explained
SD-WAN is an emerging technology and is well known for its subscription-based approach. It means that when you design an SD-WAN solution, it comes with a subscription model, usually time-based. I will not elaborate on how good or bad this idea is because that’s how the entire subscription world works, whether we like it or not. My post is intended for those who want a quick overview of Cisco SD-WAN licensing before they decide which way to go.
Some time ago, Cisco created the DNA (Digital Network Architecture) licensing approach for routing, switching and wireless architectures.
For the WAN area – routing (where SD-WAN lies), Cisco proposes three types of licenses, so-called subscription DNA tiers:
All of the above licenses are time-based. Essentials and Premier can last for three and five years, while the Advantage plan can be set to three, five, or seven years. At first glance, there are no meaningful differences between the plans, since you can build an SD-WAN network using any of them. The devil, as always, lies in the details. I will elaborate a little more on those details later in this post.
The second thing is perpetual licensing, a permanent element that sticks with the hardware, which is:
SD-WAN functionality is a pure subscription-based offering, meaning that you can keep using the router devices after the time-based SD-WAN subscription expires, but only with the standard routing capabilities (this requires an image update to Cisco IOS XE or, starting with IOS-XE release 17.2, switching to autonomous mode). The perpetual licenses are then back in the game, so you can build DMVPN, GETVPN, or just regular IPsec-based connectivity. By default, the Network Essentials and Network Advantage feature sets are bundled with DNA Essentials and DNA Advantage respectively.
One of the advantages offered since August 2020 is that Cisco removed the limitation of 50 routers per SD-WAN overlay in the Essentials option. It means that you can choose an arbitrary scale for your WAN and build it on Essentials licensing. With this single step, Cisco opened its solutions to customers who run large-scale WANs but don’t want the feature set that comes with the Advantage option.
From my experience, the two most important factors that impact the licensing level are security features and cloud deployment.
Fundamental connectivity, security, and monitoring features are a part of the Essentials plan. Those include (but are not limited to):
Going further, you need the Advantage license to use any of the security features below:
To take advantage of Umbrella SIG (Secure Internet Gateway) and its features, you need to invest in the Premier tier.
Another thing worth mentioning is traffic isolation. You might know the VRF or VRF-Lite concept (routing table virtualization and data plane separation); in the same way, SD-WAN allows traffic to be kept separated across the WAN. As of the beginning of August 2020, the Essentials tier offers 2 service VPNs and 1 management VPN. To play with more service VPNs you need the Advantage or Premier license.
The next step, after choosing the right hardware (or software) platform for your company locations and the right subscription tier, is choosing the bandwidth entitlement. This means that you license the volume of traffic you expect your SD-WAN router to process. The amount of traffic is calculated as the aggregated bandwidth for all transport-side uplinks (up and down) that are expected to be utilized. This amount of traffic divided by 2 points to the license part number 🙂
Below is a drawing from the Cisco ordering guide with an explanation of the process:
Cisco derives the license part number from the following scheme:
DNA – X – Y – Z – N
DNA – DNA licensing
X – C for Cloud or P for on-Premise controller deployment
Y – Bandwidth
Z – License tier
N – Subscription duration (years)
Example from ordering guide:
Let’s assume that your network comprises different sites, each with its own requirements. According to the licensing approach in SD-WAN, you’ll be able to mix different licenses in one overlay and use, for example, the Essentials set for regular sites and the Advantage license for a public cloud site (like Azure or AWS).
Last but not least, when buying Cisco SD-WAN you can choose between a cloud-managed and an on-prem management option; the difference is all about where the controllers are located and who is responsible for maintaining the controller infrastructure. With the first option, the controllers are located in Cisco’s cloud infrastructure (or AWS ;)); with the second, you can set up your vManage, vSmart and vBond in your own DC. No matter which option you choose, you will not pay extra for the controllers. The price of the SD-WAN subscription includes the controllers.
Thank you Marcin for this article. Can you explain what will be needed to use BGP capabilities after the 3 years Essential DNA license expires? We do not need SD-WAN capabilities and just want to use routers as BGP gateways to the internet. Will we still be eligible for autonomous mode software upgrades?
Hello Adrian, thanks for the question. If you need to use the Cisco routers with “pure” routing / BGP capabilities, you can just buy the router platform and go ahead with the classic licensing model. If you buy SD-WAN first and then want to use routing after the SD-WAN subs expire, you need to take a look at the feature set you want to use and choose the proper SD-WAN subscription (Essentials or Advantage). They refer to Network Essentials and Advantage respectively, options that are perpetual. You can refer to https://www.cisco.com/c/m/en_us/products/software/sd-wan-routing-matrix.html for details. You should be OK with Essentials for basic BGP capabilities. After the licenses expire you can go ahead with the controller-based to autonomous conversion and use the Essentials network stack as long as you have support coverage.