Cisco recently announced availability of the latest release on the IOS-XE train – IOS-XE 17.5.1. This is a standard maintenance release supporting Switching, Wireless, SP-Access, Routing as well as IOT (Internet of Things) platforms with a sustaining support lifetime of 12 months and two scheduled rebuilds. A unified software release for Enterprise Networking, it adds support for new software features on the existing platforms and introduces support for new platforms across the various EN (Enterprise Networking) technology areas.
In this blog, we are going to focus on everything this release brings to the Catalyst Switching Platforms.
Hardware additions since IOS-XE 17.5.1
Since our last announcement of IOS-XE 17.4.1, we have added support for a new line card for the Catalyst 9400 series switches - C9400-LC-48HN.
This new linecard offers 48 mGIG ports with supported speeds ranging from 100M, 1G, 2.5G and 5G. All 48 ports of this line card come with support for IEEE 802.3bt - 90W PoE. The 9400 can now support dense Wifi-6 on a 9410 chassis using this line card. The line card provides connectivity for high-speed applications like 5G, CBRS, UHD8K, AVID, Open Roaming, AR/VR and 3D design.
Additionally, we have increased the storage capacity to 240Gig by introducing a new USB SSD for 9300 series switches. This allows for saving more app operational data locally and also helps in interacting with some of the apps to provide more options.
Full list of supported optics can be found in platform specific release notes for IOS-XE 17.5.1 which will be linked at the bottom of this blog post.
Next, let us now look at some key features which are added with IOS-XE 17.5.1 release.
Extending Intent Based Networking
Release of IOS-XE 17.5.1 for Catalyst Switches continues our journey to building Intent-based Networking through introduction of key software features and exciting innovations on Catalyst 9000 Series Switches. With these key innovations delivered, we can deliver value and experience that our customers desire.
We continue to evolve our Zero-Trust framework by adding support for Fully Qualified Domain Name (FQDN) redirect ACLs for CWA (Central Web Authentication) and adding support for a Native integration of Secure Network Analytics.
Flexibility of our Core platforms is further enhanced giving more options to tweak the capabilities based on specific needs.
Finally, we improve and enhance the Platform and Infra by adding support for App hosting on Core platforms, enabling extending PTP across L2 boundaries and allowing for real-time monitoring of BGP networks.
Zero Trust
Fully Qualified Domain Name (FQDN) redirect ACL support has been added. This allows users to configure and apply an ACL policy on a device with dynamically resolved host names. The domain names are resolved to IP addresses based on the DNS response directed to the clients.
FQDN redirect ACL can also be created dynamically using Cisco attribute-value (AV) pair attribute which are sent from any Radius server.
With IOS-XE 17.5.1, Catalyst 9200/L and 9300/L switches can integrate natively with the StealthWatch cloud. With this integration, each Catalyst 9200 or 9300 switch has an inbuilt FNF collector which acts as a sensor. The switches send the data as a compressed FNF record to reduce consumption of data over the WAN links.
By analysing this data, the StealthWatch can model a baseline of network behaviour and combine traffic observation with external intelligences to monitor the network traffic for threats and alerts.
With IOS-XE 17.5.1, support for Wired Dynamic PVLAN is added. This enables dynamic isolation of guest endpoints added to a network by placing the user in a restricted VLAN or PVLAN initially and once authentication succeeds, move the user to an isolated PVLAN hence effectivity and dynamically isolating the user. The PVLAN isolates any L2 discovery between the endpoints and allows them to communicate over promiscous port for services like VoIP Applications. Additionally, we have a “closed-mode" option. Here if authentication of the user machine fails then all traffic from the user machine is blocked except for EaPoL packets. In a dynamic environment this prevents the hosts in the same VLAN to discover each other with discovery protocols like LLDP or Bonjour.
Flexible Architectures
Custom SDM template will allow reallocation of hardware resources according to user requirements and not location of the device in the network. With Cisco IOS XE 17.3.1 and 17.4.1 a wide range of customization options were provided to allow for customization of both Forward Information Base (FIB) and (Access Control List)ACL resources. With IOS XE 17.5.1 we are extending this feature by allowing users to now enable support for 4096 Active VLANs and 4096 STP instances on Catalyst 9500 High Performance Switches and Catalyst 9600 switches.
This is added as a configurable option while customizing the ACL resource. This further adds to the flexibility of the core switches allowing for tweaking the hardware resources according to specific use cases of the end customer.
On the Catalyst 9500 High Performance Switches and Catalyst 9600 switches, we have also added an option to enhance the NAT scale. The existing NAT scale is 7000 entries. In 17.5.1 onwards, a single source can map to many destinations and it always consume the same space in the TCAM effectively increasing the scale to 7000 Sources times the No of Destinations.
Finally on the scale front, for BGP EVPN solutions, we have increased the L2 and L3 VNI sessions from 256 to 512.
Support for ERSPAN over MPLS networks has also been added for Catalyst Switches 9300 and above. ERSPAN traffic can now be transported over a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) allowing for monitoring traffic on ports across different networks in different physical locations.
Platform/Infra:
With IOS-XE 17.5.1, app hosting is supported on the Catalyst 9410 Chassis, 9500 and 9600 platforms. In addition, Catalyst 9400 (in-chassis redundancy or SVL), 9500 SVL and 9600 (in-chassis redundancy or SVL) now have application high-availability as the default behaviour. The hosted apps leverage the built-in redundancy provided by modular and SVL devices to maintain the operational state of the application in the event of a reload.
gPTP tunnels are now supported with 17.5.1. PTP networks can now be extended over L3 networks and even over devices which are not PTP enabled. This helps in leveraging PTP tunnels across L2 boundaries and in increasing the scale between PTP domains.
Real time monitoring of BGP networks is now possible with support for BGP Monitoring Protocol (BMP). With this we can configure C9k Switches (9300 and above) as BMP Clients where the Client sends Adjacency and RIB information periodically to the BMP Server for monitoring. Using BMP allows for Realtime visualization of BGP state as well as analysing Traffic Engineering across the network.
On programmability front, support for gNOI os.proto has been added to allow for OS commands to be executed on the target device. Additionally, gNMI support for operations with mixed schemas has been added which previously needed multiple API calls for models with different schemas.
Find the platform specific release notes for the IOS-XE 17.5 below.
https://www.cisco.com/c/en/us/support/ios-nx-os-software/ios-xe-17/products-release-notes-list.html
What’s next?
IOS-XE 17.6.1 will be an Extended Maintenance release and is targeted for release in Aug of 2021. Stay tuned for our next software release update.
