kgriazn2
Cisco Employee

The latest Cisco IOS-XE release 17.11.1 adds support for new software features across various Enterprise Networking technology areas along with enhancements to existing features. This release is positioned to bring in enhanced features that will be unique to Cisco and will serve as the key differentiator for Cisco. It is a standard maintenance release and has a support lifetime of 12 months.

Below is a high-level list of features/enhancements that were added across Platform/Infra, Security, Fabric/Overlay Solutions and Programmability on Catalyst 9K Switching Platforms.


Platform and Infra 

With IOS-XE 17.11.1, Cisco Catalyst 9400X now supports customizable SDM templates, allowing precise allocation of switch internal resources to position the switch for multiple places in the network. Resources for features such as L2/L3 routes, multicast, NetFlow and ACLs can be sized according to network requirements.

On the application hosting side, prior to IOS-XE 17.11.1 the App Hosting framework (AppGig interface) did not support multicast traffic. In this new release, multicast traffic is available on the AppGig interface, unlocking additional use cases for hosted applications that require multicast traffic.

With the transition to IPv6, almost all modern IP devices are IPv6-capable, but many older devices are still IPv4-only. A way is needed to connect these devices and provide seamless IPv4 and IPv6 coexistence. Starting with IOS-XE 17.11.1, PREF64 is supported in IPv6 Router Advertisements, which allows IPv6 clients to receive NAT64 mappings via Router Advertisement. To strengthen IPv6 security support, the 17.11.1 release also introduces IPv6 support for SG ACLs on Catalyst 9500X and Catalyst 9600X Supervisor Engine 2. SG ACLs group subnets into security groups, and any combination of source and destination groups can reuse the same permit/deny statements, saving TCAM space. Additionally, SG ACLs offer a monitor mode that does not block traffic.
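The PREF64 option mentioned above is defined in RFC 8781, and the prefix it carries is used by the client as described in RFC 6052. As an added illustration (not code from this post or from Cisco), the Python below encodes the option as a router would, decodes it as a client would, including rejection of the reserved prefix-length codes, and synthesizes the IPv6 address a client would use to reach an IPv4 destination through the learned prefix. The option bytes and addresses are constructed sample values.

```python
import ipaddress
import struct

# RFC 8781 PREF64 option: ND option type 38, length 2 (16 octets). The 16-bit word after
# the header holds a 13-bit Scaled Lifetime (units of 8 s) and a 3-bit Prefix Length Code.
PREF64_OPTION_TYPE = 38
PLC_TO_PREFIX_LEN = {0: 96, 1: 64, 2: 56, 3: 48, 4: 40, 5: 32}   # PLC 6 and 7 are reserved
PREFIX_LEN_TO_PLC = {v: k for k, v in PLC_TO_PREFIX_LEN.items()}


def build_pref64(prefix: str, lifetime_s: int) -> bytes:
    """Encode a NAT64 prefix the way a router does when adding PREF64 to its RA."""
    net = ipaddress.IPv6Network(prefix)
    plc = PREFIX_LEN_TO_PLC[net.prefixlen]             # KeyError for lengths RFC 6052 disallows
    scaled = min(lifetime_s // 8, 0x1FFF)              # 13-bit field, 8-second granularity
    header = struct.pack("!BBH", PREF64_OPTION_TYPE, 2, (scaled << 3) | plc)
    return header + net.network_address.packed[:12]    # only the top 96 bits are carried


def parse_pref64(option: bytes) -> tuple:
    """Decode a PREF64 option as a client would; returns (prefix, lifetime_s)."""
    if len(option) != 16:
        raise ValueError("PREF64 option must be exactly 16 octets")
    opt_type, opt_len, word = struct.unpack("!BBH", option[:4])
    if opt_type != PREF64_OPTION_TYPE or opt_len != 2:
        raise ValueError("not a well-formed PREF64 option")
    plc = word & 0x7
    if plc not in PLC_TO_PREFIX_LEN:
        raise ValueError("reserved PLC value; a client must ignore this option")
    # Bits beyond the coded prefix length are masked off rather than trusted.
    net = ipaddress.IPv6Network((option[4:16] + b"\x00" * 4, PLC_TO_PREFIX_LEN[plc]), strict=False)
    return str(net), (word >> 3) * 8


def synthesize_nat64(prefix: str, ipv4: str) -> str:
    """Embed an IPv4 address into the learned prefix (RFC 6052 section 2.2 layout)."""
    net = ipaddress.IPv6Network(prefix)
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:               # bits 64-71 are the reserved 'u' octet and stay zero
            pos += 1
        out[pos] = octet
        pos += 1
    return str(ipaddress.IPv6Address(bytes(out)))


# Constructed sample option: the well-known 64:ff9b::/96 prefix with a 1800 s lifetime.
SAMPLE_OPTION = bytes.fromhex("2602 0708 0064 ff9b 0000 0000 0000 0000")

if __name__ == "__main__":
    prefix, lifetime = parse_pref64(SAMPLE_OPTION)
    print(prefix, lifetime, synthesize_nat64(prefix, "192.0.2.33"))
```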

On Silicon-One Q200 based Cisco Catalyst 9500X and 9600X switch models, ERSPAN and IP MTU on logical interfaces are now supported, further reducing the feature gap between the UADP 3.0 based switches and the Cisco Silicon One Q200 based switches.


High Availability

With IOS-XE 17.11.1, Catalyst 9500X-60L4D can be configured in a StackWise Virtual mode with support for up to 400G StackWise Virtual Link (SVL) using QSFP-DD optics. All the Catalyst 9500X and 9600X models also allow dynamic addition of links into SVL and DAD without requiring a switch reload. With 50G support on the C9500X-60L4D, we can make use of 50G SFP optics to build high speed SVL or Dual active Detection (DAD) without sacrificing the 4 uplink QSFP-DD ports. A port channel with 50G links will provide sufficient bandwidth to manage and maintain the SVL links.


Expanded Bonjour Service capability to C9200 family.

With IOS-XE 17.11.1, the Catalyst 9200 family (9200/9200L/9200CX) of switches can now operate in service peer mode to support unicast-based communication with locally attached wired endpoints and export service information to the upstream Cisco Service Discovery Gateway (SDG) agent in the distribution layer. With full Service-Peer support on the Catalyst 9200 family, mDNS services are now routed end-to-end across the Catalyst 9000 family. Given the many vendors that support the multitude of mDNS services, the opportunities to deploy the Cisco DNA Service for Bonjour in the enterprise are extensive.


Transport Security 

On transport security, hardware-based IPsec has been supported on the Catalyst 9400X Supervisor Engine 2 (XL) since the IOS-XE 17.10.1 release. With IOS-XE 17.11.1, NAT traversal support is added, enabling the Catalyst 9400X to terminate IPsec tunnels through a NAT device.


MACsec encryption with MPLS VPN

With IOS-XE 17.11.1, MPLS packets can now be encrypted and authenticated with MACsec between MACsec-capable devices. MACsec encryption safeguards the network against a range of attacks, including denial of service, intrusion and man-in-the-middle attacks. MPLS Layer 3 and Layer 2 VPNs are now supported over MACsec-secured point-to-point connections.


Fabric and Network Virtualization

BGP EVPN and MPLS VPN enablement on C9500X & C9600X

With IOS-XE 17.11.1, Catalyst 9500X and 9600X switches can be used to build highly scalable BGP EVPN fabrics. Catalyst 9500X and 9600X now support Leaf, Spine and Border roles, and can also be deployed in StackWise Virtual mode to simplify the BGP EVPN fabric from both an underlay and an overlay perspective.

Furthermore, MPLS VPN Inter-AS option A and EoMPLS L2VPN Pseudowire redundancy were introduced in this release. This brings MPLS feature parity closer to features supported on UADP3.0 based 9500 and 9600 platforms.


In addition to the new platform support for BGP EVPN, several features have been introduced in this release as detailed below.


BGP EVPN Micro-segmentation support

In IOS-XE 17.11.1, EVPN fabrics support micro-segmentation using Security Group Tags (SGTs) on all platforms except 9500X and 9600X. The SGT is embedded in the VXLAN frame, which is then forwarded as usual by the VTEPs. The egress VTEP processes the group tag and enforces the security policy associated with it toward the end device. SGT-based security is easy to manage with Cisco ISE, which can dynamically assign group tags to ingress traffic based on predefined policy; alternatively, traffic can be manually configured with a group tag. The result is a flexible, centrally managed and topology-independent security policy.


EVPN ESI Multi-homing Support

Prior to IOS-XE 17.11.1, all VLANs on an ESI multi-homed VTEP (leaf) had to be EVPN VLANs. With IOS-XE 17.11.1 and later, EVPN and non-EVPN VLANs can coexist on the VTEP. This gives customers the flexibility to mix non-EVPN VLANs, which use the underlay for FHRP, with EVPN VLANs, which use the overlay (DAG/FHRP). The feature is useful for customers migrating to an EVPN fabric while retaining some legacy VLANs on the switch.


Dynamic BGP EVPN Peering

Another EVPN enhancement introduced in IOS-XE 17.11.1 is dynamic BGP peering. This simplifies spine-to-leaf BGP configuration and enables fast bring-up of VTEPs. It can be used with peer groups for both the IPv4 and IPv6 address families.


EVPN Neighbor Route-Map Support

In IOS-XE 17.11.1, EVPN neighbors now support BGP route-maps for inbound or outbound route filtering. These route-maps can be used to filter Type 2/5 routes, apply attributes, or modify next-hops.


Programmability & Automation 

In IOS-XE 17.11.1, new YANG models were added to support PTP operational model and automatic SYSLOG message generation. The partner-port-num deviation was removed from the LACP YANG model mappings to provide a more complete view of the link aggregation configuration partners.


gRPC tunnel support was added in IOS-XE 17.11.1. The device makes a secure outbound connection to a gRPC tunnel server, through which gNMI is exposed for use. Many devices can connect to a single tunnel server, increasing operational efficiency. In addition to JSON_IETF encoding, 17.11.1 adds support for PROTO encoding for gNMI periodic subscriptions.


While Cisco IOS XE already supported Zero Touch Provisioning (ZTP), the IOS-XE 17.11.1 release extends this with RFC 8572 Secure ZTP, providing secure communication for the entire day-0 device onboarding process.


Summary:

IOS-XE 17.11.1 brings key features in Platform, Security, High Availability, Fabric and Programmability. On the platform side, 9400X now comes with a customizable SDM template for flexible network placement. On the Security side, IPsec comes with NAT Traversal and MPLS VPN over MACsec. BGP EVPN is now supported on Silicon One based platforms (9500X and 9600X) along with major feature enhancements. New features in programmability include secure Zero-touch provisioning, PTP operational model and gRPC tunnel.


Find platform specific release notes for IOS-XE 17.11.1 below:

Catalyst 9600 Release Notes
Catalyst 9500 Release Notes
Catalyst 9400 Release Notes
Catalyst 9300 Release Notes
Catalyst 9200 Release Notes

What’s Next?

IOS-XE 17.12.1 will be an extended maintenance release and is targeted for release in July 2023. Stay tuned for more information on new software releases!
