Available Licenses

Information About Available Licenses

This section provides information about the licenses that are available on Cisco Catalyst 9500 Series Switches running Cisco IOS-XE software. The information applies to all models in the series, unless indicated otherwise.

Base and Add-On Licenses

The software features available on the switch fall under base or add-on license levels.

A base license is a perpetually valid, or permanent license. There is no expiration date for such a license.

An add-on license provides Cisco innovations on the switch, and on the Cisco Digital Network Architecture Center (Cisco DNA Center). An add-on license is valid only until a certain date. You can purchase an add-on license for a three, five, or seven year subscription period.

The following base and add-on licenses are available:

Base Licenses

  • Network Essentials

  • Network Advantage: Includes features available with the Network Essentials license and more.

Add-On Licenses

  • DNA Essentials

  • DNA Advantage: Includes features available with the DNA Essentials license and more.

Guidelines for Using Base and Add-On Licenses

  • A base license (Network Essentials and Network-Advantage) is ordered and fulfilled only with a perpetual or permanent license type.

  • An add-on license (DNA Essentials and DNA Advantage) is ordered and fulfilled only with a subscription or term license type.

  • An add-on license level is included when you choose a network license level. If you use DNA features, renew the license before term expiry, to continue using it. If you don't want to continue using DNA features, deactivate the add-on license and then reload the switch to continue operating with the base license capabilities.

    When ordering an add-on license with a base license, note the combinations that are permitted and those that are not permitted:

    Table 1. Table 4. Permitted Combinations
    DNA Essentials DNA Advantage
    Network Essentials Yes No
    Network Advantage Yes1 Yes
    1 You will be able to purchase this combination only at the time of DNA license renewal and not when you purchase DNA-Essentials the first time

  • To know which license level a feature is available with, use Cisco Feature Navigator. To access Cisco Feature Navigator, go to https://cfnng.cisco.com. An account on cisco.com is not required.

Export Control Key for High Security

Products and features that provide cryptographic functionality are within the purview of U.S. export control laws 2. The Export Control Key for High Security (HSECK9 key) is an export-controlled license, which authorizes the use of cryptographic functionality.

This subsection provides information about the Cisco Catalyst 9500 Series Switches that support the HSECK9 key, the cryptographic features that require the HSECK9 key, what to consider when ordering it, prerequisites, and how to configure it on supported platforms.

When an HSECK9 Key Is Required

An HSECK9 key is required only if you want to use certain cryptographic features that are restricted by U.S. export control laws. You cannot enable restricted cryptographic features without it.

The WAN MACsec feature requires an HSECK9 key. More specifically, the HSECK9 key is required on customer edge devices in a point-to-point (P2P) and point-to-multipoint (P2MP) network where the WAN MACsec feature is configured.

Prerequisites for Using an HSECK9 Key

Ensure you meet the following requirements:

  • The device is one that supports the HSECK9 key. See Supported Platforms and Releases.

  • You have configured the DNA Advantage license on the device. You cannot use an HSECK9 key without DNA Advantage configured.

  • You have the required number of HSECK9 keys in the applicable Smart Account and Virtual Account in Cisco Smart Software Manager (CSSM).

    Each UDI where you want to use a cryptographic feature requires one HSECK9 key.


    Note

    The HSECK9 key is supported only in a standalone setup.

  • You have implemented one of the supported Smart Licensing Using Policy topologies. This enables you to install a Smart Licensing Authorization Code (SLAC) for each HSECK9 key you want to use.

    An HSECK9 key requires authorization before use, because it is restricted by U.S. trade-control laws (export-controlled). A SLAC provides this authorization and allows activation and continued use of an export-controlled license. A SLAC is generated in and obtained from CSSM. There are multiple ways in which a device can be connected to CSSM, to obtain a SLAC. Each way of connecting to CSSM is called a topology. The configuration section shows you how to obtain a SLAC with each topology (Installing SLAC for an HSECK9 Key).


    Note

    To obtain and install SLAC on supported platforms that are within the scope of this document (Supported Platforms and Releases), refer to the configuration section in this document. There are differences in the configuration process when compared to other Cisco products.

  • You configure the cryptographic feature only after you have installed SLAC. If not, you have to reconfigure the cryptographic feature after installing SLAC.

Ordering Considerations

This section covers important ordering considerations for an HSECK9 key.

A separate HSECK9 key is required for each UDI where you want to use a cryptographic feature.

If you plan to use cryptographic functionality on new hardware that you are ordering (supported platforms), provide your Smart Account and Virtual Account information with the order. This enables Cisco to factory-install SLAC.

For information about ordering the key, see the Cisco Catalyst 9500 Ordering Guide.

High Availability Considerations

This section covers the High Availability considerations that apply when using the HSECK9 key.


Note

High Availability is not supported on the Cisco Catalyst 9500X Series Switches.

How to Configure Available Licenses

This section provides information about how to configure available licenses.

Configuring Base and Add-On Licenses

After you order and purchase a base or add-on license, you must configure the license on the device before you can use it.

This task sets a license level and requires a reload before the configured changes are effective. You can use this task to

  • Change the current license.

  • Add another license. For example, if you are currently using Network Advantage and you also want to use features available with the corresponding Digital Networking Architecture (DNA) Advantage license.

  • Remove a license.

Procedure

  Command or Action Purpose
Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password, if prompted.
Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.
Step 3

license boot level license_level

Example:

Device(config)# license boot level network-advantage 
add-on dna-advantage

Activates the configured license on the product instance. In the accompanying example, the DNA Advantage license will be activated on the product instance after reload.

Step 4

exit

Example:

Device(config)# exit

Returns to the privileged EXEC mode.
Step 5

copy running-config startup-config

Example:

Device# copy running-config startup-config

Saves changes in the configuration file.
Step 6

show version

Example:

Device# show version

<output truncated>
Technology Package License Information:

------------------------------------------------------------------
Technology-package                              Technology-package
Current              Type                       Next reboot
------------------------------------------------------------------
network-advantage    Smart License              network-advantage
                     Subscription Smart License dna-advantage

<output truncated>

Shows currently configured license information and the license that is applicable after reload.

The “Technology-package Next reboot” column displays the change in the configured license that is effective after reload, only if you save the configuration change.

In the accompanying example, the current license level is Network Advantage. Because the configuration change was saved, the “Technology-package Next reboot” column shows that the DNA Advantage license will be activated after reload.

Step 7

reload

Example:

Device# reload

Reloads the device.
Step 8

show version

Example:

Device# show version

<output truncated>
Technology Package License Information:
 
--------------------------------------------------------------------
Technology-package                              Technology-package
Current              Type                       Next reboot
--------------------------------------------------------------------
network-advantage    Smart License              network-advantage
dna-advantage        Subscription Smart License dna-advantage
 
<output truncated>

Shows currently configured license information and the license that is applicable after reload.

What to do next

After you configure a license level, the change is effective after a reload. To know if reporting is required, you can wait for a system message or refer to the policy-using show commands.

  • The system message, which indicates that reporting is required: %SMART_LIC-6-REPORTING_REQUIRED: A Usage report acknowledgment will be required in [dec] days.

    [dec] is the amount of time (in days) left to meet reporting requirements.

  • If using show commands, refer to the output of the show license status privileged EXEC command and check the Next ACK deadline field. This means a RUM report must be sent and the ACK must be installed by this date.

The method that you can use to send the RUM report, depends on the topology you have implemented. Refer to the workflow for the applicable topology in the How to Configure Smart Licensing Using Policy: Workflows by Topology section of the Smart Licensing Using Policy chapter in this guide.

Installing SLAC for an HSECK9 Key

This section shows you the various methods of installing SLAC for an HSECK9 key. Each method corresponds with a particular topology in the Smart Licensing Using Policy environment.

For information about all the supported topologies, see the Supported Topologies section of the Smart Licensing Using Policy chapter in this guide.


Note

The only topology that you cannot implement if you want to use an HSECK9 key, is Connected to CSSM Through a Controller. The "controller" here is Cisco DNA Center. The Cisco DNA Center GUI does not provide an option to generate a SLAC for Cisco Catalyst switches that support HSECK9.

Installing SLAC: Connected Directly to CSSM

This task shows you how to request and install SLAC when the device (product instance), is directly connected to CSSM.

Before you begin
Procedure
  Command or Action Purpose
Step 1

enable

Example:
Device> enable

Enables privileged EXEC mode. Enter your password, if prompted.
Step 2

license smart authorization request {add | replace} feature_name {all | local}

Example:
Device# license smart authorization request add hseck9 local

Requests a SLAC from CSSM or CSLU or SSM On-Prem.

  • Specify if you want to add to or replace an existing SLAC:

    • add : This adds the requested key to an existing SLAC. The new SLAC will contain all the keys of the existing SLAC, and the requested key.

    • replace : This replaces the existing SLAC. The new SLAC will contain only the requested key. All HSECK9 keys in the existing SLAC are returned. When you enter this keyword, the product instance checks if these existing keys are in-use. If they are, an error message is displayed, telling you to first disable the corresponding cryptographic feature.

  • feature_name : Enter the name of the export-controlled license for which you want to request an addition or a replacement of the SLAC. Enter "hseck9" to request and install SLAC for the HSECK9 key.

  • Specify the device by entering one of these options:

    • all : Gets the authorization code for all devices in a High Availability and stacking set-up.

      Note 

      For stacking scenarios only: If you have added a device (where SLAC is not installed) to an existing stack where SLAC is already installed, use the replace and all options. This requests SLAC for all the devices in the stack. You cannot request SLAC for a particular member. Your only options are: either the active, or the entire stack.

    • local : Gets the authorization code for the active device in a High Availability and stacking set-up. This is the default option.

Step 3

(Optional) license smart sync {all | local}

Example:
Device# license smart sync local

Triggers the product instance to synchronize with CSSM, or CSLU, or SSM On-Prem, to send and receive any pending data.

This step is optional and applies only to scenarios where the product instance is connected to CSSM, or CSLU or SSM On-Prem, and where the product instance initiates communication. The corresponding topologies are: Connected Directly to CSSM, Connected to CSSM Through CSLU (product instance-initiated), and SSM On-Prem Deployment (product instance-initiated communication).

Here, the command manually triggers synchronization and completes the SLAC installation process. Otherwise SLAC is applied to the product instance the next time the product instance contacts CSLU or SSM On-Prem.

What to do next

Required Tasks After Installing SLAC

Installing SLAC: No Connectivity to CSSM and No CSLU

This task shows you how to request and install SLAC in an air-gapped network, where a device (product instance) cannot communicate online, with anything outside its network.

Here you generate and save the SLAC request to a file, upload it to the CSSM Web UI, download the SLAC code from the CSSM Web UI, and finaly, install it on the product instance.

Before you begin
Procedure
  Command or Action Purpose
Step 1

enable

Example:
Device> enable

Enables privileged EXEC mode. Enter your password, if prompted.
Step 2

license smart authorization request {add | replace} feature_name {all| local}

Example:
Device# license smart authorization request add hseck9 local

Generates a SLAC request with the required HSECK9 key and UDI details.

Specify if you want to add to or replace an existing SLAC:

  • add : Adds the requested key to an existing SLAC. The new authorization code will contain all the keys of the existing SLAC, and the requested license.

  • replace : Replaces the existing SLAC. The new SLAC will contain only the requested HSECK9 key. All keys in the existing SLAC are returned. When you enter this keyword, the product instance checks if these existing keys are in-use. If they are, an error message is displayed, telling you to first disable the corresponding feature.

For feature_name , enter the name of the export-controlled license for which you want to request an addition or a replacement of the SLAC. Enter "hseck9" to request and install SLAC for the HSECK9 key.

Specify the device by entering one of these options:

  • all : Gets the SLAC for all devices in a High Availability set-up

    Note 

    If you have added a device (where SLAC is not installed), to an existing stack where SLAC is already installed, use the replace and all options. This requests SLAC for all the devices in the stack. You cannot request SLAC for a particular member. Your only options are: either the active, or the entire stack.

  • local : Gets the SLAC for the active device in a High Availability set-up. This is the default option.

Step 3

license smart authorization request savepath

Example:
Device# license smart authorization request save bootflash:slac.txt

Saves the required UDI and HSECK9 key details for the SLAC request in a .txt file, in the specified location.

Step 4

Uploading Data or Requests to CSSM and Downloading a File

This task is performed on the CSSM Web UI.

Note 

This provision to upload a SLAC request file and to then download a SLAC file is supported starting with Cisco IOS XE Cupertino 17.7.1 only. With earlier releases, you have to enter the required information in the CSSM Web UI, generate a SLAC code in the CSSM Web UI, and then download and install it. The older method continues to be available, but the new method is prone to fewer manual errors and is the recommended way for this topology.

Step 5

copy source filename bootflash:

Example:
Device# copy tftp://10.8.0.6/user01/example.txt bootflash:

(Optional) Copies the file from its source location or directory to the flash memory of the product instance. You can also import the file directly from a remote location and install it on the product instance (next step).

  • source : This is the source location of file. The source can be either local or remote.

  • bootflash: : This is the destination for boot flash memory.

Step 6

license smart import filepath_filename

Example:
Device# license smart import bootflash:example.txt

Imports and installs the file on the product instance. For filepath_filename, specify the location, including the filename. After installation, a system message displays the type of file you installed.

What to do next

Required Tasks After Installing SLAC

Installing SLAC: Connected to CSSM Through CSLU (Product Instance-Initiated)

This task shows you how to request and install SLAC when the device (product instance) is connected to CSSM through CSLU and where the product instance initiates communication, that is, the product instance is configured to push the required information to CSLU.

Before you begin
Procedure
  Command or Action Purpose
Step 1

enable

Example:
Device> enable

Enables privileged EXEC mode. Enter your password, if prompted.
Step 2

license smart authorization request {add | replace} feature_name {all | local}

Example:
Device# license smart authorization request add hseck9 local

Requests a SLAC from CSSM or CSLU or SSM On-Prem.

  • Specify if you want to add to or replace an existing SLAC:

    • add : This adds the requested key to an existing SLAC. The new SLAC will contain all the keys of the existing SLAC, and the requested key.

    • replace : This replaces the existing SLAC. The new SLAC will contain only the requested key. All HSECK9 keys in the existing SLAC are returned. When you enter this keyword, the product instance checks if these existing keys are in-use. If they are, an error message is displayed, telling you to first disable the corresponding cryptographic feature.

  • feature_name : Enter the name of the export-controlled license for which you want to request an addition or a replacement of the SLAC. Enter "hseck9" to request and install SLAC for the HSECK9 key.

  • Specify the device by entering one of these options:

    • all : Gets the authorization code for all devices in a High Availability and stacking set-up.

      Note 

      For stacking scenarios only: If you have added a device (where SLAC is not installed) to an existing stack where SLAC is already installed, use the replace and all options. This requests SLAC for all the devices in the stack. You cannot request SLAC for a particular member. Your only options are: either the active, or the entire stack.

    • local : Gets the authorization code for the active device in a High Availability and stacking set-up. This is the default option.

Step 3

(Optional) license smart sync {all | local}

Example:
Device# license smart sync local

Triggers the product instance to synchronize with CSSM, or CSLU, or SSM On-Prem, to send and receive any pending data.

This step is optional and applies only to scenarios where the product instance is connected to CSSM, or CSLU or SSM On-Prem, and where the product instance initiates communication. The corresponding topologies are: Connected Directly to CSSM, Connected to CSSM Through CSLU (product instance-initiated), and SSM On-Prem Deployment (product instance-initiated communication).

Here, the command manually triggers synchronization and completes the SLAC installation process. Otherwise SLAC is applied to the product instance the next time the product instance contacts CSLU or SSM On-Prem.

What to do next

Required Tasks After Installing SLAC

Installing SLAC: Connected to CSSM Through CSLU (CSLU-Initiated)

This task shows you how to request and install SLAC when the device (product instance) is connected to CSSM through CSLU and where CSLU initiates communication, that is, CSLU is configured to pull the required information from the product instance.

This task requires you to configure certain commands on the product instance, certain tasks in the CSSM Web UI, and certain tasks in the CSLU interface.

Before you begin
Procedure
  Command or Action Purpose
Step 1

enable

Example:
Device> enable

Enables privileged EXEC mode. Enter your password, if prompted.
Step 2

license smart authorization request {add | replace} feature_name {all | local}

Example:
Device# license smart authorization request add hseck9 local

Requests a SLAC from CSSM or CSLU or SSM On-Prem.

  • Specify if you want to add to or replace an existing SLAC:

    • add : This adds the requested key to an existing SLAC. The new SLAC will contain all the keys of the existing SLAC, and the requested key.

    • replace : This replaces the existing SLAC. The new SLAC will contain only the requested key. All HSECK9 keys in the existing SLAC are returned. When you enter this keyword, the product instance checks if these existing keys are in-use. If they are, an error message is displayed, telling you to first disable the corresponding cryptographic feature.

  • feature_name : Enter the name of the export-controlled license for which you want to request an addition or a replacement of the SLAC. Enter "hseck9" to request and install SLAC for the HSECK9 key.

  • Specify the device by entering one of these options:

    • all : Gets the authorization code for all devices in a High Availability and stacking set-up.

      Note 

      For stacking scenarios only: If you have added a device (where SLAC is not installed) to an existing stack where SLAC is already installed, use the replace and all options. This requests SLAC for all the devices in the stack. You cannot request SLAC for a particular member. Your only options are: either the active, or the entire stack.

    • local : Gets the authorization code for the active device in a High Availability and stacking set-up. This is the default option.

Step 3

Requesting SLAC for One or More Product Instance (CSLU Interface)

This task is performed on the CSLU interface.
Step 4

Generating and Downloading SLAC from CSSM to a File

This task is performed on the CSSM Web UI.
Step 5

Import from CSSM (CSLU Interface)

This task is performed on the CSLU interface. After you have completed it, the uploaded codes are applied to the product instances the next time CSLU runs an update.

What to do next

Required Tasks After Installing SLAC

Installing SLAC: SSM On-Prem Deployment (Product Instance-Initiated)

This task shows you how to request and install SLAC when the device (product instance) is connected to SSM On-Prem and where the product instance initiates communication, that is, the product instance is configured to push the required information to SSM On-Prem.

Here you first create a request file in SSM On-Prem, upload the request in the CSSM Web UI, generate SLAC, import the SLAC into the SSM On-Prem server. Finally configure the commands on the product instance to request and install SLAC.

Before you begin
Procedure
  Command or Action Purpose
Step 1

Submitting an Authorization Code Request (SSM On-Prem UI)

This task is performed on the SSM On-Prem UI.
Step 2

Generating and Downloading SLAC from CSSM to a File

This task is performed on the CSSM Web UI.
Step 3

enable

Example:
Device> enable

Enables privileged EXEC mode. Enter your password, if prompted.
Step 4

license smart authorization request {add | replace} feature_name {all | local}

Example:
Device# license smart authorization request add hseck9 local

Requests a SLAC from CSSM or CSLU or SSM On-Prem.

  • Specify if you want to add to or replace an existing SLAC:

    • add : This adds the requested key to an existing SLAC. The new SLAC will contain all the keys of the existing SLAC, and the requested key.

    • replace : This replaces the existing SLAC. The new SLAC will contain only the requested key. All HSECK9 keys in the existing SLAC are returned. When you enter this keyword, the product instance checks if these existing keys are in-use. If they are, an error message is displayed, telling you to first disable the corresponding cryptographic feature.

  • feature_name : Enter the name of the export-controlled license for which you want to request an addition or a replacement of the SLAC. Enter "hseck9" to request and install SLAC for the HSECK9 key.

  • Specify the device by entering one of these options:

    • all : Gets the authorization code for all devices in a High Availability and stacking set-up.

      Note 

      For stacking scenarios only: If you have added a device (where SLAC is not installed) to an existing stack where SLAC is already installed, use the replace and all options. This requests SLAC for all the devices in the stack. You cannot request SLAC for a particular member. Your only options are: either the active, or the entire stack.

    • local : Gets the authorization code for the active device in a High Availability and stacking set-up. This is the default option.

Step 5

(Optional) license smart sync {all | local}

Example:
Device# license smart sync local

Triggers the product instance to synchronize with CSSM, or CSLU, or SSM On-Prem, to send and receive any pending data.

This step is optional and applies only to scenarios where the product instance is connected to CSSM, or CSLU or SSM On-Prem, and where the product instance initiates communication. The corresponding topologies are: Connected Directly to CSSM, Connected to CSSM Through CSLU (product instance-initiated), and SSM On-Prem Deployment (product instance-initiated communication).

Here, the command manually triggers synchronization and completes the SLAC installation process. Otherwise SLAC is applied to the product instance the next time the product instance contacts CSLU or SSM On-Prem.

What to do next

Required Tasks After Installing SLAC

Installing SLAC: SSM On-Prem Deployment (SSM On-Prem-Initiated)

This task shows you how to request and install SLAC when the device (product instance), is connected to SSM On-Prem and where SSM On-Prem initiates communication, that is, SSM On-Prem is configured to pull the required information from the product instance.

Here you create a request file in SSM On-Prem, upload the request in the CSSM Web UI, generate SLAC, import it into the SSM On-Prem server. Finally, synchronize SSM On-Prem with the product instance.

Before you begin
Procedure
  Command or Action Purpose
Step 1

Submitting an Authorization Code Request (SSM On-Prem UI).

This task is performed in the SSM On-Prem UI.
Step 2

In the SSM On-Prem UI, navigate to Reports > Synchronisation pull schedule with the devices > Synchronise now with the device.

This step is optional. If you don't synchronize immediately after importing the codes, the uploaded codes are applied to the product instances the next time SSM On-Prem runs an update.

What to do next

Required Tasks After Installing SLAC

Required Tasks After Installing SLAC

This task shows you the activities that you must complete after installing SLAC. The information here applies to all methods of installing SLAC.

Procedure
Step 1

Verify SLAC installation and HSECK9 key usage.

  • Check that the output of the show license authorization privileged EXEC command displays a timestamp and a last confirmation code.

    In the Overall Status section of the output, look for Status: SMART AUTHORIZATION INSTALLED on <timestamp> and Last Confirmation code: <code>. This means SLAC is installed.

  • Check that the usage count and status in the output of the show license summary privileged EXEC command displays 0 and NOT IN USE respectively. This means that the HSECK9 key is available but is not in-use yet.

  • The following system messages are displayed after SLAC installation:

    • Error Message %SMART_LIC-6-AUTHORIZATION_INSTALL_SUCCESS: A new licensing authorization code was successfully installed on: [chars].

      [chars] is the UDI where the SLAC was installed.

    • %SMART_LIC-6-EXPORT_CONTROLLED: Usage of export controlled features is allowed for feature hseck9.

Example:
Device# show licence authorization
Overall status:
  Active: PID:C9500X-28C8D,SN:FDO25040MV2
      Status: SMART AUTHORIZATION INSTALLED on Feb 01 09:11:18 2022 UTC
      Last Confirmation code: 0702e31c

Authorizations:
  C9K HSEC (Cat9K HSEC):
    Description: HSEC Key for Export Compliance on Cat9K Series Switches
    Total available count: 1
    Enforcement type: EXPORT RESTRICTED
    Term information:
      Active: PID:C9500X-28C8D,SN:FDO25040MV2
        Authorization type: SMART AUTHORIZATION INSTALLED 
        License type: PERPETUAL
          Term Count: 1

Purchased Licenses:
  No Purchase Information Available
Device# show license summary
Account Information:
  Smart Account: Eg-SA As of Sep 27 10:04:01 2021 UTC
  Virtual Account: Eg-VA

License Usage:
  License                 Entitlement Tag               Count Status
  -----------------------------------------------------------------------------
  network-advantage       (C9500X_NW_A)                     1 IN USE
  dna-advantage           (C9500X_DNA_A)                    1 IN USE
  C9K HSEC                (Cat9K HSEC)                      0 NOT IN USE
Step 2

Configure the cryptographic feature.

The following WAN MACsec configuration is for example purposes only. For information about configuring the feature, see the MACsec Encryption chapter of the Security Configuration Guide, Cisco IOS XE <applicable release number> (Catalyst 9500 Switches)

Example:
Device# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Device(config)# interface HundredGigE1/0/35/3
Device(config-if)# macsec dot1q-in-clear 1
Device(config-if)#
*Feb  1 09:12:04.221: %SMART_LIC-6-EXPORT_CONTROLLED: Usage of export controlled features is allowed for feature hseck9
Device(config-if)# end

Device# show running-config interface HundredGigE1/0/35/3
Building configuration...

Current configuration : 158 bytes
!
interface HundredGigE1/0/35/3
 no switchport
 no ip address
 macsec dot1q-in-clear 1
 eapol destination-address broadcast-address
 eapol eth-type 876F
end
Step 3

Again check HSECK9 key usage.

After you configure the cryptographic feature, the usage count and status in the output of the show license summary privileged EXEC command changes to 1 and IN USE, respectively.

Example:
Device# show license summary   
Account Information:
  Smart Account: Eg-SA As of Sep 27 10:04:01 2021 UTC
  Virtual Account: Eg-VA

License Usage:
  License                 Entitlement Tag               Count Status
  -----------------------------------------------------------------------------
  network-advantage       (C9500X_NW_A)                     1 IN USE
  dna-advantage           (C9500X_DNA_A)                    1 IN USE
  C9K HSEC                (Cat9K HSEC)                      1 IN USE
Step 4

Check if reporting is required. The method that you can use to send the RUM report, depends on the topology you have implemented. Refer to the workflow for the applicable topology in the How to Configure Smart Licensing Using Policy: Workflows by Topology section of the Smart Licensing Using Policy chapter in this guide.

To know if reporting is required, you can wait for a system message or refer to the policy using show commands.

  • The system message, which indicates that reporting is required: %SMART_LIC-6-REPORTING_REQUIRED: A Usage report acknowledgement will be required in [dec] days.

    [dec] is the amount of time (in days) left to meet reporting requirements.

  • If using show commands, refer to the output of the show license status privileged EXEC command. Check the Next ACK deadline field. You must send the RUM report and ensure that the ACK is installed by this date.

Returning a SLAC

This task shows you how to return a SLAC and return the HSECK9 key to your license pool in CSSM. You can use this task with all topologies.

You may want to return a SLAC and HSECK9 key under these circumstances:

  • You no longer want to use the cryptographic feature, which requires an HSECK9 key.

  • You want to return the device for Return Material Authorization (RMA), or decommission it permanently. When you return a device to Cisco, you have to configure the licence smart factory reset privileged EXEC command, which removes all licensing information (except the licenses in-use) from the product instance, including any authorization codes, RUM reports and so on. Before you perform a factory reset, return the SLAC code. We also recommend that you send a RUM report to CSSM before removing licensing information from the product instance.

Before you begin

Disable or unconfigure the cryptographic feature for which you used the HSECK9 key.

When the cryptographic feature you are disabling is the WAN MACsec feature, note the following: Even after disabling the cryptographic feature, the output of the show license summary command displays the usage count and status for the HSECK9 key as 1 and IN USE. This is as expected. The steps in this task show you how to release the key, which changes the count and status to 0 and NOT IN USE. But you must disable the WAN MACsec feature before you try to release the HSECK9 key.

Procedure
  Command or Action Purpose
Step 1

enable

Example:
Device> enable

Enables privileged EXEC mode. Enter your password, if prompted.
Step 2

show license summary

Example:
Account Information:
  Smart Account: Eg-SA As of Sep 27 10:04:01 2021 UTC
  Virtual Account: Eg-VA

License Usage:
  License                 Entitlement Tag               Count Status
  -----------------------------------------------------------------------
  network-advantage       (C9500X_NW_A)                     1 IN USE
  dna-advantage           (C9500X_DNA_A)                    1 IN USE
  C9K HSEC                (Cat9K HSEC)                      1 IN USE

(Optional) Displays license usage summary. This step applies only if you are returning a SLAC.

If the status of the HSECK9 key is displayed as NOT IN USE skip to Step 5.

If the status of the HSECK9 key is displayed as IN USE even after the cryptographic feature is disabled, then perform the next step. This is the case in the accompanying example.

Step 3

platform wanmacsec hsec-license-release

Example:
Device# configure terminal 
Device(config)# platform wanmacsec hsec-license-release 
HSEC license is released
Device(config)# exit

Enters the global configuration mode, releases the HSECK9 license, and returns to privileged EXEC mode.
Step 4

show license summary

Example:
Account Information:
  Smart Account: Eg-SA As of Sep 27 10:04:01 2021 UTC
  Virtual Account: Eg-VA

License Usage:
  License                 Entitlement Tag               Count Status
  -----------------------------------------------------------------------
  network-advantage       (C9500X_NW_A)                     1 IN USE
  dna-advantage           (C9500X_DNA_A)                    1 IN USE
  C9K HSEC                (Cat9K HSEC)                      0 NOT IN USE

(Optional) Displays license usage summary. This step applies only if you are returning a SLAC.

Ensure that the status of the license that you want to return is NOT IN USE.

Step 5

license smart authorization return {all |local} {offline [path] |online}

Example:
Device# license smart authorization return all online

OR

Device# license smart authorization return all offline
Enter this return code in Cisco Smart Software Manager portal: 

UDI: PID:C9500X-28C8D,SN:FDO25040MV2

Return code: Cr9JHx-L1x5Rj-ftwzg1-h9QZAU-LE5DT1-babWeL-FABPt9-
Wr1Dn7-Rp7

OR
Device# license smart authorization return all 
offline bootflash:return-code.txt

Returns an authorization code back to the license pool in CSSM. A return code is displayed after you enter this command.

Specify the product instance:

  • all: Performs the action for all connected product instances in a High Availability or stacking set-up.

  • local: Performs the action for the active product instance. This is the default option.

Specify if you are connected to CSSM or not:

  • If connected to CSSM, or if you have implemented a topology where the product instance-initiates communication (CSLU or SSM On-Prem), enter online . The code is automatically returned to CSSM and a confirmation is returned and installed on the product instance. If you choose this option, the return code is automatically submitted to CSSM.

  • If not connected to CSSM, or if you have implemented a topology with CSLU-initiated or SSM On-Prem initiated communication, enter offline [filepath_filename] .

    • If you enter only the offline keyword, copy the return code that is displayed on the CLI and enter it in the CSSM Web UI.

      Complete this task to enter the return code in the CSSM Web UI: Entering a SLAC Return Code in CSSM and Removing a Product Instance.

    • If you save the return code to a file, upload the file to CSSM Web UI.

      For example: Device# license smart authorization return local offline bootflash:return-code.txt

      Note 

      This method of returning SLAC is supported starting with Cisco IOS XE Cupertino 17.7.1 only.

      Complete this task to upload the return request in the CSSM Web UI: Uploading Data or Requests to CSSM and Downloading a File.

Step 6

show license authorization

Example:
Device# show license authorization                                   
Overall status:
  Active: PID:C9500X-28C8D,SN:FDO25040MV2
      Status: NOT INSTALLED
      Last return code: Cr9JHx-L1x5Rj-ftwzg1-h9QZAU-LE5DT1-
babWeL-FABPt9-Wr1Dn7-Rp7

<output truncated>

Displays licensing information. Check under the License Authorizations header in the output. If the return process is completed correctly, the Last return code: field displays the return code.

Feature History for Available Licenses

This table provides release and related information for the features explained in this module.

These features are available in all the releases subsequent to the one they were introduced in, unless noted otherwise.

Release

Feature

Feature Information

Cisco IOS XE Everest 16.5.1a

Base and Add-On Licenses

This feature was introduced.

The software features available on Cisco Catalyst 9500 Series Switches fall under base and add-on license levels.

Support for this feature was introduced on the C9500-12Q, C9500-16X, C9500-24Q, C9500-40X models of the Cisco Catalyst 9500 Series Switches.

See Base and Add-On Licenses and Configuring Base and Add-On Licenses.

Cisco IOS XE Fuji 16.8.1a

Base and Add-On Licenses

With the introduction of the High Performance models in this release, this feature is also supported on the C9500-32C, C9500-32QC, C9500-48Y4C, and C9500-24Y4C models of the Cisco Catalyst 9500 Series Switches.

See Base and Add-On Licenses and Configuring Base and Add-On Licenses.

Cisco IOS XE Cupertino 17.7.1

Base and Add-On Licenses

With the introduction of Cisco Catalyst 9500X Series Switches in this release, this feature is supported on the C9500X-28C8D model of the Cisco Catalyst 9500 Series Switches.

See Base and Add-On Licenses and Configuring Base and Add-On Licenses.

Cisco IOS XE Cupertino 17.8.1

Export Control Key for High Security (HSECK9)

Support for the HSECK9 key was introduced on the Cisco Catalyst 9500X Series Switches.

Note 

The HSECK9 is supported only on the Cisco Catalyst 9500X Series Switches and not on any of the other models in the Cisco Catalyst 9500 Series Switches.

The HSECK9 key is an export-controlled license, which authorizes the use of cryptographic features that are restricted by U.S. export control laws. If you want to use a restricted cryptographic feature, an HSECK9 key is required.

See Export Control Key for High Security and Installing SLAC for an HSECK9 Key.

Use the Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.

2 the U.S. Government Encryption and Export Administration Regulations (EAR)