Pradeep Chaudhari
Cisco Employee

On 16 April 2021, Cisco announced availability of the latest release on the IOS-XE train: IOS-XE Bengaluru 17.5.1a.

This is the second release in the Cisco IOS XE Bengaluru series. IOS XE 17.5.1a unlocks various routing features and enhancements, comprehensively covering technology segments such as Layer 3, Layer 2, Security, VPN, Network Management and Programmability.

While 17.5 spans the breadth of the EN products, here we focus specifically on what the software release brings to the Routing product family in Autonomous mode (traditional routing).

 

New Hardware Additions:

Cisco has added the Catalyst 8200L Series Edge Platforms to the Catalyst 8000 Edge Platform family in 17.5.

The Catalyst 8200L platform is powered by an x86-based SoC architecture. It is a compact 1RU, high-performance platform built for SD-WAN services and designed for small/medium branch deployments with Cisco SASE and 5G solutions.

 

Additionally, we are enabling SD-WAN support on the modular ASR1000 (ASR1006-X) chassis:

The existing ASR1006-X platform with the modular ESP200-X line card can provide higher SD-WAN performance. The platform's data path, the ESP200-X, is powered by the all-new 3rd Gen QFP ASIC, which gives it higher SD-WAN throughput and makes it suitable as an SD-WAN headend. There are flexible port options with 100GE, 40GE or 10GE port adapters per chassis. You just need to add a DNA subscription license for the ASR1006-X to enable SD-WAN.

 

Time to explore the new features introduced in 17.5. The table below is a summarised view of all the key features introduced in each of these segments:

[Image: IOS XE 17.5.1a key features summary (17.5 Key Features.jpg)]

Segment Routing:

Segment routing capabilities on IOS XE routing platforms are enhanced to support SR-TE features. The new ISIS Flex-Algo feature enhances the traffic prioritisation and path selection mechanism on enterprise routing platforms. The solution has three aspects:

  • The ISIS Flex-Algo prefix-metric in SR-TE allows the metric computed in a given flex-algo to be associated with a prefix during prefix inter-level leaking or inter-domain redistribution, and therefore to compute the optimal inter-level or inter-domain path.
  • The ISIS Flex-Algo affinity map and interface affinities configuration allow you to pick and choose the links for certain types of traffic. For that you can define matching flex-algo affinities such as Exclude-any, Include-any and Include-all.
  • The ISIS Flex-Algo TI-LFA repair path: repair paths for a Flexible Algorithm are computed using the same constraints as the calculation of the primary paths. This preserves the existing LFA logic that, when the computation is done, we only deal with protection of a single entity (e.g. link, node, SRLG) and only remove one entity from the SPT when the backup is calculated.

In addition, to avoid SR-TE traffic falling back to the default (unconstrained IGP) forwarding path:

  • Upon the failure of an SR-TE policy, the SR-TE path-invalidation drop feature drops the traffic in the data plane but keeps the policy up in the control plane. Therefore, other SR policies which do not have a valid path, potentially carrying premium traffic, will not be impacted.

If customers want to implement Unequal Cost Multi-path (UCMP) for ISIS, they can enable it using the Local UCMP feature starting from IOS XE 17.5. The Unequal Cost Multi-path for IS-IS feature enables load balancing across links such that traffic is distributed proportionately across the links based on bandwidth.

 

For the Layer 3 segment we have a few other enhancements in the 17.5 IOS XE code.

With this software release, you can enable Path MTU Discovery on an MPLS-enabled GRE tunnel. This copies the IP "Don't Fragment" bit (DF bit) from the payload packet into the tunnel packet's IP header and thus avoids fragmentation in the core. It is applicable only to the L3 packet header and does not support the L2 packet header.

BGP EVPN and L3VPN interworking is a way to connect an EVPN domain, such as a DC or CO, over an IP VPN core/WAN network. This is a common use case for end-to-end connectivity of hosts/CEs in an EVPN domain to other domains over an IP VPN network providing inter-subnet routing.

 

In L3 DCI EVPN, the handoff between EVPN and MPLS VPNv4 is currently supported and working.

The 17.5 release now enables redistribution between VXLAN EVPN and MPLS VPNv6. So you can now import the VPNv6 routes from the MPLS WAN network into the EVPN VXLAN fabric.

 

Security:

Key security features for the Next Generation L2 EtherSwitch Modules (SM-X-16G4M2X, SM-X-40G8M2X, C-SM-16G4M2X, C-SM-40G8M2X)

As you build out the digital capabilities in your enterprise branch offices, IT needs flexibility without compromising performance or scale, while still providing secure access and a consistent user experience for LAN users. You can use the security measures below on the L2 EtherSwitch module to provide a more secure branch LAN deployment.

 

IPv6 First Hop Security (FHS) for the SM-X switch module prevents various attacks in the IPv6 network for a secure branch LAN deployment. IPv6 FHS is a collection of the security features below, which can be used to secure the branch LAN:

  • Manual IPv6 Binding
  • IPv6 Address Glean/Inspect/Guard
  • IPv6 Device Tracking
  • IPv6 Binding Recovery
  • IPv6 Destination Guard
  • IPv6 Source Guard
  • DHCPv6 Guard
  • IPv6 RA Guard
  • IPv6 DAD Proxy

Dynamic ARP Inspection (DAI) allows a network administrator to intercept, log and discard ARP packets with invalid MAC-address-to-IP-address bindings. DAI is supported on all L2 ports of these EtherSwitch modules.

 

Additionally, you can define a template, add ACLs under it with "ip access-group" for IPv4 and "ipv6 traffic-filter" for IPv6, and share that template across multiple interfaces without explicitly binding the ACLs to interfaces one by one.
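As an added example (not configuration from the original post), the following ties together the IPv6 FHS features, DAI and the ACL-carrying interface template described above on one EtherSwitch module. Slot/port numbers, VLAN 10, the policy and template names, and the ACL contents are all assumed values; check the module's own configuration guide for which policy commands it accepts under a template.

```cisco
! Added example (not from the original post): hardening one EtherSwitch
! module for the branch LAN. Slot/port numbers, VLAN 10, the ACL names and
! contents, and the template/policy names are all assumed values.
! --- IPv6 First Hop Security ---
! RA Guard: hosts may never send Router Advertisements; only the uplink may.
ipv6 nd raguard policy HOST-PORTS
 device-role host
ipv6 nd raguard policy UPLINK
 device-role router
! DHCPv6 Guard: hosts may not answer DHCPv6; only the uplink side may.
ipv6 dhcp guard policy HOST-PORTS
 device-role client
ipv6 dhcp guard policy UPLINK
 device-role server
! Snooping builds the binding table (address glean/device tracking) that
! Source Guard enforces, so a host cannot use another host's IPv6 address.
ipv6 snooping policy BRANCH-SNOOP
 security-level guard
ipv6 source-guard policy BRANCH-SG
 validate address
vlan configuration 10
 ipv6 snooping attach-policy BRANCH-SNOOP
 ipv6 nd raguard attach-policy HOST-PORTS
 ipv6 dhcp guard attach-policy HOST-PORTS
! --- Dynamic ARP Inspection (IPv4), fed by the DHCP snooping bindings ---
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
ip arp inspection log-buffer entries 512
! --- One template carrying both ACLs, shared by every access port ---
ip access-list extended HOST-V4-IN
 permit ip 10.10.0.0 0.0.255.255 any
 deny   ip any any log
ipv6 access-list HOST-V6-IN
 permit ipv6 2001:db8:10::/64 any
 deny ipv6 any any log
template ACCESS-PORT
 switchport mode access
 switchport access vlan 10
 ip access-group HOST-V4-IN in
 ipv6 traffic-filter HOST-V6-IN in
 ipv6 source-guard attach-policy BRANCH-SG
interface GigabitEthernet1/0/1
 source template ACCESS-PORT
! Uplink toward the router (and the DHCP/DHCPv6 servers) is the trusted side
interface TenGigabitEthernet1/0/17
 ip dhcp snooping trust
 ip arp inspection trust
 ipv6 nd raguard attach-policy UPLINK
 ipv6 dhcp guard attach-policy UPLINK
```

Every other access port only needs `source template ACCESS-PORT`, so a later ACL change is made once in the template rather than on each interface.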

 

For endpoint security and access control, we have added TrustSec support for the ISR1K SVI port.

  • TrustSec support enables SGT/SGACL enforcement on the SVI interface (for egress traffic to ISR1000 switchport interfaces).

Network Management:

Thanks to the Intel x86 System on Chip (SoC) architecture, the Catalyst 8200/8300 Series offers the same system flexibility. One of the key innovations of the SoC architecture is dynamic core allocation, which offers flexibility in how the multi-core planes are utilised.

 

Dynamic Core Allocation (DCA) was introduced and delivered in the 17.4 IOS XE release, around the January 2021 time frame.

Starting in the IOS XE 17.4 release, dynamic core allocation between the service plane and data plane is supported. Customers can modify the core allocation using the CLI based on their deployment model and its needs (i.e., services-heavy or data-plane-heavy). With IOS XE 17.4, a device reboot is required after re-allocation of the cores.

 

However, with the new IOS XE 17.5 release for DCA, a reboot is no longer necessary for core allocation changes between SP-heavy and DP-heavy modes.

 

The goal of dynamic core allocation is to allow in-service upgrade of services without reloading the system: the change can be activated at run time and takes effect without a router reload.

 

With this release, we are also adding the capability to generate syslog alerts if you need to track the NAT translation limit. Using a new CLI you can configure nat translation max-entries for {vrf | all-vrf | host | all-host}, and a syslog message is generated every time the maximum number of NAT translations is reached in each of these cases: 1) VRF, 2) Host, 3) All-VRF, 4) All-Host translations.
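As an added example (not from the original post), this is how the four scopes named above can be combined so that no single host or VRF can exhaust the translation table, with the resulting syslog messages forwarded off-box. The VRF name, addresses and numeric limits are assumed values; the keyword forms follow the standard `ip nat translation max-entries` syntax.

```cisco
! Added example (not from the original post). VRF name, addresses and the
! numeric ceilings are assumed values chosen for illustration.
! Any single inside host: at most 500 concurrent translations
ip nat translation max-entries all-host 500
! A known-chatty host gets a higher, but still bounded, ceiling
ip nat translation max-entries host 10.10.1.50 2000
! Every VRF: at most 20000 translations each
ip nat translation max-entries all-vrf 20000
! The guest VRF gets a tighter limit than the per-VRF default above
ip nat translation max-entries vrf GUEST 5000
! Global ceiling for the whole box
ip nat translation max-entries 100000
! Ship the limit-reached messages (informational and above) to a collector,
! with millisecond timestamps, so the event survives a reload or wipe.
service timestamps log datetime msec localtime show-timezone
logging trap informational
logging host 10.10.1.10
! Verify current usage against the configured ceilings:
! show ip nat statistics
! show ip nat translations vrf GUEST
```

A limit hit repeatedly by one host is usually a misbehaving or compromised endpoint rather than a capacity problem, so the per-host alert is worth routing to the SOC as well as to network operations.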

 

In scenarios like an RMA of a device, customers prefer to wipe any sensitive data and execute the "factory-reset all" command, wiping off information maintained by various functions in the device. Most of the Smart Licensing information is lost when "factory-reset all" is executed.

However, there is some license data, such as the un-ACK'ed license usage report, including critical licensing information like the authorization code tied to the product, that is required to be retained after a factory reset.

This release introduces a new capability in Smart Licensing Using Policy (SLP) to convey the choice of how much licensing data to retain, with a new CLI command: "factory-reset keep-licensing-info".

 

With the help of this new enhancement, customers can retain Smart Licensing data such as:

  • Open/un-ACK'ed license usage report (RUM report).
  • Usage reporting details (last ACK received, next ACK scheduled, last/next report push).
  • UDI-tied trust codes.
  • Customer policy received from CSSM.
  • SLAC authorization codes and return codes.
  • Factory-installed purchase information.

Programmability:

Lastly, for device programmability, we have also added new data structures in YANG models for:

  • GETVPN YANG Module
  • IPv6 maximum route YANG Module

To summarise, the table below lists all features and the supported platforms for each feature.

[Image: Features and platform support (Features & patform support.jpg)]

 

If you would like to know more, please check out the platform specific release notes on the portal.

Cisco IOS XE Bengaluru 17.5.1

 

What’s Next?

IOS-XE 17.6.1, the next Extended Maintenance release, is targeted for July/August 2021. Stay tuned for our next software release updates!
