Table 1 provides information about the recommended Rommon and CPLD versions for releases prior to Cisco IOS XE Everest 16.4.1.

Table 1. Recommended Firmware Versions

Cisco 4000 Series ISRs	Existing RoMmon	Cisco Field-Programmable Devices
Cisco 4451 ISR	16.7(4r)	15010638 Note  Upgrade CLI output has a typo and it would show the version incorrectly as 15010738 instead of 15010638. This does not impact the upgrade.
Cisco 4431 ISR	16.7(4r)	15010638 Note  Upgrade CLI output has a typo and it would show the version incorrectly as 15010738 instead of 15010638. This does not impact the upgrade.
Cisco 4351 ISR	16.7(5r)	14101324
Cisco 4331 ISR	16.7(5r)	14101324
Cisco 4321 ISR	16.7(5r)	14101324
Cisco 4221 ISR	16.7(5r)	14101324

For information about ROMMON compatability matrix, and ROMMON upgrading procedure, see the ROMMON Compatability Matrix and "ROMMON Overview and Basic Procedures” sections in the Upgrading Field-Programmable Hardware Devices for Cisco 4000 Series ISRs.

The hardware-programmable firmware is upgraded when Cisco 4000 Series ISR contains an incompatible version of the hardware-programmable firmware. To do this upgrade, a hardware-programmable firmware package is released to customers.

Generally, an upgrade is necessary only when a system message indicates one of the field-programmable devices on the Cisco 4000 Series ISR needs an upgrade, or a Cisco technical support representative suggests an upgrade.

From Cisco IOS XE Release 3.10S onwards, you must upgrade the CPLD firmware to support the incompatible versions of the firmware on the Cisco 4000 Series ISR. For upgrade procedures, see the Upgrading Field-Programmable Hardware Devices for Cisco 4000 Series ISRs.

There are no new hardware features for this release.

The following features are supported by the Cisco 4000 Series Integrated Services Routers for Cisco IOS XE Gibraltar 16.11.1:

• Channel-Based Metrics Measurement—Configures the performance monitors used by PfRv3 to employ a data collection method combining metadata and traffic sampling to provide traffic metrics.

• Cisco Unified Border Element Smart Licensing—Cisco Unified Border Element Smart Licensing—Cisco Smart Software Licensing provides a simple cloud-based solution for managing and tracking the use of your licenses and entitlements across your business. License requirements for the use of CUBE trunk sessions are reported to Cisco Smart Licensing.

  For a more detailed overview on Cisco Licensing, go to https://cisco.com/go/licensingguide.

• CPE WAN Management Protocol for Cellular Interfaces—CPE WAN Management Protocol (CWMP), is used for communications between a customer premise equipment (CPE) and an auto-configuration server (ACS). The TR-069 Agent feature manages a collection of CPEs, with the primary capability for auto-configuration and dynamic service provisioning, software image management, status and performance monitoring and diagnostics. With the addition of CWMP support on cellular interfaces, an ACS can establish a connection with a CPE, over cellular network and implement traffic monitoring.

• Configuring Dynamic Application Policy Routing—Dynamic Application Policy Routing (DAPR) dynamically steers overlay and underlay egress application traffic flows between multihomed sites connected over RAR links (virtual-access interfaces). This feature extends the existing path management solution of PfRv2 to virtual access interfaces. DAPR routes your traffic based on policy criteria such as link preference and load balancing to meet performance requirements such as delay and jitter.

• Enhanced Policy Based Routing – Application-Based Routing—The Enhanced Policy-based Routing (ePBR) routing enables application-based routing. Application-based routing provides a flexible, device-agnostic policy routing solution, while also ensuring application performance.

• PfRv3 Intelligent Load Balance—The PfRv3 Intelligent Load Balance feature detects the remote bandwidth overrun at the earliest possible. It helps to reduce the packet drop caused by per tunnel QoS and increases the bandwidth utilization.

• FlexVPN Event Trace—Displays event trace messages for FlexVPN.

• IPv6 Object Group ACL—This feature extends object group-based policy application to IPv6 ACLs. The Object group for access control list (ACL) allows you to classify users, devices, or applications into groups and apply those groups to ACLs to create access control policies for those groups. Object group-based ACL approach reduces configuration size, makes ACLs easily readable and easier to manage, thus minimizing complex and larger ACL configurations.

• Kill Telemetry Subscription—The ability to delete a dynamic model driven telemetry dynamic subscription using either:

  • The clear telemetry ietf subscription Cisco IOS command, or

    • The <kill-subscription> RPC

• IPFIX Support for ETA—IP Flow Information Export (IPFIX) protocol is another way for transmitting traffic flow information over the network. Support for ipfix keyword in flow destinations was added.

• Mapping of Address and Port using Translation and Encapsulation—The MAP-E feature in this release complements the existing MAP-T capability by providing connectivity to IPv4 hosts across IPv6 domains on CE devices while encapsulating the original IPv4 packet. MAP-E also enables mapping of address between IPv6 and IPv4 addresses, and across transport layer ports. Additionally, the CE device performs NAPT44 translation between a customer private IPv4 address and the MAP-E NAT64 translation to ensure that different CE devices share a common public IPv4 address.

• NETCONF and RESTCONF Service Level Access Control Lists—Enable you to configure an IPv4 or IPv6 access control list (ACL) for NETCONF and RESTCONF sessions.Clients that do not conform to the configured ACL are not allowed to access the NETCONF or RESTCONF subsystems. When service-level ACLs are configured, NETCONF and RESTCONF connection requests are filtered based on the source IP address.

• PKI-EST CA Certs on Reykey—This feature enables client devices to obtain CA certificate automatically as part of rekey. The CA certificate certifies a new public key for a device.

• ROMMON Upgrade—ROMMON upgrade is a bootstrap program that initializes the hardware and boots the Cisco IOS XE software when you power on or reload a device.

• Security Enhanced (SE) Linux Permissive Mode—Makes it possible for the practical implementation of “principle of least privilege” by enforcing Mandatory Access Control (MAC) on the IOS-XE platform. SELinux provides the capability to define policies to control the access from an application process to any resource object, thereby allowing for the clear definition and confinement of process behavior. In this introductory release for the feature, operation in a permissive mode is available - with the intent of confining specific components (process or application) of the IOS-XE platform. In the permissive mode, access violation events are detected and system logs are generated, but the event or operation itself is not blocked. The solution operates mainly in an access violation detection mode. No user configuration is required for the feature. See Interface and Hardware Commands. (Network Essentials and Network Advantage)

• Security Readiness Criteria (SRC) Closure—Security Readiness Criteria (SRC) closure for Cisco Unified Border Element—SRC is a program to meet a set of security criteria before releasing the product offering to the customers. SRC helps to prioritize security requirements that are necessary to reduce the associated risk. For detailed information: see the following Cisco documents:

  • SRTP-SRTP Interworking

  • Network-Based Recording Using CUBE

  • Overview of Cisco Unified Border Element

  • Commands—authentication (dial peer), authentication (SIP UA), credentials (SIP UA)

  • Command—stun flowdata shared-secret

• Specific License Reservation—With Specific License Reservation, you can deploy a Smart License on a device without directly connecting it to the Cisco Cloud.

• SRC Closure-CME—In accordance with the SRC compliance requirements, Unified CME and Unified SRST 12.6 Release introduces support for Simple Network Management Protocol Version 3 (SNMPv3), Toll Fraud Prevention for Line Side SIP, and enforces adherence to password policy and encryption guidelines. Unified CME 12.6 and later releases do not support Graphical User Interface and Computer Telephony Integration (CTI) Computer Supported Telecommunications Applications (CSTA) protocol suite.

• Support for SCRYPT as Default Encryption Type: Support for SCRYPT as the Default Encryption Type: The CLI parser view supports SCRYPT as the default type from Cisco IOS XE Gibraltar 16.11.1. Additionally, the CLI parser view also supports the encryption type PBKDF2 from this release.

• Source Interface Support for ETA Netflow Records—Support for source-interface interface-name for ETA Netflow records was added.

• Show Commands for ETA—Simplified show commands to display ETA configurations, flow statistics, and export statistics for quick troubleshooting.

• Support Certificate CN/SAN Validation—

  Server Identity Validation on Cisco Unified Border Element—Cisco Unified Border Element supports server identity validation through Common Name (CN) and Subject Alternate Name (SAN) fields in the server certificate during client-side SIP/TLS connections. Validation of CN and SAN fields of the server certificate ensures that the server-side domain is a valid entity.

• Web User Interface—Supports an embedded GUI-based device-management tool that provides the ability to provision the router, simplifies device deployment and manageability, and enhances user experience. The following features are supported on Web User Interface from Cisco IOS XE Gibraltar 16.11.1:

  • Nat Statistics

  • IPv6 Support for AAA

  • For information on how to access the Web User Interface, see Configure the Router for Web User Interface section.

• YANG Data Models—For the list of Cisco IOS XE YANG models available with this release, navigate to https://github.com/YangModels/yang/tree/master/vendor/cisco/xe/16111. Revision statements embedded in the YANG files indicate if there has been a model revision. The README.md file in the same GitHub location highlights changes that have been made in the release.

This section contains the following topics:

All open bugs for this release are available in the Cisco Bug Search Tool.

Caveat ID Number	Description
CSCvo04856	DataPlane (DP) crash observed in MMOH call flow
CSCvo17113	Show call media Forking match failed.
CSCvo47436	IOSXE - firewall corrupts half open list
CSCvo60849	Crash noticed when routes are getting imported twice(from vpnv4 to vrf to evpn) with route churn
CSCvo66216	IPSec-Session count in "show crypto eli" reaches max causing VPN failure
CSCvo79193	Router configured with ZBFW reloads with a last reload reason of LocalSoft
CSCvo12799	Call is not getting connected in Forking Re-INVITE scenario.
CSCvo17113	Show call media forking match failed.
CSCvo04856	DataPlane (DP) crash observed in MMOH call flow.
CSCvo00221	Crash observed on secure srst with secure sccp and stcapp configs.

All resolved bugs for this release are available in the Cisco Bug Search Tool.

Caveat ID Number	Description
CSCvb03610	Watchdog crash after "% AAA/AUTHEN/CONT: Bad state in aaa_cont_login().".
CSCvh57657	NAT MIB not populated when using traditional NAT.
CSCvi32156	Router crashes when DMVPN tunnel moves accoss ports.
CSCvi58996	Several OID from CISCO-CLASS-BASED-QOS-MIB stop working when performing upgrade to Denali-16.3.x.
CSCvi63425	Cisco 4400 ISR router cpp crashed when configured HSRP with PMIPv6.
CSCvi79674	CPP 0 failure Stuck Thread resulting in Unexpected Reboot.
CSCvi81216	Cisco 4000 Series ISRs: Ping src Looback(lo is EID) has been dropped after reloading.
CSCvj02081	CPP crash on L2TP router.
CSCvj08248	Packet throughput drops down when enable tunnel visibility with single tcp flow(>1MPPS).
CSCvj11876	Provide Passthrough Reason in IOS-XE for AppNav.
CSCvj13382	IOS-XE FIPS mode is enabled by default in QFP even if it is not enabled in CLI.
CSCvj17326	Cisco 4400 ISR crashes in o2_cavm_pci_unlock when forwarding large packets for VPLS.
CSCvj20302	Cisco 4000 Series ISRs MTP not performing RFC2833 payload type conversion.
CSCvj47957	Packet trace does not work with re-injected UTD packets.
CSCvj50005	Cisco 4000 Series ISRs PPE ucode crash when processing ipsec traffic on CWS tunnel.
CSCvj50410	Cisco 4331 ISR no collisions count up on duplex mismatch condition.
CSCvj71853	"sdavc_ppdk.pack force" command not accepted during boot up.
CSCvj76662	GetVPN TBAR failure does not generate syslogs.
CSCvj78083	Path of Last Resort Sending Probes in standby state.
CSCvj86876	Cisco 4000 Series ISRs- IOS 16.8 - crypto-related issues seen with a single AF configured in VRF definition.
CSCvj89345	AVC license should be activated only in case of smart licensing model.
CSCvj90814	Crash due to Memory corruption in Cisco 4000 Series ISRs.
CSCvk00074	cBR-8 crash after issuing show platform hardware qfp active infrastructure bqs.
CSCvk02072	Hoot-n-holler multicast traffic marked with DSCP 0.
CSCvo47436	IOS XE - firewall corrupts half open list.
CSCvo49381	LISP to OSPF redistribution failing.
CSCvk12152	Unable to remove command ip nat inside destination.
CSCvk15062	Modification to ZBFW access-lists do not reflect in TCAM.
CSCvk34152	Invalid throughput level in the "show version" output.
CSCvk53938	IOS-XE : IPv6 ACL for Tunnel QoS not matched.
CSCvk63602	WAAS Policy Configuration push may caused AppNav Class-maps programming issue in TCAM.
CSCvk65072	Crash due ZBF + NAT.
CSCvm08377	IPSEC in DOWN-NEGOTIATING on HSRP Standby router with local-address config
CSCvm14346	Cisco 4000 Series ISR - Memory Corruption of mdl_tbl due to fia-history CLI
CSCvm20374	Router - CPUHog - SNMP ENGINE crashed with Watchdog timeout.
CSCvm56670	ACL dropping packets after updating it - %CPPEXMEM-3-NOMEM.
CSCvm76295	[SAP] syncfd fails to start on reload after upgrade to new ES image.
CSCvm80502	Traceroute not working when sourced from NAT Inside interface.
CSCvm94970	[UniScale]Crash seen on csr1k during NAT44 hsl scale test when clearing max NAT translations.
CSCvm96663	An IOS-XE router crashes after umbrella is configured.
CSCvn02419	Router crash occurs while running Dell software update.
CSCvn07614	Out of Band DTMF Events Not Passing to CUCM via SCCP When Using IOS MTP.
CSCvn13257	Unable to reconfigure VTY lines on Cisco 4221 once deleted
CSCvn31658	Removal of loopback interface causes router to crash and erases the conf register settings.
CSCvn37915	Crash in cpp_bqs_rm_yoda_proc_pend_fc_cb.
CSCvn40315	FMANFP-6-IPACCESSLOGP message have IP address byte reversed.
CSCvn46969	Cisco 4000 Series ISRs: hang up when executing "sh ip nat tran" with static NAT entries.
CSCvn51553	QFP crashes with a HW interrupt.
CSCvn82245	EIGRP session is not coming up if the dynamic PBR is applied on interface.
CSCvo00664	SUP Crash after running the command " show plat hard qfp act infr bqs debug qmrt_dump ".

For information about the Cisco 4000 Series ISRs and associated services and modules, see:

Documentation Roadmap for the Cisco 4000 Series ISRs,Cisco IOS XE 16.x .

The Cisco IOS XE Fuji 16.x software documentation set consists of Cisco IOS XE Fuji 16.x configuration guides and Cisco IOS command references. The configuration guides are consolidated platform-independent configuration guides organized and presented by technology. There is one set of configuration guides and command references for the Cisco IOS XE Fuji 16.x release train. These Cisco IOS command references support all Cisco platforms that are running any Cisco IOS XE Fuji 16.x software image.

See http://www.cisco.com/en/US/products/ps11174/tsd_products_support_series_home.html

Information in the configuration guides often includes related content that is shared across software releases and platforms.

Additionally, you can use Cisco Feature Navigator to find information about feature, platform, and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn . An account on cisco.com is not required.