InfraRunBook
    Back to articles

    How Cisco Licensing Works (DNA, Smart Licensing Explained)

    Cisco
    Published: Mar 28, 2026
    Updated: Apr 13, 2026

    A deep-dive into Cisco Smart Licensing and DNA licensing on IOS-XE devices, covering CSSM, Smart Licensing Using Policy (SLP), DNA tiers, RUM reports, and license reservation for enterprise networks.

    How Cisco Licensing Works (DNA, Smart Licensing Explained)

    Introduction to Cisco Licensing

    Cisco licensing has evolved dramatically over the past decade. What was once a relatively simple process of entering a Product Authorization Key (PAK) and activating a feature set has grown into a cloud-managed, subscription-oriented ecosystem. Understanding how Cisco Smart Licensing and DNA (Digital Network Architecture) licensing work is essential for any network engineer managing Cisco infrastructure at scale. Mismanaging licenses can result in compliance violations, feature lockout during audits, and expensive emergency procurement at renewal time.

    This article breaks down the full Cisco licensing architecture — from traditional PAK-based licensing to Smart Licensing Using Policy (SLP) and Cisco DNA Center subscription tiers — and walks through the practical steps to register, manage, and troubleshoot licenses on IOS-XE devices such as the Catalyst 9000 series. All examples use sw-infrarunbook-01 as the target device with management connectivity to 10.10.10.0/24.

    The Evolution from PAK to Smart Licensing

    Before Smart Licensing, Cisco used Product Authorization Keys (PAKs). A PAK was a physical or electronic code redeemed at Cisco's license portal to generate a node-locked license file tied to a specific device UDI (Unique Device Identifier). While functional, PAK licensing had significant operational drawbacks:

    • License files were bound to specific device UDIs, making hardware replacements and RMA swaps painful
    • No centralized visibility into license utilization across the fleet
    • Each device required individual manual activation
    • No automated reconciliation against purchased entitlements
    • Lost PAK codes or corrupted license files caused production outages

    Smart Licensing, introduced broadly with IOS-XE 16.x and formalized in IOS-XE 17.x as Smart Licensing Using Policy (SLP), solves these problems by separating the license entitlement from the device hardware. Instead of installing a license file locally, the device reports its usage to a central pool managed through Cisco Smart Software Manager (CSSM), and entitlements are reconciled against what the organization has purchased.

    Smart Licensing Architecture Overview

    Smart Licensing has three primary infrastructure components that every engineer should understand:

    • Cisco Smart Software Manager (CSSM): The cloud-based SaaS portal where Cisco tracks your purchased license entitlements. Your Smart Account lives here. Devices report usage to CSSM and receive usage acknowledgements (ACKs) in return.
    • Smart Account and Virtual Accounts: A Smart Account is the top-level organizational container linked to your company's Cisco purchase agreements. Virtual Accounts (VAs) are sub-divisions within a Smart Account used to allocate licenses by department, geographic region, or business unit. For solvethenetwork.com, you might have VAs named Network-Infrastructure, DataCenter, and Branch-Sites.
    • SSM On-Premises (CSSM On-Prem): A locally hosted virtual appliance version of CSSM for air-gapped or high-security environments. It mirrors your Smart Account inventory and syncs with Cisco's cloud CSSM on a scheduled basis.

    Smart Licensing Using Policy (SLP) in Detail

    Starting with IOS-XE 17.3.2 on Catalyst 9000 series platforms, Cisco replaced the older Smart Licensing registration model with Smart Licensing Using Policy (SLP). This is now the default behavior on all current Catalyst 9000 deployments and represents a fundamental shift in how licensing is enforced.

    Under SLP, devices no longer need to register with CSSM before booting or enabling features. Instead, the device operates according to a license policy embedded in the IOS-XE software image and the purchased entitlement. The key behavioral changes are:

    • Devices boot and operate without requiring upfront CSSM registration
    • Usage is reported through Resource Utilization Measurement (RUM) reports sent to CSSM on a scheduled basis
    • An acknowledgement deadline exists — if a RUM report is not acknowledged within the policy window, the device enters a non-compliant state
    • For most enterprise perpetual licenses, the first report is due within 365 days; for subscription (DNA) licenses, the window is typically 90 days

    SLP defines three transport methods for RUM report delivery:

    1. Direct Cloud Access: The device connects directly to Cisco CSSM over HTTPS. Requires internet access from the management plane of the device.
    2. SSM On-Premises: Devices report to a locally hosted SSM On-Prem server, which then syncs with Cisco's cloud CSSM. Ideal for environments where devices must not have direct internet access.
    3. CSLU (Cisco Smart License Utility): A lightweight Windows-based application deployed on a management workstation that collects RUM reports from devices over HTTP and forwards them to CSSM cloud.

    Cisco DNA Licensing: Tiers and What They Cover

    DNA (Digital Network Architecture) licensing is a subscription-based license layer that sits on top of the base hardware license. It applies primarily to Catalyst 9000 series switches (9200, 9300, 9400, 9500, 9600) and ISR/ASR routers. DNA licenses are term-based — purchased in 1-year, 3-year, or 5-year increments — and are licensed per device.

    There are three DNA subscription tiers:

    • DNA Essentials: Covers foundational automation and telemetry. Includes basic Cisco DNA Center device management, Software Image Management (SWIM), basic network assurance, and SGT-based macro-segmentation for SD-Access.
    • DNA Advantage: Adds AI/ML-driven network assurance and analytics, Encrypted Traffic Analytics (ETA), Stealthwatch integration, advanced SD-Access with micro-segmentation, and Application Quality of Experience (AppQoE) visibility. This is the most commonly deployed tier in enterprise environments.
    • DNA Premier: The highest tier — includes all Advantage features plus additional AI/ML capabilities for predictive operations, Cisco ISE Premier licensing integration for advanced policy, and broader AI-driven lifecycle management.

    Alongside the DNA subscription, each Catalyst 9000 device also carries a base Network License that governs the hardware-level IOS-XE feature set:

    • Network Essentials: The standard feature baseline — OSPF, BGP, QoS, VLANs, STP, EtherChannel, standard Layer 2 and Layer 3 functionality
    • Network Advantage: Adds advanced features above Essentials including MPLS, LISP, advanced multicast, and GRE tunneling

    A typical enterprise Catalyst 9300 deployment would run Network Advantage + DNA Advantage to cover the full SD-Access and advanced analytics feature set. Smaller branch deployments may use Network Essentials + DNA Essentials for cost efficiency.

    Checking License Status on sw-infrarunbook-01

    On sw-infrarunbook-01, use the following commands to inspect the current Smart Licensing state:

    sw-infrarunbook-01# show license status

Smart Licensing is ENABLED

Export Authorization Key:
  Features Authorized: none

Smart Licensing Using Policy:
  Status: ENABLED

Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED

Transport:
  Type: Smart
  URL: https://smartreceiver.cisco.com/licservice/license
  Proxy: Not Configured

Policy:
  Policy in use: Merged from multiple sources.
  Reporting ACK required: yes (CISCO default)
  Unenforced/Non-Export Perpetual Attributes:
    First report requirement (days): 365 (CISCO default)
    Reporting frequency (days): 0 (CISCO default)
    Report on change (days): 90 (CISCO default)
  Unenforced/Non-Export Subscription Attributes:
    First report requirement (days): 90 (CISCO default)
    Reporting frequency (days): 90 (CISCO default)
    Report on change (days): 90 (CISCO default)

Usage Reporting:
  Last ACK received: 2026-01-15 08:22:14 UTC
  Next ACK deadline: 2026-04-15 08:22:14 UTC
  Reporting push interval: 30 days
  Next report push: 2026-02-14 08:22:14 UTC
  Last report push: 2026-01-15 08:22:14 UTC

Trust Code Installed: yes
  Active: PID:C9300-48P,SN:FCW2501XXXX
    INSTALLED on 2025-06-01 11:04:33 UTC
    sw-infrarunbook-01# show license summary

Account Information:
  Smart Account: solvethenetwork.com
  Virtual Account: Network-Infrastructure

Usage Reporting:
  Host: smartreceiver.cisco.com
  Last ACK received: 2026-01-15

License Usage:
  License                 Entitlement Tag               Count  Status
  ---------------------------------------------------------------------------
  network-advantage       (C9300-48 Network Advantage)      1  IN USE
  dna-advantage           (C9300-48 DNA Advantage)          1  IN USE
    sw-infrarunbook-01# show license usage

License Authorization:
  Status: IN COMPLIANCE  Wed Jan 15 08:22:14 UTC 2026

network-advantage (C9300-48 Network Advantage):
  Description: network-advantage
  Count: 1
  Version: 1.0
  Status: IN USE
  Export status: NOT RESTRICTED

dna-advantage (C9300-48 DNA Advantage):
  Description: dna-advantage
  Count: 1
  Version: 1.0
  Status: IN USE
  Export status: NOT RESTRICTED

    Configuring Smart Licensing Transport

    To configure sw-infrarunbook-01 to report directly to Cisco CSSM over HTTPS (Direct Cloud Access mode), apply the following configuration:

    sw-infrarunbook-01(config)# license smart transport smart
sw-infrarunbook-01(config)# license smart url smart https://smartreceiver.cisco.com/licservice/license
sw-infrarunbook-01(config)# end
sw-infrarunbook-01# write memory

    If the management plane routes through a proxy server at 10.10.10.50 on port 3128:

    sw-infrarunbook-01(config)# ip http proxy-server 10.10.10.50
sw-infrarunbook-01(config)# ip http proxy-port 3128
sw-infrarunbook-01(config)# license smart transport smart
sw-infrarunbook-01(config)# end

    For environments using CSLU running on a management server at 10.10.10.100:

    sw-infrarunbook-01(config)# license smart transport cslu
sw-infrarunbook-01(config)# license smart url cslu http://10.10.10.100:8182/cslu/v1/pi
sw-infrarunbook-01(config)# end
sw-infrarunbook-01# license smart sync local

    Generating a Trust Token and Establishing CSSM Trust

    Before a device can report usage and receive acknowledgements from CSSM, it must establish cryptographic trust using an ID token generated from within the Smart Account. The process is:

    1. Log into CSSM and navigate to your Virtual Account (e.g., Network-Infrastructure under solvethenetwork.com)
    2. Navigate to General > New Token
    3. Enter a description such as sw-infrarunbook-01, set an expiry of 30 days, and specify a max activation count
    4. Copy the generated token string
    5. Apply the token on the device using the trust command
    sw-infrarunbook-01# license smart trust idtoken ZGRlNzM1MDItMmM3NC00NmVj...TRUNCATED... local

Building configuration...
[OK]

Trust Code Installed: yes
  Active: PID:C9300-48P,SN:FCW2501XXXX
    INSTALLED on 2026-01-20 09:11:55 UTC

sw-infrarunbook-01# license smart sync local

Pushing usage report to CSSM cloud...
Successfully received ACK from CSSM.

    Air-Gapped Environments: Manual RUM Report Workflow

    In environments where sw-infrarunbook-01 has no outbound internet connectivity and no SSM On-Prem is deployed, you can use a fully manual offline workflow to stay compliant. This involves exporting the RUM report as a file, uploading it to CSSM manually via a browser, downloading the ACK file, and importing it back to the device.

    ! Step 1: Save the RUM report to local flash storage
sw-infrarunbook-01# license smart save usage all file flash:rum_report_jan2026.txt

! Step 2: Copy the file to a TFTP or SCP server on the management LAN
sw-infrarunbook-01# copy flash:rum_report_jan2026.txt scp://infrarunbook-admin@10.10.10.200/rum_reports/

! Step 3: Upload the .txt file to the CSSM portal
! In CSSM: Navigate to Reports > Usage Data Files > Upload Usage Data
! CSSM will generate an acknowledgement (ACK) file for download

! Step 4: Transfer the ACK file back to the device
sw-infrarunbook-01# copy scp://infrarunbook-admin@10.10.10.200/ack_files/ack_jan2026.txt flash:

! Step 5: Import the ACK into Smart Licensing
sw-infrarunbook-01# license smart import flash:ack_jan2026.txt

Import completed successfully.
Last ACK received: 2026-01-20 14:30:00 UTC

    License Reservation for Classified and Air-Gapped Networks

    Permanent License Reservation (PLR) or Specific License Reservation (SLR) is used for devices that can never communicate with CSSM under any circumstances — such as classified government systems, OT/ICS networks, or highly regulated financial infrastructure. With PLR, a reservation code permanently binds an entitlement to a specific device UDI with no ongoing reporting requirement whatsoever.

    ! Step 1: Enable reservation on the device
sw-infrarunbook-01(config)# license smart reservation
sw-infrarunbook-01(config)# end

! Step 2: Generate a reservation request code
sw-infrarunbook-01# license smart reservation request local

Reservation request code:
CB-ZC9300-48P:FCW2501XXXX-AABBCC112233-44

! Step 3: Enter this code in CSSM under License > License Reservation
! CSSM will generate an authorization code file

! Step 4: Install the CSSM-generated authorization code on the device
sw-infrarunbook-01# license smart reservation install file flash:slr_auth_code.txt

License reservation: ENABLED

! Step 5: Verify the reservation
sw-infrarunbook-01# show license reservation

License reservation: ENABLED
  Overall status:
    Active: PID:C9300-48P,SN:FCW2501XXXX
      Reservation status: SPECIFIC INSTALLED on Jan 20 2026 09:30:00
      Export-Controlled Functionality: ALLOWED

    Troubleshooting Common Smart Licensing Issues

    The most frequent issues seen in production involve CSSM connectivity failures, expired ACK deadlines, and mismatched Virtual Account assignments after device reassignment. Use the following commands on sw-infrarunbook-01 to diagnose:

    ! Verify connectivity to CSSM cloud endpoint
sw-infrarunbook-01# ping smartreceiver.cisco.com source Vlan10

! Show full Smart Licensing diagnostic output
sw-infrarunbook-01# show license tech support

! Force an immediate RUM report sync
sw-infrarunbook-01# license smart sync local

! Enable debug output for Smart Licensing transport
sw-infrarunbook-01# debug license all

! Check call-home configuration (needed for some transport modes)
sw-infrarunbook-01# show call-home

Current call-home settings:
  call-home feature: ENABLED
  call-home message from address: infrarunbook-admin@solvethenetwork.com
  call-home message reply-to address: infrarunbook-admin@solvethenetwork.com
  vrf for call-home messages: Mgmt-vrf

! Reset Smart Licensing state completely (removes trust — use with caution)
sw-infrarunbook-01# license smart factory reset

    Warning: Running

    license smart factory reset
    removes the installed trust code and all locally cached license information. The device will need to re-establish trust with CSSM before its next reporting cycle. Only use this during initial re-onboarding or when moving a device between Smart Accounts.

    Cisco DNA Center License Manager Integration

    When Cisco DNA Center is deployed for network management, license operations can be centralized through the DNA Center License Manager UI rather than managing each device individually via CLI. Under Tools > License Manager in DNA Center, administrators can:

    • View a compliance dashboard across all managed devices, highlighting any that are non-compliant or approaching expiry
    • Bulk-assign DNA license tiers to device groups
    • Automate RUM report collection — DNA Center aggregates reports from all managed devices and submits them to CSSM as a single batch
    • Configure automated renewal alerts for DNA subscription licenses approaching their end date
    • View per-device license history and entitlement details

    DNA Center must be registered to CSSM using its own Smart Account credentials. Once registered, managed devices route their Smart Licensing traffic through DNA Center, eliminating the need for individual device internet access for licensing purposes. This is the recommended architecture for large-scale Catalyst 9000 deployments.

    License Management Best Practices

    • Deploy SSM On-Prem or CSLU in any environment where managed devices cannot have direct internet access from their management plane
    • Organize Virtual Accounts by logical grouping (site, business unit, or device family) to improve license allocation visibility
    • Monitor ACK deadlines weekly — the default 90-day subscription window goes fast in busy change periods
    • Stay current on IOS-XE major versions; Smart Licensing behavior and policy defaults change between 16.x, 17.3, and later 17.x trains
    • Track DNA subscription expiry dates in your CMDB and set renewal alerts 90 days before expiration to avoid procurement gaps
    • Document your Smart Account hierarchy in your ITSM system, including which Virtual Account corresponds to which site or team
    • Test the full sync workflow after initial device onboarding — confirm CSSM shows the device as IN COMPLIANCE before closing the change ticket
    • For devices going through RMA, deregister the old device in CSSM before bringing the replacement online to avoid double-counting entitlements

    Related Articles

    Frequently Asked Questions

    What happens if a Cisco device misses its Smart License ACK deadline?

    The device enters a non-compliant state and generates periodic syslog and SNMP trap alerts. For most non-export-controlled licenses on Catalyst 9000 platforms, the device continues to operate normally — Cisco's SLP policy maintains service continuity while alerting the administrator. Features are not immediately disabled for standard enterprise licenses, but persistent non-compliance is flagged during audits and can complicate renewal negotiations.

    What is the difference between Network Essentials and DNA Essentials?

    Network Essentials is a perpetual base hardware license covering standard IOS-XE features such as OSPF, BGP, VLANs, STP, and QoS. DNA Essentials is a separate term-based subscription license unlocking Cisco DNA Center management, basic SD-Access macro-segmentation using SGTs, SWIM, and basic assurance telemetry. A device requires both a Network license and a DNA license for full managed functionality.

    Can I move a DNA license from one device to another?

    Under Smart Licensing Using Policy, entitlements are held in CSSM and are not node-locked by default. You can reassign within your Virtual Account by removing one device and adding another. However, DNA subscription SKUs may be tied to specific device families per your purchase order — verify entitlement terms before reassigning between device types.

    What is SSM On-Premises and when should I deploy it?

    SSM On-Premises is a Cisco virtual appliance running a local CSSM instance. Deploy it when network devices cannot have direct outbound internet access, or when managing hundreds of devices that would generate excessive direct CSSM cloud connections. It syncs with Cisco cloud CSSM on a configurable schedule to reconcile license counts.

    How do I identify which features require DNA Advantage versus DNA Essentials?

    Use Cisco Feature Navigator to search by feature and find the minimum license tier required. As a practical rule: basic DNA Center onboarding and SWIM require DNA Essentials; SD-Access micro-segmentation, AI/ML assurance, Encrypted Traffic Analytics (ETA), and Stealthwatch integration require DNA Advantage or higher.

    What is a RUM report and how often is it generated?

    A Resource Utilization Measurement (RUM) report describes which license entitlements a device is consuming. Under SLP, reports are pushed on a policy-driven schedule — typically every 30 days — with the first report required within 365 days for perpetual licenses and 90 days for subscription licenses. Force an immediate sync with 'license smart sync local'.

    How does Specific License Reservation (SLR) differ from Permanent License Reservation (PLR)?

    SLR reserves specific named license entitlements (e.g., one Network Advantage, one DNA Advantage) to a specific device UDI. PLR grants unrestricted access to all licensed features without specifying individual entitlements. PLR consumes a broader entitlement from your Smart Account and requires explicit Cisco approval before PLR tokens are issued.

    Does Smart Licensing affect the IOS-XE boot sequence?

    Under Smart Licensing Using Policy, the boot process is not gated by license registration. The device boots fully and all features remain available regardless of CSSM contact status. The device simply begins counting down its reporting deadline from first use. This is a major improvement over legacy PAK licensing where missing license files could block feature activation.

    What is the difference between classic Smart Licensing and Smart Licensing Using Policy (SLP)?

    Classic Smart Licensing required devices to register with CSSM and receive an authorization certificate before licensed features could be used. SLP, introduced in IOS-XE 17.3.2+, eliminates upfront registration entirely. Devices operate freely from boot and only need to report usage at defined policy intervals. The enforcement policy is embedded in the software rather than enforced through a registration gate.

    Can I use CSLU on a Linux management server?

    CSLU is officially supported on Windows only. For Linux environments, the recommended alternative is SSM On-Premises, distributed as a KVM or VMware OVA. Some teams run a dedicated Windows VM solely for CSLU in their management VLAN. If SSM On-Prem is already deployed, CSLU adds little value and SSM On-Prem should be preferred.

    Related Articles