Cisco recently announced the availability of the IOS-XE train – IOS-XE Cupertino 17.7.1. This is a standard maintenance release supporting switching, wireless, SP-Access, Routing as well as IoT (Internet of things) platforms with a sustaining support lifetime of 12 months and two schedule rebuilds. A unified software release for Enterprise Networking, it adds support for new software features and introduces new platforms across various Enterprise Networking technology areas.
In this blog, we will discuss new software features that this release brings to the Catalyst 9000 switching platforms.
New Feature support with IOS-XE on Catalyst 9000 Switching platforms
Below is a high-level list of features/enhancements that were added across Platform/Infra, High Availability, Security and Routing/Overlay Solutions on Catalyst 9000 Switching Platforms.
Time Sensitive Networking is becoming critical in financial, broadcast, automotive, defense, manufacturing industries and we are continuing to add features and expand support across multiple platforms to assist customers onboard time sensitive applications onto existing Ethernet networks seamlessly.
In addition to supporting PTPv2 and 802.1AS profiles, Catalyst 9000 switches can now be deployed in AES67 compliant audio networks starting 17.7.1. AES67 defines standards for high-performance audio-over-IP interoperability. Customers using multi audio-vendors within the network can now leverage Catalyst 9000 switches to transport the audio. With PTP now supported across Access, Distribution and Core, Customers can enable PTP on their existing ethernet infrastructure and onboard time sensitive applications to a converged network without building a separate network.
The Cisco DNA Service for Bonjour solution assists with end-to-end unicast service routing of mDNS instead of flooding across the network. With 17.1.1, Micro-location capability has been added where customers can now get deep granular location-based service.
Catalyst 9300/9500 switches have gone through rigorous testing in a multi-vendor environment and are now AVNU certified for Audio and Video Bridging (AVB) Deployments. Avnu Alliance is a consortium of professional, automotive, consumer electronics and industrial manufacturing companies working together to establish and certify the interoperability of open Audio Video Bridging (AVB) and Time-Sensitive Networking (TSN) standards. Specific PID’s can be found @ AVNU Product page.
High Availability is crucial for any network, and we continue to innovate in this area to minimize the downtime during upgrades. Starting 17.7.1, we have added Extended Software Upgrade (xFSU) capability to the 9300X models reducing the downtime to less than 30 seconds during a software upgrade or reload. This is achieved by decoupling the control plane and dataplane during the reload/upgrade process.
Graceful Insertion and Removal support has now been extended to Catalyst 9500H models and Catalyst 9600 Series switches to help customers gracefully offload traffic from a specific device to redundant devices/path prior to any planned maintenance or upgrade plans.
Applications are transitioning to cloud at a rapid pace. Many of the applications that we use on a day-to-day basis like Office 365, Salesforce, etc. have already been migrated to Cloud. Connectivity to the Internet Edge has become a necessity for many branches now. Starting 17.6.2/17.7.1, Catalyst 9300X switches are now capable of supporting hardware IPSEC to provision Secure tunnels and can deliver IPSEC throughput up to 100G.
IPSEC implementation on 9300X is based on IKEv2 Open standards. 9300X IPSEC supports ESP encapsulation and operates in tunnel mode. 9300X can scale up to 128 IPSEC tunnels with 17.6.2/17.7.1. 9300X IPSEC implementation supports both IPv4 and IPv6 and uses Static Virtual Tunnel Interfaces (SVTI) interfaces to originate and terminate IPSEC connections. This mode eliminates the extra GRE headers that is required when operating in GRE mode, thus help in saving bandwidth for sending encrypted traffic. Traffic can be redirected to the tunnel using static routes, IGP (OSPF/BGP) or Policy based Routing. HSEC Key is required to enable IPSEC on Catalyst 9300X models.
With IPSEC capabilities on Catalyst 9300X models, customers can now connect their Lean Branches securely to a multi-Cloud environment. Secure tunnels can be provisioned from 9300X to Multi-Cloud service providers like Amazon Web Services (AWS), Google Cloud Platform (GCP) or Microsoft Azure to access Native Applications or workloads securely. Secure tunnels can also be provisioned from 9300X to Secure Cloud Gateway Providers like Cisco Umbrella, Zscaler or any other 3rd party IKEv2 based providers to offload security to the Cloud.
DNS security provides additional layer of security between the hosts and the internet by blocking malicious sites and filtering content. Catalyst 9200 & 9300 series switches already have a tight integration with Cisco Umbrella to secure DNS traffic and act as first line of defense. Starting 17.7.1, Catalyst 9300/9400 switches can now use API Keys to integrate with Umbrella in addition to the token-based registration. These API keys can be obtained from the API Keys section of Umbrella Dashboard.
Catalyst 9000 switching platforms already support full suite of MPLS features to enable seamless overlay solution for Layer 3 segmentation and Layer 2 Extensions at scale. Starting 17.6.1 release, we have enabled MPLS Traffic Engineering (MPLS-TE) support to enable Explicit or Dynamic path forwarding for L3VPN and L2VPN traffic. With 17.6.2/17.7.1, we have extended these capabilities to steer EoMPLS traffic to a specific preferred TE tunnel, establish Traffic Engineering Tunnels across multiple areas along with the capability to handle TE label-switched path (LSP) tunnel as a link in Interior Gateway Protocol (IGP).
Catalyst 9K Switches ability to support any architecture on any platform enables adoption of overlay fabrics like the open standards based VxLAN EVPN. This flexibility and enterprise grade feature richness on BGP-EVPN has led to adoption by 300+ customers of varied sizes such from MSDCs to airports. We are continuing to add features in each release to further enhance the solution. With 17.7.1, we have added the MDT DATA support for Layer 3 Tenant Routed Multicast (L3TRM). This helps control unnecessary flooding of Multicast traffic to the leaf’s who don’t have an active receiver for a Multicast Group. When this feature is enabled, Multicast traffic first gets forwarded on MDT DEFAULT group and then eventually switches to DATA MDT and only those leaf’s who have an active receiver will join this group and will receive the traffic, thereby preventing unnecessary traffic flooding and saving bandwidth.
For YANG Model Driven Telemetry, there are enhanced leaf-level filtering capabilities that provide network operators even more granular control of the telemetry data that is collected or sent from IOS XE to the 3rd party data lake. Lastly, the IOS XE 17.10 release which will be available towards the end of 2022, calls for the YANG 1.0 to YANG 1.1 transition. The YANG 1.1 compatible modules have already been published on GitHub alongside the YANG 1.0 modules for each release. Customers using YANG are encouraged to confirm tooling supports YANG 1.1 prior to IOS-XE 17.10 release. However, 1.1 and 1.0 are backwards compatible and have been ratified for some time, therefore, most of the tooling already supports this newer standard. Yang 1.1 modules can be found here - YANG1.1 modules
These key enhancements and new features with 17.7.1 make Catalyst Switching portfolio more feature rich and ready to meet future demands.
For a complete list of features, Release notes, Configuration guide related to 17.7.1 release, please check below.
2 Comments
