Cisco's release of IOS XE Cupertino 17.8 on April 22, 2022, has brought numerous features and enhancements to the routing portfolio. The release includes enhancements covering technologies such as Security, Virtual Platforms, Voice, QoS, and Services. Most of the features are traditional routing-based and include SD-WAN platform-specific improvements.
With that said, let's get into more details about each of these features.
MACsec Fallback
This is a Layer 2 encryption feature for the MACsec deployments over Ethernet WAN transports such as L3/L2 P2P, Metro ethernet P2P, or Multi-point connections or Datacenter interconnect links.
Today's Challenge
MKA sessions are not established when the primary Pre-Shared Key (PSK) fails to establish due to key mismatch and thus experiences traffic loss.
Enhancements Starting with 17.8
This feature is introduced on ASR1K and Catalyst 8500 to ensure the same fallback keys are configured on both peer ends, even before encountering the fallback scenario (MKA session not secured with primary keys).
LACP support for Layer 2 Switch Ports
Another Layer 2 feature is to provide Port-channel/Etherchannel support on L2 switch ports in ISR1131 and C1100TG terminal gateway platforms. The LACP (802.3ad) for Gigabit Interfaces feature bundles individual Gigabit Ethernet links into a single logical link that provides the aggregate bandwidth of up to 4 physical links.
Today's Challenge
Currently, Etherchannels are not supported on L2 integrated ports on ISR1131 and C1100TG Terminal gateway platforms.
Enhancements Starting with 17.8
With 17.8, LACP Etherchannels can be configured on ISR1131 and C1100TG platforms with integrated switch ports and connect to downstream switching infrastructure to aggregate the bandwidth. Additionally, Equal cost load balancing across all four links is also supported.
Flex-Algo Redistribution Between Process
Flex Algo is the abbreviation of Flexible Algorithm and is the algorithm used to define the best path calculated by IGP in Segment routing deployments in MPLS designs. It supports Prefix definitions and Prefix-ID advertisements.
Today's Challenge
Today we support only SR algorithm 0 prefix SIDs (regular SPF) to be redistributed from one IS-IS instance to another. SR algorithms 1 (Strict SPF) and Flex Algo 128-255 algorithms were not distributed. SID or segment identifier is associated with an IP prefix.
Enhancements Starting with 17.8
- Allows redistribution of strict and flexible algorithms prefix SIDs from IS-IS to another IS-IS instance or protocols.
- Flex-Algo is automatically enabled when you configure redistribution of IS-IS Routes with strict or Flexible Algorithm SIDs.
- Supported on ASR1000, C8500 platforms only
IPsec: show platform hardware qfp active feature ipsec state
The first is related to IPSEC state monitoring in the data plane or QFP. For various solutions like SDWAN, there is a need to be able to show the required IPsec counters and statistics via the Yang model.
Today's Challenge
Today IPsec counters and statistics are supported using the below manual CLI commands on the router, which are not supported for Yang model.
show platform hardware qfp active feature ipsec datapath drops
show platform hardware qfp active feature ipsec state
Enhancements Starting with 17.8
Yang model support is introduced on these CLI commands to view the tunnel drops, statistics, and state centrally example SD-WAN vManage, that are validated on ISR4000 and ISR1100 platforms.
HSEC and Aggregate Bandwidth Tier Throttling
This security feature is more related to the DNA licensing for BW Tier for the licensed customers to purchase. With this added feature, it is easier to understand the DNA BW definitions and the BW flow on C8K platforms.
Current crypto throughput throttling implementation on C8K platforms is done in a bidirectional approach. For competitive reasons, the ask from marketing is to implement crypto throughput throttling in an aggregate fashion, thereby providing more control to the customer while maintaining export control compliance.
Today's Challenge
In a bidirectional fashion, for IPSEC, the customer can push only max 1Gbps in each direction, essentially a 50:50 ratio bidirectionally, with HSEC enabled.
Enhancements Starting with 17.8
- In an Aggregate fashion, IPSEC traffic can be sent in each direction in any proportion ratio, which will not exceed the aggregate throughput based on bandwidth tier enabled. For example with 1G bandwidth license, traffic can be in a proportion 60:40, 70:30, 90:10 with HSEC installed.
- In Aggregate fashion, IPSEC, can send traffic in each direction in any proportion ratio; starting in 17.8, we are bringing in the Aggregate fashion, which means if customers purchase a 1G BW, which will be "Aggregate" in definition, a customer will get 2Gbps Aggregate (inbound + outbound)
- The significant advantage is that customers don't need to follow the 50:50 proportion strictly; traffic can be of any ratio 60:40, 70:30, 90:10, but aggregate up to 2Gbps in total.
- This feature is enabled on C8300/C8200, which are the platforms that support T0-T3 BW Tiers.
IPsec within AnyConnect Profile Download
This security feature is specific to AnyConnect profile download with IOS XE. Cisco AnyConnect is a unified security endpoint agent that delivers multiple security services to protect the enterprise.
It contains profiles-XML files with configuration settings for the core client with optional Network Access Manager, Posture, and telemetry.
Today's Challenge
Today we support only SSL-based profile downloads from the Head-end IOS or IOS XE platforms.
Enhancements Starting with 17.8
Starting 17.8 release onwards, users connecting using the AnyConnect client on a flex VPN enabled head-end IOS XE router can now download the AnyConnect profile for IPSEC/IKEv2 based deployments. PKI-based authentication is the only supported model for AnyConnect-based profile download for this release. It is essential to note that this feature is supported in both SD-WAN and traditional deployments. This feature will add value to customers looking for automatic profile download for their remote users from C8K, ISR4K, or ASR1K platforms deployed as the head-end VPN router for FlexVPN Remote access VPNs.
TLS1.3 support in IOS-XE
TLS is the core security protocol of internet securing internet communication between applications (like web browsers) and servers. It uses asymmetric cryptography for connection establishment, with the shared secret key being negotiated at the beginning of a session, referred to as a TLS handshake. The shared key is for symmetric cryptography after connection establishment.
Today's Challenge
TLS 1.3 is supported with existing Crypto Ciphers and ECDSA in IOS-XE but is unavailable on the next generation Ciphers and ECDSA. TLS 1.2 supports vulnerable Cipher suites like Static RSA and Diffie-Hellman
Enhancements Starting with 17.8
With 17.8, TLS 1.3 is supported with NG Ciphers and ECDSA for SSL VPN. TLS 1.3 will now support public key exchange and provide Perfect forwards secrecy (PFS), a mechanism to regenerate new keys for every Security association. This feature will be available on SSL-based VPN on the C8000v platform because this is the only platform that supports SSL VPN in IOS XE today.
Support enable trap on tunnel level
Another security feature for remote access is virtual dial-up clients or VPDN. A VPDN is a network that extends remote access to dial-up clients to a private network. VPDN tunnels use either Layer 2 forwarding (L2F) or Layer 2 Tunnel Protocol (L2TP). Cisco introduced L2F in RFC 2341. They are additionally utilized to forward PPP sessions for Multi-chassis Multilink PPP.
Today's Challenge
Currently, we support SNMP Trap on VPDN session creation/deletion event for L2TP tunnels.
VPDN implementation does not support VPDN Trap/notification on L2TP Tunnel creation/deletion and logging VPDN Tunnel up/established in Syslog.
Enhancements Starting with 17.8
New VPDN notifications will be added to VPDN MIB to support Traps on tunnel creation/deletion events. Tested on ASR1000 platforms only, 17.8 introduces a new CLI to support this feature.
RAR with DLEP Support
DLEP runs between C8Kv and attached radio devices. Using the link characteristics communicated by the radio devices, the router will make routing decisions for IPv4/IPv6 networks.
Today's Challenge
We support PPPoE (Point to point o Ethernet) in IOS XE, but not with DLEP protocol support. The DLEP project will heavily leverage the existing PPPoE implementation, specifically, common infrastructure such as the code pertaining to VMI interfaces, neighbor creation, and deletion.
Enhancements Starting with 17.8
Starting with 17.8, Customers will be able to use the C8Kv to communicate with their white box radios that use DLEP. Some of the key highlights for the phase-1 feature include 3 DLEP clients per head-end router supported and up to 10 remote peers per VMI. The performance tested aggregate throughout on C8Kv is 300MB IMIX (352 bytes average) per radio, so total ~ 1Gbps IMIX throughput on the head-end router.
Increase scaling for tunnels and VRFs
This feature is for SD-WAN, specifically requested by many customers for their large KVM-based deployment with C8KV platforms. This test-only feature for increased scale for tunnels and VRFs in SD-WAN.
Today's Challenge
SD-WAN scale for C8Kv for most of the features in the scale sheet are tested to be very low in 17.7 XE and need more testing and scale improvements on 17.8 XE
Enhancements Starting with 17.8
Test-only effort to improve the scale on C8KV 8vCPU/8GB, 4vCPU/4GB instances for IPSEC, GRE tunnels, and VRFs (VPN)
Validate Long Reach optics for X520 and X710 NICs
Support for both 1GE and 10GE optics (short (<1km) AND Long Reach (10km)) for X520 AND X710 NICs on CSP-5444 and CSP-5456 platforms.
Today's Challenge
1GE and 10GE optics (short (<1km) AND Long Reach (10km) are not tested today on the X520 and X710 NICs
Enhancements Starting with 17.8
SDWAN Test-only effort to test the SFPs on CSP-5000 series NFVIS cloud virtual platforms. Later the support will be officially in NFVIS 4.8 image to support customer deployments.
SWMTP support
Another C8Kv feature is Software Media Termination Points (SWMTP) an essential component of large-scale deployments of Cisco Unified Communications Manager (CUCM). It bridges the media streams between two connections allowing CUCM to relay calls that are routed through SIP or H.323 endpoints via Skinny Call Control Protocol (SCCP) commands.
Today's Challenge
Currently, this feature is supported only on Physical ISRs and C8K platforms.
Enhancements Starting with 17.8
With IOS-XE release 17.8, Enterprise customers using voice will be able to Leverage SWMTP for Voice on C8Kv large-scale deployments.
New 'show drops' output
IOS-XE 17.8 added this serviceability enhancement to C8KV to support the "Show drops" command outputs.
Today's Challenge
Currently, this feature is supported only on Physical ISR and C8K platforms.
Enhancements Starting with 17.8
As a serviceability enhancement for the C8000V, New CLIs should be designed to show drops at different levels of the platform and features to identify the drop cause and place.
SIP Line side registration (Supplementary services)
This is a Unified communication enhancement to extend the FXS ports to be supported as SIP endpoints in CUCM.
Today's Challenge
Currently, FXS ports on the voice gateway can be treated as SCCP or MGCP endpoints but not SIP endpoints. And to the CUCM, they are just analog endpoints. This enhancement supports additional features on FXS ports, such as call-forward-all.
Enhancements Starting with 17.8
Starting 17.8, we are extending this support to other ISR4Ks supporting voice, VG400,420,450, and C8300, C8200/L. In addition, new CLIs will be introduced into the IOS XE software to support this feature.
UC FXS/FXO caller-id CLI support
Cisco had introduced support for FXS/FXO-related CLI configurations in the 17.2 release. However, the support introduced was at the MVP level. That is the config gap with Cisco's UC/Voice SD-WAN offering at cEdge.
Today's Challenge
Not all the CLI-related configurations are supported today for NIM FXS/FXO ports in SD-WAN.
Enhancements Starting with 17.8
To address the gap with CLI configs to support FXS/FXO ports introduced earlier in 17.2 XE
These CLIs are supported on C8300, C8200, and ISR4K, which can be added to these voice ports from vManage as CLI templates.
BNG performance Improvements for QoS
So, what is Broadcast Network Gateway or BNG?
This feature serves as an intelligent service gateway for broadband network subscribers, widely used in Service provider networks that provide broadband internet or other services to their customers, who are the subscribers in this case. The services can be internet, voice, video, etc. Today we support BNG on ASR platforms only.
We all know QoS or Quality of service. ISPs providing BNG services rely on the QoS feature to provide the level of services or service level agreements with the subscribers who opted for broadband services. This is how ISPs implement rate-limiting, policing, and shaping with QoS features for the BW allocated to their customers.
Today's Challenge
With the current HQF design, whenever a new session layer comes up or is torn down, the parameters of hierarchical queues must be recalculated from the parent layer of the sessions to the bottom-most class layer of the tree. More such events lead to CPU spikes leading to the performance issue of the software.
Enhancements Starting with 17.8
This internal software process has been reworked to improve the performance on ASR1000 platforms that supports the BNG feature. As a result, the CPU performance has been enhanced between 10%-35%, thus processing more BNG packets in the data plane.
Thousand Eyes Support Phase 3
What is Thousand Eyes? Most of us know it as a network monitoring tool, but it can do more. This intelligent tool provides a rich set of analytics and 360-degree visibility to your network, monitored centrally from a single dashboard. For the routers to support Thousand Eyes, we know that the router should support Container services with enough virtual CPUs in the service plane cores.
Additionally, we need a min of 8GB CP DRAM and storage. We install TE agents as container services. The agent collects the network data across applications and services that traverse along the data path of the router and sends rich monitored data to the cloud to have it monitored centrally.
Today's Challenge
Phase-1 introduced Thousand Eyes support on ISR4K, C8300, and C8200 platforms that support containerized app-hosting inside service cores part of Phase-1 and phase-2; we added support for ISR1100X-6G.
Enhancements Starting with 17.8
Starting 17.8, We will extend the TE agent support on other ASR1000 and C8500 series platforms for application visibility and intelligent monitoring.
Minor Updates
Performance license
17.8 introduces the "boost license" for the C1100TG and C1100TGX platforms.
This boost license removes the platform's 500 Mb/sec performance limiter. With a boost license, performance is not artificially limited and is gated only by hardware forwarding capacity.
X.25/XOT support
We also enable X.25/XOT WAN serial protocol support to send X.25 packets over secure XOT tunnels over TCP/IP network over WAN connections in the Terminal services gateway platforms. This feature is currently available on ISR, ASR, and Catalyst 8K and was introduced on C1100TG and C1100TGX platforms.
Geo-Fencing - Phase 3 NIM support test only effort
Geo-Fencing and Geolocation are SD-WAN features that help customers to track the current location of the devices, manually enter the site, and define Geo fencing boundaries of the device. In addition, users must set the cloud and device policy and action based on device location changes. GPS capability is supported on ISR4000 w/ NIM-LTEA-EA, NIM-LTEA-LA LTE modules
Bidirectional support for conditional debugging match filter
If we need to run packet-trace for bidirectional traffic for a given flow, we'd have to define an ACL. As part of this feature, we enable support to specify the match condition from exec CLI itself without configuring the ACL using" debug platform condition match ipv4 host 1.1.1.1 host 2.2.2.2 both bidirectional". This support is on C8K, ISR4K, and ISR1K platforms.
FBD- FlowDB Rate Monitoring
Flow-based distribution and Rate monitoring, observe the utilization of the Data plane cores when flow bandwidth varies over time.
set platform hardware qfp active fbd-flowdb monitor-flow-weight on
set platform hardware qfp active fbd-flowdb monitor-flow-weight off
CLI commands defined here can be used to ON/OFF Data plane core monitoring. The "show platform hardware qfp active fbd-flowdb monitor-flow-weight" commands provide you with real-time statistics on data plane monitoring. Today we support FBD only on C8500L platforms.
Egress Interface option template for Netflow export
The last feature update for the 17.8 release is the "Egress interface option template" for NetFlow. Currently, the interface table (option template) is exporting the ingress interface only. This feature aims to include an egress interface in the interface table exported by Netflow. This enhancement is validated on ASR1000 and will include all IOS XE platforms that support Netflow today.
Reference Links
https://salesconnect.cisco.com/#/content-detail/4eb1bc70-9fea-4e1c-bbce-145044e233b0
https://software.cisco.com/download/home
-> ‘’Browse the Platform’’ and ‘’Select the Platform’’ and choose the ‘’IOS XE software-Cupertino-17.8.1a(ED)’’ for image download
Release Owner
