How Cisco Licensing Works (DNA, Smart Licensing Explained)

Introduction to Cisco Licensing

Cisco licensing has evolved dramatically over the past decade. What was once a relatively simple process of entering a Product Authorization Key (PAK) and activating a feature set has grown into a cloud-managed, subscription-oriented ecosystem. Understanding how Cisco Smart Licensing and DNA (Digital Network Architecture) licensing work is essential for any network engineer managing Cisco infrastructure at scale. Mismanaging licenses can result in compliance violations, feature lockout during audits, and expensive emergency procurement at renewal time.

This article breaks down the full Cisco licensing architecture — from traditional PAK-based licensing to Smart Licensing Using Policy (SLP) and Cisco DNA Center subscription tiers — and walks through the practical steps to register, manage, and troubleshoot licenses on IOS-XE devices such as the Catalyst 9000 series. All examples use sw-infrarunbook-01 as the target device with management connectivity to 10.10.10.0/24.

The Evolution from PAK to Smart Licensing

Before Smart Licensing, Cisco used Product Authorization Keys (PAKs). A PAK was a physical or electronic code redeemed at Cisco's license portal to generate a node-locked license file tied to a specific device UDI (Unique Device Identifier). While functional, PAK licensing had significant operational drawbacks:

• License files were bound to specific device UDIs, making hardware replacements and RMA swaps painful
• No centralized visibility into license utilization across the fleet
• Each device required individual manual activation
• No automated reconciliation against purchased entitlements
• Lost PAK codes or corrupted license files caused production outages

Smart Licensing, introduced broadly with IOS-XE 16.x and formalized in IOS-XE 17.x as Smart Licensing Using Policy (SLP), solves these problems by separating the license entitlement from the device hardware. Instead of installing a license file locally, the device reports its usage to a central pool managed through Cisco Smart Software Manager (CSSM), and entitlements are reconciled against what the organization has purchased.

Smart Licensing Architecture Overview

Smart Licensing has three primary infrastructure components that every engineer should understand:

• Cisco Smart Software Manager (CSSM): The cloud-based SaaS portal where Cisco tracks your purchased license entitlements. Your Smart Account lives here. Devices report usage to CSSM and receive usage acknowledgements (ACKs) in return.
• Smart Account and Virtual Accounts: A Smart Account is the top-level organizational container linked to your company's Cisco purchase agreements. Virtual Accounts (VAs) are sub-divisions within a Smart Account used to allocate licenses by department, geographic region, or business unit. For solvethenetwork.com, you might have VAs named Network-Infrastructure, DataCenter, and Branch-Sites.
• SSM On-Premises (CSSM On-Prem): A locally hosted virtual appliance version of CSSM for air-gapped or high-security environments. It mirrors your Smart Account inventory and syncs with Cisco's cloud CSSM on a scheduled basis.

Smart Licensing Using Policy (SLP) in Detail

Starting with IOS-XE 17.3.2 on Catalyst 9000 series platforms, Cisco replaced the older Smart Licensing registration model with Smart Licensing Using Policy (SLP). This is now the default behavior on all current Catalyst 9000 deployments and represents a fundamental shift in how licensing is enforced.

Under SLP, devices no longer need to register with CSSM before booting or enabling features. Instead, the device operates according to a license policy embedded in the IOS-XE software image and the purchased entitlement. The key behavioral changes are:

• Devices boot and operate without requiring upfront CSSM registration
• Usage is reported through Resource Utilization Measurement (RUM) reports sent to CSSM on a scheduled basis
• An acknowledgement deadline exists — if a RUM report is not acknowledged within the policy window, the device enters a non-compliant state
• For most enterprise perpetual licenses, the first report is due within 365 days; for subscription (DNA) licenses, the window is typically 90 days

SLP defines three transport methods for RUM report delivery:

1. Direct Cloud Access: The device connects directly to Cisco CSSM over HTTPS. Requires internet access from the management plane of the device.
2. SSM On-Premises: Devices report to a locally hosted SSM On-Prem server, which then syncs with Cisco's cloud CSSM. Ideal for environments where devices must not have direct internet access.
3. CSLU (Cisco Smart License Utility): A lightweight Windows-based application deployed on a management workstation that collects RUM reports from devices over HTTP and forwards them to CSSM cloud.

Cisco DNA Licensing: Tiers and What They Cover

DNA (Digital Network Architecture) licensing is a subscription-based license layer that sits on top of the base hardware license. It applies primarily to Catalyst 9000 series switches (9200, 9300, 9400, 9500, 9600) and ISR/ASR routers. DNA licenses are term-based — purchased in 1-year, 3-year, or 5-year increments — and are licensed per device.

There are three DNA subscription tiers:

• DNA Essentials: Covers foundational automation and telemetry. Includes basic Cisco DNA Center device management, Software Image Management (SWIM), basic network assurance, and SGT-based macro-segmentation for SD-Access.
• DNA Advantage: Adds AI/ML-driven network assurance and analytics, Encrypted Traffic Analytics (ETA), Stealthwatch integration, advanced SD-Access with micro-segmentation, and Application Quality of Experience (AppQoE) visibility. This is the most commonly deployed tier in enterprise environments.
• DNA Premier: The highest tier — includes all Advantage features plus additional AI/ML capabilities for predictive operations, Cisco ISE Premier licensing integration for advanced policy, and broader AI-driven lifecycle management.

Alongside the DNA subscription, each Catalyst 9000 device also carries a base Network License that governs the hardware-level IOS-XE feature set:

• Network Essentials: The standard feature baseline — OSPF, BGP, QoS, VLANs, STP, EtherChannel, standard Layer 2 and Layer 3 functionality
• Network Advantage: Adds advanced features above Essentials including MPLS, LISP, advanced multicast, and GRE tunneling

A typical enterprise Catalyst 9300 deployment would run Network Advantage + DNA Advantage to cover the full SD-Access and advanced analytics feature set. Smaller branch deployments may use Network Essentials + DNA Essentials for cost efficiency.

Checking License Status on sw-infrarunbook-01

On sw-infrarunbook-01, use the following commands to inspect the current Smart Licensing state:

sw-infrarunbook-01# show license status

Smart Licensing is ENABLED

Export Authorization Key:
  Features Authorized: none

Smart Licensing Using Policy:
  Status: ENABLED

Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED

Transport:
  Type: Smart
  URL: https://smartreceiver.cisco.com/licservice/license
  Proxy: Not Configured

Policy:
  Policy in use: Merged from multiple sources.
  Reporting ACK required: yes (CISCO default)
  Unenforced/Non-Export Perpetual Attributes:
    First report requirement (days): 365 (CISCO default)
    Reporting frequency (days): 0 (CISCO default)
    Report on change (days): 90 (CISCO default)
  Unenforced/Non-Export Subscription Attributes:
    First report requirement (days): 90 (CISCO default)
    Reporting frequency (days): 90 (CISCO default)
    Report on change (days): 90 (CISCO default)

Usage Reporting:
  Last ACK received: 2026-01-15 08:22:14 UTC
  Next ACK deadline: 2026-04-15 08:22:14 UTC
  Reporting push interval: 30 days
  Next report push: 2026-02-14 08:22:14 UTC
  Last report push: 2026-01-15 08:22:14 UTC

Trust Code Installed: yes
  Active: PID:C9300-48P,SN:FCW2501XXXX
    INSTALLED on 2025-06-01 11:04:33 UTC

sw-infrarunbook-01# show license summary

Account Information:
  Smart Account: solvethenetwork.com
  Virtual Account: Network-Infrastructure

Usage Reporting:
  Host: smartreceiver.cisco.com
  Last ACK received: 2026-01-15

License Usage:
  License                 Entitlement Tag               Count  Status
  ---------------------------------------------------------------------------
  network-advantage       (C9300-48 Network Advantage)      1  IN USE
  dna-advantage           (C9300-48 DNA Advantage)          1  IN USE

sw-infrarunbook-01# show license usage

License Authorization:
  Status: IN COMPLIANCE  Wed Jan 15 08:22:14 UTC 2026

network-advantage (C9300-48 Network Advantage):
  Description: network-advantage
  Count: 1
  Version: 1.0
  Status: IN USE
  Export status: NOT RESTRICTED

dna-advantage (C9300-48 DNA Advantage):
  Description: dna-advantage
  Count: 1
  Version: 1.0
  Status: IN USE
  Export status: NOT RESTRICTED

Configuring Smart Licensing Transport

To configure sw-infrarunbook-01 to report directly to Cisco CSSM over HTTPS (Direct Cloud Access mode), apply the following configuration:

sw-infrarunbook-01(config)# license smart transport smart
sw-infrarunbook-01(config)# license smart url smart https://smartreceiver.cisco.com/licservice/license
sw-infrarunbook-01(config)# end
sw-infrarunbook-01# write memory

If the management plane routes through a proxy server at 10.10.10.50 on port 3128:

sw-infrarunbook-01(config)# ip http proxy-server 10.10.10.50
sw-infrarunbook-01(config)# ip http proxy-port 3128
sw-infrarunbook-01(config)# license smart transport smart
sw-infrarunbook-01(config)# end

For environments using CSLU running on a management server at 10.10.10.100:

sw-infrarunbook-01(config)# license smart transport cslu
sw-infrarunbook-01(config)# license smart url cslu http://10.10.10.100:8182/cslu/v1/pi
sw-infrarunbook-01(config)# end
sw-infrarunbook-01# license smart sync local

Generating a Trust Token and Establishing CSSM Trust

Before a device can report usage and receive acknowledgements from CSSM, it must establish cryptographic trust using an ID token generated from within the Smart Account. The process is:

1. Log into CSSM and navigate to your Virtual Account (e.g., Network-Infrastructure under solvethenetwork.com)
2. Navigate to General > New Token
3. Enter a description such as sw-infrarunbook-01, set an expiry of 30 days, and specify a max activation count
4. Copy the generated token string
5. Apply the token on the device using the trust command

sw-infrarunbook-01# license smart trust idtoken ZGRlNzM1MDItMmM3NC00NmVj...TRUNCATED... local

Building configuration...
[OK]

Trust Code Installed: yes
  Active: PID:C9300-48P,SN:FCW2501XXXX
    INSTALLED on 2026-01-20 09:11:55 UTC

sw-infrarunbook-01# license smart sync local

Pushing usage report to CSSM cloud...
Successfully received ACK from CSSM.

Air-Gapped Environments: Manual RUM Report Workflow

In environments where sw-infrarunbook-01 has no outbound internet connectivity and no SSM On-Prem is deployed, you can use a fully manual offline workflow to stay compliant. This involves exporting the RUM report as a file, uploading it to CSSM manually via a browser, downloading the ACK file, and importing it back to the device.

! Step 1: Save the RUM report to local flash storage
sw-infrarunbook-01# license smart save usage all file flash:rum_report_jan2026.txt

! Step 2: Copy the file to a TFTP or SCP server on the management LAN
sw-infrarunbook-01# copy flash:rum_report_jan2026.txt scp://infrarunbook-admin@10.10.10.200/rum_reports/

! Step 3: Upload the .txt file to the CSSM portal
! In CSSM: Navigate to Reports > Usage Data Files > Upload Usage Data
! CSSM will generate an acknowledgement (ACK) file for download

! Step 4: Transfer the ACK file back to the device
sw-infrarunbook-01# copy scp://infrarunbook-admin@10.10.10.200/ack_files/ack_jan2026.txt flash:

! Step 5: Import the ACK into Smart Licensing
sw-infrarunbook-01# license smart import flash:ack_jan2026.txt

Import completed successfully.
Last ACK received: 2026-01-20 14:30:00 UTC

License Reservation for Classified and Air-Gapped Networks

Permanent License Reservation (PLR) or Specific License Reservation (SLR) is used for devices that can never communicate with CSSM under any circumstances — such as classified government systems, OT/ICS networks, or highly regulated financial infrastructure. With PLR, a reservation code permanently binds an entitlement to a specific device UDI with no ongoing reporting requirement whatsoever.

! Step 1: Enable reservation on the device
sw-infrarunbook-01(config)# license smart reservation
sw-infrarunbook-01(config)# end

! Step 2: Generate a reservation request code
sw-infrarunbook-01# license smart reservation request local

Reservation request code:
CB-ZC9300-48P:FCW2501XXXX-AABBCC112233-44

! Step 3: Enter this code in CSSM under License > License Reservation
! CSSM will generate an authorization code file

! Step 4: Install the CSSM-generated authorization code on the device
sw-infrarunbook-01# license smart reservation install file flash:slr_auth_code.txt

License reservation: ENABLED

! Step 5: Verify the reservation
sw-infrarunbook-01# show license reservation

License reservation: ENABLED
  Overall status:
    Active: PID:C9300-48P,SN:FCW2501XXXX
      Reservation status: SPECIFIC INSTALLED on Jan 20 2026 09:30:00
      Export-Controlled Functionality: ALLOWED

Troubleshooting Common Smart Licensing Issues

The most frequent issues seen in production involve CSSM connectivity failures, expired ACK deadlines, and mismatched Virtual Account assignments after device reassignment. Use the following commands on sw-infrarunbook-01 to diagnose:

! Verify connectivity to CSSM cloud endpoint
sw-infrarunbook-01# ping smartreceiver.cisco.com source Vlan10

! Show full Smart Licensing diagnostic output
sw-infrarunbook-01# show license tech support

! Force an immediate RUM report sync
sw-infrarunbook-01# license smart sync local

! Enable debug output for Smart Licensing transport
sw-infrarunbook-01# debug license all

! Check call-home configuration (needed for some transport modes)
sw-infrarunbook-01# show call-home

Current call-home settings:
  call-home feature: ENABLED
  call-home message from address: infrarunbook-admin@solvethenetwork.com
  call-home message reply-to address: infrarunbook-admin@solvethenetwork.com
  vrf for call-home messages: Mgmt-vrf

! Reset Smart Licensing state completely (removes trust — use with caution)
sw-infrarunbook-01# license smart factory reset

Warning: Running

license smart factory reset

removes the installed trust code and all locally cached license information. The device will need to re-establish trust with CSSM before its next reporting cycle. Only use this during initial re-onboarding or when moving a device between Smart Accounts.

Cisco DNA Center License Manager Integration

When Cisco DNA Center is deployed for network management, license operations can be centralized through the DNA Center License Manager UI rather than managing each device individually via CLI. Under Tools > License Manager in DNA Center, administrators can:

• View a compliance dashboard across all managed devices, highlighting any that are non-compliant or approaching expiry
• Bulk-assign DNA license tiers to device groups
• Automate RUM report collection — DNA Center aggregates reports from all managed devices and submits them to CSSM as a single batch
• Configure automated renewal alerts for DNA subscription licenses approaching their end date
• View per-device license history and entitlement details

DNA Center must be registered to CSSM using its own Smart Account credentials. Once registered, managed devices route their Smart Licensing traffic through DNA Center, eliminating the need for individual device internet access for licensing purposes. This is the recommended architecture for large-scale Catalyst 9000 deployments.

License Management Best Practices

• Deploy SSM On-Prem or CSLU in any environment where managed devices cannot have direct internet access from their management plane
• Organize Virtual Accounts by logical grouping (site, business unit, or device family) to improve license allocation visibility
• Monitor ACK deadlines weekly — the default 90-day subscription window goes fast in busy change periods
• Stay current on IOS-XE major versions; Smart Licensing behavior and policy defaults change between 16.x, 17.3, and later 17.x trains
• Track DNA subscription expiry dates in your CMDB and set renewal alerts 90 days before expiration to avoid procurement gaps
• Document your Smart Account hierarchy in your ITSM system, including which Virtual Account corresponds to which site or team
• Test the full sync workflow after initial device onboarding — confirm CSSM shows the device as IN COMPLIANCE before closing the change ticket
• For devices going through RMA, deregister the old device in CSSM before bringing the replacement online to avoid double-counting entitlements

---

Frequently Asked Questions

Q: What happens if a Cisco device misses its Smart License ACK deadline?

A: The device enters a non-compliant state and begins generating periodic syslog and SNMP trap alerts. For most non-export-controlled licenses on Catalyst 9000 platforms, the device continues to operate normally — Cisco's SLP policy is designed to maintain service continuity while alerting the administrator. Features are not immediately disabled for standard enterprise licenses. However, persistent non-compliance is flagged during Cisco audits and can complicate renewal negotiations. The specific enforcement behavior depends on the policy encoded in the license entitlement and the IOS-XE version running on the device.

Q: What is the difference between Network Essentials and DNA Essentials?

A: Network Essentials is a perpetual base hardware license covering standard IOS-XE features such as OSPF, BGP, VLANs, STP, and QoS — these are the features available in the platform hardware without any subscription. DNA Essentials is a separate term-based subscription license that unlocks Cisco DNA Center management capabilities, basic SD-Access macro-segmentation using SGTs, Software Image Management (SWIM), and basic network assurance telemetry. A device requires both a Network license and a DNA license to access the full managed and automated feature set. They operate on different billing dimensions: Network licenses are typically perpetual; DNA licenses always expire.

Q: Can I move a DNA license from one device to another?

A: Under Smart Licensing Using Policy, license entitlements are held in CSSM and are not node-locked to individual devices by default (SLR/PLR being the exceptions). Within your Virtual Account, you can effectively reassign a license by removing one device from management and adding another. However, DNA subscription SKUs are tied to purchase orders that may specify particular device families or models — for example, a C9300-24 DNA Advantage license may not be valid for a C9300-48. Always verify the entitlement terms in your purchase order or with your Cisco account team before reassigning licenses between device types.

Q: What is SSM On-Premises and when should I deploy it?

A: SSM On-Premises (Smart Software Manager On-Prem) is a Cisco-provided virtual appliance that runs a local instance of the CSSM licensing portal within your data center. It is the right choice when your network devices cannot have direct outbound internet access for policy or security reasons, or when you manage hundreds or thousands of devices and want to avoid high-volume direct connections to Cisco's cloud. SSM On-Prem syncs with Cisco's cloud CSSM on a configurable schedule (typically daily or weekly) to reconcile license counts and download the latest policy updates.

Q: How do I identify which features require DNA Advantage versus DNA Essentials?

A: The most authoritative source is the Cisco Feature Navigator tool, which lets you search by feature name and returns the minimum platform, software release, and license tier required. Cisco also publishes detailed licensing datasheets for each Catalyst 9000 SKU that map every feature to a license tier. As a practical rule of thumb: basic DNA Center device onboarding, inventory, and SWIM require DNA Essentials; SD-Access fabric with micro-segmentation, AI/ML-driven assurance, Encrypted Traffic Analytics (ETA), and Stealthwatch integration all require DNA Advantage or higher.

Q: What is a RUM report and how often is it generated?

A: A Resource Utilization Measurement (RUM) report is the telemetry payload a device generates to describe which license entitlements it is actively consuming and at what count. Under SLP, RUM reports are generated locally and pushed to CSSM on a policy-driven schedule: typically every 30 days as a push interval, with the first report required within 365 days for perpetual licenses and 90 days for subscription licenses. You can view the reporting schedule with

show license status

and force an immediate sync at any time using

license smart sync local

.

Q: How does Specific License Reservation (SLR) differ from Permanent License Reservation (PLR)?

A: Both SLR and PLR are designed for devices that can never communicate with CSSM. The distinction is granularity. SLR (Specific License Reservation) allows you to reserve specific named license entitlements to a device — for example, exactly one Network Advantage and one DNA Advantage license. PLR (Permanent License Reservation) grants the device unrestricted access to all licensed features without specifying individual entitlements; it is typically used for devices that need all possible features enabled permanently. PLR consumes a broader entitlement from your Smart Account, so Cisco requires explicit justification and approval before granting PLR tokens.

Q: Does Smart Licensing affect the IOS-XE boot sequence?

A: Under Smart Licensing Using Policy, the boot process is not gated by license registration status. The device boots fully and all features remain available regardless of whether CSSM has been contacted or a trust token has been installed. The device simply begins counting down its reporting deadline from first use. This is a significant improvement over pre-SLP Smart Licensing and legacy PAK licensing, where missing or invalid license files could block feature activation at boot time. The trade-off is that the responsibility for compliance shifts entirely to the administrator — there is no automatic enforcement gate to catch unlicensed deployments.

Q: How does Cisco DNA Center communicate with CSSM on behalf of managed devices?

A: DNA Center acts as a licensing proxy and aggregator. It registers itself with CSSM using its own Smart Account credentials and then collects RUM reports from all managed devices through the southbound API channel used for device management. DNA Center batches these reports and submits them to CSSM, then distributes the resulting ACK files back to each individual device. This means individual managed devices do not need any CSSM connectivity of their own when fully managed by DNA Center. The compliance status seen in DNA Center's License Manager UI reflects what CSSM has acknowledged, updated on the next sync cycle.

Q: What is the difference between classic Smart Licensing and Smart Licensing Using Policy (SLP)?

A: Classic Smart Licensing (used in IOS-XE 16.x through 17.2) required devices to actively register with CSSM and receive an authorization certificate before licensed features could be used. The registration had to be renewed periodically or features would be restricted. Smart Licensing Using Policy (SLP), introduced in IOS-XE 17.3.2+, eliminates the registration and upfront authorization requirement entirely. Devices operate freely from boot and only need to report usage at defined intervals. The policy governing enforcement behavior — including what happens if reporting deadlines are missed — is embedded directly in the software and entitlement, rather than being enforced through a registration gate. SLP is more resilient to CSSM outages and dramatically simplifies device onboarding.

Q: Can I use CSLU (Cisco Smart License Utility) on a Linux management server?

A: As of current Cisco documentation, CSLU is officially supported on Windows only and is distributed as a Windows executable. For Linux-centric management environments, the recommended alternative is SSM On-Premises, which is distributed as a KVM or VMware OVA and runs on standard Linux-based hypervisors. Some teams work around the CSLU limitation by running a lightweight Windows VM in a dedicated management VLAN at 10.10.10.0/24 solely for the purpose of running CSLU, which then forwards reports upstream to CSSM cloud. If your environment already has SSM On-Prem, CSLU adds little value and SSM On-Prem should be preferred.

Q: How do I handle Smart Licensing during an RMA device swap?

A: When replacing a failed device through RMA, the recommended process is: first, note the old device's UDI from CSSM inventory; second, once the replacement device is racked and powered, establish its trust token and allow it to sync its usage to CSSM; third, log into CSSM and remove the old device's UDI from the Virtual Account inventory. If the old device is still online temporarily during the swap, both devices will briefly appear as IN USE against the same entitlement, which may trigger an overage alert. This resolves automatically once the old device is removed from CSSM. For SLR-reserved devices, you must first cancel the reservation on the old device before CSSM will release the entitlement for use on the replacement.