Showing results for 
Search instead for 
Did you mean: 

Cisco IOS-XE 17.3.1 – Catalyst 9000 Switching Updates

Cisco Employee

Cisco IOS-XE 17.3.1 – Catalyst Switching Updates


Table of Contents

IOS-XE 17.3.1

Hardware Additions since IOS-XE 17.2.1

Key Summary Features

Platform and Infra Features

High Availability Features

Routing / MPLS / VPN Features

Security Features


IOS-XE 17.3.1

Cisco is proud to announce the availability of the latest IOS-XE release - IOS-XE Amsterdam 17.3. This release is the newest Extended Maintenance Release on the Catalyst 9000 platforms, which will be supported for a lifetime of 36 months. IOS-XE 17.3.1 continues to evolve the hardware portfolio and delivers multiple key features across Platform Infrastructure, Security, High Availability, and Network Solutions extending Intent Based Networking (IBN) for Enterprise Campus.


Catalyst 9000 Family – Open IOS-XE 17.3.1 lifecycle


Screen Shot 2020-08-10 at 2.12.58 PM.png




Cisco IOS-XE 17.3.1 continues the momentum of common base operating system across Catalyst 9000 family. Catalyst 9300,9400,9500 and 9600 run the same exact binary image with Catalyst 9200 running the lighter version of same base image.

Catalyst 9000 Family– One Operating System (Open IOS-XE)





Hardware Additions since IOS-XE 17.2.1

Since our last announcement of the IOS-XE 17.2, we’ve added more products on the 9200, 9300 and 9600 series. Let’s take a look – Catalyst 9200 has added a new series of switches under Flexible Uplink models with increased virtual network (VN’s) or Virtual Routing and Forwarding (VRF) scale to accommodate Software Defined Access Fabric (SDA) Deployments. This specific catalyst 9200 model can be deployed as “Fabric Edge Node” with support of 32 VRF’s comprising of 31 user configurable VRF’s and remaining one as Default VRF and supports all other catalyst 9200 capabilities.


Below are the 9200 models with 32 VRF’s support and comes with all C9200 features:



With recent IEEE 802.3bt standardization, there has been a huge momentum across different PoE end points and the whole ecosystem is ever growing. Cisco had already introduced 90W standard line cards on Catalyst 9400 last year. But now, 90W capability has also been added on Catalyst 9300 Series under flexible uplink models to provide more choices for customers in picking modular chassis vs fixed switches for their growing power over ethernet (POE) needs. These new 9300 models can provide 90W on all ports based on the IEEE 802.3 BT standards and also are backward compatible with all previous standards.


Below are the 9300 models with 90W Support and come with all C9300 features:



Fiber to the Desktop is becoming common these days and we do support 1G fiber across most of our portfolio except for Catalyst 9600. In order to provide flexibility to end customers a new line card “ C9600-48S” with all 48-ports of 1G Fiber has been introduced. This line card supports 1G speed today and will also support 10M and 100M with the right optics in future.



Key Summary Features


With every software release, the focus has always been towards introducing features which can strengthen the Intent Based Networking Journey. 17.3 Release also continues the innovations and introduces features across different realms of the network from enhancing the existing feature set, securing them further and then building resiliency around them to achieve a stronger overall network solution.



Screen Shot 2020-08-10 at 11.40.19 AM.png


Platform and Infra Features

Deploying Application Visibility and Control (AVC) with Encrypted Traffic Analytics (ETA) on same physical interface is now possible. AVC combined with ETA now provides a complete solution by securing the traffic and at same time providing analysis and option to split business Critical from non-critical traffic.


PVLAN on trunk/Etherchannel has been used for a while to Isolate ports within a VLAN. However, with the increasing usage of virtualized hosts a new usecase has come where multiple Isolated hosts belonging to different VLANs can reside behind same physical trunk port. Isolated PVLAN trunk port solves exactly that problem by allowing multiple Isolated VLAN behind same physical trunk where hypervisors are connected.


Embedded Wireless LAN Controller can now be hosted on Catalyst Switches in Non-SDA deployments, now can be used to provision single site deployments. It provides simplified Operation via WebUI, and double capacity with N+ 1 mode which can support of up to 400 Access Points (AP) and 8000 clients on two switches.


High Availability Features

Power Management on Catalyst 9400 introduces more granular control in case of power load shedding. It gives 8 different Power priorities on every slot and introduces PoE priority per port with 8 groups. In case of power shedding all PoE provisioned ports will stop receive power (data on the port continue to be active) and then the linecard are powered off based on configured priority. Supervisors and Fan Tray are excluded from the power shed.


For faster L3 convergence during switchovers or failures, Non-Stop Routing (NSR) feature has been introduced which synchronizes the unicast routing information between active and standby devices. In the case of failure, the standby takes over the role of active and also the control over protocol handling while continuing to forward the traffic with negligible traffic loss.


Routing / MPLS / VPN Features

Broadcast, Unknown Unicast and Multicast (BUM) traffic can now be rate limited on per Virtual Network Identifier (VNI) basis in BGP-EVPN solution to protect the control plane from unnecessary flooding. This enhancement brings in additional security and stability to the infrastructure


Routed Pseudowire IRB for IPv6 Unicast feature addition now allows a Virtual Private LAN Services (VPLS) multi point provider edge (PE) device interface to route Layer 3 traffic along with switch Layer 2 frames for PseudoWire (PW) connections between PE devices. The ability to route frames between interfaces does not affect the termination of a PW into the Layer 3 network (VPN or global) on the same device, or to tunnel Layer 3 frames over a Layer 2 tunnel (VPLS)


The MPLS VPN—Inter-AS Option AB feature combines the best functionality of an Inter-AS Option A and Inter-AS Option B network to allow a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) service provider to interconnect different autonomous systems to provide VPN services using a single MP-BGP session with L3 sub-interfaces in the global routing table, along with separate address-families to signal per-VPN prefixes between two ASBRs. These networks are defined in RFC 4364 section 10 "Multi-AS Backbones," subsections a and b, respectively.


Security Features

SGACL Logging has been enhanced to not increase CPU consumption when it is enabled. It leverages Flexible netflow table to collect the logs at line rate and provide more detailed syslog messages. This enhancement immensely helps to provide additional visibility on the network security based on Cisco TrustSec solution.


Umbrella Switch Connector on Catalyst switch can now communicate with Active Directory (directly or indirectly) which will help in selecting different policy based on user and the domain where they belong. Previously, the umbrella feature integration was device/port specific. In other words, all policy and rules were applied on port depending upon the device tag, and it was not based on user. Thus, it created a huge problem because in an organization, there will be people from different domains (I.e. marketing, engineering etc.) and without any choice they will fall under same policy if they use the same port.


Cat 9300 WEBUI has added support to configure Umbrella.


Active Directory Integration will provide following benefits:

  • Support per user or user group level policy when Catalyst and OpenDNS have access to the user/group information from the Enterprise AAA (e.g. Active Directory).
  • This enhanced solution will be able to apply policy and rule based on user domain.

New Yang Models have been added for MACSEC feature to constantly monitor the traffic on the link if it is encrypted or not. And also to monitor If the total number of the transmitted packets on the link matches with the encrypted packets. These yang model additions has simplified the monitoring of MACSEC enabled traffic using NETCONF API’s.


MACsec is also supported now on front panel ports of Catalyst 9400 when configured in StackWise Virtual mode. This enhancement has enabled secure and encrypted interconnection between StackWise Virtual enabled switches to other switches. The supported modes are MKA and SAP with AES 128 and 256 encryptions.


Now finally, the support for new optics and other specific features can be found at individual Release note pages below.


IOS-XE 17.3.1 brings in some key features to the Catalyst 9000 switching Portfolio making it ever-ready for future challenges in Intent Based Networking Journey


You can access the Cat9k GitHub Repository to browse through the examples on how you can use the Yang models or Ansible to automate various Network tasks. If you have an idea and a script that can automate the network, please do a git push to the repository!