eowusuha
Cisco Employee

Cisco brings in its latest release on the IOS-XE train with IOS-XE 17.10.1, which adds support for new software features across various Enterprise Networking technology areas. This release is positioned to bring in enhanced features that will be unique to Cisco and will serve as the key differentiator against competitors. It delivers strategic Silicon One enablement features to drive mid-life refresh with the Catalyst 9K X-Series switching platform. It is a standard maintenance release and has a support lifetime of 12 months.


 

Below is a high-level list of features/enhancements that were added across Platform/Infra, Security, Fabric/Overlay Solutions and Programmability on Catalyst 9K Switching Platforms 


 

Platform and Infra 

Starting with 17.10.1, we are introducing an industry-first 50GE speed, for the first time in Campus, on the C9600X-SUP2 with LC-48YL and LC-40YL4CD, which provides a seamless migration path from 10/25GE. We are also introducing 1G speed support on the Gen 2 C9600-LC-40YL4CD line cards when deployed with C9600-Sup-1.

Prior to 17.10.1, the switch architecture did not allow control packets such as LLDP to be exchanged on the port-channel interface while the protocol was down. From 17.10.1, devices can be configured in LACP Standalone Mode on an L3 EtherChannel, which makes the protocol status active/UP while the interface remains unbundled. This allows LLDP packets to be exchanged for device discovery, after which the configuration can be pushed using PNP/ZTP.

With the transition to IPv6, almost all modern IP devices are IPv6-capable, but many older devices are still IPv4-only. We need a way to connect these devices and provide seamless IPv4 and IPv6 coexistence. Starting with 17.10.1, the Stateful NAT64 feature provides a translation mechanism that translates IPv6 packets into IPv4 packets and vice versa. The stateful nature ensures states are maintained and a single IP address is used for all the private users with different TCP port numbers. With this release, you can also enable NAT on Layer 3 Multi-chassis EtherChannel (MEC) using the interface port-channel command to provide resiliency.

Previously, switches were allowed only a 1:1 IP to MAC address mapping of end devices. With this release, the limit of IP addresses mapped to a single MAC address has been raised to 1000, to allow for connection of virtualization setups, IoT devices and firewall integration with SDA fabric.

Starting in 17.10.1, support for StackWise Virtual is added for the platforms: C9500X and C9600X-SUP2. There have been some enhancements made as well, where dynamic addition and removal of SVL and DAD links are supported and therefore a reload is not required for adding or removing the SVL and DAD links when the device is already operating in SVL mode.  

We are extending PTPv2 support to our StackWise virtual environments in this release, thereby giving the customers end-to-end flexibility by bringing their time-sensitive applications onto the ethernet networks. 

To continue innovations in our app-hosting capabilities, starting from 17.10, ERSPAN is supported on the AppGigEthernet port on C9300 and C9400, enabling mirroring of data traffic from the switchports to an application that runs on top of the AppGigEthernet port using IOx capabilities. This makes it possible to host the Cyber Vision app on Catalyst switches.

Bonjour support is also now available on our Silicon One platforms 9500X and 9600X in this release. 

 

Security 

The traditional approach to network security using ACLs provides a stateless form of filtering, where traffic needs to be explicitly allowed or denied on different interfaces before entering or leaving the network. A full and ongoing understanding of all inbound and outbound flow combinations is required, and this easily consumes a lot of TCAM memory space. Starting from 17.10.1, Reflexive ACLs are supported on C9000 series switches, providing a form of stateful filtering for the enterprise. They can be used to permit return IP traffic for sessions originating from the inside network while denying IP traffic for sessions originating from the outside network.
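The difference between the two filtering styles can be modelled in a few lines. This is an added example, not Cisco code and not IOS-XE configuration; the `Packet` and `ReflexiveFilter` names, the 300-second idle timeout, the static comparison rule and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def static_inbound(pkt):
    """Stateless comparison rule (constructed): admit anything that looks
    like HTTPS return traffic, i.e. TCP with source port 443."""
    return "permit" if pkt.proto == "tcp" and pkt.sport == 443 else "deny"

class ReflexiveFilter:
    """Outbound packets reflect a temporary, mirrored entry; inbound packets
    are permitted only while a matching entry is live."""

    def __init__(self, idle_timeout=300.0):  # assumed idle timeout, seconds
        self.idle_timeout = idle_timeout
        self.entries = {}                     # mirrored 5-tuple -> last seen

    def outbound(self, pkt, now):
        mirror = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[mirror] = now            # create or refresh the entry
        return "permit"

    def inbound(self, pkt, now):
        seen = self.entries.get(pkt)
        if seen is None:
            return "deny"                     # no inside host opened this flow
        if now - seen > self.idle_timeout:
            del self.entries[pkt]             # entry aged out
            return "deny"
        self.entries[pkt] = now
        return "permit"

def demo():
    acl = ReflexiveFilter()
    request = Packet("tcp", "10.1.1.10", 51000, "203.0.113.5", 443)
    reply = Packet("tcp", "203.0.113.5", 443, "10.1.1.10", 51000)
    unsolicited = Packet("tcp", "203.0.113.5", 443, "10.1.1.10", 22)
    acl.outbound(request, now=0.0)
    return {
        "reply_reflexive": acl.inbound(reply, now=1.0),
        "unsolicited_static": static_inbound(unsolicited),
        "unsolicited_reflexive": acl.inbound(unsolicited, now=2.0),
        "reply_after_idle": acl.inbound(reply, now=400.0),
    }
```

The static rule has to admit every packet that resembles return traffic, while the reflexive filter admits only the exact mirrored flow and only until it goes idle.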

17.10.1 introduces the flexibility to change the default Ether-type for MACsec. This enables MACsec EAPOL frames to be transparently forwarded via intermediate Catalyst 9000 Switches, which makes it possible to establish a MACsec session between third-party devices and to establish a point-to-point MACsec session between Catalyst 9000 Switches. 17.10 also introduces support for MACsec Fallback Key with High Availability, which helps to re-establish MKA sessions when a MACsec session fails to establish due to a pre-shared key (PSK) mismatch in highly available architectures.


Prior to IOS-XE 17.10, when RADIUS automate-tester had been configured, the server was assumed to be UP, and several dead intervals had to pass before the server was detected as down, which caused a longer convergence time. In IOS-XE 17.10, with the automate-tester enhancement for RADIUS servers, when the automate-tester is configured or the switch is rebooted, the server is presumed DOWN and a 4-second timer is started before the first tester hello message. If the server responds, the status is transitioned to UP. This allows for faster convergence and better detection of a DOWN RADIUS server.

Providing a customer-friendly method to ensure data is sufficiently erased to hinder data recovery attempts is a major concern for the financial sector. To ensure the secure wipe of all data on the C9000 series switches, we have introduced the Secure Data Wipe feature in 17.10.1, an industry first, which performs data sanitization and securely resets the C9000 switches following the guidelines for media sanitization described in NIST SP 800-88 Rev 1.

In 17.10.1, the DHCP snoop glean feature is now enabled on our C9000 series switches to provide a read-only DHCP snooping option. IPv4 SGACL is also brought to parity on our Silicon One platforms in this release. Monitor mode and SGACL logging will be supported on the C9600X-SUP2 and C9500X.

 

New IPsec App Support 

Starting from 17.10, we support IPsec capability on the C9300 platform using a VPN-hosted application called Codilime, which also provides an interactive Web UI for configuration and management purposes. This is also supported on C9300X in addition to its own native IPsec support. It requires minimal resources: 1 CPU core and < 1 GB memory, with up to 200M throughput.

Fabric Solutions 

BGP EVPN provides a scalable solution to build different Layer 3 and Layer 2 overlay topologies over existing infrastructure. We continue to enhance the solution by introducing new features in each subsequent release. With 17.10, you can now have an IPv6 underlay and build IPv6 overlays, IPv4 overlays or Dual stack with a combination of IPv4 and IPv6. With Dual stack, customers will now have an option to seamlessly migrate from an IPv4 stack to a complete IPv6 stack. 

Programmability & Automation 

Lastly, Cisco IOS XE 17.10.1 brings three enhancements to the programmability and automation realm including YANG 1.1 support, Guest Shell DNS updates, and gNMI support for IPv6. 

First, with the transition from YANG 1.0 to YANG 1.1, there is no difference for customers working with YANG. The only exception is an application that previously parsed the NETCONF "hello" message to retrieve the supported YANG models: its parsing must be modified to reflect how version 1.1 advertises via "ietf-yang-library". Previously, DNS was supported to find Zero Touch Provisioning files. With the Guest Shell DNS enhancement in 17.10.1, DNS servers are now available for use within the Guest Shell, which makes using cloud-based services like HashiCorp Vault easier. Finally, starting with 17.10.1, along with IPv4 support for gNMI, Cisco IOS XE now also supports IPv6 for gNMI.
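A client-side check for the "hello" parsing change described above, as an added example that is not Cisco code. It assumes the yang-library capability URI form defined in RFC 7950; the sample hello and its `module-set-id` value are constructed, not captured from an IOS XE device, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

NC_NS = "{urn:ietf:params:xml:ns:netconf:base:1.0}"
YANG_LIB = "urn:ietf:params:netconf:capability:yang-library:"

# Constructed <hello>, not captured from a device: one model is still listed
# as a capability, and the yang-library capability points at the full set.
SAMPLE_HELLO = """<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.1</capability>
    <capability>urn:ietf:params:netconf:capability:yang-library:1.0?revision=2016-06-21&amp;module-set-id=example-set-1</capability>
    <capability>urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring?module=ietf-netconf-monitoring&amp;revision=2010-10-04</capability>
  </capabilities>
</hello>"""

def parse_hello(hello_xml):
    """Return (modules, yang_library) for a NETCONF <hello>.

    modules      -- {name: revision} for models advertised as capabilities
    yang_library -- parameters of the yang-library capability, or None
    """
    modules, yang_library = {}, None
    for cap in ET.fromstring(hello_xml).iter(NC_NS + "capability"):
        base, _, query = (cap.text or "").strip().partition("?")
        params = {k: v[0] for k, v in parse_qs(query).items()}
        if base.startswith(YANG_LIB):
            yang_library = params
        elif "module" in params:
            modules[params["module"]] = params.get("revision")
    return modules, yang_library

def model_inventory_source(hello_xml):
    """Tell the caller where the authoritative model list lives."""
    modules, yang_library = parse_hello(hello_xml)
    if yang_library is not None:
        # The hello list is incomplete here; read ietf-yang-library over the
        # session and cache the result under the advertised set id.
        return "ietf-yang-library", yang_library.get("module-set-id")
    return "hello", None
```

A tool that builds its model inventory from the hello alone would see a single model in this sample; when the hello comes from a device you do not control, parse it with a hardened XML parser such as `defusedxml`.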

These key enhancements and new features in 17.10.1 make the Cisco Catalyst Switching portfolio more feature rich and ready to meet future demands. For a complete list of features, release notes, and configuration guides related to the 17.10.1 release, please check below:

C9200 Release Notes:  https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/17-10/release_notes/ol-17-10-9200.html 

C9300 Release Notes: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-10/release_notes/ol-17-10-9300.html 

C9400 Release Notes: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9400/software/release/17-10/release_notes/ol-17-10-9400.html 

C9500 Release Notes: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/17-10/release_notes/ol-17-10-9500.html 

C9600 Release Notes: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9600/software/release/17-10/release_notes/ol-17-10-9600.html
