Cisco DNA Software Subscription Matrix for Switching
| | Network Essentials | Network Advantage | Cisco DNA Essentials | Cisco DNA Advantage |
| --- | --- | --- | --- | --- |
| License type | Perpetual license compatible with Cisco DNA Essentials. Cannot be purchased as a standalone license | Perpetual license compatible with Cisco DNA Advantage. Cannot be purchased as a standalone license | 3/5/7 year term subscription | Includes Cisco DNA Essentials, 3/5/7 year term subscription |
| Management options | Manual, WebUI | Manual, WebUI | Automation through Cisco Catalyst Center including Manual, WebUI | Automation through Cisco Catalyst Center including Manual, WebUI |
Network Essentials
License type Perpetual license, one-time purchase
Management options Manual, WebUI
Network Advantage
License type Perpetual license, one-time purchase
Management options Manual, WebUI
Cisco DNA Essentials
License type 3/5/7 year term subscription
Management options Automation through Cisco Catalyst Center including Manual, WebUI
Cisco DNA Advantage
License type Includes Cisco DNA Essentials, 3/5/7 year term subscription
Management options Automation through Cisco Catalyst Center including Manual, WebUI
License type Includes Cisco DNA Advantage, 3/5/7 year term subscription
Management options Automation through Cisco Catalyst Center including Manual, WebUI

Support

The Cisco DNA Expansion Pack is a flexible way to purchase Cisco ISE, Cisco Spaces, Secure Network Analytics (Stealthwatch), ThousandEyes and other licenses, appliances, and services in one convenient bundle. Enhance your Cisco networking solutions such as SD-Access, Zero Trust solutions, Encrypted Traffic Analytics (ETA), location analytics, and assurance. You can add the pack to your Cisco DNA software licenses and choose the license count that fits your needs.

For more details, contact Cisco sales or a Cisco registered partner.

* Not supported on all platforms.

** Each Catalyst 9300 or 9400 Cisco DNA Advantage subscription entitles the customer to run the equivalent of one ThousandEyes network or web test every 5 mins from a ThousandEyes enterprise agent (22 units per month), up to a maximum of 110,000 units per month of ThousandEyes test capacity per customer. ThousandEyes Cloud Agent access is not included in the Cisco DNA license entitlement. Test capacity can be increased and Cloud Agents accessed with purchase of additional ThousandEyes Network and Application Synthetics.

*** Supported on Network Advantage from Cisco IOS XE Fuji 16.9.7 onwards. Prior to Cisco IOS XE Fuji 16.9.7, Cisco DNA Advantage is also required.

Layer 2, routed access, OSPF, PBR, PIM Stub Multicast, PVLAN, VRRP, Cisco Discovery Protocol, QoS, FHS, 802.1X, MACsec-128, CoPP, SXP, IP SLA responder, SSO, StackWise (Catalyst 9300/9200).

L3 Routed access (RIP, EIGRP Stub, OSPF (1000 routes)).

Model-driven programmability lets you automate configuration and control of your network devices with programmable interfaces.

Configure 128-bit MACsec for authenticating and encrypting packets between MACsec-capable devices.

Manual/CLI or WebUI configuration of SPAN, RSPAN for providing near real-time access to operational statistics. No automation through Cisco Catalyst Center.

Model-driven telemetry lets you monitor your network by streaming data from network devices, continuously providing near-real-time access to operational statistics.

Help ensure hardware and software authenticity for supply chain trust and strong mitigation against man-in-the-middle attacks that compromise software and firmware.

Manually manage software upgrades and control the consistency of image versions through CLI or WebUI. Automation through Cisco Catalyst Center not supported.

BGP*, OSPF, IS-IS*.

VRF*, VXLAN, LISP*, SGT, MPLS*, BGP-EVPN with VXLAN*.

Support operational continuity and maintain availability during routine maintenance, and perform disaster recovery. NSF*, GIR*, HSRP, Stackwise Virtual*, ISSU*/eFSU*.

Manual/CLI operations or through WebUI only. Automation through Cisco Catalyst Center not supported.

Multicast is used between routers so they can track which multicast packets to forward to each other and to their directly connected LANs. RP Discovery*, PIM BI-DIR*.

Configure 256-bit MACsec* for authenticating and encrypting packets between MACsec-capable devices.

Timing and synchronization for time-sensitive applications with PTPv2 as the default profile (IEEE 1588v2/PTPv2, gPTP (IEEE 802.1AS), AES67 and G8275.1 profiles) with less than 100 nanoseconds precision.

Cisco AVB simplifies digitization of audio and video and offers superior quality of experience with standards like IEEE1588v2 PTPv2, AES67 timing profile.

Software services-enabled license portability lets your software licenses stay current through hardware upgrades and replacements at no additional cost.

This next generation in flow technology optimizes the network infrastructure, reducing operating costs and improving capacity planning and security incident detection. (License is required for Manual/CLI, WebUI or automated Cisco Catalyst Center configuration).

Automate software upgrades and control the consistency of image versions through Cisco Catalyst Center.

Automate configurations and deployment of networks with Cisco Catalyst Center.

Gives a high-level overview of the health of every network device/client on the network, wired and wireless, through Cisco Catalyst Center or cloud monitoring for Catalyst.

Gives a high-level overview of the health of wired network devices/clients on the network, managed by Cisco Catalyst Center.

Zero-touch provisioning for new device installation of Cisco devices to be provisioned simply by connecting to the network, managed by Cisco Catalyst Center.

This software-defined, controller-less solution enables Bonjour services discovery and advertisement for local cache discovery and distribution functions between VLANs. License is required for both manual/CLI configuration or automation through Cisco Catalyst Center.

Cisco Catalyst Center pre-built reports that can be consumed directly or exported to third party tools such as Tableau.

Supports intent-based workflows for simplified wireless deployment and automation, managed by Cisco Catalyst Center appliance.

Create policies based on business intent for a particular part of the network that are network- and device-specific, adjusted dynamically to guarantee services, managed by Cisco Catalyst Center.

Gives a high-level overview of the health of every network device/client on the network, wired and wireless, Cisco and Meraki, managed by Cisco Catalyst Center.

Provides operational status of every network device connected to Cisco Catalyst Center, with suggested remediation for any communication issues, managed by Cisco Catalyst Center.

Displays operational status of every client connected to Cisco Catalyst Center, with suggested remediation for any issues, managed by Cisco Catalyst Center.

Displays overall health of all applications on the network, with special section for business-relevant application issues and suggested remediation, managed by Cisco Catalyst Center.

Enables network devices to send near-real-time telemetry information to Cisco Catalyst Center.

Zero-touch provisioning for new device installation allows off-the-shelf Cisco devices to be provisioned simply by connecting to the network, managed by Cisco Catalyst Center.

Enables policy-based automation with secure segmentation, complete visibility, and delivery of new services quickly on SD-Access devices, managed by Cisco Catalyst Center only.

Any Cisco or third-party controller orchestrating a fabric such as EVPN or MPLS.

Automated management of SMU/patch installation by Cisco Catalyst Center.

Compliance reports managed by Cisco Catalyst Center.

Display devices and client connectivity from any angle or context, providing for very granular troubleshooting in seconds.

Fabric technology is an integral part of SD-Access. Fabric-enabled wireless is a deployment option, managed by Cisco Catalyst Center only.

Assign policies to applications based on business relevance and business-critical QoS priority (for life-saving devices, for example) through Cisco Catalyst Center.

Allows third-party applications to be hosted in a secure container environment on the switch. License is required for both manual/CLI configuration or automation through Cisco Catalyst Center.

Detect malware within encrypted traffic. License is required for both manual/CLI configuration or automation through Cisco Catalyst Center.

This software-defined, controller-based solution enables Bonjour services discovery and advertisement at scale across multiple domains. License is required for both manual/CLI configuration or automation through Cisco Catalyst Center.

Monitor and re-direct traffic. License is required for both manual/CLI configuration or automation through Cisco Catalyst Center.

Packet capture for analysis. License is required for both manual/CLI configuration or automation through Cisco Catalyst Center.

Gain application visibility and control through Next-Generation Network-Based Application Recognition. License is required for both manual/CLI configuration or automation through Cisco Catalyst Center.

Provides a single integrated solution for comprehensive lifecycle management of the wired or wireless access, campus, and branch networks, and rich visibility into end-user connectivity and application performance assurance issues. Only available on the Catalyst 9000 switches, not on legacy switches.

Provides a single integrated solution for comprehensive lifecycle management of the wired or wireless access, campus, and branch networks, and rich visibility into end-user connectivity and application performance assurance issues.

Gain application visibility and control through Next-Generation Network-Based Application Recognition. Does not require Cisco Catalyst Center. Not supported on Cisco Catalyst 9200 Series switches.

Encrypted Traffic Analytics detects malware within encrypted traffic. Manufacturer Usage Description validates the IoT device, extends trust, and applies policy to the device. Does not require Cisco Catalyst Center. Not supported on Cisco Catalyst 9200 Series switches.

Gain complete security and threat containment, managed by Cisco Catalyst Center.

Detect malware within encrypted traffic. License is required for both manual/CLI configuration or automation through Cisco Catalyst Center. Includes Stealthwatch Flow Rate License, Virtual Stealthwatch Management Console, and Virtual Flow Collectors.

Multi-Cisco Catalyst Center Management and LAN/Campus Service Automation for Switching Infrastructure

90 days of Cisco TAC support; local business hours, 8x5; Hardware replacement (next business day where available); Warranty duration is lifespan of hardware product; OS software updates and upgrades.

Software Support Service in the subscription software stack includes 24-hour TAC support and software updates and upgrades in Cisco Catalyst Center.

Automated provisioning of a new Cisco switch using the Zero Touch Provisioning functionality built into the switch.

Deliver superior network and application experience with Cisco ThousandEyes, now integrated into Cisco Catalyst 9300 and 9400 Series switches.

AI and machine learning technologies are implemented on Cisco Catalyst Center and in the AI Network Analytics cloud to enhance the insight and remediation capabilities of Cisco DNA Assurance.

Identify and check compliance of endpoints, and use AI/ML techniques to classify them into groups.

Get visual traffic flows between endpoint groups, so you can define the right segmentation policies.

Verifies that connected endpoints are legitimate. Use this information to define security policies that isolate rogue or compromised endpoints to reduce threat proliferation.

Makes segmentation policy simpler by discovering traffic flows between scalable groups to determine the right policies.

Supports 100G+ HW encryption for high-bandwidth secure L3 transport between sites or from cloud to site.

Allows IT to give end-users control of their very own wireless network partition. End-users can then remotely and securely deploy their devices on this network.

EEM is a powerful and flexible subsystem that provides real-time network event detection and onboard automation. It gives you the ability to adapt the behavior of your network devices to align with your business needs.

A flexible framework is provided to integrate third-party application software.

A powerful, end-to-end, indoor location services cloud platform that unlocks insights and trends into customer, employee and asset behavior. Available for Cisco Catalyst 9300 and 9400 Series Switches.

A powerful end-to-end, indoor location services cloud platform that extends platform capabilities via integrations and partner applications. Includes Cisco Spaces See. Available for Cisco Catalyst 9300 and 9400 Series Switches.

Offers cloud monitoring options with Cisco® Catalyst® 9000 switches to deliver visibility and troubleshooting.

Smart Net Total Care, 24-hour hardware and network software stack support provided by TAC.