Information About Available Licenses
This section provides information about the licenses that are available on Cisco Catalyst 9600 Series Switches running Cisco IOS-XE software. The information applies to all models in the series, unless indicated otherwise.
Base and Add-On Licenses
The software features available on the switch fall under base or add-on license levels.
A base license is a perpetually valid, or permanent license. There is no expiration date for such a license.
An add-on license provides Cisco innovations on the switch, and on the Cisco Digital Network Architecture Center (Cisco DNA Center). An add-on license is valid only until a certain date. You can purchase an add-on license for a three, five, or seven year subscription period.
The following base and add-on licenses are available:
Base Licenses
Network Advantage
Add-On Licenses
DNA Advantage
Guidelines for Using Base and Add-On Licenses
- A base license (Network-Advantage) is ordered and fulfilled only with a perpetual or permanent license type.
- An add-on license (DNA Advantage) is ordered and fulfilled only with a subscription or term license type.
- An add-on license level is included when you choose a network license level. If you use DNA features, renew the license before term expiry, to continue using it. If you don't want to continue using DNA features, deactivate the add-on license and then reload the switch to continue operating with the base license capabilities.
- To know which license level a feature is available with, use Cisco Feature Navigator. To access Cisco Feature Navigator, go to https://cfnng.cisco.com. An account on cisco.com is not required.
Export Control Key for High Security
Products and features that provide cryptographic functionality are within the purview of U.S. export control laws. The Export Control Key for High Security (HSECK9 key) is an export-controlled license, which authorizes the use of cryptographic functionality.
This subsection provides information about the Cisco Catalyst 9600 Series Switches that support the HSECK9 key, the cryptographic features that require the HSECK9 key, what to consider when ordering it, prerequisites, and how to configure it on supported platforms.
Supported Platforms and Releases
The HSECK9 key is supported on the Cisco Catalyst 9600 Series 40-Port 50G, 2-Port 200G, 2-Port 400G Line Card (C9600-LC-40YL4CD), starting with Cisco IOS XE Cupertino 17.8.1. This line card is compatible only with Cisco Catalyst 9600 Series Supervisor Engine 2 (C9600X-SUP-2).
For more information about the line card and compatibility, see Cisco Catalyst 9600 Series Line Card Installation Note and Cisco Catalyst 9600 Series Switches Hardware Installation Guide.
When an HSECK9 Key Is Required
An HSECK9 key is required only if you want to use certain cryptographic features that are restricted by U.S. export control laws. You cannot enable restricted cryptographic features without it.
The WAN MACsec feature requires an HSECK9 key. More specifically, the HSECK9 key is required on customer edge devices in a point-to-point (P2P) and point-to-multipoint (P2MP) network where the WAN MACsec feature is configured.
Prerequisites for Using an HSECK9 Key
Ensure you meet the following requirements:
- The device is one that supports the HSECK9 key. See Supported Platforms and Releases.
- You have configured the DNA Advantage license on the device. You cannot use an HSECK9 key without DNA Advantage configured.
- You have the required number of HSECK9 keys in the applicable Smart Account and Virtual Account in Cisco Smart Software Manager (CSSM).
  The HSECK9 key is tied to the chassis. Each chassis UDI where you want to use a cryptographic feature requires one HSECK9 key. To understand this requirement in the context of a High Availability setup, see High Availability Considerations.
- You have implemented one of the supported Smart Licensing Using Policy topologies. This enables you to install a Smart Licensing Authorization Code (SLAC) for each HSECK9 key you want to use.
  An HSECK9 key requires authorization before use, because it is restricted by U.S. trade-control laws (export-controlled). A SLAC provides this authorization and allows activation and continued use of an export-controlled license. A SLAC is generated in and obtained from CSSM. There are multiple ways in which a device can be connected to CSSM, to obtain a SLAC. Each way of connecting to CSSM is called a topology. The configuration section shows you how to obtain a SLAC with each topology (Installing SLAC for an HSECK9 Key).
  Note: To obtain and install SLAC on supported platforms that are within the scope of this document (Supported Platforms and Releases), refer to the configuration section in this document. There are differences in the configuration process when compared to other Cisco products.
- You configure the cryptographic feature only after you have installed SLAC. If not, you have to reconfigure the cryptographic feature after installing SLAC.
- The interface on which you configure the cryptographic feature must correspond with a linecard slot where a line card supporting the cryptographic feature is installed.
Ordering Considerations
This section covers important ordering considerations for an HSECK9 key.
The HSECK9 key is tied to the chassis UDI. Regardless of whether you have a single or dual supervisor set-up, and regardless of the number of linecards where the cryptographic feature is configured, only one license is required for a chassis. A separate HSECK9 key is required for each chassis UDI where you want to use a cryptographic feature.
If you plan to use cryptographic functionality on new hardware that you are ordering (supported platforms), provide your Smart Account and Virtual Account information with the order. This enables Cisco to factory-install SLAC.
For information about ordering the key, see the Cisco Catalyst 9600 Series Switches Ordering Guide.
High Availability Considerations
This section covers the High Availability considerations that apply when using the HSECK9 key.
- Supported High Availability setups:
  A dual-supervisor setup, where two supervisor modules are installed in a chassis, one being the active and the other, the standby.
  All licensing information, such as trust codes, SLAC, and RUM reports, is stored on the active supervisor (active product instance) and synchronized with the standby.
  Note: You cannot use the HSECK9 key in any other High Availability setup. For example, it is not supported in a Cisco StackWise Virtual setup and in a Quad-Supervisor setup (Quad-Supervisor with Route Processor Redundancy).
- The number of HSECK9 keys required in a High Availability setup:
  The HSECK9 key is tied to the chassis UDI and regardless of the number of supervisors installed, only one HSECK9 key is required for each chassis UDI. The following sample output shows you how the chassis UDI is displayed. The same chassis UDI is also displayed for the active and standby:

      Device# show license udi
      UDI: PID:C9606R,SN:FXS241201WP   <<< chassis UDI

      HA UDI List:
          Active:PID:C9606R,SN:FXS241201WP
          Standby:PID:C9606R,SN:FXS241201WP
- The number of SLACs required in a High Availability setup:
  Each HSECK9 key requires one SLAC. The following sample output shows you how SLAC information is displayed. Note how the same SLAC installation timestamp and confirmation code are displayed for all connected devices, because they have the same UDI. Also note the Total available count for the HSECK9 key - only one is required for each chassis.

      Device# show license authorization
      Overall status:
        Active: PID:C9606R,SN:FXS241201WP
            Status: SMART AUTHORIZATION INSTALLED on Dec 13 05:18:07 2021 UTC
            Last Confirmation code: 7cf1f54a
        Standby: PID:C9606R,SN:FXS241201WP
            Status: SMART AUTHORIZATION INSTALLED on Dec 13 05:18:07 2021 UTC
            Last Confirmation code: 7cf1f54a

      Authorizations:
        C9K HSEC (Cat9K HSEC):
          Description: HSEC Key for Export Compliance on Cat9K Series Switches
          Total available count: 1
      <output truncated>
- Behavior in the event of a switchover:
  The system continues uninterrupted operation of the cryptographic feature in case of a switchover.
  Because the HSECK9 key is tied to the chassis UDI and not a supervisor module, and because licensing information on the active is synchronized with the standby, a switchover can never result in an interruption in the operation of the cryptographic feature.
- Removal and replacement considerations in a High Availability setup:
Hardware Removal and Replacement
The following constitutes the basis of what you must consider when removing and replacing a supervisor module or linecard:
- The HSECK9 key is tied to the chassis.
- Licensing information is saved on the active product instance (active supervisor module). In a High Availability setup, licensing information is synchronized with the standby.
- The cryptographic feature is configured in interface configuration mode. It corresponds with the line card slot where a linecard supporting the cryptographic feature is installed.
The above principles have the following implications when you remove and replace a supervisor module or a linecard:
- In a single supervisor set-up, if you remove the active supervisor and replace it with another one, you have to install SLAC again.
- In a dual supervisor set-up, you can remove and replace either the active or the standby. As long as you are removing and replacing only one supervisor module at a time, the system continues operation of the cryptographic functionality, without any interruptions. It is only if you remove both supervisor modules simultaneously that you must install SLAC again, because removing both supervisor modules means that required licensing information is no longer available on the device.
- You can remove and replace a linecard without any interruptions in the operation of the cryptographic functionality, as long as the replacement line card is installed in the same line card slot.
  If you remove a linecard where cryptographic functionality is configured and install the replacement linecard in a different slot, you may have to reconfigure the cryptographic feature.
For information about the removal and replacement procedures, refer to the Cisco Catalyst 9600 Series Supervisor Engine Installation Note and Cisco Catalyst 9600 Series Line Card Installation Note as required.
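The following Python check is an added example, not Cisco code. It applies the High Availability and replacement rules above to captured show license authorization text, for use before configuring the cryptographic feature or after a supervisor replacement. The embedded sample is the output shown in this document with line breaks assumed; the function name audit and the finding strings are illustrative.

```python
import re

# From the page's "show license authorization" sample; line breaks and
# indentation are assumed, since the page shows the output flattened.
SAMPLE = """\
Overall status:
  Active: PID:C9606R,SN:FXS241201WP
      Status: SMART AUTHORIZATION INSTALLED on Dec 13 05:18:07 2021 UTC
      Last Confirmation code: 7cf1f54a
  Standby: PID:C9606R,SN:FXS241201WP
      Status: SMART AUTHORIZATION INSTALLED on Dec 13 05:18:07 2021 UTC
      Last Confirmation code: 7cf1f54a
Authorizations:
  C9K HSEC (Cat9K HSEC):
    Description: HSEC Key for Export Compliance on Cat9K Series Switches
    Total available count: 1
"""

# One supervisor entry: role, UDI, status line, optional confirmation code.
ENTRY = re.compile(
    r"^[ \t]*(Active|Standby):[ \t]*(PID:\S+,SN:\S+)[ \t]*\n"
    r"[ \t]*Status:[ \t]*(.+)$"
    r"(?:\n[ \t]*Last Confirmation code:[ \t]*(\S+))?", re.M)
# Count of HSECK9 authorizations listed after the HSEC entry header.
HSEC = re.compile(r"HSEC.*?Total available count:[ \t]*(\d+)", re.S)


def audit(text):
    """Return findings that would block use of the cryptographic feature."""
    entries = {role: (udi, status, code)
               for role, udi, status, code in ENTRY.findall(text)}
    findings = []
    if "Active" not in entries:
        findings.append("no active supervisor entry found")
    for role, (_, status, _) in entries.items():
        if not status.startswith("SMART AUTHORIZATION INSTALLED"):
            findings.append(f"{role}: SLAC not installed ({status.strip()})")
    if len({udi for udi, _, _ in entries.values()}) > 1:
        findings.append("active and standby report different chassis UDIs")
    if len({code for _, _, code in entries.values()}) > 1:
        findings.append("SLAC confirmation codes differ between supervisors")
    m = HSEC.search(text)
    if not m or int(m.group(1)) < 1:
        findings.append("no HSECK9 authorization available for this chassis")
    return findings
```

An empty list means both supervisors report the same chassis UDI and SLAC, and one HSECK9 authorization is available.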