First Published: December 7, 2021

Last Updated: May 13, 2022

Release Notes for Cisco Catalyst 9400 Series Switches, Cisco IOS XE Cupertino 17.7.x

Introduction

Cisco Catalyst 9400 Series Switches are Cisco’s leading modular enterprise switching access platform and have been purpose-built to address emerging trends of Security, IoT, Mobility, and Cloud.

They deliver complete convergence with the rest of the Cisco Catalyst 9000 Series Switches in terms of ASIC architecture with Unified Access Data Plane (UADP) 2.0 and UADP 3.0. The platform runs an Open Cisco IOS XE that supports model driven programmability, has the capacity to host containers, and run 3rd party applications and scripts natively within the switch (by virtue of x86 CPU architecture, local storage, and a higher memory footprint). This series forms the foundational building block for SD-Access, which is Cisco’s lead enterprise architecture.

Cisco Catalyst 9400 Series Switches are enterprise optimized with a dual-serviceable fan tray design, side to side airflow, and are closet-friendly with a16-inch depth

Whats New in Cisco IOS XE Cupertino 17.7.1

Hardware Features in Cisco IOS XE Cupertino 17.7.1


Feature Name	Description and Documentation Link
Cisco Catalyst 9400 Series Supervisor 2 Module (C9400X-SUP-2)	Hardware Features: Supported on Cisco Catalyst C9404R, C9407R, and C9410R chassis. Supports a backplane bandwidth of 240 Gbps. Compatible with all available line cards. See Cisco Catalyst 9400 Series Switching Module Installation Note. Has four 10-GigabitEthernet (GE) or 25-GE uplink ports and four 40-GE or 100-GE uplink ports. Install a suitable transceiver module for the required uplink port speeds. For information about device compatibility, see the Transceiver Module Group (TMG) Compatibility Matrix. The following transceiver modules are not supported: SFP-H25G-CU1M, SFP-H25G-CU1.5M, SFP-H25G-CU2M, SFP-H25G-CU2.5M, SFP-H25G-CU3M, SFP-H25G-CU4M, SFP-H25G-CU5M. QSFP-H40G-CU0-5M, QSFP-H40G-CU1M, QSFP-H40G-CU2M, QSFP-H40G-CU3M, QSFP-H40G-CU4M, QSFP-H40G-CU5M. QSFP-100G-CU1M, QSFP-100G-CU2M, QSFP-100G-CU3M, QSFP-100G-CU5M. Software Features: The software features supported on C9400X-SUP-2 maintain parity with the existing supervisor modules, with a few exceptions. The following software features are not supported: Cisco StackWise Virtual, In-Service Software Upgrade (ISSU), Application Hosting, OpenFlow, High Availability in OpenFlow, and SDM Templates. For more information about the hardware, see the Cisco Catalyst 9400 Series Supervisor Module Installation Note and Cisco Catalyst 9400 Series Switches Hardware Installation Guide. For more information about supported software features, see Software Configuration Guide, Cisco IOS XE Cupertino 17.7.x (Catalyst 9400 Switches) and Command Reference, Cisco IOS XE Cupertino 17.7.x (Catalyst 9400 Switches).
Cisco Catalyst 9400 Series Supervisor 2XL Module (C9400X-SUP-2XL)	Hardware Features: Supported on Cisco Catalyst C9404R, C9407R, and C9410R chassis. Supports a backplane bandwidth of 480 Gbps. Compatible with all available line cards. See Cisco Catalyst 9400 Series Switching Module Installation Note. Has four 10-GE or 25-GE uplink ports and four 40-GE or 100-GE uplink ports. Install a suitable transceiver module for the required uplink port speeds. For information about device compatibility, see the Transceiver Module Group (TMG) Compatibility Matrix. The following transceiver modules are not supported: SFP-H25G-CU1M, SFP-H25G-CU1.5M, SFP-H25G-CU2M, SFP-H25G-CU2.5M, SFP-H25G-CU3M, SFP-H25G-CU4M, SFP-H25G-CU5M. QSFP-H40G-CU0-5M, QSFP-H40G-CU1M, QSFP-H40G-CU2M, QSFP-H40G-CU3M, QSFP-H40G-CU4M, QSFP-H40G-CU5M. QSFP-100G-CU1M, QSFP-100G-CU2M, QSFP-100G-CU3M, QSFP-100G-CU5M. Software Features: The software features supported on C9400X-SUP-2XL maintain parity with the existing supervisor modules, with a few exceptions. The following software features are not supported: Cisco StackWise Virtual, In-Service Software Upgrade (ISSU), Application Hosting, OpenFlow, High Availability in OpenFlow, and SDM Templates. For more information about the hardware, see the Cisco Catalyst 9400 Series Supervisor Module Installation Note and Cisco Catalyst 9400 Series Switches Hardware Installation Guide. For more information about supported software features, see Software Configuration Guide, Cisco IOS XE Cupertino 17.7.x (Catalyst 9400 Switches) and Command Reference, Cisco IOS XE Cupertino 17.7.x (Catalyst 9400 Switches).

Software Features in Cisco IOS XE Cupertino 17.7.1


Feature Name	Description and License Level Information
AAA Authentication Cache for 802.1x	Introduces support for AAA authentication caching for 802.1x.
AES67 Compliance	Introduces support for AES67 timing profile for high-performance streaming and audio-over-IP interoperability in audio devices.
Cisco TrustSec support with IEEE 802.1X	Introduces support for interoperability of Cisco TrustSec with IEEE 802.1x.
Low priority control packet mapping to Non-Low Latency Queueing (LLQ)	The system generated low-priority CPU traffic is now mapped to threshold 2 of a non-priority queue with highest bandwidth.
MACsec Access Control Option	Introduces support for MACsec access control option to allow unencrypted packets to be transmitted or received from the same physical interface.
Mandatory enable secret password in the initial configuration	For a device that loads with no start-up configuration, the enable secret password is now a mandatory configuration in the initial configuration wizard.
MPLS Traffic Engineering Any Transport over MPLS Tunnel Selection Forwarding Adjacency Interarea Tunnels Inter-AS TE RSVP Graceful Restart RSVP Refresh Reduction and Reliable Messaging Verbatim Path Support	Any Transport over MPLS Tunnel Selection: Any Transport over MPLS Tunnel Selection feature allows you to specify the path that Any Transport over MPLS (AToM) traffic uses. You can specify either a Multiprotocol Label Switching (MPLS) traffic engineering tunnel or a destination IP address and Domain Name System (DNS) name. Forwarding Adjacency: Forwarding Adjacency feature allows you to handle a traffic engineering (TE) label switched path (LSP) tunnel as a link in an Interior Gateway Protocol (IGP) network based on the Shortest Path First (SPF) algorithm. Interarea Tunnels: Interarea Tunnels feature allows you to establish MPLS TE tunnels that span multiple IGP areas and levels, removing the restriction that had required the tunnel headend and tailend devices both to be in the same area. Inter-AS TE: Autonomous System Boundary Router (ASBR) node protection, loose path reoptimization, stateful switchover (SSO) recovery of label-switched paths (LSPs) that include loose hops. It also provides ASBR forced link flooding, Cisco IOS Resource Reservation Protocol (RSVP) local policy extensions for interautonomous system (Inter-AS), and per-neighbor keys. RSVP Graceful Restart: RSVP Graceful Restart feature allows a neighboring Route Processor (RP) to recover from disruption in control plane service (specifically, the Label Distribution Protocol (LDP) component) without losing its Multiprotocol Label Switching (MPLS) forwarding state. RSVP Refresh Reduction and Reliable Messaging: RSVP Graceful Restart feature allows a neighboring Route Processor (RP) to recover from disruption in control plane service (specifically, the Label Distribution Protocol (LDP) component) without losing its Multiprotocol Label Switching (MPLS) forwarding state. Verbatim Path Support: Verbatim Path Support feature allows network nodes to support Resource Reservation Protocol (RSVP) extensions without supporting Interior Gateway Protocol (IGP) extensions for traffic engineering (TE), thereby bypassing the topology database verification process.
Programmability YANG Model Version 1.1 Converting IOS Commands to XML gNOI Factory Reset Services Leaf-Level Filtering for Telemetry ZTP Configuration through YANG	The following programmability features are introduced in this release: YANG Model Version 1.1: Cisco IOS XE Cupertino 17.7.1 uses the YANG version 1.0; however, you can download Cisco IOS XE YANG models in yang-version 1.1 from GitHub at https://github.com/YangModels/yang/tree/master/vendor/cisco/xe/1771 folder. For inquiries related to the migrate_yang_version.py script or the Cisco IOS XE YANG version 1.1 migration process, send an email to xe-yang-migration@cisco.com. Converting IOS Commands to XML: This feature helps to automatically translate IOS commands into relevant NETCONF-XML or RESTCONF/JSON request messages. gNOI Factory Reset Services: The gNOI factory reset service provides an interface that instructs target devices to clean the existing state, and boot the devices in same condition as it was shipped from the factory. Leaf-Level Filtering for Telemetry: Optimised code path is enhanced to support on-change subscriptions via gNMI and gRPC. Both on-change and periodic subscriptions currently receive all the data for the subscribed XPath and all the XPaths under the same gatherpoint. The Leaf-Level Filtering for Telemetry feature allows filtering below the gatherpoint level for the optimized code paths ZTP Configuration through YANG: ZTP is enabled through YANG models when NETCONF is enabled.
Smart Licensing Using Policy Factory-installed trust code Support for trust code in additional topologies Ability to save authorization code request and return in a file and simpler upload in the CSSM Web UI RUM Report optimization and availability of statistics Support to collect software version in a RUM report Account information included in the ACK and show command outputs CSLU support for Linux	The following Smart Licensing Using Policy enhancements were introduced in this release: Factory-installed trust code: For new hardware orders, a trust code is now installed at the time of manufacturing. Note: You cannot use a factory-installed trust code to communicate with CSSM. See: Overview and Trust Code. Support for trust code in additional topologies: A trust code is automatically obtained in topologies where the product instance initiates the sending of data to CSLU and in topologies where the product instance is in an air-gapped network. See: Trust Code Connected to CSSM Through CSLU and Tasks for Product Instance-Initiated Communication CSLU Disconnected from CSSM and Tasks for Product Instance-Initiated Communication No Connectivity to CSSM and No CSLU and Workflow for Topology: No Connectivity to CSSM and No CSLU Ability to save authorization code request and return in a file and simpler upload in the CSSM Web UI: If your product instance is in an air-gapped network, you can now save a SLAC request in a file on the product instance. The SLAC request file must be uploaded to the CSSM Web UI. You can then download the file containing the SLAC code and install it on the product instance. You can also upload a return request file in a similar manner. With this new method you do not have to gather and enter the required details on the CSSM Web UI to generate a SLAC. You also do not have to locate the product instance in the CSSM Web UI to return an authorization code. In the CSSM Web UI, the request or return file is uploaded in the same location and in the same way as you upload a RUM report. In the required Smart Account, navigate to Reports → Usage Data Files. No Connectivity to CSSM and No CSLU, Workflow for Topology: No Connectivity to CSSM and No CSLU, and license smart (privileged EXEC). RUM Report optimization and availability of statistics: RUM report generation and related processes have been optimized. This includes a reduction in the time it takes to process RUM reports, better memory and disk space utilization, and visibility into the RUM reports on the product instance (how many there are, the processing state each one is in, if there are errors in any of them, and so on). See: RUM Report and Report Acknowledgement, Upgrades Within the Smart Licensing Using Policy Environment, and Downgrades Within the Smart Licensing Using Policy Environment. Also see: show license rum, show license tech, and show license all. Support to collect software version in a RUM report: If version privacy is disabled (no license smart privacy version global configuration command), the Cisco IOS-XE software version running on the product instance and the Smart Agent version information is included in the RUM report. See: license smart (global config). Account information included in the ACK and show command outputs: A RUM acknowledgement (ACK) includes the Smart Account and Virtual Account that was reported to, in CSSM. You can then display account information using various show commands. The account information that is displayed is always as per the latest available ACK on the product instance. See: show license status, show license summary, show license all, and show license tech. CSLU support for Linux: CSLU can now be deployed on a machine (laptop or desktop) running Linux. See: CSLU, Workflow for Topology: Connected to CSSM Through CSLU and Workflow for Topology: CSLU Disconnected from CSSM.
Switch Integrated Security Features (SISF): ARP Protection	Support for the prevention of IPv4 spoofing was introduced (Detection and reporting of IPv4 spoofing is supported since the introductory release of SISF). See: Example: Detecting and Preventing Spoofing.
New on the WebUI
There are no WebUI features in this release.
Serviceability
access-session host-mode multi-host peer	The command was modified. peer keyword was introduced. Use this command to enable authentication and authorization of a device before any other devices on the fabric edge port. Ensure that the extended node is the peer device that is connected to the fabric edge port.
show ip pim vrf	The command was introduced. It displays Protocol Independent Multicast (PIM) related information for all VRFs.
show ip mroute vrf	The command was introduced. It displays all the multicast VPN routing and forwarding (VRF) instances related to multicast routing tables.
show consistency-checker mcast l3m	The command was modified. mcast l3m keyword was introduced. It displays inconsistent states of software entries on the Layer 3 multicast forwarding tables.

Important Notes

Unsupported Features

Cisco TrustSec
- Cisco TrustSec Network Device Admission Control (NDAC) on Uplinks
High Availability
- Cisco StackWise Virtual solution does not support Resilient Ethernet Protocol (REP) and Remote Switched Port Analyzer (RSPAN).
Interface and Hardware
- Fast PoE
Layer 2
- Audio Video Bridging (including IEEE802.1AS, IEEE 802.1Qat, and IEEE 802.1Qav)
Security
- IPsec VPN
- MACsec switch-to-switch connections on C9400-SUP-1XL-Y.
- MACsec switch-to-host connections in an overlay network.
- Virtual Routing and Forwarding (VRF)-Aware web authentication
System Management
- Performance Monitoring (PerfMon)
Converged Access for Branch Deployments
Network Load Balancing (NLB)

Complete List of Supported Features

For the complete list of features supported on a platform, see the Cisco Feature Navigator.

Accessing Hidden Commands

Starting with Cisco IOS XE Fuji 16.8.1a, as an improved security measure, the way in which hidden commands can be accessed has changed.

Hidden commands have always been present in Cisco IOS XE, but were not equipped with CLI help. That is, entering a question mark (?) at the system prompt did not display the list of available commands. These commands were only meant to assist Cisco TAC in advanced troubleshooting and were not documented either.

Starting with Cisco IOS XE Fuji 16.8.1a, hidden commands are available under:

Category 1—Hidden commands in privileged or User EXEC mode. Begin by entering the service internal command to access these commands.
Category 2—Hidden commands in one of the configuration modes (global, interface and so on). These commands do not require the service internal command.

Further, the following applies to hidden commands under Category 1 and 2:

The commands have CLI help. Enter enter a question mark (?) at the system prompt to display the list of available commands.

Note: For Category 1, enter the service internal command before you enter the question mark; you do not have to do this for Category 2.

The system generates a %PARSER-5-HIDDEN syslog message when a hidden command is used. For example:

*Feb 14 10:44:37.917: %PARSER-5-HIDDEN: Warning!!! 'show processes memory old-header ' is a hidden command. 
Use of this command is not recommended/supported and will be removed in future.

Apart from category 1 and 2, there remain internal commands displayed on the CLI, for which the system does NOT generate the %PARSER-5-HIDDEN syslog message.

Important

We recommend that you use any hidden command only under TAC supervision.

If you find that you are using a hidden command, open a TAC case for help with finding another way of collecting the same information as the hidden command (for a hidden EXEC mode command), or to configure the same functionality (for a hidden configuration mode command) using non-hidden commands.

Default Behaviour

Beginning from Cisco IOS XE Gibraltar 16.12.5 and later, do not fragment bit (DF bit) in the IP packet is always set to 0 for all outgoing RADIUS packets (packets that originate from the device towards the RADIUS server).

Supported Hardware

Cisco Catalyst 9400 Series Switches—Model Numbers

The following table lists the supported switch models. For information about the available license levels, see section License Levels.


Switch Model (append with “=” for spares)	Description
C9404R	Cisco Catalyst 9400 Series 4 slot chassis Redundant supervisor module capability Two switching module slots Hot-swappable, front and rear serviceable, non-redundant fan tray assembly Four power supply module slots
C9407R	Cisco Catalyst 9400 Series 7 slot chassis Redundant supervisor module capability Five switching module slots Hot-swappable, front and rear serviceable fan tray assembly Eight power supply module slots
C9410R	Cisco Catalyst 9400 Series 10 slot chassis Redundant supervisor module capability Eight switching module slots Hot-swappable, front and rear serviceable fan tray assembly Eight power supply module slots

Supported Hardware on Cisco Catalyst 9400 Series Switches


Product ID (append with “=” for spares)	Description
Supervisor Modules
C9400-SUP-1	Cisco Catalyst 9400 Series Supervisor 1 Module This supervisor module is supported on the C9404R, C9407R, and C9410R chassis.
C9400-SUP-1XL	Cisco Catalyst 9400 Series Supervisor 1XL Module This supervisor module is supported on the C9404R, C9407R, and C9410R chassis.
C9400-SUP-1XL-Y	Cisco Catalyst 9400 Series Supervisor 25XL Module This supervisor module is supported on the C9404R, C9407R, and C9410R chassis.
C9400X-SUP-2	Cisco Catalyst 9400 Series Supervisor 2 Module This supervisor module is supported on the C9404R, C9407R, and C9410R chassis.
C9400X-SUP-2XL	Cisco Catalyst 9400 Series Supervisor 2XL Module This supervisor module is supported on the C9404R, C9407R, and C9410R chassis.
Line Cards
C9400-LC-24S	24-port, 1 Gigabit Ethernet SFP module that supports 100/1000 BASET-T with Cu-SFP
C9400-LC-24XS	24-port Gigabit Ethernet module that supports 1 and 10 Gbps connectivity.
C9400-LC-48H	48-port Gigabit Ethernet UPOE+ module supporting up to 90W on each of its 48 RJ45 ports.
C9400-LC-48HN	48-port, UPOE+ 100 Mbps/1G/2.5G/5G Multigigabit Ethernet Module
C9400-LC-48P	48-port, 1 Gigabit Ethernet POE/POE+ module supporting up to 30W per port.
C9400-LC-48S	48-port, 1 Gigabit Ethernet SFP module that supports 100/1000 BASET-T with Cu-SFP.
C9400-LC-48T	48-port, 10/100/1000 BASE-T Gigabit Ethernet module.
C9400-LC-48U	48-port UPOE 10/100/1000 (RJ-45) module supporting up to 60W per port.
C9400-LC-48UX	48-port, UPOE Multigigabit Ethernet Module with: 24 ports (Ports 1 to 24) 1G UPOE 10/100/1000 (RJ-45) 24 ports (Ports 25 to 48) MultiGigabit Ethernet 100/1000/2500/5000/10000 UPOE ports
M.2 SATA SSD Modules¹ (for the Supervisor)
C9400-SSD-240GB	Cisco Catalyst 9400 Series 240GB M2 SATA memory
C9400-SSD-480GB	Cisco Catalyst 9400 Series 480GB M2 SATA memory
C9400-SSD-960GB	Cisco Catalyst 9400 Series 960GB M2 SATA memory
AC Power Supply Modules
C9400-PWR-2100AC	Cisco Catalyst 9400 Series 2100W AC Power Supply
C9400-PWR-3200AC	Cisco Catalyst 9400 Series 3200W AC Power Supply
DC Power Supply Modules
C9400-PWR-3200DC	Cisco Catalyst 9400 Series 3200W DC Power Supply

¹ M.2 Serial Advanced Technology Attachment (SATA) Solid State Drive (SSD) Module

Optics Modules

Cisco Catalyst Series Switches support a wide range of optics and the list of supported optics is updated on a regular basis. Use the Transceiver Module Group (TMG) Compatibility Matrix tool, or consult the tables at this URL for the latest transceiver module compatibility information: https://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html

Compatibility Matrix

The following table provides software compatibility information between Cisco Catalyst 9400 Series Switches, Cisco Identity Services Engine, Cisco Access Control Server, and Cisco Prime Infrastructure.


Catalyst 9400	Cisco Identity Services Engine	Cisco Access Control Server	Cisco Prime Infrastructure
Cupertino 17.7.1	3.1 3.0 latest patch 2.7 latest patch 2.6 latest patch 2.4 latest patch	-	PI 3.10 + PI 3.10 latest maintenance release + PI 3.10 latest device pack See Cisco Prime Infrastructure 3.10 → Downloads.
Bengaluru 17.6.7	3.1 3.0 latest patch 2.7 latest patch 2.6 latest patch 2.4 latest patch	-	PI 3.10 + PI 3.10 latest maintenance release + PI 3.10 latest device pack See Cisco Prime Infrastructure 3.10 → Downloads.
Bengaluru 17.6.6a	3.1 3.0 latest patch 2.7 latest patch 2.6 latest patch 2.4 latest patch	-	PI 3.10 + PI 3.10 latest maintenance release + PI 3.10 latest device pack See Cisco Prime Infrastructure 3.10 → Downloads.
Bengaluru 17.6.6	3.1 3.0 latest patch 2.7 latest patch 2.6 latest patch 2.4 latest patch	-	PI 3.10 + PI 3.10 latest maintenance release + PI 3.10 latest device pack See Cisco Prime Infrastructure 3.10 → Downloads.
Bengaluru 17.6.5	3.1 3.0 latest patch 2.7 latest patch 2.6 latest patch 2.4 latest patch	-	PI 3.10 + PI 3.10 latest maintenance release + PI 3.10 latest device pack See Cisco Prime Infrastructure 3.10 → Downloads.
Bengaluru 17.6.4	3.1 3.0 latest patch 2.7 latest patch 2.6 latest patch 2.4 latest patch	-	PI 3.10 + PI 3.10 latest maintenance release + PI 3.10 latest device pack See Cisco Prime Infrastructure 3.10 → Downloads.
Bengaluru 17.6.3	3.1 3.0 latest patch 2.7 latest patch 2.6 latest patch 2.4 latest patch	-	PI 3.10 + PI 3.10 latest maintenance release + PI 3.10 latest device pack See Cisco Prime Infrastructure 3.10 → Downloads.
Bengaluru 17.6.2	3.1 3.0 latest patch 2.7 latest patch 2.6 latest patch 2.4 latest patch	-	PI 3.10 + PI 3.10 latest maintenance release + PI 3.10 latest device pack See Cisco Prime Infrastructure 3.10 → Downloads.
Bengaluru 17.6.1	3.1 3.0 latest patch 2.7 latest patch 2.6 latest patch 2.4 latest patch	-	PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads.
Bengaluru 17.5.1	3.0 Patch 1 2.7 Patch 2 2.6 Patch 7 2.4 Patch 13	-	PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads.
Bengaluru 17.4.1	3.0 2.7 Patch 2	-	PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads.
Amsterdam 17.3.8a	2.7	-	PI 3.10 + PI 3.10 latest maintenance release + PI 3.10 latest device pack See Cisco Prime Infrastructure 3.10 → Downloads.
Amsterdam 17.3.8	2.7	-	PI 3.10 + PI 3.10 latest maintenance release + PI 3.10 latest device pack See Cisco Prime Infrastructure 3.10 → Downloads.
Amsterdam 17.3.7	2.7	-	PI 3.10 + PI 3.10 latest maintenance release + PI 3.10 latest device pack See Cisco Prime Infrastructure 3.10 → Downloads.
Amsterdam 17.3.6	2.7	-	PI 3.10 + PI 3.10 latest maintenance release + PI 3.10 latest device pack See Cisco Prime Infrastructure 3.10 → Downloads.
Amsterdam 17.3.5	2.7	-	PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads.
Amsterdam 17.3.4	2.7	-	PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads.
Amsterdam 17.3.3	2.7	-	PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads.
Amsterdam 17.3.2a	2.7	-	PI 3.8 + PI 3.8 latest maintenance release + PI 3.8 latest device pack See Cisco Prime Infrastructure 3.8 → Downloads.
Amsterdam 17.3.1	2.7	-	PI 3.8 + PI 3.8 latest maintenance release + PI 3.8 latest device pack See Cisco Prime Infrastructure 3.8 → Downloads.
Amsterdam 17.2.1	2.7	-	PI 3.7 + PI 3.7 latest maintenance release + PI 3.7 latest device pack See Cisco Prime Infrastructure 3.7 → Downloads.
Amsterdam 17.1.1	2.7	-	PI 3.6 + PI 3.6 latest maintenance release + PI 3.6 latest device pack See Cisco Prime Infrastructure 3.6 → Downloads.
Gibraltar 16.12.8	2.6	-	PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads.
Gibraltar 16.12.7	2.6	-	PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads.
Gibraltar 16.12.6	2.6	-	PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads.
Gibraltar 16.12.5b	2.6	-	PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads.
Gibraltar 16.12.5	2.6	-	PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads.
Gibraltar 16.12.4	2.6	-	PI 3.8 + PI 3.8 latest maintenance release + PI 3.8 latest device pack See Cisco Prime Infrastructure 3.8 → Downloads.
Gibraltar 16.12.3a	2.6	-	PI 3.5 + PI 3.5 latest maintenance release + PI 3.5 latest device pack See Cisco Prime Infrastructure 3.5 → Downloads.
Gibraltar 16.12.3	2.6	-	PI 3.5 + PI 3.5 latest maintenance release + PI 3.5 latest device pack See Cisco Prime Infrastructure 3.5 → Downloads.
Gibraltar 16.12.2	2.6	-	PI 3.5 + PI 3.5 latest maintenance release + PI 3.5 latest device pack See Cisco Prime Infrastructure 3.5 → Downloads.
Gibraltar 16.12.1	2.6	-	PI 3.5 + PI 3.5 latest maintenance release + PI 3.5 latest device pack See Cisco Prime Infrastructure 3.5 → Downloads.
Gibraltar 16.11.1	2.6 2.4 Patch 5	5.4 5.5	PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4 → Downloads.
Gibraltar 16.10.1	2.3 Patch 1 2.4 Patch 1	5.4 5.5	PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads.
Fuji 16.9.8	2.5 2.1	5.4 5.5	PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads.
Fuji 16.9.7	2.5 2.1	5.4 5.5	PI 3.9 + PI 3.9 latest maintenance release + PI 3.9 latest device pack See Cisco Prime Infrastructure 3.9 → Downloads.
Fuji 16.9.6	2.3 Patch 1 2.4 Patch 1	5.4 5.5	PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads.
Fuji 16.9.5	2.3 Patch 1 2.4 Patch 1	5.4 5.5	PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads.
Fuji 16.9.4	2.3 Patch 1 2.4 Patch 1	5.4 5.5	PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads.
Fuji 16.9.3	2.3 Patch 1 2.4 Patch 1	5.4 5.5	PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads.
Fuji 16.9.2	2.3 Patch 1 2.4 Patch 1	5.4 5.5	PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads.
Fuji 16.9.1	2.3 Patch 1 2.4 Patch 1	5.4 5.5	PI 3.4 + PI 3.4 latest device pack See Cisco Prime Infrastructure 3.4→ Downloads.
Fuji 16.8.1a	2.3 Patch 1 2.4	5.4 5.5	PI 3.3 + PI 3.3 latest maintenance release + PI 3.3 latest device pack See Cisco Prime Infrastructure 3.3→ Downloads.
Everest 16.6.4a	2.2 2.3	5.4 5.5	PI 3.1.6 + Device Pack 13 See Cisco Prime Infrastructure 3.1 → Downloads.
Everest 16.6.4	2.2 2.3	5.4 5.5	PI 3.1.6 + Device Pack 13 See Cisco Prime Infrastructure 3.1 → Downloads.
Everest 16.6.3	2.2 2.3	5.4 5.5	PI 3.1.6 + Device Pack 13 See Cisco Prime Infrastructure 3.1 → Downloads
Everest 16.6.2	2.2 2.3	5.4 5.5	PI 3.1.6 + Device Pack 13 See Cisco Prime Infrastructure 3.1 → Downloads
Everest 16.6.1	2.2	5.4 5.5	PI 3.1.6 + Device Pack 13 See Cisco Prime Infrastructure 3.1 → Downloads
Everest 16.5.1a	2.1 Patch 3	5.4 5.5	-

Web UI System Requirements

The following subsections list the hardware and software required to access the Web UI:

Minimum Hardware Requirements


Processor Speed	DRAM	Number of Colors	Resolution	Font Size
233 MHz minimum²	512 MB³	256	1280 x 800 or higher	Small

² We recommend 1 GHz

³ We recommend 1 GB DRAM

Software Requirements

Operating Systems

Windows 10 or later
Mac OS X 10.9.5 or later

Browsers

Google Chrome—Version 59 or later (On Windows and Mac)
Microsoft Edge
Mozilla Firefox—Version 54 or later (On Windows and Mac)
Safari—Version 10 or later (On Mac)

ROMMON and CPLD Versions

ROM Monitor (ROMMON)

ROMMON, also known as the boot loader, is firmware that runs when the device is powered up or reset. It initializes the processor hardware and boots the operating system software (Cisco IOS XE software image). The ROMMON is stored on the following Serial Peripheral Interface (SPI) flash devices on your switch:

Primary: The ROMMON stored here is the one the system boots every time the device is powered-on or reset.
Golden: The ROMMON stored here is a backup copy. If the one in the primary is corrupted, the system automatically boots the ROMMON in the golden SPI flash device.

ROMMON upgrades may be required to resolve firmware defects, or to support new features, but there may not be new versions with every release.

Complex Programmable Logic Device (CPLD)

CPLD refers to hardware-programmable firmware. CPLD upgrades may be required to resolve firmware defects, or to support new features, but there may not be new versions with every release. CPLD version upgrade process must be completed after upgrading the software image.

The following table provides ROMMON and CPLD version information for the Cisco Catalyst 9400 Series Supervisor Modules. For ROMMON and CPLD version information of Cisco IOS XE 16.x.x releases, refer to the corresponding Cisco IOS XE 16.x.x release notes of the respective platform.


Release	ROMMON Version (C9400-SUP-1, C9400-SUP-1XL, C9400-SUP-1XL-Y)	CPLD Version (C9400-SUP-1, C9400-SUP-1XL, C9400-SUP-1XL-Y)	ROMMON Version (C9400X-SUP-2, C9400X-SUP-2XL)	CPLD Version (C9400X-SUP-2, C9400X-SUP-2XL)
Cupertino 17.7.1	17.6.1r[FC2]	20062105	17.7.1r[FC3]	21080305
Bengaluru 17.6.7	17.6.1r[FC2]	20062105	-	-
Bengaluru 17.6.6a	17.6.1r[FC2]	20062105	-	-
Bengaluru 17.6.6	17.6.1r[FC2]	20062105	-	-
Bengaluru 17.6.5	17.6.1r[FC2]	20062105	-	-
Bengaluru 17.6.4	17.6.1r[FC2]	20062105	-	-
Bengaluru 17.6.3	17.6.1r[FC2]	20062105	-	-
Bengaluru 17.6.2	17.6.1r[FC2]	20062105	-	-
Bengaluru 17.6.1	17.6.1r[FC2]	20062105	-	-
Bengaluru 17.5.1	17.5.1r	20062105	-	-
Bengaluru 17.4.1	17.3.1r[FC2]	20062105	-	-
Amsterdam 17.3.8a	17.3.1r[FC2]	19082605	-	-
Amsterdam 17.3.8	17.3.1r[FC2]	19082605	-	-
Amsterdam 17.3.7	17.3.1r[FC2]	19082605	-	-
Amsterdam 17.3.6	17.3.1r[FC2]	19082605	-	-
Amsterdam 17.3.5	17.3.1r[FC2]	19082605	-	-
Amsterdam 17.3.4	17.3.1r[FC2]	19082605	-	-
Amsterdam 17.3.3	17.3.1r[FC2]	19082605	-	-
Amsterdam 17.3.2a	17.3.1r[FC2]	19082605	-	-
Amsterdam 17.3.1	17.3.1r[FC2]	19082605	-	-
Amsterdam 17.2.1	17.1.1r	19082605	-	-
Amsterdam 17.1.1	17.1.1r	19032905	-	-

Upgrading the Switch Software

This section covers the various aspects of upgrading or downgrading the device software.

Note

You cannot use the Web UI to install, upgrade, or downgrade device software.

Finding the Software Version

The package files for the Cisco IOS XE software are stored on the system board flash device (flash:).

You can use the show version privileged EXEC command to see the software version that is running on your switch.

Note

Although the show version output always shows the software image running on the switch, the model name shown at the end of this display is the factory configuration and does not change if you upgrade the software license.

You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.

Software Images


Release	Image Type	File Name
Cisco IOS XE Cupertino 17.7.1	CAT9K_IOSXE	cat9k_iosxe.17.07.01.SPA.bin
Cisco IOS XE Cupertino 17.7.1	No Payload Encryption (NPE)	cat9k_iosxe_npe.17.07.01.SPA.bin

Upgrading the ROMMON

To know the ROMMON or bootloader version that applies to every major and maintenance release, see ROMMON and CPLD Versions.

You can upgrade the ROMMON before, or, after upgrading the software version. If a new ROMMON version is available for the software version you are upgrading to, proceed as follows:

Upgrading the ROMMON in the primary SPI flash device

This ROMMON is upgraded automatically. When you upgrade from an existing release on your switch to a later or newer release for the first time, and there is a new ROMMON version in the new release, the system automatically upgrades the ROMMON in the primary SPI flash device, based on the hardware version of the switch.

Upgrading the ROMMON in the golden SPI flash device

You must manually upgrade this ROMMON. Enter the upgrade rom-monitor capsule golden switch command in privileged EXEC mode.

Note

Golden ROMMON upgrade is only applicable to Cisco IOS XE Amsterdam 17.3.5 and later releases.
Golden ROMMON upgrade will fail if the FPGA version is 17101705 or older. To upgrade the FPGA version, see Upgrading the Complex Programmable Logic Device Version.
In case of a Cisco StackWise Virtual setup, upgrade the active and standby supervisor modules.
In case of a High Availability set up, upgrade the active and standby supervisor modules.

After the ROMMON is upgraded, it will take effect on the next reload. If you go back to an older release after this, the ROMMON is not downgraded. The updated ROMMON supports all previous releases.

Software Installation Commands


Summary of Software Installation Commands
To install and activate the specified file, and to commit changes to be persistent across reloads: `install add file filename [ activate commit]` To separately install, activate, commit, cancel, or remove the installation file: `install ?`
add file tftp: `filename`	Copies the install file package from a remote location to the device and performs a compatibility check for the platform and image versions.
activate `[` auto-abort-timer`]`	Activates the file, and reloads the device. The auto-abort-timer keyword automatically rolls back image activation.
commit	Makes changes persistent over reloads.
rollback to committed	Rolls back the update to the last committed version.
abort	Cancels file activation, and rolls back to the version that was running before the current installation procedure started.
remove	Deletes all unused and inactive software installation files.

Upgrading in Install Mode

Follow these instructions to upgrade from one release to another, in install mode. To perform a software image upgrade, you must be booted into IOS via boot flash:packages.conf .

Before you begin

Caution

You must comply with these cautionary guidelines during an upgrade:

Do not power cycle the switch.
Do not disconnect power or remove the supervisor module.
Do not perform an online insertion and replacement (OIR) of either supervisor (in a High Availability setup), if one of the supervisor modules in the chassis is in the process of a bootloader upgrade or when the switch is booting up.
Do not perform an OIR of a switching module (linecard) when the switch is booting up.

Note

Disconnecting and reconnecting power to a Cisco Catalyst 9400 Series Supervisor 1 Module within a 5-second window, can corrupt the boot SPI.

Note that you can use this procedure for the following upgrade scenarios.

When upgrading from ...

Permitted Supervisor Setup

(Applies to the release you are upgrading from)

First upgrade to...

To upgrade to ...

Cisco IOS XE Everest 16.6.1⁴

Upgrade a single supervisor, and complete the boot loader and CPLD upgrade. After completing the first supervisor upgrade, remove and swap in the second supervisor. After both supervisors are upgraded, they can be inserted and booted in a high availability setup.

Note

Do not simultaneously upgrade dual supervisors from Cisco IOS XE Everest 16.6.1 to a later release. Doing so may cause hardware damage.

Cisco IOS XE Everest 16.6.3

Follow the upgrade steps as in the Release Notes for Cisco Catalyst 9400 Series Switches, Cisco IOS XE Everest 16.6.x → Upgrading the Switch Software → Upgrading in Install Mode

Cisco IOS XE Cupertino 17.7.x

Cisco IOS XE Everest 16.6.2 and later releases

This procedure automatically copies the images to both active and standby supervisor modules. Both supervisor modules are simultaneously upgraded.

Not applicable

⁴

When upgrading from Cisco IOS XE Everest 16.6.1 to a later release, the upgrade may take a long time, and the system will reset three times due to rommon and complex programmable logic device (CPLD) upgrade. Stateful switchover is supported from Cisco IOS XE Everest 16.6.2

The sample output in this section displays upgrade from Cisco IOS XE Bengaluru 17.6.1 to Cisco IOS XE Cupertino 17.7.1 using install commands.

Procedure

Step 1

Clean-up

install remove inactive

Use this command to clean-up old installation files in case of insufficient space and to ensure that you have at least 1GB of space in flash, to expand a new image.

The following sample output displays the cleaning up of unused files, by using the install remove inactive command:

Switch# install remove inactive
install_remove: START Fri Jul 23 14:14:40 UTC 2021
Cleaning up unnecessary package files
No path specified, will use booted path flash:packages.conf
Cleaning flash:
Scanning boot directory for packages ... done.
Preparing packages list to delete ...
cat9k-cc_srdriver.17.06.01.SPA.pkg
File is in use, will not delete.
cat9k-espbase.17.06.01.SPA.pkg
File is in use, will not delete.
cat9k-rpbase.17.06.01.SPA.pkg
File is in use, will not delete.
cat9k-rpboot.17.06.01.SPA.pkg
File is in use, will not delete.
cat9k-sipbase.17.06.01.SPA.pkg
File is in use, will not delete.
cat9k-sipspa.17.06.01.SPA.pkg
File is in use, will not delete.
cat9k-srdriver.17.06.01.SPA.pkg
File is in use, will not delete.
cat9k-webui.17.06.01.SPA.pkg
File is in use, will not delete.
packages.conf
File is in use, will not delete.
done.
 
The following files will be deleted:
[R0]:
/flash/cat9k-cc_srdriver.17.06.01.SPA.pkg
/flash/cat9k-espbase.17.06.01.SPA.pkg
/flash/cat9k-guestshell.17.06.01.SPA.pkg
/flash/cat9k-rpbase.17.06.01.SPA.pkg
/flash/cat9k-rpboot.17.06.01.SPA.pkg
/flash/cat9k-sipbase.17.06.01.SPA.pkg
/flash/cat9k-sipspa.17.06.01.SPA.pkg
/flash/cat9k-srdriver.17.06.01.SPA.pkg
/flash/cat9k-webui.17.06.01.SPA.pkg
/flash/cat9k-wlc.17.06.01.SPA.pkg
/flash/packages.conf
/flash/cat9k_iosxe.17.06.01.SPA.bin
 
Do you want to remove the above files? [y/n]y
[R0]:
Deleting file flash:cat9k-cc_srdriver.17.06.01.SPA.pkg ... done.
Deleting file flash:cat9k-espbase.17.06.01.SPA.pkg ... done.
Deleting file flash:cat9k-guestshell.17.06.01.SPA.pkg ... done.
Deleting file flash:cat9k-rpbase.17.06.01.SPA.pkg ... done.
Deleting file flash:cat9k-rpboot.17.06.01.SPA.pkg ... done.
Deleting file flash:cat9k-sipbase.17.06.01.SPA.pkg ... done.
Deleting file flash:cat9k-sipspa.17.06.01.SPA.pkg ... done.
Deleting file flash:cat9k-srdriver.17.06.01.SPA.pkg ... done.
Deleting file flash:cat9k-webui.17.06.01.SPA.pkg ... done.
Deleting file flash:cat9k-wlc.17.06.01.SPA.pkg ... done.
Deleting file flash:packages.conf ... done.
SUCCESS: Files deleted.
SUCCESS: Files deleted.
--- Starting Post_Remove_Cleanup ---
Performing Post_Remove_Cleanup on Active/Standby
[R0] Post_Remove_Cleanup package(s) on R0
[R0] Finished Post_Remove_Cleanup on R0
Checking status of Post_Remove_Cleanup on [R0]
Post_Remove_Cleanup: Passed on [R0]
Finished Post_Remove_Cleanup
 
SUCCESS: install_remove Fri Jul 23 14:16:29 UTC 2021
Switch#

Step 2

Copy new image to flash

copy tftp:[[//location]/directory]/filenameflash:

Use this command to copy the new image from a TFTP server to flash memory. The location is either an IP address or a host name. The filename is specified relative to the directory used for file transfers. Skip this step if you want to use the new image from a TFTP server.

Switch# copy tftp://10.8.0.6/image/cat9k_iosxe.17.07.01.SPA.bin flash:
destination filename [cat9k_iosxe.17.07.01.SPA.bin]?
Accessing tftp://10.8.0.6/image/cat9k_iosxe.17.07.01.SPA.bin...
Loading /cat9k_iosxe.17.07.01.SPA.bin from 10.8.0.6 (via GigabitEthernet0/0): 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 601216545 bytes]
 
601216545 bytes copied in 50.649 secs (11870255 bytes/sec)

dir flash:

Use this command to confirm that the image has been successfully copied to flash.

Switch# dir flash:*.bin
Directory of flash:/*.bin
 
Directory of flash:/
 
434184 -rw- 601216545    Jul 23 2021 10:18:11 -07:00 cat9k_iosxe.17.07.01.SPA.bin
11353194496 bytes total (8976625664 bytes free)

Step 3

Set boot variable

boot system flash:packages.conf
Use this command to set the boot variable to flash:packages.conf .
```
Switch(config)# boot system flash:packages.conf
```
no boot manual
Use this command to configure the switch to auto-boot. Settings are synchronized with the standby switch, if applicable.
```
Switch(config)# no boot manual
Switch(config)# exit
```
write memory
Use this command to save boot settings.
```
Switch# write memory
```

show bootvar

Use this command to verify the boot variable (packages.conf) and manual boot setting (no):

Switch# show bootvar
BOOT variable = bootflash:packages.conf
MANUAL_BOOT variable = no
BAUD variable = 9600
ENABLE_BREAK variable = yes
BOOTMODE variable does not exist
IPXE_TIMEOUT variable does not exist
CONFIG_FILE variable = 

Standby BOOT variable = bootflash:packages.conf
Standby MANUAL_BOOT variable = no
Standby BAUD variable = 9600
Standby ENABLE_BREAK variable = yes
Standby BOOTMODE variable does not exist
Standby IPXE_TIMEOUT variable does not exist
Standby CONFIG_FILE variable =

Step 4

Install image to flash

install add file activate commit

Use this command to install the image.

The following sample output displays installation of the Cisco IOS XE Cupertino 17.7.1 software image in the flash memory:

Switch# install add file flash:cat9k_iosxe.17.07.01.SPA.bin
 activate commit

install_add_activate_commit: START Fri Jul 23 22:49:41 UTC 2021
 
*Jul 23 22:49:42.772: %IOSXE-5-PLATFORM: Switch 1 R0/0: Jul 23 22:49:42 install_engine.sh:
 %INSTALL-5-INSTALL_START_INFO: Started install one-shot flash:cat9k_iosxe.17.07.01.SPA.bin

install_add_activate_commit: Adding PACKAGE
 
--- Starting initial file syncing ---
Info: Finished copying flash:cat9k_iosxe.17.07.01.SPA.bin
 to the selected switch(es)
Finished initial file syncing
 
--- Starting Add ---
Performing Add on all members
[1] Add package(s) on switch 1
[1] Finished Add on switch 1
Checking status of Add on [1]
Add: Passed on [1]
Finished Add
 
install_add_activate_commit: Activating PACKAGE
 
/flash/cat9k-webui.17.07.01.SPA.pkg
/flash/cat9k-srdriver.17.07.01.SPA.pkg
/flash/cat9k-sipspa.17.07.01.SPA.pkg
/flash/cat9k-sipbase.17.07.01.SPA.pkg
/flash/cat9k-rpboot.17.07.01.SPA.pkg
/flash/cat9k-rpbase.17.07.01.SPA.pkg
/flash/cat9k-guestshell.17.07.01.SPA.pkg
/flash/cat9k-espbase.17.07.01.SPA.pkg
/flash/cat9k-cc_srdriver.17.07.01.SPA.pkg

This operation requires a reload of the system. Do you want to proceed? [y/n]y

--- Starting Activate ---
Performing Activate on all members
[1] Activate package(s) on switch 1
[1] Finished Activate on switch 1
Checking status of Activate on [1]
Activate: Passed on [1]
Finished Activate
 
--- Starting Commit ---
Performing Commit on all members
[1] Commit package(s) on switch 1
[1] Finished Commit on switch 1
Checking status of Commit on [1]
Commit: Passed on [1]
Finished Commit
 
Install will reload the system now!
 
Chassis 1 reloading, reason - Reload command
SUCCESS: install_add_activate_commit
/flash/cat9k-webui.17.07.01.SPA.pkg
/flash/cat9k-srdriver.17.07.01.SPA.pkg
/flash/cat9k-sipspa.17.07.01.SPA.pkg
/flash/cat9k-sipbase.17.07.01.SPA.pkg
/flash/cat9k-rpboot.17.07.01.SPA.pkg
/flash/cat9k-rpbase.17.07.01.SPA.pkg
/flash/cat9k-guestshell.17.07.01.SPA.pkg
/flash/cat9k-espbase.17.07.01.SPA.pkg
/flash/cat9k-cc_srdriver.17.07.01.SPA.pkg
Fri Jul 23 22:53:58 UTC 2021
Switch#

Note

Old files listed in the logs will not be removed from flash.

Step 5

Verify installation

After the software has been successfully installed, check that the ten new .pkg files and two .conf are in the flash partition, and also check the version installed on the switch.

dir flash:*.pkg

The following is sample output of the dir flash:*.pkg command:

Switch# dir flash:*.pkg
Directory of flash:/*.pkg
Directory of flash:/
475140 -rw- 2012104     Mar 20 2021 09:52:41 -07:00 cat9k-cc_srdriver.17.06.01.SPA.pkg
475141 -rw- 70333380    Mar 20 2021 09:52:44 -07:00 cat9k-espbase.17.06.01.SPA.pkg
475142 -rw- 13256       Mar 20 2021 09:52:44 -07:00 cat9k-guestshell.17.06.01.SPA.pkg
475143 -rw- 349635524   Mar 20 2021 09:52:54 -07:00 cat9k-rpbase.17.06.01.SPA.pkg
475149 -rw- 24248187    Mar 20 2021 09:53:02 -07:00 cat9k-rpboot.17.06.01.SPA.pkg
475144 -rw- 25285572    Mar 20 2021 09:52:55 -07:00 cat9k-sipbase.17.06.01.SPA.pkg
475145 -rw- 20947908    Mar 20 2021 09:52:55 -07:00 cat9k-sipspa.17.06.01.SPA.pkg
475146 -rw- 2962372     Mar 20 2021 09:52:56 -07:00 cat9k-srdriver.17.06.01.SPA.pkg
475147 -rw- 13284288    Mar 20 2021 09:52:56 -07:00 cat9k-webui.17.06.01.SPA.pkg
475148 -rw- 13248       Mar 20 2021 09:52:56 -07:00 cat9k-wlc.17.06.01.SPA.pkg

491524 -rw- 25711568    Jul 23 2021 11:49:33 -07:00  cat9k-cc_srdriver.17.07.01.SPA.pkg
491525 -rw- 78484428    Jul 23 2021 11:49:35 -07:00  cat9k-espbase.17.07.01.SPA.pkg
491526 -rw- 1598412     Jul 23 2021 11:49:35 -07:00  cat9k-guestshell.17.07.01.SPA.pkg
491527 -rw- 404153288   Jul 23 2021 11:49:47 -07:00  cat9k-rpbase.17.07.01.SPA.pkg
491533 -rw- 31657374    Jul 23 2021 11:50:09 -07:00  cat9k-rpboot.17.07.01.SPA.pkg
491528 -rw- 27681740    Jul 23 2021 11:49:48 -07:00  cat9k-sipbase.17.07.01.SPA.pkg
491529 -rw- 52224968    Jul 23 2021 11:49:49 -07:00  cat9k-sipspa.17.07.01.SPA.pkg
491530 -rw- 31130572    Jul 23 2021 11:49:50 -07:00  cat9k-srdriver.17.07.01.SPA.pkg
491531 -rw- 14783432    Jul 23 2021 11:49:51 -07:00  cat9k-webui.17.07.01.SPA.pkg
491532 -rw- 9160        Jul 23 2021 11:49:51 -07:00  cat9k-wlc.17.07.01.SPA.pkg
11353194496 bytes total (8963174400 bytes free)

dir flash:*.conf
The following is sample output of the dir flash:*.conf command. It displays the .conf files in the flash partition; note the two .conf files:
```
Switch# dir flash:*.conf
 
Directory of flash:/*.conf
Directory of flash:/

16631  -rw- 4882 Jul 23 2021 05:39:42 +00:00  packages.conf
16634  -rw- 4882 Jul 23 2021 05:34:06 +00:00  cat9k_iosxe.17.07.01.SPA.conf
```
- packages.conf—the file that has been re-written with the newly installed .pkg files
- cat9k_iosxe.17.07.01.SPA.conf— a backup copy of the newly installed packages.conf file

show install summary

The following is sample output of the show install summary command:

Switch# show install summary

[ R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
IMG C 17.07.01.0.58

--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------

show version

After the image boots up, use this command to verify the version of the new image.

The following sample output of the show version command displays the Cisco IOS XE Cupertino 17.7.1 image on the device:

Switch# show version
Cisco IOS XE Software, Version 17.07.01
Cisco IOS Software [Cupertino], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 17.7.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2021 by Cisco Systems, Inc.
<output truncated>

Downgrading in Install Mode

Follow these instructions to downgrade from one release to another, in install mode. To perform a software image downgrade, you must be booted into IOS via boot flash:packages.conf .

Before you begin

Note that you can use this procedure for the following downgrade scenarios:

When downgrading from ...

Permitted Supervisor Setup

(Applies to the release you are downgrading from)

To ...

Cisco IOS XE Cupertino 17.7.x

This procedure automatically copies the images to both active and standby supervisor modules. Both supervisor modules are simultaneously downgraded.

Note

Do not perform an Online Removal and Replacement (OIR) of either supervisor module during the process.

Cisco IOS XE Bengaluru 17.6.x or earlier releases.

Note

New switch models that are introduced in a release cannot be downgraded. The release in which a module is introduced is the minimum software version for that model. We recommend upgrading all existing hardware to the same release as the latest hardware.

The sample output in this section shows downgrade from Cisco IOS XE Cupertino 17.7.1 to Cisco IOS XE Bengaluru 17.6.1, using install commands.

Procedure

Step 1

Clean-up

install remove inactive

Use this command to clean-up old installation files in case of insufficient space and to ensure that you have at least 1GB of space in flash, to expand a new image.

The following sample output displays the cleaning up of unused files, by using the install remove inactive command:

Switch# install remove inactive
 install_remove: START Fri Jul 23 11:42:27 UTC 2021

Cleaning up unnecessary package files

No path specified, will use booted path bootflash:packages.conf

Cleaning bootflash:
  Scanning boot directory for packages ... done.
  Preparing packages list to delete ... 
    cat9k-cc_srdriver.17.07.01.SSA.pkg
      File is in use, will not delete.
    cat9k-espbase.17.07.01.SSA.pkg
      File is in use, will not delete.
    cat9k-guestshell.17.07.01.SSA.pkg
      File is in use, will not delete.
    cat9k-rpbase.17.07.01.SSA.pkg
      File is in use, will not delete.
    cat9k-rpboot.17.07.01.SSA.pkg
      File is in use, will not delete.
    cat9k-sipbase.17.07.01.SSA.pkg
      File is in use, will not delete.
    cat9k-sipspa.17.07.01.SSA.pkg
      File is in use, will not delete.
    cat9k-srdriver.17.07.01.SSA.pkg
      File is in use, will not delete.
    cat9k-webui.17.07.01.SSA.pkg
      File is in use, will not delete.
    cat9k-wlc.17.07.01.SSA.pkg
      File is in use, will not delete.
    packages.conf
      File is in use, will not delete.
  done.
SUCCESS: No extra package or provisioning files found on media. Nothing to clean.

SUCCESS: install_remove  Fri Jul 23 11:42:39 UTC 2021

--- Starting Post_Remove_Cleanup ---
Performing Post_Remove_Cleanup on all members
[1] Post_Remove_Cleanup package(s) on switch 1
[1] Finished Post_Remove_Cleanup on switch 1
Checking status of Post_Remove_Cleanup on [1]
Post_Remove_Cleanup: Passed on [1]
Finished Post_Remove_Cleanup
 
SUCCESS: install_remove Fri Jul 23 19:52:25 UTC 2021
Switch#

Step 2

Copy new image to flash

copy tftp:[[//location]/directory]/filenameflash:

Switch# copy tftp://10.8.0.6/image/cat9k_iosxe.17.06.01.SPA.bin flash:
Destination filename [cat9k_iosxe.17.06.01.SPA.bin]?
Accessing tftp://10.8.0.6//cat9k_iosxe.17.06.01.SPA.bin...
Loading /cat9k_iosxe.17.06.01.SPA.bin from 10.8.0.6 (via GigabitEthernet0/0): 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 508584771 bytes]
508584771 bytes copied in 101.005 secs (5035244 bytes/sec)

dir flash:

Use this command to confirm that the image has been successfully copied to flash.

Switch# dir flash:*.bin
Directory of flash:/*.bin
 
Directory of flash:/
 
434184 -rw- 508584771 Jul 23 2021 13:35:16 -07:00 cat9k_iosxe.17.06.01.SPA.bin
11353194496 bytes total (9055866880 bytes free)

Step 3

Set boot variable

boot system flash:packages.conf
Use this command to set the boot variable to flash:packages.conf .
```
Switch(config)# boot system flash:packages.conf
```
no boot manual
Use this command to configure the switch to auto-boot. Settings are synchronized with the standby switch, if applicable.
```
Switch(config)# no boot manual
Switch(config)# exit
```
write memory
Use this command to save boot settings.
```
Switch# write memory
```

show bootvar

Use this command to verify the boot variable (packages.conf) and manual boot setting (no):

Switch# show bootvar
BOOT variable = bootflash:packages.conf
MANUAL_BOOT variable = no
BAUD variable = 9600
ENABLE_BREAK variable = yes
BOOTMODE variable does not exist
IPXE_TIMEOUT variable does not exist
CONFIG_FILE variable = 

Standby BOOT variable = bootflash:packages.conf
Standby MANUAL_BOOT variable = no
Standby BAUD variable = 9600
Standby ENABLE_BREAK variable = yes
Standby BOOTMODE variable does not exist
Standby IPXE_TIMEOUT variable does not exist
Standby CONFIG_FILE variable =

Step 4

Downgrade software image

Use one of these options, to downgrade:

install add file activate commit
install rollback to committed

The following example displays the installation of the cat9k_iosxe.17.06.01.SPA.bin software image to flash, to downgrade the switch by using the install add file activate commit command. You can point to the source image on your tftp server or in flash if you have it copied to flash.

Switch# install add file flash:cat9k_iosxe.17.06.01.SPA.bin activate commit

install_add_activate_commit: START Fri 23 Jul 22:49:41 UTC 2021

*Jul 23 22:49:42.772: %IOSXE-5-PLATFORM: Switch 1 R0/0: Jul 23 22:49:42 install_engine.sh:
%INSTALL-5-INSTALL_START_INFO: Started install one-shot flash:cat9k_iosxe.17.06.01.SPA.bininstall_add_activate_commit: Adding PACKAGE
 
--- Starting initial file syncing ---
Info: Finished copying flash:cat9k_iosxe.17.06.01.SPA.bin to the selected switch(es)
Finished initial file syncing
 
--- Starting Add ---
Performing Add on all members
[1] Add package(s) on switch 1
[1] Finished Add on switch 1
Checking status of Add on [1]
Add: Passed on [1]
Finished Add
 
install_add_activate_commit: Activating PACKAGE
 
/flash/cat9k-webui.17.06.01.SPA.pkg
/flash/cat9k-srdriver.17.06.01.SPA.pkg
/flash/cat9k-sipspa.17.06.01.SPA.pkg
/flash/cat9k-sipbase.17.06.01.SPA.pkg
/flash/cat9k-rpboot.17.06.01.SPA.pkg
/flash/cat9k-rpbase.17.06.01.SPA.pkg
/flash/cat9k-espbase.17.06.01.SPA.pkg
/flash/cat9k-cc_srdriver.17.06.01.SPA.pkg
 
This operation requires a reload of the system. Do you want to proceed? [y/n]y

--- Starting Activate ---
Performing Activate on all members
[1] Activate package(s) on switch 1
[1] Finished Activate on switch 1
Checking status of Activate on [1]
Activate: Passed on [1]
Finished Activate
 
--- Starting Commit ---
Performing Commit on all members
[1] Commit package(s) on switch 1
[1] Finished Commit on switch 1
Checking status of Commit on [1]
Commit: Passed on [1]
Finished Commit
 
Install will reload the system now!
 
Chassis 1 reloading, reason - Reload command
SUCCESS: install_add_activate_commit
/flash/cat9k-webui.17.06.01.SPA.pkg
/flash/cat9k-srdriver.17.06.01.SPA.pkg
/flash/cat9k-sipspa.17.06.01.SPA.pkg
/flash/cat9k-sipbase.17.06.01.SPA.pkg
/flash/cat9k-rpboot.17.06.01.SPA.pkg
/flash/cat9k-rpbase.17.06.01.SPA.pkg
/flash/cat9k-guestshell.17.06.01.SPA.pkg
/flash/cat9k-espbase.17.06.01.SPA.pkg
/flash/cat9k-cc_srdriver.17.06.01.SPA.pkg
Fri Jul 23 22:53:58 UTC 2021
Switch#

The following example displays sample output when downgrading the switch by using the install rollback to committed command.

Caution

Use the install rollback to committed command for downgrading, only if the version you want to downgrade to, is committed.

Switch# install rollback to committed

install_rollback: START Fri 23 Jul 14:24:56 UTC 2021
 
This operation requires a reload of the system. Do you want to proceed? [y/n]
*Jul 23 14:24:57.555: %IOSXE-5-PLATFORM: R0/0: Jul 23 14:24:57 install_engine.sh: 
%INSTALL-5-INSTALL_START_INFO: Started install rollbacky
--- Starting Rollback ---
Performing Rollback on Active/Standby
 
WARNING: Found 55 disjoint TDL objects.
[R0] Rollback package(s) on R0
--- Starting rollback impact ---

Changes that are part of this rollback
Current : rp 0 0 rp_boot cat9k-rpboot.17.07.01.SPA.pkg
Current : rp 1 0 rp_boot cat9k-rpboot.17.07.01.SPA.pkg
Replacement: rp 0 0 rp_boot cat9k-rpboot.17.06.01.SPA.pkg
Replacement: rp 1 0 rp_boot cat9k-rpboot.17.06.01.SPA.pkg
Current : cc 0  0 cc_srdriver cat9k-cc_srdriver.17.07.01.SPA.pkg
Current : cc 0  0 cc cat9k-sipbase.17.07.01.SPA.pkg
Current : cc 0  0 cc_spa cat9k-sipspa.17.07.01.SPA.pkg
Current : cc 1  0 cc_srdriver cat9k-cc_srdriver.17.07.01.SPA.pkg
Current : cc 1  0 cc cat9k-sipbase.17.07.01.SPA.pkg
Current : cc 1  0 cc_spa cat9k-sipspa.17.07.01.SPA.pkg
Current : cc 10 0 cc cat9k-sipbase.17.07.01.SPA.pkg
Current : cc 10 0 cc_spa cat9k-sipspa.17.07.01.SPA.pkg
Current : cc 10 0 cc_srdriver cat9k-cc_srdriver.17.07.01.SPA.pkg
Current : cc 2  0 cc_srdriver cat9k-cc_srdriver.17.07.01.SPA.pkg
Current : cc 2  0 cc cat9k-sipbase.17.07.01.SPA.pkg
Current : cc 2  0 cc_spa cat9k-sipspa.17.07.01.SPA.pkg
Current : cc 3  0 cc_srdriver cat9k-cc_srdriver.17.07.01.SPA.pkg
Current : cc 3  0 cc cat9k-sipbase.17.07.01.SPA.pkg
Current : cc 3  0 cc_spa cat9k-sipspa.17.07.01.SPA.pkg
Current : cc 4  0 cc_srdriver cat9k-cc_srdriver.17.07.01.SPA.pkg
Current : cc 4  0 cc cat9k-sipbase.17.07.01.SPA.pkg
Current : cc 4  0 cc_spa cat9k-sipspa.17.07.01.SPA.pkg
Current : cc 5  0 cc_srdriver cat9k-cc_srdriver.17.07.01.SPA.pkg
Current : cc 5  0 cc cat9k-sipbase.17.07.01.SPA.pkg
Current : cc 5  0 cc_spa cat9k-sipspa.17.07.01.SPA.pkg
Current : cc 6  0 cc_srdriver cat9k-cc_srdriver.17.07.01.SPA.pkg
Current : cc 6  0 cc cat9k-sipbase.17.07.01.SPA.pkg
Current : cc 6  0 cc_spa cat9k-sipspa.17.07.01.SPA.pkg
Current : cc 7  0 cc_srdriver cat9k-cc_srdriver.17.07.01.SPA.pkg
Current : cc 7  0 cc cat9k-sipbase.17.07.01.SPA.pkg
Current : cc 7  0 cc_spa cat9k-sipspa.17.07.01.SPA.pkg
Current : cc 8  0 cc_srdriver cat9k-cc_srdriver.17.07.01.SPA.pkg
Current : cc 8  0 cc cat9k-sipbase.17.07.01.SPA.pkg
Current : cc 8  0 cc_spa cat9k-sipspa.17.07.01.SPA.pkg
Current : cc 9  0 cc_srdriver cat9k-cc_srdriver.17.07.01.SPA.pkg
Current : cc 9  0 cc cat9k-sipbase.17.07.01.SPA.pkg
Current : cc 9  0 cc_spa cat9k-sipspa.17.07.01.SPA.pkg
Current : fp 0  0 fp cat9k-espbase.17.07.01.SPA.pkg
Current : fp 1  0 fp cat9k-espbase.17.07.01.SPA.pkg
Current : rp 0  0 guestshell cat9k-guestshell.17.07.01.SPA.pkg
Current : rp 0  0 rp_base cat9k-rpbase.17.07.01.SPA.pkg
Current : rp 0  0 rp_daemons cat9k-rpbase.17.07.01.SPA.pkg
Current : rp 0  0 rp_iosd cat9k-rpbase.17.07.01.SPA.pkg
Current : rp 0  0 rp_security cat9k-rpbase.17.07.01.SPA.pkg
Current : rp 0  0 rp_webui cat9k-webui.17.07.01.SPA.pkg
Current : rp 0  0 rp_wlc cat9k-wlc.17.07.01.SPA.pkg
Current : rp 0  0 srdriver cat9k-srdriver.17.07.01.SPA.pkg
Current : rp 1  0 guestshell cat9k-guestshell.17.07.01.SPA.pkg
Current : rp 1  0 rp_base cat9k-rpbase.17.07.01.SPA.pkg
Current : rp 1  0 rp_daemons cat9k-rpbase.17.07.01.SPA.pkg
Current : rp 1  0 rp_iosd cat9k-rpbase.17.07.01.SPA.pkg
Current : rp 1  0 rp_security cat9k-rpbase.17.07.01.SPA.pkg
Current : rp 1  0 rp_webui cat9k-webui.17.07.01.SPA.pkg
Current : rp 1  0 rp_wlc cat9k-wlc.17.07.01.SPA.pkg
Current : rp 1  0 srdriver cat9k-srdriver.17.07.01.SPA.pkg
Replacement: cc 0  0 cc_srdriver cat9k-cc_srdriver.17.06.01.SPA.pkg
Replacement: cc 0  0 cc cat9k-sipbase.17.06.01.SPA.pkg
Replacement: cc 0  0 cc_spa cat9k-sipspa.17.06.01.SPA.pkg
Replacement: cc 1  0 cc_srdriver cat9k-cc_srdriver.17.06.01.SPA.pkg
Replacement: cc 1  0 cc cat9k-sipbase.17.06.01.SPA.pkg
Replacement: cc 1  0 cc_spa cat9k-sipspa.17.06.01.SPA.pkg
Replacement: cc 10 0 cc cat9k-sipbase.17.06.01.SPA.pkg
Replacement: cc 10 0 cc_spa cat9k-sipspa.17.06.01.SPA.pkg
Replacement: cc 10 0 cc_srdriver cat9k-cc_srdriver.17.06.01.SPA.pkg
Replacement: cc 2  0 cc_srdriver cat9k-cc_srdriver.17.06.01.SPA.pkg
Replacement: cc 2  0 cc cat9k-sipbase.17.06.01.SPA.pkg
Replacement: cc 2  0 cc_spa cat9k-sipspa.17.06.01.SPA.pkg
Replacement: cc 3  0 cc_srdriver cat9k-cc_srdriver.17.06.01.SPA.pkg
Replacement: cc 3  0 cc cat9k-sipbase.17.06.01.SPA.pkg
Replacement: cc 3  0 cc_spa cat9k-sipspa.17.06.01.SPA.pkg
Replacement: cc 4  0 cc_srdriver cat9k-cc_srdriver.17.06.01.SPA.pkg
Replacement: cc 4  0 cc cat9k-sipbase.17.06.01.SPA.pkg
Replacement: cc 4  0 cc_spa cat9k-sipspa.17.06.01.SPA.pkg
Replacement: cc 5  0 cc_srdriver cat9k-cc_srdriver.17.06.01.SPA.pkg
Replacement: cc 5  0 cc cat9k-sipbase.17.06.01.SPA.pkg
Replacement: cc 5  0 cc_spa cat9k-sipspa.17.06.01.SPA.pkg
Replacement: cc 6  0 cc_srdriver cat9k-cc_srdriver.17.06.01.SPA.pkg
Replacement: cc 6  0 cc cat9k-sipbase.17.06.01.SPA.pkg
Replacement: cc 6  0 cc_spa cat9k-sipspa.17.06.01.SPA.pkg
Replacement: cc 7  0 cc_srdriver cat9k-cc_srdriver.17.06.01.SPA.pkg
Replacement: cc 7  0 cc cat9k-sipbase.17.06.01.SPA.pkg
Replacement: cc 7  0 cc_spa cat9k-sipspa.17.06.01.SPA.pkg
Replacement: cc 8  0 cc_srdriver cat9k-cc_srdriver.17.06.01.SPA.pkg
Replacement: cc 8  0 cc cat9k-sipbase.17.06.01.SPA.pkg
Replacement: cc 8  0 cc_spa cat9k-sipspa.17.06.01.SPA.pkg
Replacement: cc 9  0 cc_srdriver cat9k-cc_srdriver.17.06.01.SPA.pkg
Replacement: cc 9  0 cc cat9k-sipbase.17.06.01.SPA.pkg
Replacement: cc 9  0 cc_spa cat9k-sipspa.17.06.01.SPA.pkg
Replacement: fp 0  0 fp cat9k-espbase.17.06.01.SPA.pkg
Replacement: fp 1  0 fp cat9k-espbase.17.06.01.SPA.pkg
Replacement: rp 0  0 guestshell cat9k-guestshell.17.06.01.SPA.pkg
Replacement: rp 0  0 rp_base cat9k-rpbase.17.06.01.SPA.pkg
Replacement: rp 0  0 rp_daemons cat9k-rpbase.17.06.01.SPA.pkg
Replacement: rp 0  0 rp_iosd cat9k-rpbase.17.06.01.SPA.pkg
Replacement: rp 0  0 rp_security cat9k-rpbase.17.06.01.SPA.pkg
Replacement: rp 0  0 rp_webui cat9k-webui.17.06.01.SPA.pkg
Replacement: rp 0  0 srdriver cat9k-srdriver.17.06.01.SPA.pkg
Replacement: rp 1  0 guestshell cat9k-guestshell.17.06.01.SPA.pkg
Replacement: rp 1  0 rp_base cat9k-rpbase.17.06.01.SPA.pkg
Replacement: rp 1  0 rp_daemons cat9k-rpbase.17.06.01.SPA.pkg
Replacement: rp 1  0 rp_iosd cat9k-rpbase.17.06.01.SPA.pkg
Replacement: rp 1  0 rp_security cat9k-rpbase.17.06.01.SPA.pkg
Replacement: rp 1  0 rp_webui cat9k-webui.17.06.01.SPA.pkg
Replacement: rp 1  0 srdriver cat9k-srdriver.17.06.01.SPA.pkg

Finished rollback impact
[R0] Finished Rollback on R0
Checking status of Rollback on [R0]
Rollback: Passed on [R0]
Finished Rollback
 
Install will reload the system now!
SUCCESS: install_rollback Fri 23 Jul 14:26:35 UTC 2021
 
Switch#
*Jul 23 14:26:35.880: %IOSXE-5-PLATFORM: R0/0: Jul 23 14:26:35 install_engine.sh: %INSTALL-5-INSTALL_COMPLETED_INFO: Completed install rollback PACKAGE
*Jul 23 14:26:37.740: %IOSXE_OIR-6-REMCARD: Card (rp) removed from slot R1
*Jul 23 14:26:39.253: %IOSXE_OIR-6-INSCARD: Card (rp) inserted in slot R1 Jul 23 14:26:5
 
Initializing Hardware...

System Bootstrap, Version 17.3.1r
Compiled Tue 03/16/2021 10:19:23.77 by rel

Current image running:
Primary Rommon Image
 
Last reset cause: SoftwareResetTrig
C9400-SUP-1 platform with 16777216 Kbytes of main memory
 
Preparing to autoboot. [Press Ctrl-C to interrupt] 0
attempting to boot from [bootflash:packages.conf]
 
Located file packages.conf
#
#################################################################################################################################################################################################################################################################################################
 
Warning: ignoring ROMMON var "BOOT_PARAM"
Warning: ignoring ROMMON var "USER_BOOT_PARAM"
 
Restricted Rights Legend
 
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
 
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS XE Software, Version 17.06.01
Cisco IOS Software [Bengaluru], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 17.06.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Fri 23-Jul-21 23:25 by mcpre
 
Cisco IOS-XE software, Copyright (c) 2005-2017 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

FIPS: Flash Key Check : Begin
FIPS: Flash Key Check : End, Not Found, FIPS Mode Not Enabled
 
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
 
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
 
If you require further assistance please contact us by sending email to
export@cisco.com.
 
cisco C9410R (X86) processor (revision V00) with 868521K/6147K bytes of memory.
Processor board ID FXS2118Q1GM
312 Gigabit Ethernet interfaces
40 Ten Gigabit Ethernet interfaces
4 Forty Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
15958516K bytes of physical memory.
11161600K bytes of Bootflash at bootflash:.
1638400K bytes of Crash Files at crashinfo:.
0K bytes of WebUI ODM Files at webui:.
 
%INIT: waited 0 seconds for NVRAM to be available
 
Press RETURN to get started!

Step 5

Verify version

show version

After the image boots up, use this command to verify the version of the new image.

Note

When you downgrade the software image, the ROMMON version does not downgrade. It remains updated.

The following sample output of the show version command displays the Cisco IOS XE Bengaluru 17.6.1 image on the device:

Switch# show version
Cisco IOS XE Software, Version 17.06.01
Cisco IOS Software [Bengaluru], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 17.6.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
<output truncated>

Upgrading the Complex Programmable Logic Device Version

You can trigger a CPLD version upgrade after upgrading the software image. During CPLD upgrade, the supervisor module automatically power cycles. This completes the CPLD upgrade process for the supervisor module but also causes traffic disruption. Therefore, auto-upgrade of CPLD is not supported. You must manually perform CPLD upgrade.

Upgrading the CPLD Version: High Availability Setup

Beginning in the privileged EXEC mode, complete the following steps:

Before you begin

When performing the CPLD version upgrade as shown, the show platform command can be used to confirm the CPLD version after the upgrade. This command output shows the CPLD version on all modules. However, the CPLD upgrade only applies to the supervisors, not the line cards. The line cards CPLD version is a cosmetic display. After the upgrade is completed in a high availability setup, the supervisors will be upgraded, but the line cards will still show the old CPLD version. The version mismatch between the supervisors and line cards is expected until a chassis reload.

Procedure

Step 1

Upgrade the CPLD Version of the standby supervisor module

Enter the following commands on the active supervisor:

Device# configure terminal
Device(config)# service internal
Device(config)# exit
Device# upgrade hw-programmable cpld filename bootflash: rp standby

The standby supervisor module reloads automatically and the upgrade occurs in ROMMON. During the upgrade, the supervisor module automatically power cycles and remains inactive for approximately 5 minutes.

Wait until the standby supervisor module boots up and the SSO has formed (HOT) before you proceed to the next step; this takes approximately 17 minutes.

Step 2

Perform a switch over

Device# redundancy force-switchover

This causes the standby supervisor (on which you have completed the CPLD upgrade in Step 1) to become the active supervisor module

Step 3

Upgrade the CPLD Version of the new standby supervisor module

Repeat Step 1 and all its substeps.

Note

Do not operate an HA system with mismatched FPGA versions. FPGA version should be upgraded on both the supervisors one at a time.

Upgrading the CPLD Version: Cisco StackWise Virtual Setup

Beginning in the privileged EXEC mode, complete the following steps:

Procedure

Step 1

Upgrade the CPLD version of the standby supervisor module

Enter the following commands on the active supervisor:

Device# configure terminal
Device(config)# service internal
Device(config)# exit

Device# upgrade hw-programmable cpld filename bootflash: switch standby r1

Note

For the upgrade hw-programmable cpld filename bootflash command, configure with the switch keyword only. The other available keywords are not applicable when upgrading with Cisco StackWise Virtual.

Step 2

Reload the standby supervisor module

Device# redundancy reload peer

The upgrade occurs in ROMMON. During the upgrade, the supervisor module automatically power cycles and remains inactive for approximately 5 minutes.

Wait until the standby supervisor module boots up and the SSO has formed (HOT) before you proceed to the next step; this takes approximately 17 minutes.

Step 3

Perform a switch over

Device# redundancy force-switchover

This causes the standby supervisor (on which you have completed the CPLD upgrade in step 1) to become the active supervisor module

Step 4

Upgrade the CPLD version of the new standby supervisor module

Perfom Steps 1 and 2, including all substeps, on the new standby supervisor module

Upgrading the CPLD Version: Single Supervisor Module Setup

Beginning in the privileged EXEC mode, complete the following steps:

Procedure

Upgrade the CPLD version of the active supervisor module

Enter the following commands on the active supervisor:

Device# configure terminal
Device(config)# service internal
Device(config)# exit
Device# upgrade hw-programmable cpld filename bootflash: rp active

The supervisor module reloads automatically and the upgrade occurs in ROMMON. During the upgrade, the supervisor module automatically power cycles and remains inactive for approximately 5 minutes.

Licensing

This section provides information about the licensing packages for features available on Cisco Catalyst 9000 Series Switches.

License Levels

The software features available on Cisco Catalyst 9400 Series Switches fall under these base or add-on license levels.

Base Licenses

Network Essentials
Network Advantage—Includes features available with the Network Essentials license and more.

Add-On Licenses

Add-On Licenses require a Network Essentials or Network Advantage as a pre-requisite. The features available with add-on license levels provide Cisco innovations on the switch, as well as on the Cisco Digital Network Architecture Center (Cisco DNA Center).

DNA Essentials
DNA Advantage— Includes features available with the DNA Essentials license and more.

To find information about platform support and to know which license levels a feature is available with, use Cisco Feature Navigator. To access Cisco Feature Navigator, go to https://cfnng.cisco.com. An account on cisco.com is not required.

Available Licensing Models and Configuration Information

Cisco IOS XE Fuji 16.8.x and earlier: RTU Licensing is the default and the only supported method to manage licenses.
Cisco IOS XE Fuji 16.9.1 to Cisco IOS XE Amsterdam 17.3.1: Smart Licensing is the default and the only supported method to manage licenses.

In the software configuration guide of the required release, see System Management → Configuring Smart Licensing.
Cisco IOS XE Amsterdam 17.3.2a and later: Smart Licensing Using Policy, which is an enhanced version of Smart Licensing, is the default and the only supported method to manage licenses.

In the software configuration guide of the required release (17.3.x onwards), see System Management → Smart Licensing Using Policy.

For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide.

License Levels - Usage Guidelines

The duration or term for which a purchased license is valid:


Smart Licensing Using Policy	Smart Licensing
Perpetual: There is no expiration date for such a license. Subscription: The license is valid only until a certain date (for a three, five, or seven year period).	Permanent: for a license level, and without an expiration date. Term: for a license level, and for a three, five, or seven year period. Evaluation: a license that is not registered.

Base licenses (Network Essentials and Network-Advantage) are ordered and fulfilled only with a perpetual or permanent license type.
Add-on licenses (DNA Essentials and DNA Advantage) are ordered and fulfilled only with a subscription or term license type.
An add-on license level is included when you choose a network license level. If you use DNA features, renew the license before term expiry, to continue using it, or deactivate the add-on license and then reload the switch to continue operating with the base license capabilities.

When ordering an add-on license with a base license, note the combinations that are permitted and those that are not permitted:

Table 1. Permitted Combinations
	DNA Essentials	DNA Advantage
Network Essentials	Yes	No
Network Advantage	Yes⁵	Yes

⁵ You will be able to purchase this combination only at the time of the DNA license renewal and not when you purchase DNA-Essentials the first time.

Evaluation licenses cannot be ordered. They are not tracked via Cisco Smart Software Manager and expire after a 90-day period. Evaluation licenses can be used only once on the switch and cannot be regenerated. Warning system messages about an evaluation license expiry are generated only 275 days after expiration and every week thereafter. An expired evaluation license cannot be reactivated after reload. This applies only to Smart Licensing. The notion of evaluation licenses does not apply to Smart Licensing Using Policy.

Scaling Guidelines

For information about feature scaling guidelines, see these datasheets for Cisco Catalyst 9400 Series Switches:

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9400-series-switches/nb-06-cat9400-ser-data-sheet-cte-en.html

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9400-series-switches/nb-06-cat9600-series-line-data-sheet-cte-en.html

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9400-series-switches/nb-06-cat9400-ser-sup-eng-data-sheet-cte-en.html

Limitations and Restrictions

Control Plane Policing (CoPP)—The show run command does not display information about classes configured under system-cpp policy, when they are left at default values. Use the show policy-map system-cpp-policy or the show policy-map control-plane commands in privileged EXEC mode instead.
Cisco TrustSec restrictions—Cisco TrustSec can be configured only on physical interfaces, not on logical interfaces.
Flexible NetFlow limitations
- You cannot configure NetFlow export using the Ethernet Management port (GigabitEthernet0/0).
- You can not configure a flow monitor on logical interfaces, such as layer 2 port-channels, loopback, tunnels.
- You can not configure multiple flow monitors of same type (ipv4, ipv6 or datalink) on the same interface for same direction.
Hardware limitations—When you use Cisco QSFP-4SFP10G-CUxM Direct-Attach Copper Cables, autonegotiation is enabled by default. If the other end of the line does not support autonegotation, the link does not come up.
Interoperability limitations—When you use Cisco QSFP-4SFP10G-CUxM Direct-Attach Copper Cables, if one end of the 40G link is a Catalyst 9400 Series Switch and the other end is a Catalyst 9500 Series Switch, the link does not come up, or comes up on one side and stays down on the other. To avoid this interoperability issue between devices, apply the the speed nonegotiate command on the Catalyst 9500 Series Switch interface. This command disables autonegotiation and brings the link up. To restore autonegotiation, use the no speed nonegotiation command.
In-Service Software Upgrade (ISSU)
- ISSU from Cisco IOS XE Fuji 16.9.x to Cisco IOS XE Gibraltar 16.10.x or to Cisco IOS XE Gibraltar 16.11.x is not supported. This applies to both a single and dual supervisor module setup.
- While performing ISSU from Cisco IOS XE Fuji 16.9.x to Cisco IOS XE Gibraltar 16.12.x, if interface-id snmp-if-index command is not configured with OSPFv3, packet loss can occur. Configure the interface-id snmp-if-index command either during the maintenance window or after isolating the device (by using maintenance mode feature) from the network before doing the ISSU.
- While ISSU allows you to perform upgrades with zero downtime, we recommend you to do so during a maintenance window only.
- If a new feature introduced in a software release requires a change in configuration, the feature should not be enabled during ISSU.
- If a feature is not available in the downgraded version of a software image, the feature should be disabled before initiating ISSU.
M.2 SATA SSD drive: With bootloader version 16.6.2r, you cannot access the M.2 SATA SSD drive at the ROMMON prompt (rommon> dir disk0). The system displays an error message indicating that the corresponding file system protocol is not found on the device. The only way to access the drive when on bootloader version 16.6.2r, is through the Cisco IOS prompt, after boot up.
No service password recovery—With ROMMON versions R16.6.1r and R16.6.2r, the 'no service password-recovery' feature is not available.
QoS restrictions
- When configuring QoS queuing policy, the sum of the queuing buffer should not exceed 100%.
- Policing and marking policy on sub interfaces is supported.
- Marking policy on switched virtual interfaces (SVI) is supported.
- QoS policies are not supported for port-channel interfaces, tunnel interfaces, and other logical interfaces.
- Stack Queuing and Scheduling (SQS) drops CPU bound packets exceeding 1.4 Gbps.

Redundancy—The supervisor module (hardware) supports redundancy. Software redundancy is supported starting with Cisco IOS XE Everest 16.6.2. However, the associated route processor redundancy (RPR) feature is not supported.

Before performing a switchover, use the show redundancy , show platform , and show platform software iomd redundancy commands to ensure that both the SSOs have formed and that the IOMD process is completed.

In the following sample output for the show redundancy , note that both the SSOs have formed.

Switch# show redundancy
Redundant System Information :
------------------------------
Available system uptime = 3 hours, 30 minutes
Switchovers system experienced = 2
Standby failures = 0
Last switchover reason = active unit removed

Hardware Mode = Duplex
Configured Redundancy Mode = sso
Operating Redundancy Mode = sso
Maintenance Mode = Disabled
Communications = Up

Current Processor Information :
-------------------------------
Active Location = slot 3
Current Software state = ACTIVE
Uptime in current state = 2 hours, 57 minutes
Image Version = Cisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.8.1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Tue 27-Mar-18 13:43 by mcpre
BOOT = bootflash:packages.conf;
CONFIG_FILE =
Configuration register = 0x1822

Peer Processor Information :
----------------------------
Standby Location = slot 4
Current Software state = STANDBY HOT
Uptime in current state = 2 hours, 47 minutes
Image Version = Cisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.8.1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Tue 27-Mar-18 13:43 by mcpre
BOOT = bootflash:packages.conf;
CONFIG_FILE =
Configuration register = 0x1822

In the following sample output for the show platform software iomd redundancy command, note that both SSOs have formed and the HA_STATE field is ready.

Switch# show platform software iomd redundancy
Configured Redundancy Mode = sso
Operating Redundancy Mode = sso
Local RF state = ACTIVE
Peer RF state = STANDBY HOT
 
slot  PSM STATE   SPA INTF   HA_STATE HA_ACTIVE
   1     ready   started     ready    00:01:16
   2     ready   started     ready    00:01:22
   3     ready   started     ready    00:01:27 ***active RP
   4     ready   started     ready    00:01:27
<output truncated>

In the following sample output for the show platform command, note that the State for all the linecards and supervisor modules is ok. This indicates that the IOMD processes are completed.

Switch# show platform
Chassis type: C9407R             
 
Slot      Type                State                 Insert time (ago)
--------- ------------------- --------------------- -----------------
1         C9400-LC-24XS       ok                    3d09h        
2         C9400-LC-48U        ok                    3d09h        
R0        C9400-SUP-1         ok, active            3d09h        
R1        C9400-SUP-1         ok, standby           3d09h        
P1        C9400-PWR-3200AC    ok                    3d08h        
P2        C9400-PWR-3200AC    ok                    3d08h        
P17       C9407-FAN           ok                    3d08h  
<output truncated>

Secure Shell (SSH)
- Use SSH Version 2. SSH Version 1 is not supported.
- When the device is running SCP and SSH cryptographic operations, expect high CPU until the SCP read process is completed. SCP supports file transfers between hosts on a network and uses SSH for the transfer.
  
  Since SCP and SSH operations are currently not supported on the hardware crypto engine, running encryption and decryption process in software causes high CPU. The SCP and SSH processes can show as much as 40 or 50 percent CPU usage, but they do not cause the device to shutdown.
Smart Licensing Using Policy: Starting with Cisco IOS XE Amsterdam 17.3.2a, with the introduction of Smart Licensing Using Policy, even if you configure a hostname for a product instance or device, only the Unique Device Identifier (UDI) is displayed. This change in the display can be observed in all licensing utilities and user interfaces where the hostname was displayed in earlier releases. It does not affect any licensing functionality. There is no workaround for this limitation.

The licensing utilities and user interfaces that are affected by this limitation include only the following: Cisco Smart Software Manager (CSSM), Cisco Smart License Utility (CSLU), and Smart Software Manager On-Prem (SSM On-Prem).
TACACS legacy command: Do not configure the legacy tacacs-server host command; this command is deprecated. If the software version running on your device is Cisco IOS XE Gibraltar 16.12.2 or a later release, using the legacy command can cause authentication failures. Use the tacacs server command in global configuration mode.
Uplink Symmetry—When a redundant supervisor module is inserted, we recommend that you have symmetric uplinks, to minimize packet loss during a switchover.

Uplinks are said to be in symmetry when the same interface on both supervisor modules have the same type of transceiver module. For example, a TenGigabitEthernet interface with no transceiver installed operates at a default 10G mode; if the matching interface of the other supervisor has a 10G transceiver, then they are in symmetry. Symmetry provides the best SWO packet loss and user experience.

Asymmetric uplinks have at least one or more pairs of interfaces in one supervisor not matching the transceiver speed of the other supervisor.
USB Authentication—When you connect a Cisco USB drive to the switch, the switch tries to authenticate the drive against an existing encrypted preshared key. Since the USB drive does not send a key for authentication, the following message is displayed on the console when you enter password encryption aes command:
```
Device(config)# password encryption aes
Master key change notification called without new or old key
```
MACsec is not supported on Software-Defined Access deployments.
VLAN Restriction—It is advisable to have well-defined segregation while defining data and voice domain during switch configuration and to maintain a data VLAN different from voice VLAN across the switch stack. If the same VLAN is configured for data and voice domains on an interface, the resulting high CPU utilization might affect the device.
YANG data modeling limitation—A maximum of 20 simultaneous NETCONF sessions are supported.
Embedded Event Manager—Identity event detector is not supported on Embedded Event Manager.
The File System Check (fsck) utility is not supported in install mode.

Caveats

Caveats describe unexpected behavior in Cisco IOS-XE releases. Caveats listed as open in a prior release are carried forward to the next release as either open or resolved.

Cisco Bug Search Tool

The Cisco Bug Search Tool (BST) allows partners and customers to search for software bugs based on product, release, and keyword, and aggregates key data such as bug details, product, and version. The BST is designed to improve the effectiveness in network risk management and device troubleshooting. The tool has a provision to filter bugs based on credentials to provide external and internal bug views for the search input.

To view the details of a caveat, click on the identifier.

Open Caveats in Cisco IOS XE Cupertino 17.7.x


Identifier	Description
CSCwa75659	Cat9400X: Support for DAC cables on cat9400X platform
CSCwb51578	C9400-SUP-2/C9400-SUP-2XL HundredGigE link flap with SR4 or LR4 optic

Resolved Caveats in Cisco IOS XE Cupertino 17.7.1


Identifier	Description
CSCvs33050	SVL Hung - CPU HOG by Process - "Crimson Flush Transaction"
CSCvx87277	Cat9k may experience an unexpected reboot with Critical process fed fault on fp_0_0
CSCvx94276	%CRIMSON-3-DATABASE_MEMLEAK: Database memory leak detected in /tmp/rp/tdldb/0/IOS_PRIV_OPER_DB
CSCvy08148	Multicast packets replicates twice after redundant switch take power off
CSCvy16234	IOSd crashes with system buffer pool corruption
CSCvy19160	C9400 switch may reload with Last reload reason: RP-CPU
CSCvy25356	Packet leak from L2 flooding-enabled fabric IP Pools into L2 Border external VLAN
CSCvy25845	SNMP: ifHCInOctets - snmpwalk on sub-interface octet counter does not increase
CSCvy28508	Enable speed command for 1G SFP on C9400
CSCvy51582	SNMP: sub-interface octet counter reports wrong value
CSCvy62453	Cat9k Switch may see Multicast traffic loss triggered by IGMP Join received on Mcast source port.
CSCvz10097	ETA to claim flows only for ETA and not for ETA+AVC \| Enhancement to avoid stale FNF exports

Troubleshooting

For the most up-to-date, detailed troubleshooting information, see the Cisco TAC website at this URL:

https://www.cisco.com/en/US/support/index.html

Go to Product Support and select your product from the list or enter the name of your product. Look under Troubleshoot and Alerts, to find information for the problem that you are experiencing.

Communications, Services, and Additional Information

To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
To submit a service request, visit Cisco Support.
To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.
To obtain general networking, training, and certification titles, visit Cisco Press.
To find warranty information for a specific product or product family, access Cisco Warranty Finder.

Cisco Bug Search Tool

Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system that maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides you with detailed defect information about your products and software.

Release Notes for Cisco Catalyst 9400 Series Switches, Cisco IOS XE Cupertino 17.7.x

Available Languages

Download Options

Bias-Free Language

Release Notes for Cisco Catalyst 9400 Series Switches, Cisco IOS XE Cupertino 17.7.x

Introduction

Whats New in Cisco IOS XE Cupertino 17.7.1

Hardware Features in Cisco IOS XE Cupertino 17.7.1

Software Features in Cisco IOS XE Cupertino 17.7.1

Important Notes

Unsupported Features

Complete List of Supported Features

Accessing Hidden Commands

Default Behaviour

Supported Hardware

Cisco Catalyst 9400 Series Switches—Model Numbers

Supported Hardware on Cisco Catalyst 9400 Series Switches

Optics Modules

Compatibility Matrix

Web UI System Requirements

Minimum Hardware Requirements

Software Requirements

ROMMON and CPLD Versions

ROM Monitor (ROMMON)

Complex Programmable Logic Device (CPLD)

Upgrading the Switch Software

Finding the Software Version

Software Images

Upgrading the ROMMON

Software Installation Commands

Upgrading in Install Mode

Before you begin

Procedure

Downgrading in Install Mode

Before you begin

Procedure

Upgrading the Complex Programmable Logic Device Version

Upgrading the CPLD Version: High Availability Setup

Before you begin

Procedure

Upgrading the CPLD Version: Cisco StackWise Virtual Setup

Procedure

Upgrading the CPLD Version: Single Supervisor Module Setup

Procedure

Licensing

License Levels

Base Licenses

Add-On Licenses

Available Licensing Models and Configuration Information

License Levels - Usage Guidelines

Scaling Guidelines

Limitations and Restrictions

Caveats

Cisco Bug Search Tool

Open Caveats in Cisco IOS XE Cupertino 17.7.x

Resolved Caveats in Cisco IOS XE Cupertino 17.7.1

Troubleshooting

Related Documentation

Communications, Services, and Additional Information

Cisco Bug Search Tool

Was this Document Helpful?

Contact Cisco

This Document Applies to These Products