Licensing in Cisco Catalyst SD-WAN

Cisco DNA Software subscriptions for Cisco Catalyst SD-WAN gives the flexibility to consume the latest technology, either on the Cloud or On-Premises across the entire routing stack. Cisco DNA Software subscriptions provide customers with four key benefits:

  • Investment protection of software purchases through software-services-enabled license portability

  • Software suites that address typical customer use-case scenarios at an attractive price

  • Flexible licensing models to smoothly distribute your software spending over time

  • Access to new technology from Cisco

Cisco DNA licenses offer both portability and flexibility to move from cloud management (Cisco SD-WAN Manager) to on-premises management (Cisco DNA Center) and across hardware platforms.

Cisco DNA licenses
Overview of Cisco DNA licenses

For information about Cisco DNA Software subscriptions, including a comparison of subscription types, see Cisco DNA Software for SD-WAN and Routing.

Restrictions for Cisco Catalyst SD-WAN Licensing

  • Smart Licensing, a standardized licensing platform that simplifies the Cisco software experience, is supported across ISR Series, ASR series, CSR1000V, and ISRv routers. However, Cisco Catalyst SD-WAN does not support Smart Licensing, which is distinct from Smart License Using Policy. Although you can use the Cisco Catalyst SD-WAN functionalities through the CSR1000V 17.2.1r image - controller mode, Cisco Catalyst SD-WAN does not support Smart Licensing.

  • Beginning with Cisco IOS XE Catalyst SD-WAN Release 17.5.1a and Cisco vManage Release 20.5.1, Cisco Catalyst SD-WAN supports Smart License Using Policy. For more information about Smart Licensing Using Policy, see Manage Licenses for Smart Licensing Using Policy.

  • You cannot view license consumption information on Cisco IOS XE Catalyst SD-WAN devices and Cisco vEdge devices.

Configure Cisco Catalyst SD-WAN Licensing

For devices operating with Cisco Catalyst SD-WAN, note the following:

  • Cisco CSR1000V, Cisco Catalyst 8000V, and Cisco Integrated Services Virtual Router (ISRv) devices operating with a throughput of up to 250 Mbps do not require any manual configuration for licensing.

  • Cisco CSR1000V, Cisco Catalyst 8000V, and Cisco Integrated Services Virtual Router (ISRv) devices operating with a throughput of more than 250 Mbps require Cisco Smart Licensing, as described in this section.

     Note

    The Pay-As-You-Grow (PAYG) license has throughput of upto 20 Mbps only.

To configure Smart Licensing, do the following:

  1. Configure Smart Call Home.

  2. Generate the token or authorization ID on Cisco Smart Software Manager (Cisco SSM) satellite.

  3. Register the ISR, CSR1000v, or ISRv device to Cisco SSM.

You can purchase Cisco Catalyst SD-WAN licenses by placing a sales order. For more information, contact your Cisco sales team.

Configure Licensing for Integrated Services Router Series

For Cisco Integrated Services Routers, if you want more than 250 Mbps of IPSec throughput, you must have a HSECK9 license. This requirement is due to the US export control regulations. If you ordered the HSECK9 license when you ordered the router, the HSECK9 license is installed by default. If the HSECK9 license was not installed by default, you must get a HSECK9 PAK license file and install the license file on each router.

Configure Licensing for Cisco CSR1000V, Cisco Catalyst 8000V, and Cisco ISRv Routers

For virtual routers such as the Cisco CSR1000V, Cisco Catalyst 8000V, and Cisco Integrated Services Virtual Router (ISRv), if you want more than 250 Mbps throughput, perform one of the following configurations to configure the call-home profile and then perform the other steps to configure a Smart License.

Default Configuration

For platforms other than the Cisco Catalyst 8000V, the following call-home configuration is a part of the default configuration. This minimal configuration is applicable for direct cloud access either using the Smart Call Home Transport Gateway or using the HTTPS proxy, where the device reaches out to the cloud-hosted Cisco SSM service. You can verify whether this configuration is applied by executing the show running-config all command.
call-home
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

For Cisco Catalyst 8000V platforms, the following call-home configuration is part of the default configuration:

smart license url default
license smart transport smart

Configure a Device With Multiple Interfaces

To configure two or more interfaces that can reach the Cisco SSM portal, execute the ip http client source interface CLI so that the device uses that specific interface to reach out to the Cisco SSM portal.
ip http client source-interface <interface-name>                     <===
call-home
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

Verifying Call Home Configuration

To verify the call-home configuration, use the show call-home detail command:

router# show call-home detail
Profile Name: CiscoTAC-1
    Profile status: ACTIVE
    Profile mode: Full Reporting
    Reporting Data: Smart Call Home, Smart Licensing
    Preferred Message Format: xml
    Message Size Limit: 3145728 Bytes
    Transport Method: http
    HTTP  address: https://tools.cisco.com/its/service/oddce/services/DDCEService
    Other address(es): default
 
    Periodic configuration info message is scheduled every 17 day of the month at 14:07
 
    Periodic inventory info message is scheduled every 17 day of the month at 13:52
 
    Alert-group               Severity
    ------------------------  ------------
    crash                     debugging  
    inventory                 normal     
 
    Syslog-Pattern            Severity
    ------------------------  ------------
    .*                        major

Verify Throughput and License Status Before Registration

router# show platform hardware throughput level
The current throughput level is 250000 kb/s
 
router#show license status
Smart Licensing is ENABLED
Utility:
 Status: DISABLED
 
Data Privacy:
 Sending Hostname: yes
 Callhome hostname privacy: DISABLED
 Smart Licensing hostname privacy: DISABLED
 Version privacy: DISABLED
 
Transport:
 Type: Callhome
 
Registration:
 Status: UNREGISTERED
 Export-Controlled Functionality: NOT ALLOWED
 
License Authorization:
 Status: No Licenses in Use
 
Export Authorization Key:
 Features Authorized:
<none>

Note the throughput level of 250000 kb/s when the license is in the Unregistered state.

Verify Throughput Level and License Status After Registration

router# show platform hardware throughput level
The current throughput level is 200000000 kb/s
 
router#show license status
Smart Licensing is ENABLED
  
Utility:
  Status: DISABLED
  
Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED
  
Transport:
  Type: Callhome
  
Registration:
  Status: REGISTERED
  Smart Account: InternalTestDemoAccount8.cisco.com
  Virtual Account: RTP-CSR-DT-Prod
  Export-Controlled Functionality: ALLOWED
  Initial Registration: SUCCEEDED on May 19 04:49:46 2020 UTC
  Last Renewal Attempt: None
  Next Renewal Attempt: Nov 15 04:49:45 2020 UTC
  Registration Expires: May 19 04:44:44 2021 UTC
  
License Authorization:
  Status: AUTHORIZED on May 19 04:49:49 2020 UTC
  Last Communication Attempt: SUCCEEDED on May 19 04:49:49 2020 UTC
  Next Communication Attempt: Jun 18 04:49:49 2020 UTC
  Communication Deadline: Aug 17 04:44:48 2020 UTC
  
Export Authorization Key:
  Features Authorized:
    <none>

Note that the Throughput level is 200000000 kb/s after the license enters the Registered state.

Configuration Output When License Registration Fails

router# show license status
Smart Licensing is ENABLED
 
Utility:
  Status: DISABLED
 
Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED
 
Transport:
  Type: Callhome
 
Registration:
  Status: REGISTERING - REGISTRATION IN PROGRESS
  Export-Controlled Functionality: NOT ALLOWED
  Initial Registration: FAILED on May 19 04:40:14 2020 UTC
    Failure reason: Fail to send out Call Home HTTP message.
  Next Registration Attempt: May 19 04:46:34 2020 UTC
 
License Authorization:
  Status: No Licenses in Use
           
Export Authorization Key:
  Features Authorized:
    <none>
 
Miscellaneus:
  Custom Id: <empty>
 Note

If the configuration fails, to begin with, check the reachability of the Cisco SSM portal from the device, whether you are out of licenses, and whether your token and account is valid.

Verify Call Home Configuration for On-Prem

router# show running config all
call-home
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
  destination address http https://<on-prem-cssm-server>/path/to/http/service

For an On-Prem or a Satellite CSSM where a manual or periodic sync updates the license information to the cloud, the destination address http CLI must point to the corresponding Satellite CSSM service.