A new candidate switch Catalyst firmware version is available. Firmware IOS XE 17.15.4.1 was just released on 2025-11-14 and has been in this firmware category since 2025-11-13.
After upgrading to Cloud Management with IOS XE 17.15 it is not possible to downgrade to any CS firmware via Dashboard. In order to downgrade to CS a factory reset may be required, and support assistance will be necessary. Please consider this before upgrading your network to Cloud Management with IOS XE. Learn more - http://cs.co/9002xhAan
Stacking Limit for C9200L: C9200L series models support stacking configurations of up to 5 members. Please ensure your stacks for these models adhere to this limit. Exceeding 5 members may lead to unexpected behavior. This will be resolved in a future release.
Switch Templates with bound networks cannot directly upgrade from CS firmware to IOS XE firmware. We recommend unbinding and migrating networks independently, and then rebinding into an IOS XE switch template.
After upgrading from CS to IOS XE, please allow at least 30 minutes for configuration to be marked safe. Rebooting/reloading within 30 minutes of upgrading may cause the switchports to revert to default configuration.
Cloud Management with IOS XE overview
Cloud management with IOS XE introduces a significant architectural shift from the previous container-based design to a cloud-native framework, unlocking benefits for your cloud-managed Cisco Catalyst switches, including the C9300-M, C9300L-M, C9300X-M, C9200L and MS390 families. These include faster boot and initialization performance, especially for stacks, and the start of a new generation of capabilities as we enable more underlying IOS-XE capabilities, and a Cloud CLI Terminal that introduces the ability to run Show CLI commands directly from Dashboard!
CS16 or CS17 are prerequisites before initiating this upgrade. We do not recommend attempting to upgrade to IOS XE from other firmware versions.
Release highlights
In this release, we are excited to support the following features and enhancements. Below are the key highlights:
UAC Auto Fallback feature allows customers the option to automatically switch back to their selected uplink interface once network connectivity to Dashboard has been restored via that preferred interface. Simply opt in on the Switch Settings page under the Management Connectivity section to enable this feature.
Improved firmware upgrade flow, including pre-flight and in-flight checks, improved image upgrade visibility, along with other bug fixes and enhancements to the upgrade process.
Firmware Upgrade Visibility: Firmware Upgrade Status for Cloud-Managed IOS XE switches is now visible in Cloud Management - Configuration Source: Cloud, enabling administrators to monitor the progress of upgrades. Upgrade status can be viewed at both the switch list and a clear staged progress bar when you drill into each switch. This enhancement will be deployed gradually over the next week and will become available to all organizations once the rollout is complete.
After migrating CLI/DNA managed switches to cloud configuration source, please note that console and SSH access are no longer available. All management access is only available via the cloud Dashboard or the local status page through the rear management port.
Downgrades from Cloud Management with IOS XE to any prior CS firmware via the dashboard are restricted.
Catalyst devices need ICMP ping connectivity to several destinations to test uplink connectivity to the dashboard. For successful upgrades and continued connectivity post-upgrade, ensure that outbound ICMP pings from Catalyst devices are permitted to the following destinations: config-2037.meraki.com, catalyst.meraki.com, google.com, 8.8.8.8 (Google DNS) and 2001:4860:4860::8888 (Google DNS).
For successful upgrades and continued connectivity post-upgrade, resolve all alerts on the Organization > Alerts page that are associated with the switches being upgraded.
Resolve “Bad IP assignment” and “VLAN mismatch” alerts on the uplink interfaces, and stacking related alerts such as “Misconfigured Switch”, “Unconfigured Switch” and “Switch Not Connected to Stack” to ensure a successful upgrade.
Layer 3 switches cannot run DHCP servers on uplink interfaces with IOS XE 17.15+. Post-upgrade, interfaces with both Preferred Uplink and DHCP server configurations will have the DHCP server configuration disabled on that interface.
Switches using the Alternative Management Interface (AMI) will require an L3 SVI to be configured for the same VLAN assigned to AMI. For AMI to work, your network must have AMI configured and your switch must have an SVI configured matching that AMI VLAN.
After upgrading from CS to Cloud Management with IOS XE firmware, port mirroring configurations on module ports will not be retained. Users will need to reconfigure port mirroring on module ports following the upgrade.
The 30-day grace period applies to licensing for Catalyst switches onboarded to Meraki Dashboard, allowing customers to trial cloud mode prior to fully committing. Valid DNA licenses can be converted to Meraki licenses through a qualified promotion process. Refer to http://cs.co/9005aw6VH for more details.
UDLD now uses Cisco UDLD Aggressive mode on fiber ports and will not be enabled on copper interfaces. Please see documentation for more details.
A safe timer has been added to prevent unexpected device failures caused by configuration changes during upgrades. This may increase the total upgrade time by approximately 30 minutes.
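The prerequisites above (CS16/CS17 starting firmware, the C9200L stack limit, the alerts to resolve, DHCP server on a preferred uplink, and AMI needing a matching SVI) can be checked against an inventory before scheduling the upgrade. The following is an added example, not Cisco or Meraki code; the inventory layout, all field names and the sample records are hypothetical and constructed for illustration.

```python
# Added example: pre-upgrade audit for a CS -> IOS XE 17.15 migration.
# Inventory layout and field names are hypothetical; sample data is constructed.
BLOCKING_ALERTS = {
    "Bad IP assignment", "VLAN mismatch", "Misconfigured Switch",
    "Unconfigured Switch", "Switch Not Connected to Stack",
}
C9200L_MAX_STACK = 5


def audit_switch(sw):
    """Return the findings that should be cleared before upgrading this switch."""
    findings = []
    # CS16 or CS17 are the only recommended starting points.
    if not sw["firmware"].startswith(("CS16", "CS17")):
        findings.append(f"firmware {sw['firmware']} is not CS16/CS17")
    # Uplink and stacking alerts named in the notes must be resolved first.
    for alert in sorted(BLOCKING_ALERTS & set(sw.get("alerts", []))):
        findings.append(f"unresolved alert: {alert}")
    # C9200L stacks support at most 5 members.
    if sw["model"].startswith("C9200L") and sw.get("stack_members", 1) > C9200L_MAX_STACK:
        findings.append(f"C9200L stack has {sw['stack_members']} members (max 5)")
    # A DHCP server on a preferred uplink interface is disabled after the upgrade.
    for intf in sw.get("l3_interfaces", []):
        if intf.get("preferred_uplink") and intf.get("dhcp_server"):
            findings.append(f"VLAN {intf['vlan']}: DHCP server on preferred uplink will be disabled")
    # AMI requires an SVI configured for the same VLAN.
    ami = sw.get("ami_vlan")
    svi_vlans = {i["vlan"] for i in sw.get("l3_interfaces", [])}
    if ami is not None and ami not in svi_vlans:
        findings.append(f"AMI VLAN {ami} has no matching SVI")
    return findings


# Constructed sample inventory (version strings and names are made up).
SAMPLE = [
    {"name": "sw-ok", "model": "C9300-M", "firmware": "CS17", "alerts": [],
     "ami_vlan": 10, "l3_interfaces": [{"vlan": 10}]},
    {"name": "sw-bad", "model": "C9200L", "firmware": "CS15", "stack_members": 6,
     "alerts": ["VLAN mismatch", "Port flapping"], "ami_vlan": 20,
     "l3_interfaces": [{"vlan": 30, "preferred_uplink": True, "dhcp_server": True}]},
]

if __name__ == "__main__":
    for sw in SAMPLE:
        for finding in audit_switch(sw) or ["ready"]:
            print(f"{sw['name']}: {finding}")
```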
Known issues
To configure new SVI interfaces for switches running a CS firmware version in a network set to IOS XE 17.15+ please use the legacy version of the Routing and DHCP page to make configuration changes.
Due to a known issue, certain clients may not have a description/name or cannot be renamed, erroring out with a "Mac can't be blank" error.
When configuring and applying an access policy to a switchport, the Critical Authentication Voice VLAN setting is not applied, even though other configurations are applied successfully.
There may be some unexpected behaviors when moving a switch on CS firmware to a network set to IOS XE 17.15+, such as Cisco TrustSec policies (Adaptive Policy) failing to download to the devices running CS firmware and the static IP for management changing to DHCP. It is recommended to upgrade CS devices to IOS-XE in a different network before moving to the target network set to IOS-XE 17.55+.
There may be some unexpected behaviors when configuring CS firmware devices in networks set to IOS XE 17.15+: cloning of device configuration is not supported on CS firmware switches; warm spare, which is only supported for MS, is configurable on CS or IOS-XE devices and causes the spare to go down; and packet capture fails on CS firmware devices.
Changing the subnet mask is not allowed on DHCP configuration with fixed IP assignments. It is recommended to remove and reconfigure the DHCP server.
The dashboard incorrectly displays an alert stating ‘A power supply is offline,’ even though no PSU is installed in slot B for the standby switch.
Whenever a SAML admin selects and runs any command from the 'Show CLI' tool dropdown menu, a 'Command failed to run. User doesn't have permission' error is returned.
The old UI does not support using an FQDN for the RADIUS server. If an FQDN is configured in the old UI, the access policy is saved without any RADIUS servers, which causes issues with fetching the configuration. To resolve this, it is recommended to delete the affected access policy so the configuration fetch process can continue.
A NM-2Y 25Gbps interface on C9300-48UXM connecting to Nexus 93180YC-EX fails to establish the link with default Meraki management config (FEC auto/25Gbps). Manual configuration via CLI is required as a workaround.
Named VLAN configuration for stacks generates configuration errors
CFLOW data may be missing when capturing packets from the uplink port
Client Tracking does not work on ports at speeds of 10G or more.
Attempting to create a DHCP server using DHCP option 135 (DNS Suffix) with hex value greater than 180 characters results in an error
Switch Client Summary displays incorrect VLAN for specific ports — marked resolved but pending confirmation.
Exported Netflow flow displays an incorrect Adaptive Policy group (trustSecID)
Client devices that don’t support link auto-negotiation may cause their connected Port to show as disconnected on Dashboard
Download config keeps failing on port-security with uplink ports
Intelligent Packet capture fails with 500 error on non-active stack members
AAA Accounting Configuration Not Pushed to Template-Bound Switches
When RADIUS caching is enabled and the RADIUS server becomes ALIVE, an automatic port bounce is not triggered, causing the client to stay in the critical VLAN until a manual port bounce is performed.
When Adaptive Policy is enabled on a network, a crash on C9300X switches is observed.
Fixed issues
Resolved an SNMP Denial of Service and Remote Code Execution vulnerability affecting Cisco IOS and IOS XE Software.
Includes dashboard connectivity, device configuration push and security improvements
Remedied an issue where, after the preferred uplink VLAN connection was reestablished, the preferred VLAN could not reach the dashboard.
Rectified an issue where the next tunnel failed to come up when UAC received vlan1 as the uplink VLAN, which does not have external connectivity.
Addressed an issue in the Live Tool where MTR Exec failed to report MTR data
Numerous improvements and optimizations around dashboard connectivity, firmware upgrade reliability, switch stacking and device configuration application
Firmware upgrade/downgrade hardening and optimization enhancements
Fixed a bug where storm control config was lost on device reboot
Numerous enhancements added to improve network-wide client data visibility and accuracy
Fixed an issue where a configured SNMP privacy mode such as AES128 is incorrectly pushed to the switches.
Fixed a bug where Catalyst switches/MS390 unexpectedly configured as a single-member stack - needs verification
Resolved an issue where switch with a network module uplink may experience upgrade failures
Fixed an issue where LACP configuration fails to apply for a C9300X-NM-8Y network module on a C9300X switch stack
Fixed an issue where a client with DHCP binding/Fixed IP assignment in multiple subnets fails to retrieve a DHCP IP address from one of the VLANs.
Fixed an issue where SNMPv3 privacy mode set to DES causes an upgrade failure
Fixed an issue where modifying the default DSCP-to-COS Mappings in the Quality of Service section of Switch settings results in errors.
Fixed an issue where the C9300L (-M) series switches that experience problems upgrading from a CS version to IOS XE 17.15.4 may encounter an issue rolling back to the original software image, and then fail to properly boot.
Fixed an issue where dashboard configuration changes were not applied to network module ports when the switch is bound to a switch template
Fixed an issue where Adaptive Policy Custom ACL Change failed with configuration sync error
Fixed an issue where Peer SGT capable and Adaptive Policy Group settings were not getting applied to the 40G QSFP module interfaces on an MS390 series switch
Fixed an issue where device uptime was incorrectly reported for standby stack member
Switch configuration is cleared after an immediate reboot following an upgrade from CS firmware to IOS XE firmware, causing the upstream Port-channel to enter a suspended state.
Resolved an issue where events were not populating under Network-wide → Event Logs for certain networks
Resolved an issue where attempting to use the MTR live tool in Dashboard may not correctly return data results, and may return errors
Fixed an issue where LACP Config was getting removed from module ports during upgrade to IOS XE 17.15
Resolved an issue where the dashboard incorrectly alerts 'A power supply is offline' even when both PSUs are operational
Resolved an issue where using MAC allow list on the default or currently installed network module ports may result in a config apply failure, requiring a factory reset to resolve
The Default VLAN profile API appends new configurations instead of overwriting existing ones potentially leading to unexpected behavior.
Share your post-upgrade feedback!
We value your feedback on our latest release! Please take a moment to complete this brief 5-minute survey (https://forms.office.com/r/eyh1BZWMZq) and share your experience with us.
Transitioning from CS to IOS XE 17.15: unsupported features
The following CS features are not supported in this release:
Sticky MAC
Gov (Federal), Canada, China, or India Cloud
Meraki Dashboard HTTP proxy
Port mirroring (SPAN) configuration will need to be reconfigured post upgrade
Certain features will be added to the IOS XE versions in future releases. Refer to the Cloud Management with IOS XE documentation for further details: http://cs.co/9001Q4ALF