Update Summary

Cisco IOS XE 17.17.1 for Cisco Catalyst 9300 Series Switches adds CTS role-based enforcement, LLDP on the management port for 9300-L, and new programmability and security enhancements. It also renames `ecomode` to `auto-off` and includes caveat CSCvu14870.

Update Details

Security

  • Strict-KEX strengthens SSH by terminating connections on unexpected or out-of-sequence packets and resetting sequence numbers after key exchange.
  • CTS Role-Based Enforcement enables SGACL enforcement at the port-channel level for Cisco TrustSec.
  • Support for sensitive CLIs with CRUD on Meraki adds secure SNMPv3 user configuration via NETCONF with AES, DES, and DES3 encryption and avoids plaintext exposure in running-config and get-config.
  • Cisco TrustSec can be configured only on physical interfaces, not logical interfaces.
  • MACsec switch-to-host connections in an overlay network are not supported; Cisco recommends switch-to-switch MACsec only.

New Features

  • CTS Role-Based Enforcement for SGACL enforcement at the port-channel level.
  • LLDP support on the management port of Cisco Catalyst 9300-L Series Switches for Zero-Touch provisioning.
  • On-change subscriptions for location-aware YANG models.
  • New YANG data models are available for this release.
  • Support for sensitive CLIs with CRUD on Meraki via NETCONF.

Known Issues

  • CSCvu14870: Cat9k archive command can cause a bulk sync failure and reload the standby switch.

Hints

  • The `hw-module switch ecomode` command is renamed to `hw-module switch auto-off`, and `ecomode` under stack power configuration is replaced with `auto-off`.
  • Use `install` commands for upgrades and downgrades; `request platform software` commands are deprecated.
  • For install-mode upgrades, the switch must boot from `flash:packages.conf`.
  • When downgrading from newer releases to older ones, microcode may need to be downgraded manually for some UPOE models if install commands are not used.
  • ROMMON in the primary SPI flash upgrades automatically on first upgrade to a release with a newer ROMMON; the golden SPI flash ROMMON must be upgraded manually.
  • Starting with Cisco IOS XE 17.10, `diffie-hellman-group14-sha1`, `hmac-sha1`, `hmac-sha2-256`, and `hmac-sha2-512` are removed from the default SSH algorithm list.
  • Hidden commands now require `service internal` for Category 1 commands and generate a `%PARSER-5-HIDDEN` syslog message when used.

Product Information

Vendor: Cisco

Product: IOS XE

Version: 17.17.1

Release date: Mar 31, 2025