Licenses and Licensing Models

This chapter provides information about the licenses that are available on Cisco Catalyst 8000 Edge Platforms Family, supported throughput options, and how to configure the available licenses and throughput. It also outlines the licensing models available on Cisco Catalyst 8000 Edge Platforms Family.


Note


The information in this chapter applies predominantly to a device operating in the autonomous mode. References to the controller mode are included in certain sections for the sake of comparison and completeness. Where the information applies to controller mode, this has been called-out categorically.


For a more detailed overview on Cisco Licensing, go to https://cisco.com/go/licensingguide.

This chapter includes the following major sections:

Feature Information for Available Licenses and Licensing Models

The following table provides a summary of license related changes applicable to the Cisco Catalyst 8000 Edge Platforms Family. The table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 1. Feature Information for Available Licenses and Licensing Models

Feature Name

Release

Feature Information

500 Mbps Aggregate for Tier 1 and 250 Mbps Throughput Configuration in Autonomous Mode

Cisco IOS XE 17.14.1a

On virtual platforms - when you configure a throughput of 250 Mbps or T1, if an HSECK9 license is available on the device, then throughput is capped at 500 Mbps transmitted (Tx) data only. In earlier releases, throughput was capped at 200 Mbps Tx.

On physical platforms - when you configure a throughput of 250 Mbps or T1, if an HSECK9 license is available on the device, then aggregate throughput throttling is effective. Throughput is capped at 500 Mbps and any distribution of traffic in the upstream and downstream direction is allowed. In earlier releases, bidirectional throughput throttling was applicable to T1 and 250 Mbps - throughput was capped at 250 Mbps in each direction.

See Release-Wise Changes in Throttling Behavior.

Aggregate Throughput Throttling - Virtual Platforms

Cisco IOS XE Cupertino 17.9.1a

On virtual platforms of the Cisco Catalyst 8000 Edge Platforms Family, for all throughput levels, when you configure a bidirectional throughput value on the device, aggregate throughput throttling is effective.

This enhancement does not change the throttling behaviour that has always been applicable to virtual platforms: any throttling applies only to data that is transmitted (Tx). Data that is received (Rx) is unthrottled.

See Throughput and Numeric and Tier-Based Throughput.

Aggregate Throughput Throttling - Physical Platforms

Cisco IOS XE Cupertino 17.8.1a

On the physical platforms of Cisco Catalyst 8000 Edge Platforms Family, for throughput levels greater than 250 Mbps and Tier 2 and higher tiers, when you configure the bidirectional throughput value on the device, aggregate throughput throttling is effective. This means that traffic is throttled in an aggregate manner irrespective of the distribution of the traffic in the upstream and downstream direction.

The bidirectional throughput is represented in the license PID (For example, DNA-C-500M-E-3Y and DNA-C-T2-E-3Y). The aggregate throughput is double the bidirectional throughput.

See Release-Wise Changes in Throttling Behavior.

Tier-Based Licenses

Cisco IOS XE Cupertino 17.7.1a

Support for tier-based throughput configuration was introduced in addition to existing bandwidth-based (numeric) throughput configuration.

Starting with the lowest throughput level, the available tiers are Tier 0 (T0), Tier 1 (T1), Tier 2 (T2), and Tier3 (T3). Each tier represents a throughput level.

If the license PID for a product is tier-based, the license is displayed with the tier value in the CSSM Web UI.

For a product with a tier-based license, you can configure a tier-based throughput value, and you can also convert to a tier-based throughput value.

See Throughput and Numeric and Tier-Based Throughput.

Cisco Digital Network Architecture (DNA) licenses

Cisco IOS XE Amsterdam 17.3.2

Support for Cisco DNA licenses was introduced on Cisco Catalyst 8000 Edge Platforms Family.

Cisco DNA Licenses are categorised into network-stack licenses and a DNA-stack add-on licenses.

See Cisco DNA License.

High Security License (HSECK9)

Cisco IOS XE Amsterdam 17.3.2

Support for the HSECK9 license was introduced on Cisco Catalyst 8000 Edge Platforms Family.

See High Security License.

Cisco Unified Border Element license (Cisco UBE license)

Cisco Unified Communications Manager Express license (Cisco Unified CME license)

Cisco Unified Survivable Remote Site Telephony license (Cisco Unified SRST license)

Cisco IOS XE Amsterdam 17.3.2

Support for Cisco UBE, Cisco Unified CME, Cisco Unified SRST licenses was introduced on Cisco Catalyst 8000 Edge Platforms Family

See Cisco CUBE License, Cisco Unified CME License, and Cisco Unified SRST License.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Available Licenses

This section lists all the licenses that are available on Cisco Catalyst 8000 Edge Platforms Family, usage guidelines, and ordering considerations.

Cisco DNA License

A Cisco Digital Network Architecture (DNA) software license combines several feature-specific licenses.


Note


A Cisco DNA license includes all feature licenses except the following: High Security (HSECK9), Cisco Unified Border Element (Cisco UBE), Cisco Unified Communications Manager Express (Cisco Unified CME), and Cisco Unified Survivable Remote Site Telephony (Cisco Unified SRST). See Ordering Considerations for a Cisco DNA License.


Cisco DNA licenses are categorized into network-stack licenses and DNA-stack add-on licenses.

Cisco DNA Licenses Available on Catalyst 8000V Edge Software, Catalyst 8200, and 8300 Series Edge Platforms:

Network-stack licenses:

  • Network Essentials

  • Network Advantage: includes features available with Network Essentials, and more.

  • Network Premier: includes features available Network Essentials, Network Advantage, and more.

DNA-stack add-on licenses:

  • Cisco DNA Essentials: add-on license available only with Network Essentials.

  • Cisco DNA Advantage: add-on license available only with Network Advantage. Includes features available with DNA Essentials and more.

  • Cisco DNA Premier: add-on license available only with Network Premier. Includes features available with DNA Essentials, DNA Advantage and more.

Cisco DNA Licenses Available on Catalyst 8500 Series Edge Platforms:

Network-stack licenses:

  • Network Advantage

  • Network Premier: includes features available Network Advantage, and more.

DNA-stack add-on licenses:

  • Cisco DNA Advantage

  • Cisco DNA Premier: add-on license available only with Network Premier. Includes features available with DNA Advantage and more.

Guidelines for Using a Cisco DNA License

  • Guidelines that apply to all platforms in the Cisco Catalyst 8000 Edge Platforms Family:

    • A network-stack license is a perpetual or permanent license and has no expiration date.

    • A DNA-stack add-on license is a subscription or term license and is valid only until a certain date. A 3-year and 5-year option is available for all DNA-stack add-on licenses. A 7-year subscription option is available for certain DNA-stack add-on licenses.

    • Tier 3 (T3) or higher tiers are not supported with the Network Essentials and DNA Essentials licenses.

      This also means that if you have configured T3 or higher tiers as the throughput, you cannot change the boot level license to Network Essentials and DNA Essentials.

      For information about the various tiers available with Cisco DNA Licenses, see Tier and Numeric Throughput Mapping.

  • Guidelines that apply only to Catalyst 8000V Edge Software:

    On Catalyst 8000V Edge Software, when you configure a network-stack license, you must also configure the corresponding DNA-stack add-on license.

  • Guidelines that apply only to Catalyst 8200, 8300, 8500 Series Edge Platforms:

    • The DNA-stack add-on license that is available with each network-stack license is optional. You can configure a network-stack license without a DNA-stack add-on license, but you cannot configure DNA-stack add-on license without the corresponding network-stack license.

    • If you use a DNA-stack add-on license, renew the license before term expiry to continue using it, or deactivate the DNA-stack add-on license and then reload the device to continue operating with the network-stack license capabilities.

Ordering Considerations for a Cisco DNA License

A Cisco DNA license subsumes all performance, boost, and technology package licenses (securityk9, uck9, and appxk9). This means that when you order a Cisco DNA network-stack license, or a Cisco DNA-stack add-on license, if a performance, boost, and technology package license is required or applicable, it is automatically added to the order.

The license Product ID (PID) you purchase can only be a DNA-stack add-on license PID.

Even if you order a Cisco DNA license along with new hardware, the license is not preconfigured on the device. You must configure the boot level license and then the throughput, on the device.

When ordering a Cisco DNA license, you are also specifiying a throughput value. If the throughput you order is greater than 250 Mbps, an HSECK9 license is required on all variants of Cisco Catalyst 8000 Edge Platforms Family - except for Catalyst 8500 and 8500L/8530L Series Edge Platforms. For more information, see High Security License.

When you order a license PID with a tier-based throughput value of T1, an HSECK9 license is automatically added to the order.

High Security License

The High Security license (HSECK9 license) is an export-controlled license and is restricted by U.S. export control laws. This license is required for the use of full cryptographic functionality, that is, throughput greater than 250 Mbps, and tunnel count over and above a certain number (refer to table below). This requirement applies to all devices of Cisco Catalyst 8000 Edge Platforms Family except for Catalyst 8500 and 8500L Series Edge Platforms.

Only on Catalyst 8500 and 8500L/8530L Series Edge Platforms, throughput and tunnel scale are not impacted by the non-availability of the HSECK9 license. On these platforms, the HSECK9 license is required only for compliance purposes. On all remaining models of Cisco Catalyst 8000 Edge Platforms Family, supported tunnel count and throughput are restricted in the absence of an HSECK9 license. The table below specifies supported tunnel count and supported throughput without the HSECK9 license:

PID

No. Of Tunnels Without HSECK9 License

Supported Throughput Without HSECK9 License

C8000V

150

T0, T1

C8200-1N-4T

1000

T0, T1

C8200L-1N-4T

1000

T0, T1

C8300-1N1S-4T2X

1000

T0, T1

C8300-1N1S-6T

1000

T0, T1

C8300-2N2S-4T2X

1000

T0, T1

C8300-2N2S-6T

1000

T0, T1

C8500-12X4QC

N/A

N/A

C8500-12X

N/A

N/A

C8500-20X6C

N/A

N/A

C8500L-8S4X

N/A

N/A

C8530L-8S8X4Y

N/A

N/A

C8530L-8S2X2Y

N/A

N/A


Note


The term "throughput" refers to encrypted throughput on physical platforms. On virtual platforms, it refers to encrypted and unencrypted throughput - combined.


By using an HSECK9 license, the tunnel count restriction is lifted and you can also configure throughput greater than 250 Mbps. For detailed information about the available throughput options, see Tier and Numeric Throughput Mapping.

To know if an HSECK9 license is being used on a device, enter the show license summary command in privileged EXEC mode. On all devices in the Cisco Catalyst 8000 Edge Platforms Family, the HSECK9 license as displayed as: Router US Export Lic. for DNA (DNA_HSEC). For example:
Device# show license summary

Account Information:
  Smart Account: Eg-SA As of Dec 03 15:26:02 2021 UTC
  Virtual Account: Eg-VA

License Usage:
  License                 Entitlement Tag               Count Status
  ---------------------------------------------------------------------------
  network-advantage_T2    (NWSTACK_T2_A)                    1 IN USE
  dna-advantage_T2        (DSTACK_T2_A)                     1 IN USE
  Router US Export Lic... (DNA_HSEC)                        1 IN USE

Guidelines for Using an HSECK9 License

The HSECK9 license is tied to the chassis. Therefore, one HSECK9 license is required for each chassis UDI where you want to use cryptographic functionality.

An HSECK9 license requires authorization before use. This authorisation is provided by a Smart Licensing Authorization Code (SLAC). You must install a SLAC for each HSECK9 license you use. A SLAC is generated in and obtained from CSSM. How you obtain SLAC from CSSM depends on the topology you have implemented. For more information, see Installing SLAC for an HSECK9 License.

To know if SLAC is installed, enter the show license authorization command in privileged exec mode, to confirm. If SLAC is installed, the status field displays: SMART AUTHORIZATION INSTALLED on <timestamp>. For example:
Device# show license authorization
Overall status:
  Active: PID:C8300-1N1S-4T2X,SN:FDO2250A0J5
      Status: SMART AUTHORIZATION INSTALLED on Dec 03 08:24:35 2021 UTC
      Last Confirmation code: 418b11b3

Authorizations:
  Router US Export Lic. for DNA (DNA_HSEC):
    Description: U.S. Export Restriction Compliance license for DNA based Routers
    Total available count: 1
    Enforcement type: EXPORT RESTRICTED
    Term information:
      Active: PID:C8300-1N1S-4T2X,SN:FDO2250A0J5
        Authorization type: SMART AUTHORIZATION INSTALLED 
        License type: PERPETUAL
          Term Count: 1

Purchased Licenses:
  No Purchase Information Available

Ordering Considerations for an HSECK9 License

If you order your DNA licenses in the same order as Catalyst 8000 hardware platforms, the option to order an HSECK9 license is available or is selected, if applicable. For example, in case of Catalyst 8500 Series Edge Platforms, when you order hardware, an HSECK9 license is automatically added to the order, because throughput support starts at greater than 250 Mbps on these platforms. Further, the requisite SLAC for the HSECK9 license is also factory-installed on the device.

If you order your DNA licenses in an order that is separate from your Catalyst 8000 hardware platforms, you must separately order the HSECK9 license in the order for the Catalyst 8000 hardware platforms, if required.

If you plan to use an HSECK9 license with new hardware that you are ordering, provide your Smart Account and Virtual Account information with the hardware order. This enables Cisco to factory-install SLAC for the HSECK9 license on the hardware. You must still configure throughput on the device before you start using it.


Note


If the HSECK9 license is ordered separately (not with the hardware order), SLAC cannot be factory-installed.


Cisco CUBE License

A Cisco Unified Border Element License (Cisco UBE license) does not require any boot level configuration before you enable it. After purchase, you can refer to the configuration guide to configure the available Cisco UBE features.

For information about the features available with a Cisco UBE license, see the Cisco Unified Border Element Configuration Guide for the required release at: https://www.cisco.com/c/en/us/support/unified-communications/unified-border-element/products-installation-and-configuration-guides-list.html.

For information about supported platforms and about purchasing a Cisco UBE license, see the datasheet at: https://www.cisco.com/c/en/us/products/collateral/unified-communications/unified-border-element/data-sheet-c78-729692.html. You must order a Cisco UBE license separately if required. It is not automatically included with any other license.

For information about how to report usage of a Cisco UBE license, see Smart Licensing Using Policy for Cisco Enterprise Routing Platforms. In the context of this licensing model, a Cisco UBE license is an unenforced license.

Cisco Unified CME License

A Cisco Unified Communications Manager Express License (Cisco Unified CME license) does not require any boot level configuration before you enable it. After purchase, you can refer to the configuration guide to configure the available features.

For information about the features available with a Cisco Unified CME license, see the Cisco Unified Communications Manager Express System Administrator Guide.

For information about supported platforms and about purchasing a Cisco Unified CME license, see the datasheet at: https://www.cisco.com/c/en/us/products/collateral/unified-communications/unified-communications-manager-express/datasheet-c78-744069.html. You must order a Cisco Unified CME license separately if required. It is not automatically included with any other license.

For information about how to report usage of a Cisco Unified CME license, see Smart Licensing Using Policy for Cisco Enterprise Routing Platforms. In the context of this licensing model, a Cisco Unified CME license is an unenforced license.

Cisco Unified SRST License

A Cisco Unified Survivable Remote Site Telephony License (Cisco Unified SRST license) does not require any boot level configuration before you enable it. After purchase, you can refer to the configuration guide to configure the available Unified SRST features.

For information about the features available with a Cisco Unified SRST license, see the Cisco Unified SCCP and SIP SRST System Administrator Guide (All Versions).

For information about supported platforms and about purchasing a Cisco Unified SRST license, see the datasheet at: https://www.cisco.com/c/en/us/products/collateral/unified-communications/unified-communications-manager-express/datasheet-c78-744069.html. You must order a Cisco Unified SRST license separately if required. It is not automatically included with any other license.

For information about how to report usage of a Unified SRST license, see Smart Licensing Using Policy for Cisco Enterprise Routing Platforms. In the context of this licensing model, a Unified SRST license is an unenforced license.

Throughput

The throughput tells you how much data is allowed to be transferred through the device. You configure this value in the autonomous mode. Data is then transmitted (Tx) and received (Rx) at the configured rate.

If you don’t explicitly configure a throughput, default throughput is effective.

To know the configured throughput of a device, enter the applicable command:

  • For physical platforms enter the show platform hardware throughput crypto command, in privileged EXEC mode.

  • For virtual platforms enter the show platform hardware throughput level command, in privileged EXEC mode.

The following sections provide information about how a throughput value is represented, whether the throughput on a device refers to encrypted or unencrypted throughput and what this means, and if and how a limit may be enforced on device throughput.

Numeric and Tier-Based Throughput

The throughput you are entitled to, is specified in the device’s Cisco DNA license product ID (PID). It is a value that can be represented by a number or by a tier. It is this same value that is also configured on the device.

Numeric Throughput Value

When throughput is represented by a number, it is called a numeric throughput value. For example, DNA-C-10M-E-3Y is a license PID with a numeric throughput value of 10M, that is, 10 Mbps.

Depending on the device, some of the other available numeric throughput values are: 15M, 25M, 50M, 100M, 250M, 500M, 1G, 2.5G, 5G, 10G, and so on. Throughput greater than 250 Mbps requires an HSECK9 license.

Tier-Based Throughput Value

When throughput is represented by a tier, it is called a tier-based throughput value. A tier represents a throughput level and is mapped to a numeric throughput value. For example, DNA-C-T0-E-3Y is a license PID with a tier-based throughput value of T0. The numeric equivalent it is mapped to is a throughput of up to 25 Mbps.


Note


Tier-based throughput configuration is supported starting with Cisco IOS XE Cupertino 17.7.1a. From this release onwards, tier-based throughput configuration is also the recommended way of configuring throughput on the device.


Starting with the lowest throughput level, the available tiers are Tier 0 (T0), Tier 1 (T1), Tier 2 (T2), Tier 3 (T3), Tier 4 (T4), and Tier 5 (T5). T2 and higher tiers require an HSECK9 license.

Note the following about tiers:

  • Not all tiers are available with all Cisco DNA licenses.

    For example, T3 and higher tiers are not available with the Network Essentials and DNA-Essentials licenses. This also means that if you have T3 as the configured throughput, you cannot change the boot level license to Network Essentials and DNA Essentials.

  • Each tier maps to or means a different numeric value for different platforms.

    The different platforms in the Cisco Catalyst 8000 Edge Platforms Family support different maximum throughput levels. For example, T2 means 1G throughput for C8300-2N2S-4T2X, 500M for C8200-1N-4T, and 250M for C8200L-1N-4T.

To know which tiers are available with a particular DNA License and to know the numeric equivalent of each tier for a particular platform and see the Tier and Numeric Throughput Mapping section in this chapter.

To know when to configure a numeric throughput value and when to configure tier-based throughput on your device, see the Numeric vs. Tier-Based Throughput Configuration section in this chapter.

Encrypted and Unencrypted Throughput

Encrypted throughput, also known as crypto throughput, is throughput that is protected by a cryptographic algorithm.

Unencrypted throughput on the other hand, is in plain text. Unencrypted throughput is also referred to as Cisco Express Forwarding (CEF) traffic.


Important


In case of physical platforms (Catalyst 8200, 8300, and 8500 Series Edge Platforms), all references to “throughput” in this document refer to cryptographic throughput.

In case of virtual platforms (Catalyst 8000V Edge Software), all references to “throughput” in this document refer to encrypted and unencrypted throughput, combined.


Throttled and Unthrottled Throughput

Throttled throughput, is throughput on which a limit has been enforced. (When you configure a throughput value, you are throttling device throughput to the configured extent.)

Unthrottled throughput means that no limit is enforced, and the device throughput is at the maximum capability of the device.


Note


On virtual platforms, if throughput is throttled, throttling applies only to Tx data. Rx is always unthrottled. On physical platforms, if throughput is throttled, throttling applies to Tx and Rx data.

On physical platforms (Catalyst 8200, 8300, and 8500 Series Edge Platforms), unencrypted throughput (Tx and Rx), is unthrottled by default.


Types of Throttling Behavior: Aggregate and Bidirectional

The system can impose throttling in a bidirectional manner or an aggregate manner.

Bidirectional throughput throttling

Here the system throttles data in each direction. When bidirectional throttling is effective, Tx data is capped at the bidirectional throughput value and the Rx data is capped at the bidirectional throughput value - separately. (Note the exception that always applies to virtual platforms: Rx is unthrottled.)

For example, if the bidirectional throughput value is 25 Mbps or T0 and bidirectional throughput throttling is effective:

  • On virtual platforms, Tx data is capped at 25 Mbps. Rx is unthrottled.

  • On physical platforms, Tx data is capped at 25 Mbps and Rx data is capped at 25 Mbps.


Note


The value that you see in a license PID (whether numeric or tier-based) represents a bidirectional throughput value.


Aggregate throughput throttling

Here the system doubles the configured value and throttles throughput at this aggregate limit. When aggregate throughput throttling is effective, traffic is not throttled separately in each direction.

For example, if the bidirectional throughput value that is configured is 500 Mbps and aggregate throughput throttling is effective:

  • On virtual platforms, Tx data is capped at 1 Gbps. Rx is unthrottled.

  • On physical platforms, traffic in the upstream and downstream direction can be any ratio within the 1 Gbps aggregate limit. For instance, 800 Mbps Tx and 200 Mbps Rx, or, 300 Mbps Tx and 700 Mbps Rx)

Release-Wise Changes in Throttling Behavior

To know if the throughput on your device will be throttled in a bidirectional manner or in an aggregate manner, check the software version running on the device, and refer to the release-wise changes in throttling behavior described below.

  • Until Cisco IOS XE Cupertino 17.7.x: Only bidirectional throughput throttling is effective. This applies to physical and virtual platforms.

  • Starting with Cisco IOS XE Cupertino 17.8.1a:

    • Only on physical platforms, when you configure a throughput value greater than 250 Mbps or T2 and higher tiers, aggregate throughput throttling is effective.

      On C8200L-1N-4T, if you configure a numeric value of 250 Mbps, bidirectional throughput throttling is effective and a maximum of 250 Mbps is available in each direction. But if you configure tier T2, aggregate throttling is effective and 500 Mbps is available for use in any Tx and Rx ratio.

    • On virtual platforms, Tx throttling continues to apply, and Rx continues to remain unthrottled.

  • Starting with Cisco IOS XE Cupertino 17.9.1a: On virtual platforms, for all throughput levels and all tiers, aggregate throughput throttling is effective.


    Note


    If the aggregate for the throughput level you configure on a virtual platform amounts to greater than 250 Mbps, aggregate throughput throttling is not effective unless an HSECK9 license is available on the device (that is, SLAC is installed).


  • Starting with Cisco IOS XE 17.14.1a: On physical and virtual platforms, when you configure a throughput of 250 Mbps or T1, aggregate throughput throttling is effective - as long as an HSECK9 license is available on the device. On virtual platforms, this means that Tx throughput is capped at 500 Mbps. On physical platforms, this means an aggregate limit of 500 Mbps is available for use in any Tx and Rx ratio.

    If an HSECK9 license is not available on the device and you configure a throughput value of 250 Mbps, or T1, then bidirectional throughput throttling is effective. On virtual platforms this means Tx throughput is throttled at 250 Mbps. On physical platforms throughput is throttled at 250 Mbps in each direction.

Tier and Numeric Throughput Mapping

The following tables provide information about about the numeric equivalent of each tier, and the DNA licenses that each tier is available with.


Tip


The mapping tables clarify only the numeric equivalent of a tier. This mapping does not reflect the final throughput that you are entitled to. The entitled throughput depends on the device’s capability, the software version running on the device, and throttling behavior for that version.



Note


When you purchase a license PID with a tier-based throughput value of T1, an HSECK9 license is automatically provided.


: Network Premium and DNA Premium

: Network Advantage and DNA Advantage

: Network Essentials and DNA Essentials

* = HSECK9 license required. On C8500 and C8500L/C8530L, the HSECK9 license is required for compliance purposes only.

Table 2. Tier and Numeric Throughput Mapping for Virtual Platforms (C8000v)
Tiers from 17.9.1a: T0 T1 T2* T3*

T4*

Tiers in 17.7.x, 17.8.x:

T0 T1 T2* T3*

T4*

Numeric Mapping:

15M 25M 50M 100M 250M 500M 1G 2.5G 5G 10G

Un-throttled

Available DNA Licenses:

Table 3. Tier and Numeric Throughput Mapping for Physical Platforms (C8200, C8300, C8500)

Tiers from 17.8.1a:

T0

T1

T2*

T3*

T4*

T5*

Tiers in 17.7.x:

T0

T1

T2*

T3*

n.a.

n.a.

Configured Numeric Value:

10M 15M 25M 50M 100M 250M 500M 1G 2.5G 5G 10G 50G Un-throttled

C8200-1N-4T

C8200L-1N-4T

C8300-1N1S-4T2X

C8300-1N1S-6T

C8300-2N2S-4T2X

C8300-2N2S-6T

C8500-12X

C8500-12X4QC

C8500-20X6C

C8500L-8S4X

C8530L-8S8X4Y

C8530L-8S2X2Y

Entitled Throughput and Throttling Specifications in the Autonomous Mode

These tables tell you about the throughput you are entitled to. This is based on the device, the throughput value, which can be aggregate or numeric, and the release, which determines if throttling is imposed in an aggregate or bidirectional manner.

Table 4. C8000v

Throughput = Encrypted and Unencrypted Throughput

Rx is Unthrottled

* HSECK9 license is required.

Supported Throughput Values

(default 10M)

Entitled Throughput & Throttling in >= 17.4.1a

Entitled Throughput & Throttling in >= 17.7.1a

Entitled Throughput & Throttling in >=17.9.1a

Entitled Throughput & Throttling in >=17.14.1a

10M

10M Tx Only

10M Tx Only

20M Tx Only

20M Tx Only

15M

15M Tx Only

15M Tx Only

30M Tx Only

30M Tx Only

25M

25M Tx Only

25M Tx Only

50M Tx Only

50M Tx Only

50M

50M Tx Only

50M Tx Only

100M Tx Only

100M Tx Only

100M

100M Tx Only

100M Tx Only

200M Tx Only

200M Tx Only

250M

250M Tx Only

250M Tx Only

250M Tx Only

With HSECK9: 500M Tx

Without HSECK9: 250M Tx

500M*

500M Tx Only

500M Tx Only

1G Tx Only

1G Tx Only

1G*

1G Tx Only

1G Tx Only

2G Tx Only

2G Tx Only

2.5G*

2.5G Tx Only

2.5G Tx Only

5G Tx Only

5G Tx Only

5G*

5G Tx Only

5G Tx Only

10G Tx Only

10G Tx Only

10G*

10G Tx Only

10G Tx Only

20G Tx Only

20G Tx Only

T0

-

15M Tx Only

50M Tx Only

50M Tx Only

T1

-

100M Tx Only

200M Tx Only

With HSECK9: 500M Tx

Without HSECK9: 250M Tx

T2*

-

1G Tx Only

2G Tx Only

2G Tx Only

T3*

-

10 Tx Only

20G Tx Only

20G Tx Only

T4*

-

Unthrottled

Unthrottled

Unthrottled

Table 5. C8200-1N-4T

Throughput = Encrypted Throughput

* HSECK9 license is required.

Supported Throughput Values

(default 10M)

Entitled Throughput & Throttling in >= 17.4.1a

Entitled Throughput & Throttling in >= 17.7.1a

Entitled Throughput & Throttling in >= 17.8.1a

Entitled Throughput & Throttling in >= 17.14.1a

10M

10M Bidirectional

10M Bidirectional

10M Bidirectional

10M Bidirectional

15M

15M Bidirectional

15M Bidirectional

15M Bidirectional

15M Bidirectional

25M

25M Bidirectional

25M Bidirectional

25M Bidirectional

25M Bidirectional

50M

50M Bidirectional

50M Bidirectional

50M Bidirectional

50M Bidirectional

100M

100M Bidirectional

100M Bidirectional

100M Bidirectional

100M Bidirectional

250M

250M Bidirectional

250M Bidirectional

250M Bidirectional

With HSECK9: 500M Aggregate

Without HSECK9: 250M Bidirectional

500M*

500M Bidirectional

500M Bidirectional

1G Aggregate

1G Aggregate

T0

-

15M Bidirectional

25M Bidirectional

25M Bidirectional

T1

-

100M Bidirectional

100M Bidirectional

With HSECK9: 500M Aggregate

Without HSECK9: 250M Bidirectional

T2

-

500M Bidirectional

1G Aggregate

1G Aggregate

Table 6. C8200L-1N-4T

Throughput = Encrypted Throughput

* HSECK9 license is required.

Supported Throughput Values

(default 10M)

Entitled Throughput & Throttling in >= >= 17.5.1a

Entitled Throughput & Throttling in >= 17.7.1a

Entitled Throughput & Throttling in >= 17.8.1a

Entitled Throughput & Throttling in >= 17.14.1a

10M

10M Bidirectional

10M Bidirectional

10M Bidirectional

10M Bidirectional

15M

15M Bidirectional

15M Bidirectional

15M Bidirectional

15M Bidirectional

25M

25M Bidirectional

25M Bidirectional

25M Bidirectional

25M Bidirectional

50M

50M Bidirectional

50M Bidirectional

50M Bidirectional

50M Bidirectional

100M

100M Bidirectional

100M Bidirectional

100M Bidirectional

100M Bidirectional

250M

250M Bidirectional

250M Bidirectional

250M Bidirectional

With HSECK9: 500M Aggregate

Without HSECK9: 250M Bidirectional

T0

-

15M Bidirectional

25M Bidirectional

25M Bidirectional

T1

-

100M Bidirectional

100M Bidirectional

With HSECK9: 500M Aggregate

Without HSECK9: 250M Bidirectional

T2*

-

250M Bidirectional

500M Aggregate

500M Aggregate

-

Note

 

From 17.8.1a, On C8200-1N-4T-L, if you configure a numeric value of 250 Mbps, a maximum of 250 Mbps is available in each direction. But if you configure tier-based value T2 (which requires an HSECK9 license), 500 Mbps is available for use in any Tx and Rx ratio.

Table 7. C8300-1N1S-4T2X, C8300-2N2S-4T2X

Throughput = Encrypted Throughput

* HSECK9 license is required.

Supported Throughput Values

(default 10M)

Entitled Throughput & Throttling in >= 17.3.2

Entitled Throughput & Throttling in >= 17.7.1a

Entitled Throughput & Throttling in >= 17.8.1a

Entitled Throughput & Throttling in >= 17.14.1a

10M

10M Bidirectional

10M Bidirectional

10M Bidirectional

10M Bidirectional

15M

15M Bidirectional

15M Bidirectional

15M Bidirectional

15M Bidirectional

25M

25M Bidirectional

25M Bidirectional

25M Bidirectional

25M Bidirectional

50M

50M Bidirectional

50M Bidirectional

50M Bidirectional

50M Bidirectional

100M

100M Bidirectional

100M Bidirectional

100M Bidirectional

100M Bidirectional

250M

250M Bidirectional

250M Bidirectional

250M Bidirectional

With HSECK9: 500M Aggregate

Without HSECK9: 250M Bidirectional

500M*

500M Bidirectional

500M Bidirectional

1G Aggregate

1G Aggregate

1G*

1G Bidirectional

1G Bidirectional

2G Aggregate

2G Aggregate

2.5G*

2.5G Bidirectional

2.5G Bidirectional

5G Aggregate

5G Aggregate

T0

-

15M Bidirectional

25M Bidirectional

25M Bidirectional

T1

-

100M Bidirectional

100M Bidirectional

With HSECK9: 500M Aggregate

Without HSECK9: 250M Bidirectional

T2*

-

1G Bidirectional

2G Aggregate

2G Aggregate

T3*

-

10G Bidirectional

20G Aggregate

20G Aggregate

Table 8. C8300-1N1S-6T, C8300-2N2S-6T

Throughput = Encrypted Throughput

* HSECK9 license is required.

Supported Throughput Values

(default 10M)

Entitled Throughput & Throttling in >= 17.3.2

Entitled Throughput & Throttling in >= 17.7.1a

Entitled Throughput & Throttling in >= 17.8.1a

Entitled Throughput & Throttling in >= 17.14.1a

10M

10M Bidirectional

10M Bidirectional

10M Bidirectional

10M Bidirectional

15M

15M Bidirectional

15M Bidirectional

15M Bidirectional

15M Bidirectional

25M

25M Bidirectional

25M Bidirectional

25M Bidirectional

25M Bidirectional

50M

50M Bidirectional

50M Bidirectional

50M Bidirectional

50M Bidirectional

100M

100M Bidirectional

100M Bidirectional

100M Bidirectional

100M Bidirectional

250M

250M Bidirectional

250M Bidirectional

250M Bidirectional

With HSECK9: 500M Aggregate

Without HSECK9: 250M Bidirectional

500M*

500M Bidirectional

500M Bidirectional

1G Aggregate

1G Aggregate

1G*

1G Bidirectional

1G Bidirectional

2G Aggregate

2G Aggregate

T0

-

15M Bidirectional

25M Bi-directional

25M Bi-directional

T1

-

100M Bidirectional

100M Bi-directional

With HSECK9: 500M Aggregate

Without HSECK9: 250M Bidirectional

T2*

-

1G Bidirectional

2G Aggregate

2G Aggregate

Table 9. C8500-12X, C8500-12X4QC

Throughput = Encrypted Throughput

*HSECK9 license required for compliance purposes only.

Supported Throughput Values

(default 10M)

Entitled Throughput & Throttling in >= 17.3.2

Entitled Throughput & Throttling in >= 17.7.1a

Entitled Throughput & Throttling in >= 17.8.1a

2.5G*

2.5G Bidirectional

2.5G Bidirectional

5G Aggregate

5G*

5G Bidirectional

5G Bidirectional

10G Aggregate

10G*

10G Bidirectional

10G Bidirectional

20G Aggregate

T3*

-

10G Bidirectional

20G Aggregate

Table 10. C8500L-8S4X

Throughput = Encrypted Throughput

*HSECK9 license required for compliance purposes only.

Supported Throughput Values

(default 10M)

Entitled Throughput & Throttling in >= 17.4.1a

Entitled Throughput & Throttling in >= 17.7.1a

Entitled Throughput & Throttling in >= 17.8.1a

1G*

1G Bidirectional

1G Bidirectional

2G Aggregate

2.5G*

2G Bidirectional

2G Bidirectional

5G Aggregate

5G*

5G Bidirectional

5G Bidirectional

10G Aggregate

10G*

10G Bidirectional

10G Bidirectional

20G Aggregate

T2*

-

1G Bidirectional

2G Aggregate

T3*

-

10G Bidirectional

20G Aggregate

Table 11. C8500-20X6C

Throughput = Encrypted Throughput

*HSECK9 license required for compliance purposes only.

Supported Throughput Values

(default T4)

Entitled Throughput and Throttling in >= 17.10.1a

T4*

50G Aggregate

T5*

Unthrottled

Entitled Throughput and Throttling Specifications in the SD-WAN Controller Mode

PID

Introductory Release for PID

Throughput Without HSECK9 - Bi-directional Throughput With HSECK9

(>=17.3.2 and <17.8.1a, Bi-directional)

Throughput With HSECK9

(>17.8.1a, Aggregate)

C8300-1N1S-4T2X

(default 250M)

17.3.2

250M

unthrottled

unthrottled

C8300-2N2S-6T

(default 250M)

17.3.2

250M

1G

2G

C8300-1N1S-6T

(default 250M)

17.3.2

250M

1G

2G

C8300-2N2S-4T2X

(default 250M)

17.3.2

250M

unthrottled

unthrottled

C8200-1N-4T

(default 250M)

17.4.1a

250M

500M

1G

C8200L-1N-4T

(default 250M)

17.5.1a

250M

250M

500M

C8500-12X4QC

(default unthrottled)

17.3.2

unthrottled

unthrottled

unthrottled

C8500-12X

(default unthrottled)

17.3.2

unthrottled

unthrottled

unthrottled

C8500L-8S4X

(default unthrottled)

17.4.1a

unthrott

led

unthrottled

unthrottled

C8500-20X6C

(default T4)

17.10.1a

unthrottled

-

unthrottled

C8000v

(default 250M)

17.4.1a

250M

unthrottled

unthrottled

Numeric vs. Tier-Based Throughput Configuration

With the introduction of tier-based throughput configuration in Cisco IOS XE Cupertino 17.7.1a, when you configure throughput on the device, both numeric and tier-based options are available. This section provides information about when to configure a numeric throughput value and when to configure tier-based throughput.

Identifying whether you have tier-based or numeric licenses

Cisco Smart Software Manager (CSSM) is a portal that enables you to manage all your Cisco software licenses. All the license PIDs you purchase are listed in the CSSM Web UI at: https://software.cisco.comManage licenses. One way of identifying whether you have a tier-based or numeric licenses is to see how the license is displayed in CSSM.

To do this, log in to the portal and in the corresponding Smart Account and Virtual Account, navigate to Inventory > Licences, to display the licenses in the account. The screenshot below shows you how both are displayed:

Figure 1. Numeric and Tier Values Displayed in the CSSM Web UI

Recommendations for whether to configure a numeric or tier-based throughput value

  • If you purchase a numeric license PID, the license is displayed with the numeric throughput value and tier-based value in the CSSM Web UI. For such a license, we recommend that you configure only a numeric throughput value.

    See Configuring a Numeric Throughput.

  • If you purchase a tier-based license PID, the license is displayed with only the tier value in the CSSM Web UI. For such a license, you can either configure a tier-based throughput value to match the display in the CSSM Web UI, or you can configure a numeric throughput value.

    See Configuring a Tier-Based Throughput or Configuring a Numeric Throughput.


    Note


    There is no functional impact if you have tier-based license PID in CSSM and you configure a numeric throughput value on the device.


When to convert the configured value to a numeric or tier-based one

The following scenarios further clarify when you can convert from numeric to tier-based throughput configuration, or from tier-based throughput configuration to numeric, when conversion is required, and when it is optional:

  • You have configured a numeric throughput value on the device and the license PID is a numeric license: You must not convert to tier-based throughput value.

  • You have configured a numeric throughput value on the device and the license PID is a tier-based license: You can convert the throughput configuration to tier-based value - but this is optional. There is no functional impact if you do not convert to a tier-based throughput value.

    If you want to convert to a tier-based value, see Converting From a Numeric Throughput Value to a Tier

  • You are upgrading to a release where tier-based throughput values are supported and the license PID is tier-based: You can convert the throughput to tier-based value after upgrade - but this is optional. There is no functional impact if you do not convert to a tier-based throughput value.

    See Upgrading from a Release Supporting Numeric Throughput to a Release Supporting Tiers.

  • You are upgrading to a release where tier-based throughput values are supported, and your license PID is numeric: You must not convert to a tier-based throughput value.

  • You are downgrading to a release where only numeric throughput values are supported and your license PID and throughput configuration are tier-based: You must change configuration to a numeric throughput value, before you downgrade.

    See Downgrading from a Release Supporting Tiers to a Release Supporting Only Numeric Throughput.

How to Configure Available Licenses and Throughput

This section provides information about the sequence in which you must complete tasks, for the various licenses available on the Cisco Catalyst 8000 Edge Platforms Family - before you can start using them.

For a Cisco DNA license: Configure a Boot Level LicenseConfigure Numeric or Tier-Based Throughput Implement a Smart Licensing Using Policy TopologyReport License Usage (If Applicable).

For an HSECK9 license: Configure a Boot Level LicenseImplement a Smart Licensing Using Policy TopologyInstall SLAC1Enable HSECK9 on applicable platforms2Configure Numeric or Tier-Based Throughput Report License Usage (If Applicable).

For a Cisco UBE, or Cisco Unified CME, or Cisco Unified SRST license: Implement a Smart Licensing Using Policy TopologyReport License Usage (If Applicable).

Configuring a Boot Level License

If you have purchased a Cisco DNA license for a new device, or if you have an existing device and you want to change (upgrade or downgrade, add or remove) the currently configured license on your device, complete the following task.

This sets a boot level license and requires a reload before the configured changes are effective.

Procedure


Step 1

show version

Displays the currently set boot level license.

In the accompanying example, Network Advantage and DNA Advantage licences are configured on the device.

Example:

Device# show version
<output truncated>
Technology Package License Information: 
          
-----------------------------------------------------------------
Technology     Type         Technology-package Technology-package
                            Current            Next Reboot       
-----------------------------------------------------------------
Smart License  Perpetual    network-advantage  network-advantage 
Smart License  Subscription dna-advantage      dna-advantage

<output truncated>

Step 2

configure terminal

Enters global configuration mode.

Example:

Device# configure terminal

Step 3

Depending on whether the device is a physical or virtual one, configure the applicable command:

  • For physical platforms: [no] license boot level {network-advantage [addon dna-advantage] | network-essentials [addon dna-essentials] | network-premier [addon dna-premier] }
  • For virtual platforms: [no] license boot level {network-advantage {addon dna-advantage} | network-essentials {addon dna-essentials} | network-premier {addon dna-premier} }

Sets a boot level license.

On all platforms, first configure a network-stack license. Only after this can you configure the corresponding add-on license.

In the command syntax note how the configuration of a DNA-stack add-on license is optional on physical platforms, but mandatory on virtual platforms.

The accompanying example, shows configuration on a C8300-1N1S-4T2X router, which is a physical platform. The network-stack license, Network Premier and the corresponding add-on license, DNA-Premier are configured.

Example:

Device(config)# license boot level network-premier addon dna-premier
% use 'write' command to make license boot config take effect on next boot

Step 4

exit

Exits global configuration mode and returns to privileged EXEC mode.

Example:

Device# exit

Step 5

copy running-config startup-config

Saves your entries in the configuration file.

Example:

Device# copy running-config startup-config
Destination filename [startup-config]? 
Building configuration...
[OK]
<output truncated>

Step 6

reload

Reloads the device. License levels configured in Step 3 are effective and displayed only after this reload.

Example:

Device# reload
Proceed with reload? [confirm]

*Dec  8 01:04:12.287: %SYS-5-RELOAD: Reload requested by console. 
Reload Reason: Reload Command.
<output truncated>

Step 7

show version

Displays the currently set boot level license.

In the accompanying example, the output confirms that Network Premier and DNA-Premier licenses are configured.

Example:

Device# show version
<output truncated>
Technology Package License Information: 
          
-----------------------------------------------------------------
Technology     Type         Technology-package Technology-package
                            Current            Next Reboot       
-----------------------------------------------------------------
Smart License  Perpetual    network-premier    network-premier   
Smart License  Subscription dna-premier        dna-premier
<output truncated>

Step 8

show license summary

Displays a summary of license usage, which includes information about licenses being used, the count, and status.

Example:

Device# show license summary

Account Information:
  Smart Account: Eg-SA As of Dec 08 08:10:33 2021 UTC
  Virtual Account: Eg-VA

License Usage:
  License                 Entitlement Tag               Count Status
  -----------------------------------------------------------------------------
  network-premier_T2      (NWSTACK_T2_P)                    1 IN USE
  dna-premier_T2          (DSTACK_T2_P)                     1 IN USE

Step 9

Complete usage reporting - if required

After you configure a license level, you may have to send a RUM report (Resource Utilization Measurement Report) to CSSM to report license usage information. To know if reporting is required, you can wait for a system message or refer to the policy using show commands.

  • The system message, which indicates that reporting is required: %SMART_LIC-6-REPORTING_REQUIRED: A Usage report acknowledgement will be required in [dec] days. [dec] is the amount of time (in days) left to meet reporting requirements.

  • If using show commands, refer to the output of the show license status privileged EXEC command and check the Next ACK deadline field. This means a RUM report must be sent and the acknolwedgement (ACK) from CSSM must be installed by this date.

How you send the RUM report, depends on the topology you have implemented in the Smart Licensing Using Policy environment. For more information, see How to Configure Smart Licensing Using Policy: Workflows by Topology.


Installing SLAC for an HSECK9 License

A Smart Licensing Authorization Code (SLAC) is generated in and obtained from Cisco Smart Software Manager (CSSM) portal.

There are multiple ways in which a product may be connected to the CSSM, in order to obtain a SLAC. Each way of connecting to CSSM is called a topology. You must implement one of the supported topologies so you can then install SLAC in the corresponding method.

For information about all the methods, see the Supported Topologies section of the Smart Licensing Using Policy for Cisco Enterprise Routing Platforms document.


Note


Ensure that a boot level license is already configured on the device. See Configuring a Boot Level License. In the output of the show version privileged EXEC command ensure that a license is mentioned in the License Level field.


Required Tasks After Installing SLAC

Complete the following required tasks after installing SLAC - only if applicable to the platform:

Platform

Required Tasks After Installing SLAC

For Catalyst 8200 and 8300 Series Edge Platforms

Enter the license feature hseck9 command in global configuration mode. This enables the HSECK9 license on these platforms.

For the C8500L/C8530L models of the Catalyst 8500 Series Edge Platforms

Reload the device after installing SLAC.

Configuring a Numeric Throughput

This task shows you how to change the numeric throughput level on physical and virtual platforms. If you do not configure a throughput level, the platform's default throughput level is effective.

Configuration of a throughput level requires a reload on physical platforms (Catalyst 8200, 8300, and 8500 Series Edge Platforms). A reload is not required for virtual platforms (Catalyst 8000V Edge Software).

Before you begin

Procedure


Step 1

Depending on whether the device is a physical or virtual one, enter the applicable command:

  • For physical platforms: show platform hardware throughput crypto
  • For virtual platforms: show platform hardware throughput level

Displays the current throughput level on the device.

In the accompanying example:

  • The show platform hardware throughput crypto sample output is of a physical platform (a C8300-2N2S-4T2X). Here the throughput level is throttled at 250M.

  • The show platform hardware throughput level sample output is of a virtual platform (a C8000V).

Example:

Device# show platform hardware throughput crypto  
Current configured crypto throughput level: 250M
     Level is saved, reboot is not required
Current enforced crypto throughput level: 250M
Crypto Throughput is throttled at 250M
Default Crypto throughput level: 10M
Current boot level is network-advantage  

OR

Device# show platform hardware throughput level
The current throughput level is 1000000 kb/s

Step 2

configure terminal

Enters global configuration mode.

Example:

Device# configure terminal

Step 3

Depending on whether the device is a physical or virtual one, configure the applicable command:

  • For physical platforms: platform hardware throughput crypto {100M | 10M | 15M | 1G | 2.5G | 250M | 25M | 500M | 50M}
  • For virtual platforms: platform hardware throughput level MB {100 | 1000 | 10000 | 15 | 25 | 250 | 2500 | 50 | 500 | 5000}

Configures the throughput level. The displayed throughput options depend on the device.

Note

 

On physical and virtual platforms, ensure that a boot level license is configured. Otherwise the command is not recognized as a valid one on the command line interface.

In the accompanying example:

  • 1 Gbps is configured on the physical platform. The software version running on the device is Cisco IOS XE Cupertino 17.8.1a and this means aggregate throughput throttling applies. After reload, the sum of upstream and downstream throughput will not exceed the 2 Gbps limit.

  • 5000 Mbps is configured on the virtual platform. The software version running on the device is Cisco IOS XE Cupertino 17.8.1a and this means Tx data is throttled at 5000 Mbps. Rx is unthrottled.

Example:

Device(config)# platform hardware throughput crypto ?
  100M  100 mbps bidirectional thput                         
  10M   10 mbps bidirectional thput                          
  15M   15 mbps bidirectional thput                          
  1G    2 gbps aggregate thput                               
  2.5G  5 gbps aggregate thput                               
  250M  250 mbps bidirectional thput                         
  25M   25 mbps bidirectional thput                          
  500M  1gbps aggregate thput                                
  50M   50 mbps bidirectional thput                          
Device(config)# platform hardware throughput crypto 1G
% These values don't take effect until the next reboot. 
Please save the configuration.

OR

Device(config)# platform hardware throughput level MB 5000
%Throughput has been set to 5000 Mbps. 

Step 4

exit

Exits global configuration mode and returns to privileged EXEC mode.

Example:

Device# exit

Step 5

copy running-config startup-config

Saves your entries in the configuration file.

Example:

Device# copy running-config startup-config
Destination filename [startup-config]? 
Building configuration...
[OK]

Step 6

reload

Reloads the device.

Note

 

Perform this step only if the device you are configuring throughput on a physical platform.

Skip this step if you are configuring throughput on a virtual platform.

Example:

Device# reload

Step 7

Depending on whether the device is a physical or virtual one, enter the applicable command:

  • For physical platforms: show platform hardware throughput crypto
  • For virtual platforms: show platform hardware throughput level

Displays the current throughput level on the device.

Tip

 

On physical platforms, you can also enter the show platform hardware qfp active feature ipsec state privileged EXEC command to display the configured throughput level.

Example:

Device# show platform hardware throughput crypto
Current configured crypto throughput level: 1G
     Level is saved, reboot is not required 
Current enforced crypto throughput level: 1G
Crypto Throughput is throttled at 2G(Aggregate)
Default Crypto throughput level: 10M

OR

Device# show platform hardware throughput level
The current throughput level is 5000000 kb/s

Configuring a Tier-Based Throughput

This task shows you how to configure a tier-based throughput level on physical and virtual platforms. If you do not configure a throughput level, the platform's default throughput level is effective.

Tier-based throughput levels are supported starting with Cisco IOS XE Cupertino 17.7.1a only.

Configuration of a throughput level requires a reload on physical platforms (Catalyst 8200, 8300, and 8500 Series Edge Platforms). A reload is not required for virtual platforms (Catalyst 8000V Edge Software).

Before you begin

  • Read sections Numeric and Tier-Based Throughput and Numeric vs. Tier-Based Throughput Configuration.

  • Ensure that a boot level license is already configured on the device. Otherwise you will not be able to configure a throughput value. See Configuring a Boot Level License. In the output of the show version privileged EXEC command ensure that a license is mentioned in the License Level field.

  • If you are configuring Tier 2 (T2) or a higher tier, you must install a Smart Licensing Authorization Code (SLAC) before you start with this task. See Installing SLAC for an HSECK9 License.

    • On physical platforms, T2 or higher tiers are not displayed if SLAC is not installed.

    • On virtual platforms, all tier options are displayed even if SLAC is not installed. But SLAC is required if you want to configure T2 or a higher tier.

  • If you want to configure Tier 3 (T3) ensure that the boot level license is Network Advantage/ DNA Advantage, or Network Premier/DNA Premier. T3 and higher tiers are not supported with Network Essentials and DNA Essentials.

  • You can configure the T1 value with or without an HSECK9 license. The system allows both. The difference is that aggregate throttling is effective if HSECK9 is available on the device. See: Release-Wise Changes in Throttling Behavior.

  • Note the throughput you are entitled to. This is indicated in the Cisco DNA license PID you purchase.

Procedure


Step 1

Depending on whether the device is a physical or virtual one, enter the applicable command:

  • For physical platforms: show platform hardware throughput crypto
  • For virtual platforms: show platform hardware throughput level

Displays the current throughput level on the device.

In the accompanying example:

  • The show platform hardware throughput crypto sample output is of a physical platform (a C8300-2N2S-4T2X). Here throughput is currently throttled at 250 Mbps.

  • The show platform hardware throughput level sample output is of a virtual platform (a C8000V). Here the current throughput level is 10 Mbps.

Example:

Device# show platform hardware throughput crypto
show platform hardware throughput crypto                              
Current configured crypto throughput level: 250M
     Level is saved, reboot is not required
Current enforced crypto throughput level: 250M
Crypto Throughput is throttled at 250M
Default Crypto throughput level: 10M
Current boot level is network-premier

OR

Device# show platform hardware throughput level
The current throughput level is 10000 kb/s

Step 2

show license authorization

(Optional) Displays SLAC information on the product instance.

In the accompanying example:

  • SLAC is installed on the physical platform. This is so we can configure T2.

  • SLAC is not available on the virtual platform. Note how this affects throughput configuration in the subsequent steps.

Example:

Device# show license authorization
Overall status:
  Active: PID:C8300-2N2S-4T2X,SN:FDO2250A0J5
      Status: SMART AUTHORIZATION INSTALLED on Mar 02 05:05:19 2022 UTC
      Last Confirmation code: 418b11b3

Authorizations:
  Router US Export Lic. for DNA (DNA_HSEC):
    Description: U.S. Export Restriction Compliance license for 
    DNA based Routers
    Total available count: 1
    Enforcement type: EXPORT RESTRICTED
    Term information:
      Active: PID:C8300-1N1S-4T2X,SN:FDO2250A0J5
        Authorization type: SMART AUTHORIZATION INSTALLED 
        License type: PERPETUAL
          Term Count: 1

Purchased Licenses:
  No Purchase Information Available

OR

Device# show license authorization
Overall status:
  Active: PID:C8000V,SN:9I8GRCH8CMN
      Status: NOT INSTALLED

Step 3

configure terminal

Enters global configuration mode.

Example:

Device# configure terminal

Step 4

Depending on whether the device is a physical or virtual one, configure the applicable command:

  • For physical platforms: platform hardware throughput crypto {T0 | T1 | T2 | T3 | T4 | T5}
  • For virtual platforms: platform hardware throughput level MB {T0 | T1 | T2 | T3 | T4 }

Configures a tier-based throughput. The throughput options that are displayed, depend on the device.

Note

 

Only tiers are mentioned in command, for the sake of clarity. When you enter the command on the CLI, numeric and tier values are displayed - as shown in the accompanying example.

The following apply to both physical and virtual platforms:

  • Ensure that you have configured a boot level license already. Otherwise the command for throughput configuration is not recognized as a valid one on the command line interface.

  • If you are configuring T2 or a higher tier, you have installed SLAC.

    On a physical platform, you will not be able to configure T2 or a higher tier if SLAC is not installed.

    On a virtual platform, if you configure T2 or a higher tier without SLAC, the product instance automatically tries to reach CSSM to request and install SLAC. If it is successful, throughput is set to the configured tier. If it is not successful, the system sets the throughput to 250 Mbps. If and when SLAC is installed, the throughput is automatically set to the last configured value.

In the accompanying example:

  • 1 Gbps is configured on the physical platform. The software version running on the device is Cisco IOS XE Cupertino 17.8.1a and this means aggregate throughput throttling applies. After reload, the sum of upstream and downstream throughput will not exceed the 2 Gbps limit.

  • 5000 Mbps is configured on the virtual platform. The software version running on the device is Cisco IOS XE Cupertino 17.8.1a and this means Tx data is throttled at 5000 Mbps. Rx is unthrottled.

  • On the physical platform (platform hardware throughput crypto ), T2 and higher tiers are displayed, because SLAC is installed. If SLAC were not available, T1 would have been the highest tier displayed.

    The software version running on the device is Cisco IOS XE Cupertino 17.8.1a and this means aggregate throughput throttling applies. After reload, the sum of upstream and downstream throughput will not exceed the 2 Gbps limit.

  • On the virtual platform (platform hardware throughput level MB ), all tiers are displayed. After T2 is configured, the system message alerts you to the fact that the configuration is not set, because SLAC is not installed.

Example:

Device(config)# platform hardware throughput crypto ?
  100M  100 mbps bidirectional thput                         
  10M   10 mbps bidirectional thput                          
  15M   15 mbps bidirectional thput                          
  1G    2 gbps aggregate thput                               
  2.5G  5 gbps aggregate thput                               
  250M  250 mbps bidirectional thput                         
  25M   25 mbps bidirectional thput                          
  500M  1gbps aggregate thput                                
  50M   50 mbps bidirectional thput                          
  T0    T0(up to 15 mbps) bidirectional thput                
  T1    T1(up to 100 mbps) bidirectional thput               
  T2    T2(up to 2 gbps) aggregate thput                     
  T3    T3(up to 5 gbps) aggregate thput 

Device(config)# platform hardware throughput crypto T2
% These values don't take effect until the next reboot. 
Please save the configuration.
*Mar 02 05:06:19.042: %CRYPTO_SL_TP_LEVELS-6-SAVE_CONFIG_AND_RELOAD: 
New throughput level not applied until reload; please save config 

OR
Device(config)# platform hardware throughput level MB ?
  100    Mbps
  1000   Mbps
  10000  Mbps
  15     Mbps
  25     Mbps
  250    Mbps
  2500   Mbps
  50     Mbps
  500    Mbps
  5000   Mbps
  T0     Tier0(up to 15M throughput)
  T1     Tier1(up to 100M throughput)
  T2     Tier2(up to 1G throughput)
  T3     Tier3(up to 10G throughput)
  T4     Tier4(unthrottled)

Device(config)# platform hardware throughput level MB T2 
%Requested throughput will be set once HSEC authorization 
code is installed 

Step 5

exit

Exits global configuration mode and returns to privileged EXEC mode.

Example:

Device# exit

Step 6

copy running-config startup-config

Saves your entries in the configuration file.

Example:

Device# copy running-config startup-config
Destination filename [startup-config]? 
Building configuration...
[OK]

Step 7

reload

Reloads the device.

Note

 

Perform this step only if the device you are configuring throughput on a physical platform.

Skip this step if you are configuring throughput on a virtual platform.

Example:

Device# reload

Step 8

Depending on whether the device is a physical or virtual one, enter the applicable command:

  • For physical platforms: show platform hardware throughput crypto
  • For virtual platforms: show platform hardware throughput level

Displays the current throughput level on the device.

In the accompanying example:

  • On the physical platform, the tier value is set to T2.

    Tip

     

    On a physical platform, you can also enter the show platform hardware qfp active feature ipsec state privileged EXEC command to display the configured throughput level.

  • On the virtual platform, throughput is set to 250 Mbps. If and when SLAC is installed, the throughput will be automatically set to the last configured value, which is T2.

Example:

Device# show platform hardware throughput crypto
Current configured crypto throughput level: T2
     Level is saved, reboot is not required
Current enforced crypto throughput level: 1G
Crypto Throughput is throttled at 2G(Aggregate)
Default Crypto throughput level: 10M
Current boot level is network-premier

OR

Device# show platform hardware throughput level
The current throughput level is 250000 kb/s

Converting From a Numeric Throughput Value to a Tier

This task shows you how to convert a numeric throughput value to a tier-based throughput value. To know how numeric throughput values are mapped to tier values refer to the table here:Tier and Numeric Throughput Mapping .

Converting the throughput level requires a reload on physical platforms (Catalyst 8200, 8300, and 8500 Series Edge Platforms). A reload is not required for virtual platforms (Catalyst 8000V Edge Software).

Before you begin

Procedure


Step 1

Depending on whether the device is a physical or virtual one, enter the applicable command:

  • For physical platforms: show platform hardware throughput crypto
  • For virtual platforms: show platform hardware throughput level

Displays the currently running throughput on the device.

Example:

Device# show platform hardware throughput crypto
Current configured crypto throughput level: 500M
     Level is saved, reboot is not required
Current enforced crypto throughput level: 500M
Crypto Throughput is throttled at 500M
Default Crypto throughput level: 10M
Current boot level is network-premier

OR

Device# show platform hardware throughput level
The current throughput level is 100000 kb/s

Step 2

Depending on whether the device is a physical or virtual one, enter the applicable command:

  • For physical platforms: license throughput crypto auto-convert
  • For virtual platforms: license throughput level auto-convert

Converts the numeric throughput to a tier-based throughput value. The converted tier value is displayed on the CLI.

Example:

Device# license throughput crypto auto-convert
Crypto throughput auto-convert from level 500M to T2

% These values don't take effect until the next reboot. 
Please save the configuration.
*Dec  8 03:21:01.401: %CRYPTO_SL_TP_LEVELS-6-SAVE_CONFIG_AND_RELOAD: 
New throughput level 
not applied until reload; please save config

OR

Device# license throughput level auto-convert
%Throughput tier set to T1 (100 Mbps) 
% Tier conversion is successful. 
Please write memory to save the tier config

Step 3

copy running-config startup-config

Saves your entries in the configuration file.

Note

 

Even though the command you use to convert from numeric to tier-based throughput is a privileged EXEC command, it changes running configuration from a numeric value to a tier-based value. You must therefore save configuration for the next reload to be displayed with a tier value.

Example:

Device# copy running-config startup-config
Destination filename [startup-config]? 
Building configuration...
[OK]

Step 4

reload

Reloads the device.

Note

 

A reload is required only on physical platforms.

Example:

Device# reload
Proceed with reload? [confirm]
*Dec  8 03:24:09.534: %SYS-5-RELOAD: Reload requested by console. 
Reload Reason: 
Reload Command

Step 5

Depending on whether the device is a physical or virtual one, enter the applicable command:

  • For physical platforms: show platform hardware throughput crypto
  • For virtual platforms: show platform hardware throughput level

Displays the currently running throughput on the device.

Example:

Device# show platform hardware throughput crypto
Current configured crypto throughput level: T2
     Level is saved, reboot is not required
Current enforced crypto throughput level: 1G
Crypto Throughput is throttled at 1G
Default Crypto throughput level: 10M
Current boot level is network-premier


OR

Device# show platform hardware throughput level
The current throughput level is 100000 kb/s

Step 6

Verify that conversion is complete.

  • For physical platforms: license throughput crypto auto-convert
  • For virtual platforms: license throughput level auto-convert

Tip

 

To cross-check that conversion is complete, you can also enter the conversion command again. If the numeric throughput value has already been converted, the system displays a message confirming this.

Example:

Device# license throughput crypto auto-convert
Crypto throughput is already tier based, no need to convert.

OR

Device# license throughput level auto-convert
% Tier conversion not possible since the device is already 
in tier licensing

Upgrading from a Release Supporting Numeric Throughput to a Release Supporting Tiers

If you are upgrading to Cisco IOS XE Cupertino 17.7.1 or later release and the license PID is a tier-based one, you can convert throughput configuration to a tier-based value, or you can retain the numeric throughput configuration.


Note


There is no functional impact if you have tier-based license PID in CSSM and a numeric throughput value is configured on the device.


If you want to convert to a tier-based value note the required action depending on the throughput level that is configured:

Throughput Configuration Before Upgrade

Action Before Upgrade

Action After Upgrade to 17.7.1 or Later

Lesser than 250 Mbps

No action required.

Converting From a Numeric Throughput Value to a Tier

Equal to 250 Mbps

Obtain an HSECK9 license and install SLAC if you want to convert to T2.

Converting From a Numeric Throughput Value to a Tier

Greater than 250 Mbps

No action required.

Converting From a Numeric Throughput Value to a Tier

Downgrading from a Release Supporting Tiers to a Release Supporting Only Numeric Throughput

If you are downgrading to a release where only numeric throughput configuration is supported, you must convert tier-based throughput configuration to a numeric throughput value before downgrade. This is applicable even if the license PID is a tier-based license PID.


Caution


If a tier-based throughput value was configured before downgrade and you downgrade without changing to a numeric value, tier configuration is not recognized by a pre-17.7.1 image and configuration fails. Further, throughput may not be restored to the pre-downgrade level and you have to configure a numeric throughput level after downgrade.


Throughput Configuration Before Downgrade

Action Before Downgrade

Action After Downgrade to a pre-17.7.1 Version

Numeric

No action required.

No action required.

Tier

Configuring a Numeric Throughput

No action required.

Available Licensing Models

The licensing model defines how you account for or report the licenses that you use, to Cisco. The following licensing models are available on the Cisco Catalyst 8000 Edge Platforms Family:

Smart Licensing Using Policy

With this licensing model, you purchase the licenses you want to use, configure them on the device, and then report license usage – as required. You do not have to complete any licensing-specific operations, such as registering or generating keys before you start using the software and the licenses that are tied to it - unless you are using export-controlled and enforced licenses.

This licensing model is supported on all products in the Cisco Catalyst 8000 Edge Platforms Family.

For more information, see Smart Licensing Using Policy for Cisco Enterprise Routing Platforms.

Pay As You Go (PAYG) Licensing


Note


This licensing model is available only on Catalyst 8000V Edge Software.


Cisco Catalyst 8000V supports the PAYG licensing model with Amazon Web Services (AWS) and Microsoft Azure Marketplace - in both the autonomous mode and the controller mode. The Cisco Catalyst 8000V hourly-billed Amazon Machine Image (AMI) or the Pay As You Go licensing model allows you to consume an instance for a defined period of time.

  • In the autonomous mode, you can directly launch an instance from the AWS or Azure Marketplace and start using it. The licenses are embedded in the image and the selected license package and configured throughput level are effective when you launch the instance

  • In the controller mode, which is supported from Cisco IOS-XE Bengaluru 17.5.1, you must first onboard the device into Cisco SD-WAN as per Onboard Cisco Catalyst 8000V Edge Software Hosted by a Cloud Service, Using PAYG Licensing. After this, when you launch the instance from AWS, the device comes-up with the license already installed for unlimited throughput.

Managed Service Licensing Agreement

A Managed Service License Agreement (MSLA) is a buying program agreement, designed for Service Providers.

1 If a SLAC has been factory-installed by Cisco (in case of new hardware), skip this step
2 Enter the license feature hseck9 command in global configuration mode for Catalyst 8200, and 8300 Series Edge Platforms only.