This document explains the concept of Smart Licensing and its application in the context of the Cisco Catalyst™ 9000 family of switches. Smart Licensing is a licensing model developed by Cisco to simplify license management for its customers, allowing them to easily purchase, activate, and manage software licenses across their entire network. The Catalyst 9000 family is one of the key products that support Smart Licensing, offering customers enhanced visibility and control over their license usage and entitlements. With Smart Licensing Using Policy on the Catalyst 9000 family of switches, organizations can manage licenses efficiently, optimize license utilization, maintain compliance, and minimize the risk of licensing violations. This document provides an overview of Smart Licensing Using Policy and its benefits.
Cisco Smart Licensing is a flexible licensing model that provides you with an easier, faster, and more consistent way to purchase and manage software across the Cisco® portfolio and across your organization. And it’s secure—you control what users can access. With Smart Licensing you get:
● Easy activation: Smart Licensing establishes a pool of software licenses that can be used across the entire organization—no more product activation keys.
● Unified management: My Cisco Entitlements provides a complete view into all your Cisco products and services in an easy-to-use portal, so you always know what you have and what you are using.
● License flexibility: Your software is not node-locked to your hardware, so you can easily use and transfer licenses as needed.
To use Smart Licensing, you must first set up a Smart Account on Cisco Software Central (software.cisco.com).
For a more detailed overview of Cisco Licensing, go to cisco.com/go/licensingguide.
Read on to learn more about licensing in the context of the Catalyst 9000 family of switches.
Subscription licenses: Software with the right to use for the length of the subscription term. Subscription models generally provide faster access to our latest features and innovations and more predictable cost structures.
Perpetual licenses: Software with the right to use for an indefinite period. Perpetual licenses are typically locked to the device, and additional annual fees are required to maintain support and maintenance.
Add-on licenses: Entitlement allowing for configuration of additional features. In the context of the Catalyst 9000 switches, these are High Security (HSEC) licenses that allow for configuration of WAN-MACsec/IPsec tunnels on the Catalyst 9300X, 9400X Supervisor Engine-2, 9500X-60L4D, and 9600X Supervisor Engine-2 switches. The throughput on the tunnels is not linked to the license but to the capability of the switch in use.
Table 1. License types for the Catalyst 9000 family
| License type | License options | Products | Period |
| --- | --- | --- | --- |
| Perpetual | Network-Essentials, Network-Advantage | Entire Catalyst 9000 Family | Mandatory one-time purchase during product order |
| Subscription | Cisco DNA Essentials, Cisco DNA Advantage | Entire Catalyst 9000 Family | Valid for 3/5/7 years. Mandatory during product order. |
| Add-on licenses | HSEC Licenses | C9300X, C9400X-Sup2, C9500X, C9600X-Sup2 | Optional one-time purchase |
Traditionally, our products used Right-to-Use (RTU) licenses. With RTU licensing, customers are granted the right to use software features for a specific period without the need for a separate license key. Our older products like the Catalyst 2000, 3000, 4000, and 6000 Series switches were designed to be used with RTU licenses.
The Catalyst 9000 family of switches, however, was designed to work with Smart Licensing. Therefore, with Cisco IOS® XE Release 16.9.1 and later, all switches belonging to the Catalyst 9000 family use Smart Licensing.
With Release 17.3.2 onward, we introduced Smart Licensing Using Policy, which simplified many components of Smart Licensing and made it easier to use.
Cisco licensing models
Note that only one licensing model is active on Cisco IOS XE. All images later than IOS XE 17.3.2 will support only Smart Licensing Using Policy and will not support either Smart Licensing or RTU licensing.
RTU and Smart Licensing differ in their approach to licensing and license management. RTU licensing provides the right to use specific features on a device for a specific period, while Smart Licensing Using Policy simplifies license management through a centralized control plane, enabling license activation on any device within the network and providing real-time visibility into license usage.
The advantages of centralized visibility and control of licenses across your network can best be illustrated with the simple example below.
Scenario
Consider a case where you have two Catalyst 9300 Series switches on site A. One of the switches uses the Network Advantage license set and the other uses the Network Essentials license set. On a different site B, there is one Catalyst 9300 Series switch running on Network Advantage. Now suppose that you want to stack the two switches in site A together. However, the two switches need to use the same license set before they can be stacked.
Using RTU licenses
With RTU licenses, since the licenses are node-locked, that is, the licenses are locked physically to the devices, the only way to stack two switches in site A would be to physically move the switch from site B to site A to get two switches with matching licenses.
With Smart Licensing Using Policy
With Smart Licensing Using Policy, since we have a centralized repository of licenses, we can simply swap the licenses between the switches on site A and site B. Physically moving the switches is not needed.
Smart Account: The centralized repository
The first step in using Smart Licensing is to set up a Smart Account on Cisco Software Central (software.cisco.com).
This webpage is the Cisco Smart Software Manager (CSSM) and acts as the centralized licensing repository, giving you an overarching view of all the licenses and devices linked to that Smart Account. You can also use the Smart Account when placing orders via Cisco Commerce (CCW) to help ensure that the licenses are automatically deposited to your account when an order is placed. The image below shows an overview of the licensing page.
View of the CSSM page
Within your Smart Account, you can have Virtual Accounts. As an easy way to understand Virtual Accounts, let’s take an example of a university. Within the university, you have different departments, such as the physics department and the chemistry department. Each department might have its own set of devices in use. Using Virtual Accounts allows for easy demarcation of licenses within the Smart Account. In this example, you can have a Physics Virtual Account and a Chemistry Virtual Account nested within the main Smart Account.
There is no limit to the number of Virtual Accounts you can have. You can have as many as you need.
Example of Virtual Accounts
Within a Virtual Account, you will be able to view the licenses as well as the product instances that have communicated with the centralized repository.
Populating and building this centralized repository
There are two repositories we track:
● First are the licenses present under a given Virtual Account. This gives you a view of the licenses purchased as well as how many licenses are currently in use and the balance of licenses that are left (if any).
● Second, we have the product instances. These show the products that have reported to the CSSM and how many licenses and what types of licenses the products are using.
When a customer places an order via CCW, the license is deposited to the specified Smart Account and Virtual Account. Both the Smart Account and Virtual Account are mandatory information when placing an order. At the factory, before the product is shipped out, the first reporting is performed, thereby populating the product instances as well as recording license consumption.
Any licensing changes on any product must be reported to the CSSM for the update to be reflected in the database.
Licensing and the ordering process
Day N: Smart Licensing Using Policy
Smart Licensing Using Policy is the licensing method used on all Catalyst 9000 family switches starting with IOS XE Release 17.3.2.
Note: This is the default and only licensing model supported on IOS XE 17.3.2 and later.
In simple terms, the implementation of Smart Licensing Using Policy on Cisco Catalyst 9000 switches involves sending a file called a RUM (Resource Usage Measurement) report to the CSSM to update the device license information on the centralized repository. Optionally, the CSSM generates an Acknowledgment (ACK) for each report uploaded, which can be sent back to the device for confirmation of receipt.
The Catalyst 9000 switches generate these RUM reports under the following conditions. In each of these conditions, the contents of the reports remain the same.
● Periodically using a preset time hard coded on the switches
● Immediately when there is a change in licensing level
● Immediately upon boot
Every RUM report file contains the following information:
● The serial number and Product ID (PID) of the switch that generated the report
● The timestamp when the report was generated
● The configured license state that is currently in use, along with the count of licenses
● A digital signature from the device that generated the report
Example: A stack of three Catalyst 9300 Series switches, each configured with the Network Advantage and Cisco DNA Advantage license set, will generate a report containing:
● Serial numbers and PIDs of all three switches in the stack
● Timestamp taken from the active switch
● Configured license state and count: three Network Advantage and three Cisco DNA Advantage
● Digital signature of the active switch
The decision to send the report to the CSSM is always taken by the switch. Under no circumstances will the CSSM ever initiate the conversation. The switch always initiates the conversation, and the CSSM simply responds with an ACK.
The switch will periodically attempt to communicate with the CSSM and send the latest report.
Smart Licensing Using Policy uses a set of parameters collectively called the policy that define and determine the product behavior with respect to licensing. The policy is used by the product instance (in this case the switch) to determine:
● When to attempt to send the first report and follow-up reports to the CSSM for perpetual licenses
● When to attempt to send the first report and follow-up reports to the CSSM for subscription licenses
● Whether an ACK is needed from the CSSM
● Behavior when the license level is changed
All switches have a default set of values for these parameters, which collectively is called the default policy. The default values on the switch are illustrated in the image below.
Example of a default policy
All of these parameters are locked and cannot be edited or changed using configuration commands on the switch. However, the parameters can be changed using what is called a custom policy. These custom policies, where applicable, are hosted on the CSSM.
Custom policy
Smart Licensing Using Policy is inherently an offline, air-gapped, high-trust licensing model. The default policy parameters have very relaxed timelines regarding licensing reporting and are put in place to ensure that the CSSM entries are relatively up to date.
If, however, there is a business case for setting the parameters to values other than the default policy, you can request a custom policy in which one or more parameters can be changed from the default value.
To request a custom policy, please get in touch with your account team, and state the business case. The business case will be reviewed before a decision is made.
If a custom policy is approved, it shows up in the CSSM. In the CSSM, navigate to Reports -> Reporting Policy. Your custom policies will appear here. You can either view the policy parameters on the CSSM itself or download the policy file, which can be manually copied to the switch for the custom policy to take effect on the switch.
There are two ways for the custom policy to take effect on the switch:
● Send a RUM report from the switch to the CSSM. If the Virtual Account under which the license and product instance is present has a custom policy in place, the ACK from the CSSM will contain a copy of the custom policy that will take effect on the switch once the switch receives the ACK from the CSSM.
● Alternatively, download the custom policy as a file from the CSSM. The file can then be loaded manually to the switch for the custom parameters to take effect. The command to install a policy file downloaded from the CSSM is below.
Device#license smart import flash:ACK_sle
Import Data Successful
A reload of the switch is not needed for custom policies to take effect.
License consumption
For fixed platforms, both the perpetual and subscription licenses are tied to the product instance. However, for modular platforms like the Catalyst 9400 and 9600, the perpetual license is tied to the supervisor engine, whereas the subscription license is tied to the chassis.
Let’s look at an example to understand this concept better.
Stack of six Catalyst 9300 Series switches
The licenses are tied to the individual switches, so each switch in the stack uses one perpetual license and one subscription license. So, in total, to run this stack, we need six perpetual licenses and six subscription licenses.
Quad-supervisor 10-slot Catalyst 9400 StackWise Virtual Link setup: The modular advantage
In a modular setup, the licenses are implemented a little differently. The perpetual license is tied to the supervisor engine, whereas the subscription license is tied to the chassis. In this scenario, we have a total of four supervisor engines but only two chassis. So, we need a total of four perpetual licenses and only two subscription licenses. Hence, by using the modular switch offerings, not only are you getting best-in-class redundancy and high availability features, but you are also reducing the recurring cost, since you need to renew fewer subscription licenses.
The following figure shows the licensing consumption for devices in the Catalyst 9000 family of switches.
Licensing consumption for fixed and modular platforms
Depending on the requirements posed by the network, the switch supports the following reporting methods.
Many of the methods use a new tool called Cisco Smart License Utility (SLU), which can either be installed on a computer (supports Windows and Linux operating systems) or hosted in existing on-premises solutions like SSM On-Prem or Cisco Catalyst Center.
● Direct online reporting
● Cisco SLU offline and online reporting
● Cisco SLU on SSM On-Prem offline and online reporting
● Cisco SLU on Catalyst Center offline and online reporting
● Manual offline reporting using IOS XE commands
● Custom application reporting using API calls
TIP: You need to choose just one reporting method, depending on your requirements.
Choosing the reporting method depends on the total number of devices you are looking to manage.
Factors in choosing a reporting method
The Cisco SLU supports air-gapped networks: each SLU-based reporting method offers an offline reporting option in addition to the online reporting option.
For high device scales and devices spread across different Virtual Accounts, the Cisco SLU on SSM On-Prem is the best available option.
Online reporting: Direct connectivity to the CSSM
If the device has direct connectivity to the outside internet and is able to communicate with the CSSM directly, you can use smart transport to have the switch send its licensing information directly to the CSSM. The following commands help set up online reporting using smart transport:
Switch(config)#license smart url smart https://smartreceiver.cisco.com/licservice/license
Switch(config)#license smart transport smart
The first command points to the URL for the CSSM (the switch must have access to a DNS server that can translate this URL), and the second sets the transport method to smart.
For the communication to occur, however, there must be a trust code installed on the system in question. All devices when shipped have a trust code installed by Cisco Manufacturing. If absent, you can install a trust code using the commands below.
On the CSSM under Inventory, you will see an option to generate a new token. (You create a token under the Virtual Account. Confirm that you are in the correct Virtual Account before generating a token.)
Fill in the required information.
Copy the generated token ID. On the switch, you can install this token using the command below.
Switch#license smart trust idtoken <token-ID> {all | local}
Generating the token is a one-time requirement. While the trust code is installed on the device, you will not be required to perform this step again. With the trust code installed, the device will be able to communicate directly with the CSSM. The “show license status” command on the switch can be used to keep track of the state of the token ID.
Switch#show license status
Transport:
Type: smart
Usage Reporting:
Next report push: Aug 04 19:02:17 2023 UTC
Last report push: Jul 05 19:02:17 2023 UTC
Trust Code Installed: Jul 05 19:01:43 2023 UTC
Smart transport was introduced with IOS XE Release 17.3.2. Smart transport will eventually replace the call home method used prior to IOS XE 17.3.2. If you have devices that are using call home, you are encouraged to migrate them to smart transport. The configuration is simpler and easier to read compared to call home.
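A fleet check built on the “show license status” fields above, as an added example that is not part of the original Cisco document: it parses the output and flags a transport that differs from the intended one, a missing trust code on a smart-transport device, and an overdue report push. The function names, the per-device expected transport, and the second sample are assumptions made for illustration.

```python
"""Audit `show license status` text against the transport a device should use."""
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the excerpt shown above.
SAMPLE_ONLINE = """\
Transport:
  Type: smart
Usage Reporting:
  Next report push: Aug 04 19:02:17 2023 UTC
  Last report push: Jul 05 19:02:17 2023 UTC
Trust Code Installed: Jul 05 19:01:43 2023 UTC
"""

# Constructed sample: no trust code. The "<none>" text is an assumption; any
# value that does not parse as a timestamp is treated as "not installed".
SAMPLE_STALE = """\
Transport:
  Type: smart
Usage Reporting:
  Next report push: Aug 04 19:02:17 2023 UTC
  Last report push: <none>
Trust Code Installed: <none>
"""

LINE = re.compile(r"^\s*([^:]+?):\s*(.*)$")
FIELDS = {
    "next report push": "next_push",
    "last report push": "last_push",
    "trust code installed": "trust_code_installed",
}


def _timestamp(value):
    """Parse 'Aug 04 19:02:17 2023 UTC'; return None for anything else."""
    try:
        parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y UTC")
    except ValueError:
        return None
    return parsed.replace(tzinfo=timezone.utc)


def parse_license_status(text):
    """Extract transport type and the three timestamps from the CLI output."""
    status = {"transport": None, "next_push": None,
              "last_push": None, "trust_code_installed": None}
    section = ""
    for line in text.splitlines():
        match = LINE.match(line)
        if not match:
            continue
        key, value = match.group(1).strip().lower(), match.group(2).strip()
        if not value:                      # "Transport:" style section header
            section = key
        elif key == "type" and section == "transport":
            status["transport"] = value
        elif key in FIELDS:
            status[FIELDS[key]] = _timestamp(value)
    return status


def audit(text, expected_transport, now):
    """Return a list of findings; expected_transport is smart, cslu or off."""
    status = parse_license_status(text)
    findings = []
    actual = status["transport"]
    if actual is None:
        findings.append("transport type not found in output")
    elif expected_transport not in actual.lower().split():
        findings.append(f"transport is {actual!r}, expected {expected_transport!r}")
    # The page ties the trust code to direct communication with the CSSM.
    if expected_transport == "smart" and status["trust_code_installed"] is None:
        findings.append("no trust code installed for smart transport")
    # A push date in the past means the switch has not reported on schedule.
    if expected_transport != "off" and status["next_push"] and status["next_push"] < now:
        findings.append("next report push is overdue")
    return findings
```

Passing `off` as the expected transport for a device that should stay air-gapped turns any configured reporting transport into a finding.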
Offline reporting: Turn off license usage reporting
The switch will periodically try to send its usage data to the CSSM using the configured reporting option.
Important: If you want to stop the switch from sending or receiving any Smart Licensing related data, you can turn off all Smart Licensing related communications using the command “license smart transport off” in global configuration mode:
Switch(config)#license smart transport off
Note: This will stop the switch from sending the reports; however, the reports themselves will still be generated periodically in the switch flash. If you need to report the device usage to the CSSM, you will have to use the air-gapped method by manually copying the report and uploading it to the CSSM. You can generate the latest, unreported RUM reports and save them to a file manually using the command below.
Switch#license smart save usage unreported file bootflash:<file-name>
You can then copy the generated file from the switch and upload it to the CSSM.
The CSSM ACK, once generated, can then be copied back to the switch and installed using the command below.
Switch#license smart import bootflash:<file-name>
Import Data Successful
Switch#
Nov 11 20:23:06.783: %SMART_LIC-6-POLICY_INSTALL_SUCCESS: A new licensing policy was successfully installed
Switch#
The Cisco SLU provides a method for collecting and sending reports and acknowledgements between the CSSM and the switch. By using the Login to Cisco option on the SLU, you can use the SLU to interface between the switch and the CSSM (called online mode).
Alternatively, you can disable the SLU to prevent it from trying to reach the CSSM and work in offline mode. In offline mode, you will be able to automate the collection of reports from multiple devices, which can be combined into a single file to be uploaded to the CSSM manually. This helps address the common pain point of offline reporting where you must collect reports manually from every device and upload each file individually to the CSSM.
There are two modes of operation, PUSH and PULL. The difference between the two modes is determined by which side initiates the conversation.
● PUSH mode: The switch “pushes” the report to the Cisco SLU.
● PULL mode: The SLU “pulls” the report from the switch.
Note: This applies only to communications between the SLU and the switch. Communications between the SLU and the CSSM will always be initiated by the SLU.
The CSSM, as stated before, will never initiate a conversation.
To use the SLU, the first step is to set the transport method to CSLU.
Switch(config)#license smart transport cslu
Conversations between the SLU and the device occur over API calls, and hence you must have YANG enabled on the device:
Switch(config)#netconf-yang
Switch(config)#netconf ssh
Once you have set the transport method to CSLU, the configuration steps differ depending on whether you intend to use the PULL or PUSH method.
PUSH mode
In PUSH mode, the switch initiates the conversation, and hence the switch must have knowledge of how to reach the SLU. You have two options here:
● Explicitly state the IP address of the computer where the Cisco SLU is installed:
switch(config)#license smart url cslu http://<IP_of_CSLU>:8182/cslu/v1/pi
● Alternatively, the switch can reach a DNS server that can translate calls to “cslu-local” to the correct IP address.
PULL mode
In PULL mode, the SLU initiates the conversation, and thus the SLU must have details about the switch. You can either enter the details for each device individually on the SLU or use an Excel file as input to have the SLU communicate with devices at scale.
Click the Add Single Product button on the Cisco SLU main page. The Product Instance Login Credentials allow you to specify the login username and password for the device. For bulk operations, you can provide an Excel file to the switch. You can upload the Excel file or a template file to add details under the Product Instances -> Upload Product Instances option.
If you are using the SLU in offline mode, where you are not connected to the CSSM, the consolidated file can be downloaded from the tool under Product Instances -> Download All for Cisco.
If you are working with devices across different Virtual Accounts or have a very high number of devices to manage across geographical locations, Cisco SLU on SSM On-Prem can be a viable option. Here the On-Prem image can be downloaded and hosted on a virtual machine. The SSM On-Prem acts, for all intents and purposes, as a locally hosted CSSM. The Cisco SLU runs as a tool on top of SSM On-Prem, allowing you to use both PUSH as well as PULL modes of operation.
You would create tenants on the SSM On-Prem machine, and each tenant will be associated with a different Virtual Account on the CSSM. Periodically, the SSM On-Prem and CSSM will sync with each other, and the license counts and availability across the Virtual Accounts with corresponding tenants configured will be updated to the CSSM.
You can use the appropriate transport option and the URL can be chosen from the On-Prem GUI under the Local Virtual Account view.
High Security (HSEC) licensing
Cisco Catalyst switches that use secure transport encryption technologies (WAN MACsec or IPsec) require an additional license called the HSEC license. These HSEC licenses are needed to comply with local laws and regulations regarding use of these devices to send encrypted traffic across the WAN border.
At the time this document was written, the Catalyst 9300X, 9400X Supervisor Engine-2, 9500X, and 9600X Supervisor Engine-2 switches support either IPsec or WAN-MACsec technologies.
Enabling either of the above features will not be allowed unless the HSEC license is installed on the switch. HSEC licenses are installed using a feature called the Smart License Authorization Code (SLAC). This process is a one-time installation process, and once reported there is no requirement for periodic reporting. Use the following command to install it:
Device# license smart authorization request add hseck9 local
To place an order, visit the Cisco Ordering homepage at https://www.cisco.com/en/US/ordering/or13/or8/order_customer_help_how_to_order_listing.html.
Platform-specific data sheets are linked below. Each document contains a section on ordering information that also includes the licensing PIDs for ordering. Please refer to this section for details.
Catalyst 9200 Series: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9200-series-switches/nb-06-cat9200-ser-data-sheet-cte-en.html
Catalyst 9300 Series: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9300-series-switches/nb-06-cat9300-ser-data-sheet-cte-en.html
Catalyst 9400 Series: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9400-series-switches/nb-06-cat9400-ser-data-sheet-cte-en.html
Catalyst 9500 Series: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9500-series-switches/nb-06-cat9500-ser-data-sheet-cte-en.html
Catalyst 9600 Series: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9600-series-switches/nb-06-cat9600-series-data-sheet-cte-en.html
In conclusion, Smart Licensing Using Policy offers a transformative approach to licensing that emphasizes simplicity and a hands-off approach for license management. It retains the best aspects of both Smart Licensing and right-to-use licensing to provide a simple, robust, and high-trust licensing model to help manage licenses across the network without getting in the way of day-to-day operations.
Use the following links for more information on Smart Licensing Using Policy.
Cisco Licensing portal: https://www.cisco.com/c/en/us/buy/licensing.html
CSSM login: https://software.cisco.com/software/csws/ws/platform/home?locale=en_US#
Introduction to Smart Licensing Using Policy: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9300-series-switches/216545-smart-licensing-using-policy-on-catalyst.html