For information about open issues with the software, see Caveats.
Cisco Catalyst 9500 Series Switches are Cisco’s lead purpose-built fixed core and aggregation enterprise switching platform built for security, IoT and Cloud.
Cisco Catalyst 9500 Series Switches deliver complete convergence in terms of ASIC architecture with a Unified Access Data Plane (UADP) 2.0. The platform runs an Open Cisco IOS XE that supports model driven programmability, has the capacity to host containers, and run 3rd party applications and scripts natively within the switch (by virtue of x86 CPU architecture, local storage, and a higher memory footprint). The series forms the foundational building block for Software Defined-Access (SD-Access), which is Cisco’s lead enterprise architecture.
Cisco Catalyst 9500 Series Switches are purpose-built 40 Gigabit switches, targeted for enterprise campus, delivering unmatched table scales (MAC/route/ACL) and buffering for enterprise applications. It offers non-blocking 40G (QSFP) switches with granular port densities that fit diverse campus needs.
The series also supports all the foundational high availability capabilities, and redundant platinum rated power supplies and fans.
The following are the unsupported hardware and software features for the Cisco Catalyst 9500 Series Switches. For the list of supported features, go to http://www.cisco.com/go/cfn.
Unsupported Hardware Features
– The rear USB 3.0 Port
– Breakout cables and breakout LED
Unsupported Software Features
– IPsec with FIPS
These features are supported on the Cisco Catalyst 3850 Series Switches, but not on the Cisco Catalyst 9500 Series Switches:
– 256-bit AES MACsec (IEEE 802.1AE) host link encryption with MACsec Key Agreement (MKA)
– Audio Video Bridging (including IEEE802.1AS, IEEE 802.1Qat, and IEEE 802.1Qav)
– Cisco StackWise Virtual
– Cisco Plug-in for OpenFlow 1.3
– Gateway Load Balancing Protocol (GLBP)
– IPv4 Preboot eXecution Environment (iPXE)
– Multicast—Bidirectional PIM
– Virtual Router Redundancy Protocol (VRRP), VRRPv3, and VRRPv3 Object Tracking
Cisco Catalyst 9500 Series Switches—Model Numbers
Table 1 lists the supported hardware models and the default license levels they are delivered with. For information about the available license levels, see the section License Levels.
Table 1 Cisco Catalyst 9500 Series Switches—Model Numbers
– Google Chrome—Version 38 and later (On Windows and Mac)
– Microsoft Internet Explorer—Version 10 or later, and Microsoft Edge (On Windows)
– Mozilla Firefox—Version 33 and later (On Windows and Mac)
– Safari—Version 7 and later (On Mac)
Finding the Software Version
The package files for the Cisco IOS XE software are stored on the system board flash device (flash:).
You can use the show version privileged EXEC command to see the software version that is running on your switch.
Note Although the show version output always shows the software image running on the switch, the model name shown at the end of this display is the factory configuration and does not change if you upgrade the software license.
You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.
Table 4 Software Images
Cisco IOS XE Everest 16.5.1a
Cisco IOS XE Everest 16.5.1a
Licensed Data Payload Encryption (LDPE)
Starting with Cisco IOS XE Everest 16.5.1a, features for Cisco Catalyst 9000 Series Switches come in licensing packages that are different from existing Cisco Catalyst switching platforms.
The software features available on Cisco Catalyst 9500 Series Switches fall under the base or add-on license levels.
Network Essentials—This license level covers essential switch capabilities, such as full Layer 2 access and certain routed access capabilities.
Network Advantage—This license level includes complete Layer 3 access and core capabilities including advanced routing, multicast, segmentation, security and high availability features. It is inclusive of features available with a Network Essentials license.
Add-On Licenses—Require a Network Essentials or Network Advantage license as a prerequisite. The features available with add-on license levels provide Cisco innovations on the switch, as well as on the Cisco Digital Network Architecture Center (Cisco DNA Center).
DNA Essentials—This license level includes Cisco DNA Center features for Simplified Network Operations Solutions, and Cisco switch innovations, such as Flexible NetFlow.
DNA Advantage—This license level includes Cisco DNA Center features for SD-Access, assurance, and ETA. Added switch features include ERSPAN, AVC, mDNS GW, and NAT/PAT. It is inclusive of features available with the DNA Essentials license.
To find information about platform support and to know which license levels a feature is available with, use Cisco Feature Navigator. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
The following license types are available:
Permanent—for a license level, and without an expiration date.
Term—for a license level, and for a three, five, or seven year period.
Evaluation—for a license level, preinstalled on the device, and for a 90-day trial period only.
Ordering with Smart Accounts
We recommend that you use Smart Accounts to order devices as well as licenses. Smart Accounts enable you to manage all of your software licenses for switches, routers, firewalls, access-points or tools from one centralized website. To create Smart Accounts, use the Cisco Smart Software Manager (Cisco SSM).
Note This is especially relevant to the term licenses that you order, because information about the expiry of term licenses is available only through the Cisco SSM website.
Right-to-use (RTU) licensing mode—Supported on Cisco Catalyst 9000 Series Switches, in Cisco IOS XE Everest 16.5.1a. See The RTU Licensing Mode.
Smart Licensing mode—Currently not supported on Cisco Catalyst 9000 Series Switches. It is on the roadmap for future releases.
The RTU Licensing Mode
This is the currently supported licensing mode for Cisco Catalyst 9000 Series Switches.
Right-to-use (RTU) licensing allows you to order and activate a specific license type for a given license level, and then to manage license usage on your switch.
Note The RTU licensing structure has been modified to match the packaging model that will be used with Smart Licensing mode in the future. Unified licensing structures across the RTU and Smart Licensing modes, along with usage reports, will simplify migration and reduce the implementation time required for Smart Licensing.
The license right-to-use command (privileged EXEC mode) provides options to activate or deactivate any license supported on the platform.
Base licenses (Network Essentials and Network Advantage) may be ordered only with a permanent license type.
Add-on licenses (DNA Essentials and DNA Advantage) may be ordered only with a term license type.
You can set up Cisco SSM to receive daily e-mail alerts, to be notified of expiring add-on licenses that you want to renew.
You must order an add-on license to use the switch software. But after the initial term for the add-on license expires, you will be able to continue using the base license by deactivating the add-on and then reloading the device.
When ordering an add-on license with a base license, note the combinations that are permitted and those that are not permitted:
4. For this combination, the DNA Essentials license must be ordered separately using Cisco SSM.
The following features are currently available only at the Network Advantage license level. However, the correct minimum license level for these features is Network Essentials and the CFN reflects this correct license level.
You will be able to configure the feature with a Network Essentials license level after the correction is made in an upcoming release.
– IPv6 Multicast
– IPv6 ACL Support for HTTP Servers
Evaluation licenses cannot be ordered. They can be activated temporarily, without purchase. Warning system messages about the evaluation license expiry are generated 10 and 5 days before the 90-day window. Warning system messages are generated every day after the 90-day period. An expired evaluation license cannot be reactivated after reload.
– Use the MODE button to switch off the beacon LED.
– All port LED behavior is undefined until interfaces are fully initialized.
Cisco TrustSec restrictions—Cisco TrustSec can be configured only on physical interfaces, not on logical interfaces.
– You cannot configure NetFlow export using the Ethernet Management port (g0/0).
– You cannot configure a flow monitor on logical interfaces, such as SVI, port-channel, loopback, and tunnel interfaces.
– You cannot configure multiple flow monitors of the same type (ipv4, ipv6 or datalink) on the same interface for the same direction.
Memory leak—When a logging discriminator is configured and applied to a device, a memory leak is seen under heavy syslog or debug output. The rate of the leak depends on the quantity of logs produced. In extreme cases, the device may crash. As a workaround, disable the logging discriminator on the device.
– When configuring QoS queuing policy, the sum of the queuing buffer should not exceed 100%.
– For QoS policies, only switched virtual interfaces (SVI) are supported for logical interfaces.
– QoS policies are not supported for port-channel interfaces, tunnel interfaces, and other logical interfaces.
Secure Shell (SSH)
– Use SSH Version 2. SSH Version 1 is not supported.
– When the device is running SCP (Secure Copy Protocol) and SSH cryptographic operations, expect high CPU until the SCP read process is completed. SCP supports file transfers between hosts on a network and uses SSH for the transfer.
Since SCP and SSH operations are currently not supported on the hardware crypto engine, running the encryption and decryption processes in software causes high CPU. The SCP and SSH processes can take up to 40 or 50 percent of CPU memory, but they do not cause the device to shut down.
Smart Install—Although the commands are visible on the CLI, the Smart Install feature is not supported. Enter the no vstack command in global configuration mode and disable the feature.
VLAN Restriction: It is advisable to have well-defined segregation while defining data and voice domain during switch configuration and to maintain a data VLAN different from voice VLAN across the switch stack. If the same VLAN is configured for data and voice domains on an interface, the resulting high CPU utilization might affect the device.
Wired AVC limitations:
– NBAR2 (QoS and Protocol-discovery) configuration is allowed only on wired physical ports. It is not supported on virtual interfaces, for example, VLAN, port channel, or other logical interfaces.
– NBAR2 based match criteria ‘match protocol’ is allowed only with marking or policing actions. NBAR2 match criteria will not be allowed in a policy that has queuing features configured.
– ‘Match Protocol’: up to 256 concurrent different protocols in all policies.
– NBAR2 attributes based QoS is not supported (‘match protocol attribute’).
– NBAR2 and Legacy NetFlow cannot be configured together at the same time on the same interface. However, NBAR2 and wired AVC Flexible NetFlow can be configured together on the same interface.
– Only IPv4 unicast (TCP/UDP) is supported.
– AVC is not supported on the management port (Gig 0/0).
– NBAR2 attachment should be done only on physical access ports. Uplink can be attached as long as it is a single uplink and is not part of a port channel.
– Performance—Each switch member is able to handle 500 connections per second (CPS) at less than 50% CPU utilization. Above this rate, AVC service is not guaranteed.
– Scale—Able to handle up to 5000 bi-directional flows per 24 access ports and 10000 bi-directional flows per 48 access ports.
YANG data modeling limitations—A maximum of 20 simultaneous NETCONF sessions are supported.
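A way to check a saved running configuration against several of the restrictions above (Smart Install left enabled, the logging discriminator memory leak, a shared data and voice VLAN, flow monitors on logical interfaces). This is an added example, not Cisco code; the sample configuration and the names NOISY and FM-IN are constructed, and the matching assumes standard IOS XE command syntax.

```python
import re

# Constructed running-config excerpt; NOISY and FM-IN are made-up names.
SAMPLE_CONFIG = """\
logging discriminator NOISY severity drops 7
interface Vlan10
 ip flow monitor FM-IN input
!
interface FortyGigabitEthernet1/0/1
 switchport access vlan 20
 switchport voice vlan 20
!
interface FortyGigabitEthernet1/0/2
 switchport access vlan 20
 switchport voice vlan 30
 ip flow monitor FM-IN input
"""

LOGICAL = re.compile(r"(Vlan|Port-channel|Loopback|Tunnel)", re.I)
FLOW_MON = re.compile(r"(ip|ipv6|datalink) flow monitor ")

def parse_interfaces(config):
    """Map interface name -> list of its stripped sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks

def audit(config):
    """Return sorted (scope, finding) tuples for the restrictions checked."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    if "no vstack" not in lines:
        findings.append(("global", "Smart Install not disabled (no vstack missing)"))
    if any(l.startswith("logging") and " discriminator " in l for l in lines):
        findings.append(("global", "logging discriminator in use (memory leak risk)"))
    for name, cmds in parse_interfaces(config).items():
        access = {c.split()[-1] for c in cmds if c.startswith("switchport access vlan ")}
        voice = {c.split()[-1] for c in cmds if c.startswith("switchport voice vlan ")}
        if access & voice:
            findings.append((name, "same VLAN used for data and voice"))
        if LOGICAL.match(name) and any(FLOW_MON.match(c) for c in cmds):
            findings.append((name, "flow monitor on logical interface"))
    return sorted(findings)
```

Calling audit(SAMPLE_CONFIG) reports two global findings plus one each for Vlan10 and FortyGigabitEthernet1/0/1; the flow monitor on the physical port FortyGigabitEthernet1/0/2 is not flagged.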
Caveats describe unexpected behavior in Cisco IOS releases. Caveats listed as open in a prior release are carried forward to the next release as either open or resolved.
The Bug Search Tool (BST) allows partners and customers to search for software bugs based on product, release, and keyword, and aggregates key data such as bug details, product, and version. The BST is designed to improve the effectiveness in network risk management and device troubleshooting. The tool has a provision to filter bugs based on credentials to provide external and internal bug views for the search input.
To view the details of a caveat, click on the identifier.
Open Caveats in Cisco IOS XE Everest 16.5.x
The following are the open caveats in this release:
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What’s New in Cisco Product Documentation, which lists all new and revised Cisco Technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.