Showing results for 
Search instead for 
Did you mean: 

Cisco IOS-XE 17.4.1 Switching Release –What’s New?

Cisco Employee

Cisco recently announced availability of the latest release on the IOS-XE train – IOS-XE Gibraltar 17.4.1. This is a standard maintenance release supporting Switching, Wireless, SP-Access, Routing as well as IOT platforms with a sustaining support lifetime of 12 months and two scheduled rebuilds. A unified software release for Enterprise Networking, it adds support for new software features on the existing platforms and also introduces support for new platforms across the various EN technology areas.




While 17.4 spans the breadth of the EN products, here we are going to focus specifically on all that the software release brings in for Catalyst Switching.


Extending Intent Based Networking

Availability of IOS-XE 17.4.1 for Catalyst Switches continues our journey to building Intent-based Networking through introduction of key software features and exciting innovations on Catalyst 9200, 9300, 9400, 9500 and 9600 Series Switches. With these key innovations delivered on our platform, we are able to deliver value and experience that our customers desire.

In this release, features across Zero-Trust, Flexible Architectures, and Platform infrastructure are delivered. Here’s some of the key features introduced on this release.





We can use RADIUS over TLS to provide secure communication between Network Access Switch and RADIUS which runs on cloud or require extra level of security for the transport. RADIUS over TLS wraps the entire RADIUS packet payload into a TLS stream and thus mitigates during in transport and prevents man in the middle of attacks. The most important use of this specification lies in roaming environments where RADIUS packets need to be transferred through different administrative domains and untrusted, potentially hostile networks.

With this release, We are also expanding the Self Inspection Capabilities to check the health of hardware components and verify proper operation of the system data plane and control plane at run-time and boot-time.


Flexible Architectures

A custom SDM template will allow the user to customize the feature resources based on user requirements and not the location of the device in the network. With Cisco IOS XE 17.3.1 release, users were able to configure a custom SDM template for Forwarding Information Base (FIB) resources like mac-addresses, routes and Netflow etc. Starting with Cisco IOS XE 17.4.1 release, users can now configure a custom SDM template for Access Control List (ACL) resources based on the network requirements.

A Customizable SDM template supports the following ACL features:

• Ingress Access Control List (ACL)

• Egress ACL

• Ingress Quality of Service (QoS)

• Egress QoS

• Netflow ACL

• Policy Based Routing (PBR)/ Network Address Translation (NAT)

• Locator/ID Separation Protocol (LISP)

• Tunnels


There is a new enhancement in BGP-EVPN fabric as well, Private VLAN interworking is now supported with primary and secondary VLANs within the EVPN Fabric. Ports within community VLAN can communicate with each other across the fabric over Layer 3 Network but cannot communicate with ports in other community VLANs. This enhancement will allow users to seamlessly migrate from traditional networks based off Private VLAN to EVPN fabric without any major network uplift.



The release also introduces new capabilities in Smart Licensing using Policy (SLP) to address customer pain points by streamlining the licensing process. Starting IOS-XE 17.4.1 and 17.3.2, Catalyst 9000 family will be using “Smart Licensing using Policy” as the new licensing model. This replaces the existing Smart Licensing model. All devices will now boot with the license “In-use” regardless of reporting.

Additionally, changes have been made to the ordering process to ensure that prior to a new device reaching the customer, reporting to the CSSM is performed by Cisco thus eliminating any day 0 operational overheads on the customer side. Finally, an easy reporting option has been provided with the introduction of a new tool, CSLU regardless if the PI is in a network which can communicate with the CSSM or if it’s in an air-gapped network.


With this feature enhancement, Customers will get benefits as follow:

  • Network operations is never impacted by any license operation 
  • Connectivity of the device to the internet is not required
  • License compliance is managed on-change versus acquire before use
  • Factory shipped perpetual licenses are reported at factory.
  • Backwards compatible with SL

For Device Programmability, We are also providing new data structures in YANG models as below :

  • Telemetry support for TCAM utilization on standalone switch,
  • Cisco-IOS-XE-hsrp-events YANG Module,
  • Cisco-IOS-XE-hsrp-oper.YANG module,
  • Cisco-IOS-XE-isis-oper.YANG module and
  • Cisco-IOS-XE-big-oper.YANG module

In additional, total number of EtherChannel in the Catalyst 9600 switches has been expanded to 192 from 128.

Finally, Support for new optics has also been added for C9500H/C9600 platforms including 10G copper optic and all other features can be found in the platform specific IOS-XE 17.4 release notes, links to which are provided below:

What’s Next?

IOS-XE 17.5.1, the next standard maintenance release, is targeted for release in March/April 2021. Features that have been planned for this release including key feature development on Wired Assurance, SDA, BGP-EVPN and OpenFlow as well as HA, Security, App Hosting and Platform infra support to help customers reduce cost and complexity. Stay tuned for our next software release updates!

Leo L
VIP Community Legend


Tobias Heisele

9400 Quadsup support for stackwise-virtual? *pleeeeeease*