When we talk about the Layer 2 or Layer 3 switching, we should know the main Cisco IOS Software feature licenses. And the Layer 2 and layer 3 switching seem a hot and popular topics discussed in Cisco switch users.

• Cisco License Verification
• Cisco License Pak

Cisco User Connect Licensing (UCL) provides per-user based licensing for individual Cisco Unified Communications applications, including the applications server software, user licensing, and a soft client. User Connect Licensing is available in Essential, Basic, Enhanced, and Enhanced Plus versions. When it comes to Cisco, you have choice in how you purchase, consume and deploy software. Get started with Smart Licensing Cisco Smart Licensing is a flexible software licensing method that simplifies the way you activate and manage licenses across your organization.

How to deal with the problems about the Layer 2 or Layer 3 Switching?How to choose and upgrade yourCisco IOS Software Feature License?

In this article, we will share Steven Song’s summary about the Cisco IOS Software Licenses for Layer 2 or Layer 3 Switching, which tell the main differences of Cisco IOS Software feature licenses for switching.

There are 4 common Cisco IOS Software feature licenses for Cisco Catalyst 2K and 3K switches.

LAN Lite:Enterprise EntryLevel Layer 2 Switching
LAN Base: Enterprise Access Layer 2 Switching
IP Base: Enterprise Access Layer 3 Switching
IP Services: Advanced Layer 3 Switching

To be specific, we will concentrate on these popular Cisco Catalyst switches: Cisco Catalyst 2960, Catalyst 2960-S, Catalyst 3560-X and Catalyst 3750-X switches.

LAN Lite License: Cisco Catalyst 2960 and 2960-S Series Switches

LAN Lite and LAN Base are two common licenses for the 2960 and 2960-S switches. As its name suggests, LAN Lite is an entry level license for enterprise layer 2 access switches with many useful features including 802.1Q trunking, (M)STP, STP extensions, CDP, DTP, UDLD, VTPv2, PAGP/LACP, and LLDP. It also supports important security features such as TACACS+, RADIUS, port security, 802.1X and DHCP snooping. At this level, this license does not provide layer 3 routing capabilities. Nor does it have advanced security and management capabilities such as Dynamic ARP Inspection and advanced QoS beyond some basic functions, for example priority queuing.

Related:

Introducing the New Cisco Catalyst 2960-L LAN Lite Series Switches

LAN Base License: Cisco Catalyst 2960, 2960-S, 3560-X, and 3750-X Series Switches

LAN Base is a powerful license for layer 2 access switches. Its broad range of access features covers all LAN Lite capabilities plus more robust features such as VTPv3 and FlexLinks. VTP version 3 offers better administrative control over VLAN topology information sharing to reduce unintended or disruptive changes. It also adds more VLAN environment support including expanded ISL VLAN support range. FlexLinks increase Layer 2 resiliency by adding a pair of fast converging active and backup links between access and distribution switches. LAN Base allows layer 3 routing by adding static routing support. Many strong security capabilities are added in LAN Base, too. Examples include Flexible Authentication, Radius Change of Authorization and advanced 802.1X features. On the management side, a long list of capabilities becomes available in LAN Base including a wider range of MIBs, Ingress policing, Trust Boundary, AutoQoS, and DSCP mapping.

If you have a basic layer 2 access networks with essentially no routing needs and no advanced security or management requirements, you might want to consider LAN Lite. For most enterprise layer 2 networks, LAN Base is a minimum requirement. It gives you a robust layer 2 access network with excellent network manageability, security and user experience.

Q: “What are the advantages of Cisco Catalyst 2960 Series Switches with the LAN Base software relative to Cisco Catalyst 2960 Series Switches with the LAN Lite software?”

A: Cisco Catalyst 2960 LAN Base switches deliver intelligent services for branch offices and wiring closets. The LAN Base IOS software supports enhanced Layer 2+ security, quality of service (QoS), availability, and scalable management to enable new converged applications. Catalyst 2960 LAN Base switches include both 10/100 Fast Ethernet and 10/100/1000 Gigabit Ethernet connectivity in 8-, 24-, and 48-port configurations.

Cisco Catalyst 2960 LAN Lite switches are for entry-level branch office and wiring closet networks. They simplify the migration from nonintelligent hubs and unmanaged switches to a fully scalable and reliable network. The LAN Lite IOS software supports standard Layer 2 security, QoS, and availability while lowering the network total cost of ownership. Catalyst 2960 LAN Lite switches deliver 10/100 Fast Ethernet connectivity in 24- and 48-port configurations.

All Cisco Catalyst 2960 Series Switches have technical support service options available through Cisco SMARTNetservice. All come with a Limited Lifetime Hardware Warranty, and LAN Base and LAN Lite software updates are provided at no additional cost.

Layer 3 Licenses-IP Base and IP Services Licenses

IP Base License: Cisco Catalyst 3560-X and 3750-X Series Switches

Dynamic routing provides network scalability, adaptability and resiliency. IP Base is a baseline enterprise services license for the 3560-X and 3750-X switches with dynamic routing support. It includes all layer 2 functionalities covered by the LAN Base license, plus an impressive list of layer 3 capabilities including static routing, RIP, EIGRP stub, Protocol Independent Multicast (PIM) stub and OSPF for Routed Access. Here EIGRP stub means that the switch participates in EIGRP routing as a stub and the EIGRP routes will not be extended to any downstream devices connecting to the switch. Also, notice that OSPF for Routed Access is designed specifically to extend Layer 3 routing capabilities to the wiring closet. It supports only one OSPFv2 and one OSPFv3 instance, with a maximum number of 200 dynamically learned routes. On the security front, a huge number of network security features are delivered in IP Base. Examples include ACLs, Private VLANs, TrustSec SXP, and IEEE 802.1AE (also known as MACsec). A new and exciting security feature is device sensor. It is part of the IOS software running on a switch which collects certain endpoint device attributes and sends such info to the Cisco Identify Services Engine (ISE) through RADIUS accounting packets. Cisco ISE then applies the appropriate policies as part of the Bring Your Own Device (BYOD) solution. In addition, new management capabilities have been added to the IP Base image. A good example is Embedded Event Manager (EEM). This is a policy-based framework that allows you to customize a script for real-time network event detection and onboard automation. Also, medianet support gives you the ability to troubleshoot and customize business applications such as video-based collaborations.

IP Services License: Cisco Catalyst 3560-X, and 3750-X Series Switches

IP Services is your full enterprise services license. It supports everything delivered by IP Base. It then adds further capabilities to enable a high-quality user experience that one expects in the next-generation workplace. At the top of the list are full capabilities of EIGRP and OSPF routing protocols with no restrictions on network topology or routing table size. In addition, the BGP routing protocol is supported which is not part of IP Base. Another important area is IPv6 support. IP Services provides OSPFv3 and EIGRP for IPv6 which are not available in IP Base. As many customers are running out of IPv4 addresses, IPv6 support is rapidly becoming a high priority requirement for the networks. Yet another important area is full scale support for PIM for IP multicast routing, including PIM sparse mode (PIM-SM), PIM dense mode (PIM-DM), PIM sparse-dense mode and Source Specific Multicast (SSM). The full PIM routing support greatly improves network efficiency as multimedia, interactive video and business collaborations generate exponential traffic growth. Here’s another important enhancement that IP Services enables: VRF-lite support is not in IP Base but it is in IP Services. As you may recall, VRF-lite is a good way to segment a physical network into multiple logical networks for network virtualization. Additional IP Services capabilities include Web Cache Coordination Protocol (WCCP) and policy-based routing (PRB) support.

Now let’s show some information on various license SKUs, then you can easily recognize them.

For Catalyst 2960 and 2960S switches, the SKU group ending with
-S represents LAN Lite
-L represents LAN Base

For Catalyst 3560-X and 3750-X switches, the SKU group ending with
-L represents LAN base
-S represents IP Base
-E represents IP Services

Here are some samples SKUs.

Switches	LAN Lite	LAN Base	IP Base	IP Services
Catalyst 2960, 2960-S switches	WS-C2960-24-S (24 Ethernet ports, LAN Lite image)	WS-C2960S-24TD-L (24 Ethernet ports, LAN Base image)	N/A	N/A
Catalyst 3560-X, 3750-X switches	N/A	WS-C3750X-24T-L (Stackable 24 Ethernet ports, LAN Base feature set)	WS-C3750X-24T-S (Stackable 24 Ethernet ports, IP Base feature set)	WS-C3750X-24T-E (Stackable 24 Ethernet ports, IP Services feature set)

More Suggestions:

If you require dynamic routing for your enterprise access networks, you’ll need to begin with IP Base. It gives you full layer 2 capabilities, plus robust layer 3 features to support your access network with enhanced scale, performance and network services such as security and application optimization. IP Services takes you one step further with full scale support of unicast and multicast routing protocols, as well as critical services such as network segmentation and IPv6 support for OSPF/EIGRP to enable the full experience of the next generation workplace.

If yourinitial software choices were LAN Base or an IP Base license for your Catalyst 3560-X and 3750-X switches, you would need an upgrade license to deploy IP Services. A family of new IP Services SKUs is available (SKUs ending with –E). These new SKUs make it easy for you to deploy IP Services directly.

More Related:

Cisco Licensing – Cisco Licenses Explained

• 6 March, 2019

Article, Cisco Licensing Explained, Enterprise Agreements, Licenses

Traditionally, Cisco licensing has offered a perpetual licensing model in which you buy once and keep the license through the life of the hardware. Once that hardware has been replaced, the license is obsolete, and the new hardware will need its own set of license(s). In the event you RMA the device, you’re eligible for a one time transfer of that license to the new hardware but for all intents and purposes that is the exception to the rule. This is true for all hardware.

The software features you buy on top of the hardware are licensed separately and require their own support contract. If you want to get IPS (Intrusion Prevention System) feature for your firewall, you’ll need a software license or entitlement.

This leads to a situation where one single device will have two support contracts associated to it. One for the hardware failure and the underlying operating system and another for the software support and updates you’d get specific to the IPS example above.

This perpetual method of ownership still requires you to have a support contract at all times to get the latest updates. What happens if you let the support lapse but keep the Cisco licensing? The core feature of the IPS module will continue to work as is. However, the module will stop receiving the latest threat updates leaving you more vulnerable to new threat vectors. You would also not be eligible to call Cisco support (TAC) and get assistance with the IPS software module.

There are two models and SKU’s you’ll normally see on your order and build of material sheets; Smartnet (SNT) and Software Support Services (SWSS). At a glance, these might look quite similar but there are fundamental differences that, if not accounted for, can leave a company vulnerable to security threats or extended downtime. In this article, we’ll examine the differences.

Cisco License Verification

Smartnet only applies to the hardware. Depending on the level purchased, you get anywhere from 8x5xNBD (next business day) up to 24x7x2hours replacement on that hardware. This also grants you operating system updates similar to getting Windows updates while your Smartnet is valid.

Software Support Service (SWSS) has one single purpose. To keep the software add-on features updated and eligible for support.

Now let’s revisit our earlier example with more detail to see how these apply in a real-world scenario. Let’s say you have a Cisco Firepower NGFW (Next-Gen Firewall) withAMP(Advanced Malware Protection), IPS (Intrusion Prevention System) and URL Filtering. You are up for renewal. You get a build of materials that has an SNT and SWSS SKU’s on it. You choose to buy the SNT but leave out the SWSS because you assume the hardware replacement will cover the software and could even be cheaper.

The SNT gets renewed and things seem to work as before. Two months down the road, you’re looking into the URL module to and realize it hasn’t been receiving updates for some time. You call support and provide your details. Support will now tell you that while your hardware is in coverage you are not eligible for signature updates due to the lack of SWSS (software support services). You now have to work with your Cisco team and “re-instate” coverage which is often more expensive than keeping it current.

Let’s flip the scenario. You bought SWSS but left out SNT (Smartnet). You experience a hardware failure. You call support and they’ll tell you the reverse. There’s nothing they can do with helping you replace your hardware and you’ll need to contact your Cisco Account Team to buy new hardware with new licenses attached to it. The whole SNT and SWSS cycle starts again.

The lesson here is to always ensure that your Smartnet and Software subscriptions remain in sync to avoid these scenarios that we see all too often. The larger the environment, the higher the operation overhead this creates.

There are significant challenges, especially in larger and geographically dispersed organizations, to keep your support and Cisco licensing in harmony given that growth and purchasing needs can originate from various sides of the business. Different teams and cost centres can also have their own strategies as to what they consider best practices. This leads to a lot of operational challenges and it’s not uncommon to sense dread in an organization around “renewal time.”

This is the bane of most IT and procurement teams as it requires a lot of manual inventory, reconciliation, lifecycle management and roadmap reviews. Many excel spreadsheets are passed around and many meeting hours are used up for a process that should take a fraction of the time. This continuous burden and pushback from customers force Cisco to think and innovate around the issue.

This think tank led to the formation of Cisco Enterprise Agreements.

Cisco Enterprise Agreements came to light when organizations asked for a more agile way handling their Cisco licensing needs, especially when considering that the majority of the new Cisco platforms are software-centric and are best utilised with software features enabled.

The goal of the Cisco Enterprise Agreement is twofold: reduce overall cost vs a perpetual licensing model and demonstrate a significant reduction in operational overhead.

You can find an in-depth look at Cisco Enterprise Agreements here.

The Tesrex Review & Renew is a two-week process that will pinpoint all the areas where you can save money and streamline management. Click here to learn more about this no-obligation engagement.

This is the first article in our series concerning Cisco Licensing and Enterprise Agreements. Please ensure you have signed up to be notified of when the rest of this series is released by clicking the blue icon in the bottom right-hand corner.

You can read Part 2 here.

Book a 30 minute chat

Cisco License Pak

Arrange a short call with a Cisco Licensing expert. They can answer any of your questions.