What's New in Cisco IOS XE Dublin 17.12.x

What's New in Cisco IOS XE Dublin 17.12.6

Hardware Features in Cisco IOS XE 17.12.6

There are no new hardware features in this release.

Software Features in Cisco IOS XE 17.12.6

There are no new software features in this release.

Hardware and Software Behavior Changes in Cisco IOS XE Dublin 17.12.6

There are no behavior changes in this release.

Hardware Features in Cisco IOS XE 17.12.5

There are no new hardware features in this release.

Software Features in Cisco IOS XE 17.12.5

There are no new software features in this release.

Hardware and Software Behavior Changes in Cisco IOS XE Dublin 17.12.5

There are no behavior changes in this release.

Hardware Features in Cisco IOS XE Dublin 17.12.4

There are no new hardware features in this release.

Software Features in Cisco IOS XE Dublin 17.12.4

There are no new software features in this release.

Hardware and Software Behavior Changes in Cisco IOS XE Dublin 17.12.4

There are no behavior changes in this release.

Hardware Features in Cisco IOS XE Dublin 17.12.3

Feature Name

Description

Cisco 100GBASE QSFP-100G Module

Supported transceiver module product number:

  • QSFP-40/100-SRBD

Note: Support for 100G mode has been introduced on this dual-rate transceiver module. In older releases, the default speed is 40G. Starting with this release, the default speed is 100G.

Compatible network modules:

  • C9300X-NM-2C

  • C9300X-NM-4C

For information about the module, see Cisco 100GBASE QSFP-100G Modules Data Sheet. For information about device compatibility, see the Transceiver Module Group (TMG) Compatibility Matrix.

Software Features in Cisco IOS XE Dublin 17.12.3

There are no new software features in this release.

Hardware and Software Behavior Changes in Cisco IOS XE Dublin 17.12.3

There are no behavior changes in this release.

Hardware Features in Cisco IOS XE Dublin 17.12.2

There are no new hardware features in this release.

Software Features in Cisco IOS XE Dublin 17.12.2

Feature Name

Description

ASAc Firewall-Application Hosting

The application hosting infrastructure on Cisco Catalyst 9300 Series Switches can now host the Cisco Adaptive Security Virtual Appliance (ASAc) Firewall for stateful inspection of traffic in a network without changing the network architecture. This allows you to seamlessly add firewall services to the existing network.

Hardware and Software Behavior Changes in Cisco IOS XE Dublin 17.12.2

There are no behavior changes in this release.

Hardware Features in Cisco IOS XE Dublin 17.12.1

Feature Name

Description

Cisco QSFP28 to SFP28 Adapter Module on Cisco Catalyst 9300X Series Switches

Supported transceiver module product number:

  • CVR-QSFP28-SFP25G

Compatible switch models:

  • C9300X-12Y

  • C9300X-24Y

  • C9300X-48HX

  • C9300X-48TX

  • C9300X-24HX

Software Features in Cisco IOS XE Dublin 17.12.1

Feature Name

Description

BGP EVPN VXLAN

  • ARP inspection and DHCP Rogue Server Protection in VXLAN Environment (L2 VNIs)

  • BGP EVPN VRF Auto RD and Auto RT

The following BGP EVPN VXLAN features are introduced in this release:

  • ARP inspection and DHCP Rogue Server Protection in VXLAN Environment (L2 VNIs): BGP EVPN VXLAN fabric now supports ARP inspection and DHCP Rogue Server Protection. To configure these features, enable ARP inspection and DHCP Snooping on the VTEPs of the EVPN VXLAN fabric.

  • BGP EVPN VRF Auto RD and Auto RT: BGP EVPN Layer 3 overlay VRF configuration is simplified with the introduction of new CLIs to auto generate the route distinguisher (RD) and route target (RT) for a VRF.

    You can enable the auto generation of RD either at a global level, using the vrf rd-auto command or specifically for a VRF, using the rd-auto [disable] command in the VRF submode.

    To enable auto assignment of RT for a VRF, use the vnid vni-id command in the VRF submode.

    You can also choose to disable the auto RD and RT features by using the no form of the command.


DSCP marking for RADIUS packets for administrative sessions

Allows you to configure DSCP marking for RADIUS packets for administrative sessions such as SSH and Telnet.


(Network Essentials)

EPC support of AppGigabitEthernet

Introduces support for configuring the AppGigabitEthernet port as an interface for Embedded Packet Capture (EPC).


(DNA Advantage)

Interface ID Option in DHCPv6 Relay Message

Introduces support for interface ID option in DHCPv6 Relay message. With this, the physical interface details of the client interface are included along with the VLAN number in the message.


(Network Essentials and Network Advantage)

Interface Template Support for IPv6 DHCP Guard

Enables you to add the ipv6 dhcp guard attach-policy policy_name global configuration command to an interface template. IPv6 DHCP Guard is then enabled and the policy is applied, wherever the template is applied.


(Network Advantage)

IP DHCP Server Changes to Limit IP Assignment to Next Hop only

Allows you to assign a DHCP IP address only to the neighbouring device on an interface using the ip dhcp restrict next hop command. When this command is enabled, the DHCP server on the interface compares the MAC address in the DHCP packet with the addresses in the Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP) cache table. If the MAC addresses match, the DHCP IP address is assigned to that device.


(Network Advantage)

Modified Trustpoints for Secure Unique Device Identity (SUDI) Certificates

Starting from Cisco IOS XE Dublin 17.12.1, the following changes have been introduced for trustpoints.

  • Trustpoint names for existing SUDI certificates

    If your device supports the Cisco Manufacturing CA III certificate and the certificate is not disabled, the trustpoint names are as follows.

    • For Cisco Manufacturing CA III certificate, the trustpoint name has changed from CISCO_IDEVID_SUDI to CISCO_IDEVID_CMCA3_SUDI

    • For Cisco Manufacturing CA SHA2 certificate, the trustpoint name has changed from CISCO_IDEVID_SUDI_LEGACY to CISCO_IDEVID_CMCA2_SUDI

    If your device does not support the Cisco Manufacturing CA III certificate, or if the certificate is disabled using the no platform sudi cmca3 command, the trustpoint names are as follows.

    • For Cisco Manufacturing CA SHA2 certificate, the trustpoint name has changed from CISCO_IDEVID_SUDI to CISCO_IDEVID_CMCA2_SUDI

    • For Cisco Manufacturing CA certificate, the trustpoint name has changed from CISCO_IDEVID_SUDI_LEGACY to CISCO_IDEVID_CMCA_SUDI

  • Hardware SUDI certificates

    • If your device supports High Assurance SUDI CA certificate, this certificate is loaded under CISCO_IDEVID_SUDI trustpoint.

    • If your device does not support High Assurance SUDI CA certificate, ACT2 SUDI CA certificate is loaded under CISCO_IDEVID_SUDI trustpoint.

  • show wireless management trustpoint command output

    If Cisco Catalyst 9300 Series Switch is used with a Cisco Embedded Wireless Controller for wireless deployments, the trustpoint name in the output of show wireless management trustpoint command is updated to the modified trustpoint name as mentioned previously.

    The following example shows a sample output of show wireless management trustpoint command. Note that if your device does not support Cisco Manufacturing CA III certificate or if the certificate is disabled, the Trustpoint Name in the below output displays CISCO_IDEVID_CMCA2_SUDI.

    Device# show wireless management trustpoint
    Trustpoint Name  : CISCO_IDEVID_CMCA3_SUDI
    Certificate Info : Available
    Certificate Type : MIC
    Certificate Hash : <SHA1 - hash>
    Private key Info : Available
    FIPS suitability : Not Applicable
    
  • show ip http server status command output

    If you configure the trustpoint for the HTTP server as CISCO_IDEVID_SUDI, the output of show ip http server status command displays the operating trustpoint along with the configured trustpoint.

    The following example shows a sample output of show ip http server status command with both the configured and the operating trustpoint names. Note that if your device does not support Cisco Manufacturing CA III certificate or if the certificate is disabled, the operating trustpoint in the below output displays CISCO_IDEVID_CMCA2_SUDI.

    Device# show ip http server status
    …
    HTTP secure server trustpoint: CISCO_IDEVID_SUDI
    HTTP secure server operating trustpoint: CISCO_IDEVID_CMCA3_SUDI
    

    (Network Essentials)
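The rename rules above matter to any saved configuration, monitoring check or script that still refers to the pre-17.12.1 trustpoint names. The following Python sketch is an added example, not Cisco code: it flags old names in a configuration and checks the show ip http server status output against the rule. Whether the hardware supports the Cisco Manufacturing CA III certificate is passed in by the caller as an assumption (hw_supports_cmca3), and the sample configuration is constructed for illustration.

```python
import re

# Rename rules from the release note; key: CMCA III supported and not disabled.
RENAMES = {
    True: {"CISCO_IDEVID_SUDI": "CISCO_IDEVID_CMCA3_SUDI",
           "CISCO_IDEVID_SUDI_LEGACY": "CISCO_IDEVID_CMCA2_SUDI"},
    False: {"CISCO_IDEVID_SUDI": "CISCO_IDEVID_CMCA2_SUDI",
            "CISCO_IDEVID_SUDI_LEGACY": "CISCO_IDEVID_CMCA_SUDI"},
}
# Whole-name match, so ..._SUDI_LEGACY is never reported as the shorter name.
OLD_NAME = re.compile(r"(?<![\w-])CISCO_IDEVID_SUDI(?:_LEGACY)?(?![\w-])")
DISABLE_CMD = re.compile(r"^\s*no platform sudi cmca3\s*$", re.M)
STATUS = re.compile(r"^\s*HTTP secure server (operating )?trustpoint:\s*(\S+)", re.M)

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
hostname edge-sw1
ip http secure-server
ip http secure-trustpoint CISCO_IDEVID_SUDI
wireless management trustpoint CISCO_IDEVID_SUDI_LEGACY
"""
# Status lines as shown in the release note's sample output.
SAMPLE_STATUS = """\
HTTP secure server trustpoint: CISCO_IDEVID_SUDI
HTTP secure server operating trustpoint: CISCO_IDEVID_CMCA3_SUDI
"""


def cmca3_in_use(config, hw_supports_cmca3):
    """Hardware support comes from the caller; the config only shows the disable command."""
    return bool(hw_supports_cmca3) and DISABLE_CMD.search(config) is None


def audit_config(config, hw_supports_cmca3):
    """Return (line_no, old_name, new_name) for every pre-17.12.1 trustpoint reference."""
    table = RENAMES[cmca3_in_use(config, hw_supports_cmca3)]
    return [(no, m.group(0), table[m.group(0)])
            for no, line in enumerate(config.splitlines(), 1)
            for m in OLD_NAME.finditer(line)]


def http_trustpoint_ok(status_output, cmca3):
    """True/False if the operating trustpoint follows the rule; None if not applicable."""
    found = {("operating" if op else "configured"): name
             for op, name in STATUS.findall(status_output)}
    if found.get("configured") != "CISCO_IDEVID_SUDI":
        return None  # the note only describes the CISCO_IDEVID_SUDI case
    return found.get("operating") == RENAMES[cmca3]["CISCO_IDEVID_SUDI"]
```
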

Programmability:

  • NETCONF-SSH Algorithms

  • YANG Data Models

The following programmability features are introduced in this release:

  • NETCONF-SSH Algorithms: The NETCONF-SSH server configuration file contains the list of all supported algorithms. From this release onwards, you can enable or disable these algorithms at runtime by using Cisco IOS commands or YANG models.

    (Network Essentials)

  • YANG Data Models: For the list of Cisco IOS XE YANG models available with this release, navigate to: https://github.com/YangModels/yang/tree/master/vendor/cisco/xe/17121.

    (Network Advantage)


request tech-support command

The request tech-support command was introduced. It generates an archive of the tech support file and the system report.


show idprom tan command

The show idprom tan command was introduced. It displays the top assembly part number and top assembly part revision number for the identification programmable read-only memory.


New on the WebUI

There are no new WebUI features in this release.

Hardware and Software Behavior Changes in Cisco IOS XE Dublin 17.12.1

Behavior Change

Description

BPDU Guard and Root Guard Syslogs

The BPDU guard and root guard syslogs have been modified to include client bridge ID information.

system env fan-fail-action shut command

The expected behavior of the system env fan-fail-action shut command is fixed. When the command is enabled, the device automatically shuts down if more than one fan stops working or is removed.