Update Summary

Cisco IOS XE 17.17.x for Cisco Catalyst 9400 Series Switches adds CTS Role-Based Enforcement, Strict-KEX, uplink sequencing, and new hardware support, including QSFP-100G-LR-S and C9400-PWR-2100ACT. Release 17.17.1 also resolves several switch and link issues and includes upgrade, ROMMON, and CPLD guidance.

Update Details

Security

  • CTS Role-Based Enforcement enhances Cisco TrustSec by enforcing SGACLs at the port-channel level.
  • Strict-KEX strengthens SSH security by terminating connections on unexpected or out-of-sequence packets and resetting sequence numbers after key exchange.
  • Support for sensitive CLIs with CRUD on Meraki introduces secure SNMPv3 user configuration via NETCONF with AES, DES, and DES3 encryption and avoids plaintext exposure in running-config and get-config.

Bug Fixes

  • Resolved link flap between C9400X-SUP-2XL and Nexus 9300 with specific QSFP 40Gig optics.
  • Resolved interfaces on Haig48 Prime LC not coming up with SFP-10G-T-X.
  • Resolved C9400-LC-48U port group entering err-disable due to internal packet looping.
  • Resolved link not coming up for QSFP-100G-AOCxM.

New Features

  • Cisco 100GBASE QSFP-100G module support for QSFP-100G-LR-S on C9400X-SUP-2 and C9400X-SUP-2XL.
  • C9400-PWR-2100ACT 2100W AC Titanium power supply support.
  • On-change subscriptions for location-aware YANG models.
  • Uplink Sequencing to bring uplinks up before downlinks during boot.
  • WebUI has no new features in this release.

Known Issues

  • Open caveat: CSCvu14870, Cat9k archive command can cause bulk sync failure and standby reload.
  • CoPP running-config output does not show default classes under system-cpp policy; use policy-map commands instead.
  • Flexible NetFlow cannot use the Ethernet management port, logical interfaces, or multiple same-type monitors in the same direction on one interface.
  • ISSU is not supported between major release trains, on engineering special releases, or between LDPE and NPE images.
  • Golden ROMMON upgrade is only applicable to Cisco IOS XE Amsterdam 17.3.5 and later, and fails if the FPGA version is 17101705 or older.

Hints

  • Upgrade in install mode requires booting from boot flash:packages.conf and at least 1 GB free flash space.
  • Do not power cycle the switch or remove supervisor modules during upgrade; simultaneous dual-supervisor upgrade from Cisco IOS XE Everest 16.6.1 can damage hardware.
  • ROMMON upgrades may occur automatically on the primary SPI flash; golden ROMMON must be upgraded manually with upgrade rom-monitor capsule golden switch.
  • CPLD upgrades are manual and can temporarily interrupt uplink connectivity; upgrade supervisors one at a time in HA or StackWise Virtual setups.
  • Use SSH version 2 only; SSH version 1 is not supported.
  • Starting with Cisco IOS XE 17.10, diffie-hellman-group14-sha1, hmac-sha1, hmac-sha2-256, and hmac-sha2-512 are removed from the default SSH algorithm list.
  • The command service-routing mdns-sd is deprecated; use mdns-sd gateway instead.
  • The legacy tacacs-server host command is deprecated and can cause authentication failures on Cisco IOS XE Gibraltar 16.12.2 and later.

Product Information

Vendor: Cisco

Product: IOS XE

Version: 17.17.1

Release date: Mar 31, 2025