Release Notes for Catalyst 8200 and Catalyst 8300, 17.18.x

Updated: November 6, 2025

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

 

 

Cisco Catalyst 8200 and Catalyst 8300 Series Edge Platforms, Release 17.18.1a

New software features

Resolved issues

Open issues

Compatibility

Related resources

Legal information

 


 

Cisco Catalyst 8200 and Catalyst 8300 Series Edge Platforms, Release 17.18.1a

Cisco IOS XE 17.18.1a is the first release for Cisco Catalyst 8200 and Catalyst 8300 Series Edge Platforms in the Cisco IOS XE 17.18.x release series.

The key highlights of this release include these features and enhancements:

●     Monitoring & Observability

●     Cellular, IPv6, Voice, Virtualization

●     SRv6 Enhancements

●     Security and SASE enhancements

New software features

This section provides a brief description of the new software features introduced in this release.

New software features in Cisco IOS XE 17.18.2

Table 1. New software features for Cisco Catalyst 8200 and Catalyst 8300 Series Edge Platforms, Release 17.18.2

Product impact | Feature | Description

Security | Resilient Infrastructure | Starting with the Cisco IOS XE 17.18.2 release and in future releases, Cisco software will display warning messages when configuring features or protocols that do not provide sufficient security, such as those transmitting sensitive data without encryption or using outdated encryption mechanisms. Warnings will also appear when security best practices are not followed, along with suggestions for secure alternatives. This list is subject to change, but the following is a list of features and protocols that are planned to generate warnings in releases beyond the version Cisco IOS XE 17.18.1. Release notes for each release will describe exact changes for that release:

● Plain-text and weak credential storage: Type 0 (plain text), 5 (MD5), or 7 (Vigenère cipher) in configuration files.

Recommendation: Use Type 6 (AES) for reversible credentials, and Type 8 (PBKDF2-SHA-256) or Type 9 (Scrypt) for non-reversible credentials.

● SSHv1

Recommendation: Use SSHv2.

● SNMPv1 and SNMPv2, or SNMPv3 without authentication and encryption

Recommendation: Use SNMPv3 with authentication and encryption (authPriv).

● MD5 (authentication) and 3DES (encryption) in SNMPv3

Recommendation: Use SHA1 or, preferably, SHA2 for authentication, and AES for encryption.

● IP source routing based on IP header options

Recommendation: Do not use this legacy feature.

● TLS 1.0 and TLS 1.1

Recommendation: Use TLS 1.2 or later.

● TLS ciphers using SHA1 for digital signatures

Recommendation: Use ciphers with SHA256 or stronger digital signatures.

● HTTP

Recommendation: Use HTTPS.

● Telnet

Recommendation: Use SSH for remote access.

● FTP and TFTP

Recommendation: Use SFTP or HTTPS for file transfers.

● On-Demand Routing (ODR)

Recommendation: Use a standard routing protocol in place of CDP-based routing information exchange.

● BootP server

Recommendation: Use DHCP or secure boot features such as Secure ZTP.

● TCP and UDP small servers (echo, chargen, discard, daytime)

Recommendation: Do not use these services on network devices.

● IP finger

Recommendation: Do not use this protocol on network devices.

● NTP control messages

Recommendation: Do not use this feature.

● TACACS+ using pre-shared keys and MD5

Recommendation: Use TACACS+ over TLS 1.3, introduced in Cisco IOS XE 17.18.1.

Software Reliability | High availability for DHCP servers | In a high availability setup, DHCP servers are deployed in an active/standby model in which two Cisco IOS XE DHCP servers synchronize DHCP bindings (IP address records). This synchronization ensures that if the active device fails, the standby device seamlessly assumes the active role, preserving IP address records and maintaining uninterrupted network service.

Ease of Setup | IPv6 Rule and Rule Set Support in Security Policies | From Cisco IOS XE 17.18.2, you can configure IPv6 data prefix lists, rules with rule sets, and object groups in security policies using Cisco SD-WAN Manager.

Upgrade | IPv6 GRE-TP tunnel as protected link support for SRv6 TI-LFA with IS-IS | From Cisco IOS XE 17.18.2, this feature extends IPv6 GRE-TP tunnel as protected link support for SRv6 TI-LFA with IS-IS.

Upgrade | IPv4 GRE-TP tunnel as protected link support for SR-MPLS TI-LFA with OSPFv2 | From Cisco IOS XE 17.18.2, this feature extends IPv4 GRE-TP tunnel as protected link support for SR-MPLS TI-LFA with OSPFv2.

Upgrade | IPv4 GRE-TP tunnel as protected link support for SR-MPLS TI-LFA with IS-IS | From Cisco IOS XE 17.18.2, this feature extends IPv4 GRE-TP tunnel as protected link support for SR-MPLS TI-LFA with IS-IS.

CUBE Features

Upgrade | Directional attribute compliance for SIPREC responses | From Cisco IOS XE 17.18.2 onwards, for a recorder response with INACTIVE SDP attributes, CUBE stops media packet transmission towards that recorder.

Security | Security warnings for usage of legacy TLS and associated weaker ciphers – CUBE and SRST | From Cisco IOS XE 17.18.2 onwards, CUBE and SRST display warning messages during handshake for configurations with legacy TLS (v1.0, v1.1) and associated weaker ciphers.
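The Resilient Infrastructure entry in Table 1 can be turned into a pre-upgrade audit. The following Python code is an added example, not Cisco code: it scans configuration text for the listed features and returns the recommendation from the list, with credential material masked. The regular expressions, the constructed sample configuration and the names RULES, SECRETS and audit are assumptions of this example.

```python
import re

# Each rule: (pattern, feature flagged in the release notes, their recommendation).
# The patterns are assumptions of this example about how each feature appears
# in IOS XE configuration text; they are not Cisco's warning logic.
RULES = [
    (r"(?:enable|username \S+.*) (?:password|secret) [057] \S",
     "Type 0, 5 or 7 credential storage",
     "Use Type 6 (reversible) or Type 8 or 9 (non-reversible)."),
    (r"ip ssh version 1$", "SSHv1", "Use SSHv2."),
    (r"snmp-server community ", "SNMPv1 or SNMPv2", "Use SNMPv3 with authPriv."),
    (r"snmp-server group \S+ v3 noauth",
     "SNMPv3 without authentication and encryption", "Use SNMPv3 with authPriv."),
    (r"snmp-server user .* v3 .*(?:auth md5|priv 3des)", "MD5 or 3DES in SNMPv3",
     "Use SHA2 (or SHA1) for authentication and AES for encryption."),
    (r"ip source-route$", "IP source routing", "Do not use this legacy feature."),
    (r"ip http tls-version TLSv1\.[01]$", "TLS 1.0 or 1.1", "Use TLS 1.2 or later."),
    (r"ip http server$", "HTTP", "Use HTTPS."),
    (r"transport input .*\b(?:telnet|all)\b", "Telnet", "Use SSH for remote access."),
    (r"(?:tftp-server|ip ftp|ip tftp) ", "FTP or TFTP",
     "Use SFTP or HTTPS for file transfers."),
    (r"router odr$", "On-Demand Routing", "Use a standard routing protocol."),
    (r"ip bootp server$", "BootP server", "Use DHCP or Secure ZTP."),
    (r"service (?:tcp|udp)-small-servers", "TCP or UDP small servers",
     "Do not use these services on network devices."),
    (r"(?:ip|service) finger$", "IP finger", "Do not use this protocol."),
    (r"ntp allow mode control", "NTP control messages", "Do not use this feature."),
]
COMPILED = [(re.compile(p), issue, fix) for p, issue, fix in RULES]
# Values that follow these keywords are masked before a finding is reported.
SECRETS = re.compile(r"((?:password|secret) \d |community |\b(?:md5|sha|3des|aes \d+) )\S+")


def audit(config_text):
    """Return (line_number, issue, recommendation, masked_line) for each finding."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()  # sub-mode commands such as "transport input" are indented
        if not line or line.startswith(("!", "no ")):
            continue  # separators, comments and negated (disabled) commands
        for pattern, issue, fix in COMPILED:
            if pattern.match(line):
                findings.append((number, issue, fix, SECRETS.sub(r"\1<redacted>", line)))
    return findings


# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
! constructed sample
enable secret 9 $9$constructedhashvalue
username admin privilege 15 secret 5 $1$constructed
username ops secret 9 $9$constructed
ip http server
ip http secure-server
no ip source-route
snmp-server community constructed-ro RO
ip ssh version 2
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    for number, issue, fix, line in audit(SAMPLE):
        print(f"line {number}: {issue}: {line}\n    {fix}")
```

The rules only match explicit configuration lines, so features that are enabled by default and therefore absent from the configuration text are not reported.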

 

New software features in Cisco IOS XE 17.18.1a

Table 2. New software features for Cisco Catalyst 8200 and Catalyst 8300 Series Edge Platforms, Release 17.18.1a

Product impact | Feature | Description

Ease of Use | Support to upgrade Firmware | From the Cisco IOS XE 17.18.1a release, you can upgrade the firmware image for the cellular module, LTE module, or Wi-Fi module of supported devices using Cisco Catalyst SD-WAN Manager, without configuring and managing multiple commands for each device and its associated modules.

Ease of Use | Hosted Edge Services for SD-Routing Devices | From the Cisco IOS XE 17.18.1a release, Cisco Catalyst SD-WAN Manager supports deployment of IOx applications such as Cyber Vision, ThousandEyes, UTD, and so on. Support for monitoring these applications is introduced through the Hosted Edge Services monitoring dashboard, which offers a simplified user experience for overseeing IOx container applications across multiple devices. The Hosted Edge Services monitoring dashboard is introduced on Cisco Catalyst SD-WAN Manager version 20.18.x.

Ease of setup | Cisco Secure Routers Swim and Onboarding Tool | Cisco IOS XE 17.18.1a introduces the Cisco Secure Routers Swim and Onboarding tool that helps customers upgrade and onboard autonomous hardware devices to cloud-hosted or on-premises Cisco Catalyst SD-WAN Manager.

Licensing Process | Licensing compliance, reporting, and notification enhancements | From the Cisco IOS XE 17.18.1a release, you can view additional information in your licensing report such as out of compliance and the reason for out of compliance, the number of licenses that have been assigned in the network, how many devices have been assigned licenses, per-device license details, and so on. In addition, you can now connect to the Enterprise Agreement (EA) portal directly from the Cisco SD-WAN Manager with your Smart Account credentials. This helps you to generate the required quantities of licenses for the selected Commerce SKU of EA and deposit them to your desired CSSM Virtual Accounts (VA).

Ease of use | Managing NGFW Policies from Security Cloud Control | Security Cloud Control (SCC) is a cloud-based multi-device manager that facilitates management of security policies to achieve consistent policy implementation. SCC helps optimize your security policies by identifying inconsistencies with them and by giving you tools to fix the inconsistencies. From the Cisco IOS XE 17.18.1a release, you can integrate Cisco SD-WAN Manager with SCC, which allows you to import existing NGFW policies, security objects, and security profiles into SCC. With this integration, you can share objects and policies as well as make configuration templates to promote policy consistency across devices.

Security | Custom IPS signature sets | From the Cisco IOS XE 17.18.1a release, Custom IPS signature sets are supported in Cisco SD-WAN Manager, which allows you to create and deploy personalized Snort3 IPS signature sets. This feature allows direct modification of actions for existing IPS rules within profiles and supports building custom rules using rule groups or existing rules. With Custom IPS signature sets, organizations can gain greater control and precision in tailoring threat detection to their specific security needs.

Ease of Use | Certificate Management on SD-Routing Devices | This feature introduces a new certificate authorization setting, Enterprise Certificate Settings, which unifies certificate configurations for SD-Routing devices. Cisco SD-WAN Manager automates certificate management by leveraging protocols like EST (Enrollment over Secure Transport) and SCEP (Simple Certificate Enrollment Protocol). The feature automates the enrollment and renewal of certificates.

Ease of use | Configure cellular band select for cellular interfaces on SD-Routing devices | You can select specific frequency bands to which the device can connect, allowing optimized connection depending on location and network availability. This configuration can be done using Feature Parcels in Cisco Catalyst SD-WAN Manager.

Ease of use | Configure logging of crash dump events for cellular interfaces on SD-Routing devices | You can configure the device to collect the crash dump logs by enabling the boot-and-hold mode on the device using the lte modem crash-action boot-and-hold command.

Ease of use | Reset cellular profile for cellular interfaces on SD-Routing devices | You can reset the cellular network profile settings on a specific interface to a factory default state using the cellular<slot> lte profile reset command.

Ease of use | Enable diagnostic monitoring for SD-Routing devices | You can enable diagnostic monitoring log capture for devices with cellular interfaces using Cisco Catalyst SD-WAN Manager.

Ease of Use | Show drops command | The show drops command is introduced in Cisco IOS XE 17.18.1a. This command consolidates multiple platform and protocol-specific debugging tools into a single, user-friendly interface, enabling network operators to efficiently identify the root causes of packet drops. By streamlining the troubleshooting process, this feature significantly improves operational efficiency and network performance.

Upgrade | MVPN Ingress Replication (IR) over SRv6 | This feature enables the transport of IPv4 MVPN traffic across an SRv6 network. It simplifies multicast deployment by using the existing SRv6 unicast infrastructure as the underlay. With this feature, the ingress PE router receives multicast traffic and creates a separate unicast SRv6-encapsulated copy for each egress PE router in the multicast group.

Upgrade | SRv6 Path MTU Discovery | This feature introduces a mechanism to determine the maximum transmission unit (MTU) for packets traversing an SRv6 underlay network. It ensures efficient packet forwarding by preventing fragmentation and packet drops, thereby allowing network devices to dynamically adjust packet sizes to avoid exceeding link MTU limits. The system relays ICMP Packet Too Big (PTB) messages from the SRv6 underlay to the IPv6/IPv4 overlay network, supporting both Transit-node and Headend-node PTB relay methods.

Upgrade | SRv6 Flex-Algo with TI-LFA and uLoop Avoidance | From Cisco IOS XE 17.18.1a, Flexible Algorithm enhances SRv6 by including functions like Topology Independent Loop-Free Alternate (TI-LFA) and microloop (uLoop) avoidance. This feature improves network resilience and efficiency.

Licensing Process | Product Analytics for routers | Product Analytics refers to the collection of product telemetry such as product performance and resource usage information directly from IOS-XE-based routing platforms. From Cisco IOS XE 17.18.1a release, Product Analytics is enabled by default when. Use this functionality to gain data insights such as product performance, feature consumption, and the licensing types that suit your requirements best.

Ease of use | Crypto Throughput Logging | Starting with Cisco IOS XE 17.18.1a, network administrators can monitor and manage crypto throughput drops on Cisco Catalyst 8300 and Catalyst 8200 Series Edge Platforms. This feature sends syslog messages to notify you when crypto throughput drops, offering better visibility and management.

 

CUBE Features

Ease of use | Enhanced support for serviceability in SIP recording | From Cisco IOS XE 17.18.1a onwards, serviceability is enhanced to display consolidated information on forked and associated anchor call legs.

Upgrade | Third-Party GUID capture for correlation between call transfers and SIP-based recording | From Cisco IOS XE 17.18.1a onwards, the Third-Party GUID capture for correlation between calls and SIP-based recording is extended to support transmission of globally unique identifiers (GUIDs) to the recording server during call transfers.

Upgrade | IOS UC apps reports smart licensing flex subscription entitlement tag | From Cisco IOS XE 17.18.1a onwards, CUBE and SRST smart licensing reports the flex subscription entitlement tag on all supported platforms.

Resolved issues

This table lists the resolved issues in this specific software release.

Note: This software release may contain bug fixes first introduced in other releases. To see additional information, click the bug ID to access the Cisco Bug Search Tool. To search for a documented Cisco product issue, type in the browser: <bug_number> site:cisco.com.

Resolved issues in Cisco IOS XE 17.18.2

Table 3. Resolved issues for Cisco Catalyst 8200 and Catalyst 8300 Series Edge Platforms, Release 17.18.2

Bug ID | Description
CSCwq53150 | Device tunnel key/protection do not work together for VPLS multipoint connections.
CSCwr42950 | Device On-Demand Tunnels do not expire when UMTS is enabled.
CSCwq51935 | NAT64 static entry removed when command to delete non-existent entry is applied.
CSCwe19394 | Device may boot up into prev_packages.conf due to power outage.
CSCwr77958 | NWPI not capturing self-generated syslog traffic.
CSCwj61730 | Device crash when removing SGT caching on an interface.
CSCwq77322 | Device sending a 2 Byte packet of FLOW_SAMPLER_RANDOM_INTERVAL instead of a 4-Byte packet.
CSCwr24031 | After upgrade for earlier releases sd-wan service-tracker in vrf selects source IP address from GRT when MPLS Inter-AS VPN option B configured.
CSCwr49794 | Device exporters with ETA enabled are generating invalid template data errors in SNA.
CSCwq98206 | EPBR set interface action get missing after reboot.

 

Resolved issues in Cisco IOS XE 17.18.1a

Table 4. Resolved issues for Cisco Catalyst 8200 and Catalyst 8300 Series Edge Platforms, Release 17.18.1a

Bug ID | Description
CSCwn12594 | SIG zscaler ipsec - vpn credentials for primary tunnel not created.
CSCwn42496 | Encore crashed @bfd_send_and_detect_sleep_time during soak run.
CSCwn69868 | Unable to come up control connections with Controllers after Controllers added and down/up.
CSCwo72675 | All BFD sessions for dialer interfaces are down. SA ID is 0 for all of them.
CSCwo84428 | Memory leak under vdaemon process with DTLS on SNMP polling.
CSCwp24639 | Devices reload after vpn config changes.
CSCwm27749 | Speed test download / Throughput issue on C8200 platform seen with IPSEC ESP-NULL transform using Zscaler.
CSCwm72336 | CXP with Data Policy redirect-DNS via Overlay causes Blackhole.
CSCwn26353 | BFD sessions via TLOC-Ext do not come up when IPv6 is dynamically changed.
CSCwo05703 | VFR is not Dynamically Disabled After ZBFW Removal.
CSCwo75657 | Maximum control connection not equal to maximum omp sessions.
CSCwp15042 | Module stays down without hw slot reload.
CSCwp91064 | FTMD cero pointer dereference leading to crash.
CSCwp23487 | SGW offline with SSH error Unable to open socket while establishing netconf session.

Open issues

This table lists the open issues in this specific software release.

Note: This software release may contain open bugs first identified in other releases. To see additional information, click the bug ID to access the Cisco Bug Search Tool. To search for a documented Cisco product issue, type in the browser: <bug_number> site:cisco.com.

Open issues in Cisco IOS XE 17.18.2

Table 5. Open issues for Cisco Catalyst 8200 and Catalyst 8300 Series Edge Platforms, Release 17.18.2

Bug ID | Description
CSCws30834 | Device ignores the keepalive command under the SIG tunnel interface pushed by the vmanage.
CSCws13857 | Incorrect NAT translation from service-vrf to global for self-generated ICMP 11 (Time Exceeded) packets.
CSCwq77458 | fman crash after fnf config changes.
CSCwr87083 | Not able to onboard sd-routing devices using generic bootstrap file stored in usb.
CSCws12946 | Device port forward issue with multiple ISP.
CSCws18137 | Out of sync when CLI Template was attached (missing element: authentication in /ios:native/ios:line/ios:vty[ios:first='0']/ios:login/ios:authentication).
CSCwr64075 | During soak run observed qfp-ucode-fugazi core pointing at memif_ring_free_count thread.
CSCwr76580 | Strange behavior with the Cisco Umbrella SIG tunnels configured from device to Umbrella.
CSCwr30573 | TLOC Extension unable to program due to module boot up timing.
CSCws25557 | Cipher Suites TLS 1.2 for control connections.
CSCwr72375 | Serial interface link down after NIM-8CE1T1-PRI module reload.
CSCwr95551 | Device crashes when configuring SSL VPN with Policy-Based Routing (PBR) and NAT.
CSCwr08462 | There seems to be an issue where the NAT router is not responding to ARP requests.
CSCwr44921 | Device Crashes - CPU Usage due to Memory Pressure exceeds threshold.
CSCwr97784 | Slow performance on Netconf RPC on stateless static NAT translation.
CSCwr55240 | Device experienced Critical process ompd fault on rp_0_0.
CSCwr84985 | dmiauthd process crashes, due to which the configuration does not sync between startup-config and the running-config.
CSCwq24119 | Device: Traceback seen when detaching the CN railways customer configs in 17.19
CSCwm97460 | Device - Control Connection to vManage is only Attempted over Highest Priority TLOC.
CSCwr00088 | Add CLI to change per MPLS label CEF statistics query interval on FMAN FP.
CSCwr88206 | FIB table routes: Next Hop (NH) ID 0 is getting corrupted and assigned to a value other than Blackhole.
CSCwr72709 | Device crash in TDM-TDM call when debug voip fpi enabled.
CSCwq98154 | Multicast traffic not forwarded over P2P DMVPN phase 1 tunnel.
CSCwr49475 | BFD sessions flapping and not recovering - SYMNAT port not updating to data-plane.
CSCwo42664 | Device: periodic service restart may generate crash files.
CSCwr64257 | Unexpected reload on ftmd SDWAN device.
CSCws26373 | Device experiences an unexpected reboot due to NAT in the data-plane after a policy push.
CSCwp97178 | Flapping NAT will cause BFD session down with IPSec session shown.
CSCwr76176 | PMTU Converges Unexpectedly to 970 Bytes After dbg2:1 Event.
CSCwr77083 | Device crashed in crypto library.

 

Open issues in Cisco IOS XE 17.18.1a

Table 6. Open issues for Cisco Catalyst 8200 and Catalyst 8300 Series Edge Platforms, Release 17.18.1a

Bug ID | Description
CSCwp12196 | Device unexpectedly reloads due to memory corruption on a notification queue in FTMd.
CSCwq27426 | BFD session down due to unencrypted outbound BFD packets despite active IPsec SA.
CSCwe19394 | Device may boot up into prev_packages.conf due to power outage.
CSCwo42664 | Keyman core files on cEdge.
CSCwp01089 | EPFR-High latency times are observed on the hub.
CSCwq20326 | Device does not install service-side static route to CEF after upgrade.
CSCwq40026 | Unexpected Reboot due to Process FTMD.
CSCwq56199 | "IOSD ipc task" process's Allocated is big and increasing, and Freed is insufficient.
CSCwq68385 | TLOC disabled after Link Down- No Automatic Tunnel Recovery After Link Restores and TLOC State Is Up.
CSCwk52867 | Observed the CP CPU, CP Memory degradation in devices.

Compatibility

ROMMON Compatibility Matrix

The table lists the ROMMON releases supported in Cisco IOS XE 17.18.x releases.

Platforms | Cisco IOS XE Release | Minimum ROMMON Release supported for IOS XE | Recommended ROMMON Release supported for IOS XE

Catalyst 8300 Series Edge Platforms
C8300-1N1S-4T2X|6T | 17.18.1a | 17.3(4.2r) | 17.9(7r)
C8300-2N2S-4T2X|6T | 17.18.1a | 17.3(4.1r) | 17.7(1r)

Catalyst 8200 Series Edge Platforms
C8200-1N-4T | 17.18.1a | 17.6(8.1r) | 17.6(8.1r)
C8200L-1N-4T | 17.18.1a | 17.6(8.1r) | 17.6(8.1r)

NOTE: If the systems do not have the minimum ROMMON version as specified in the table, we recommend booting the 17.12.5 IOS XE image. This will enable the systems to automatically upgrade to the required ROMMON versions. Once upgraded, the customer can successfully boot the 17.18.1a image.

Upgrade ROMMON

To upgrade the ROMMON version of your device, use these steps:

1.     Check the existing version of ROMMON by using the show rom-monitor r0 command. If you are installing Cisco IOS XE software on a new device, skip this step.

2.      Review ROMMON Compatibility Matrix to identify the recommended version of ROMMON software for the device you plan to upgrade.

3.      Go to https://software.cisco.com/# and download the ROMMON package file.

4.     Copy the ROMMON file to flash drive:

copy ftp://username:password@IP addressROMmon package file flash:

5.     Upgrade the ROMMON package using the following command:

upgrade rom-monitor filename bootflash:ROMmon package name all

6.      Execute the reload command to complete the ROMMON upgrade process.

7.      Execute the show rom-monitor r0 command to ensure the ROMMON software is upgraded.
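A pre-upgrade check for steps 1 and 2, as an added example that is not Cisco code: it extracts the ROMMON version from show rom-monitor r0 output and compares it with the minimum and recommended versions in the ROMMON Compatibility Matrix above. The sample output line, comparing versions as integer tuples, the expansion of "4T2X|6T" into two product IDs, and the names MATRIX, parse_rommon and check are assumptions of this example.

```python
import re

# Minimum and recommended ROMMON for IOS XE 17.18.1a, copied from the ROMMON
# Compatibility Matrix on this page. Expanding "4T2X|6T" into two product IDs
# is this example's reading of the table.
MATRIX = {
    "C8300-1N1S-4T2X": ("17.3(4.2r)", "17.9(7r)"),
    "C8300-1N1S-6T": ("17.3(4.2r)", "17.9(7r)"),
    "C8300-2N2S-4T2X": ("17.3(4.1r)", "17.7(1r)"),
    "C8300-2N2S-6T": ("17.3(4.1r)", "17.7(1r)"),
    "C8200-1N-4T": ("17.6(8.1r)", "17.6(8.1r)"),
    "C8200L-1N-4T": ("17.6(8.1r)", "17.6(8.1r)"),
}
# Matches versions written like 17.3(4.2r) or 17.9(7r).
VERSION = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?r\)")


def parse_rommon(text):
    """Return the first ROMMON version found in text as a 4-tuple of ints, or None."""
    m = VERSION.search(text)
    if m is None:
        return None
    # A missing fourth field, as in 17.9(7r), is treated as 0 (assumption).
    return tuple(int(part or 0) for part in m.groups())


def check(platform, show_output):
    """Classify as 'unknown', 'below-minimum', 'supported' or 'recommended'."""
    current = parse_rommon(show_output)
    if platform not in MATRIX or current is None:
        return "unknown"
    minimum, recommended = (parse_rommon(v) for v in MATRIX[platform])
    if current < minimum:
        # Per the NOTE above: boot the 17.12.5 image first so ROMMON auto-upgrades.
        return "below-minimum"
    if current < recommended:
        return "supported"
    return "recommended"


# Constructed sample of "show rom-monitor r0" output, not captured from a device.
SAMPLE_OUTPUT = "System Bootstrap, Version 17.3(4.1r), RELEASE SOFTWARE\n"

if __name__ == "__main__":
    for pid in ("C8300-1N1S-4T2X", "C8300-2N2S-6T"):
        print(pid, check(pid, SAMPLE_OUTPUT))
```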

Related resources

●     Hardware Installation Guide for Catalyst 8200 Series Edge Platforms

●     Hardware Installation Guide for Catalyst 8300 Series Edge Platforms

●     Smart Licensing Using Policy for Cisco Enterprise Routing Platforms

●     Cisco Catalyst 8000 Edge Platforms Family Licensing

●     Cisco Catalyst 8300 and 8200 Series Edge Platforms Software Configuration Guide

Legal information

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2025 Cisco Systems, Inc. All rights reserved.

 
