Information About Available Licenses
This section provides information about the licenses that are available on Cisco Catalyst 9300 Series Switches running Cisco IOS-XE software. The information applies to all models in the series, unless indicated otherwise.
Base and Add-On Licenses
The following base and add-on licenses are available:
Base Licenses
A base license is a perpetually valid, or permanent license. There is no expiration date for such a license.
- Network Essentials
- Network Advantage: Includes features available with the Network Essentials license and more.
Add-On Licenses
An add-on license provides Cisco innovations on the switch, and on the Cisco Digital Network Architecture Center (Cisco DNA Center).
An add-on license is valid only until a certain date. You can purchase an add-on license for a three, five, or seven year subscription period.
- DNA Essentials
- DNA Advantage: Includes features available with the DNA Essentials license and more.
Guidelines for Using Base and Add-On Licenses
- Base licenses (Network Essentials and Network Advantage) are ordered and fulfilled only with a perpetual or permanent license type.
- Add-on licenses (DNA Essentials and DNA Advantage) are ordered and fulfilled only with a subscription or term license type.
- An add-on license level is included when you choose a network license level. If you use DNA features, renew the license before term expiry to continue using it. If you don't want to continue using DNA features, deactivate the add-on license and then reload the switch to continue operating with the base license capabilities.
  When ordering an add-on license with a base license, note the combinations that are permitted and those that are not permitted:

  Table 1. Permitted Combinations

                     | DNA Essentials | DNA Advantage
  Network Essentials | Yes            | No
  Network Advantage  | Yes¹           | Yes

  ¹ You will be able to purchase this combination only at the time of DNA license renewal and not when you purchase DNA Essentials the first time.
- To know which license levels a feature is available with, use Cisco Feature Navigator. To access Cisco Feature Navigator, go to https://cfnng.cisco.com. An account on cisco.com is not required.
Export Control Key for High Security
Products and features that provide cryptographic functionality are within the purview of U.S. export control laws 2. The Export Control Key for High Security (HSECK9 key) is an export-controlled license, which authorizes the use of cryptographic functionality.
This subsection provides information about the Cisco Catalyst 9300 Series Switches that support the HSECK9 key, the cryptographic features that require the HSECK9 key, what to consider when ordering it, prerequisites, and how to configure it on supported platforms.
Supported Platforms and Releases
The HSECK9 key is available only on Cisco Catalyst 9300X Series Switches, starting with Cisco IOS XE Bengaluru 17.6.2.
For information about the available SKUs in the series, see the Cisco Catalyst 9300 Series Switches Hardware Installation Guide.
When an HSECK9 Key Is Required
An HSECK9 key is required only if you want to use certain cryptographic features that are restricted by U.S. export control laws. You cannot enable restricted cryptographic features without it.
The IPsec feature requires an HSECK9 key.
Prerequisites for Using an HSECK9 Key
Ensure you meet the following requirements:
- The device is one that supports the HSECK9 key. See Supported Platforms and Releases.
- You have configured the DNA Advantage license on the device. You cannot use an HSECK9 key without DNA Advantage configured.
- You have the required number of HSECK9 keys in the applicable Smart Account and Virtual Account in Cisco Smart Software Manager (CSSM). Each UDI where you want to use a cryptographic feature requires one HSECK9 key. Ensure that you have read the stacking considerations for the number of keys you require. See Stacking Considerations.
- You have implemented one of the supported Smart Licensing Using Policy topologies. This enables you to install a Smart Licensing Authorization Code (SLAC) for each HSECK9 key you want to use.
  An HSECK9 key requires authorization before use, because it is restricted by U.S. trade-control laws (export-controlled). A SLAC provides this authorization and allows activation and continued use of an export-controlled license. A SLAC is generated in and obtained from CSSM. There are multiple ways in which a device can be connected to CSSM to obtain a SLAC. Each way of connecting to CSSM is called a topology. The configuration section shows you how to obtain a SLAC with each topology (see Installing SLAC for an HSECK9 Key).
  Note: To obtain and install SLAC on supported platforms that are within the scope of this document (Supported Platforms and Releases), refer to the configuration section in this document. There are differences in the configuration process when compared to other Cisco products.
- You configure the cryptographic feature only after you have installed SLAC. If not, you have to reconfigure the cryptographic feature after installing SLAC.
Ordering Considerations
This section covers important ordering considerations for an HSECK9 key.
A separate HSECK9 key is required for each UDI where you want to use a cryptographic feature. If you have a device stack, see the Stacking Considerations section for information about the number of keys you require.
If you plan to use cryptographic functionality on new hardware that you are ordering (supported platforms), provide your Smart Account and Virtual Account information with the order. This enables Cisco to factory-install SLAC.
For information about ordering the key, see the Cisco Catalyst 9300 Series Ordering Guide.
Stacking Considerations
This section covers HSECK9 considerations and requirements that apply to a device stack with an active, a standby, and one or more members.
- Mixed stacking is not supported; all the devices in the stack must be Cisco Catalyst 9300X Series Switches. For information about the available C9300X SKUs in the series, see the Cisco Catalyst 9300 Series Switches Hardware Installation Guide.
- At a minimum, you must obtain an HSECK9 key and install SLAC for the active device in a stack. For uninterrupted use of the cryptographic feature in the event of a switchover, we recommend that you obtain an HSECK9 key for the standby also. Consider the following scenarios:
  Scenario 1: Device stack where the standby has an HSECK9 key and SLAC. When a switchover occurs, the system continues operation of the cryptographic functionality on the new active without any interruptions.
  Scenario 2: Device stack where the standby does not have an HSECK9 key.
  - A daily system message is displayed to alert you to the fact that the current standby does not have the requisite HSECK9 key and cryptographic functionality may be disabled when a switchover occurs. It does not affect the functioning of HSECK9-enabled features on the currently active device:
      %IOSXE_SMART_AGENT-6-STANDBY_NOT_AUTHORIZED: Standby is in 'not authorized' state for license hseck9
  - After the switchover occurs and the standby (without an HSECK9 key) becomes the new active, the following system messages are displayed. They alert you to the fact that the new active does not have an HSECK9 key and that the device is reloading:
      %PLATFORM_IPSEC_HSEC-3-UNAUTHORIZED_HSEC: Switchover happened with IPSec configured but HSEC unauthorized, reloading.
      %PMAN-5-EXITACTION: F0/0: pvp: Process manager is exiting: reload fp action requested
      %PMAN-5-EXITACTION: R0/0: pvp: Process manager is exiting: rp processes exit with reload switch code
    There are two possible outcomes at stack bootup after reload:
    - If the next new active selected at stack bootup after reload has an HSECK9 key, then the cryptographic functionality in the startup configuration is applied or accepted and the system resumes operation of the cryptographic functionality.
    - If the next new active selected at stack bootup after reload does not have an HSECK9 key either, then the cryptographic functionality in the startup configuration is rejected and cryptographic functionality is disabled in the entire stack.
- To add a device to an existing stack where cryptographic functionality is already being used, follow either one of these sequences:
  - Add the device to the stack, and request SLAC for the entire stack again. See Example: Requesting and Installing SLAC - Adding a Member and Requesting SLAC Again.
  - Install SLAC on the standalone, configure the cryptographic functionality on the standalone device, and finally add the device to the existing stack. See Example: Requesting and Installing SLAC - Requesting SLAC on a Standalone Then Adding Member.
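The system messages in Scenario 2 can be monitored centrally so that a stack whose standby lacks an HSECK9 key is flagged before a switchover takes IPsec down. The following is an added example, not Cisco code: it classifies hosts from collected syslog lines, and the "timestamp hostname message" line layout, the hostnames, and the function name assess_stacks are assumptions made for illustration.

```python
import re

# Constructed sample: timestamps, hostnames and the "<ts> <host> <message>" layout
# are assumptions; the %... message texts are the ones quoted in this section.
SAMPLE_LOG = """\
2024-03-01T00:00:05Z stack-a %IOSXE_SMART_AGENT-6-STANDBY_NOT_AUTHORIZED: Standby is in 'not authorized' state for license hseck9
2024-03-01T00:00:09Z stack-b %IOSXE_SMART_AGENT-6-STANDBY_NOT_AUTHORIZED: Standby is in 'not authorized' state for license hseck9
2024-03-02T00:00:05Z stack-a %IOSXE_SMART_AGENT-6-STANDBY_NOT_AUTHORIZED: Standby is in 'not authorized' state for license hseck9
2024-03-02T09:14:31Z stack-a %PLATFORM_IPSEC_HSEC-3-UNAUTHORIZED_HSEC: Switchover happened with IPSec configured but HSEC unauthorized, reloading.
2024-03-02T09:14:32Z stack-a %PMAN-5-EXITACTION: F0/0: pvp: Process manager is exiting: reload fp action requested
2024-03-02T09:14:32Z stack-a %PMAN-5-EXITACTION: R0/0: pvp: Process manager is exiting: rp processes exit with reload switch code
2024-03-02T11:00:00Z stack-c %PMAN-5-EXITACTION: F0/0: pvp: Process manager is exiting: reload fp action requested
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

def assess_stacks(log_text):
    """Map host -> HSECK9 switchover exposure derived from its syslog messages.

    status AT_RISK : standby reported 'not authorized'; a switchover would reload the stack
    status RELOADED: switchover reached an unauthorized standby and the stack reloaded
    """
    stacks = {}

    def state(host):
        return stacks.setdefault(host, {"status": "AT_RISK", "warnings": 0,
                                        "first_warning": None, "reload_at": None,
                                        "exit_actions": 0})

    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a "%FACILITY-SEV-MNEMONIC:" system message
        key = (m["facility"], m["mnemonic"])
        if key == ("IOSXE_SMART_AGENT", "STANDBY_NOT_AUTHORIZED") and "hseck9" in m["text"]:
            s = state(m["host"])
            s["warnings"] += 1
            s["first_warning"] = s["first_warning"] or m["ts"]
        elif key == ("PLATFORM_IPSEC_HSEC", "UNAUTHORIZED_HSEC"):
            s = state(m["host"])
            s["status"], s["reload_at"] = "RELOADED", m["ts"]
        elif key == ("PMAN", "EXITACTION") and m["host"] in stacks:
            # Count process-manager exits only when they follow the HSEC reload notice.
            if stacks[m["host"]]["status"] == "RELOADED":
                stacks[m["host"]]["exit_actions"] += 1
    return stacks
```

A host reported as AT_RISK is the case to act on: obtaining an HSECK9 key and SLAC for the standby avoids the reload path entirely. A process-manager exit with no preceding HSEC message (stack-c in the sample) is left out because the reload cannot be attributed to licensing.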