Cisco DNA Software SD-WAN and Routing Matrix

Cisco DNA Software for SD-WAN Feature Matrix

| | Cisco DNA Essentials | Cisco DNA Advantage |
| --- | --- | --- |
| License type | 3-, 5-, or 7-year term subscription | Includes Cisco DNA Essentials; 3-, 5-, or 7-year term subscription |
| Management options | CLI, Web UI, Cisco Catalyst SD-WAN Manager1 | CLI, Web UI, Cisco Catalyst SD-WAN Manager1 |

Cisco DNA Essentials
License type 3- or 5-year term subscription
Management options CLI, Web UI Cisco Catalyst SD-WAN Manager1
Cisco DNA Advantage
License type Includes Cisco DNA Essentials 3-, 5-, or 7-year term subscription
Management options CLI, Web UI Cisco Catalyst SD-WAN Manager1

Cisco DNA for SD-WAN subscription features

Cisco DNA for SD-WAN perpetual features

Network Essentials: Perpetual software with base routing and security capabilities, bundled with Cisco DNA Essentials subscription license.

Network Advantage: Perpetual software with full routing, security, voice, and AppX capabilities, bundled with Cisco DNA Advantage and Cisco DNA Premier subscription licenses.

Cisco Catalyst SD-WAN functionality is a pure subscription-based product offering. Upon expiration of your Cisco DNA Subscription for SD-WAN, you are no longer licensed to access the Cisco Catalyst SD-WAN feature set.

Repurposing eligible hardware platforms from Cisco Catalyst SD-WAN to traditional routing deployments is possible. Network Essentials and Network Advantage perpetual licenses are included on eligible hardware platforms with every Cisco DNA for SD-WAN subscription. The Cisco vEdge router family is not compatible with Network Essentials and Network Advantage, and therefore is not eligible for Network Essentials and Network Advantage licenses.

For a full listing of the traditional routing capabilities of the Network Essentials and Network Advantage perpetual licenses, please see the Cisco DNA for Routing perpetual license feature matrix below.

1 The Cisco Catalyst Cloud SD-WAN subscription provides the right to use the SD-WAN solution only with the cloud controller. The Cisco Catalyst on-premise SD-WAN subscription provides the right to use the SD-WAN solution only with the on-premise controller.

2 With Cisco DNA software licenses, customers receive embedded SWSS, which covers 24x7x365 Cisco Technical Assistance Center (TAC) support and software release updates. This is valid only for the Cisco DNA software subscription stacks (Cisco DNA Essentials and Advantage). Embedded SWSS DOES NOT cover the Network Stack.

For full hardware support, including the network stack (Network Essentials/Advantage), customers are required to additionally purchase either Smart Net Total Care on the hardware itself, or Cisco’s premium support services: Solution Support and/or Success Tracks. These premium services must be purchased on both your Cisco DNA software license and the hardware.

3 Cisco Catalyst SD-WAN Analytics, Cisco Catalyst SD-WAN hosted in the Cisco cloud environment, cloud-delivered Cisco Catalyst SD-WAN, and other cloud features cannot be used by customers headquartered or mainly based in mainland China.

4 Requires purchase of additional licenses.

Cisco DNA Software for Routing Feature Matrix

| | Catalyst Routing Essentials | Cisco DNA Essentials | Cisco DNA Advantage |
| --- | --- | --- | --- |
| Subscription license | 7-year term only | 3-, 5-, or 7-year | 3-, 5-, or 7-year |
| Network stack | Term based | Perpetual | Perpetual |
| Management options | CLI, Web UI, Cisco Catalyst SD-WAN Manager, Cisco Catalyst Center | CLI, Web UI, Cisco Catalyst SD-WAN Manager, Cisco Catalyst Center | CLI, Web UI, Cisco Catalyst SD-WAN Manager, Cisco Catalyst Center |
| Cisco Catalyst SD-WAN Manager5 (SD-Routing) | On-Prem | On-Prem/Cloud | On-Prem/Cloud |
| Cisco Catalyst Center | On-Prem | On-Prem | On-Prem |

Platform based routing features
(Most features included with the perpetual network stack)

1 No SSL VPN support except on Catalyst 8000V Edge Software.

2 Requires purchase of additional licenses.

3 In a BNG or iWAG deployment, these features require a separate and distinct Broadband Feature License apart from the Cisco DNA subscription license.

4 Supported only with SD-Routing.

5 The Cisco Catalyst Cloud SD-WAN Manager subscription provides the right to use the solution only with the cloud controller. The Cisco Catalyst on-premise SD-WAN Manager subscription provides the right to use the solution only with the on-premise controller.

Cisco Catalyst SD-WAN Manager (SD-Routing) features
(All features require an active Catalyst Routing or Cisco DNA subscription)

1 With Cisco DNA software licenses, customers receive embedded SWSS, which covers 24x7x365 Cisco Technical Assistance Center (TAC) support and software release updates. This is valid only for the Cisco DNA software subscription stacks (Cisco DNA Essentials and Advantage). Embedded SWSS DOES NOT cover the Network Stack.

For full hardware support, including the network stack (Network Essentials/Advantage), customers are required to additionally purchase either Smart Net Total Care on the hardware itself, or Cisco’s premium support services: Solution Support and/or Success Tracks. These premium services must be purchased on both your Cisco DNA software license and the hardware.

Cisco Catalyst Center features
(All features require an active Catalyst Routing or Cisco DNA subscription)

1 With Cisco DNA software licenses, customers receive embedded SWSS, which covers 24x7x365 Cisco Technical Assistance Center (TAC) support and software release updates. This is valid only for the Cisco DNA software subscription stacks (Cisco DNA Essentials and Advantage). Embedded SWSS DOES NOT cover the Network Stack.

For full hardware support, including the network stack (Network Essentials/Advantage), customers are required to additionally purchase either Smart Net Total Care on the hardware itself, or Cisco’s premium support services: Solution Support and/or Success Tracks. These premium services must be purchased on both your Cisco DNA software license and the hardware.

Cloud or on-premises management, flexible topology including hub/spoke, full mesh and partial mesh, app- and SLA-based routing policy, VNF lifecycle management, DSL, 4G LTE, and multilink router interfaces, NTP client, zero-touch provisioning and onboarding, global and site topology.

Static and dynamic routing (BGP, OSPF), routing protocol redistribution (EIGRP, OSPF, BGP), EIGRP (service side), route maps, BFD PMTU, CoS marking (802.1P), static and service side NAT, NAT pool support for DIA, NAT using loopback interface address, HQoS, per-tunnel QoS, Ethernet subinterface QoS, WAN loopback support, OMP redistribution, service VPN redistribution, mapping BGP communities to OMP tags, match and set communities during BGP to OMP redistribution (localized and centralized policy), secondary IP address support on SVI (interface VLAN), TLOC extension, DHCP options support, BFD for BGP/OSPF/EIGRP - CLI template, NTP server support, DIA Tracker: Interface tracker for DIA, ability to track static route on service VPN, per-class/DSCP BFD for AAR, ACL matching ICMP, enhanced policy-based routing (CLI template), jumbo frames (1GE interface), custom app support (for application aware routing), SD-AVC, flexible Netflow, EVPN, MACSec Support, automated service chaining and insertion.

Dual stack support (for transport), inbound and outbound filtering, support for NAT64 devices (DIA), dual-stack service-side interface support (Gigabit, subinterface, SVI, loopback), unicast addressing (link-local, unique-local, and global), anycast addressing, QoS, QoS policer, QoS DSCP rewrite (inbound and outbound), IP name server, ICMP redirects, VRRP, DHCP relay agent, SSH, traceroute, SNMP logging server, automated service chaining and insertion.

Cloud OnRamp for Multicloud (GCP, AWS, Azure) – Site to Cloud connectivity, Cloud OnRamp for SaaS, monitoring capabilities for Multicloud and SaaS via Cisco Catalyst SD-WAN Manager, SD-WAN Application Intelligence Engine (SAIE), automated service chaining and insertion.

3rd party cloud security providers, Cisco Catalyst SD-WAN auto-register and IPsec auto-tunnel to Cisco Umbrella®, Cisco Umbrella DNS monitoring (visibility only), Cisco Umbrella app discovery.

Cisco AMP, geo location-based filtering, interface zone support, high speed logging, URL filtering, TLS/SSL proxy support with Cisco Catalyst SD-WAN, FQDN support, enterprise certificate support, ACL, pairwise key support for IPsec, SSH login with key, syslog over TLS, enterprise firewall with Talos® powered IPS and application controls, RADIUS, Micro and Micro Segmentation (ICE/SGT), Cisco Secure Malware Analytics support4.

DNS (including local bypass), basic path optimization with FEC and packet duplication, AppQoE: TCP optimization, ZBFW – multiple prefix list, rule-set support, microtenancy: RBAC by VPN, policy based routing to SIG, weighted load-balancing for multiple SIG tunnels.

CUBE (IP to IP).

Software support services that also offer license portability and ongoing innovation in the subscription software stack, including 24-hour TAC support.

Success Tracks and/or Solution Support.

Per-VPN QoS, adaptive QOS support, dynamic on-demand tunnel support, Hierarchical Cisco Catalyst SD-WAN, automated service chaining and insertion - service creation/discovery.

IGMPv3, PIM SSM, auto RP, app-aware routing policy support for multicast.

Cisco Catalyst SD-WAN Manager (design, deploy, monitor) for virtualized platforms, AppQoE – multiple service nodes, DRE and LZ (including SSL proxy).

Cloud OnRamp for SaaS with Cisco Catalyst SD-WAN Analytics3 and telemetry, Cloud OnRamp for Multicloud – Site to Site and Cloud to Cloud connectivity via mid-mile with Cloud Interconnect/Cloud Backbone, M365 Informed Network Routing, Webex telemetry, automated service chaining and insertion - service creation/discovery, Cloud OnRamp for Colocation, Cisco Catalyst SD-WAN Analytics3, Predictive Path Recommendations (powered by ThousandEyes WAN Insights).

Cisco AMP and SSL proxy, URL filtering, TLS/SSL proxy support with SD-WAN, FQDN support, Cisco Umbrella auto-registration, Cisco Umbrella app discovery, enterprise certificate support.

Integrated border for campus (SD-Access), integration with Cisco ACI® for application SLA.

Non-secure TDM/PSTN SIP trunk with digital cards (T1/E1) and analog cards (FXO/FXS), non-secure DSP farm services (media termination point, transcoder and conference bridge), SIP SRST4.

Cisco AnyConnect® protects your employees even when they are off the VPN. Enjoy seamless protection against malware, phishing, and command-and-control callbacks wherever your users go.

Receive detailed reporting with full URL addresses, user and network identity and ability to allow or block actions, plus the external IP address. Also permits content filtering by category or specific URLs to block destinations.

Provides app discovery, details, and risk information, plus the ability to block the use of offensive or inappropriate cloud applications in the work environment. Apply granular controls to block specific user activities (e.g., file uploads to Box and Dropbox, attachments to Gmail, posts or shares on Facebook, Twitter, etc.).

Prevent the download of specific file types via policy. Block risky files (executables that may cause instability or risk data leaks) or block media and video files (bandwidth hogs, possible copyright issues).

Advanced antivirus and antimalware protection powered by Cisco Talos threat intelligence. Cisco’s AMP engine searches billions of events per day and blocks over 20 billion threats each day.

Advanced file sandboxing using static and dynamic threat intelligence to detect and report on malicious files that make it through Cisco’s AMP inspection.

Provides visibility and control for Internet traffic across all ports and protocols, IPsec tunnel support for secure traffic routing to cloud infrastructure, automated reporting logs, and customizable IP, port, and protocol policies displayed in a secure dashboard.

Cisco AnyConnect® protects your employees even when they are off the VPN. Enjoy seamless protection against malware, phishing, and command-and-control callbacks wherever your users go.

RIP, OSPF, BGP, EIGRP, IGRP, IS-IS, On-Demand Routing (ODR), Point-to-Point Protocol (PPP), Multi-Link PPP (MLP), TR-069, TR069-CWMP, TCP (ECN, Window scaling, MSS), Stream Control Transmission Protocol (SCTP).

LACP, PAgP, EtherChannel, LLDP, 802.1Q.

HSRP, FHRP, GLBP (global load balancing).

IPSLA initiator/responder, echo, jitter, path (ICMP, UDP, and multicast), TCP connect, HTTP, FTP, DHCP, MQC including classification, policing, re-marking, scheduling; HQoS, NBAR2 (standard protocol packs).

DNS, Dynamic DNS, NTPv4, Cisco Discovery Protocol, Control Plane Policing (CoPP).

NetFlow, Flexible NetFlow (FNF), IPFIX, performance monitoring, Flexible Packet Matching (FPM), Policy-Based Routing (PBR), ACL, ARP, DHCP, BDI, NAT, PAT – IPv4/v6, Reverse Path Forwarding (URPF), 802.1P.

Switch Port Analyzer (SPAN).

NETCONF/YANG support, Zero Touch Support (PnP/ZTP), EEM Support, RESTCONF, TACACS+, AAA, GNMI, gRPC.

Public Key Infrastructure (PKI), Challenge Handshake (CHAP) and Password Authentication (PAP), Certificate Authority (CA).

Zone-based firewall, ACL.

IPsec (point to point).

MACsec Key Agreement Protocol, LAN MACsec (128-bit), WAN MACSec (125-/256-bit).

Trustworthy system.

Bi-Di PIM, IGMP, Protocol Independent Multicast (PIM), mVPN, CGMP, AutoRP, Bootstrap Router (BSR), mroute, MLD (v1, v2), extending SSM support (PIM-SSM, IGMPv3 with SSM), SSM-Mapping, Multicast Source Discovery Protocol (MSDP).

PPP over Ethernet (PPPoE), PPPoA (PPP over ATM) for DSL support, L2TPv2.

GRE tunnel, IPv6 over v4 and IPv4 over v6 tunnels, per-tunnel QoS.

Easy Virtual Network (EVN), VRF-Lite, Multi-VRF, VRF support, Cisco TrustSec® (SGT, SGACL, SGX).

802.1X feature support, RADIUS integration, TACACS/TACACS+ support, SHA-1, SHA-2, MD5.

Connectivity Fault Management (CFM-802.1ag), Operations and Admin Management (OAM - 802.3ah), E-OAM (op, admin, maint), E-CFM (connectivity fault management).

Zero touch provisioning through Cisco Plug and Play, guided workflow for quick connect, inventory, discovery, topology, software image management, site management, network settings, credential update, integrity verification, predefined reports.

Dashboards, overall health, network health, site health, topology, pre-canned reports, troubleshooting tools such as ping, traceroute, speed test, packet capture and Network-wide Path Insights (NWPI).

Application visibility (name, throughput).

Guided workflows for configuration management and CLI templates.

Software support services that also offer license portability and ongoing innovation in the subscription software stack, including 24-hour TAC support.

Success Tracks and/or Solution Support.

Guided workflow for NGFW (on-box security), configuration support for DMVPN, GET VPN, FlexVPN.

BranchConnect for AWS, BranchConnect for Azure.

Management for advanced NGFW and Cloud security.

Inventory, discovery, topology, software image management, site management, network settings, credential update, integrity verification, template programmer, predefined reports, Plug and Play application.

Dashboards, overall health, network health, client health, topology, pre-canned reports, custom thresholds.

Basic router monitoring, basic WAAS monitoring, basic ENFV monitoring (ENCS, UCSE, vRouter, vWAAS).

Application visibility (name, throughput).

Software support services that also offer license portability and ongoing innovation in the subscription software stack, including 24-hour TAC support.

Success Tracks and/or Solution Support.

Router deployment: day-0 and day-2 changes, NFV provisioning on ENCS and Cisco UCS® E-Series, Cisco VNF – ISRv, vASA.

Advanced Cisco DNA Automation – device management.

IWAN application, security at the edge, VNF management (third party and applications).

360 pages, health score, time travel, targeted insights, neighbor topology, path trace, KPIs, baselining, trends, custom reports (AppX, SD-Access, Wi-Fi KPIs, etc.), compliance, global insights integrations (Cisco® Unified Communications Manager, Skype for Business, ETA/SW, Tableau, etc.), router 360, ENFV 360, router underlay insights, ENFV insights.

App health (router, switch, NAM based), app 360, app performance in client/device 360s (jitter, loss, latency).

IPS/IDS, Cisco AMP4, URL Filtering4.

DMVPN, GET VPN, FlexVPN.

CUBE (IP to IP).

Carrier grade NAT2, Bidirectional Forwarding (BFD).

Unidirectional Link Routing (UDLR), guest shell support, application hosting (app hosting on containers).

Stateful interchassis redundancy.

Encapsulated Remote SPAN (ERSPAN).

Application Layer Gateway (ALG), NBAR2 (standard and custom protocol packs), Application Visibility and Control (SD-AVC).

ISDN BRI, X.25 and XOT support, basic CLNS functionality.

Radio-Aware Routing (RAR, PPPoE based-RFC 5578), mobile IP, Proxy Mobile IP (PMIP), network positioning system.

Multicast Segment Routing, Pragmatic General Multicast (PGM), Router Group Management Protocol (RGMP), multicast service reflection, multicast VPN.

Ethernet local management Interface (ELMI), Ethernet Virtual Circuit (EVC), Ethernet flow point.

MPLS Layer 2 and Layer 3 VPN, Layer 2 VPN Pseudowire (PW), Ethernet over MPLS (EoMPLS), Any Transport over MPLS (AToM), MPLS Traffic Engineering (TE), Label Distribution Protocol (LDP), Virtual Private LAN Services (VPLS, H-VPLS), EVPN, Segment Routing.

ISATAP tunnels, 6RD tunnels, Layer 2 Tunnel Protocol v3 (L2TPv3)3, LAC3, LNS3, Layer 2 Protocol Tunneling (L2PT), Virtual Private Data Networks (VPDN)3, Layer 2 forwarding, Ethernet over GRE (EoGRE)3.

VoIP (UDP jitter, RTP, H323, MOS), video ops, TWAMP, monitor, schedule, disc (for LSP), Y.1731, MPLS OAM.

Web Cache Routing Protocol (WCCP), object tracking.

Overlay Transport Virtualization (OTV), VRF-Aware Software Infrastructure (VASI), VXLAN.

Analog cards (FXO/FXS/BRI/E&M) and digital cards (E1/T1), call control (SIP, SIP line “WxC and CUCM”, STCAPP, MGCP), DSP farm services (media termination point, transcoder and conference), SRST2, CME2.

RIP, OSPF, BGP, EIGRP, IS-IS, IGRP (routing protocols), On-Demand Routing (ODR), NSF awareness, Point-to-Point Protocol (PPP), Multi-Link PPP (MLP), EVPN, Segment Routing.

NetFlow, Flexible NetFlow (FnF), IPFIX, performance monitoring, Flexible Packet Matching (FPM), Bidirectional Forwarding (BFD), LLDP, ACL, ARP, DHCP, BDI, Cisco Discovery Protocol, Control Plane Policing (CoPP), NAT, DNS, Dynamic DNS, NTPv4, TR-069, TR069-CWMP, TCP-ECN, Window, MSS, etc., Stream Control Transmission Protocol (SCTP), 802.1P, 802.1Q, LACP, PAgP, EtherChannel, box-to-box HA, FHRP, GLBP (global load balancing), NAT, PAT – IPv4/v6, Reverse Path Forwarding (URPF), Switch Port Analyzer (SPAN), Encapsulated Remote SPAN (ERSPAN), Connectivity Fault Management (CFM-802.1ag), carrier grade NAT4.

NETCONF/YANG support, Zero Touch Support (PnP/ZTP), EEM Support, RESTCONF, TACACS+, AAA, GNMI, gRPC.

Zone-based firewall, IPS/Snort, Public Key Infrastructure (PKI), ACL, trustworthy system, Challenge Handshake (CHAP) and Password Authentication (PAP), Certificate Authority (CA).

MACsec Key Agreement Protocol, LAN MACsec (128-bit), WAN MACSec (125-/256-bit).

IPsec (point to point), DMVPN, GET VPN, FlexVPN.

MQC including classification, policing, re-marking, scheduling; HQoS, Application Visibility and Control (AVC/SD-AVC), NBAR2 (standard protocol packs), IPSLA (Initiator), Deep Packet Inspection, Policy-Based Routing (PBR).

TACACS+, NETCONF, AAA, RESTCONF, gRPC, YANG.

Bi-Di PIM, IGMP, Protocol Independent Multicast (PIM), mVPN, Multicast Segment Routing, CGMP, AutoRP, Bootstrap Router (BSR), mroute, MLD (v1, v2), extending SSM support (PIM-SSM, IGMPv3 with SSM), SSM-Mapping, Multicast Source Discovery Protocol (MSDP).

PPP over Ethernet (PPPoE), PPPoA (PPP over ATM) for DSL support, L2TPv2.

Easy Virtual Network (EVN), VRF-Lite, Multi-VRF.

GRE tunnel, IPv6 over v4 and IPv4 over v6 tunnels, per-tunnel QoS.

VRF support, Cisco TrustSec® (SGT, SGACL, SGX).

IPSLA responder, echo, jitter, path (ICMP, UDP, and multicast), TCP connect, HTTP, FTP, DHCP.

802.1X feature support, RADIUS integration, TACACS/TACACS+ support, SHA-1, SHA-2, MD5.

CUBE (IP to IP).

Success Tracks and/or Solution Support.

Operations and Admin Management (OAM - 802.3ah), Unidirectional Link Routing (UDLR), guest shell support, application hosting (app hosting on containers).

Cisco Umbrella® connector support, URL filtering support.

Performance Routing (PfR/OER), Application Layer Gateway (ALG), NBAR2 (standard and custom protocol packs).

ISDN BRI, X.25 and XOT support, basic CLNS functionality.

Radio-Aware Routing (RAR, PPPoE based-RFC 5578), mobile IP, Proxy Mobile IP (PMIP), network positioning system.

Pragmatic General Multicast (PGM), Router Group Management Protocol (RGMP), multicast service reflection, multicast VPN.

E-OAM (op, admin, maint), E-CFM (connectivity fault management), Ethernet local management Interface (ELMI), Ethernet Virtual Circuit (EVC), Ethernet flow point.

MPLS Layer 2 and Layer 3 VPN, Layer 2 VPN Pseudowire (PW), Ethernet over MPLS (EoMPLS), Any Transport over MPLS (AToM), MPLS Traffic Engineering (TE), Label Distribution Protocol (LDP), Virtual Private LAN Services (VPLS, H-VPLS), EVPN, Segment Routing.

ISATAP tunnels, 6RD tunnels, Layer 2 Tunnel Protocol v3 (L2TPv3)4, LAC4, LNS4, Layer 2 Protocol Tunneling (L2PT), Virtual Private Data Networks (VPDN)4, Layer 2 forwarding, Ethernet over GRE (EoGRE)4.

VoIP (UDP jitter, RTP, H323, MOS), video ops, TWAMP, monitor, schedule, disc (for LSP), Y.1731, MPLS OAM.

Web Cache Routing Protocol (WCCP), object tracking.

Overlay Transport Virtualization (OTV), VRF-Aware Software Infrastructure (VASI), VXLAN.

Analog cards (FXO/FXS/BRI/E&M) and digital cards (E1/T1), call control (SIP, SIP line "WxC and CUCM", STCAPP, MGCP), DSP farm services (media termination point, transcoder and conference), SRST3, CME3.

Communications Manager Express (CME), Cisco Unified Communications Manager, Survivable Remote Site Telephony (SRST), Interactive Voice Response (IVR).

Encrypted Traffic Analytics (ETA), Cisco SD Bonjour (mDNS), Embedded Packet Capture (EPC), Cisco In-Service Software Upgrade (ISSU), Software Maintenance Upgrade (SMU), Locator ID Separator ID (LISP).