Information About Available Licenses
This section provides information about the licenses that are available on Cisco Catalyst 9500 Series Switches running Cisco IOS-XE software. The information applies to all models in the series, unless indicated otherwise.
Base and Add-On Licenses
The software features available on the switch fall under base or add-on license levels.
A base license is a perpetually valid, or permanent license. There is no expiration date for such a license.
An add-on license provides Cisco innovations on the switch, and on the Cisco Digital Network Architecture Center (Cisco DNA Center). An add-on license is valid only until a certain date. You can purchase an add-on license for a three-, five-, or seven-year subscription period.
The following base and add-on licenses are available:
Base Licenses
- Network Essentials
- Network Advantage: Includes features available with the Network Essentials license and more.
Add-On Licenses
- DNA Essentials
- DNA Advantage: Includes features available with the DNA Essentials license and more.
Guidelines for Using Base and Add-On Licenses
- A base license (Network Essentials and Network Advantage) is ordered and fulfilled only with a perpetual or permanent license type.
- An add-on license (DNA Essentials and DNA Advantage) is ordered and fulfilled only with a subscription or term license type.
- An add-on license level is included when you choose a network license level. If you use DNA features, renew the license before the term expires to continue using it. If you don't want to continue using DNA features, deactivate the add-on license and then reload the switch to continue operating with the base license capabilities.

  When ordering an add-on license with a base license, note the combinations that are permitted and those that are not permitted:

  Table 1. Permitted Combinations

  |                    | DNA Essentials | DNA Advantage |
  |--------------------|----------------|---------------|
  | Network Essentials | Yes            | No            |
  | Network Advantage  | Yes (1)        | Yes           |

  (1) You will be able to purchase this combination only at the time of DNA license renewal and not when you purchase DNA Essentials the first time.
- To know which license level a feature is available with, use Cisco Feature Navigator. To access Cisco Feature Navigator, go to https://cfnng.cisco.com. An account on cisco.com is not required.
Export Control Key for High Security
Products and features that provide cryptographic functionality are within the purview of U.S. export control laws. The Export Control Key for High Security (HSECK9 key) is an export-controlled license, which authorizes the use of cryptographic functionality.
This subsection provides information about the Cisco Catalyst 9500 Series Switches that support the HSECK9 key, the cryptographic features that require the HSECK9 key, what to consider when ordering it, prerequisites, and how to configure it on supported platforms.
Supported Platforms and Releases
The HSECK9 key is available only on Cisco Catalyst 9500X Series Switches, starting with Cisco IOS XE Cupertino 17.8.1.
For information about the available SKUs in the series, see the Cisco Catalyst 9500 Series Switches Hardware Installation Guide.
When an HSECK9 Key Is Required
An HSECK9 key is required only if you want to use certain cryptographic features that are restricted by U.S. export control laws. You cannot enable restricted cryptographic features without it.
The WAN MACsec feature requires an HSECK9 key. More specifically, the HSECK9 key is required on customer edge devices in a point-to-point (P2P) and point-to-multipoint (P2MP) network where the WAN MACsec feature is configured.
Prerequisites for Using an HSECK9 Key
Ensure you meet the following requirements:
- The device is one that supports the HSECK9 key. See Supported Platforms and Releases.
- You have configured the DNA Advantage license on the device. You cannot use an HSECK9 key without DNA Advantage configured.
- You have the required number of HSECK9 keys in the applicable Smart Account and Virtual Account in Cisco Smart Software Manager (CSSM).

  Each UDI where you want to use a cryptographic feature requires one HSECK9 key.

  Note: The HSECK9 key is supported only in a standalone setup.
- You have implemented one of the supported Smart Licensing Using Policy topologies. This enables you to install a Smart Licensing Authorization Code (SLAC) for each HSECK9 key you want to use.

  An HSECK9 key requires authorization before use, because it is restricted by U.S. trade-control laws (export-controlled). A SLAC provides this authorization and allows activation and continued use of an export-controlled license. A SLAC is generated in and obtained from CSSM. A device can be connected to CSSM in multiple ways to obtain a SLAC. Each way of connecting to CSSM is called a topology. The configuration section shows you how to obtain a SLAC with each topology (Installing SLAC for an HSECK9 Key).

  Note: To obtain and install SLAC on supported platforms that are within the scope of this document (Supported Platforms and Releases), refer to the configuration section in this document. There are differences in the configuration process when compared to other Cisco products.
- Configure the cryptographic feature only after you have installed SLAC. Otherwise, you have to reconfigure the cryptographic feature after installing SLAC.
Ordering Considerations
This section covers important ordering considerations for an HSECK9 key.
A separate HSECK9 key is required for each UDI where you want to use a cryptographic feature.
If you plan to use cryptographic functionality on new hardware that you are ordering (supported platforms), provide your Smart Account and Virtual Account information with the order. This enables Cisco to factory-install SLAC.
For information about ordering the key, see the Cisco Catalyst 9500 Ordering Guide.
High Availability Considerations
This section covers the High Availability considerations that apply when using the HSECK9 key.
Note: High Availability is not supported on the Cisco Catalyst 9500X Series Switches.