MS Switches Enterprise vs Advanced license

Solved
TaniaSanchez
Here to help

MS Switches Enterprise vs Advanced license

Hi,

 

Is there a comprehensible list of features of each of the MS licenses as a comparison table similar to the MX comparison of the three license type? I have only seen two separate information pages for these MS licenses and I'm not sure it gives much information on why it would be good to use one over the other.

 

Network Swtich Enterprise License | Cisco Meraki

Meraki Advanced License (cisco.com)

 

The MX page feature comparison is perfect to really view the license differences:

Meraki MX Security and SD-WAN Licensing - Cisco Meraki

 

Thanks!

 

T.

1 Accepted Solution
ww
Kind of a big deal
Kind of a big deal

The features available with advanced licensing are: 

  • Adaptive policy *
  • Greater than 1,000 routes for OSPF

 

* Available in a future software release

View solution in original post

10 Replies 10
ww
Kind of a big deal
Kind of a big deal
TaniaSanchez
Here to help

Hi @ww ,

 

Thanks for your reply but that page doesn't really say anything apart from telling you that you can use the advance license in the MS390 model.

 

T.

ww
Kind of a big deal
Kind of a big deal

The features available with advanced licensing are: 

  • Adaptive policy *
  • Greater than 1,000 routes for OSPF

 

* Available in a future software release

Bruce
Kind of a big deal

Just to add to this, the Advanced License is only relevant to the MS390. Adaptive Policy is available now, you have to be on Per Device Licensing and you need to be on the MS14 ‘beta’ firmware - it’s built on, and is interoperable with, Cisco SGT technology.

TaniaSanchez
Here to help

Thanks. It seems to be overpriced for just these two features.

PhilipDAth
Kind of a big deal
Kind of a big deal

Also note you have to have Cisco ISE to use SGT.

 

So you would not use the advanced licence unless:

  • You have a Cisco MS390
  • You have Cisco ISE deployed
  • You have or intend to configure SGT on Cisco ISE

AND/OR

  • You need to use VLAN numbers over 1,000
  • Or you need more than OSPF 1,000 routes
BobbyMcLeod
Here to help

Will it work with alternatives to ICE such as ClearPass, ForeScout, etc.?

Paul_H
Meraki Employee
Meraki Employee

@PhilipDAth Quick clarification! 😉 

Cisco ISE is not required to leverage Adaptive policy.


You can assign devices/groups/SSIDs/Interfaces SGT values via the dashboard. Likewise, you can natively:

  • Define Policies, Source/Dest/SGT value/Descriptions
  • Create groups and bind them to network objects
  • Create custom ACLs to apply within policies
  • Apply specific Adaptive policy to targeted networks

In order to dynamically authenticate and assign unique user SGTs, then Cisco ISE is an EXCELLENT choice to do so! 
(@BobbyMcLeod Likewise, Cisco ISE is only NAC that can hand out SGTs)

PhilipDAth
Kind of a big deal
Kind of a big deal

You are correct @Paul_H .

Bruce
Kind of a big deal

@Paul_H Are you sure on the "Cisco ISE is only NAC that can hand out SGTs"?

 

In a pure Cisco Catalyst environment this may be the case as you need Cisco ISE to no only act as the RADIUS authenticator, but also to authenticate the infrastructure and create the source SGT to destination SGT matrix that is then downloaded to the switches when requested.

 

In a pure Cisco Meraki environment I was under the impression that the infrastructure is authenticated by the Meraki cloud, and the source SGT to destination SGT matrix, i.e. the Adaptive Policy matrix, is also managed by the Meraki cloud. Using these alone you can statically assign a port to an Adaptive Policy Group. If you introduce 802.1x (for dynamic Adaptive Policy assignment) then my understanding is that all the RADIUS server needs to do is return the AV Pair to assign the SGT number. Now admittedly this is in the Cisco AV Pair format, but so long as the RADIUS server can return this pair in the required format then surely it can inform the switch which Adaptive Policy to use? Or have I missed something?

 

(Don't get me wrong, ISE is an awesome platform, but is it really needed for a simple Meraki network using dynamic Adaptive Policy?)

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels