Limitations and Restrictions

Limitations and Restrictions

  • Auto negotiation: The SFP+ interface (TenGigabitEthernet0/1) on the Ethernet management port with a 1G transceiver does not support auto negotiation.

  • Control Plane Policing (CoPP)—The show run command does not display information about classes configured under system-cpp policy, when they are left at default values. Use the show policy-map system-cpp-policy or the show policy-map control-plane commands in privileged EXEC mode instead.

  • Convergence: During SSO, a higher convergence time is observed while removing the active supervisor module installed in slot 3 of a C9606R chassis.

  • Cisco Catalyst 9600 Series Supervisor 2 Module (C9600X-SUP-2) on a C9606R chassis does not support Quad-Supervisor with RPR.

  • Hardware Limitations—Optics:

    • Installation restriction for C9600-LC-24C linecard with CVR-QSFP-SFP10G adapter —This adapter must not be installed on an even numbered port where the corresponding odd numbered port is configured as 40GE port. For example, if port 1 is configured as 40GE, CVR-QSFP-SFP10G must not be installed in port 2.

      Installation restriction for C9600-LC-24C linecard with CVR-QSFP-SFP10G adapter — If you insert a 40-Gigabit Ethernet Transceiver Module to odd numbered port, the corresponding even numbered port does not work with CVR-QSFP-SFP10G adapter.

    • GLC-T and GLC-TE operating at 10/100Mbps speed are not supported with Cisco QSA Module (CVR-QSFP-SFP10G).

    • SFP-10G-T-X supports 100Mbps/1G/10G speeds based on auto negotiation with the peer device. You cannot force speed settings from the transceiver.

  • Hardware Limitations—Power Supply Modules:

    • Input voltage for AC power supply modules—All AC-input power supply modules in the chassis must have the same AC-input voltage level.

    • Using power supply modules of different types—When mixing AC-input and DC-input power supplies, the AC-input voltage level must be 220 VAC.

  • In-Service Software Upgrade (ISSU)

    • Within a major release train (16.x or 17.x or 18.x ), ISSU is supported between any two EMs that are released not more than 3 years apart.

    • Within a major release train, ISSU is supported from:

      • Any EM (EM1, EM2, EM3) to another EM (EM1, EM2, EM3)

        Example: 16.9.x to 16.12.x, 17.3.x to 17.6.x, 17.6.x to 17.9.x

      • Any release within the same EM

        Example: 16.9.2 to 16.9.3 or 16.9.4 or 16.9.x, 16.12.1 to 16.12.2 or 16.12.3 or 16.12.x, 17.3.1 to 17.3.2 or 17.3.3 or 17.3.x

    • Between major release trains, ISSU is not supported from:

      • An EM of a major release train to an EM of another major release train

        Example: 16.x.x to 17.x.x or 17.x.x to 18.x.x is not supported

      • An SM to EM or EM to SM

        Example: 16.10.x or 16.11.x to 16.12.x is not supported

    • ISSU is not supported on engineering special releases and .s (or similar) images.

    • ISSU is not supported between Licensed Data Payload Encryption (LDPE) and No Payload Encryption (NPE) Cisco IOS XE software images.

    • ISSU downgrades are not supported.

    • While ISSU allows you to perform upgrades with zero downtime, we recommend you to do so during a maintenance window only.

    • If a new feature introduced in a software release requires a change in configuration, the feature should not be enabled during ISSU.

    • If a feature is not available in the downgraded version of a software image, the feature should be disabled before initiating ISSU.

  • QoS restrictions

    • When configuring QoS queuing policy, the sum of the queuing buffer should not exceed 100%.

    • Policing and marking policy on sub interfaces is supported.

    • Marking policy on switched virtual interfaces (SVI) is supported.

    • QoS policies are not supported for port-channel interfaces, tunnel interfaces, and other logical interfaces.

  • Secure Shell (SSH)

    • Use SSH Version 2. SSH Version 1 is not supported.

    • When the device is running SCP and SSH cryptographic operations, expect high CPU until the SCP read process is completed. SCP supports file transfers between hosts on a network and uses SSH for the transfer.

      Since SCP and SSH operations are currently not supported on the hardware crypto engine, running encryption and decryption process in software causes high CPU. The SCP and SSH processes can show as much as 40 or 50 percent CPU usage, but they do not cause the device to shutdown.

  • Smart Licensing Using Policy: Starting with Cisco IOS XE Amsterdam 17.3.2a, with the introduction of Smart Licensing Using Policy, even if you configure a hostname for a product instance or device, only the Unique Device Identifier (UDI) is displayed. This change in the display can be observed in all licensing utilities and user interfaces where the hostname was displayed in earlier releases. It does not affect any licensing functionality. There is no workaround for this limitation.

    The licensing utilities and user interfaces that are affected by this limitation include only the following: Cisco Smart Software Manager (CSSM), Cisco Smart License Utility (CSLU), and Smart Software Manager On-Prem (SSM On-Prem).

    This limitation is removed from Cisco IOS XE Cupertino 17.9.1. If you configure a hostname and disable hostname privacy (no license smart privacy hostname global configuration command), hostname information is sent from the product instance and displayed on the applicable user interfaces (CSSM, CSLU, SSM On-Prem). For more information, see the command reference for this release.

  • TACACS legacy command: Do not configure the legacy tacacs-server host command; this command is deprecated. If the software version running on your device is Cisco IOS XE Gibraltar 16.12.2 or a later release, using the legacy command can cause authentication failures. Use the tacacs server command in global configuration mode.

  • USB Authentication—When you connect a Cisco USB drive to the switch, the switch tries to authenticate the drive against an existing encrypted preshared key. Since the USB drive does not send a key for authentication, the following message is displayed on the console when you enter password encryption aes command:
    Device(config)# password encryption aes
Master key change notification called without new or old key

  • Catatyst 9000 Series Switches support MACsec switch-to-switch connections. We do not recommend configuring MACsec switch-to-host connections in an overlay network. For assistance with an existing switch-to-host MACsec implementation or a design review, contact your Cisco Sales Representative or Channel Partner.

  • VLAN Restriction—It is advisable to have well-defined segregation while defining data and voice domain during switch configuration and to maintain a data VLAN different from voice VLAN across the switch stack. If the same VLAN is configured for data and voice domains on an interface, the resulting high CPU utilization might affect the device.

  • YANG data modeling limitation—A maximum of 20 simultaneous NETCONF sessions are supported.

  • Embedded Event Manager—Identity event detector is not supported on Embedded Event Manager.

  • On the Cisco Catalyst 9600 Series Supervisor 2 Module, TCAM space will not be reserved for different features. The available TCAM space will be shared across the features.

  • The File System Check (fsck) utility is not supported in install mode.

  • The command service-routing mdns-sd is being deprecated. Use the mdns-sd gateway command instead.