r/Cisco

▲ 42 r/Cisco

Major updates to Cisco certifications

Cisco just launched some major updates to their certification portfolio:

  • CCNA v2.0
  • CCIE practical exam AI DOO module
  • CCIE automation v1.2

The new CCNA will add more focus on:

  • Troubleshooting production issues under pressure
  • Evaluating what an AI assistant recommends and knowing when it’s wrong
  • Securing an environment by design, not as an afterthought

It's going to be a lot more practical. Troubleshooting will be a key factor for the entire exam. Security is no longer only a separate domain, it's woven throughout the exam. There's going to be some AI in there, of course, and the focus will be on practical assessment. Expect more scenarios and labs, and less memorization of commands.

The CCIE practical exams are getting an AI DOO module. Basically a separate 1h module where you can use assistant(s). This means DES will be 2h instead of 3h to make room for this new module. The tooling available will depend on what exam you take. First to launch, in Jun 2027, will be the CCIE DC.

The CCIE Automation is getting updated to version 1.2. It will also have a troubleshooting-first approach, gets increased focus on AI, MCP, etc., and removes some things like NSO while adding network as code. The lab exam environment is also getting updated with new images for devices, and updates to the candidate workstation.

If you want to know more, I've written a blog post covering all of this in detail.

reddit.com
u/ddib — 18 hours ago
▲ 3 r/Cisco

Cisco LIFT salary

In the process of recruiting for a variety of FLDP and leadership finance positions. No public data available for the position, and curious about the salary range in the RDU area. Thanks!

u/SkyProud599 — 1 day ago
▲ 12 r/Cisco

Download site says I'm in prohibited country.

Multiple machines at multiple locations - all in the US - are giving us an error that based on our IP info, we are in a prohibited territory not authorized to receive Cisco products without an export license.

All of the IPs are in the United States, and every geoip check I do verifies that.

Is this a widespread issue, or maybe something with our account?

u/elpollodiablox — 2 days ago
▲ 2 r/Cisco

IOS-XR - ASR9K bit by "cef adjacency route override rib" ?

I ran into a really odd forwarding issue on IOS-XR (reproduced on XR 6.4, 6.8 and 7.0) on ASR9Ks and was curious if anyone else has seen something similar.

Scenario:

  • OSPF external route installed normally
  • RIB looked correct
  • CEF looked correct
  • show cef exact-route also pointed to the expected next-hop/interface
  • No recursive weirdness or obvious stale adjacency
  • Interfaces and adjacencies all healthy

Example:

ASR9K showed traffic for the destination should forward directly out BE20/BE21 toward router .209:

show cef exact-route <src> <dst>

via Bundle-Ether20
next-hop x.x.x.209
local adjacency

However, live traffic behavior did not match that forwarding path.

Traceroutes and interface counters showed the traffic was actually traversing an entirely different inter-router link to another XR/NCS router first, then returning, and only THEN forwarding toward the final destination.

Example path observed:

... -> x.x.x.252 -> x.x.x.240 -> x.x.x.241 -> x.x.x.209 -> destination

The .240/.241 link is an internal P2P between the ASR9K and an NCS box that should not have been in the forwarding path at all for this destination.

This was not just a traceroute artifact either. I confirmed the unexpected path by watching symmetric traffic counters on the inter-router link carrying the actual flow traffic.

What made this especially confusing:

  • The ASR9K routing table never showed the NCS as a next-hop
  • CEF never showed the NCS as a next-hop
  • show cef exact-route still showed the “correct” adjacency
  • Downstream routers also appeared to have sane FIB entries

Yet IPv4 traffic clearly traversed the wrong path before returning.

Even stranger:

  • IPv6 for the same destination family/path behaved correctly
  • Issue only appeared in IPv4

While digging around I found references to:

cef adjacency route override rib

possibly affecting this type of behavior, but I have not enabled/tested it yet until I better understand the implications.

Has anyone run into XR forwarding behavior where:

  • actual packet forwarding diverges from visible RIB/CEF output
  • traffic traverses a non-installed adjacency/path
  • or where adjacency override / distributed CEF programming caused unexpected transit paths?

Curious whether this is:

  • an XR forwarding quirk
  • stale distributed FIB programming
  • adjacency rewrite behavior
  • LC vs RP FIB inconsistency
u/NetSchizo — 2 days ago
▲ 1 r/Cisco

Switch multiple IPs

We move our switches a lot and use them at multiple locations, so I am looking for a way where I can have a DHCP and static IP for the same switch, the static just for backup.

Any good way to do this? I know an SVI can't have both a primary IP from DHCP and a static secondary, so is the only option another VLAN and just having 2 SVI interfaces?

u/jackhold — 2 days ago
▲ 20 r/Cisco

Monitoring tool maintenance is starting to consume more time than the actual infrastructure

My monitoring environment has gradually become its own engineering project. Every new device onboarding requires manual tweaks, custom thresholds, dependency adjustments and alert cleanup. We reached a point where only one or two people fully understand how everything is wired together, which makes troubleshooting stressful whenever they are unavailable. I still want detailed visibility and reliable alerting, but maintaining the monitoring stack itself shouldn't feel like a second full-time job. I want to know how other teams reduced operational overhead without sacrificing monitoring quality.

u/Clark12-002 — 4 days ago
▲ 1 r/Cisco

Trunking via Catalyst Center

Hey All, I’m starting to get into Catalyst Center and building some simple templates to automate stuff like pushing VLANs and other small configs.

I’m not very good with the scripting part yet, so not sure if that’s the answer to my issue. I’m wondering if I can use Catalyst Center to not only push the VLANs to each switch, but would it be able to trunk the VLAN also?

I don’t mean typing the interface in the template and adding it that way. I mean having Catalyst Center, or a script, being able to ID ports that are already trunked and adding the new VLAN to those trunked ports.

We have some switches which act like cores so they have like 8 trunks going to the LAN, and the other side of that is the opposite end is only using one interface to trunk. So can Catalyst Center do that and if so, is it a script?

u/zero043 — 3 days ago
▲ 9 r/Cisco

What is the remote work policy like? Can you for example work from another city, state, or country for a certain amount of time?

Would love to hear your experiences with this

u/Impossible-Trick5098 — 4 days ago
▲ 5 r/Cisco

Power for a Cisco 9130AXI

Hello there. My institution was doing giveaways and I managed to get a Catalyst 9130AXI access point. I changed it to EWC, tested it and it works as it should. However, I have a problem. The switch that I'm using supports the 30W PoE+ that this AP needs to work, BUT it isn't capable of doing LLDP power negotiation with the AP. It is basically an injector. I tested it with a splitter and its maximum capacity per port is 35W before shutting down the port. I've read another post with a similar problem and someone suggested turning off CDP and USB, but neither of those worked; the AP still sits in MIMO 1x1. Does anyone have any idea how to fix this, or is there a method to make the AP "think" it has full PoE budget? Right now buying more equipment such as a PoE+ switch or the Cisco injector is really difficult and not in mind. Thanks, any help is welcome.

u/Ancient-Ad3997 — 5 days ago
▲ 0 r/Cisco

Cisco Appraisal eligibility question

If I join in the month of June, will I be eligible for a hike & promotion in the Sep-Oct appraisal cycle?

u/Apprehensive-Fig-22 — 5 days ago
▲ 176 r/Cisco+1 crossposts

Dear Cisco: Get fucked. I hope the AI wipes out your entire production database in 9 seconds just like it did to another company 2 weeks ago.

u/EvilEarthWorm — 7 days ago
▲ 1 r/Cisco

Downgrade to AireOS version on Cisco 3802i

I have a Cisco 3802i AP running 17.15.4 but need to downgrade so I can join a WLC version of 8.2.170.0.

When I try to downgrade using the archive download-sw it says it can't downgrade because the OS is too old. I'm trying to load 15.3.3 JC15 onto it. I tried to get it to downgrade from the U-Boot menu, but had no luck. I cannot upgrade the controller. I've been at this for a couple hours and couldn't get anywhere.

u/RealJoshLee0 — 5 days ago
▲ 9 r/Cisco

Cisco Nexus 9k licenses for NX-OS

We have a VXLAN-EVPN multisite fabric running on Nexus 9K hardware. The switches run NX-OS and the fabric was provisioned by Ansible. No ACI. No Cisco Nexus Dashboard.

License usage reported by the switches running NX-OS 10.4(6):

# spine# show license summary
License Usage:
License                    Entitlement tag                   Count   Status
LAN license for Nexus 9... (LAN_ENTERPRISE_SERVICES_PKG)       1     IN USE

# leaf# show license summary
License Usage:
License                    Entitlement tag                   Count   Status
LAN license for Nexus 9... (LAN_ENTERPRISE_SERVICES_PKG)       1     IN USE

# border-leaf# show license summary
License Usage:
License                    Entitlement tag                   Count   Status
FAB License for Nexus 9... (VPN_FABRIC)                        1     IN USE
LAN license for Nexus 9... (LAN_ENTERPRISE_SERVICES_PKG)       1     IN USE
ACI Security Add-On Lic... (SECURITY_PKG)                      1     IN USE

According to the "Cisco NX-OS Licensing Options Guide", these are Feature-Based Licenses (End of Sale).

The fabric has been running for years, and support and subscription entitlements are now up for renewal. In order to stay compliant, we have been told to purchase the DCN Essentials (leaf/spine), DCN Advantage (border-leaf) and Security add-on license (border-leaf) subscriptions, which align with Table 2 in the tier-based licenses model. However, I'm having a hard time understanding what we initially bought (feature-based licenses) and what we are actually "renewing". Is there no difference between NX-OS and ACI in terms of licenses anymore, and do I even have to renew these EOL feature-based licenses to stay compliant?

There is also a license navigator for Cisco Nexus, which in this case seems to point towards perpetual NX-OS advantage licenses. However, we are told that this isn't really being sold anymore.

u/jorniva — 7 days ago
▲ 5 r/Cisco

Cisco Online Emulators

Does anyone know if the emulators hosted on Cisco's site can be modified? When I go in and make changes and apply nothing sticks. I know it's not actually passing traffic or anything but I'd like to be able to get my changes to stick so I can see the changes across the screens. I could then take screenshots and send them to people who use these models and need some help. Specifically I'm looking at the Catalyst 1200 and 1300 switches but it doesn't seem to stick for any of them. Here's the site: https://www.cisco.com/c/en/us/support/smb/product-support/small-business/Device-Emulators-Small-Business.html

u/crazyhandpuppet — 6 days ago
▲ 2 r/Cisco

FEC counters?

Hi everyone,

I'm interested in finding FEC counters on my switchports, but I can't seem to actually find anything that shows this.

> show interface fec

This only shows the admin state and the operational state, but no table containing corrections.

> show interface ethernet 1/1 counters errors

This doesn't show anything relating to FEC.

> show system internal ethpm info interface ethernet 1/1

This doesn't return anything FEC related besides the interface's operational FEC state.

I've also opened a guestshell and checked ifconfig and ethtool, but I can't see anything related there. I'm running NXOS 10.4(4) on the following hardware:

C93180YC-FX

C93180YC-FX3

C9332D-GX2B

And NXOS 10.5(4) on C9332D-H2R

Does anyone know how I can go about this?

Many thanks for any help.

u/LivelyZoey — 7 days ago
▲ 1 r/Cisco

Cisco 2960-X Hangs during reset

Purchased used from a government auction. I'm attempting to reset it to factory defaults.

When I get to the prompt of:

Would you like to reset the system back to the default configuration (y/n)?Y

The system just hangs. I let it run for about 3 hours before I rebooted it. I've tried twice now. Am I doing something wrong?

1. Hold Mode button while plugging it in.
2. Hold Mode button until the boot hangs (at USB Console INIT)
3. Let mode button go, and the above message (with a disclaimer about password-recovery mechanism is disabled.)

Am I doing something wrong here?

u/satisfactorypoop — 7 days ago
▲ 2 r/Cisco

Smart Licensing

Smart Account License Registration

Hello, I am new to Cisco's smart account system and I bought switches at auction that have prepaid licenses that are "not covered" after registering them to my account.

I just want to start from scratch and not "overuse" licenses from the previous owner. How do I go about wiping all licensed features off of these switches and registering them as default new devices to my smart account so I can put proper in-compliance licenses on them?

The switches are four Catalyst 3650-PS's.

The current IOS code is 9.16.12.05.

u/Suspicious_Surprise1 — 9 days ago