Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2907
Views
2
Helpful
0
Replies

What's New? Cisco IOS XE 17.11 Routing Release Update

mmanusan
Cisco Employee
Cisco Employee

‎05-11-2023 09:01 AM - edited ‎05-11-2023 09:50 AM

Numerous enhancements to Cisco's routing portfolio were introduced with the release of IOS XE Cupertino 17.11 in April 2023. Among the technologies updated in this release are Hardware Support, IOS CG enhancements, LTE, VXLAN, C8000v enhancements, Layer 3, a few minor updates to some of our Catalyst 8000 Edge platforms, and Cellular Gateway.

Now that we've established that, let's dive deeper into the specifics of each of these features.

Hardware Support

ISR1K Flex L2/L3 Ports

Today's challenge: 

ISR1K products typically have up to 2 L3 ports and up to 8 L2 ethernet ports.  There is no flexibility in case we need more L3 Ports

Enhancement Starting 17.11: 

  • This feature is to enable Flex L2/L3 capability for current ISR1K switchports to offer more L3 port flexibility.
  • This feature is a software-only upgrade, with no hardware change for existing ISR1K family
  • With this feature support, two interfaces will be supported as Flex L2/L3 ports.​ Switch ports with highest numbering which are close to the L3 port will be flex L2/L3 configurable 

Screenshot 2023-05-11 at 10.55.49 AM.pngScreenshot 2023-05-11 at 10.55.58 AM.png

Caveat:

  • There is no 802.3x TX pause support on Flex L3 ports just align with the original L2 ports
  • There is no PLIM QoS support on Flex L3 ports​
  • All ingress L3/SVI traffic will be throttled if there is Flow Control received from the host​

Configuration Guide for L2/L3 Flex Port

L2/L3 ETher Switch NIMs

Today's challenge: 

  • Today, we only support 1-port  or 2-port WAN modules in C8300 and C8200, which are​
    • C-NIM-1X (1 x 1/10G on C8300)​
    • C-NIM-2T (2 x 1G on C8300, C8200)

Enhancement Starting 17.11: 

  • Brings the next generation, NIM form-factor L2/L3 switch modules proposed for the Catalyst 8300 and 8200 series platforms.​
  • It provides 4-Ports & 8-Ports options with SFP+ , mGig and SFP ports(10G, 2.5G & 1G), 256-bit MACSec and BT PoE(90W).​
  • SD-WAN support from Day-1​
  • Full parity with onboard WAN ports​
  • Comes in 3 flavors of PIDs​
    C-NIM-4X​
    C-NIM-8M​
    C-NIM-8T​

Screenshot 2023-05-11 at 11.12.27 AM.png

Caveat: None

UCS-E1100D-M6/K9

Today's challenge: 

  • UCS-E M3 CPU is old generation and slow speed compared to market
  • I/O speeds do not suffice the requirements of new use cases & apps
  • Limited throughput and 2X 1Gbps backplane interfaces
  • No central management support with Intersight 
  • With WAAS EoS, limited AppQoE with current UCS-E M3

Enhancement Starting 17.11: 

  • 2 X increase in CPU speed per core compared to the current UCS-E M3 gen 
  • NVMe SSD disks and DDR4 DRAM (3200 Mhz)
  • 2x 10G backplane and 2x 10G front panel interfaces 
  • Intersight capable hardware (Intersight support roadmap)
  • Tested for high-end AppQoE data and scale requirements
  • Intel VROC RAID (RAID-0, RAID-1 & RAID-5) with NVMe
  • Certified with ESXi 7.0 and RHEL 8.3AppQoE ready
  • UCS-E management is configurable using vManage
  • Supported in C8300-2N2S-6T and C8300-2N2S-4T2X

Screenshot 2023-05-11 at 11.17.09 AM.png

Caveat: None

Self Encrypting Drive (SED) Support

Today's challenge: 

  • C8200, C8300, and C8500L support flexible external storage upgrade slots or FRU via NVMe hard disk (SSD). Currently, all information being stored on the flash device is unencrypted. This poses a potential security risk

Enhancement Starting 17.11: 

  • This feature enables the use of self-encrypting drive storage on C8500L, C8300, and C8200 routers​
  • New CLIs will be added to take advantage of encrypted drives
    • TCG Storage Opal SSC v2.01 Rev1.00 Specification​
    • Field Replaceable Units (FRUable)​
    • Hardware FDE based on AES-256 (no perf hit)​
    • Supported in vManage with CLI template​
    • Yang models ​

Caveat: None

IOS CG Enhancements

Support for additional Cipher Suites

Today's challenge: 

  • Weak encryption, in the existing implementation, only AES-128-SHA1 and GCM are supported for both Phase 1 and Phase 2 negotiation. ​

Enhancement Starting 17.11: 

  • CG113 only supports IKEv2, which is faster and more secure than IKEv1
  • Stronger encryption algorithms are added to the CG113 IPsec policies
  • See the table below for more information

Screenshot 2023-05-11 at 11.45.01 AM.png

Caveat: None

Traditional RA Workflow Enhancement on CG113

Today's challenge: 

  • Static configuration for DNS, remote private subnets, and local private subnets 
  • No headend redundancy and ability to configure full tunnel ​

Enhancement Starting 17.11: 

The enhancement allows

  • Dynamic Attributes​ - DNS​, Remote Private Subnet, and Local Private Subnets​
  • Added Headend Redundancy ​
  • FQDN support​
  • Supports Full and Split tunnels

Caveat: None

SD-WAN TA Support on CG113

Today's challenge: 

End user challenges

  • Poor application experience​
  • Capacity challenges​
  • Operational Complexity​
  • Security blind spots

Enhancement Starting 17.11: 

  • Integrate CG113 with the SD-WAN RA solution. From a single pane of glass such as vManage, users can configure and control SD-WAN Fabric and RA users in the same place. CG113 can initiate an IPsec tunnel request using IKEv2 to the public IP of the SD-WAN RA headend.

Caveat: None

Add RSRP and RSRQ as link recovery parameters

Today's challenge: 

  • Currently, cellular modem link recovery is based only on Received Signal Strength Indicator (RSSI) value. No other parameters are used to define the threshold. For LTE modems, Reference Signal Received Power (RSRP) and Reference Signal Received Quality (RSRQ) are better parameters to measure cellular signal strength and quality of the signal compared to RSSI. ​

Enhancement Starting 17.11: 

  • The Cellular Modem Link Recovery feature is used to check whether the modem functions properly and bring back the modem to normal operation state if the modem is in an inoperative state. When an inoperative state is identified, the modem is reset. 

Caveat: 

  • We can change the values of link recovery parameters for RSSI, RSRP, and RSRQ. Only one of the three parameters RSSI, RSRP, and RSRQ can be configured at a time.

LTE

Clean-up LTE Modem Profile 

Today's challenge: 

  • Today, when the user presses the factory reset button on the router, the cellular modem profile is not restored to the factory-default state ​

Enhancement Starting 17.11: 

  • New CLI has been introduced under “controller cellular 0/x/0” to clean up manually configured cellular profiles​
  • By adding the CLI command under the configuration and performing the Factory Reset hereafter will delete the Cellular modem profiles

Caveat:

  • The ROMMON version should be 17.5.x and above.​
  • This feature is applicable to “Generic Firmware” only.​
  • Load an IOS XE image onto the router and bring up the module with “Generic Firmware”.​

Catalyst 8000V Enhancements

C8000V On-Prem Throughput Performance Enhancement (16vCPU)

Today's challenge: 

  • Customers want to achieve higher throughput on-prem. This can be difficult to achieve without taking advantage of additional cores.
  • Increased throughput performance on Catalyst 8000V has been a customer ask as well as a competitive positioning statement

Enhancement Starting 17.11: 

  • This feature adds new on-prem 16-Core support to the Catalyst 8000V on KVM hypervisors to achieve higher IMIX IPsec traffic throughput​

Caveat:

  • No CLI configuration is needed, but the expectation on the host (KVM) is to have non-Hyper Threaded physical cores on a single socket

C8000V SD-WAN Enterprise Certificate Support​

Today's challenge: 

  • Customers require the device certificates communicating with vBond to be registered under the customer’s name.​
  • Currently, this is not supported with SD-WAN virtual routing devices​

Enhancement Starting 17.11: 

  • Each device has a list of certificate authorities (CAs) from which it will accept certificates
  • This feature will allow users the ability to configure their certificate organization name
  • This will add support to virtual edge devices when using enterprise certificates and enable the user to utilize their own enterprise certificate authority (CA) ​

Caveat: None

VXLAN

EVPN+ VXLAN Integration Phase2

Today's challenge: 

  • Previous support in 17.10 included integrated bridging and routing support for connectivity but the configuration was more complex and didn’t have some optimizations. This update includes the optimization for the ARP/ND population and multicast groups for Broadcast unknown Unicast and Multicast (BUM) traffic instead of all unicast for that traffic

Enhancement Starting 17.11: 

  • This feature is an extension of EVPN BGP phase 1 which was included in 17.10.  IOS XE, 17.11 continues the EVPN enhancements by simplifying configuration.  No longer are EFPs and BDI interfaces required for configuration for L2 EVPN.  BD-VIF are now supported.  IP addresses now have mobility and EVPN RT2 updates will generate ARP entries automatically. L2 EVPN VxLAN integration includes:
    • BD-VIF on L2-EVPN​
    • L2 EVPN without EFP or BDI​
    • MAC/IP learning of aliased ARP​
    • IP mobility between MAC address
    • ARP/ND from EVPN RT2 route​
    • underlay multicast group for BUM traffic

Caveat:

  • EVPN Multihoming will not be supported
  • Static multicast underlay for BUM traffic will not be supported
  • EVPN VXLAN IPV6 underlay is not supported
  • Tenant Routed Multicast (TRM) related features are not supported
  • An EVPN instance consists of multiple broadcast domains where each VLAN has one bridge-domain

Layer3

Apply Color in Service VRF-Definition

Today's challenge: 

  • Color-extended community assignment to a prefix was only possible via neighbor prefix advertisements (identify the neighbor and assign a color for each path)

Enhancement Starting 17.11: 

  • BGP uses color and next-hop prefixes to create an SR Policy and automatically steer traffic to the destination​​
  • The color of a route is specified by its color extended community attribute​​
  • Color can be used to indicate certain treatments (High BW, Encrypted Path, Low Latency, etc.)​
  • Support was added to ASR1K as part of the Cisco IOS XE 17.7 release

Caveat: None

VPN-SIP with HGW Support

Today's challenge: 

  • NTT offers the dataconnect (aka VPN-SIP) service based on SIP. This dataconnect service is set to replace an ISDN for backup network functionality

Enhancement Starting 17.11: 

  • This enhancement enhances the router to support dynamic local numbers behind NTT’s HGW. ​
  • The data transmission will share the same physical subscription line as the analog phone. Based on User-to-Network Interface (UNI) protocol, dataconnect service can be moved to reference point 1 as shown in the picture.​

Screenshot 2023-05-11 at 12.33.26 PM.png

Caveat: None

 

GRE-in-UDP encapsulation for SD-WAN

Today's challenge: 

  • In the current Cisco SD-WAN design, we support only two types of encapsulations​
    • ​IPSEC encapsulation​
    • GRE encapsulation

Enhancement Starting 17.11: 

  • The IETF RFC 8086 base feature to support a new header encapsulation for GRE-based packets in IPv6/IPv4 transport
  • GRE encapsulation header inside UDP (GRE-in-UDP encapsulation) packets with IPv6/IPv4 transport
  • Allows a UDP source port field to be used as an entropy field
  • Allows load-balancing of GRE traffic using ECMP mechanisms
  • Introduce a new command under SD-WAN GRE encapsulation configuration to enable the UDP option, this will put GRE inside the UDP header.

Caveat: 

  • Support is available only using CLI-template option

ISIS Flex Algorithm: TE Metric Support

Today's challenge: 

  • In today’s world, Full fledged Flex Algo is available in IOS XR software platforms like ASR 9000 series routers.​
  • We do also support a sub-set of ISIS Flex Algo feature in IOS XE platforms ASR1K & C8500, which are​
    • Prefix SID Redistribution ​
    • Affinity support

Enhancement Starting 17.11: 

  • Flex Algo or Flexible algorithm is a segment routing feature that provides a TE (Traffic Engineered) path automatically computed by the IGP to any destination reachable by IGP
  • Use 24-bit TE link metrics​
  • TE metric advertisements for metric configured under interfaces, SR Traffic engineering, and MPLS Traffic engineering.​

Screenshot 2023-05-11 at 12.37.34 PM.png

Caveat: None

IPv6 multicast over RAR PPPoE

Today's challenge: 

  • Currently, IOS XE doesn’t support IPv6 multicast over RAR (Radio Aware Routing) PPPoE
  • Parity gap between IOS and IOS XE is preventing migration from ISR G2 to Catalyst 8K platforms

Enhancement Starting 17.11: 

  • The enhancement supports IPv6 multicast over RAR PPPoE on IOS XE routing platforms
  • IPv6 multicast configuration is available for PPPoE-based RAR sessions

Caveat: 

  • For IPv6 multicast over RAR PPPoE to function properly, the following must be configured:
    • PPPoE (Virtual-template, VMI and Physical interface)
    • IPv6 Unicast and Multicast routing
    • IPv6 PIM BSR (Protocol Independent Multicast Bootstrap)
    • IPv6 MLD (Multicast Listen Discovery)

Reference

C8500 Image can be downloaded from here

C8500L Image can be downloaded from here

C8300 Image can be downloaded from here

C8200 Image can be downloaded from here

C8200L Image can be downloaded from here

C8000V Image can be downloaded from here

CG113 Image can be downloaded from here

 Release Notes are here

0 Replies 0
Customers Also Viewed These Support Documents