Cisco Catalyst 9000 Series Switches: The Complete 2026 Guide
Everything you need to evaluate, compare, and select the right Catalyst 9000 switch — from the entry-level 9200 to the 400G 9600 core — in one place.
The Cisco Catalyst 9000 family is the most widely deployed enterprise switching portfolio in the world, and for good reason: a single hardware and software architecture stretches from a compact closet switch all the way to a redundant 400G modular core. That consistency is the whole point. The same Cisco IOS XE image, the same programmable ASICs, the same security and automation model run across every series, so a feature you learn on a 9300 behaves the same way on a 9500. This guide walks the entire portfolio the way a network architect actually evaluates it — by role in the network, by form factor, and by the capabilities that decide a purchase.
We will cover what the Catalyst 9000 series is, the shared architecture underneath it, a portfolio-wide comparison, each series in detail (with the real line-card and stacking data), the platform capabilities that matter most — resiliency, application hosting, MACsec, the on-box ASAc firewall, and Software-Defined Access — plus management options, licensing, migration paths off older Catalyst switches, and a practical decision framework. If you are sizing a refresh or replacing end-of-life hardware, this is the reference to keep open.

Quick answer: which Catalyst 9000 switch should you choose?
Choose the Catalyst 9000 switch by network role first, then by PoE, uplink speed, availability, and management model. Most access refreshes start with Catalyst 9200 or 9300; chassis access and distribution designs use Catalyst 9400; aggregation and core designs move to Catalyst 9500 or 9600.
| Requirement | Start with | Why it fits |
|---|---|---|
| Cost-sensitive branch or standard campus access | Catalyst 9200 / 9200L | Entry access switching with Cisco IOS XE, stacking, PoE options, and Catalyst Center support. |
| Compact access, retail, classrooms, or shallow spaces | Catalyst 9200CX / 9300LM | Compact or shallow-depth designs for locations where a standard 1RU access switch does not fit. |
| Premium access with high PoE, mGig, modular uplinks, and richer security | Catalyst 9300 / 9300X | The default enterprise access choice, with higher stacking bandwidth, UPOE+ options, app hosting, and stronger expansion paths. |
| Modular access or distribution with supervisor redundancy | Catalyst 9400 / 9400X | A chassis platform for high-density access, line-card flexibility, redundant supervisors, and long-lived wiring-closet deployments. |
| Fixed aggregation or collapsed core | Catalyst 9500 / 9500X | Fixed core and aggregation switching where high-speed uplinks and StackWise Virtual are needed without a chassis. |
| Large campus core with maximum availability and line-card flexibility | Catalyst 9600 / 9600X | Modular core switching for supervisor redundancy, high port density, 100G/400G growth, and long-term chassis investment protection. |
A practical way to size a deployment is to answer five questions for each layer:
- What is the role? Access, distribution, or core. This narrows the family immediately — access points you toward 9200/9300, the core toward 9500/9600.
- How much PoE do endpoints need? Basic PoE+ may suit a 9200; 90W UPOE+ for advanced cameras, lighting, and high-end access points points toward 9300 or a 9400 UPOE+ line card.
- What uplink speed back to distribution/core? 1/10G is fine for many access blocks; 25G, 40G, or 100G for high-density access argues for 9300X uplinks or a 9500/9600 aggregation tier; 400G in the core points to the 9500X/9600X.
- How important is availability? If a failure in this block is unacceptable, choose a chassis (9400/9600) with redundant supervisors, or a StackWise Virtual pair, over a single fixed switch.
- What capabilities are mandatory? Hardware MACsec, on-box ASAc firewall, SD-Access fabric role, application hosting — confirm the chosen model and license tier support them.
To translate that into typical recommendations: for cost-sensitive branch and campus access, the 9200/9200L (or 9200CX where space is tight) deliver intent-based essentials at the lowest cost. For premium access that must last and host advanced services, the 9300 (or 9300X for the highest uplink and stack bandwidth, 9300LM where depth is constrained) is the default choice. For access or distribution that demands chassis redundancy, the 9400 brings supervisor and power redundancy with high-power line cards. For aggregation and collapsed cores, the fixed 9500 (or 9500X for 400G) is efficient and simple. For the large campus core that an entire site depends on, the modular 9600 (or 9600X for 400G and maximum scale) provides the redundancy, density, and long-term line-card upgrade path that justify a chassis.
Need help sizing or sourcing a Catalyst 9000 deployment?
Layer23-Switch supplies brand-new, factory-sealed Cisco Catalyst 9000 switches, supervisors, line cards, and uplink modules, with global shipping, 3-year warranty, and BOM review support. Browse our Catalyst 9000 range or contact our team for a bill-of-materials review against your design.
What is the Cisco Catalyst 9000 series?
The Cisco Catalyst 9000 series is Cisco’s flagship enterprise switching portfolio, spanning fixed and modular Ethernet switches for the campus access, distribution, and core layers. It comprises five primary families — Catalyst 9200, 9300, 9400, 9500, and 9600 — that all run a common Cisco IOS XE operating system on programmable ASICs, and all support the same intent-based networking, Software-Defined Access, telemetry, and security capabilities. Models range from compact 8-port fanless switches to redundant 10-slot chassis delivering 400G.
What sets the Catalyst 9000 apart from previous Cisco switching generations is design intent. These switches were built for a world of wireless-everywhere access, distributed applications, and zero-trust security, rather than retrofitted for it. Three ideas run through the entire portfolio: programmable hardware (custom Cisco UADP and Cisco Silicon One ASICs that can be updated in the field), an open and model-driven operating system (Cisco IOS XE with NETCONF, RESTCONF, and YANG), and on-box compute (an x86 CPU that can host containerized applications directly on the switch). Together they make a Catalyst 9000 switch far more than a port-forwarding device.
The portfolio is positioned as a single system rather than a collection of products. A campus built entirely on Catalyst 9000 switches shares one licensing model, one automation controller (Cisco Catalyst Center), one assurance and telemetry pipeline, and one security fabric. That coherence reduces operational complexity, shortens troubleshooting, and means an investment in skills and tooling pays off across every layer of the network.
Why choose Catalyst 9000, and who is it for?
Catalyst 9000 switches are designed for enterprise and public-sector organizations that need a long-lived, securable, automatable campus network. They are the right choice when you want consistent capabilities from the wiring closet to the core, hardware-based encryption and segmentation, on-box application hosting, and the option to manage on-premises (Catalyst Center) or from the cloud (Meraki dashboard) without changing hardware.
The portfolio suits a wide range of buyers. A mid-size business standardizing its first intent-based network gains a clean upgrade path: start with 9200 or 9300 access and grow into 9500 aggregation without re-platforming. A large enterprise or campus benefits from the resiliency and density of the 9400 and 9600 modular systems and from Software-Defined Access for identity-based segmentation at scale. Organizations with strict compliance requirements — finance, healthcare, government — lean on the Catalyst 9000’s trustworthy-systems foundation, MACsec encryption, and the ability to insert a stateful firewall directly into the access layer.
Three buyer scenarios recur. First, the greenfield campus, where the goal is a future-ready fabric and the decision is mostly about sizing each layer. Second, the refresh, where older Catalyst 2960, 3650, 3850, or 4500 hardware is reaching end-of-life and the 9000 series provides the modern replacement with an investment-protection story. Third, the targeted upgrade, where a specific capability — 90W UPOE+ for new devices, multigigabit for Wi-Fi 6/6E access points, 100G or 400G uplinks, or on-box security — drives the purchase. This guide addresses all three.
The shared architecture: ASICs, IOS XE, and on-box compute
Every Catalyst 9000 switch is built from the same three building blocks: a programmable ASIC (Cisco UADP on most platforms, Cisco Silicon One on the newest “X” core models), the Cisco IOS XE operating system, and an x86 multicore CPU for application hosting. Because the building blocks are shared, the same binary image and the same feature set run across platforms, which is what makes the portfolio behave as one system.

Programmable ASICs: UADP and Silicon One
The data plane is where Cisco invests most heavily. Most Catalyst 9000 switches use the Unified Access Data Plane (UADP) ASIC, a programmable chip whose microcode can be updated to support new protocols and features without replacing hardware. UADP has evolved across generations (for example UADP 2.0 and UADP 3.0 on different 9300, 9400, and 9500 models), each adding capacity, buffering, and encryption throughput. The newest core-class “X” platforms — the Catalyst 9500X and 9600X — introduce Cisco Silicon One (the Q200 generation), the same routing-and-switching silicon family Cisco uses in service-provider and data-center products, bringing very high scale, deep buffers, and 400G readiness to the campus core.
The practical takeaway for a buyer is that programmability protects your investment. Features that arrive in later IOS XE releases — new encryption modes, segmentation behaviors, telemetry — are often delivered to hardware already in the field, because the ASIC was designed to absorb them.
Cisco IOS XE: one open, model-driven OS

Cisco IOS XE is the single operating system across the portfolio, and it is built on four pillars. It is modular, so it supports patching and in-service software upgrades rather than monolithic reloads. It is programmable, exposing the network through open, standards-based interfaces — NETCONF, RESTCONF, gNMI, gRPC — and YANG data models, which is what allows automation tools and controllers to configure devices at scale. It is secure, with industry-first hardware trust anchors and runtime defenses (more on this below). And it is resilient, with high-availability features built into the OS. One OS across every layer means one configuration model, one automation surface, and one set of skills.
On-box application hosting
Because each switch carries an x86 CPU with its own memory and storage, Catalyst 9000 platforms can host containerized (Docker) applications directly on the switch. This turns the access layer into a distributed compute fabric for network-adjacent services — running a monitoring agent such as Cisco ThousandEyes natively on the switch, hosting a lightweight security function, or running custom tooling at the edge. We return to specific use cases in the capabilities section, but architecturally it is one of the defining differences between the Catalyst 9000 and conventional switches.
Catalyst 9000 portfolio at a glance
The five families map cleanly to network roles: the 9200 and 9300 are fixed access switches (entry and premium), the 9400 is a modular access/aggregation chassis, and the 9500 (fixed) and 9600 (modular) serve aggregation and the campus core. Compact variants — 9200CX, 9300LM — extend the access families into space-constrained and shallow-depth deployments.
The table below summarizes how the families differ. Treat it as a routing map for the detailed sections that follow; exact port counts, uplink modules, and licensing depend on the specific model.
| Series | Form factor | Primary role | Typical uplinks | Stacking | PoE up to |
|---|---|---|---|---|---|
| Catalyst 9200 / 9200L | Fixed 1RU | Entry access | Fixed or modular 1/10/25G | StackWise-160/80 | UPOE / PoE+ |
| Catalyst 9200CX | Fixed compact, fanless | Compact access | Fixed | — | UPOE / 60W mGig |
| Catalyst 9300 / 9300X | Fixed 1RU, stackable | Premium access | Modular 1/10/25/40/100G | StackWise-480 / StackWise-1T | UPOE+ (90W) |
| Catalyst 9300LM | Fixed, shallow depth | Compact / closet access | Fixed uplinks | StackWise | UPOE / PoE+ |
| Catalyst 9400 / 9400X | Modular chassis (4/7/10-slot) | Access & aggregation | Supervisor uplinks | Supervisor redundancy | UPOE+ (90W) |
| Catalyst 9500 / 9500X | Fixed 1–2RU | Aggregation / core | 10/25/40/100/400G | StackWise Virtual | — (non-PoE) |
| Catalyst 9600 / 9600X | Modular chassis (6-slot) | Campus core | Line-card 40/100/200/400G | StackWise Virtual | — (non-PoE) |

The fixed-versus-modular choice underlies much of the portfolio. Fixed switches (9200, 9300, 9500) are simpler, lower-cost, and quick to deploy, and they scale by stacking. Modular chassis (9400, 9600) cost more and add complexity, but they deliver supervisor and power redundancy, in-chassis serviceability, and the ability to mix line cards as needs change. As a rule of thumb: stack fixed switches where you want simplicity and pay-as-you-grow access; choose a chassis where you need maximum availability, the highest port densities, or long-lived investment protection through line-card upgrades.
Where each switch fits in campus design
In a classic three-tier campus, the access layer connects endpoints, the distribution layer aggregates access, and the core provides high-speed transit between distribution blocks. Catalyst 9200/9300/9300LM/9200CX serve access; 9400 serves access and distribution; 9500 serves distribution and small cores; and 9600 serves the campus core. Smaller sites often collapse distribution and core into a single tier built on 9500 or 9600.

Campus networks are organized around endpoint access. The access layer is where users, phones, access points, cameras, and IoT devices connect, so it is where port density, PoE, and security enforcement matter most. The distribution layer aggregates many access switches and applies policy and routing. The core moves traffic between distribution blocks at the highest speeds with the least delay. Not every network needs all three physical tiers — a single building may use a collapsed core that merges distribution and core — but the logical roles always exist, and matching the right Catalyst 9000 platform to each role is the essence of design.

Access positioning also depends on the environment. A simple branch may need only entry-level 9200 switches with basic PoE. A business-critical branch benefits from 9300 access with redundancy, multigigabit, and richer security. A secure, resilient campus combines 9300 or 9400 access, 9500 or 9600 aggregation and core, and Software-Defined Access for segmentation. The sections that follow take each series in turn, starting at the access edge and moving toward the core.
Entry and compact access: Catalyst 9200, 9200L, and 9200CX
The Catalyst 9200 is the entry-level access switch in the portfolio, bringing intent-based networking essentials to cost-sensitive deployments. It offers fixed or modular uplinks, StackWise-160/80 stacking with Stateful Switchover, and the same IOS XE foundation as the rest of the family. The 9200L is a streamlined fixed-uplink variant, and the 9200CX is a compact, fanless switch for distributed and space-constrained sites.

The Catalyst 9200 delivers the essentials of the Catalyst 9000 experience at an accessible price point. It runs Cisco IOS XE, supports Full-Flexible NetFlow streaming telemetry, includes hardware-based MACsec on capable models, and participates in Catalyst Center automation — so an organization standardizing on intent-based networking does not have to drop to a different operating model for its budget-tier access. Models come with fixed uplinks or modular uplinks (1/10/25G), and with a range of PoE options, letting you match the switch to branch and campus access roles.

The 9200 supports StackWise-160 (and StackWise-80 on certain models) with Stateful Switchover, so up to eight switches operate as a single resilient unit with consistent management — a meaningful capability at this tier, where stacking is often where competitors cut corners. As with the 9300, the same Cisco IOS XE and license are required across all members of a stack. The dedicated stacking kit (cables and adapters) connects the members at the rear.

The Catalyst 9200CX is a compact, fanless switch for places a standard 1RU switch cannot go — open offices, retail spaces, classrooms, and other distributed locations. It is offered in 12-port and 8-port models, including data, PoE+, and pass-through variants, and a multigigabit 60W option for higher-power devices. Despite its size it carries the Catalyst 9000 software foundation, including MACsec encryption and Catalyst Center manageability, and is positioned as the modern, secure replacement for older compact switches such as the Catalyst 3560-CX.
Fixed-access stackables: Catalyst 9300, 9300X, and 9300LM
The Catalyst 9300 is Cisco’s premium fixed-access stackable switch, and the most popular member of the entire portfolio. It offers modular uplinks (1G to 100G), high-bandwidth stacking (StackWise-480, or StackWise-1T on the 9300X), 90W UPOE+, on-box application hosting, and full security and SD-Access support. The 9300X adds higher uplink speeds and stacking bandwidth; the 9300LM is a shallow-depth, fixed-uplink variant for space-constrained closets.

The Catalyst 9300 is where most enterprise endpoints connect. It comes in copper and fiber models with port counts from 24 to 48 (and high-density variants), and its defining feature is modularity through swappable uplink modules: you can equip the same switch with 1G, 10G, 25G, 40G, or 100G uplinks depending on how much capacity the access block needs back to distribution. Combined with up to 90W UPOE+ per port, multigigabit options for Wi-Fi 6/6E access points, and on-box app hosting, the 9300 is a genuinely future-ready access switch rather than a commodity edge device.

The Catalyst 9300X is the high-performance evolution of the 9300. It raises uplink options up to 100G and doubles stacking bandwidth with StackWise-1T (1 Tbps of stack capacity), and it strengthens on-box capabilities including application hosting and hardware encryption. Where a standard 9300 covers most access needs, the 9300X suits access blocks that must push far more traffic back to the core, or that will host more demanding on-box workloads.
Catalyst 9300 stacking

Stacking is central to the 9300 value proposition. StackWise lets multiple physical switches operate as one logical switch with a single management point, shared uplinks, and resilient data paths. The standard 9300 uses StackWise-480 (480 Gbps of stack bandwidth); the 9300X uses StackWise-1T (1 Tbps). One important planning rule: you stack like with like — modular 9300 models stack with other modular 9300 models, and fixed-uplink models stack with their own kind — so mixing radically different model types in one stack is not supported. Plan a stack as a homogeneous group.
Catalyst 9300LM

The Catalyst 9300LM is a shallow-depth, fixed-uplink member of the 9300 family aimed at closets and cabinets where a full-depth switch will not fit. It carries the 9300’s software stack — the same IOS XE, security, and Catalyst Center support — in a compact chassis with fixed (rather than modular) uplinks. It is also positioned as the modern replacement for older compact switches such as the Catalyst 3650-mini, which we cover in the migration section. For organizations that love the 9300 feature set but are constrained by physical depth, the 9300LM is the answer.
Modular access and aggregation: Catalyst 9400
The Catalyst 9400 is a modular chassis for the access and distribution layers, available in 4-slot, 7-slot, and 10-slot models. It combines chassis-grade redundancy — redundant supervisors and power — with high-density, high-power access, including 90W UPOE+ line cards. It is the platform of choice when you want modular serviceability and supervisor redundancy at the access edge rather than only in the core.

The Catalyst 9400 brings the benefits of a chassis to the access layer. The C9404R (4-slot), C9407R (7-slot), and C9410R (10-slot) accommodate different densities while sharing supervisors and line cards. Redundant supervisors deliver Stateful Switchover so that an access block can survive a control-plane failure, and redundant, hot-swappable power and fans keep the system serviceable in production. For a wiring closet or building distribution that aggregates hundreds of endpoints — and where downtime is costly — the 9400’s redundancy is the differentiator over stacked fixed switches.

Like the 9600, the 9400 has multiple supervisor options. The original Supervisor-1 and Supervisor-1XL anchor the standard 9400, optimized for rich access features and high per-slot bandwidth. The newer 9400X supervisors — Supervisor-2 and Supervisor-2XL — raise per-slot bandwidth substantially, which is what lets the same Gen 1 line cards deliver more throughput when paired with a Gen 2 supervisor. The chassis is common across supervisor generations, so a 9400 can be upgraded to 9400X bandwidth by swapping supervisors rather than replacing the chassis.
Catalyst 9400 line cards

The 9400’s flexibility comes from its line cards. Copper cards span plain data, PoE+, UPOE, and 90W UPOE+, plus multigigabit options for high-speed Wi-Fi access points; fiber cards provide SFP/SFP+ and higher-speed options for uplinks and fiber-attached devices. Choosing line cards is how you tune a 9400 to its role — for example, UPOE+ cards for a floor full of powered devices, or multigigabit cards where new access points exceed 1G.
Catalyst 9400 supervisor + line-card support matrix
Per-port bandwidth depends on the supervisor and chassis. The matrix below shows the throughput each line card achieves with the Gen 1 supervisors (per chassis slot count) versus the 9400X Gen 2 supervisors. Gen 2 line cards are not supported on the Gen 1 supervisors.

| Line card | Type | SUP-1/1XL (9404R / 9407R / 9410R) | 9400X SUP-2 | 9400X SUP-2XL |
|---|---|---|---|---|
| C9400-LC-48HX | UPOE+ | Not supported | 240 | 480 |
| C9400-LC-48XS | Fiber | Not supported | 240 | 480 |
| C9400-LC-24XY | Fiber | – | 240 | 480 |
| C9400-LC-12QC | Fiber | – | 240 | 480 |
| C9400-LC-48UX | UPOE | 80/240 · 80/120 · 80 | 240 | 240 |
| C9400-LC-24XS | Fiber | 80/240 · 80/120 · 80 | 240 | 240 |
| C9400-LC-48HN | UPOE+ | 80/120 · 80/120 · 80 | 240 | 240 |
Bandwidth in Gbps. The headline benefit: pairing existing Gen 1 line cards with a SUP-2XL delivers up to 3× bandwidth uplift (80G→240G) on a 10-slot chassis and 2× (120G→240G) on a 7-slot chassis — investment protection without replacing line cards.
Core switches: Catalyst 9500 and 9600 (and the X models)
The Catalyst 9500 is a fixed core/aggregation switch and the Catalyst 9600 is a modular core chassis; together they cover the full range of campus core requirements. The 9500 suits collapsed cores, fabric borders, and aggregation where a fixed form factor is sufficient. The 9600 suits large campus cores that need supervisor redundancy, line-card flexibility, and the highest densities. The newer 9500X and 9600X add Cisco Silicon One for 400G and very large scale.

The 9500 and 9600 occupy the same tier but answer different questions. Choose the 9500 when a fixed switch provides enough ports and you value simplicity and lower cost — common in collapsed cores, SD-Access fabric borders and control nodes, and distribution layers. Choose the 9600 when you need a chassis: redundant supervisors for the highest availability, the ability to grow and mix line cards over a long lifecycle, and the largest port counts in a single managed system. Both support StackWise Virtual, which pairs two switches into a single logical device for resilient, loop-free designs.

Cisco frames the choice as feature-optimized versus performance-optimized. The feature-optimized path — Catalyst 9500 and 9600 with their original supervisors — delivers the rich campus feature set most enterprises need. The performance-optimized path — Catalyst 9500X and 9600X built on Cisco Silicon One Q200 — targets the highest throughput, the deepest buffers, and 400G, for cores that must scale for years. If your roadmap includes 100G to the distribution today and 400G in the core tomorrow, the X models are designed for that trajectory.
Catalyst 9600 modular chassis

The Catalyst 9600 is a 6-slot modular chassis (the C9606R) engineered for the campus core. It accepts redundant supervisor engines and multiple line cards, with redundant power supplies and fans, so that no single component failure takes the system down. Supervisor redundancy in particular — an active and a standby supervisor running Stateful Switchover — is what lets the 9600 ride through a control-plane failure without dropping the network. For a core that an entire campus depends on, that redundancy is the reason to choose a chassis over a fixed switch.

The 9600 has two supervisor generations. The original Supervisor 1 (C9600-SUP-1) anchors the feature-optimized 9600. The newer Supervisor 2 (C9600X-SUP-2), based on Silicon One, anchors the performance-optimized 9600X and unlocks higher throughput, larger route scale, and 400G line cards. Critically, the chassis is common across both, so a 9600 can be upgraded toward 9600X capabilities by changing supervisors and line cards rather than replacing the system — a strong investment-protection story for a core platform.
Catalyst 9600 line-card support matrix
The line cards available to a 9600 depend on the supervisor installed. The matrix below reflects which cards are supported on the Supervisor 1 versus the 9600X Supervisor 2, along with their port configurations — the single most useful reference when planning a 9600 build.

| Line card | On C9600-SUP-1 | On C9600X-SUP-2 |
|---|---|---|
| C9600-LC-24C | 24× 40G or 12× 100G | 24× 40G/100G (no MACsec) |
| C9600-LC-48YL | 48× 1/10G and 25G | 48× 10/25G and 50G* (no MACsec, no 1G) |
| C9600-LC-48TX | 48× 1/2.5/5G and 10G (multigigabit) | 48× 10G (no MACsec, no 1/2.5/5G) |
| C9600-LC-48S | 48× 1G SFP | Not supported |
| C9600-LC-40YL4CD | 40× 1/10G and 25G + 2× 40G and 100G | 40× 10/25G and 50G* + 2× 40/100G and 200G* + 2× 40/100/200G* and 400G (MACsec and WAN MACsec, no 1G) |
| C9600-LC-32CD | Not supported | 30× 40/100G + 2× 40/100/200G* and 400G (MACsec and WAN MACsec, no 1G) |
| C9600X-LC-56YL4C | Not supported | 56× 10/25G and 50G* + 4× 40/100G (MACsec and WAN MACsec, no 1G) |
*Roadmap/line-rate notes follow Cisco’s published support matrix. A key planning rule: the 9600X Supervisor 2 does not support 1GE or below, so if you need 1GE downlinks in the core, position Supervisor 1.
Catalyst 9500 fixed core, and the 9500X / 9600X

The Catalyst 9500 is a fixed-configuration core and aggregation switch, available in purpose-built models that range from high-density 25G to 40G and 100G, with StackWise Virtual for resilient pairs. It is the workhorse for collapsed cores and fabric roles where a chassis would be overkill. The Catalyst 9500X extends the line with Silicon One: notable models include the C9500X-28C8D and the C9500X-60L4D, bringing 100G and 400G interfaces, deep buffers, and advanced encryption (LAN and WAN MACsec) to a compact fixed form factor. For organizations standardizing on high-speed fixed cores, the 9500X pairs the simplicity of a fixed switch with core-class scale.
Key platform capabilities
Beyond ports and speeds, the Catalyst 9000’s value lies in shared capabilities: high availability at every layer, on-box application hosting, native telemetry and assurance, and high-power PoE (up to 90W UPOE+). Because these capabilities live in the common architecture, they are available consistently across the access, distribution, and core platforms.

Resiliency on the Catalyst 9000 is layered. Platform resiliency comes from hardware: stacking on the 9300/9200, redundant supervisors on the 9400/9600, and redundant fans and power across the chassis platforms, so a single component failure does not bring down the switch. Design resiliency comes from features such as StackWise Virtual (two switches as one logical device) and non-stop forwarding with graceful restart, which keep traffic moving during a failover. Operational resiliency comes from software serviceability: In-Service Software Upgrade (ISSU) and patching let you update code with minimal or no traffic loss, and GIR (Graceful Insertion and Removal) lets you take a device out of service for maintenance without disruption. Downtime is expensive, and these features exist to eliminate it at every level.

Application hosting turns the switch into an edge compute node. Supported Catalyst 9000 platforms can run signed Docker containers on their x86 CPU, using dedicated app-hosting resources so that hosted workloads do not interfere with switching. The flagship example is running the Cisco ThousandEyes agent natively on a 9300 or 9400 — each switch becomes a vantage point for end-to-end visibility into application and service delivery, with no separate appliance to deploy. Other uses include lightweight security functions and custom monitoring or automation tooling at the edge. This is a capability conventional switches simply do not have.
The portfolio also leads on Power over Ethernet. Catalyst 9000 access platforms support the full range up to 90W UPOE+, enough to power lighting, advanced cameras, building sensors, and high-end access points directly from the switch — a foundation for smart, converged buildings where the network powers IT and operational-technology devices alike. PoE analytics in Catalyst Center help plan and right-size power across a deployment.
Security on Catalyst 9000
Security is built into the Catalyst 9000 hardware and software, not bolted on. It includes hardware-based MACsec encryption (Layer 2 and WAN MACsec), trustworthy-systems integrity protections, IPsec for site-to-site connectivity, the ability to host a stateful ASAc firewall directly on the switch, and full participation in Cisco Software-Defined Access for identity-based segmentation. Together these turn every switch into an enforcement point in a zero-trust architecture.

Encryption is performed in hardware so it does not cost throughput. Catalyst 9000 platforms support MACsec (including 256-bit MACsec on capable models) to encrypt traffic at Layer 2, and the higher-end platforms add WAN MACsec to secure traffic across a service-provider Layer 2 service or directly connected Layer 3 links between campuses. For organizations that must encrypt data in transit between buildings or sites — an increasingly common compliance requirement — hardware MACsec on the switch removes the need for separate encryption appliances.

One of the most distinctive Catalyst 9000 security capabilities is hosting the Cisco ASAc — a containerized ASA firewall — directly on the switch using the app-hosting infrastructure. The ASAc runs in routed mode and provides stateful inspection at the access layer, which is exactly where it is needed for IT/OT convergence and east-west segmentation: traffic that moves laterally between zones can be inspected near its source rather than being tunneled to a centralized firewall. The architectural payoff is fewer physical appliances, fewer complex tunnels, and lower latency for inspected traffic — particularly valuable in industrial and manufacturing environments where different zones must be separated by a firewall but deploying a physical firewall per zone is impractical.

Software-Defined Access (SD-Access) is Cisco’s fabric for the campus, and the Catalyst 9000 is its foundation. SD-Access creates a single automated fabric for wired and wireless, decouples policy from VLANs and IP addresses (so segmentation follows identity rather than network location), and adds AI-driven insight and telemetry. The result is consistent, identity-based policy enforced everywhere — the practical expression of zero trust for the workplace. Because every Catalyst 9000 switch can act as a fabric node, an organization can extend segmentation all the way to the access edge without special-purpose hardware.
Management: Catalyst Center and cloud monitoring
Catalyst 9000 switches can be managed on-premises with Cisco Catalyst Center or from the cloud with the Meraki dashboard — using the same hardware. Catalyst Center provides full automation, assurance, and SD-Access; cloud monitoring and cloud management via Meraki give a simpler, dashboard-driven operating model. This “your IT, your way” flexibility means the management choice is not locked to the switch you buy.

Cisco Catalyst Center (formerly Cisco DNA Center) is the on-premises controller and analytics platform at the heart of an intent-based campus. It provides a single management plane for the whole network, an automation engine for provisioning and configuration (including SD-Access fabric), and an assurance engine that uses telemetry and machine learning to surface issues, often before users notice them. It is available as a physical appliance or as a virtual appliance, and it is how large Catalyst 9000 deployments are operated at scale.

For organizations that prefer cloud simplicity, Catalyst switches can be monitored and, increasingly, fully managed from the Meraki dashboard — the same Catalyst 9000 hardware, a different operating model. Cloud monitoring gives device, client, and traffic visibility and a unified topology across IOS XE switches; cloud management brings dashboard-driven configuration. The spectrum runs from high-touch (Catalyst Center, maximum control and automation) to low-touch (Meraki cloud, maximum simplicity), and a buyer can choose — or change — without swapping switches.
Licensing: Network Essentials vs. Advantage
Catalyst 9000 switches use tiered software licensing — Network Essentials and Network Advantage — now delivered through the Cisco Catalyst software subscription for switching. Essentials covers core switching, routing, and security; Advantage adds advanced automation, SD-Access, and richer assurance. The subscription bundles the license, software support, and access to Cisco’s CX Cloud, and the Advantage tier includes embedded Cisco ISE entitlements for zero-trust security.

Licensing has been simplified over the life of the portfolio. The two functional tiers are Network Essentials and Network Advantage. Essentials provides the foundational Layer 2/Layer 3 features most networks run day to day. Advantage layers on the advanced capabilities — flexible automation, SD-Access fabric, advanced segmentation, and deeper assurance — that organizations adopt as they mature toward intent-based operations. The license tier is chosen per switch and should match the role the switch plays: Advantage where you run fabric and advanced automation, Essentials where you do not.
These licenses are now packaged in the Cisco Catalyst software subscription for switching, which combines the software license, base product-level support (including hardware replacement under the extended-lifetime warranty), and access to the CX Cloud experience into a single subscription. The model is designed to simplify procurement — one subscription rather than separately purchased licenses, support, and tools — and to keep software entitlements current over the subscription term.

A notable inclusion: the Advantage tier embeds Cisco Identity Services Engine (ISE) entitlements for zero-trust network security, with a number of endpoint sessions included per switch that scales by series — larger platforms (9600, 9500) include more endpoint sessions than smaller ones (9400, 9300). For organizations building identity-based segmentation, having ISE entitlements bundled with the switch subscription removes a separate licensing step and accelerates deployment. The ISE virtual machine is cloud-ready, simplifying the rollout of authentication and authorization across the campus.
Migration and replacement: moving off older Catalyst switches
The Catalyst 9000 series is the designated successor to Cisco’s previous-generation enterprise switches. Common upgrade paths are Catalyst 3650/3850 to Catalyst 9300, Catalyst 4500-E to Catalyst 9400, Catalyst 6500/6800 to Catalyst 9600, Catalyst 2960 to Catalyst 9200, Catalyst 3650-mini to Catalyst 9300LM, and Catalyst 3560-CX to Catalyst 9200CX. Always confirm the current end-of-sale and end-of-support dates and the exact replacement model on Cisco’s official lifecycle notices before you plan a migration.

Most enterprises arrive at the Catalyst 9000 through a refresh rather than a greenfield build, and the portfolio is explicitly structured to make those transitions clean. At the access layer, the 9300 replaces the 3650 and 3850 with a richer feature set, modular uplinks, and on-box capabilities; the 9300LM replaces the shallow-depth 3650-mini; and the 9200 and 9200CX replace the 2960 and 3560-CX families. In the chassis space, the 9400 is the modern equivalent of the 4500-E, and the 9600 succeeds the venerable 6500/6800 in the campus core. Each pairing delivers an investment-protection story: more bandwidth, modern security, and a longer support horizon.
One caution that matters for procurement: end-of-life dates and replacement mappings change, and they should always be verified against Cisco’s official end-of-sale and end-of-support announcements for the specific part number, not inferred from a model name. The comparison above (9300LM vs. 3650-mini) illustrates the feature-by-feature uplift, but the authoritative source for any migration plan is Cisco’s published lifecycle documentation for your exact SKU.
Buying considerations: warranty, support, and Catalyst vs. Meraki
Three factors decide a Catalyst 9000 purchase beyond the model itself: the warranty and support attached to it, whether to operate it with Catalyst Center or the Meraki cloud, and sourcing genuine, factory-sealed hardware. Catalyst 9000 switches carry Cisco’s Enhanced Limited Lifetime Warranty (E-LLW) with next-business-day hardware replacement, and base product-level support is included in the Catalyst software subscription.
On warranty and support, the Catalyst 9000 hardware is covered by Cisco’s Enhanced Limited Lifetime Warranty, which provides hardware replacement for as long as you own the product, typically with next-business-day advance replacement. Software support and access to Cisco’s TAC and CX Cloud come through the Catalyst software subscription tiers. For mission-critical sites, Cisco offers higher support levels (such as Success Tracks and Solution Support) that add faster response objectives and guided, use-case-driven adoption assistance. When budgeting a deployment, account for both the hardware and the subscription term, since the subscription is what keeps software entitlements and support current.
On Catalyst vs. Meraki, the question is not which hardware but which operating model, because Catalyst 9000 switches can be driven either way. Choose Catalyst Center when you want maximum control, full automation, SD-Access fabric, and deep, on-premises assurance — the right fit for large or highly regulated networks with dedicated network teams. Choose Meraki cloud management when you want operational simplicity, a single dashboard, and minimal on-premises infrastructure — often preferred by lean IT teams and distributed organizations. Because the same Catalyst hardware supports both, you are not locked in: you can start with one model and shift toward the other as your operations evolve.
On sourcing, enterprise switching is a target for counterfeit and gray-market hardware, and the risks — no warranty, no software entitlement, no TAC support, and potential security exposure — are real. Buying brand-new, factory-sealed units from a Cisco-authorized channel ensures the warranty and subscription entitlements actually apply, and that the hardware is genuine. Confirm that quoted part numbers match your design exactly (chassis, supervisor, line cards, uplink modules, power supplies, and the correct PoE budget), since a chassis platform in particular is only complete once every component is specified.
Frequently asked questions
What is the difference between Catalyst 9300 and 9500?
The Catalyst 9300 is a fixed-access stackable switch for connecting endpoints (with PoE, modular uplinks, and StackWise stacking), while the Catalyst 9500 is a fixed aggregation and core switch for high-speed transit between distribution blocks (with 25G/40G/100G interfaces, no PoE, and StackWise Virtual). In short, the 9300 lives at the access edge and the 9500 lives in aggregation or the collapsed core.
Is the Catalyst 9000 series still current in 2026?
Yes. The Catalyst 9000 remains Cisco’s flagship enterprise switching portfolio, and Cisco continues to extend it — most recently with the Silicon One-based 9500X and 9600X for 400G, the 9300X with StackWise-1T, and compact models such as the 9200CX and 9300LM. As always, verify the lifecycle status of any specific part number on Cisco’s official end-of-sale and end-of-support notices before purchasing.
What is the difference between Network Essentials and Network Advantage?
Network Essentials provides foundational Layer 2/Layer 3 switching, routing, and security features. Network Advantage adds advanced automation, Software-Defined Access fabric support, advanced segmentation, deeper assurance, and (in the current subscription) embedded Cisco ISE endpoint entitlements. Choose Advantage where you run SD-Access or advanced automation; Essentials is sufficient for standard switching.
Can Catalyst 9000 switches be managed from the cloud?
Yes. Catalyst 9000 switches can be managed on-premises with Cisco Catalyst Center or monitored and managed from the cloud via the Meraki dashboard — using the same hardware. This lets organizations choose between a high-touch, fully automated model (Catalyst Center) and a simpler, dashboard-driven cloud model (Meraki) without changing switches.
What is UPOE+ and which switches support it?
UPOE+ delivers up to 90W of power per port over Ethernet — enough for lighting, advanced cameras, building sensors, and high-end access points. Among Catalyst 9000 platforms, 90W UPOE+ is supported on capable Catalyst 9300 models and on Catalyst 9400 UPOE+ line cards. Lower tiers (PoE+, UPOE) are available across the access portfolio for less demanding devices.
What stacking technologies do Catalyst 9000 switches use?
The Catalyst 9200 uses StackWise-160/80, the Catalyst 9300 uses StackWise-480, and the Catalyst 9300X uses StackWise-1T (1 Tbps). Fixed core/aggregation switches (9500, 9600) use StackWise Virtual to pair two switches into one logical device. As a rule, switches stack with their own model type, so plan each stack as a homogeneous group.
Can a Catalyst 9000 switch run a firewall?
Yes. Supported Catalyst 9000 platforms can host the Cisco ASAc — a containerized ASA firewall — directly on the switch using the on-box application-hosting infrastructure. Running in routed mode, it provides stateful inspection at the access layer, which is useful for IT/OT segmentation and east-west traffic inspection without deploying a separate physical firewall per zone.
Which Catalyst 9000 switch replaces the Catalyst 3850 (or 3650)?
The Catalyst 9300 is the designated successor to the Catalyst 3650 and 3850 at the access layer, offering modular uplinks, higher stacking bandwidth, on-box application hosting, and modern security. For shallow-depth 3650-mini deployments, the 9300LM is the equivalent. Always confirm the exact replacement SKU and lifecycle dates on Cisco’s official documentation for your specific part number.
What is the difference between Catalyst 9300 and 9300X?
The Catalyst 9300X is the higher-performance evolution of the 9300. It raises uplink options up to 100G (versus up to 40G on the standard 9300), doubles stacking bandwidth with StackWise-1T (1 Tbps versus StackWise-480), and strengthens on-box capabilities such as application hosting and hardware encryption. Choose the standard 9300 for typical premium access; choose the 9300X for access blocks that must push much more traffic to the core or host more demanding on-box workloads.
Do Catalyst 9000 switches support Wi-Fi 6E access points and multigigabit?
Yes. Catalyst 9000 access switches offer multigigabit (mGig) ports — 2.5G, 5G, and 10G over existing copper cabling — on capable 9300, 9400, and 9200 models, which is exactly what high-speed Wi-Fi 6 and Wi-Fi 6E access points need to exceed 1G. Combined with 90W UPOE+ to power those access points, the portfolio is designed to support modern high-density wireless without recabling.
What is StackWise Virtual?
StackWise Virtual is a technology that combines two physical switches — typically Catalyst 9500 or 9600 — into a single logical switch with one control plane and one management point. It enables resilient, loop-free network designs by presenting the pair as one device to neighboring switches, simplifying topologies and improving availability. It differs from StackWise stacking on the 9200/9300, which joins multiple fixed access switches over dedicated stacking cables.