Introduction
This document describes how to configure HSEC licenses using SLP on Offline Catalyst 9300X Series Switches.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Understanding of Cisco Smart Licensing Using Policy (SLP) concepts
- Familiarity with Cisco Catalyst 9300X Series switch hardware and software management
- Experience navigating and managing licenses in Cisco Smart Software Manager (CSSM)
- Ability to use the CLI on Cisco IOS XE devices
- Knowledge of Cisco DNA license entitlement types
- Procedures for device registration and license reservation
Components Used
The information in this document is based on these software and hardware versions:
- Hardware: Cisco Catalyst C9300X-24Y
- Software: Cisco IOS XE 17.12.04
- Smart Licensing infrastructure: Cisco Smart Software Manager (CSSM)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
The HSEC (High-Security) license enables advanced security capabilities on Cisco platforms, enhancing network protection, data integrity, and privacy. It provides robust tools for secure communication and compliance with stringent security requirements.
Key features enabled by HSEC include:
- VPN Support facilitates secure, encrypted communication across public networks, such as IPsec and SSL VPNs, for site-to-site and remote access.
- Encryption Capabilities supports strong cryptographic algorithms for data protection, including AES and SHA for ensuring confidentiality, integrity, and authentication.
- WAN MACsec extends Layer 2 encryption (MACsec) capabilities across WAN links, ensuring end-to-end data security over untrusted networks.
- Scalability Enhancements unlocks higher scale for encrypted tunnels, such as VPN sessions, to support large deployments.
- Secure Communication enables features like FlexVPN and DMVPN for dynamic, scalable, and secure connectivity.
Configure
Use the C9300X CLI to configure smart licensing.
Configure smart licensing transport off.
CLI configuration:
device#conf t
Enter configuration commands, one per line. End with CNTL/Z.
device(config)#license smart transport off
Install a Trust ACK request
Generate and save the trust code request for the active product instance in the flash.
CLI configuration:
device#license smart save trust-request flash:trust_request.txt
Upload the trust request file to Cisco SSM and download the ACK file.
- Log in to the Cisco SSM Web UI at https://software.cisco.com. Under Smart Software Licensing, CLIck the Manage licenses link.
- Select the Smart Account that receives the report.
- Select Smart Software Licensing > Reports > Usage Data Files.
- CLIck Upload Usage Data. Browse to the file location (RUM report in tar format), select, and CLIck Upload Data.
Note: You cannot delete a file after it has been uploaded. You can however upload another file, if required.
5. From the Select Virtual Accounts pop-up, select the Virtual Account that receives the uploaded file.
6. The file is uploaded and is listed in the Usage Data Files table in the Reports screen. Details displayed include the file name, the time at which it was reported, which Virtual Account it was uploaded to, the reporting status, number of product instances reported, and the acknowledgement status.
7. In the Acknowledgement column, CLIck Download to save the ACK file for the report or request you uploaded.
Note: You must wait for the file to appear in the Acknowledgement column. If there many RUM reports or requests to process, Cisco SSM must take a few minutes.
After you download the file, import and install the file on the product instance
Copy Trust ACK file
Copy the file from its source location or directory to the flash memory of the product instance.
CLI configuration:
device#copy ftp: flash:
Address or name of remote host []? 192.168.1.1
Source filename []? ACK_ trust_request.txt
Destination filename [ACK_ trust_request.txt]?
Accessing ftp://192.168.1.1/ACK_ trust_request.txt...!
[OK - 5254/4096 bytes]
5254 bytes copied in 0.045 secs (116756 bytes/sec)
Import and install the file on the product instance.
CLI configuration:
device#license smart import flash:ACK_ trust_request.txt
Import Data Successful
device#
*Jun 12 20:01:07.348: %SMART_LIC-6-TRUST_INSTALL_SUCCESS: A new licensing trust code was successfully installed on P:C9300X-24Y,S:XXXXXXXXX.
Install an Authorization Request with all the required information.
Generate and save the Authorization request for the active product instance in the flash.
CLI configuration:
device#license smart authorization request add hseck9 all
Note: HSEC: High Security.
Save the authorization code request for the active product instance in the flash.
device#license smart authorization request save bootflash:auth3.txt
Upload the Authorization Request file to Cisco SSM and download the ACK file.
- Log in to the Cisco SSM Web UI at https://software.cisco.com. Under Smart Software Licensing, CLIck the Manage licenses link.
- Select the Smart Account that receives the report.
- Select Smart Software Licensing > Reports > Usage Data Files.
- CLIck Upload Usage Data. Browse to the file location (RUM report in tar format), select, and CLIck Upload Data.
Note: You cannot delete a file after it has been uploaded. You can however upload another file, if required.
5. From the Select Virtual Accounts pop-up, select the Virtual Account that receives the uploaded file.
The file is uploaded and is listed in the Usage Data Files table in the Reports screen. Details displayed include the file name, the time at which it was reported, which Virtual Account it was uploaded to, the reporting status, number of product instances reported, and the acknowledgement status.
6. In the Acknowledgement column, Click Download to save the ACK file for the report or request you uploaded.
Note: You must wait for the file to appear in the Acknowledgement column. If there many RUM reports or requests to process, Cisco SSM must take a few minutes.
After you download the file, import and install the file on the product instance
CopyAuthorization Request ACK file
Copy the file from its source location or directory to the flash memory of the product instance.
device#copy ftp flash
Address or name of remote host [192.168.1.1]? 192.168.1.1
Source filename [ACK_ auth3.txt]? ACK_auth3.txt
Destination filename [ACK_auth3.txt]?
Accessing ftp://192.168.1.1/ACK_auth3.txt ...!
[OK - 1543/4096 bytes]
1543 bytes copied in 0.041 secs (37634 bytes/sec)
InstallAuthorization Request ACK file
device#license smart import flash:ACK_auth3.txt
Last Confirmation code UDI: PID:C9300X-24Y,SN:XXXXXXXXX
Confirmation code: a4a85361
Import Data Completed
Last Confirmation code UDI: PID:C9300X-24Y,SN:XXXXXXXXX
Confirmation code: a4a85361
device#
*Jun 12 20:05:33.968: %SMART_LIC-6-AUTHORIZATION_INSTALL_SUCCESS: A new licensing authorization code was successfully installed on PID:C9300X-24Y,SN:XXXXXXXXXsh lic
Verify
You can use these command to verify License status:
device#sh license sum
Account Information:
Smart Account: Cisco Systems, TAC As of Jun 12 20:03:03 2025 UTC
Virtual Account: LANSW
License Usage:
License Entitlement Tag Count Status
-----------------------------------------------------------------------------
network-advantage (C9300X-12/24Y Network ...) 1 IN USE
dna-advantage (C9300X-12/24Y DNA Adva...) 1 IN USE
C9K HSEC (Cat9K HSEC) 0 NOT IN USE
device#show license authorization
Overall status:
Active: PID:C9300X-24Y,SN:XXXXXXXXXX
Status: SMART AUTHORIZATION INSTALLED on Jun 12 20:05:33 2025 UTC
Last Confirmation code: a4a85361
Authorizations:
C9K HSEC (Cat9K HSEC):
Description: HSEC Key for Export Compliance on Cat9K Series Switches
Total available count: 4
Enforcement type: EXPORT RESTRICTED
Term information:
Active: PID:C9300X-24Y,SN:FJC28281AE2
Authorization type: SMART AUTHORIZATION INSTALLED
License type: PERPETUAL
Term Count: 4
device#sh license all | i Trust
Trust Code Installed: Jun 12 20:01:07 2025 UTC