Limitations and Restrictions
-
ISSU between any Cisco IOS XE software version and Cisco IOS XE Dublin 17.11.99SW software version is not supported.
Cisco IOS XE Dublin 17.11.99SW software version is limited to Catalyst 9000 Series Switches only.
Cisco IOS XE Dublin 17.11.99SW software version does not support No Payload Encryption (NPE) software.
-
Control Plane Policing (CoPP)—The show run command does not display information about classes configured under system-cpp policy, when they are left at default values. Use the show policy-map system-cpp-policy or the show policy-map control-plane commands in privileged EXEC mode instead.
-
Cisco TrustSec restrictions—Cisco TrustSec can be configured only on physical interfaces, not on logical interfaces.
-
Flexible NetFlow limitations
-
You cannot configure NetFlow export using the Ethernet Management port (GigabitEthernet0/0).
-
You cannot configure a flow monitor on logical interfaces, such as Layer 2 port-channels, loopbacks, and tunnels.
-
You cannot configure multiple flow monitors of the same type (ipv4, ipv6 or datalink) on the same interface for the same direction.
-
-
Hardware Limitations (Optics)—Multi-rate SFPs are not preferred for SVL or DAD links because auto-negotiation may lead to speed mismatches on some ports. If they are used, set both sides to the same speed; the highest speed is recommended (for example, 25G for SFP-10/25G and 100G for QSFP-40/100G). Also, both sides of the link should be multi-rate SFPs and all the other SVL or DAD link ports should use multi-rate SFPs. Use the show interfaces transceiver command to view the physical properties of SFPs used in the device.
-
Hardware limitations—When you use Cisco QSFP-4SFP10G-CUxM Direct-Attach Copper Cables, autonegotiation is enabled by default. If the other end of the line does not support autonegotiation, the link does not come up.
-
Interoperability limitations—When you use Cisco QSFP-4SFP10G-CUxM Direct-Attach Copper Cables, if one end of the 40G link is a Catalyst 9400 Series Switch and the other end is a Catalyst 9500 Series Switch, the link does not come up, or comes up on one side and stays down on the other. To avoid this interoperability issue between devices, apply the speed nonegotiate command on the Catalyst 9500 Series Switch interface. This command disables autonegotiation and brings the link up. To restore autonegotiation, use the no speed nonegotiation command.
-
In-Service Software Upgrade (ISSU)
-
Within a major release train (16.x or 17.x or 18.x), ISSU is supported between any two EMs that are released not more than 3 years apart.
-
Within a major release train, ISSU is supported from:
-
Any EM (EM1, EM2, EM3) to another EM (EM1, EM2, EM3)
Example: 16.9.x to 16.12.x, 17.3.x to 17.6.x, 17.6.x to 17.9.x
-
Any release within the same EM
Example: 16.9.2 to 16.9.3 or 16.9.4 or 16.9.x, 16.12.1 to 16.12.2 or 16.12.3 or 16.12.x, 17.3.1 to 17.3.2 or 17.3.3 or 17.3.x
-
-
Between major release trains, ISSU is not supported from:
-
An EM of a major release train to an EM of another major release train
Example: 16.x.x to 17.x.x or 17.x.x to 18.x.x is not supported
-
An SM to EM or EM to SM
Example: 16.10.x or 16.11.x to 16.12.x is not supported
-
-
ISSU is not supported on engineering special releases and .s (or similar) images.
-
ISSU is not supported between Licensed Data Payload Encryption (LDPE) and No Payload Encryption (NPE) Cisco IOS XE software images.
-
ISSU downgrades are not supported.
-
While performing ISSU from Cisco IOS XE Fuji 16.9.x to Cisco IOS XE Gibraltar 16.12.x, if the interface-id snmp-if-index command is not configured with OSPFv3, packet loss can occur. Configure the interface-id snmp-if-index command either during the maintenance window or after isolating the device (by using the maintenance mode feature) from the network before doing the ISSU.
-
While ISSU allows you to perform upgrades with zero downtime, we recommend that you do so during a maintenance window only.
-
If a new feature introduced in a software release requires a change in configuration, the feature should not be enabled during ISSU.
-
If a feature is not available in the downgraded version of a software image, the feature should be disabled before initiating ISSU.
-
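The version-pair rules in the ISSU list above can be checked before an upgrade is scheduled. The following is an added example, not Cisco tooling: the EM set is an assumption built only from the releases this page names in its examples, and the check does not cover the 3-year window, engineering special or .s images, or LDPE/NPE image types.

```python
import re

# EM (Extended Maintenance) releases named in this page's examples. Assumption:
# any release not listed here is treated as SM; extend the set as needed.
EM_RELEASES = {(16, 9), (16, 12), (17, 3), (17, 6), (17, 9)}
NO_ISSU = {"17.11.99SW"}  # ISSU to or from this version is not supported

def parse(version):
    """Split 'x.y.z' (optional trailing letters ignored) into three integers."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)[A-Za-z]*", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g) for g in m.groups())

def issu_version_check(src, dst):
    """Return (allowed, reason) for the version-pair rules only."""
    if src in NO_ISSU or dst in NO_ISSU:
        return False, "ISSU is not supported with this software version"
    s, d = parse(src), parse(dst)
    if s[0] != d[0]:
        return False, "different major release trains"
    if d <= s:
        return False, "target is not newer; ISSU downgrades are not supported"
    if s[:2] not in EM_RELEASES or d[:2] not in EM_RELEASES:
        return False, "source or target is not an EM release"
    if s[:2] == d[:2]:
        return True, "release within the same EM"
    return True, "EM to another EM in the same major train"

if __name__ == "__main__":
    for pair in [("16.9.2", "16.12.1"), ("16.10.1", "16.12.1"),
                 ("16.12.1", "17.3.1"), ("17.6.1", "17.3.1")]:
        print(pair, issu_version_check(*pair))
```

A result of True means only that the version pair passes these rules; the remaining ISSU restrictions in this section still apply.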
-
M.2 SATA SSD drive: With bootloader version 16.6.2r, you cannot access the M.2 SATA SSD drive at the ROMMON prompt (rommon> dir disk0). The system displays an error message indicating that the corresponding file system protocol is not found on the device. The only way to access the drive when on bootloader version 16.6.2r is through the Cisco IOS prompt, after boot up.
-
No service password recovery—With ROMMON versions R16.6.1r and R16.6.2r, the 'no service password-recovery' feature is not available.
-
QoS restrictions
-
When configuring QoS queuing policy, the sum of the queuing buffer should not exceed 100%.
-
Policing and marking policy on sub interfaces is supported.
-
Marking policy on switched virtual interfaces (SVI) is supported.
-
QoS policies are not supported for port-channel interfaces, tunnel interfaces, and other logical interfaces.
-
Stack Queuing and Scheduling (SQS) drops CPU bound packets exceeding 1.4 Gbps.
-
-
Redundancy—The supervisor module (hardware) supports redundancy. Software redundancy is supported starting with Cisco IOS XE Everest 16.6.2. However, the associated route processor redundancy (RPR) feature is not supported. Quad-supervisor with Route Processor Redundancy (RPR) with Cisco StackWise Virtual is also not supported.
Before performing a switchover, use the show redundancy, show platform, and show platform software iomd redundancy commands to ensure that both the SSOs have formed and that the IOMD process is completed.
In the following sample output for the show redundancy command, note that both the SSOs have formed.
Switch# show redundancy
Redundant System Information :
------------------------------
Available system uptime = 3 hours, 30 minutes
Switchovers system experienced = 2
Standby failures = 0
Last switchover reason = active unit removed

Hardware Mode = Duplex
Configured Redundancy Mode = sso
Operating Redundancy Mode = sso
Maintenance Mode = Disabled
Communications = Up

Current Processor Information :
-------------------------------
Active Location = slot 3
Current Software state = ACTIVE
Uptime in current state = 2 hours, 57 minutes
Image Version = Cisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.8.1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Tue 27-Mar-18 13:43 by mcpre
BOOT = bootflash:packages.conf;
CONFIG_FILE =
Configuration register = 0x1822

Peer Processor Information :
----------------------------
Standby Location = slot 4
Current Software state = STANDBY HOT
Uptime in current state = 2 hours, 47 minutes
Image Version = Cisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.8.1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Tue 27-Mar-18 13:43 by mcpre
BOOT = bootflash:packages.conf;
CONFIG_FILE =
Configuration register = 0x1822
In the following sample output for the show platform software iomd redundancy command, note that both SSOs have formed and the HA_STATE field is ready.
Switch# show platform software iomd redundancy
Configured Redundancy Mode = sso
Operating Redundancy Mode = sso
Local RF state = ACTIVE
Peer RF state = STANDBY HOT

slot  PSM STATE  SPA INTF  HA_STATE  HA_ACTIVE
1     ready      started   ready     00:01:16
2     ready      started   ready     00:01:22
3     ready      started   ready     00:01:27 ***active RP
4     ready      started   ready     00:01:27
<output truncated>
In the following sample output for the show platform command, note that the State for all the linecards and supervisor modules is ok. This indicates that the IOMD processes are completed.
Switch# show platform
Chassis type: C9407R

Slot      Type                State                 Insert time (ago)
--------- ------------------- --------------------- -----------------
1         C9400-LC-24XS       ok                    3d09h
2         C9400-LC-48U        ok                    3d09h
R0        C9400-SUP-1         ok, active            3d09h
R1        C9400-SUP-1         ok, standby           3d09h
P1        C9400-PWR-3200AC    ok                    3d08h
P2        C9400-PWR-3200AC    ok                    3d08h
P17       C9407-FAN           ok                    3d08h
<output truncated>
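The three pre-switchover checks described above can be automated against collected command output. The following is an added example, not Cisco tooling; it assumes the output has already been captured as text, uses abridged copies of this page's sample output as input, and reports a problem when the slot tables are missing rather than treating empty output as healthy.

```python
import re

# Abridged from the sample outputs shown in this release note.
SHOW_REDUNDANCY = """\
Operating Redundancy Mode = sso
Current Software state = ACTIVE
Current Software state = STANDBY HOT
"""
SHOW_IOMD = """\
Peer RF state = STANDBY HOT
slot PSM STATE SPA INTF HA_STATE HA_ACTIVE
1 ready started ready 00:01:16
3 ready started ready 00:01:27 ***active RP
4 ready started ready 00:01:27
"""
SHOW_PLATFORM = """\
Slot Type State Insert time (ago)
1 C9400-LC-24XS ok 3d09h
R0 C9400-SUP-1 ok, active 3d09h
R1 C9400-SUP-1 ok, standby 3d09h
"""

def _pairs(text):
    """Extract 'key = value' lines as (key, value) tuples."""
    return re.findall(r"^[ \t]*([^=\n]+?)[ \t]*=[ \t]*(.*?)[ \t]*$", text, re.M)

def switchover_blockers(redundancy, iomd, platform):
    """Return the reasons a switchover should not be started yet."""
    problems = []
    red = _pairs(redundancy)
    if ("Operating Redundancy Mode", "sso") not in red:
        problems.append("operating redundancy mode is not sso")
    states = sorted(v for k, v in red if k == "Current Software state")
    if states != ["ACTIVE", "STANDBY HOT"]:
        problems.append(f"processor states are {states}")
    if ("Peer RF state", "STANDBY HOT") not in _pairs(iomd):
        problems.append("IOMD peer RF state is not STANDBY HOT")
    # IOMD rows: slot, PSM STATE, SPA INTF, HA_STATE, HA_ACTIVE (hh:mm:ss)
    ha_row = r"^[ \t]*(\d+)[ \t]+\S+[ \t]+\S+[ \t]+(\S+)[ \t]+\d\d:\d\d:\d\d"
    rows = re.findall(ha_row, iomd, re.M)
    # Platform rows: slot, type, state ("ok", "ok, active", ...), insert time
    plat_row = r"^[ \t]*([A-Z]?\d+)[ \t]+\S+[ \t]+(.+?)[ \t]+\S+[ \t]*$"
    prows = re.findall(plat_row, platform, re.M)
    if not rows or not prows:
        problems.append("slot table missing from IOMD or platform output")
    problems += [f"slot {s} HA_STATE is {h}" for s, h in rows if h != "ready"]
    problems += [f"slot {s} state is {st}" for s, st in prows if not st.startswith("ok")]
    return problems
```

An empty list means all three outputs match the healthy state shown in the samples; any other result lists what to resolve before the switchover.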
-
Secure Shell (SSH)
-
Use SSH Version 2. SSH Version 1 is not supported.
-
When the device is running SCP and SSH cryptographic operations, expect high CPU until the SCP read process is completed. SCP supports file transfers between hosts on a network and uses SSH for the transfer.
Since SCP and SSH operations are currently not supported on the hardware crypto engine, running encryption and decryption processes in software causes high CPU. The SCP and SSH processes can show as much as 40 or 50 percent CPU usage, but they do not cause the device to shut down.
-
-
Smart Licensing Using Policy: Starting with Cisco IOS XE Amsterdam 17.3.2a, with the introduction of Smart Licensing Using Policy, even if you configure a hostname for a product instance or device, only the Unique Device Identifier (UDI) is displayed. This change in the display can be observed in all licensing utilities and user interfaces where the hostname was displayed in earlier releases. It does not affect any licensing functionality. There is no workaround for this limitation.
The licensing utilities and user interfaces that are affected by this limitation include only the following: Cisco Smart Software Manager (CSSM), Cisco Smart License Utility (CSLU), and Smart Software Manager On-Prem (SSM On-Prem).
This limitation is removed from Cisco IOS XE Cupertino 17.9.1. If you configure a hostname and disable hostname privacy (no license smart privacy hostname global configuration command), hostname information is sent from the product instance and displayed on the applicable user interfaces (CSSM, CSLU, SSM On-Prem). For more information, see the command reference for this release.
-
TACACS legacy command: Do not configure the legacy tacacs-server host command; this command is deprecated. If the software version running on your device is Cisco IOS XE Gibraltar 16.12.2 or a later release, using the legacy command can cause authentication failures. Use the tacacs server command in global configuration mode.
-
Uplink Symmetry—When a redundant supervisor module is inserted, we recommend that you have symmetric uplinks, to minimize packet loss during a switchover.
Uplinks are said to be in symmetry when the same interface on both supervisor modules has the same type of transceiver module. For example, a TenGigabitEthernet interface with no transceiver installed operates at a default 10G mode; if the matching interface of the other supervisor has a 10G transceiver, then they are in symmetry. Symmetry provides the best SWO packet loss and user experience.
Asymmetric uplinks have one or more pairs of interfaces in one supervisor not matching the transceiver speed of the other supervisor.
-
USB Authentication—When you connect a Cisco USB drive to the switch, the switch tries to authenticate the drive against an existing encrypted preshared key. Since the USB drive does not send a key for authentication, the following message is displayed on the console when you enter the password encryption aes command:
Device(config)# password encryption aes
Master key change notification called without new or old key
-
MACsec is not supported on Software-Defined Access deployments.
-
VLAN Restriction—It is advisable to have well-defined segregation while defining data and voice domain during switch configuration and to maintain a data VLAN different from voice VLAN across the switch stack. If the same VLAN is configured for data and voice domains on an interface, the resulting high CPU utilization might affect the device.
-
YANG data modeling limitation—A maximum of 20 simultaneous NETCONF sessions are supported.
-
Embedded Event Manager—Identity event detector is not supported on Embedded Event Manager.
-
The File System Check (fsck) utility is not supported in install mode.