Release Notes for Cisco Catalyst 9200 Series Switches, Cisco IOS XE Amsterdam 17.1.x

Introduction

Cisco Catalyst 9200 Series Switches are entry level enterprise-class access switches that extend the power of intent-based networking and Cisco Catalyst 9000 Series Switches hardware and software innovation to a broader scale of deployments. These switches focus on offering features for the mid-market and simple branchdeployments. With its family pedigree, Cisco Catalyst 9200 Series Switches offer simplicity without compromise - it is secure, always on and provides IT simplicity.

As a foundational building block for Cisco Digital Network Architecture, this platform is built with security, mobility, cloud and IoT at its core. This gives you out of the box upgrades in security, resiliency and programmability regardless of where you are in the intent-based networking journey.

With access to Cisco’s best in class security portfolio anchored trustworthy solutions, MACsec encryption and segmentation, the platform provides advanced security features that protect the integrity of the hardware as well as the software and all data that flows through the switch and the network. These switches provide enterprise-level resiliency and keep your business up and running seamlessly with field-replaceable power supplies and fans, modular uplinks, cold patching, perpetual PoE, and the industry’s highest mean time between failures (MTBF). Combine the application visibility of full flexible NetFlow with telemetry and the open APIs of Cisco IOS XE and programmability of the UADP ASIC technology and these switches give you the best simple experience provisioning and managing your network now with investment protection on future innovations.

Whats New in Cisco IOS XE Amsterdam 17.1.1

Hardware Features in Cisco IOS XE Amsterdam 17.1.1

Feature Name

Description and Documentation Link

Cisco Catalyst 9200 Series Switches (C9200 Multigigabit Ethernet models)

These new Multigigabit Ethernet models are introduced:

  • C9200-24PXG

  • C9200-48PXG

For more information about these models, see the Cisco Catalyst 9200 Series Switches Hardware Installation Guide.

Cisco Catalyst 9200 Series Switches—Network Modules

The following uplink network modules are available with the C9200 SKUs:

  • C9200-NM-2Y—Two ports (25-GigabitEthernet SFP28 module slots)

  • C9200-NM-2Q—Two ports (40-GigabitEthernet QSFP+ connector slots)


For information about the hardware, see the Cisco Catalyst 9200 Series Switches Hardware Installation Guide.

Software Features in Cisco IOS XE Amsterdam 17.1.1

Feature Name

Description, Documentation Link, and License Level Information

Flash MIB instance retrieval count limit increase

The limitation of Flash MIB listing 100 files per partition per device has been removed. Flash MIB can now fetch all the files from the flash file system.

See Network Management → Configuring Simple Network Management Protocol.

(Network Essentials and Network Advantage)

Neighbor Discovery (ND) Inspection Feature Deprecation

The IPv6 ND Inspection feature is deprecated. The Switch Integrated Security Features based (SISF-based) device tracking feature replaces it and offers the same capabilities.

See Security → Configuring IPv6 First Hop Security.

(Network Essentials and Network Advantage)

Opening or Closing SNMP UDP Ports

A security enhancement that enables you to access the Simple Network Management Protocol (SNMP) UDP ports only after one of the requisite commands is configured. This design change secures and opens the ports only when required and prevents a device from listening to a port unnecessarily.

See Network Management → Configuring Simple Network Management Protocol.

(Network Essentials and Network Advantage)

Per-Port MTU Configuration

Introduces support for port level and port channel level maximum transmission unit (MTU) configuration. With Per-Port MTU configuration, you can configure different MTU values for different interfaces as well as for different port channel interfaces.

See Interface and Hardware Components → Configuring Per-Port MTU.

(Network Essentials and Network Advantage)

Programmability

The following programmability features are introduced in this release:

  • The candidate configuration supports the confirmed commit capability. This implementation is as specified in RFC 6241 for the confirmed commit capability which, when issued, sets the running configuration to the current contents of the candidate configuration and starts a confirmed commit timer. The confirmed commit operation will be rolled back if the commit is not issued within the timeout period. The default timeout period is 600 seconds or 10 minutes.

  • Model-Driven Telemetry Event Notification Support: Introduces support for event notifications over the NETCONF protocol.

  • RESTCONF YANG-Patch Support: Introduces support for YANG-Patch media type as specified by RFC 8072.

  • TLS for gRPC Dial-Out: Introduces support for TLS for gRPC dial-out.

  • Cisco TrustSec uses the REST-based transport protocol for SGACL policy provisioning and data download from Cisco Identity Services Engine (ISE). The REST-based protocol is more secure, and provides reliable, and faster policy and environment data provisioning, than the RADIUS protocol that is used in previous releases. Both the REST API-based and RADIUS-based download of Cisco TrustSec data is supported. However, only one protocol can be active on a device. In Cisco IOS XE Amsterdam 17.1.1, REST-based protocol is the default.

  • YANG Data Models—For the list of Cisco IOS XE YANG models available with this release, navigate to: https://github.com/YangModels/yang/tree/master/vendor/cisco/xe/1711.

    Some of the models introduced in this release are not backward compatible. For the complete list, navigate to: https://github.com/YangModels/yang/tree/master/vendor/cisco/xe/1711/BIC.

    Revision statements embedded in the YANG files indicate if there has been a model revision. The README.md file in the same GitHub location highlights changes that have been made in the release.

See Programmability.

(Network Essentials and Network Advantage)

Cisco Umbrella Integration

Provides security and policy enforcement at the Domain Name Sever (DNS) level. It enables the administrator to split the DNS traffic and directly send some of the desired DNS traffic to a specific DNS server (DNS server located within the enterprise network).

See Security → Configuring Cisco Umbrella Integration.

(Network Advantage)

New on the Web UI

  • Cisco Umbrella Integration

  • New default credentials for WebUI

  • Power Over Ethernet (POE)

  • Intermediate System- Intermediate System(IS-IS)

  • Routing Information Protocol (RIP)

  • Virtual Terminal Lines (VTY)

Use the WebUI for:

  • Cisco Umbrella Integration—Supports integration with the cloud-based security platform–Cisco Umbrella. It provides a first line of defense by inspecting the Domain Name System (DNS) query and preventing a user from accessing a site if it is known to be malicious. Using the WebUI, the security administrator configures policies on the Cisco Umbrella Integration cloud to either allow or deny traffic towards the fully qualified domain name (FQDN).

  • New default credentials for WebUI—The login credentials for connecting to the device from the WebUI at Day 0 have been updated. This is available in the respective platform hardware guide.

  • Power Over Ethernet (POE)—The dashboard displays a dashlet for POE utilization for the switch.

  • Intermediate System- Intermediate System(IS-IS)—Supports Integrated Intermediate System- Intermediate System(IS-IS) routing protocol configuration for improved routing of data packets to their destination based on the best route.

  • Routing Information Protocol (RIP)—Supports RIP configuration for improved routing of data packets to their destination based on the hop count.

  • Virtual Terminal Lines (VTY)—Supports vty lines configuration in device setup, to allow a maximum number of simultaneous access to the device, remotely, through Telnet or SSH.

Important Notes

Unsupported Features

  • Audio Video Bridging (including IEEE802.1AS, IEEE 802.1Qat, and IEEE 802.1Qav)

  • Border Gateway Protocol (BGP)

  • Cisco DNA Service for Bonjour

  • Cisco StackWise Virtual

  • Cisco TrustSec Network Device Admission Control (NDAC) on Uplinks

  • Converged Access for Branch Deployments

  • Fabric Enabled Wireless on C9200L SKUs

  • Gateway Load Balancing Protocol (GLBP)

  • Hot patching (for SMUs)

  • MACSec Encryption

    • MACsec configuration on EtherChannel

    • 256-bit AES MACsec (IEEE 802.1AE) host link encryption with MACsec Key Agreement (MKA)

  • Multiprotocol Label Switching (MPLS)

  • Non Stop Forwarding (NSF)

  • Performance Monitoring (PerfMon)

  • Programmability (Cisco Plug-in for OpenFlow 1.3, Third-Party Application Hosting)

  • Virtual Routing and Forwarding (VRF)-Aware web authentication

  • Web Cache Communication Protocol (WCCP)

Complete List of Supported Features

For the complete list of features supported on a platform, see the Cisco Feature Navigator at https://www.cisco.com/go/cfn.

Accessing Hidden Commands

This section provides information about hidden commands in Cisco IOS XE and the security measures that are in place, when they are accessed. Hidden commands are not equipped with CLI help. This means that entering a question mark (?) at the system prompt does not display the list of available commands. These commands are only meant to assist Cisco TAC in advanced troubleshooting and are not documented either.

Hidden commands are available under:

  • Category 1—Hidden commands in privileged or User EXEC mode. Begin by entering the service internal command to access these commands.

  • Category 2—Hidden commands in one of the configuration modes (global, interface and so on). These commands do not require the service internal command.

Further, the following applies to hidden commands under Category 1 and 2:

  • The commands have CLI help. Entering enter a question mark (?) at the system prompt displays the list of available commands.

    Note: For Category 1, enter the service internal command before you enter the question mark; you do not have to do this for Category 2.

  • The system generates a %PARSER-5-HIDDEN syslog message when the command is used. For example:
    *Feb 14 10:44:37.917: %PARSER-5-HIDDEN: Warning!!! 'show processes memory old-header ' is a hidden command. 
    Use of this command is not recommended/supported and will be removed in future.
    
    

Apart from category 1 and 2, there remain internal commands displayed on the CLI, for which the system does NOT generate the %PARSER-5-HIDDEN syslog message.


Important

We recommend that you use any hidden command only under TAC supervision.

If you find that you are using a hidden command, open a TAC case for help with finding another way of collecting the same information as the hidden command (for a hidden EXEC mode command), or to configure the same functionality (for a hidden configuration mode command) using non-hidden commands.


Supported Hardware

Cisco Catalyst 9200 Series Switches—Model Numbers

The following table lists the supported hardware models and the default license levels they are delivered with. For information about the available license levels, see section License Levels.

Switch Model

Default License Level1

Description

C9200-24T-A

Network Advantage

Stackable 24x1G ports; 4x1G and 4x10G fixed uplink ports; 2 power supply slots; 2 field-replaceable fans; supports StackWise-160.

C9200-24T-E

Network Essentials

C9200-24P-A

Network Advantage

Stackable 24x1G PoE+ ports; 4x1G and 4x10G fixed uplink ports; 2 power supply slots; 2 field-replaceable fans; supports StackWise-160.

C9200-24P-E

Network Essentials

C9200-48T-A

Network Advantage

Stackable 48x1G ports; 4x1G and 4x10G fixed uplink ports; 2 power supply slots; 2 field-replaceable fans; supports StackWise-160.

C9200-48T-E

Network Essentials

C9200-48P-A

Network Advantage

Stackable 48x1G PoE+ ports; 4x1G and 4x10G fixed uplink ports; 2 power supply slots; 2 field-replaceable fans; supports StackWise-160.

C9200-48P-E

Network Essentials

C9200-24PXG-E

Network Essentials

Stackable 8 Multigigabit Ethernet and 16x1G PoE+ ports; supports 4x10G, 2x25G and 2x40G network modules for uplink ports; 2 power supply slots; 2 field-replaceable fans; supports StackWise-160.

C9200-24PXG-A

Network Advantage

C9200-48PXG-E

Network Essentials

Stackable 8 Multigigabit Ethernet and 40x1G PoE+ ports; supports 4x10G, 2x25G and 2x40G network modules for uplink ports; 2 power supply slots; 2 field-replaceable fans; supports StackWise-160.

C9200-48PXG-A

Network Advantage

C9200L-24P-4G-A

Network Advantage

Stackable 24x1G PoE+ ports; 4x1G fixed uplink ports; 2 power supply slots; 2 fixed fans; supports StackWise-80.

C9200L-24P-4G-E

Network Essentials

C9200L-24P-4X-A

Network Advantage

Stackable 24x1G PoE+ ports; 4x10G fixed uplink ports; 2 power supply slots; 2 fixed fans; supports StackWise-80.

C9200L-24P-4X-E

Network Essentials

C9200L-24T-4G-A

Network Advantage

Stackable 24x1G ports; 4x1G fixed uplink ports; 2 power supply slots; 2 fixed fans; supports StackWise-80.

C9200L-24T-4G-E

Network Essentials

C9200L-24T-4X-A

Network Advantage

Stackable 24x1G ports; 4x10G fixed uplink ports; 2 power supply slots; 2 fixed fans; supports StackWise-80.

C9200L-24T-4X-E

Network Essentials

C9200L-48P-4G-A

Network Advantage

Stackable 48x1G PoE+ ports; 4x1G fixed uplink ports; 2 power supply slots; 2 fixed fans; supports StackWise-80.

C9200L-48P-4G-E

Network Essentials

C9200L-48P-4X-A

Network Advantage

Stackable 48x1G PoE+ ports; 4x10G fixed uplink ports; 2 power supply slots; 2 fixed fans; supports StackWise-80.

C9200L-48P-4X-E

Network Essentials

C9200L-48T-4G-A

Network Advantage

Stackable 48x1G ports; 4x1G fixed uplink ports; 2 power supply slots; 2 fixed fans; supports StackWise-80.

C9200L-48T-4G-E

Network Essentials

C9200L-48T-4X-A

Network Advantage

Stackable 48x1G ports; 4x10G fixed uplink ports; 2 power supply slots; 2 fixed fans; supports StackWise-80.

C9200L-48T-4X-E

Network Essentials

C9200L-24PXG-4X-A

Network Advantage

Stackable 8xMultigigabit Ethernet PoE+ ports and 16x1G PoE+ ports; 4x10G fixed uplink ports; 2 power supply slots; 2 fixed fans; supports StackWise-80.

C9200L-24PXG-4X-E

Network Essentials

C9200L-24PXG-2Y-A

Network Advantage

Stackable 8xMultigigabit Ethernet PoE+ ports and 16x1G PoE+ ports; 2x25G fixed uplink ports; 2 power supply slots; 2 fixed fans; supports StackWise-80.

C9200L-24PXG-2Y-E

Network Essentials

C9200L-48PXG-4X-A

Network Advantage

Stackable 12xMultigigabit Ethernet PoE+ ports and 36x1G PoE+ ports; 4x10G fixed uplink ports; 2 power supply slots; 2 fixed fans; supports StackWise-80.

C9200L-48PXG-4X-E

Network Essentials

C9200L-48PXG-2Y-A

Network Advantage

Stackable 8xMultigigabit Ethernet PoE+ ports and 40x1G PoE+ ports; 2x25G fixed uplink ports; 2 power supply slots; 2 fixed fans; supports StackWise-80.

C9200L-48PXG-2Y-E

Network Essentials

1 See Table: Table 1, for information about the add-on licenses that you can order.

Network Modules

The following table lists the optional uplink network modules with 1-GigabitEthernet and 10-GigabitEthernet slots. You should only operate the switch with either a network module or a blank module installed.

Network Module

Description

C9200-NM-4G 1

Four 1-GigabitEthernet SFP module slots

C9200-NM-4X 1

Four 10-GigabitEthernet SFP+ module slots

C9200-NM-2Y2

Two 25-GigabitEthernet SFP28 module slots

C9200-NM-2Q2

Two 40-GigabitEthernet slots with a QSFP+ connector in each slot


Note

  1. These network modules are supported only on the C9200 SKUs of the Cisco Catalyst 9200 Series Switches.

  2. These network modules are supported only on the C9200 Multigigabit Ethernet switch models of Cisco Catalyst 9200 Series Switches.


Compatibility Matrix

The following table provides software compatibility information.

Catalyst 9200

Cisco Identity Services Engine

Cisco Prime Infrastructure

Amsterdam 17.1.1

2.7

C9200 and C9200L: PI 3.6 + PI 3.6 latest maintenance release + PI 3.6 latest device pack

See Cisco Prime Infrastructure 3.6 Downloads.

Gibraltar 16.12.4

2.6

C9200 and C9200L: PI 3.8 + PI 3.8 latest maintenance release + PI 3.8 latest device pack

See Cisco Prime Infrastructure 3.8 → Downloads.

Gibraltar 16.12.3a

2.6

C9200 and C9200L: PI 3.5 + PI 3.5 latest maintenance release + PI 3.5 latest device pack

See Cisco Prime Infrastructure 3.5Downloads.

Gibraltar 16.12.3

2.6

C9200 and C9200L: PI 3.5 + PI 3.5 latest maintenance release + PI 3.5 latest device pack

See Cisco Prime Infrastructure 3.5Downloads.

Gibraltar 16.12.2

2.6

C9200 and C9200L: PI 3.5 + PI 3.5 latest maintenance release + PI 3.5 latest device pack

See Cisco Prime Infrastructure 3.5Downloads.

Gibraltar 16.12.1

2.6

C9200 and C9200L: PI 3.5 + PI 3.5 latest maintenance release + PI 3.5 latest device pack

See Cisco Prime Infrastructure 3.5Downloads.

Gibraltar 16.11.1

2.6

2.4 Patch 5

C9200 and C9200L: PI 3.4 + PI 3.4 latest maintenance release + PI 3.4 latest device pack

See Cisco Prime Infrastructure 3.4Downloads.

Gibraltar 16.10.1

2.4

C9200: PI 3.4 + Device Pack 9

C9200L: PI 3.4 + Device Pack 7

See Cisco Prime Infrastructure 3.4Downloads.

Fuji 16.9.5

2.4

PI 3.4 + Device Pack 7

See Cisco Prime Infrastructure 3.4Downloads.

Fuji 16.9.4

2.4

PI 3.4 + Device Pack 7

See Cisco Prime Infrastructure 3.4Downloads.

Fuji 16.9.3

2.4

PI 3.4 + Device Pack 7

See Cisco Prime Infrastructure 3.4Downloads.

Fuji 16.9.22

2.4

PI 3.4 + Device Pack 7

See Cisco Prime Infrastructure 3.4Downloads.

2 The compatibility information for Fuji 16.9.2 applies only to the C9200L SKUs.

Web UI System Requirements

The following subsections list the hardware and software required to access the Web UI:

Minimum Hardware Requirements

Processor Speed

DRAM

Number of Colors

Resolution

Font Size

233 MHz minimum3

512 MB4

256

1280 x 800 or higher

Small

3 We recommend 1 GHz
4 We recommend 1 GB DRAM

Software Requirements

Operating Systems

  • Windows 10 or later

  • Mac OS X 10.9.5 or later

Browsers

  • Google Chrome—Version 59 or later (On Windows and Mac)

  • Microsoft Edge

  • Mozilla Firefox—Version 54 or later (On Windows and Mac)

  • Safari—Version 10 or later (On Mac)

Upgrading the Switch Software

This section covers the various aspects of upgrading or downgrading the device software.


Note

You cannot use the Web UI to install, upgrade, or downgrade device software.

Finding the Software Version

The package files for the Cisco IOS XE software are stored on the system board flash device (flash:).

You can use the show version privileged EXEC command to see the software version that is running on your switch.


Note

Although the show version output always shows the software image running on the switch, the model name shown at the end of this display is the factory configuration and does not change if you upgrade the software license.

You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.

Software Images

Release

Image Type

File Name

Cisco IOS XE Amsterdam 17.1.1

CAT9K_LITE_IOSXE

cat9k_lite_iosxe.17.01.01.SPA.bin

Automatic Boot Loader Upgrade

When you upgrade from the existing release on your switch to a later or newer release for the first time, the boot loader may be automatically upgraded, based on the hardware version of the switch. If the boot loader is automatically upgraded, it will take effect on the next reload. If you go back to the older release after this, the boot loader is not downgraded. The updated boot loader supports all previous releases.


Caution

Do not power cycle your switch during the upgrade.

Scenario

Automatic Boot Loader Response

If you boot Cisco IOS XE Amsterdam 17.1.1 for the first time

The boot loader may be upgraded to version 17.1.1 [FC3]. For example:
ROM: IOS-XE ROMMON
BOOTLDR: System Bootstrap, Version 17.1.1 [FC3], RELEASE SOFTWARE(P)

Software Installation Commands

Summary of Software Installation Commands

To install and activate the specified file, and to commit changes to be persistent across reloads:

install add file filename [ activate commit]

To separately install, activate, commit, cancel, or remove the installation file: install ?

add file tftp: filename

Copies the install file package from a remote location to the device and performs a compatibility check for the platform and image versions.

activate [ auto-abort-timer]

Activates the file, and reloads the device. The auto-abort-timer keyword automatically rolls back image activation.

commit

Makes changes persistent over reloads.

rollback to committed

Rolls back the update to the last committed version.

abort

Cancels file activation, and rolls back to the version that was running before the current installation procedure started.

remove

Deletes all unused and inactive software installation files.

Upgrading in Install Mode

Follow these instructions to upgrade from one release to another, in install mode. To perform a software image upgrade, you must be booted into IOS through boot flash:packages.conf .

Before you begin

Note that you can use this procedure for the following upgrade scenarios:

When upgrading from ...

To...

Cisco IOS XE Gibraltar 16.12.1 and later

Cisco IOS XE Amsterdam 17.1.1

The sample output in this section displays upgrade from Cisco IOS XE Gibraltar 16.12.1 to Cisco IOS XE Amsterdam 17.1.1 using install commands.

Procedure


Step 1

Clean Up

  1. install remove inactive

    Use this command to clean up unused installation files in case of insufficient space. Ensure that you have at least 1GB of space in flash to expand a new image.
    Switch# install remove inactive
    install_remove: START Wed Nov 20 17:46:18 IST 2019
    Cleaning up unnecessary package files
    No path specified, will use booted path flash:packages.conf
    Cleaning flash:
      Scanning boot directory for packages ... done.
      Preparing packages list to delete ... 
        cat9k_lite-rpbase.16.12.01.SPA.pkg
          File is in use, will not delete.
        cat9k_lite-rpboot.16.12.01.SPA.pkg
          File is in use, will not delete.
        cat9k_lite-srdriver.16.12.01.SPA.pkg
          File is in use, will not delete.
        cat9k_lite-webui.16.12.01.SPA.pkg
          File is in use, will not delete.
        packages.conf
          File is in use, will not delete.
      done.
      
    The following files will be deleted:
    [switch 1]:
    /flash/cat9k_lite_iosxe.16.12.01.SPA.bin
    
    Do you want to remove the above files? [y/n]y
    [switch 1]:
    Deleting file flash:cat9k_lite_iosxe.16.12.01.SPA.bin ... done.
    SUCCESS: Files deleted.
    --- Starting Post_Remove_Cleanup ---
    Performing Post_Remove_Cleanup on all members
      [1] Post_Remove_Cleanup package(s) on switch 1
      [1] Finished Post_Remove_Cleanup on switch 1
    Checking status of Post_Remove_Cleanup on [1]
    Post_Remove_Cleanup: Passed on [1]
    Finished Post_Remove_Cleanup
    SUCCESS: install_remove  Wed Nov 20 17:47:20 IST 2019
    Switch#
Step 2

Copy new image to flash

  1. copy tftp: flash:

    Use this command to copy the new image to flash: (or skip this step if you want to use the new image from your TFTP server)

    Switch# copy tftp://10.8.0.6//cat9k_lite_iosxe.17.01.01.SPA.bin flash:
    
    Destination filename [cat9k_lite_iosxe.17.01.01.SPA.bin]?
    Accessing tftp://10.8.0.6//cat9k_lite_iosxe.17.01.01.SPA.bin...
    Loading /cat9k_lite_iosxe.17.01.01.SPA.bin from 10.8.0.6 (via GigabitEthernet0/0): 
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    [OK - 601216545 bytes]
     
    601216545 bytes copied in 50.649 secs (11870255 bytes/sec)
     
    
  2. dir flash

    Use this command to confirm that the image has been successfully copied to flash.

    Switch# dir flash:*.bin
    Directory of flash:/*.bin
     
    Directory of flash:/
     
    434184 -rw- 601216545 Nov 20 2019 10:18:11 -07:00 cat9k_lite_iosxe.17.01.01.SPA.bin
    11353194496 bytes total (8976625664 bytes free)
    
    
Step 3

Set boot variable

  1. boot system flash:packages.conf

    Use this command to set the boot variable to flash:packages.conf .

    Switch(config)# boot system flash:packages.conf
    Switch(config)# exit
  2. write memory

    Use this command to save boot settings.

    Switch# write memory
  3. show boot system

    Use this command to verify the boot variable is set to flash:packages.conf .

    The output should display BOOT variable = flash:packages.conf .

    Switch# show boot system
Step 4

Software install image to flash

  1. install add file activate commit

    Use this command to install the target image. You can point to the source image on your TFTP server or in flash if you have it copied to flash.
    Switch# install add file flash:cat9k_lite_iosxe.17.01.01.SPA.bin activate commit
    install_add_activate_commit: START Wed Nov 20 17:32:18 IST 2019
    
    *Nov 20 17:32:21.642 IST: %INSTALL-5-INSTALL_START_INFO: Switch 1 R0/0: install_engine: Started install one-shot flash:cat9k_lite_iosxe.17.01.01.SPA.bininstall_add_activate_commit: Adding PACKAGE
    
    This operation requires a reload of the system. Do you want to proceed? 
    Please confirm you have changed boot config to flash:packages.conf [y/n]y
    
    --- Starting initial file syncing ---
    Info: Finished copying flash:cat9k_lite_iosxe.17.01.01.SPA.bin to the selected switch(es)
    Finished initial file syncing
    
    --- Starting Add ---
    Performing Add on all members
      [1] Add package(s) on switch 1
      [1] Finished Add on switch 1
    Checking status of Add on [1]
    Add: Passed on [1]
    Finished Add
    
    Image added. Version: 17.1.1
    install_add_activate_commit: Activating PACKAGE
    
    gzip: initramfs.cpio.gz: decompression OK, trailing garbage ignored
    Following packages shall be activated:
    /flash/cat9k_lite-webui.17.01.01.SPA.pkg
    /flash/cat9k_lite-srdriver.17.01.01.SPA.pkg
    /flash/cat9k_lite-rpboot.17.01.01.SPA.pkg
    /flash/cat9k_lite-rpbase.17.01.01.SPA.pkg
    
    This operation requires a reload of the system. Do you want to proceed? [y/n]y
    --- Starting Activate ---
    Performing Activate on all members
      [1] Activate package(s) on switch 1
      [1] Finished Activate on switch 1
    Checking status of Activate on [1]
    Activate: Passed on [1]
    Finished Activate
    
    --- Starting Commit ---
    Performing Commit on all members
    
    *Nov 20 17:36:43.102 IST: %INSTALL-5-INSTALL_AUTO_ABORT_TIMER_PROGRESS: Switch 1 R0/0: rollback_timer: Install auto abort timer will expire in 7199 seconds  [1] Commit package(s) on switch 1
      [1] Finished Commit on switch 1
    Checking status of Commit on [1]
    Commit: Passed on [1]
    Finished Commit
    
    Install will reload the system now!
    SUCCESS: install_add_activate_commit  Wed Nov 20 17:37:03 IST 2019
    
    
    Note 
    The system reloads automatically after executing the install add file activate commit command . You do not have to manually reload the system.
  2. dir flash:

    After the software has been successfully installed, use this command to verify that the flash partition has four new .pkg files and two .conf files.
    Switch# dir flash:*.pkg
    
    Directory of flash:/*.pkg
    Directory of flash:/
    
    48582  -rw- 298787860 Jul 20 2019 05:13:32 +00:00  cat9k_lite-rpbase.16.12.01.SPA.pkg
    48585  -rw- 35713901  Jul 20 2019 05:14:12 +00:00  cat9k_lite-rpboot.16.12.01.SPA.pkg
    48583  -rw- 4252692   Jul 20 2019 05:13:33 +00:00  cat9k_lite-srdriver.16.12.01.SPA.pkg
    48584  -rw- 8119312   Jul 20 2019 05:13:34 +00:00  cat9k_lite-webui.16.12.01.SPA.pkg
    
    16640  -rw- 301188116 Nov 20 2019 05:33:25 +00:00  cat9k_lite-rpbase.17.01.01.SPA.pkg
    16647  -rw- 35112025  Nov 20 2019 05:34:06 +00:00  cat9k_lite-rpboot.17.01.01.SPA.pkg
    16642  -rw- 4326420   Nov 20 2019 05:33:25 +00:00  cat9k_lite-srdriver.17.01.01.SPA.pkg
    16643  -rw- 8328208   Nov 20 2019 05:33:25 +00:00  cat9k_lite-webui.17.01.01.SPA.pkg
    
    

    The following sample output displays the .conf files in the flash partition; note the two .conf files:

    • packages.conf—the file that has been re-written with the newly installed .pkg files

    • cat9k_lite_iosxe.17.01.01.SPA.conf— a backup copy of the newly installed packages.conf file

    Switch# dir flash:*.conf
     
    Directory of flash:/*.conf
    Directory of flash:/
    
    16631 -rw- 4882  Nov 20 2019 05:39:42 +00:00  packages.conf
    16634 -rw- 4882  Nov 20 2019 05:34:06 +00:00  cat9k_lite_iosxe.17.01.01.SPA.conf
    
Step 5

Reload

  1. boot flash:

    If your switches are configured with auto boot, then the stack will automatically boot up with the new image. If not, you can manually boot flash:packages.conf
    Switch: boot flash:packages.conf
    
    
  2. show version

    After the image boots up, use this command to verify the version of the new image.

    Note 
    When you boot the new image, the boot loader is automatically updated, but the new bootloader version is not displayed in the output until the next reload.
    The following sample output of the show version command displays the Cisco IOS XE Amsterdam 17.1.1 image on the device:
    Switch# show version
    Cisco IOS XE Software, Version 17.01.01
    Cisco IOS Software [Amsterdam], Catalyst L3 Switch Software (CAT9K_LITE_IOSXE), Version 17.1.1, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2019 by Cisco Systems, Inc.
    Compiled Fri 22-Nov-19 00:55 by mcpre
    <output truncated>

Downgrading in Install Mode

Follow these instructions to downgrade from one release to another, in install mode. To perform a software image downgrade, you must be booted into IOS through boot flash:packages.conf .

Before you begin

Note that you can use this procedure for the following downgrade scenarios:

When downgrading from ...

To ...

Cisco IOS XE Amsterdam 17.1.1

Cisco IOS XE Gibraltar 16.12.1 or earlier releases.

The sample output in this section shows downgrade from Cisco IOS XE Amsterdam 17.1.1 to Cisco IOS XE Gibraltar 16.12.1, using install commands.


Important

New switch models that are introduced in a release cannot be downgraded. The release in which a module is introduced is the minimum software version for that model. We recommend upgrading all existing hardware to the same release as the latest hardware.

Procedure


Step 1

Clean Up

  1. install remove inactive

    Use this command to clean up unused installation files in case of insufficient space. Ensure that you have at least 1GB of space in flash to expand a new image.
    Switch# install remove inactive
    install_remove: START Wed Nov 20 17:46:18 IST 2019
    Cleaning up unnecessary package files
    No path specified, will use booted path flash:packages.conf
    Cleaning flash:
      Scanning boot directory for packages ... done.
      Preparing packages list to delete ... 
        cat9k_lite-rpbase.17.1.01.SPA.pkg
          File is in use, will not delete.
        cat9k_lite-rpboot.17.01.1.SPA.pkg
          File is in use, will not delete.
        cat9k_lite-srdriver.17.01.1.SPA.pkg
          File is in use, will not delete.
        cat9k_lite-webui.17.01.1.SPA.pkg
          File is in use, will not delete.
        packages.conf
          File is in use, will not delete.
      done.
      
    The following files will be deleted:
    [switch 1]:
    /flash/cat9k_lite_iosxe.17.01.1.SPA.bin
    
    Do you want to remove the above files? [y/n]y
    [switch 1]:
    Deleting file flash:cat9k_lite_iosxe.17.01.1.SPA.bin ... done.
    SUCCESS: Files deleted.
    --- Starting Post_Remove_Cleanup ---
    Performing Post_Remove_Cleanup on all members
      [1] Post_Remove_Cleanup package(s) on switch 1
      [1] Finished Post_Remove_Cleanup on switch 1
    Checking status of Post_Remove_Cleanup on [1]
    Post_Remove_Cleanup: Passed on [1]
    Finished Post_Remove_Cleanup
    
    SUCCESS: install_remove  Wed Nov 20 17:47:20 IST 2019
    Switch#
Step 2

Copy new image to flash

  1. copy tftp: flash:

    Use this command to copy the new image to flash: (or skip this step if you want to use the new image from your TFTP server)

    Switch# copy tftp://10.8.0.6//cat9k_lite_iosxe.16.12.01.SPA.bin flash:
    
    Destination filename [cat9k_lite_iosxe.16.12.01.SPA.bin]?
    Accessing tftp://10.8.0.6//cat9k_lite_iosxe.16.12.01.SPA.bin...
    Loading /cat9k_lite_iosxe.16.12.01.SPA.bin from 10.8.0.6 (via GigabitEthernet0/0): 
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    [OK - 508584771 bytes]
    508584771 bytes copied in 101.005 secs (5035244 bytes/sec)
     
    
  2. dir flash:

    Use this command to confirm that the image has been successfully copied to flash.

    Switch# dir flash:*.bin
    Directory of flash:/*.bin
     
    Directory of flash:/
     
    434184 -rw- 508584771 Wed Nov 20 2019 13:35:16 -07:00 cat9k_lite_iosxe.16.12.01.SPA.bin
    11353194496 bytes total (9055866880 bytes free)
    
    
Step 3

Downgrade software image

  1. install add file activate commit

The following example displays the installation of the Cisco IOS XE Gibraltar 16.12.1 software image to flash, by using the install add file activate commit command. You can point to the source image on your tftp server or in flash if you have it copied to flash.

Switch# install add file flash:cat9k_lite_iosxe.16.12.01.SPA.bin activate commit
install_add_activate_commit: START Wed Nov 20 17:32:18 IST 2019

*Nov  20 17:32:21.642 IST: %INSTALL-5-INSTALL_START_INFO: Switch 1 R0/0: install_engine: Started install one-shot flash:cat9k_lite_iosxe.16.12.01.SPA.bin install_add_activate_commit: Adding PACKAGE

This operation requires a reload of the system. Do you want to proceed? 
Please confirm you have changed boot config to flash:packages.conf [y/n]y

--- Starting initial file syncing ---
Info: Finished copying flash:cat9k_lite_iosxe.16.12.01.SPA.bin to the selected switch(es)
Finished initial file syncing

--- Starting Add ---
Performing Add on all members
  [1] Add package(s) on switch 1
  [1] Finished Add on switch 1
Checking status of Add on [1]
Add: Passed on [1]
Finished Add

Image added. Version: 16.12.1.0.214
install_add_activate_commit: Activating PACKAGE

gzip: initramfs.cpio.gz: decompression OK, trailing garbage ignored
Following packages shall be activated:
/flash/cat9k_lite-webui.16.12.01.SPA.pkg
/flash/cat9k_lite-srdriver.16.12.01.SPA.pkg
/flash/cat9k_lite-rpboot.16.12.01.SPA.pkg
/flash/cat9k_lite-rpbase.16.12.01.SPA.pkg

This operation requires a reload of the system. Do you want to proceed? [y/n]y
--- Starting Activate ---
Performing Activate on all members
  [1] Activate package(s) on switch 1
  [1] Finished Activate on switch 1
Checking status of Activate on [1]
Activate: Passed on [1]
Finished Activate

--- Starting Commit ---
Performing Commit on all members

*Nov  20 17:36:43.102 IST: %INSTALL-5-INSTALL_AUTO_ABORT_TIMER_PROGRESS: Switch 1 R0/0: rollback_timer: Install auto abort timer will expire in 7199 seconds  [1] Commit package(s) on switch 1
  [1] Finished Commit on switch 1
Checking status of Commit on [1]
Commit: Passed on [1]
Finished Commit

Install will reload the system now!
SUCCESS: install_add_activate_commit  Wed Nov 20 17:37:03 IST 2019

Note 
The system reloads automatically after executing the install add file activate commit command. You do not have to manually reload the system.
Step 4

Reload

  1. boot flash:

    If your switches are configured with auto boot, then the stack will automatically boot up with the new image. If not, you can manually boot flash:packages.conf
    Switch: boot flash:packages.conf
    
    
    Note 
    When you downgrade the software image, the boot loader does not automatically downgrade. It remains updated.
  2. show version

    After the image boots up, use this command to verify the version of the new image.

    Note 
    When you boot the new image, the boot loader is automatically updated, but the new bootloader version is not displayed in the output until the next reload.
    The following sample output of the show version command displays the Cisco IOS XE Gibraltar 16.12.1 image on the device:
    Switch# show version
    Cisco IOS XE Software, Version 16.12.01
    Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT9K_LITE_IOSXE), Version 16.12.01, RELEASE SOFTWARE (fc4)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2018 by Cisco Systems, Inc.
    Compiled Wed 20-Nov-19 18:14 by mcpre

Licensing

This section provides information about the licensing packages for features available on Cisco Catalyst 9000 Series Switches.

License Levels

The software features available on Cisco Catalyst 9200 Series Switches fall under these base or add-on license levels.

Base Licenses

  • Network Essentials

  • Network Advantage—Includes features available with the Network Essentials license and more.

Add-On Licenses

Add-On Licenses require a Network Essentials or Network Advantage as a pre-requisite. The features available with add-on license levels provide Cisco innovations on the switch, as well as on the Cisco Digital Network Architecture Center (Cisco DNA Center).

  • DNA Essentials

  • DNA Advantage— Includes features available with the DNA Essentials license and more.

To find information about platform support and to know which license levels a feature is available with, use Cisco Feature Navigator. To access Cisco Feature Navigator, go to https://www.cisco.com/go/cfn. An account on cisco.com is not required.

License Types

The following license types are available:

  • Permanent—for a license level, and without an expiration date.

  • Term—for a license level, and for a three, five, or seven year period.

  • Evaluation—a license that is not registered.

License Levels - Usage Guidelines

  • Base licenses (Network Essentials and Network-Advantage) are ordered and fulfilled only with a permanent license type.

  • Add-on licenses (DNA Essentials and DNA Advantage) are ordered and fulfilled only with a term license type.

  • An add-on license level is included when you choose a network license level. If you use DNA features, renew the license before term expiry, to continue using it, or deactivate the add-on license and then reload the switch to continue operating with the base license capabilities.

  • When ordering an add-on license with a base license, note the combinations that are permitted and those that are not permitted:

    Table 1. Permitted Combinations

    DNA Essentials

    DNA Advantage

    Network Essentials

    Yes

    No

    Network Advantage

    Yes5

    Yes

    5 You will be able to purchase this combination only at the time of the DNA license renewal and not when you purchase DNA-Essentials the first time.
  • Evaluation licenses cannot be ordered. They are not tracked via Cisco Smart Software Manager and expire after a 90-day period. Evaluation licenses can be used only once on the switch and cannot be regenerated. Warning system messages about an evaluation license expiry are generated only 275 days after expiration and every week thereafter. An expired evaluation license cannot be reactivated after reload.

Smart Licensing

Cisco Smart Licensing is a unified license management system that manages all the software licenses across Cisco products.

It enables you to purchase, deploy, manage, track and renew Cisco Software. It provides information about license ownership and consumption through a single user interface.

The solution is composed of Smart Accounts and Cisco Smart Software Manager. The former is an online account of your Cisco software assets and is required to use the latter. Cisco Smart Software Manager is where you can perform all your licensing management related tasks, such as, registering, de-registering, moving, and transferring licenses. Users can be added and given access and permissions to the smart account and specific virtual accounts.


Important

Cisco Smart Licensing is the default and the only available method to manage licenses.

Deploying Smart Licensing

The following provides a process overview of a day 0 to day N deployment directly initiated from a device. Links to the configuration guide provide detailed information to help you complete each one of the smaller tasks.

Procedure

Step 1

Begin by establishing a connection from your network to Cisco Smart Software Manager on cisco.com.

In the software configuration guide of the required release, see System Management → Configuring Smart Licensing → Connecting to CSSM

Step 2

Create and activate your Smart Account, or login if you already have one.

To create and activate Smart Account, go to Cisco Software Central → Create Smart Accounts. Only authorized users can activate the Smart Account.

Step 3

Complete the Cisco Smart Software Manager set up.

  1. Accept the Smart Software Licensing Agreement.

  2. Set up the required number of Virtual Accounts, users and access rights for the virtual account users.

    Virtual accounts help you organize licenses by business unit, product type, IT group, and so on.

  3. Generate the registration token in the Cisco Smart Software Manager portal and register your device with the token.

    In the software configuration guide of the required release, see System Management → Configuring Smart Licensing → Registering the Device in CSSM


With this,

  • The device is now in an authorized state and ready to use.

  • The licenses that you have purchased are displayed in your Smart Account.

Using Smart Licensing on an Out-of-the-Box Device

If an out-of-the-box device has the software version factory-provisioned, all licenses on such a device remain in evaluation mode until registered in Cisco Smart Software Manager.

In the software configuration guide of the required release, see System Management → Configuring Smart Licensing → Registering the Device in CSSM

Limitations and Restrictions

  • Control Plane Policing (CoPP)—The show run command does not display information about classes configured under system-cpp policy, when they are left at default values. Use the show policy-map system-cpp-policy or the show policy-map control-plane commands in privileged EXEC mode instead.

  • Hardware limitations

    • Management Port—You cannot modify the configured port speed, duplex mode and flow control and disable auto-negotiation on the Ethernet Management port (GigabitEthernet0/0). Port speed and duplex mode can only be changed from a peer port.

    • Network Module — When the C9200-NM-4X network module is plugged into the C9200 SKUs of the Cisco Catalyst 9200 Series Switches, the downlink interface remains in down state until the network module is recognized by the switch. The time taken for the switch to recognize the network module is longer in comparison to the time taken by the switch to recognize other interconnected devices.

  • Memory leak—When a logging discriminator is configured and applied to a device, memory leak is seen under heavy syslog or debug output. The rate of the leak is dependent on the quantity of logs produced. In extreme cases, the device may fail. As a workaround, disable the logging discriminator on the device.

  • QoS restrictions

    • When configuring QoS queuing policy, the sum of the queuing buffer should not exceed 100%.

    • For QoS policies, only switched virtual interfaces (SVI) are supported for logical interfaces.

    • QoS policies are not supported for port-channel interfaces, tunnel interfaces, and other logical interfaces.

  • Secure Shell (SSH)

    • Use SSH Version 2. SSH Version 1 is not supported.

    • When the device is running SCP and SSH cryptographic operations, expect high CPU until the SCP read process is completed. SCP supports file transfers between hosts on a network and uses SSH for the transfer.

      Since SCP and SSH operations are currently not supported on the hardware crypto engine, running encryption and decryption process in software causes high CPU. The SCP and SSH processes can show as much as 40 or 50 percent CPU usage, but they do not cause the device to shutdown.

  • Stacking

    • Stacking is supported on Cisco Catalyst 9200 Series Switches; A switch stack supports up to eight stack members. However, you cannot stack C9200 SKUs with C9200L SKUs

      The supported stacking bandwidth on C9200L SKUs is up to 80Gbps; on C9200 SKUs, this is up to 160Gbps.

    • Auto upgrade for a new member switch is supported only in the install mode.

  • TACACS legacy command: Do not configure the legacy tacacs-server host command; this command is deprecated. If the software version running on your device is Cisco IOS XE Gibraltar 16.12.2 or a later release, using the legacy command can cause authentication failures. Use the tacacs server command in global configuration mode.

  • USB Authentication—When you connect a Cisco USB drive to the switch, the switch tries to authenticate the drive against an existing encrypted preshared key. Since the USB drive does not send a key for authentication, the following message is displayed on the console when you enter password encryption aes command:
    Device(config)# password encryption aes
    Master key change notification called without new or old key
  • YANG data modeling limitation—A maximum of 20 simultaneous NETCONF sessions are supported.

Caveats

Caveats describe unexpected behavior in Cisco IOS-XE releases. Caveats listed as open in a prior release are carried forward to the next release as either open or resolved.

Open Caveats in Cisco IOS XE Amsterdam 17.1.x

Identifier

Description

CSCvq72472

Private-vlan mapping XXX configuration under SVI is lost from run config after switch reload

CSCvr37065

C9200L kernel Oops jumbo packets

CSCvr88090

Cat9300 crash on running show platform software fed switch 1 fss abstraction

CSCvr92287

EPC with packet-len opt breaks CPU in-band path for bigger frames

CSCvr92660

STP BPDUs not being sent from FED to IOSd

CSCvr98281

After valid ip conflict, SVI admin down responds to GARP

CSCvr99132

SPANed multicast packet reduced TTL

CSCvs14893

802.1x-MultiAuth/MultiDomain: C9K - Traffic drop in egress direction for Data-Vlan on a Auth port

Resolved Caveats in Cisco IOS XE Amsterdam 17.1.1

Identifier

Description

CSCvo66246

Enabling SPAN source of VLAN 1 affects LACP operations

CSCvp71557

%CRB_EVENT-3-CRB_RT_ERROR: CRB Runtime Exception: attempted negative int -> ptr cast (0xCBE0D3A4)

CSCvq19871

RX traffic get stuck on of interface phy ASIC

CSCvq30460

SYS-2-BADSHARE: Bad refcount in datagram_done - messages seen during system churn

CSCvq40137

Mac address not being learnt when "auth port-control auto" command is present

CSCvq56135

C9200 stack member switches reset with reset reason as stack merge

CSCvq77496

C9200 interface comes up in half-duplex mode even if interface is forced to "duplex full"

CSCvq82952

input error of uplink ports are increasing slowly even if disconnecting cable and SFP.

CSCvr04551

Multicast stream flickers on igmp join/leave

CSCvr07162

system crash on execute "fed TCAM utilization"

CSCvr32460

C9200 stack breaks and subsequent merge fails

CSCvr46931

ports remain down/down object-manager (fed-ots-mo thread is stuck)

CSCvs06760

17.1.1 c9200: FEW: access tunnel scale limitation

Cisco Bug Search Tool

The Cisco Bug Search Tool (BST) allows partners and customers to search for software bugs based on product, release, and keyword, and aggregates key data such as bug details, product, and version. The BST is designed to improve the effectiveness in network risk management and device troubleshooting. The tool has a provision to filter bugs based on credentials to provide external and internal bug views for the search input.

To view the details of a caveat, click on the identifier.

Troubleshooting

For the most up-to-date, detailed troubleshooting information, see the Cisco TAC website at this URL:

https://www.cisco.com/en/US/support/index.html

Go to Product Support and select your product from the list or enter the name of your product. Look under Troubleshoot and Alerts, to find information for the problem that you are experiencing.

Related Documentation

Information about Cisco IOS XE 16 at this URL: https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-xe/index.html

All support documentation for Cisco Catalyst 9200 Series Switches is at this URL: https://www.cisco.com/c/en/us/support/switches/catalyst-9200-r-series-switches/tsd-products-support-series-home.html

Cisco Validated Designs documents at this URL: https://www.cisco.com/go/designzone

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

Communications, Services, and Additional Information

  • To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.

  • To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.

  • To submit a service request, visit Cisco Support.

  • To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.

  • To obtain general networking, training, and certification titles, visit Cisco Press.

  • To find warranty information for a specific product or product family, access Cisco Warranty Finder.

Cisco Bug Search Tool

Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system that maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides you with detailed defect information about your products and software.