Cisco SD-WAN licensing

Cisco SD-WAN plans

SD-WAN is an emerging technology and is well know from its subscription-based approach. It means that when you design an SD-WAN solution, it comes with a subscription model, usually time-based. I will not elaborate on how good or bad this idea is because that’s how the entire subscription world works, whether we like it or not. My post is intended for those who want to have a quick overview of Cisco SD-WAN licensing before they decide which way to go.

Two types of licenses – time-based and permanent

Some time ago, Cisco created DNA (Digital Network Architecture) licensing approach for routing, switching and wireless architectures.

For the WAN area – routing (where SD-WAN lies), Cisco proposes three types of licenses, so-called subscription DNA tiers:

1. Essentials,
2. Advantage,
3. Premier.

All above licenses are time-based. Essentials and Premier can last for three and five years, while the Advantage plan can be set to three, five, or seven years. At a first glance, there are no meaningful differences between the plans since you can build SD-WAN network using any of them. The devil, as always, lies in the details. I will elaborate a little bit more about those details later in this post.

The second thing is a perpetual licensing, a permanent element that sticks with the hardware, which is:

• Network Essentials
• Network Advantage

SD-WAN functionality is a pure subscription-based offering, meaning that you can use router devices after the SD-WAN time-based subscription expires but with the standard routing capabilities (image update to Cisco IOS XE is required or switching to autonomous mode starting with IOS-XE 17.2 rel.). The perpetual licenses then are back in game so that you can build DMVPN, GETVPN, or just regular IPSec-based connectivity. By default, Network Essentials and Network Advantage feature sets are bundled with DNA Essentials and DNA Advantage respectively.

No more restrictions for Essentials tier routers number

One of the advantages offered since August 2020 is that Cisco endured the limitation of 50 routers per SD-WAN overlay in the Essentials option. It means that you can choose an arbitrary scale of your WAN and build it based on Essentials licensing. With this single step, Cisco opened its solutions to the market of customers who use large-scale WANs but don’t want to apply the feature set that comes with the Advantage option.

SD-WAN features vs. Subscription tiers

From my experience, the two most important factors that impact the licensing level are security features and cloud deployment.

Fundamental connectivity, security, and monitoring features are a part of the Essentials plan. Those include (but are not limited to):

• Unlimited size (by subscription) of IPSec-secured SD-WAN overlay
• EIGRP, OSPF, BGP support on service side
• Dual Stack support
• Hub-Spoke, Full mesh and partial mesh topologies support
• ACL, Statefull firewall and IPS powered by Talos

Going further, you need the Advantage license to use any of the security features below:

• Cisco AMP
• URL filtering
• Public Cloud deployment (like vEdge Cloud router, Cloud on Ramp in AWS or Azure)
• Advanced BGP support or multicast
• Advanced Voice (SRST, voice ports FXS/FXO, SIP trunk)

To take advantage of Umbrella SIG (Secure Internet Gateway) and its features, you need to invest in the Premier tier.

Traffic isolation

Another thing worth mentioning is the traffic isolation. You might know the VRF or VRF-Lite concept (routing table virtualization and data plane separation), SD-WAN allows for keeping the traffic separated across the WAN. With the beginning of August 2020, the Essentials tier offers 2 service VPNs and 1 management VPN. To play with more service VPNs you need the Advantage or Premier license.

Bandwidth entitlement

The next step after choosing the right hardware (or software) platform for your company locations, and the right subscription tier, is the choice of bandwidth entitlement. It means that you choose the amount of expected traffic volume license that your SD-WAN router will process. The amount of traffic is calculated as the aggregated bandwidth for all transport side uplinks (up & down) that are expected to be utilized. This amount of traffic divided by 2 points to the license part number 🙂

Below a drawing from the Cisco ordering guide with an explanation of the process:

The license part number Cisco derives from the following scheme:

DNA – X – Y – Z – N

DNA – DNA licensing

X – C for Cloud or P for on-Premise controller deployment

Y – Bandwidth

Z – License tier

N – Subscription duration (years)

Example from ordering guide:

Mixing Cisco subscriptions

Let’s assume that your network comprises different sites – each with their own requirements. According to the licensing approach in SD-WAN, you’ll be able to mix different licenses in one overlay and use, for example, the Essentials set for regular sites and Advantage license for public cloud site (like Azure or AWS).

Will I pay for cloud controllers?

Last but not least, buying the Cisco SD-WAN you can choose between a cloud-managed and on-prem management option and it is all about the controllers’ location and controller infrastructure maintenance responsibility. With the first option controllers are located in Cisco’s cloud infrastructure (or AWS ;)), with the second, you have an option to setup your vManage, vSmart and vBond in your DC. No matter which option you will choose, you will not pay for the controllers extra. The price of SD-WAN subscription includes the controllers.

Interested in studying the Cisco SD-WAN concept? Grab a cup of coffee and read our series of SD-WAN articles.

See also Grandmetric and Cisco SD-WAN case study.