Release Notes for Cisco Catalyst 9300 Series Switches, Cisco IOS XE Everest 16.5.1a
First Published: June 20, 2017
This release note gives an overview of the hardware and software with Cisco IOS XE Everest 16.5.1a, on the Cisco Catalyst 9300 Series Switches. Unless otherwise noted, the terms switch and device refer to a standalone switch and to a switch stack.
For information about open issues with the software, see Caveats.
Cisco Catalyst 9300 Series Switches are Cisco’s lead stackable access platforms for the next-generation enterprise. The series has been purpose-built to address the emerging trends of security, IoT, mobility, and cloud.
Cisco Catalyst 9300 Series Switches deliver complete convergence in ASIC architecture with the Unified Access Data Plane (UADP) 2.0. The platform runs Open Cisco IOS XE, which supports model-driven programmability, can host containers, and can run third-party applications and scripts natively on the switch (by virtue of its x86 CPU architecture, local storage, and larger memory footprint). The series forms the foundational building block for SD-Access, Cisco’s lead enterprise architecture.
The series offers 1 Gigabit copper Ethernet switches with 80 Gbps of uplink bandwidth and 480 Gbps of stacking bandwidth, the industry’s highest. It also provides a highly resilient and efficient power architecture with StackPower that delivers a high density of UPoE and PoE+ ports.
The following are the unsupported hardware and software features for the Cisco Catalyst 9300 Series Switches. For the list of supported features, go to http://www.cisco.com/go/cfn.
Unsupported Hardware Features
– The rear USB 3.0 port
– Breakout cables
Unsupported Software Features
– IPsec with FIPS
These features are supported on the Cisco Catalyst 3850 Series Switches, but not on the Cisco Catalyst 9300 Series Switches:
– 256-bit AES MACsec (IEEE 802.1AE) host link encryption with MACsec Key Agreement (MKA)
– Autonomic Networking Infrastructure
– Audio Video Bridging (including IEEE802.1AS, IEEE 802.1Qat, and IEEE 802.1Qav)
– Cisco Discovery Protocol (CDP) Bypass
– Cisco TrustSec Network Device Admission Control (NDAC) on Uplinks
Web UI System Requirements
– Google Chrome—Version 38 and later (on Windows and Mac)
– Microsoft Internet Explorer—Version 10 or later, and Microsoft Edge (on Windows)
– Mozilla Firefox—Version 33 and later (on Windows and Mac)
– Safari—Version 7 and later (on Mac)
Finding the Software Version
The package files for the Cisco IOS XE software are stored on the system board flash device (flash:).
You can use the show version privileged EXEC command to see the software version that is running on your switch.
Note Although the show version output always shows the software image running on the switch, the model name shown at the end of this display is the factory configuration and does not change if you upgrade the software license.
You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.
Table 5 Software Images
Release: Cisco IOS XE Everest 16.5.1a
Release: Cisco IOS XE Everest 16.5.1a, Licensed Data Payload Encryption (LDPE) image
Starting with Cisco IOS XE Everest 16.5.1a, features for Cisco Catalyst 9000 Series Switches come in licensing packages that are different from existing Cisco Catalyst switching platforms.
The software features available on Cisco Catalyst 9300 Series Switches fall under the base or add-on license levels.
Network Essentials—This license level covers essential switch capabilities, such as full Layer 2 access and certain routed access capabilities.
Network Advantage—This license level includes complete Layer 3 access and core capabilities, including advanced routing, multicast, segmentation, security, and high availability features. It is inclusive of the features available with a Network Essentials license.
Add-On Licenses—Require a Network Essentials or Network Advantage license as a prerequisite. The features available with the add-on license levels provide Cisco innovations on the switch, as well as on the Cisco Digital Network Architecture Center (Cisco DNA Center).
DNA Essentials—This license level includes Cisco DNA Center features for simplified network operations solutions, and Cisco switch innovations such as Flexible NetFlow.
DNA Advantage—This license level includes Cisco DNA Center features for SD-Access, assurance, and ETA. Added switch features include ERSPAN, AVC, and mDNS gateway. It is inclusive of the features available with a DNA Essentials license.
To find information about platform support and to know which license levels a feature is available with, use Cisco Feature Navigator. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
The following license types are available:
Permanent—for a license level, and without an expiration date.
Term—for a license level, and for a three, five, or seven year period.
Evaluation—for a license level, preinstalled on the device, and for a 90-day trial period only.
Ordering with Smart Accounts
We recommend that you use Smart Accounts to order devices as well as licenses. Smart Accounts enable you to manage all of your software licenses for switches, routers, firewalls, access-points or tools from one centralized website. To create Smart Accounts, use the Cisco Smart Software Manager (Cisco SSM).
Note This is especially relevant to the term licenses that you order, because information about the expiry of term licenses is available only through the Cisco SSM website.
Right-to-use (RTU) licensing mode—Supported on Cisco Catalyst 9000 Series Switches. See The RTU Licensing Mode.
Smart Licensing mode—Currently not supported on Cisco Catalyst 9000 Series Switches. It is on the roadmap for future releases.
The RTU Licensing Mode
This is the currently supported licensing mode for Cisco Catalyst 9000 Series Switches.
Right-to-use (RTU) licensing allows you to order and activate a specific license type for a given license level, and then to manage license usage on your switch.
Note The RTU licensing structure has been modified to match the packaging model that will be used with Smart Licensing mode in the future. Unified licensing structures across the RTU and Smart Licensing modes, along with usage reports, will simplify migration and reduce the implementation time required for Smart Licensing.
The license right-to-use command (privileged EXEC mode) provides options to activate or deactivate any license supported on the platform.
Licenses may be activated on a standalone device, device stack, or a single device in a stack.
Base licenses (Network Essentials and Network Advantage) may be ordered only with a permanent license type.
Add-on licenses (DNA Essentials and DNA Advantage) may be ordered only with a term license type.
You can set up Cisco SSM to receive daily e-mail alerts, to be notified of expiring add-on licenses that you want to renew.
You must order an add-on license along with the switch software. After the initial term of the add-on license expires, you can continue to use the base license by deactivating the add-on license and then reloading the device.
When ordering an add-on license with a base license, note the combinations that are permitted and those that are not permitted:
5. For this combination, the DNA Essentials license must be ordered separately using Cisco SSM.
The following features are currently available only at the Network Advantage license level. However, the correct minimum license level for these features is Network Essentials, and Cisco Feature Navigator (CFN) reflects this correct license level.
You will be able to configure these features with a Network Essentials license level after the correction is made in an upcoming release.
– IPv6 Multicast
– IPv6 ACL Support for HTTP Servers
Evaluation licenses cannot be ordered. They can be activated temporarily, without purchase. Warning system messages about evaluation license expiry are generated 10 days and 5 days before the end of the 90-day window, and every day after the 90-day period. An expired evaluation license cannot be reactivated after a reload.
Cisco TrustSec restrictions—Cisco TrustSec can be configured only on physical interfaces, not on logical interfaces.
Flexible NetFlow restrictions:
– You cannot configure NetFlow export using the Ethernet management port (g0/0).
– You cannot configure a flow monitor on logical interfaces, such as SVI, port-channel, loopback, and tunnel interfaces.
– You cannot configure multiple flow monitors of the same type (ipv4, ipv6, or datalink) on the same interface for the same direction.
Memory leak—When a logging discriminator is configured and applied to a device, a memory leak is seen under heavy syslog or debug output. The rate of the leak depends on the quantity of logs produced. In extreme cases, the device may fail. As a workaround, disable the logging discriminator on the device.
QoS restrictions:
– When configuring a QoS queuing policy, the sum of the queuing buffers should not exceed 100%.
– For QoS policies, only switched virtual interfaces (SVI) are supported among logical interfaces.
– QoS policies are not supported for port-channel interfaces, tunnel interfaces, and other logical interfaces.
Secure Shell (SSH)
– Use SSH Version 2. SSH Version 1 is not supported.
– When the device is running SCP (Secure Copy Protocol) and SSH cryptographic operations, expect high CPU until the SCP read process completes. SCP supports file transfers between hosts on a network and uses SSH for the transfer.
Because SCP and SSH operations are currently not offloaded to the hardware crypto engine, encryption and decryption run in software and cause high CPU. The SCP and SSH processes can consume up to 40 or 50 percent of the CPU, but they do not cause the device to shut down.
Stacking:
– A switch stack supports up to eight stack members.
– Mixed stacking is not supported. Cisco Catalyst 9300 Series Switches cannot be stacked with Cisco Catalyst 3850 Series Switches.
– Auto upgrade for a new member switch is supported only in install mode.
Smart Install—Although the commands are visible on the CLI, the Smart Install feature is not supported. Enter the no vstack command in global configuration mode and disable the feature.
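The SSH, memory leak and Smart Install items above each name a configuration state that this release expects an operator to enforce or avoid: SSHv2 only, no logging discriminator, and Smart Install disabled with no vstack. The following Python script is an added example, not part of these release notes and not Cisco code. It audits a show running-config excerpt for those points and additionally requires SSH-only transport input on every vty line. Both configurations embedded in it are constructed samples, and the exact command strings it matches (including the assumption that a disabled Smart Install is written to the running configuration as no vstack) are assumptions about how the settings appear in the configuration text.

```python
from typing import Dict, List

# Constructed sample running-config excerpt (not taken from the release notes).
# It deliberately leaves Smart Install enabled, keeps a logging discriminator,
# and allows Telnet on one vty range.
WEAK_CONFIG = """\
hostname C9300-ACCESS-01
!
logging discriminator NOCONSOLE severity drops 7
logging buffered discriminator NOCONSOLE 65536
!
ip ssh version 2
!
line con 0
 logging synchronous
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
!
end
"""

# Constructed hardened counterpart: Smart Install disabled, no discriminator, SSH-only vty.
HARDENED_CONFIG = """\
hostname C9300-ACCESS-01
!
no vstack
!
ip ssh version 2
!
line vty 0 15
 login local
 transport input ssh
!
end
"""


def parse_line_stanzas(config: str) -> Dict[str, List[str]]:
    """Group the indented children of each 'line ...' stanza under its header."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level command ends the stanza
    return stanzas


def audit_config(config: str) -> List[str]:
    """Return findings for the release-note items; an empty list means all checks passed."""
    findings: List[str] = []
    top_level = {line.strip() for line in config.splitlines() if not line.startswith(" ")}

    # SSH: the release note says only SSHv2 is supported; require the explicit pin.
    if "ip ssh version 2" not in top_level:
        findings.append("SSH: 'ip ssh version 2' is not configured")

    # Smart Install: unsupported but its commands exist; 'no vstack' must be present
    # (assumption: the disabled state is written to the running configuration).
    if "no vstack" not in top_level:
        findings.append("Smart Install: 'no vstack' is missing")

    # Logging discriminator: a configured discriminator triggers the documented memory leak.
    if any(cmd.startswith("logging discriminator ") for cmd in top_level):
        findings.append("Logging: a logging discriminator is configured (memory leak caveat)")

    # vty lines: every remote-access line must accept SSH only.
    for header, children in parse_line_stanzas(config).items():
        if not header.startswith("line vty"):
            continue
        transports = [c for c in children if c.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append(f"{header}: transport input is not SSH-only ({transports or 'unset'})")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_config(cfg) or 'all checks passed'}")
```

Run it against a show running-config capture taken over an SSH session; the weak sample produces three findings (missing no vstack, the discriminator, and Telnet on vty 5 15) and the hardened sample produces none. The vty check is stricter than the release note itself, which only rules out SSHv1; restricting transport input to ssh is the usual companion to that restriction.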
VLAN Restriction: It is advisable to have well-defined segregation while defining data and voice domain during switch configuration and to maintain a data VLAN different from voice VLAN across the switch stack. If the same VLAN is configured for data and voice domains on an interface, the resulting high CPU utilization might affect the device.
Wired AVC limitations:
– NBAR2 (QoS and protocol discovery) configuration is allowed only on wired physical ports. It is not supported on virtual interfaces, such as VLAN, port-channel, or other logical interfaces.
– NBAR2 based match criteria ‘match protocol’ is allowed only with marking or policing actions. NBAR2 match criteria will not be allowed in a policy that has queuing features configured.
– ‘Match Protocol’: up to 256 concurrent different protocols in all policies.
– NBAR2 attributes based QoS is not supported (‘match protocol attribute’).
– NBAR2 and Legacy NetFlow cannot be configured together at the same time on the same interface. However, NBAR2 and wired AVC Flexible NetFlow can be configured together on the same interface.
– Only IPv4 unicast (TCP/UDP) is supported.
– AVC is not supported on the management port (Gig 0/0).
– NBAR2 should be attached only to physical access ports. It can also be attached to an uplink as long as it is a single uplink and is not part of a port channel.
– Performance—Each switch member is able to handle 2000 connections per second (CPS) at less than 50% CPU utilization. Above this rate, AVC service is not guaranteed.
– Scale—Able to handle up to 20,000 bidirectional flows, for both 24 and 48 access ports.
YANG data modeling limitations—A maximum of 20 simultaneous NETCONF sessions are supported.
Caveats describe unexpected behavior in Cisco IOS releases. Caveats listed as open in a prior release are carried forward to the next release as either open or resolved.
The Bug Search Tool (BST) allows partners and customers to search for software bugs based on product, release, and keyword, and aggregates key data such as bug details, product, and version. The BST is designed to improve the effectiveness in network risk management and device troubleshooting. The tool has a provision to filter bugs based on credentials to provide external and internal bug views for the search input.
To view the details of a caveat, click on the identifier.
Open Caveats in Cisco IOS XE Everest 16.5.1a
The following are the open caveats in this release:
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.