Skip to main content

 

Cisco Meraki Documentation

Cloud-Native IOS XE Overview

  1. Last updated
  2. Save as PDF
This article provides an overview of the new cloud-native IOS XE and what are the impacts and highlights of the transition to the new architecture for cloud-managed switches. Learn more about the supported models and behavioral changes for the Meraki management interface.

Introduction

The release of cloud-native IOS XE to the Meraki Dashboard marks the transition from a container-based architecture to one that is based on native IOS XE, with support for Meraki cloud management.

  • The native IOS XE based architecture unlocks many benefits for your cloud-managed Cisco Catalyst switches, including the 9300-M, 9300X-M, 9300L-M and MS390 families. This includes faster boot and initialization performance, especially for stacks, and the start of a new generation of capabilities we will deliver with faster speed.
  • It introduces the ability to perform CLI show commands directly from Meraki dashboard.
  • With the beta release, your switch(es) will upgrade and transition from CS firmware to cloud-native IOS XE 17.15.2, managed by Meraki Cloud.
  • With customer approval, support access via SSH can be permitted over the secured crypto TLS tunnel used by devices to connect to the Meraki Dashboard.

Existing cloud-managed Catalyst switches should be running on CS16 or CS17 firmware before upgrading to the latest version of Cloud-native IOS XE 17.15.2.

Supported Models

NOTE: ATTEMPTING TO MIGRATE UNSUPPORTED MODELS SUCH AS C9200CX MAY RESULT IN A UNUSABLE SWITCH, AND MAY VOID THE DEVICE WARRANTY. PLEASE REVIEW THE LIST OF SUPPORTED MODELS BEFORE PROCEEDING WITH THE UPGRADE.

Family  Models

Catalyst 9200L
(Migration only)

C9200L-24T-4X , C9200L-24P-4X, C9200L-48T-4X , C9200L-48P-4X , C9200L-48PL-4X , C9200L-24PXG-4X , C9200L-48PXG-4X , C9200L-24PXG-2Y , C9200L-48PXG-2Y , C9200L-24T-4G , C9200L-24P-4G , C9200L-48T-4G , C9200L-48P-4G , C9200L-48 PL-4G

Catalyst 9300-M

C9300-24T-M, C9300-24P-M, C9300-24U-M , C9300-24UX-M , C9300-48T-M , C9300-48P-M , C9300-48U-M , C9300-48UXM-M , C9300-48UN-M , C9300-24S-M, C9300-48S-M , C9300X-12Y-M, C9300X-24Y-M, C9300X-48HXN-M, C9300X-24HX-M, C9300X-48HX-M, C9300X-48TX-M, C9300L-24P-4X-M, C9300L-24T-4X-M, C9300L-24UXG-4X-M, C9300L-48P-4X-M, C9300L-48PF-4X-M, C9300L-48T-4X-M, C9300L-48UXG-4X-M, and its corresponding Catalyst switch SKUs for migration.

MS390

MS390-24-HW, MS390-24P-HW, MS390-24U-HW, MS390-24UX-HW, MS390-48-HW, MS390-48P-HW, MS390-48U-HW, MS390-48UX-HW, MS390-48UX2-HW

Before You Upgrade or Migrate: Key Considerations

Downgrading from Cloud-Native IOS XE is restricted

Due to complexities in restoring the container-based architecture, downgrades from cloud-native IOS XE to any prior CS firmware via the dashboard is restricted. A factory reset may be required and support assistance will be necessary. Please consider this before upgrading your production network to the cloud-native IOS XE version. 

Please note that it could take longer than normal - up to a day, to assign an appropriate support team to assist with a downgrading request. 

Onboarding your CLI/DNA-managed Catalyst

After migrating to cloud management, please note that remote access (serial console and SSH) are no longer available. All management access can now be accessed through the cloud dashboard or the local status page via the rear management port.

Migrating a Layer 3 (L3) Switch 

Prior to cloud-native IOS XE, L3 switches required at least two IP addresses, one for the management IP and a second for the L3 Switch Virtual Interface (SVI). You cannot route traffic through the management-IP, it essentially worked as an out-of-band management interface. In cloud-native IOS XE, the Meraki management interface is now combined with a Layer 3 uplink SVI, using one single IP address, rather than two.

To use Layer3 SVI's with cloud-native IOS XE, the following requirements/conditions apply:

  • Static IP on management/uplink SVI. It's highly recommended to configure your management interface to use a static IP address prior to upgrading.

  • If you upgrade from Container-based (CS) firmware to Cloud-Native IOS-XE be aware of the following:

    • If you have the management interface on the same VLAN as a configured L3 SVI, the SVI IP address will override the management interface address, and the management interface IP address will be erased. This is done to attempt to preserve L3 routability in the network, but may result in the loss of management traffic such as SNMP or RADIUS when the management IP address changes. For example:

      • Management interface has a static IP of 10.10.10.130 on vlan 10

      • There is also an SVI on VLAN 10 configured for 10.10.10.254 with a default route of 10.10.10.1

      • After the upgrade, the switch will use 10.10.10.254

    • If you have the management interface on a unique VLAN with no overlapping SVI, then the management interface will become a new uplink SVI.

    • If your management IP is configured for DHCP, you are required to assign a static IP address to the uplink SVI before other L3 SVIs can be created. Static addressing is considered a Cisco best practice for Layer 3 switch deployments.

Set your network to cloud-native IOS XE firmware first

To onboard a DNA-managed switch to the dashboard in cloud mode, ensure you claim the switch into a network already configured for cloud-native IOS XE. Claiming it into a network configured for CS firmware may have unexpected results.

Licensing

The same 30-day grace period is available for Catalyst switches onboarded to the Cloud Dashboard, enabling customers to trial cloud mode before making a full commitment. A valid DNA license can be converted to a Meraki cloud license through a qualified promotion process. Refer to the quick start guide page 4 for more details. http://cs.co/9005aw6VH

Changes in Behavior

Management Interface Architecture


The management interface is now a Layer 3 (L3) interface. Previously, switches running CS firmware needed a specific management IP address. Now, management is handled by any L3 interface. All settings related to management connectivity and L3 interfaces can now be found on the Routing & DHCP page. For switches that only support Layer 2 (L2), DHCP functionality is available, but enabling L3 functionality requires setting a static management IP address first.

Watch this video to learn more about this change.

Screenshot 2025-01-30 at 9.41.24 PM.png

Step-by-step guide to configure a switch with Static IP

1. Navigate to your switch details side bar.

2. Set the option to “Static IP”.

2025-01-31_14-19-36 (1).gif

2. You will be automatically redirected to the Router & DHCP page.

3. On the Router & DHCP page, create a new Layer 3 (L3) Interface.

4. Select "V4 Uplink" to designate this interface as the uplink.

2025-01-31_14-36-26 (1).gif

4. To change back to DHCP, go to the Switch Details Side Bar.

5. Change the setting from "Static IP" back to "DHCP."
2025-01-31_14-31-08 (1).gif

Step-by-step guide to change your uplink L3 interface

1. Either create a new L3 interface or choose an existing one.

2. Select “V4 Uplink”.

3. Enter the required Gateway and DNS values.

Screenshot 2025-01-30 at 9.44.01 PM.png

Please see the following additional scenarios for details:

Layer 2 Migration:

When a L2 switch is upgraded to Cloud-native IOS XE, the management interface settings are transitioned to an L3 interface. A DHCP management interface will be converted to a DHCP L3 interface, while static management interfaces will be converted to static L3 interfaces.

Screenshot 2025-01-30 at 9.47.28 PM.png

L3 Migration – with overlapping VLANs

When the Management-IP VLAN overlaps with an L3 interface VLAN, the L3 interface is migrated.

This may impact: 

  • AMI
  • RADIUS
  • Syslog
  • SNMP

Resolve the overlap prior to upgrade or reconfigure services after.

Screenshot 2025-01-30 at 9.48.10 PM.png

L3 Migration – with unique VLANs

When the Management IP VLAN is different from the L3 interface VLANs, both VLANs are migrated. This results in two default routes:

  • Management traffic uses one route, determined by the UAC (use the command sh uac uplink)
  • User traffic is load balanced

You will need to decide which route to retain.

clipboard_e9f3faac8a8fae7bf7ba06e284b7751a3.png

Default Port Modules

Upgrading to the cloud-native IOS XE 17.15 firmware simplifies the network module configuration. When a module is not installed, the configuration is consolidated into eight default ports. Once a network module is installed, these ports are automatically mapped to the appropriate interfaces. Previously, each potential network module required its own unique configuration. For instance, configuring a 48-port switch required configuring 98 ports to accommodate every possible module. Now, there are only 56 ports (48+8) needed to support both current and future modules.

Watch this video to learn more about this change.

 

clipboard_ec333ddb296a8acd09e422072be40f09f.png

Safe-Config and Rollback

When upgrading to the cloud-native IOS XE firmware, if your switch fails to come online after transitioning from CS firmware, it will automatically revert to the CS/Container firmware after a period of 2 hours.

It is important not to reboot or factory reset the switch during this 2-hour window, as this may corrupt the rollback configuration and hinder the switch's recovery and will ultimately corrupt the rollback configuration. If, after 2 hours, the switch has not recovered or connected to the dashboard, please contact support. Once the switch has successfully recovered, it will not attempt the upgrade again for another 2 hours.

Additionally, if the switch successfully upgrades to the cloud-native firmware, ensure it remains online and connected for 30 minutes following the upgrade. This duration allows the configuration to be marked as safe and committed.

Layer 3 SVI Behavior

Prior to cloud-native IOS XE, Layer3 Meraki switches required at least two IP addresses, one for the management IP and a second for the Layer3 Switch Virtual Interface (SVI). You cannot route traffic through the management-IP, it essentially worked as an out-of-band management interface. In cloud-native IOS XE, the Meraki management interface is now combined with a Layer 3 uplink SVI, using one single IP address, rather than two.

To use Layer3 SVI's with cloud-native IOS XE, the following requirements/conditions apply:

  • The management/uplink SVI must be configured for a static IP address. It's highly recommended to configure your management interface to use a static IP address prior to upgrading.
  • If you upgrade from Container-based (CS) firmware to Cloud-Native IOS-XE be aware of the following:
    • If you have the management interface on the same VLAN as a configured L3 SVI, the SVI IP address will override the management interface address, and the management interface IP address will be erased. This is done to attempt to preserve L3 routability in the network, but may result in the loss of management traffic such as SNMP or RADIUS when the management IP address changes. For example:
      • Management interface has a static IP of 10.10.10.100 on vlan 10
      • There is also an SVI on VLAN 10 configured for 10.10.10.200.
      • After the upgrade, the switch will use 10.10.10.200.
    • If you have the management interface on a unique VLAN with no overlapping SVI, then the management interface will become a new uplink SVI.
    • If your management IP is configured for DHCP, you be required to assign a static IP address to the uplink SVI before other L3 SVIs can be created. Static addressing is considered a Cisco best practice for Layer 3 switch deployments.

Spanning Tree Changes

Spanning-Tree Protocol (STP) behaves differently in cloud-native IOS XE 17.15.1 onwards.

  • CS17 and cloud-native IOS XE 17.15.1+ exhibit different behaviors in their handling of Spanning Tree Protocol (STP).
  • Cloud-native IOS XE runs Multiple Spanning Tree Protocol (MSTP) with PVST simulation enabled and changes the MSTP region identifier to the switch's MAC ID. 

spanning tree mode

  • For spanning-tree root bridges, MSTP is preferred and remains compatible with Rapid-PVST+ as long as VLAN 1 is allowed on the trunk. If VLAN 1 is not configured on the uplink, the downstream Cloud-Native IOS XE/MSTP switch will become the root for all VLANs.

LED Behavior

The system LED on the switch indicates the system status, including the progress of booting and connecting to the Meraki dashboard without logging in into the system or Dashboard. The MS390 switch has a rainbow system LED to indicate the system state. This rainbow LED is not available on Catalyst 9000 hardware. Blue Beacon LED button and the System LED are instead used on Catalyst 9000 hardware to indicate the system status.

  • Cloud Native IOS XE firmware continues to use the rainbow LED in the MS390 and Blue Beacon and system LEDs in Catalyst 9000 to provide system status.

    • For the LED behaviour of cloud-managed Catalyst 9000 switches please refer to the table in our Catalyst 9300/X/L-M Series Installation Guide. It stays the same in the cloud-native IOS XE firmware.

    • For the LED behaviour of MS390 please refer to our documentation on MS390 Series Installation Guide. However, cloud-native IOS XE with MS390 adds two additional stages (taken from Catalyst 9000), described below:

MS390 Stage

Rainbow LED

Comments

System error: Switch failed to complete local provisioning

Solid Amber

New LED Scheme

There is a fault with the power supply, fan, or network module (not traffic-related)

Alternatively blinking Amber and White

New LED Scheme

Upgrade Paths to Cloud-Native IOS XE

Product How to move to cloud-native IOS XE Process Documentation

C9300-M/MS390 (Cloud-Managed Catalyst)

Firmware Upgrade for Cloud-Managed Catalyst Switching (CS16/17 to Cloud Native IOS XE) via Meraki Dashboard

Upgrade Steps for Cloud-managed Catalyst Switches

C9300 and C9200L (DNA-managed Catalyst)

Switch Migration from DNA Management Mode to Meraki Management Mode via CLI

Migration from CLI-managed Catalyst Switches to Meraki-managed Mode

Unsupported features on IOS XE 17.15.2

Please note that the following features are not yet available in cloud-native IOS XE but will be addressed in subsequent releases. 

  • SmartPorts 

  • MAC Blocklist

  • Digital Optical Monitoring (DOM)

  • RSPAN / VLAN SPAN

  • IPv6 RA Guard / DHCP Guard

  • WarmSpare / VRRP

  • HTTP Proxy 

  • SNMP v3 

  • Sticky MAC 

  • Encrypted Traffic Analytics (ETA)

  • Dynamic ARP Inspection (DAI) Auto-Uplink

  • Alternate Management Interface (AMI)

  • Port Schedules

  • Meraki Auth

  • Client Tracking on 10G-MGig, 25G, 40G and 100G ports

  • Netflow on IPv6

  • Adaptive Policy and SGT

We value your feedback on our latest release! Please take a moment to complete this brief 5-minute survey and share your experience with us.

 

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
    Stage
    Final
  2. Tags
    This page has no tags.