
|
Step 4 |
Software install image to flash |
|
Step 5 |
Reload |
Downgrading in Install Mode
Follow these instructions to downgrade from one release to another, in install mode. To perform a software image downgrade, you must be booted into IOS via boot flash:packages.conf .
Before you begin
Note that you can use this procedure for the following downgrade scenarios:
|
When downgrading from ... |
Permitted Supervisor Setup (Applies to the release you are downgrading from) |
To ... |
||
|---|---|---|---|---|
|
Cisco IOS XE Gibraltar 16.12.1c |
This procedure automatically copies the images to both active and standby supervisor modules. Both supervisor modules are simultaneously downgraded.
|
Cisco IOS XE Gibraltar 16.11.x or earlier releases. |
The sample output in this section shows downgrade from Cisco IOS XE Gibraltar 16.12.1c to Cisco IOS XE Everest 16.6.2, using install commands.
Important |
New hardware modules (supervisors or line card modules) that are introduced in a release cannot be downgraded. The release in which a module is introduced is the minimum software version for that model. We recommend upgrading all existing hardware to the same release as the latest hardware. |
Procedure
|
Step 1 |
Clean Up |
||
|
Step 2 |
Copy new image to flash |
||
|
Step 3 |
Downgrade software image
The following example displays the installation of the
cat9k_iosxe.16.06.02.SPA.bin software image to flash, to downgrade the switch by using the install add file activate commit command. You can point to the source image on your tftp server or in flash if you have it copied to flash.The following example displays sample output when downgrading the switch by using the install rollback to committed command.
|
||
|
Step 4 |
Reload |
Upgrading the Complex Programmable Logic Device Version
CPLD version upgrade process must be completed after upgrading the software image.
Upgrading the CPLD Version: High Availability Setup
Beginning in the privileged EXEC mode, complete the following steps:
Before you begin
When performing the CPLD version upgrade as shown, the show platform command can be used to confirm the CPLD version after the upgrade. This command output shows the CPLD version on all modules. However, the CPLD upgrade only applies to the supervisors, not the line cards. The line cards CPLD version is a cosmetic display. After the upgrade is completed in a high availability setup, the supervisors will be upgraded, but the line cards will still show the old CPLD version. The version mismatch between the supervisors and line cards is expected until a chassis reload.
Procedure
|
Step 1 |
Upgrade the CPLD Version of the standby supervisor module Enter the following commands on the active supervisor:
The standby supervisor module reloads automatically and the upgrade occurs in ROMMON. During the upgrade, the supervisor module automatically power cycles and remains inactive for approximately 5 minutes. Wait until the standby supervisor module boots up and the SSO has formed (HOT) before you proceed to the next step; this takes approximately 17 minutes. |
||
|
Step 2 |
Perform a switch over
This causes the standby supervisor (on which you have completed the CPLD upgrade in Step 1) to become the active supervisor module |
||
|
Step 3 |
Upgrade the CPLD Version of the new standby supervisor module Repeat Step 1 and all its substeps.
|
Upgrading the CPLD Version: Cisco StackWise Virtual Setup
Beginning in the privileged EXEC mode, complete the following steps:
Procedure
|
Step 1 |
Upgrade the CPLD version of the standby supervisor module Enter the following commands on the active supervisor:
|
|
Step 2 |
Reload the standby supervisor module
The upgrade occurs in ROMMON. During the upgrade, the supervisor module automatically power cycles and remains inactive for approximately 5 minutes. Wait until the standby supervisor module boots up and the SSO has formed (HOT) before you proceed to the next step; this takes approximately 17 minutes. |
|
Step 3 |
Perform a switch over
This causes the standby supervisor (on which you have completed the CPLD upgrade in step 1) to become the active supervisor module |
|
Step 4 |
Upgrade the CPLD version of the new standby supervisor module Perfom Steps 1 and 2, including all substeps, on the new standby supervisor module |
Upgrading the CPLD Version: Single Supervisor Module Setup
Beginning in the privileged EXEC mode, complete the following steps:
Procedure
|
Upgrade the CPLD version of the active supervisor module Enter the following commands on the active supervisor:
The supervisor module reloads automatically and the upgrade occurs in ROMMON. During the upgrade, the supervisor module automatically power cycles and remains inactive for approximately 5 minutes. |
Example: CPLD Upgrade in a High Availability Setup
The sample output here shows the CPLD upgrade process in a High Availability setup:
-
Boot Cisco IOS XE Gibraltar 16.12.1; the bootloader upgrades automatically:
%IOSXEBOOT-4-BOOTLOADER_UPGRADE: (rp/0): boot loader upgrade successful %IOSXEBOOT-4-BOOTLOADER_UPGRADE: (rp/0): Reloading the Supervisor to enable the New BOOTLOADER Initializing Hardware... System Bootstrap, Version 16.12.1r, RELEASE SOFTWARE (P) Compiled Mon 04/15/2019 10:19:23.77 by rel Current ROMMON image : Primary Last reset cause : SoftwareResetTrig C9400-SUP-1XL-Y platform with 16777216 Kbytes of main memory <output truncated> -
Upgrade CPLD
Device# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Device(config)# service internal Device(config)# exit Device# **Feb 27 12:49:27.446 PST: %SYS-5-CONFIG_I: Configured from console by console Device# upgrade hw-programmable cpld filename bootflash: RP Standby Firmware upgrade will require the standby supervisor to reload. Do you want to proceed?(y/n) y *Feb 27 22:22:22.267: %PARSER-5-HIDDEN: Warning!!! ' upgrade hw-programmable cpld filename bootflash: RP standby ' is a hidden command. Use of this command is not recommended/supported and will be removed in future. *Feb 27 22:23:00.059: %IOSXE_OIR-6-REMCARD: Card (rp) removed from slot R1 *Feb 27 22:23:00.063: %SMART_LIC-5-EVAL_START: Entering evaluation period *Feb 27 22:23:00.149: %REDUNDANCY-3-STANDBY_LOST: Standby processor fault (PEER_NOT_PRESENT) *Feb 27 22:23:00.149: %REDUNDANCY-3-STANDBY_LOST: Standby processor fault (PEER_DOWN) *Feb 27 22:23:00.149: %REDUNDANCY-3-STANDBY_LOST: Standby processor fault (PEER_REDUNDANCY_STATE_CHANGE) *Feb 27 22:23:01.148: %RF-5-RF_RELOAD: Peer reload. Reason: EHSA standby down *Feb 27 22:23:01.158: %IOSXE_REDUNDANCY-6-PEER: Active detected switch -1 as standby. *Feb 27 22:23:01.636: %IOSXE_OIR-6-REMSPA: SPA removed from subslot 6/0, interfaces disabled *Feb 27 22:23:01.646: %SPA_OIR-6-OFFLINECARD: SPA (C9400-SUP-1) offline in subslot 6/0 *Feb 27 22:23:01.670: %IOSXE_OIR-6-INSCARD: Card (rp) inserted in slot R1The supervisor module reloads and the upgrade takes place in ROMMON mode. The following is sample output from a standby supervisor during the course of a CPLD upgrade
Initializing Hardware... Initializing Hardware... System Bootstrap, Version 16.12.1r, RELEASE SOFTWARE (P) Compiled Mon 04/15/2019 10:19:23.77 by rel Current ROMMON image : Primary Last reset cause : PowerOn C9400-SUP-1 platform with 16777216 Kbytes of main memory Starting System FPGA Upgrade ..... Programming SPI Primary image is completed. Authenticating SPI Primary image ..... IO FPGA image is authenticated successfully. Programming Header ..... FPGA HDR file size: 12 Image page count: 1 Verifying programmed header ..... Verifying programmed header ..... Programmed header is verified successfully. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Power Cycle is needed to complete System firmware upgrade. It takes ~7 mins to upgrade firmware after power cycle starts. Perform the FPGA upgrade for the standby supervisor board (using the IOS CLI from the active supervisor). “upgrade hw-programmable cpld filename bootflash: RP Standby” The Standby supervisor will get reloaded automatically. FPGA upgrade will take place in Rommon context. During the FPGA upgrade, the Supervisor will get powered cycle, and remain inactive for approximate 5 minutes. b. Once the standby boots up completely (form DO NOT DISRUPT AFTER POWER CYCLE UNTIL ROMMON PROMPT APPEARS. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Power Cycling the Supervisor board now ! Initializing Hardware... Initializing Hardware... System Bootstrap, Version 16.12.1r, RELEASE SOFTWARE (P) Compiled Mon 04/15/2019 10:19:23.77 by rel rommon >Check the version in ROMMON mode:
rommon >version -v System Bootstrap, Version 16.12.1r, RELEASE SOFTWARE (P) Compiled Mon 04/15/2019 10:19:23.77 by rel Current ROMMON image : Primary Last reset cause : SoftwareResetTrig C9400-SUP-1XL-Y platform with 16777216 Kbytes of main memory Fpga Version: 0x19032905 System Integrity Status: 134ABCE 6A40 6A48
Licensing
This section provides information about the licensing packages for features available on Cisco Catalyst 9000 Series Switches.
License Levels
The software features available on Cisco Catalyst 9400 Series Switches fall under these base or add-on license levels.
Base Licenses
-
Network Essentials
-
Network Advantage—Includes features available with the Network Essentials license and more.
Add-On Licenses
Add-On Licenses require a Network Essentials or Network Advantage as a pre-requisite. The features available with add-on license levels provide Cisco innovations on the switch, as well as on the Cisco Digital Network Architecture Center (Cisco DNA Center).
-
DNA Essentials
-
DNA Advantage— Includes features available with the DNA Essentials license and more.
To find information about platform support and to know which license levels a feature is available with, use Cisco Feature Navigator. To access Cisco Feature Navigator, go to https://cfnng.cisco.com. An account on cisco.com is not required.
License Types
The following license types are available:
-
Permanent—for a license level, and without an expiration date.
-
Term—for a license level, and for a three, five, or seven year period.
-
Evaluation—a license that is not registered.
License Levels - Usage Guidelines
-
Base licenses (Network Essentials and Network-Advantage) are ordered and fulfilled only with a permanent license type.
-
Add-on licenses (DNA Essentials and DNA Advantage) are ordered and fulfilled only with a term license type.
-
An add-on license level is included when you choose a network license level. If you use DNA features, renew the license before term expiry, to continue using it, or deactivate the add-on license and then reload the switch to continue operating with the base license capabilities.
-
When ordering an add-on license with a base license, note the combinations that are permitted and those that are not permitted:
Table 1. Permitted Combinations DNA Essentials
DNA Advantage
Network Essentials
Yes
No
Network Advantage
Yes5
Yes
5 You will be able to purchase this combination only at the time of the DNA license renewal and not when you purchase DNA-Essentials the first time. -
Evaluation licenses cannot be ordered. They are not tracked via Cisco Smart Software Manager and expire after a 90-day period. Evaluation licenses can be used only once on the switch and cannot be regenerated. Warning system messages about an evaluation license expiry are generated only 275 days after expiration and every week thereafter. An expired evaluation license cannot be reactivated after reload. This applies only to Smart Licensing. The notion of evaluation licenses does not apply to Smart Licensing Using Policy.
Cisco Smart Licensing
Cisco Smart Licensing is a flexible licensing model that provides you with an easier, faster, and more consistent way to purchase and manage software across the Cisco portfolio and across your organization. And it’s secure – you control what users can access. With Smart Licensing you get:
-
Easy Activation: Smart Licensing establishes a pool of software licenses that can be used across the entire organization—no more PAKs (Product Activation Keys).
-
Unified Management: My Cisco Entitlements (MCE) provides a complete view into all of your Cisco products and services in an easy-to-use portal, so you always know what you have and what you are using.
-
License Flexibility: Your software is not node-locked to your hardware, so you can easily use and transfer licenses as needed.
To use Smart Licensing, you must first set up a Smart Account on Cisco Software Central (http://software.cisco.com).
Important |
Cisco Smart Licensing is the default and the only available method to manage licenses. |
For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide.
Deploying Smart Licensing
The following provides a process overview of a day 0 to day N deployment directly initiated from a device that is running Cisco IOS XE Fuji 16.9.1 or later releases. Links to the configuration guide provide detailed information to help you complete each one of the smaller tasks.
Procedure
|
Step 1 |
Begin by establishing a connection from your network to Cisco Smart Software Manager on cisco.com. In the software configuration guide of the required release, see System Management → Configuring Smart Licensing → Connecting to CSSM |
|
Step 2 |
Create and activate your Smart Account, or login if you already have one. To create and activate Smart Account, go to Cisco Software Central → Create Smart Accounts. Only authorized users can activate the Smart Account. |
|
Step 3 |
Complete the Cisco Smart Software Manager set up. |
With this,
-
The device is now in an authorized state and ready to use.
-
The licenses that you have purchased are displayed in your Smart Account.
Using Smart Licensing on an Out-of-the-Box Device
Starting from Cisco IOS XE Fuji 16.9.1, if an out-of-the-box device has the software version factory-provisioned, all licenses on such a device remain in evaluation mode until registered in Cisco Smart Software Manager.
In the software configuration guide of the required release, see System Management → Configuring Smart Licensing → Registering the Device in CSSM
How Upgrading or Downgrading Software Affects Smart Licensing
Starting from Cisco IOS XE Fuji 16.9.1, Smart Licensing is the default and only license management solution; all licenses are managed as Smart Licenses.
Important |
Starting from Cisco IOS XE Fuji 16.9.1, the Right-To-Use (RTU) licensing mode is deprecated, and the associated license right-to-use command is no longer available on the CLI. |
Note how upgrading to a release that supports Smart Licensing or moving to a release that does not support Smart Licensing affects licenses on a device:
-
When you upgrade from an earlier release to one that supports Smart Licensing—all existing licenses remain in evaluation mode until registered in Cisco Smart Software Manager. After registration, they are made available in your Smart Account.
In the software configuration guide of the required release, see System Management → Configuring Smart Licensing → Registering the Device in CSSM
-
When you downgrade to a release where Smart Licensing is not supported—all smart licenses on the device are converted to traditional licenses and all smart licensing information on the device is removed.
Scaling Guidelines
For information about feature scaling guidelines, see these datasheets for Cisco Catalyst 9400 Series Switches:
Limitations and Restrictions
-
Control Plane Policing (CoPP)—The show run command does not display information about classes configured under
system-cpp policy, when they are left at default values. Use the show policy-map system-cpp-policy or the show policy-map control-plane commands in privileged EXEC mode instead. -
Cisco TrustSec restrictions—Cisco TrustSec can be configured only on physical interfaces, not on logical interfaces.
-
Flexible NetFlow limitations
-
You cannot configure NetFlow export using the Ethernet Management port (GigabitEthernet0/0).
-
You can not configure a flow monitor on logical interfaces, such as layer 2 port-channels, loopback, tunnels.
-
You can not configure multiple flow monitors of same type (ipv4, ipv6 or datalink) on the same interface for same direction.
-
-
Hardware limitations—When you use Cisco QSFP-4SFP10G-CUxM Direct-Attach Copper Cables, autonegotiation is enabled by default. If the other end of the line does not support autonegotation, the link does not come up.
-
Interoperability limitations—When you use Cisco QSFP-4SFP10G-CUxM Direct-Attach Copper Cables, if one end of the 40G link is a Catalyst 9400 Series Switch and the other end is a Catalyst 9500 Series Switch, the link does not come up, or comes up on one side and stays down on the other. To avoid this interoperability issue between devices, apply the speed nonegotiate command on the Catalyst 9500 Series Switch interface. This command disables autonegotiation and brings the link up. To restore autonegotiation, use the no speed nonegotiation command.
-
In-Service Software Upgrade (ISSU)
-
ISSU from Cisco IOS XE Fuji 16.9.x to Cisco IOS XE Gibraltar 16.10.x or to Cisco IOS XE Gibraltar 16.11.x is not supported. This applies to both a single and dual supervisor module setup.
-
While performing ISSU from Cisco IOS XE Fuji 16.9.x to Cisco IOS XE Gibraltar 16.12.x, if interface-id snmp-if-index command is not configured with OSPFv3, packet loss can occur. Configure the interface-id snmp-if-index command either during the maintenance window or after isolating the device (by using maintenance mode feature) from the network before doing the ISSU.
-
While ISSU allows you to perform upgrades with zero downtime, we recommend you to do so during a maintenance window only.
-
If a new feature introduced in a software release requires a change in configuration, the feature should not be enabled during ISSU.
-
If a feature is not available in the downgraded version of a software image, the feature should be disabled before initiating ISSU.
-
-
No service password recovery—With ROMMON versions R16.6.1r and R16.6.2r, the 'no service password-recovery' feature is not available.
-
QoS restrictions
-
When configuring QoS queuing policy, the sum of the queuing buffer should not exceed 100%.
-
Policing and marking policy on sub interfaces is supported.
-
Marking policy on switched virtual interfaces (SVI) is supported.
-
QoS policies are not supported for port-channel interfaces, tunnel interfaces, and other logical interfaces.
-
Stack Queuing and Scheduling (SQS) drops CPU bound packets exceeding 1.4 Gbps.
-
-
Redundancy—The supervisor module (hardware) supports redundancy. Software redundancy is supported starting with Cisco IOS XE Everest 16.6.2. However, the associated route processor redundancy (RPR) feature is not supported.
Before performing a switchover, use the show redundancy , show platform , and show platform software iomd redundancy commands to ensure that both the SSOs have formed and that the IOMD process is completed.
In the following sample output for the show redundancy , note that both the SSOs have formed.Switch# show redundancy Redundant System Information : ------------------------------ Available system uptime = 3 hours, 30 minutes Switchovers system experienced = 2 Standby failures = 0 Last switchover reason = active unit removed Hardware Mode = Duplex Configured Redundancy Mode = sso Operating Redundancy Mode = sso Maintenance Mode = Disabled Communications = Up Current Processor Information : ------------------------------- Active Location = slot 3 Current Software state = ACTIVE Uptime in current state = 2 hours, 57 minutes Image Version = Cisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.8.1, RELEASE SOFTWARE (fc3) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2018 by Cisco Systems, Inc. Compiled Tue 27-Mar-18 13:43 by mcpre BOOT = bootflash:packages.conf; CONFIG_FILE = Configuration register = 0x1822 Peer Processor Information : ---------------------------- Standby Location = slot 4 Current Software state = STANDBY HOT Uptime in current state = 2 hours, 47 minutes Image Version = Cisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.8.1, RELEASE SOFTWARE (fc3) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2018 by Cisco Systems, Inc. Compiled Tue 27-Mar-18 13:43 by mcpre BOOT = bootflash:packages.conf; CONFIG_FILE = Configuration register = 0x1822In the following sample output for the show platform command, note that both SSOs have formed and theHA_STATEfield isready.Switch# show platform Configured Redundancy Mode = sso Operating Redundancy Mode = sso Local RF state = ACTIVE Peer RF state = STANDBY HOT slot PSM STATE SPA INTF HA_STATE HA_ACTIVE 1 ready started ready 00:01:16 2 ready started ready 00:01:22 3 ready started ready 00:01:27 ***active RP 4 ready started ready 00:01:27 <output truncated>In the following sample output for the show platform software iomd redundancy command, note that theStatefor all the linecards and supervisor modules isok. This indicates that the IOMD processes are completed.Switch# show platform software iomd redundancy Chassis type: C9407R Slot Type State Insert time (ago) --------- ------------------- --------------------- ----------------- 1 C9400-LC-24XS ok 3d09h 2 C9400-LC-48U ok 3d09h R0 C9400-SUP-1 ok, active 3d09h R1 C9400-SUP-1 ok, standby 3d09h P1 C9400-PWR-3200AC ok 3d08h P2 C9400-PWR-3200AC ok 3d08h P17 C9407-FAN ok 3d08h <output truncated> -
With bootloader version 16.6.2r, you cannot access the M.2 SATA SSD drive at the ROMMON prompt (
rommon> dir disk0). The system displays an error message indicating that the corresponding file system protocol is not found on the device. The only way to access the drive when on bootloader version 16.6.2r, is through the Cisco IOS prompt, after boot up. -
Secure Shell (SSH)
-
Use SSH Version 2. SSH Version 1 is not supported.
-
When the device is running SCP and SSH cryptographic operations, expect high CPU until the SCP read process is completed. SCP supports file transfers between hosts on a network and uses SSH for the transfer.
Since SCP and SSH operations are currently not supported on the hardware crypto engine, running encryption and decryption process in software causes high CPU. The SCP and SSH processes can show as much as 40 or 50 percent CPU usage, but they do not cause the device to shutdown.
-
-
TACACS legacy command: Do not configure the legacy tacacs-server host command; this command is deprecated. If the software version running on your device is Cisco IOS XE Gibraltar 16.12.2 or a later release, using the legacy command can cause authentication failures. Use the tacacs server command in global configuration mode.
-
Uplink Symmetry—When a redundant supervisor module is inserted, we recommend that you have symmetric uplinks, to minimize packet loss during a switchover.
Uplinks are said to be in symmetry when the same interface on both supervisor modules have the same type of transceiver module. For example, a TenGigabitEthernet interface with no transceiver installed operates at a default 10G mode; if the matching interface of the other supervisor has a 10G transceiver, then they are in symmetry. Symmetry provides the best SWO packet loss and user experience.
Asymmetric uplinks have at least one or more pairs of interfaces in one supervisor not matching the transceiver speed of the other supervisor.
-
USB Authentication—When you connect a Cisco USB drive to the switch, the switch tries to authenticate the drive against an existing encrypted preshared key. Since the USB drive does not send a key for authentication, the following message is displayed on the console when you enter password encryption aes command:
Device(config)# password encryption aes Master key change notification called without new or old key -
VLAN Restriction—It is advisable to have well-defined segregation while defining data and voice domain during switch configuration and to maintain a data VLAN different from voice VLAN across the switch stack. If the same VLAN is configured for data and voice domains on an interface, the resulting high CPU utilization might affect the device.
-
YANG data modeling limitation—A maximum of 20 simultaneous NETCONF sessions are supported.
-
Embedded Event Manager—Identity event detector is not supported on Embedded Event Manager.
-
The File System Check (fsck) utility is not supported in install mode.
Caveats
Caveats describe unexpected behavior in Cisco IOS-XE releases. Caveats listed as open in a prior release are carried forward to the next release as either open or resolved.
Cisco Bug Search Tool
The Cisco Bug Search Tool (BST) allows partners and customers to search for software bugs based on product, release, and keyword, and aggregates key data such as bug details, product, and version. The BST is designed to improve the effectiveness in network risk management and device troubleshooting. The tool has a provision to filter bugs based on credentials to provide external and internal bug views for the search input.
To view the details of a caveat, click on the identifier.
Open Caveats in Cisco IOS XE Gibraltar 16.12.x
|
Identifier |
Description |
|---|---|
|
Multicast processing takes longer time in port-channel unbundle |
Resolved Caveats in Cisco IOS XE Gibraltar 16.12.8
|
Identifier |
Description |
|---|---|
|
Cisco IOS XE Software for Catalyst Switches MPLS Denial of Service Vulnerability |
Resolved Caveats in Cisco IOS XE Gibraltar 16.12.7
|
Identifier |
Description |
|---|---|
|
C9400-LC-48S or C9400-LC-24S line card can reboot when inserting an SFP |
Resolved Caveats in Cisco IOS XE Gibraltar 16.12.6
|
Identifier |
Description |
|---|---|
|
Cat 9K & 3K: Unexpected reload caused by the FED process. |
|
|
Radius protocol generate jumbo frames for dot1x packets |
|
|
C9400 switch may reload with Last reload reason: RP-CPU |
|
|
SNMP: ifHCInOctets - snmpwalk on sub-interface octet counter does not increase |
Resolved Caveats in Cisco IOS XE Gibraltar 16.12.5b
|
Identifier |
Description |
|---|---|
|
Session not getting authenticated via MAB after shut/no shut of interface |
|
|
Cat 9K & 3K fed crash when running 16.12.5 |
|
|
Cisco IOx for IOS XE Software Command Injection Vulnerability |
Resolved Caveats in Cisco IOS XE Gibraltar 16.12.5
|
Identifier |
Description |
|---|---|
|
CLI should be auto-upgraded from "tacacs-server" cli to newer version while upgrading |
|
|
Catalyst Switch: SISF Crash due to a memory leak |
|
|
random ports remain in down, down state after randomly bouncing and changing VLAN |
|
|
DAD link on C9400-LC-48T does not bring up after reload |
|
|
ZTP failing with error in creating downloaded_script.py |
|
|
Authentication Config Removal leads to standby reload |
Resolved Caveats in Cisco IOS XE Gibraltar 16.12.4
|
Identifier |
Description |
|---|---|
|
systemd service flash-recovery.service always in the running mode |
|
|
show module info for active switch is n/a after booting remaining switches |
|
|
17.1.1 - Memory leak @ SAMsgThread. |
|
|
show beacon output is missing fantray beacon status for switch 1 and shows incorrectly for switch 2 |
|
|
Device crash when upgrading via ISSU |
|
|
Output of crepSegmentComplete is incorrect for the switches with single Edge port |
|
|
DHCPv6 RELAY-REPLY packet is being dropped |
|
|
PnP over 40gig uplink doesn't work with dual SUP |
|
|
Cat9k - Not able to apply Et-analytics on an interface |
|
|
"show mac address-table" does not show remote EIDs when vlan filter used |
|
|
Traffic forwarding stops when Session Idle time out is configured 10 sec with active traffic running |
|
|
Critical auth failing to apply DEFAULT_CRITICAL_DATA_TEMPLATE |
|
|
Crash Due to AutoSmart Port Macros |
|
|
offer is dropped in data vlan with dhcp snooping using dot1x/mab |
|
|
Unable to use VLAN range 4084-4095 for any business operations |
|
|
Eigrp neighbor down up occurred frequently |
|
|
Nvram Failed to initializae ( startup missing ) |
|
|
Cat9400 - Some 3rd-Party phones do not bring up the interface with 'no mdix auto' configured. |
|
|
interface with 100FX SFP stuck in up-state |
|
|
connectivity issue after moving client from dot1x enable port to non dot1x port |
|
|
OID cswDistrStackPhyPortInfo triggers memory leak |
|
|
ISSU upgrade: ISSU fails after stage 2, Standby SUP goes into ROMMON |
|
|
PSU Operating State changes to combined when "power budget mode single-sup" is enabled |
|
|
Cat3k/9k Switch running 16.12.3 is not processing superior BPDUs for non-default native vlan |
|
|
C9407R Operating Redundancy mode shown as SSO after standby SUP fullly booting up. |
|
|
Memory utilization increasing under fman_fp_image due to WRC Stats Req |
|
|
MACSEC issue in SDA deployment |
|
|
Crash when invalid input interrupts a role-based access-list policy installation |
Resolved Caveats in Cisco IOS XE Gibraltar 16.12.3a
|
Identifier |
Description |
|---|---|
|
Unexpected reload (or boot loop) caused by Smart Agent (SASRcvWQWrk2) |
|
|
Switch running 16.12.3 is not processing superior BPDUs for non-default native vlan |
Resolved Caveats in Cisco IOS XE Gibraltar 16.12.3
|
Identifier |
Description |
|---|---|
|
DHCP snooping may drop dhcp option82 packets w/ ip dhcp snooping information option allow-untrusted |
|
|
9400: Macsec: replay protection window-size is shown as 0 though configured with some size |
|
|
DNA - LAN Automation doesn't configure link between Peer Device and PnP Agent due CDP limitation |
|
|
Crash/Unresponsiveness after TDR test is set through SNMP |
|
|
Private-vlan mapping XXX configuration under SVI is lost from run config after switch reload |
|
|
The active and the standby Sup crashes due to ccmc crash when upgraded to 16.12.1. |
|
|
Switches are adding Device SGT to proxy generated IGMP leave messages while keeping End host src IP |
|
|
Diagnostics errors after the Line Card OIR on C9400 |
|
|
Cat3k/9k Flow-based SPAN(FSPAN) can only work in one direction when mutilple session configured |
|
|
To address sync done message missing after LC OIR and switchover resulting in HMS timeout |
|
|
MAB Client will reauthenticate during an ISSU from 16.9.4 to 16.12.2 |
|
|
HW-faulty not present in OID list for cefcModuleOperStatus object MIB:CISCO-ENTITY-FRU-CONTROL-MIB |
|
|
SNMP timeout when querying entSensorValueEntry |
|
|
c9400 Not able to configure power redundancy mode in SVL |
|
|
C9407R Power setting, default to combine after reload |
|
|
Cat3k/9k crash on running show platform software fed switch 1 fss abstraction |
|
|
Mulitple issues seen if we do SSO with MKA MACsec on Sup ports. |
|
|
Cat3k/Cat9k incorrectly set more-fragment flag for double fragmentation |
|
|
Layer 2 flooding floods IGMP queries causing network outage |
|
|
OSPF External Type-1 Route Present in OSPF Database but not in RIB |
|
|
After valid ip conflict, SVI admin down responds to GARP |
|
|
"login authentication VTY_authen" is missing on "line vty 0 4" only |
|
|
Standby crashes on multiple port flaps |
|
|
Block overrun crash due to Corrupted redzone |
|
|
qos softmax setting doesn't take effect on Catalyst switch in Openflow mode |
|
|
CTS Environmental Data download request triggered before PAC provisioned |
|
|
Netconf incorrectly activate IPv4 address-family for IPv6 BGP peer. |
|
|
cmand crash after removal fantray |
|
|
cmcc crash following oir events |
|
|
When port security applied mac address not learned on hardware |
|
|
Crash during authentication failure of client |
|
|
Memory exhaustion in sessmgrd process due to EAPoL announcement |
|
|
FED crash when premature free of SG element |
|
|
Fed memory leak in 16.9.X related to netflow |
|
|
Cat3k/Cat9k- OBJ_DWNLD_TO_DP_FAILED after exceeding hardware capacity for adjacency table |
|
|
In COPP policy, ARP traffic should be classified under the "system-cpp-police-forus" class |
|
|
Traceback seen when IS-IS crosses LSP boundary and tries to add information in new LSP |
|
|
Memory leak in fed main event qos |
|
|
cat3k Switch with 1.6GB flash size unable to do SWIM upgrade between 16.12.x images |
Resolved Caveats in Cisco IOS XE Gibraltar 16.12.2
|
Identifier |
Description |
|---|---|
|
Enable TestUnusedPortLoopback. |
|
|
Mgig - Half-Pair Ethernet Cables do not auto-negotiate to 100 Full with Certain IP Phones |
|
|
~3sec Traffic Loss on Uplink Port Channel After Active SUP removal |
|
|
IOSd Crash within "DHCPD Receive" process |
|
|
EnvMon trap not received after Power Supply and FAN OIR |
|
|
Memory leak in linux_iosd when polling mabClientIndexTest mib. |
|
|
| v169_3_hemit_es_throttle ES image || EGR_INVALID_REWRITE counter increasing in mVPN setup |
|
|
// evpn/vxlan // dhcp relay not working over l3vni |
|
|
Failed to get Board ID shown if stack member boots up |
|
|
SYS-2-BADSHARE: Bad refcount in datagram_done - messages seen during system churn |
|
|
CAT9400: MTU config not getting applied to inactive ports becoming active |
|
|
Switch crashed due to HTTP Core |
|
|
Mac address not being learnt when "auth port-control auto" command is present |
|
|
ospf down upon switchover with aggressive timers "hello-interval 1" and "dead-interval 4" |
|
|
SUP uplinks and/or slot 7 or slot 8 stop passing traffic or fail POST upon SUP failover |
|
|
ip verify source mac-check prevents device tracking from getting arp probe reply |
|
|
Diagnostic test of TestPortTxMonitoring is failing for DAD links |
|
|
switch not forward packet when active route down |
|
|
Seeing 100% CPU with FED on switch SVL setup |
|
|
Switch can't forwarding traffic follow the rule of EIGRP unequal cost load-balancing |
|
|
Switch sif_mgr process crash. |
|
|
missing system_report when crashed - revisit fix of CSCvq26295 |
|
|
Multicast memory leak seen when we have a scale setup |
|
|
The COPP configuration back to the default After rebooting the device |
|
|
Memory Leak on FED due to IPv6 Source Guard |
|
|
Inserting 1Gige SFP (GLC-SX-MMD or SFP GE-T) to SUP port causes another port to link flap. |
|
|
C9400 ISSU to 16.9.4 or 16.12.1c With Port Security Enabled Causes Traffic Loss |
|
|
Inactive Interfaces Incorrectly Holding Buffers, causing output drops on switch SUP active ports. |
|
|
sessmgrd crash with "clear dot1x mac" command |
|
|
Commands returning invalid PRC error message |
|
|
Memory leak due to bcm54185-debug-slot4 on C9404R version 16.9.4 |
Resolved Caveats in Cisco IOS XE Gibraltar 16.12.1c
|
Identifier |
Description |
|---|---|
|
The active and the standby Sup crashes due to ccmc crash when upgraded to 16.12.1. |
Resolved Caveats in Cisco IOS XE Gibraltar 16.12.1
|
Identifier |
Description |
|---|---|
|
cat 9300 | span destination interface not dropping ingress traffic |
|
|
IP Source Guard blocks traffic after host IP renewal |
|
|
Missing/incorrect FED entries for IGMP Snooping on Cat9300/Cat3850/Cat3650 |
|
|
Packet drops on mgig ports due to link negotiation issue |
|
|
Switch crashed at mcprp_pak_add_l3_inject_hdr with dhcp snooping |
|
|
Cat9k TFTP copy failed with Port Security enabled |
|
|
'speed nonegotiate' config disappears after reload - C9400-LC-24S |
|
|
C9400 - Half-Pair Ethernet Cables do not auto-negotiate to 100 Full with Certain IP Phones |
|
|
Hardware MAC address programming issue for remote client catalyst 9300 |
|
|
Cat9k not updating checksum after DSCP change |
|
|
multiple CTS sessions stuck in HELD/SAP_NE |
|
|
High CPU Due To Looped Packet and/or Unicast DHCP ACK Dropped |
|
|
9400: Input QoS policy may not get installed in Hardware |
|
|
Mcast traffic loss seen looks due to missing fed entries during IGMP/MLD snooping. |
|
|
C9400-LC-48U goes to faulty status when specific MAC ACL is applied on interfaces |
|
|
Active supervisor crashed during insertion/removal of a line card |
|
|
Cat9500 - Interface in Admin shutdown showing incoming traffic and interface Status led in green. |
|
|
Cat3K | Cat9K - SVI becomes inaccesible upon reboot |
|
|
System report not created for stack_mgr crashes on Cat 9500 |
|
|
Cat3k / Cat9k Gateway routes DHCP offer incorrectly after DHCP snooping |
|
|
Cat9300 | First packet not forwarded when (S,G) needs to be built |
|
|
MAC Access List Blocks Unintended Traffic |
|
|
DHCP SNOOPING DATABASE IS NOT REFRESHED AFTER RELOAD |
|
|
Authentication sessions does not come up on configuring dot1x when there is active client traffic . |
|
|
crash at sisf_show_counters after entering show device-tracking counters command |
|
|
Sessmgr CPU is going high due to DB cursor is not disabled after switchover |
Troubleshooting
For the most up-to-date, detailed troubleshooting information, see the Cisco TAC website at this URL:
https://www.cisco.com/en/US/support/index.html
Go to Product Support and select your product from the list or enter the name of your product. Look under Troubleshoot and Alerts, to find information for the problem that you are experiencing.
Related Documentation
Information about Cisco IOS XE at this URL: https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-xe/index.html
All support documentation for Cisco Catalyst 9400 Series Switches is at this URL: https://www.cisco.com/c/en/us/support/switches/catalyst-9400-series-switches/tsd-products-support-series-home.html
Cisco Validated Designs documents at this URL: https://www.cisco.com/go/designzone
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
Communications, Services, and Additional Information
-
To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
-
To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
-
To submit a service request, visit Cisco Support.
-
To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.
-
To obtain general networking, training, and certification titles, visit Cisco Press.
-
To find warranty information for a specific product or product family, access Cisco Warranty Finder.
Cisco Bug Search Tool
Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system that maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides you with detailed defect information about your products and software.
Feedback