Cisco Catalyst IOS-XE Switches

Cisco Catalyst IOS-XE switches are modern enterprise switches running the IOS-XE operating system, including the Catalyst 9000 series. IOS-XE provides enhanced programmability, modern firmware management via install mode, gRPC telemetry support, and improved performance compared to classic IOS.

Supported Models

Model/Series          | Notes
----------------------|-----------------------------------------------
Catalyst 9200 Series  | Entry-level access switches (C9200L, C9200)
Catalyst 9300 Series  | Stackable access/distribution switches (C9300, C9300L)
Catalyst 9400 Series  | Modular access switches
Catalyst 9500 Series  | Fixed core/aggregation switches
Catalyst 9600 Series  | Modular core switches

Note: For classic IOS switches (Catalyst 2960, 3560, 3750, 3850, etc.), see the Cisco IOS documentation.

Features Supported

Feature                          | Supported | Description
---------------------------------|-----------|----------------------------------------------------------------
Config Sync                      | Yes       | Automatic configuration synchronization from rXg
Auto Bootstrap                   | Yes       | Zero-touch onboarding from factory-default state via DHCP discovery
SNMP Monitoring                  | Yes       | CPU, memory, and port statistics collection
gRPC Telemetry                   | Yes       | Streaming telemetry for real-time metrics
LLDP Neighbor Discovery          | Yes       | Automatic detection of connected devices
Switch Port Import               | Yes       | Automatic import and management of switch ports
802.1X Authentication            | Yes       | Port-based network access control (EAP)
MAC Authentication Bypass (MAB)  | Yes       | MAC-based authentication for non-802.1X devices
MAB + EAP Combined               | Yes       | MAB first with EAP fallback
Dynamic VLAN Assignment          | Yes       | RADIUS-assigned VLAN based on authentication
DHCP Snooping                    | Yes       | Protection against rogue DHCP servers
Firmware Management              | Yes       | Install mode via HTTP/HTTPS/TFTP
STP Protection                   | Yes       | PortFast, BPDU guard, and root guard
Connection Pooling               | Yes       | Efficient SSH connection management
SPB-m Fabric                     | No        | Not supported

Prerequisites

Firmware Requirements

  • IOS-XE 16.x or later recommended
  • IOS-XE 17.x for latest features and gRPC telemetry
  • SSH enabled with RSA keys generated

Licensing Requirements

  • Network Essentials or Network Advantage license
  • DNA licensing may be required for certain advanced features

Network Requirements

  • Management IP connectivity to rXg
  • SSH access (TCP port 22)
  • SNMP access (UDP port 161)
  • RADIUS connectivity (UDP ports 1812, 1813)
  • HTTP/HTTPS access from switch to rXg for firmware upgrades (TCP port 80/443)
  • gRPC connectivity (TCP port 57000 default) for streaming telemetry

Onboarding Process

Automatic Onboarding

Cisco Catalyst IOS-XE switches support automatic onboarding from factory-default state. The rXg detects factory-default switches by checking for the absence of rXg-specific configuration (SNMP community, RADIUS server, dot1x system-auth-control).

Prerequisites for Auto-Bootstrap:

  1. The switch must be connected to the network and obtain a DHCP address from rXg
  2. A switch record must exist in rXg with the switch's MAC address configured
  3. The target management IP address must be configured in the switch record
  4. Valid SSH credentials must be provided (factory default or pre-configured)

Auto-Bootstrap Process:

  1. The rXg looks up the switch's current DHCP IP address using the configured MAC address
  2. SSH connection is established to the DHCP IP
  3. The system checks for factory-default state by verifying absence of:
    • snmp-server community public RO
    • radius server rXg
    • dot1x system-auth-control
  4. If factory-default, bootstrap configuration is automatically applied:
    • Management user credentials
    • SSH configuration (domain name, RSA keys, VTY lines)
    • Management VLAN interface with IP
    • SNMP community configuration
    • RADIUS server and AAA configuration (if RADIUS is active)
    • 802.1X system-auth-control
    • gRPC telemetry subscriptions
  5. Configuration is saved with write memory
  6. The switch reconnects on its new management IP address
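The factory-default check described in the steps above, as an added example written for this page (it is not rXg's own code). It classifies a `show running-config` capture by the three markers the process lists and also reports a partial state, which is the case that makes auto-bootstrap stop. The community string defaults to `public` as on the page but is a parameter; the running-config samples are constructed.

```python
"""Factory-default detection for an IOS-XE switch (added example, not rXg code)."""
import re

# The three rXg markers the auto-bootstrap check looks for (from the page).
# The SNMP community defaults to "public" but can be overridden.
def marker_patterns(community="public"):
    return (
        ("snmp-community", re.compile(rf"^snmp-server community {re.escape(community)} RO\b")),
        ("radius-server", re.compile(r"^radius server rXg\b")),
        ("dot1x", re.compile(r"^dot1x system-auth-control\b")),
    )

def find_markers(running_config, community="public"):
    """Return the labels of the rXg markers present in the running config."""
    lines = [line.strip() for line in running_config.splitlines()]
    found = []
    for label, pattern in marker_patterns(community):
        if any(pattern.match(line) for line in lines):
            found.append(label)
    return found

def classify(running_config, community="public"):
    """'factory-default' (no markers), 'managed' (all markers), else 'partial'."""
    found = find_markers(running_config, community)
    if not found:
        return "factory-default"
    if len(found) == len(marker_patterns(community)):
        return "managed"
    return "partial"

def should_bootstrap(running_config, community="public"):
    """Auto-bootstrap only applies to a switch with none of the markers."""
    return classify(running_config, community) == "factory-default"

# Constructed sample captures (not output from a real switch).
FACTORY_DEFAULT = """\
version 17.3
hostname Switch
!
interface Vlan1
 ip address dhcp
!
end
"""

# A switch that was half-configured by hand: bootstrap must not run on it.
PARTIAL = FACTORY_DEFAULT.replace("!\nend", "!\nsnmp-server community public RO\n!\nend")

MANAGED = """\
version 17.3
hostname access-sw-1
!
radius server rXg
 address ipv4 192.0.2.1 auth-port 1812 acct-port 1813
!
dot1x system-auth-control
snmp-server community public RO
!
end
"""

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_DEFAULT), ("partial", PARTIAL), ("managed", MANAGED)):
        print(name, classify(cfg), find_markers(cfg))
```

A `partial` result is the state the troubleshooting section calls "switch already has partial configuration"; the returned marker list says which of the three items is already present.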

Manual Onboarding

For manual configuration, connect to the switch via console or existing network access and apply the bootstrap commands below.

Bootstrap Commands

Enter Configuration Mode:

enable
configure terminal

Set Hostname:

hostname <switch-name>

Configure Management User:

username <admin-user> privilege 15 secret <password>

Configure SSH:

ip domain-name local
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 120
ip ssh authentication-retries 3

Configure VTY Lines:

line vty 0 15
 transport input ssh
 login local
 exec-timeout 30 0
 privilege level 15
 exit

Configure Management VLAN Interface:

For VLAN 1:

interface Vlan1
 ip address <switch-ip> <subnet-mask>
 no shutdown
 exit

For non-default management VLAN:

interface Vlan<management-vlan>
 ip address <switch-ip> <subnet-mask>
 no shutdown
 exit

Configure Default Route:

ip route 0.0.0.0 0.0.0.0 <gateway-ip>

Configure SNMP:

snmp-server community <community-string> RO
snmp-server enable traps

Configure AAA and RADIUS (if using 802.1X/MAB):

For IOS-XE 15.2+:

aaa new-model
radius server rXg
 address ipv4 <rxg-ip> auth-port 1812 acct-port 1813
 key <radius-secret>
 exit
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update periodic 5
dot1x system-auth-control
authentication mac-move permit

Configure Dynamic Authorization (CoA):

aaa server radius dynamic-author
 client <rxg-ip> server-key <radius-secret>
 exit

Save Configuration:

end
write memory

Configuration

Connection Settings

Configure the switch in the Network::Wired::Switches scaffold with:

  • Host: Target management IP address
  • MAC Address: Required for auto-bootstrap DHCP lookup
  • Username/Password: SSH credentials (privilege 15)
  • Enable Password: If different from login password
  • Management VLAN: VLAN for management traffic (default: 1)
  • SNMP Community: Community string for monitoring (default: public)

RADIUS / AAA Configuration

When a RADIUS Server Option is active in rXg, the system supports three authentication modes per port:

MAB Only (mac):

interface <port>
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order mab
 authentication periodic
 authentication timer inactivity server
 mab

802.1X EAP Only (eap):

interface <port>
 authentication event fail action next-method
 authentication host-mode single-host
 authentication order dot1x
 authentication periodic
 authentication timer inactivity server
 authentication timer reauthenticate server
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 10

MAB + EAP Combined (maceap):

interface <port>
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication periodic
 authentication timer inactivity server
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
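How a config sync of these three per-port modes can be made idempotent, as an added example written for this page (not rXg's own implementation). It renders the desired interface lines for a mode from the command sets above, extracts the interface section from a `show running-config` capture, and emits only the commands needed to reach the target state: unchanged lines are skipped, keyed commands such as `authentication host-mode` are overwritten by entering the new value, and lines with no counterpart in the target mode are removed with `no`. Interface names and the running-config sample are constructed.

```python
"""Idempotent per-port auth mode sync for IOS-XE (added example, not rXg code)."""

# Desired interface lines per rXg mode, in the order given on the page.
MODE_LINES = {
    "mac": [
        "authentication event fail action next-method",
        "authentication host-mode multi-auth",
        "authentication order mab",
        "authentication periodic",
        "authentication timer inactivity server",
        "mab",
    ],
    "eap": [
        "authentication event fail action next-method",
        "authentication host-mode single-host",
        "authentication order dot1x",
        "authentication periodic",
        "authentication timer inactivity server",
        "authentication timer reauthenticate server",
        "authentication violation restrict",
        "dot1x pae authenticator",
        "dot1x timeout tx-period 10",
    ],
    "maceap": [
        "authentication event fail action next-method",
        "authentication host-mode multi-auth",
        "authentication order mab dot1x",
        "authentication periodic",
        "authentication timer inactivity server",
        "authentication timer reauthenticate server",
        "authentication violation restrict",
        "mab",
        "dot1x pae authenticator",
        "dot1x timeout tx-period 10",
    ],
}

# Commands whose value is replaced by re-entering them with a new argument;
# the key is the first three words (e.g. "authentication host-mode").
KEYED = ("authentication host-mode", "authentication order", "authentication violation",
         "authentication timer", "dot1x timeout")

def interface_lines(running_config, name):
    """Return the indented lines of one interface section, stripped."""
    lines, inside = [], False
    for raw in running_config.splitlines():
        if raw.startswith("interface "):
            inside = raw.strip() == f"interface {name}"
            continue
        if inside:
            if raw.startswith(" "):
                lines.append(raw.strip())
            else:
                break  # "!" or next top-level command ends the section
    return lines

def is_auth_line(line):
    """Only the authentication/MAB/dot1x lines are managed; others are left alone."""
    return line == "mab" or line.startswith(("authentication ", "dot1x "))

def key(line):
    return " ".join(line.split()[:3]) if line.startswith(KEYED) else line

def sync_commands(running_config, iface, mode):
    """Commands to bring iface to mode; an empty list means already in sync."""
    if mode not in MODE_LINES:
        raise ValueError(f"unknown auth mode: {mode}")
    desired = MODE_LINES[mode]
    existing = [l for l in interface_lines(running_config, iface) if is_auth_line(l)]
    desired_keys = {key(l) for l in desired}
    removes = [f"no {l}" for l in existing if key(l) not in desired_keys]
    adds = [l for l in desired if l not in existing]
    if not removes and not adds:
        return []
    return [f"interface {iface}"] + removes + adds + ["exit"]

# Constructed sample: Gi1/0/5 is already in MAB-only mode, Gi1/0/6 has no auth config.
RUNNING_CONFIG = """\
hostname access-sw-1
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 20
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order mab
 authentication periodic
 authentication timer inactivity server
 mab
!
interface GigabitEthernet1/0/6
 switchport mode access
!
"""

if __name__ == "__main__":
    for mode in ("mac", "maceap", "eap"):
        print(mode, sync_commands(RUNNING_CONFIG, "GigabitEthernet1/0/5", mode))
```

Re-running the sync on a port that already matches produces no commands, which is what keeps repeated config syncs from churning the running config.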

VLAN Configuration

VLANs are automatically managed through Switch Port Profiles:

  • Access ports: switchport mode access with switchport access vlan <id>
  • Trunk ports: switchport mode trunk with switchport trunk allowed vlan <list>
  • VTP mode is automatically set to transparent for proper VLAN management

STP Protection

Switch Port Profiles support:

  • PortFast: spanning-tree portfast for edge ports
  • BPDU Guard: spanning-tree bpduguard enable
  • BPDU Filter: spanning-tree bpdufilter enable
  • Root Guard: spanning-tree guard root
  • UDLD: udld port aggressive

gRPC Telemetry

IOS-XE switches support gRPC streaming telemetry for real-time monitoring. The rXg automatically configures telemetry subscriptions for:

  • Interface statistics (/interfaces-ios-xe-oper:interfaces/interface)
  • CPU utilization (/process-cpu-ios-xe-oper:cpu-usage/cpu-utilization)
  • Memory statistics (/memory-statistics/memory-statistic)
  • PoE data (/poe-oper-data)
  • VLAN information (/vlans/vlan)
  • STP details (/stp-details)
  • Environment sensors (/environment-sensors/environment-sensor)

Telemetry configuration example:

telemetry ietf subscription <id>
 encoding encode-kvgpb
 filter xpath <xpath>
 source-address <switch-ip>
 stream yang-push
 update-policy periodic 3000
 receiver ip address <rxg-ip> 57000 protocol grpc-tcp

Monitoring Capabilities

Metric           | Collection Method | Notes
-----------------|-------------------|-----------------------------------------------------
CPU Usage        | SNMP / gRPC       | Real-time with gRPC telemetry
Memory Usage     | SNMP / gRPC       | Real-time with gRPC telemetry
Port Statistics  | SNMP / gRPC       | Packets in/out, errors, discards
Port Status      | SNMP / gRPC       | Up/down, speed, duplex
PoE Status       | SNMP / gRPC       | Power consumption, status per port
Environment      | gRPC              | Temperature, fan status, power supply
STP State        | gRPC              | Spanning tree port states
Device Info      | SSH               | Serial number, model, firmware version, MAC address

Firmware Upgrade

IOS-XE switches use install mode for firmware upgrades, which provides atomic updates with automatic rollback capability.

Supported Upload Methods:

  • HTTP (recommended)
  • HTTPS
  • TFTP

Upgrade Process:

  1. Upload firmware file to rXg via Device Firmwares scaffold
  2. Associate firmware with the switch
  3. Initiate upgrade from the switch record
  4. The rXg:
    • Cleans up inactive packages (install remove inactive)
    • Copies firmware via HTTP/HTTPS/TFTP to bootflash
    • Saves configuration (write memory)
    • Executes one-shot install command
    • Switch reloads automatically

Firmware Upgrade Commands:

! Clean up old packages
install remove inactive
y

! Copy firmware to bootflash
copy http://<rxg-ip>/firmware/catalystiosxeswitch/<filename> bootflash:

! Save configuration
write memory

! One-shot install (add, activate, commit)
install add file bootflash:<filename> activate commit prompt-level none

Note: The prompt-level none option bypasses confirmation prompts for unattended operation.
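A preflight check for the two upgrade failure causes the troubleshooting section names (insufficient bootflash space and a corrupt image), as an added example written for this page rather than rXg's own code. It parses the free-space line of `show bootflash:` output and compares the MD5 the switch reports from `verify /md5 bootflash:<filename>` (a standard IOS-XE command; the exact output line format is an assumption here) against the hash of the file rXg served. The 2x headroom factor is a planning assumption, since install mode extracts packages from the image; all sample outputs and the image bytes are constructed.

```python
"""Firmware upgrade preflight for IOS-XE install mode (added example, not rXg code)."""
import hashlib
import re

# Free-space line of 'show bootflash:' and the result line of 'verify /md5'.
# Formats as the example assumes them; the samples below are constructed.
FREE_RE = re.compile(r"(\d+) bytes total \((\d+) bytes free\)")
VERIFY_RE = re.compile(r"verify /md5 \(([^)]+)\) = ([0-9a-f]{32})")

# Assumption: install mode unpacks the .bin into packages, so plan for
# roughly twice the file size before 'install add ... activate commit'.
HEADROOM = 2.0

def bootflash_free_bytes(show_bootflash):
    m = FREE_RE.search(show_bootflash)
    if not m:
        raise ValueError("no 'bytes free' line in 'show bootflash:' output")
    return int(m.group(2))

def expected_md5(image):
    """MD5 of the file rXg serves over HTTP; detects transfer corruption only."""
    return hashlib.md5(image).hexdigest()

def reported_md5(verify_output):
    m = VERIFY_RE.search(verify_output)
    if not m:
        raise ValueError("no MD5 result line in 'verify /md5' output")
    return m.group(2)

def preflight(show_bootflash, image, verify_output):
    """Return (ok, findings). Each finding names the fix the page recommends."""
    findings = []
    free = bootflash_free_bytes(show_bootflash)
    need = int(len(image) * HEADROOM)
    if free < need:
        findings.append(
            f"bootflash has {free} bytes free, about {need} needed; "
            "run 'install remove inactive' and re-check 'show bootflash:'"
        )
    if reported_md5(verify_output) != expected_md5(image):
        findings.append(
            "MD5 from 'verify /md5' does not match the served image; "
            "re-copy the file before running 'install add'"
        )
    return (not findings, findings)

# Constructed samples (not a real IOS-XE image or real switch output).
IMAGE = b"constructed-image-bytes-not-a-real-ios-xe-image\n" * 512
IMAGE_NAME = "cat9k-example.bin"  # placeholder file name
SHOW_BOOTFLASH_OK = "Directory of bootflash:/\n...\n11353194496 bytes total (4456275968 bytes free)\n"
SHOW_BOOTFLASH_FULL = "Directory of bootflash:/\n...\n11353194496 bytes total (8192 bytes free)\n"
VERIFY_GOOD = f"verify /md5 (bootflash:{IMAGE_NAME}) = {expected_md5(IMAGE)}"
VERIFY_BAD = f"verify /md5 (bootflash:{IMAGE_NAME}) = {'0' * 32}"

if __name__ == "__main__":
    print(preflight(SHOW_BOOTFLASH_OK, IMAGE, VERIFY_GOOD))
    print(preflight(SHOW_BOOTFLASH_FULL, IMAGE, VERIFY_BAD))
```

The MD5 comparison catches a truncated or corrupted transfer; it is not an authenticity check, which IOS-XE performs separately through its signed-image verification at install time.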

Troubleshooting

Common Issues

Issue: Switch shows offline in rXg

Symptom: Switch appears offline despite being reachable via ping
Cause: SSH connectivity issues, SNMP community mismatch, or connection pool exhaustion
Resolution:
  • Verify SSH credentials match switch configuration
  • Check SNMP community string matches
  • Ensure SSH is enabled: show ip ssh
  • Check for locked-out IP (60 second lockout after failed attempts)
  • Verify VTY line configuration allows SSH

Issue: Auto-bootstrap fails

Symptom: Switch detected at DHCP IP but bootstrap doesn't complete
Cause: Credential issues or switch not in factory-default state
Resolution:
  • Verify factory default credentials are correct
  • Check if switch already has partial configuration
  • Look for existing SNMP, RADIUS, or dot1x configuration
  • Try manual bootstrap via console

Issue: Config sync fails with "VTP mode" error

Symptom: VLAN changes fail to apply
Cause: VTP mode is set to client
Resolution:
  • Config sync automatically sets vtp mode transparent
  • If persistent, manually run: vtp mode transparent

Issue: Firmware upgrade fails

Symptom: Firmware install fails or switch doesn't boot new image
Cause: Insufficient bootflash space, incompatible firmware, or network issues
Resolution:
  • Check bootflash space: show bootflash:
  • Run cleanup: install remove inactive
  • Verify HTTP connectivity from switch to rXg
  • Check firmware file integrity
  • Review install log: show install log

Issue: gRPC telemetry not working

Symptom: No telemetry data received by rXg
Cause: Firewall blocking gRPC port or misconfigured subscriptions
Resolution:
  • Verify port 57000 is open
  • Check subscription status: show telemetry ietf subscription all
  • Verify receiver configuration: show telemetry receiver all

Diagnostic Commands

General:

show version
show running-config
show ip interface brief
show interfaces status
show vlan brief

SSH and Authentication:

show ip ssh
show users
show aaa sessions
show authentication sessions
show dot1x all

RADIUS:

show radius statistics
show aaa servers

Firmware:

show bootflash:
show install summary
show install log

Telemetry:

show telemetry ietf subscription all
show telemetry receiver all
show telemetry internal connection

Known Limitations

  • SPB-m fabric not supported
  • Some advanced features require DNA licensing
  • gRPC telemetry requires IOS-XE 16.x or later
  • Install mode firmware upgrades cause automatic reload

Operational Caveats

  • Install Mode: IOS-XE uses install mode for firmware, which differs from classic IOS copy/boot method. The switch automatically reloads after install add activate commit.
  • Connection Pooling: The rXg maintains a pool of SSH connections for efficiency. Connections idle for more than 5 minutes are automatically closed.
  • IP Lockout: IOS-XE temporarily locks out IP addresses (60 seconds) after multiple failed SSH authentication attempts.
  • VTP Mode: Config sync automatically sets VTP mode to transparent. If the switch is a VTP client, VLAN changes will fail until mode is changed.
  • RADIUS Server Configuration: IOS-XE 15.2+ uses the radius server command syntax instead of the legacy radius-server host command.
  • gRPC Source Address: For multi-interface switches, configure the gRPC source IP to ensure telemetry reaches the rXg.
  • DNA Licensing: Some advanced features (SD-Access, Assurance) require Cisco DNA licensing beyond Network Essentials/Advantage.
