Cisco Catalyst 9000 Licensing White Paper

White Paper

Updated: February 26, 2024

Introduction

This document explains the concept of Smart Licensing and its application in the context of the Cisco Catalyst 9000 family of switches. Smart Licensing is a licensing model developed by Cisco to simplify license management for its customers, allowing them to easily purchase, activate, and manage software licenses across their entire network. The Catalyst 9000 family is one of the key products that support Smart Licensing, offering customers enhanced visibility and control over their license usage and entitlements. With Smart Licensing Using Policy on the Catalyst 9000 family of switches, organizations can manage licenses efficiently, optimize license utilization, maintain compliance, and minimize the risk of licensing violations. This document provides an overview of Smart Licensing Using Policy and its benefits.

Smart Licensing overview

Cisco Smart Licensing is a flexible licensing model that provides you with an easier, faster, and more consistent way to purchase and manage software across the Cisco® portfolio and across your organization. And it’s secure—you control what users can access. With Smart Licensing you get:

     Easy activation: Smart Licensing establishes a pool of software licenses that can be used across the entire organization—no more product activation keys.

     Unified management: My Cisco Entitlements provides a complete view into all your Cisco products and services in an easy-to-use portal, so you always know what you have and what you are using.

     License flexibility: Your software is not node-locked to your hardware, so you can easily use and transfer licenses as needed.

To use Smart Licensing, you must first set up a Smart Account on Cisco Software Central (software.cisco.com).

For a more detailed overview of Cisco Licensing, go to cisco.com/go/licensingguide.

Read on to learn more about licensing in the context of the Catalyst 9000 family of switches.

License types

Subscription licenses: Software with the right to use for the length of the subscription term. Subscription models generally provide faster access to our latest features and innovations and more predictable cost structures.

Perpetual licenses: Software with the right to use for an indefinite period. Perpetual licenses are typically locked to the device, and additional annual fees are required to maintain support and maintenance.

Add-on licenses: Entitlement allowing for configuration of additional features. In the context of the Catalyst 9000 switches, these are High Security (HSEC) licenses that allow for configuration of WAN-MACsec/IPsec tunnels on the Catalyst 9300X, 9400X Supervisor Engine-2, 9500X-60L4D, and 9600X Supervisor Engine-2 switches. The throughput on the tunnels is not linked to the license but to the capability of the switch in use.

Table 1. License types for the Catalyst 9000 family

| License type | License options | Products | Period |
|---|---|---|---|
| Perpetual | Network-Essentials, Network-Advantage | Entire Catalyst 9000 Family | Mandatory one-time purchase during product order |
| Subscription | Cisco DNA Essentials, Cisco DNA Advantage | Entire Catalyst 9000 Family | Valid for 3/5/7 years. Mandatory during product order. |
| Add-on licenses | HSEC Licenses | C9300X, C9400X-Sup2, C9500X, C9600X-Sup2 | Optional one-time purchase |

History of licensing

Traditionally, our products used Right-to-Use (RTU) licenses. With RTU licensing, customers are granted the right to use software features for a specific period without the need for a separate license key. Our older products like the Catalyst 2000, 3000, 4000, and 6000 Series switches were designed to be used with RTU licenses.

The Catalyst 9000 family of switches, however, was designed to work with Smart Licensing. Therefore, with Cisco IOS® XE Release 16.9.1 and later, all switches belonging to the Catalyst 9000 family use Smart Licensing.

From Release 17.3.2 onward, we introduced Smart Licensing Using Policy, which simplified many components of Smart Licensing and made it much easier to use.

Figure 1. Cisco licensing models

Note that only one licensing model is active on Cisco IOS XE. All images later than IOS XE 17.3.2 will support only Smart Licensing Using Policy and will not support either Smart Licensing or RTU licensing.

The case for Smart Licensing

RTU and Smart Licensing differ in their approach to licensing and license management. RTU licensing provides the right to use specific features on a device for a specific period, while Smart Licensing Using Policy simplifies license management through a centralized control plane, enabling license activation on any device within the network and providing real-time visibility into license usage.

The advantages of centralized visibility and control of licenses across your network can best be illustrated with the simple example below.

Scenario

Consider a case where you have two Catalyst 9300 Series switches on site A. One of the switches uses the Network Advantage license set and the other uses the Network Essentials license set. On a different site B, there is one Catalyst 9300 Series switch running on Network Advantage. Now suppose that you want to stack the two switches in site A together. However, the two switches need to use the same license set before they can be stacked.

Using RTU licenses

With RTU licenses, since the licenses are node-locked, that is, the licenses are locked physically to the devices, the only way to stack two switches in site A would be to physically move the switch from site B to site A to get two switches with matching licenses.

With Smart Licensing Using Policy

With Smart Licensing Using Policy, since we have a centralized repository of licenses, we can simply swap the licenses between the switches on site A and site B. Physically moving the switches is not needed.

Smart Account: The centralized repository

The first step in using Smart Licensing is to set up a Smart Account on Cisco Software Central (software.cisco.com).

This webpage is the Cisco Smart Software Manager (CSSM) and acts as the centralized licensing repository, giving you an overarching view of all the licenses and devices linked to that Smart Account. You can also use the Smart Account when placing orders via Cisco Commerce (CCW) to help ensure that the licenses are automatically deposited to your account when an order is placed. The image below shows an overview of the licensing page.

Figure 2. View of the CSSM page

Within your Smart Account, you can have Virtual Accounts. As an easy way to understand Virtual Accounts, let’s take an example of a university. Within the university, you have different departments, such as the physics department and the chemistry department. Each department might have its own set of devices in use. Using Virtual Accounts allows for easy demarcation of licenses within the Smart Account. In this example, you can have a Physics Virtual Account and a Chemistry Virtual Account nested within the main Smart Account.

There is no limit to the number of Virtual Accounts you can have. You can have as many as you need.

Figure 3. Example of Virtual Accounts

Within a Virtual Account, you will be able to view the licenses as well as the product instances that have communicated with the centralized repository.


Populating and building this centralized repository

There are two repositories we track:

     First are the licenses present under a given Virtual Account. This gives you a view of the licenses purchased as well as how many licenses are currently in use and the balance of licenses that are left (if any).

     Second, we have the product instances. These show the products that have reported to the CSSM and how many licenses and what types of licenses the products are using.

Day 0: Ordering process

When a customer places an order via CCW, the license is deposited to the specified Smart Account and Virtual Account. Both the Smart Account and Virtual Account are mandatory information when placing an order. At the factory, before the product is shipped out, the first reporting is performed, thereby populating the product instances as well as recording license consumption.

Any licensing changes on any product must be reported to the CSSM for the update to be reflected in the database.

Figure 4. Licensing and the ordering process

Day N: Smart Licensing Using Policy

Smart Licensing Using Policy is the licensing method used on all Catalyst 9000 family switches starting with IOS XE Release 17.3.2.

Note: This is the default and only licensing model supported on IOS XE 17.3.2 and later.

In simple terms, the implementation of Smart Licensing Using Policy on Cisco Catalyst 9000 switches involves sending a file called a RUM (Resource Usage Measurement) report to the CSSM to update the device license information on the centralized repository. Optionally, the CSSM generates an Acknowledgment (ACK) for each report uploaded, which can be sent back to the device for confirmation of receipt.

The Catalyst 9000 switches generate these RUM reports under the following conditions. In each of these conditions, the contents of the reports remain the same.

     Periodically using a preset time hard coded on the switches

     Immediately when there is a change in licensing level

     Immediately upon boot

Every RUM report file contains the following information:

     The serial number and Product ID (PID) of the switch that generated the report

     The timestamp when the report was generated

     The configured license state that is currently in use, along with the count of licenses

     A digital signature from the device that generated the report

Example: A stack of three Catalyst 9300 Series switches, each configured with the Network Advantage and Cisco DNA Advantage license set, will generate a report containing:

     Serial numbers and PIDs of all three switches in the stack

     Timestamp taken from the active switch

     Configured license state and count: three Network Advantage and three Cisco DNA Advantage

     Digital signature of the active switch

The decision to send the report to the CSSM is always taken by the switch. Under no circumstances will the CSSM ever initiate the conversation. The switch always initiates the conversation, and the CSSM simply responds with an ACK.

The switch will periodically attempt to communicate with the CSSM and send the latest report.

Smart Licensing Using Policy uses a set of parameters collectively called the policy that define and determine the product behavior with respect to licensing. The policy is used by the product instance (in this case the switch) to determine:

     When to attempt to send the first report and follow-up reports to the CSSM for perpetual licenses

     When to attempt to send the first report and follow-up reports to the CSSM for subscription licenses

     Whether an ACK is needed from the CSSM

     Behavior when the license level is changed

All switches have a default set of values for these parameters, which collectively is called the default policy. The default values on the switch are illustrated in the image below.

Figure 5. Example of a default policy

All of these parameters are locked and cannot be edited or changed using configuration commands on the switch. However, the parameters can be changed using what is called a custom policy. These custom policies, where applicable, are hosted on the CSSM.

Custom policy

Smart Licensing Using Policy is inherently an offline, air-gapped, high-trust licensing model. The default policy parameters have very relaxed timelines regarding licensing reporting and are put in place to ensure that the CSSM entries are relatively up to date.

If, however, there is a business case for setting the parameters to values other than the default policy, you can request a custom policy in which one or more parameters can be changed from the default value.

To request a custom policy, please get in touch with your account team, and state the business case. The business case will be reviewed before a decision is made.

If a custom policy is approved, it shows up in the CSSM. In the CSSM, navigate to Reports -> Reporting Policy. Your custom policies will appear here. You can either view the policy parameters on the CSSM itself or download the policy file, which can be manually copied to the switch for the custom policy to take effect on the switch.


There are two ways for the custom policy to take effect on the switch:

     Send a RUM report from the switch to the CSSM. If the Virtual Account under which the license and product instance is present has a custom policy in place, the ACK from the CSSM will contain a copy of the custom policy that will take effect on the switch once the switch receives the ACK from the CSSM.

     Alternatively, download the custom policy as a file from the CSSM. The file can then be loaded manually to the switch for the custom parameters to take effect. The command to install a policy file downloaded from the CSSM is below.

Device#license smart import flash:ACK_sle

Import Data Successful

A reload of the switch is not needed for custom policies to take effect.

License consumption

For fixed platforms, both the perpetual and subscription licenses are tied to the product instance. However, for modular platforms like the Catalyst 9400 and 9600, the perpetual license is tied to the supervisor engine, whereas the subscription license is tied to the chassis.

Let’s look at an example to understand this concept better.

Stack of six Catalyst 9300 Series switches

The licenses are tied to the individual switches, so each switch in the stack uses one perpetual license and one subscription license. So, in total, to run this stack, we need six perpetual licenses and six subscription licenses.

Quad-supervisor 10-slot Catalyst 9400 StackWise Virtual Link setup: The modular advantage

In a modular setup, the licenses are implemented a little differently. The perpetual license is tied to the supervisor engine, whereas the subscription license is tied to the chassis. In this scenario, we have a total of four supervisor engines but only two chassis. So, we need a total of four perpetual licenses and only two subscription licenses. Hence, by using the modular switch offerings, not only are you getting best-in-class redundancy and high availability features, but you are also reducing the recurring cost, since you need to renew fewer subscription licenses.

The following figure shows the licensing consumption for devices in the Catalyst 9000 family of switches.

Figure 6. Licensing consumption for fixed and modular platforms

Reporting methods

Depending on the requirements posed by the network, the switch supports the following reporting methods.

Many of the methods use a new tool called Cisco Smart License Utility (SLU), which can either be installed on a computer (supports Windows and Linux operating systems) or hosted in existing on-premises solutions like SSM On-Prem or Cisco Catalyst Center.

     Direct online reporting

     Cisco SLU offline and online reporting

     Cisco SLU on SSM On-Prem offline and online reporting

     Cisco SLU on Catalyst Center offline and online reporting

     Manual offline reporting using IOS XE commands

     Custom application reporting using API calls

TIP: You need to choose just one reporting method, depending on your requirements.

Choosing the reporting method depends on the total number of devices you are looking to manage.

Figure 7. Factors in choosing a reporting method

The Cisco SLU supports air-gapped networks by providing an offline reporting option in addition to the online reporting option for each of the reporting options.

For high device scales and devices spread across different Virtual Accounts, the Cisco SLU on SSM On-Prem is the best available option.

Online reporting: Direct connectivity to the CSSM

If the device has direct connectivity to the outside internet and is able to communicate with the CSSM directly, you can use smart transport to have the switch send its licensing information directly to the CSSM. The following commands help set up online reporting using smart transport:

Switch(config)#license smart url smart https://smartreceiver.cisco.com/licservice/license
Switch(config)#license smart transport smart

The first command points the switch to the URL for the CSSM (the switch must have access to a DNS server that can resolve the hostname in this URL), and the second sets the transport method to smart.

For the communication to occur, however, there must be a trust code installed on the system in question. All devices when shipped have a trust code installed by Cisco Manufacturing. If absent, you can install a trust code using the commands below.

On the CSSM under Inventory, you will see an option to generate a new token. (You create a token under the Virtual Account. Confirm that you are in the correct Virtual Account before generating a token.)


Fill in the required information.


Copy the generated token ID. On the switch, you can install this token using the command below.

Switch#license smart trust idtoken <token-ID> {all | local}

Generating the token is a one-time requirement. While the trust code is installed on the device, you will not be required to perform this step again. With the trust code installed, the device will be able to communicate directly with the CSSM. The “show license status” command on the switch can be used to keep track of the state of the token ID.

Switch#show license status
Transport:
  Type: smart

Usage Reporting:
  Next report push: Aug 04 19:02:17 2023 UTC
  Last report push: Jul 05 19:02:17 2023 UTC

Trust Code Installed: Jul 05 19:01:43 2023 UTC

Smart transport was introduced with IOS XE Release 17.3.2. Smart transport will eventually replace the call home method used prior to IOS XE 17.3.2. If you have devices that are using call home, you are encouraged to migrate them to smart transport. The configuration is simpler and easier to read compared to call home.
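An added example, not taken from Cisco's documentation: a parser for the "show license status" fields shown above that flags a switch on smart transport with no trust code, or one whose next report push is already in the past. The sample outputs are constructed from the listing above, and the "<none>" value and the rule that any non-timestamp means "not installed" are assumptions of this sketch.

```python
import re
from datetime import datetime, timezone

TS_FORMAT = "%b %d %H:%M:%S %Y UTC"  # timestamp layout used in the listing above
FIELD_RE = re.compile(
    r"\s*(Type|Next report push|Last report push|Trust Code Installed):\s*(.*)$")

# Constructed sample, copied from the fields shown in this document.
SAMPLE_STATUS = """\
Transport:
  Type: smart

Usage Reporting:
  Next report push: Aug 04 19:02:17 2023 UTC
  Last report push: Jul 05 19:02:17 2023 UTC

Trust Code Installed: Jul 05 19:01:43 2023 UTC
"""
# Constructed variant: the same output with no trust code timestamp.
NO_TRUST_STATUS = SAMPLE_STATUS.replace("Jul 05 19:01:43 2023 UTC", "<none>")


def _parse_ts(value):
    """Return an aware UTC datetime, or None if the value is not a timestamp."""
    try:
        parsed = datetime.strptime(value.strip(), TS_FORMAT)
    except ValueError:
        return None
    return parsed.replace(tzinfo=timezone.utc)


def parse_license_status(output):
    """Read only the fields this document shows; other sections are ignored."""
    fields = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m:
            # Keep the first occurrence of each field name.
            fields.setdefault(m.group(1), m.group(2).strip())
    return {
        "transport": fields.get("Type"),
        "next_push": _parse_ts(fields.get("Next report push", "")),
        "last_push": _parse_ts(fields.get("Last report push", "")),
        "trust_code": _parse_ts(fields.get("Trust Code Installed", "")),
    }


def check_status(output, now):
    """Return a list of problems found in one switch's status output."""
    status = parse_license_status(output)
    problems = []
    if status["transport"] == "smart" and status["trust_code"] is None:
        problems.append("no trust code installed for smart transport")
    if status["next_push"] is not None and status["next_push"] < now:
        problems.append("next report push is in the past; reporting is overdue")
    return problems


if __name__ == "__main__":
    when = datetime(2023, 9, 1, tzinfo=timezone.utc)
    print(check_status(SAMPLE_STATUS, when))
    print(check_status(NO_TRUST_STATUS, when))
```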

Offline reporting: Turn off license usage reporting

The switch will periodically try to send its usage data to the CSSM using the configured reporting option.

Important: If you want to stop the switch from sending or receiving any Smart Licensing related data, you have the option to turn off all Smart Licensing related communications using the command “license smart transport off” in configuration mode:

Switch(config)#license smart transport off

Note: This will stop the switch from sending the reports; however, the reports themselves will still be generated periodically in the switch flash. If you need to report the device usage to the CSSM, you will have to use the air-gapped method by manually copying the report and uploading it to the CSSM. You can generate the latest, unreported RUM reports and save them to a file manually using the command below.

Switch#license smart save usage unreported file bootflash:<file-name>

 

You can then copy the generated file from the switch and upload it to the CSSM.


The CSSM ACK, once generated, can then be copied back to the switch and installed using the command below.

Switch#license smart import bootflash:<file-name>

Import Data Successful

Switch#

Nov 11 20:23:06.783: %SMART_LIC-6-POLICY_INSTALL_SUCCESS: A new licensing policy was successfully installed

Switch#

Cisco SLU reporting

The Cisco SLU provides a method for collecting and sending reports and acknowledgements between the CSSM and the switch. By using the Login to Cisco option on the SLU, you can use the SLU to interface between the switch and the CSSM (called online mode).

Alternatively, you can disable the SLU to prevent it from trying to reach the CSSM and work in offline mode. In offline mode, you will be able to automate the collection of reports from multiple devices, which can be combined into a single file to be uploaded to the CSSM manually. This helps address the common pain point of offline reporting where you must collect reports manually from every device and upload each file individually to the CSSM.


There are two modes of operation, PUSH and PULL. The difference between the two modes is determined by which side initiates the conversation.

     PUSH mode: The switch “pushes” the report to the Cisco SLU.

     PULL mode: The SLU “pulls” the report from the switch.

Note: This applies only to communications between the SLU and the switch. Communications between the SLU and the CSSM will always be initiated by the SLU.

The CSSM, as stated before, will never initiate a conversation.

To use the SLU, the first step is to set the transport method to CSLU.

Switch(config)#license smart transport cslu

Conversations between the SLU and the device occur over API calls, and hence you must have YANG enabled on the device:

Switch(config)#netconf-yang

Switch(config)#netconf ssh

Once you have set the transport method to CSLU, the configuration steps differ depending on whether you intend to use the PULL or PUSH method.

PUSH mode

In PUSH mode, the switch initiates the conversation, and hence the switch must have knowledge of how to reach the SLU. You have two options here:

     Explicitly state the IP address of the computer where the Cisco SLU is installed:

switch(config)#license smart url cslu http://<IP_of_CSLU>:8182/cslu/v1/pi

     Alternatively, the switch can reach a DNS server that can translate calls to “cslu-local” to the correct IP address.

PULL mode

In PULL mode, the SLU initiates the conversation, and thus the SLU must have details about the switch. You can either enter the details for each device individually on the SLU or use an Excel file as input to have the SLU communicate with devices at scale.


Click the Add Single Product button on the Cisco SLU main page. The Product Instance Login Credentials allow you to specify the login username and password for the device. For bulk operations, you can provide an Excel file to the SLU. You can upload the Excel file or a template file to add details under the Product Instances -> Upload Product Instances option.


If you are using the SLU in offline mode, where you are not connected to the CSSM, the consolidated file can be downloaded from the tool under Product Instances -> Download All for Cisco.
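An added example, not taken from Cisco's documentation: an audit that checks saved running-config text against the reporting method each switch is meant to use, relying only on the commands shown in the reporting sections above. The device names, the method labels (direct, slu, airgap), the sample configs and the approved SLU host list are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Method labels are chosen for this example; the transport keywords
# (smart, cslu, off) and the CSSM URL are the ones shown in this document.
EXPECTED_TRANSPORT = {"direct": "smart", "slu": "cslu", "airgap": "off"}
CSSM_URL = "https://smartreceiver.cisco.com/licservice/license"

# Constructed sample configs: device name -> (intended method, config text).
SAMPLE_CONFIGS = {
    "edge-sw1": ("direct", """\
license smart url smart https://smartreceiver.cisco.com/licservice/license
license smart transport smart
"""),
    "lab-sw2": ("airgap", """\
license smart url smart https://smartreceiver.cisco.com/licservice/license
license smart transport smart
"""),
    "core-sw3": ("slu", """\
license smart transport cslu
license smart url cslu http://192.0.2.50:8182/cslu/v1/pi
"""),
}


def parse_licensing_config(config_text):
    """Pull the licensing-related lines out of saved running-config text."""
    state = {"transport": None, "urls": {}, "netconf_yang": False}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"license smart transport (\S+)", line)
        if m:
            state["transport"] = m.group(1)
        m = re.fullmatch(r"license smart url (smart|cslu) (\S+)", line)
        if m:
            state["urls"][m.group(1)] = m.group(2)
        if line == "netconf-yang":
            state["netconf_yang"] = True
    return state


def audit(config_text, intended, approved_slu_hosts=()):
    """Return a list of findings; an empty list means config matches intent."""
    state = parse_licensing_config(config_text)
    expected = EXPECTED_TRANSPORT[intended]
    findings = []
    if state["transport"] is None:
        findings.append("no 'license smart transport' line found; "
                        "transport cannot be confirmed")
    elif state["transport"] != expected:
        findings.append(
            f"transport is '{state['transport']}', expected '{expected}'")
    if intended == "direct" and state["urls"].get("smart") != CSSM_URL:
        findings.append("smart URL does not match the CSSM receiver URL")
    if intended == "slu":
        # The SLU talks to the switch over API calls, so YANG must be enabled.
        if not state["netconf_yang"]:
            findings.append("netconf-yang is not enabled")
        # PUSH mode only: the switch should report to a sanctioned SLU host.
        push_url = state["urls"].get("cslu")
        if push_url is not None:
            host = urlparse(push_url).hostname
            if host not in approved_slu_hosts:
                findings.append(
                    f"PUSH target '{host}' is not an approved SLU host")
    return findings


def audit_all(configs, approved_slu_hosts):
    """Audit every device in a {name: (intended, config_text)} mapping."""
    return {name: audit(text, intended, approved_slu_hosts)
            for name, (intended, text) in configs.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_CONFIGS, {"192.0.2.10"}).items():
        print(name, "OK" if not findings else findings)
```

A switch meant to be air-gapped that still carries "license smart transport smart" (lab-sw2 in the sample) is the case this catches before the device attempts to reach the CSSM.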


Cisco SLU on SSM On-Prem

If you are working with devices across different Virtual Accounts or have a very high number of devices to manage across geographical locations, Cisco SLU on SSM On-Prem can be a viable option. Here the On-Prem image can be downloaded and hosted on a virtual machine. The SSM On-Prem acts, for all intents and purposes, as a locally hosted CSSM. The Cisco SLU runs as a tool on top of SSM On-Prem, allowing you to use both PUSH as well as PULL modes of operation.

You would create tenants on the SSM On-Prem machine, and each tenant will be associated with a different Virtual Account on the CSSM. Periodically, the SSM On-Prem and CSSM will sync with each other, and the license counts and availability across the Virtual Accounts with corresponding tenants configured will be updated to the CSSM.

You can use the appropriate transport option and the URL can be chosen from the On-Prem GUI under the Local Virtual Account view.


High Security (HSEC) licensing

Cisco Catalyst switches that use secure transport encryption technologies (WAN MACsec or IPsec) require an additional license called the HSEC license. These HSEC licenses are needed to comply with local laws and regulations regarding use of these devices to send encrypted traffic across the WAN border.

At the time this document was written, the Catalyst 9300X, 9400X Supervisor Engine-2, 9500X, and 9600X Supervisor Engine-2 switches support either IPsec or WAN-MACsec technologies.

Enabling either of the above features will not be allowed unless the HSEC license is installed on the switch. HSEC licenses are installed using a feature called the Smart License Authorization Code (SLAC). This process is a one-time installation process, and once reported there is no requirement for periodic reporting. Use the following command to install it:

Device# license smart authorization request add hseck9 local

Ordering information

To place an order, visit the Cisco Ordering homepage at https://www.cisco.com/en/US/ordering/or13/or8/order_customer_help_how_to_order_listing.html.

Platform-specific data sheets are linked below. Each document contains a section on ordering information that also includes the licensing PIDs for ordering. Please refer to this section for details.

Catalyst 9200 Series: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9200-series-switches/nb-06-cat9200-ser-data-sheet-cte-en.html

Catalyst 9300 Series: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9300-series-switches/nb-06-cat9300-ser-data-sheet-cte-en.html

Catalyst 9400 Series: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9400-series-switches/nb-06-cat9400-ser-data-sheet-cte-en.html

Catalyst 9500 Series: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9500-series-switches/nb-06-cat9500-ser-data-sheet-cte-en.html

Catalyst 9600 Series: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9600-series-switches/nb-06-cat9600-series-data-sheet-cte-en.html

Conclusion

In conclusion, Smart Licensing Using Policy offers a transformative approach to licensing that emphasizes simplicity and a hands-off approach for license management. It retains the best aspects of both Smart Licensing and right-to-use licensing to provide a simple, robust, and high-trust licensing model to help manage licenses across the network without getting in the way of day-to-day operations.

References

Use the following links for more information on Smart Licensing Using Policy.

Cisco Licensing portal: https://www.cisco.com/c/en/us/buy/licensing.html

CSSM login: https://software.cisco.com/software/csws/ws/platform/home?locale=en_US#

Introduction to Smart Licensing Using Policy: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9300-series-switches/216545-smart-licensing-using-policy-on-catalyst.html
