Cloud Operating Mode for Catalyst Cloud-Managed Switches Overview
The firmware required for Catalyst cloud-managed switches operating in cloud mode, cloud-native IOS XE, is currently a stable release candidate (RC). The latest version 17.15.3, is now available!
For cloud-managed Catalyst switches running CS firmware upgrading to cloud-native IOS XE 17.15.3 version: Please note that after upgrading to any cloud-native IOS XE release, downgrading to CS firmware is restricted. Factory reset may be required, and support assistance will be necessary. Learn more
With the release of IOS XE 17.15, we are beginning an exciting transition from a container-based architecture to one based on native IOS XE with support for Meraki cloud management.
This drastically simpler architecture unlocks many benefits for your cloud-managed Cisco Catalyst switches, including the 9300-M, 9300X-M, 9300L-M and MS390 families. This includes faster boot and initialization performance, especially for stacks, and the start of a new generation of capabilities we will deliver with faster speed. It also introduces the ability to perform CLI show commands directly from Dashboard!
Starting with cloud-native IOS XE 17.15.1, your switch(es) can upgrade and transition from CS firmware to the latest cloud-native IOS XE version 17.15.3, managed by Meraki Cloud.
Key highlights
-
Introducing a new onboarding flow for cloud and hybrid operating modes: two powerful ways to manage your Catalyst 9000 switches from the Meraki dashboard. These modes give you the flexibility to choose between a fully cloud-managed experience (cloud operating mode) or a hybrid approach (previously referred to as cloud monitoring), that offers configuration via an embedded cloud CLI while leveraging the cloud for monitoring and troubleshooting. Learn more.
-
Management Interface Architecture Change: a dedicated management interface is no longer required.
-
Default Network Module: this enhancement simplifies and consolidates network module configuration into 8 default ports that get applied dynamically to any inserted network module. (Watch this video to learn more about this change or see the Cloud Operating Mode for Catalyst Cloud-Managed Switches Overview documentation)
-
Standardized Cisco Logging and Interface Naming
-
Configuration Templates
-
Adaptive Policy
-
Storm Control
-
Radius Multi-Auth (dot1X)
-
Device Uptime
-
802.1X Control Direction
-
Meraki Authentication (Meraki Auth)
-
Alternate Management Interface (AMI)
-
Port Schedules
-
C9200L Hardware Platform Support (see supported models below)
-
SNMPv3
-
Encrypted Traffic Analytics
-
Energy Efficient Ethernet
-
MAC Allow Lists
For further details, please refer to the release notes on the cloud dashboard.
Share Your Post-upgrade Feedback!
We value your feedback on our latest release! Please take a moment to complete this brief 5-minute survey and share your experience with us.
Available Firmware and Migration Paths
Category |
Product |
Firmware Needs |
Path |
Firmware Upgrade for Cloud-Managed Catalyst Switching
|
Cloud-Managed Catalyst 9300/MS390 |
NEW! Cloud native IOS XE (currently available as a stable release candidate, version 17.15.3) |
Upgrade from CS16/17 to Cloud Native IOS XE following the steps documented in Upgrade Steps for Cloud-Managed Catalyst Switches in Cloud Operating Mode. |
Cloud-Managed Catalyst 9300/MS390 |
CS17 GA |
Stay or upgrade to CS17 (container-based) by referring to our documentation on MS and CS Firmware Features Directory |
|
Switching Migration from DNA Management Mode to Meraki Management Mode
|
Catalyst 9300 and C9200L from DNA |
NEW! Cloud native IOS XE (currently available as a stable release candidate, version 17.15.3) |
* Special release required. Follow the migration process documented in Migration from CLI-managed Catalyst Switches to Meraki Cloud Operating Mode. (Note that C9200L migration is only supported with Cloud Native IOS XE) |
Catalyst 9300 |
CS17 GA |
Follow the migration process documented in Migrating DNA Management Mode to Meraki Management Mode (Migrated switches will run CS) |
Prerequisites
Cloud-managed Catalyst switches that are being scheduled for an upgrade from any CS firmware version to the latest Cloud-native IOS XE version (17.15.x) should first meet the minimum CS firmware requirement of CS16 or CS17 version before upgrading.
Supported Models
ATTEMPTING TO MIGRATE UNSUPPORTED MODELS SUCH AS C9200CX MAY RESULT IN A UNUSABLE SWITCH, AND MAY VOID THE DEVICE WARRANTY. PLEASE REVIEW THE LIST OF SUPPORTED MODELS BEFORE PROCEEDING WITH THE UPGRADE.
9200L stacks of 5 or more switches running IOS XE 17.15.3 or earlier versions may encounter an issue migrating to cloud operating mode or upgrading firmware. For stacks of 5 or more 9200L switches, it is recommended to wait for IOS XE 17.15.4.
Family | Models |
Catalyst 9200L |
C9200L-24T-4X , C9200L-24P-4X, C9200L-48T-4X , C9200L-48P-4X , C9200L-48PL-4X , C9200L-24PXG-4X , C9200L-48PXG-4X , C9200L-24PXG-2Y , C9200L-48PXG-2Y , C9200L-24T-4G , C9200L-24P-4G , C9200L-48T-4G , C9200L-48P-4G , C9200L-48 PL-4G |
Catalyst 9300-M |
C9300-24T-M, C9300-24P-M, C9300-24U-M , C9300-24UX-M , C9300-48T-M , C9300-48P-M , C9300-48U-M , C9300-48UXM-M , C9300-48UN-M , C9300-24S-M, C9300-48S-M , C9300X-12Y-M, C9300X-24Y-M, C9300X-48HXN-M, C9300X-24HX-M, C9300X-48HX-M, C9300X-48TX-M, C9300L-24P-4X-M, C9300L-24T-4X-M, C9300L-24UXG-4X-M, C9300L-48P-4X-M, C9300L-48PF-4X-M, C9300L-48T-4X-M, C9300L-48UXG-4X-M, and its corresponding Catalyst switch SKUs for migration. |
MS390 |
MS390-24-HW, MS390-24P-HW, MS390-24U-HW, MS390-24UX-HW, MS390-48-HW, MS390-48P-HW, MS390-48U-HW, MS390-48UX-HW, MS390-48UX2-HW |
Before You Upgrade or Migrate: Key Considerations
Downgrading from Cloud-Native IOS XE is restricted
Due to complexities in restoring the container-based architecture, downgrades from cloud-native IOS XE to any prior CS firmware via the dashboard is restricted. A factory reset may be required and support assistance will be necessary. Please consider this before upgrading your production network to the cloud-native IOS XE version.
Please note that it could take longer than normal - up to a day, to assign an appropriate support team to assist with a downgrading request.
Onboarding your CLI/DNA-managed Catalyst
After migrating to cloud management, please note that remote access (serial console and SSH) are no longer available. All management access can now be accessed through the cloud dashboard or the local status page via the rear management port.
Migrating a Layer 3 (L3) Switch
Prior to cloud-native IOS XE, L3 switches required at least two IP addresses, one for the management IP and a second for the L3 Switch Virtual Interface (SVI). You cannot route traffic through the management-IP, it essentially worked as an out-of-band management interface. In cloud-native IOS XE, the Meraki management interface is now combined with a Layer 3 uplink SVI, using one single IP address, rather than two.
To use Layer3 SVI's with cloud-native IOS XE, the following requirements/conditions apply:
-
Static IP on management/uplink SVI. It's highly recommended to configure your management interface to use a static IP address prior to upgrading. If your L3 SVIs default-route and management interface gateways are NOT the same, then all switch traffic will use the management interfaces DHCP acquired gateway as a next hop.
-
If you upgrade from Container-based (CS) firmware to Cloud-Native IOS-XE be aware of the following:
-
If you have the management interface on the same VLAN as a configured L3 SVI, the SVI IP address will override the management interface address, and the management interface IP address will be erased. This is done to attempt to preserve L3 routability in the network, but may result in the loss of management traffic such as SNMP or RADIUS when the management IP address changes. For example:
-
Management interface has a static IP of 10.10.10.130 on vlan 10
-
There is also an SVI on VLAN 10 configured for 10.10.10.254 with a default route of 10.10.10.1
-
After the upgrade, the switch will use 10.10.10.254
-
-
If you have the management interface on a unique VLAN with no overlapping SVI, then the management interface will become a new uplink SVI.
-
-
L3 SVI's configured as a client DHCPv4 server cannot also be configured as a preferred uplink. Configuring an interface as an uplink that is already configured as a DHCP server will have the DHCP server configuration removed.
-
Alternate Management Interface (AMI) configuration now requires a dedicated L3 SVI interface to be created on the switch. It is no longer configured from the switches side-bar. If you have configured the network to support AMI on a VLAN (ex. VLAN10), then every switch in that network must have a L3 SVI on the specified VLAN in order to use that interface as an AMI. If there is no L3 SVI interface on a switch that matches the AMI VLAN, then the management/uplink interface will be used as default.
Configure your network to cloud-native IOS XE firmware before adding your Catalyst switch operating in cloud mode to the network.
To onboard a DNA/CLI-managed switch to the dashboard in cloud mode, ensure you add the switch into a network already configured for cloud-native IOS XE firmware. Adding a switch into a network configured for CS firmware may have unexpected results.
Licensing
The same 30-day grace period is available for Catalyst switches onboarded to the Cloud Dashboard, enabling customers to trial cloud mode before making a full commitment. A valid DNA license can be converted to a Meraki cloud license through a qualified promotion process. Refer to the quick start guide page 4 for more details. http://cs.co/9005aw6VH
Changes in Behavior
Management Interface Architecture
The management interface is now a Layer 3 (L3) interface. Previously, switches running CS firmware needed a specific management IP address. Now, management is handled by any L3 interface. All settings related to management connectivity and L3 interfaces can now be found on the Routing & DHCP page. For switches that only support Layer 2 (L2), DHCP functionality is available, but enabling L3 functionality requires setting a static management IP address first.
Watch this video to learn more about this change.
Step-by-step guide to configure a switch with Static IP
1. Navigate to your switch details side bar.
2. Set the option to “Static IP”.
2. You will be automatically redirected to the Router & DHCP page.
3. On the Router & DHCP page, create a new Layer 3 (L3) Interface.
4. Select "V4 Uplink" to designate this interface as the uplink.
4. To change back to DHCP, go to the Switch Details Side Bar.
5. Change the setting from "Static IP" back to "DHCP."
Step-by-step guide to change your uplink L3 interface
1. Either create a new L3 interface or choose an existing one.
2. Select “V4 Uplink”.
3. Enter the required Gateway and DNS values.
Please see the following additional scenarios for details:
Layer 2 Migration:
When a L2 switch is upgraded to Cloud-native IOS XE, the management interface settings are transitioned to an L3 interface. A DHCP management interface will be converted to a DHCP L3 interface, while static management interfaces will be converted to static L3 interfaces.
L3 Migration – with overlapping VLANs
When the Management-IP VLAN overlaps with an L3 interface VLAN, the L3 interface is migrated.
This may impact:
- AMI
- RADIUS
- Syslog
- SNMP
Resolve the overlap prior to upgrade or reconfigure services after.
L3 Migration – with unique VLANs
When the Management IP VLAN is different from the L3 interface VLANs, both VLANs are migrated. This results in two default routes:
- Management traffic uses one route, determined by the UAC (use the command sh uac uplink)
- User traffic is load balanced
You will need to decide which route to retain.
Default Port Modules
Upgrading to the cloud-native IOS XE 17.15 firmware simplifies the network module configuration. When a module is not installed, the configuration is consolidated into eight default ports. Once a network module is installed, these ports are automatically mapped to the appropriate interfaces. Previously, each potential network module required its own unique configuration. For instance, configuring a 48-port switch required configuring 98 ports to accommodate every possible module. Now, there are only 56 ports (48+8) needed to support both current and future modules.
Watch this video to learn more about this change.
Safe-Config and Rollback
When upgrading to the cloud-native IOS XE firmware, if your switch fails to come online after transitioning from CS firmware, it will automatically revert to the CS/Container firmware after a period of 2 hours.
It is important not to reboot or factory reset the switch during this 2-hour window, as this may corrupt the rollback configuration and hinder the switch's recovery and will ultimately corrupt the rollback configuration. If, after 2 hours, the switch has not recovered or connected to the dashboard, please contact support. Once the switch has successfully recovered, it will not attempt the upgrade again for another 2 hours.
Additionally, if the switch successfully upgrades to the cloud-native firmware, ensure it remains online and connected for 30 minutes following the upgrade. This duration allows the configuration to be marked as safe and committed.
Layer 3 SVI Behavior
Prior to cloud-native IOS XE, Layer3 Meraki switches required at least two IP addresses, one for the management IP and a second for the Layer3 Switch Virtual Interface (SVI). You cannot route traffic through the management-IP, it essentially worked as an out-of-band management interface. In cloud-native IOS XE, the Meraki management interface is now combined with a Layer 3 uplink SVI, using one single IP address, rather than two.
To use Layer3 SVI's with cloud-native IOS XE, the following requirements/conditions apply:
- The management/uplink SVI must be configured for a static IP address. It's highly recommended to configure your management interface to use a static IP address prior to upgrading.
- If you upgrade from Container-based (CS) firmware to Cloud-Native IOS-XE be aware of the following:
- If you have the management interface on the same VLAN as a configured L3 SVI, the SVI IP address will override the management interface address, and the management interface IP address will be erased. This is done to attempt to preserve L3 routability in the network, but may result in the loss of management traffic such as SNMP or RADIUS when the management IP address changes. For example:
- Management interface has a static IP of 10.10.10.100 on vlan 10
- There is also an SVI on VLAN 10 configured for 10.10.10.200.
- After the upgrade, the switch will use 10.10.10.200.
- If you have the management interface on a unique VLAN with no overlapping SVI, then the management interface will become a new uplink SVI.
- If your management IP is configured for DHCP, you be required to assign a static IP address to the uplink SVI before other L3 SVIs can be created. Static addressing is considered a Cisco best practice for Layer 3 switch deployments.
- If you have the management interface on the same VLAN as a configured L3 SVI, the SVI IP address will override the management interface address, and the management interface IP address will be erased. This is done to attempt to preserve L3 routability in the network, but may result in the loss of management traffic such as SNMP or RADIUS when the management IP address changes. For example:
Spanning Tree Changes
Spanning-Tree Protocol (STP) behaves differently in cloud-native IOS XE 17.15.1 onwards.
- CS17 and cloud-native IOS XE 17.15.1+ exhibit different behaviors in their handling of Spanning Tree Protocol (STP).
- Cloud-native IOS XE runs Multiple Spanning Tree Protocol (MSTP) with PVST simulation enabled and changes the MSTP region identifier to the switch's MAC ID.
-
For spanning-tree root bridges, MSTP is preferred and remains compatible with Rapid-PVST+ as long as VLAN 1 is allowed on the trunk. If VLAN 1 is not configured on the uplink, the downstream Cloud-Native IOS XE/MSTP switch will become the root for all VLANs.
LED Behavior
The system LED on the switch indicates the system status, including the progress of booting and connecting to the Meraki dashboard without logging in into the system or Dashboard. The MS390 switch has a rainbow system LED to indicate the system state. This rainbow LED is not available on Catalyst 9000 hardware. Blue Beacon LED button and the System LED are instead used on Catalyst 9000 hardware to indicate the system status.
- Cloud Native IOS XE firmware continues to use the rainbow LED in the MS390 and Blue Beacon and system LEDs in Catalyst 9000 to provide system status.
-
For the LED behaviour of cloud-managed Catalyst 9000 switches please refer to the table in our Catalyst 9300/X/L-M Series Installation Guide. It stays the same in the cloud-native IOS XE firmware.
-
For the LED behaviour of MS390 please refer to our documentation on MS390 Series Installation Guide. However, cloud-native IOS XE with MS390 adds two additional stages (taken from Catalyst 9000), described below:
-
MS390 Stage |
Rainbow LED |
Comments |
System error: Switch failed to complete local provisioning |
Solid Amber |
New LED Scheme |
There is a fault with the power supply, fan, or network module (not traffic-related) |
Alternatively blinking Amber and White |
New LED Scheme |
Upgrade Paths to Cloud-Native IOS XE
Product | How to move to cloud-native IOS XE | Process Documentation |
C9300-M/MS390 (Cloud-Managed Catalyst) |
Firmware Upgrade for Cloud-Managed Catalyst Switching (CS16/17 to Cloud Native IOS XE) via Meraki Dashboard |
|
C9300 and C9200L (DNA-managed Catalyst) |
Switch Migration from DNA Management Mode to Meraki Management Mode via CLI |
Migration from CLI-managed Catalyst Switches to Meraki-managed Mode |
Unsupported features on IOS XE 17.15.3
Please note that the following features are not yet available in cloud-native IOS XE but will be addressed in subsequent releases.
-
SmartPorts
-
MAC Blocklist
-
Digital Optical Monitoring (DOM)
-
RSPAN / VLAN SPAN
-
IPv6 RA Guard / DHCP Guard
-
WarmSpare / VRRP
-
HTTP Proxy
-
Sticky MAC
-
Dynamic ARP Inspection (DAI) Auto-Uplink
-
Client Tracking on 10G-MGig
-
Netflow on IPv6
-
SecurePort
-
Sticky MAC
-
Geo cloud - Canada, China, or India Cloud
We value your feedback on our latest release! Please take a moment to complete this brief 5-minute survey and share your experience with us.
What's next? Watch this in-depth session recording to learn more about this new architecture and get an exclusive preview of future advancements.