Meraki

Community

MS Switches Enterprise vs Advanced license

Solved
TaniaSanchez
Here to help
‎Feb 17 2021 2:52 AM
‎Feb 17 2021 2:52 AM

MS Switches Enterprise vs Advanced license

Hi,

 

Is there a comprehensible list of features of each of the MS licenses as a comparison table similar to the MX comparison of the three license type? I have only seen two separate information pages for these MS licenses and I'm not sure it gives much information on why it would be good to use one over the other.

 

Network Swtich Enterprise License | Cisco Meraki

Meraki Advanced License (cisco.com)

 

The MX page feature comparison is perfect to really view the license differences:

Meraki MX Security and SD-WAN Licensing - Cisco Meraki

 

Thanks!

 

T.

0 Kudos
1 Accepted Solution
In response to TaniaSanchez
ww
Kind of a big deal
Kind of a big deal
‎Feb 17 2021 5:31 AM
‎Feb 17 2021 5:31 AM

The features available with advanced licensing are: 

  • Adaptive policy *
  • Greater than 1,000 routes for OSPF

 

* Available in a future software release

View solution in original post

10 Replies 10
ww
Kind of a big deal
Kind of a big deal
‎Feb 17 2021 4:13 AM
‎Feb 17 2021 4:13 AM

https://documentation.meraki.com/MS/MS_Overview_and_Specifications/MS390_Datasheet#MS390_Licensing

0 Kudos
In response to ww
TaniaSanchez
Here to help
‎Feb 17 2021 4:18 AM
‎Feb 17 2021 4:18 AM

Hi @ww ,

 

Thanks for your reply but that page doesn't really say anything apart from telling you that you can use the advance license in the MS390 model.

 

T.

0 Kudos
In response to TaniaSanchez
ww
Kind of a big deal
Kind of a big deal
‎Feb 17 2021 5:31 AM
‎Feb 17 2021 5:31 AM

The features available with advanced licensing are: 

  • Adaptive policy *
  • Greater than 1,000 routes for OSPF

 

* Available in a future software release

In response to ww
Bruce
Kind of a big deal
‎Feb 17 2021 12:20 PM
‎Feb 17 2021 12:20 PM

Just to add to this, the Advanced License is only relevant to the MS390. Adaptive Policy is available now, you have to be on Per Device Licensing and you need to be on the MS14 ‘beta’ firmware - it’s built on, and is interoperable with, Cisco SGT technology.

In response to ww
TaniaSanchez
Here to help
‎Feb 18 2021 6:15 AM
‎Feb 18 2021 6:15 AM

Thanks. It seems to be overpriced for just these two features.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 17 2021 2:29 PM
‎Feb 17 2021 2:29 PM

Also note you have to have Cisco ISE to use SGT.

 

So you would not use the advanced licence unless:

  • You have a Cisco MS390
  • You have Cisco ISE deployed
  • You have or intend to configure SGT on Cisco ISE

AND/OR

  • You need to use VLAN numbers over 1,000
  • Or you need more than OSPF 1,000 routes
0 Kudos
In response to PhilipDAth
BobbyMcLeod
Here to help
‎Feb 17 2021 3:02 PM
‎Feb 17 2021 3:02 PM

Will it work with alternatives to ICE such as ClearPass, ForeScout, etc.?

0 Kudos
In response to PhilipDAth
Paul_H
Meraki Employee
Meraki Employee
‎Feb 17 2021 3:02 PM
‎Feb 17 2021 3:02 PM

@PhilipDAth Quick clarification! 😉 

Cisco ISE is not required to leverage Adaptive policy.


You can assign devices/groups/SSIDs/Interfaces SGT values via the dashboard. Likewise, you can natively:

  • Define Policies, Source/Dest/SGT value/Descriptions
  • Create groups and bind them to network objects
  • Create custom ACLs to apply within policies
  • Apply specific Adaptive policy to targeted networks

In order to dynamically authenticate and assign unique user SGTs, then Cisco ISE is an EXCELLENT choice to do so! 
(@BobbyMcLeod Likewise, Cisco ISE is only NAC that can hand out SGTs)

In response to Paul_H
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 17 2021 3:04 PM
‎Feb 17 2021 3:04 PM

You are correct @Paul_H .

In response to Paul_H
Bruce
Kind of a big deal
‎Feb 17 2021 8:48 PM
‎Feb 17 2021 8:48 PM

@Paul_H Are you sure on the "Cisco ISE is only NAC that can hand out SGTs"?

 

In a pure Cisco Catalyst environment this may be the case as you need Cisco ISE to no only act as the RADIUS authenticator, but also to authenticate the infrastructure and create the source SGT to destination SGT matrix that is then downloaded to the switches when requested.

 

In a pure Cisco Meraki environment I was under the impression that the infrastructure is authenticated by the Meraki cloud, and the source SGT to destination SGT matrix, i.e. the Adaptive Policy matrix, is also managed by the Meraki cloud. Using these alone you can statically assign a port to an Adaptive Policy Group. If you introduce 802.1x (for dynamic Adaptive Policy assignment) then my understanding is that all the RADIUS server needs to do is return the AV Pair to assign the SGT number. Now admittedly this is in the Cisco AV Pair format, but so long as the RADIUS server can return this pair in the required format then surely it can inform the switch which Adaptive Policy to use? Or have I missed something?

 

(Don't get me wrong, ISE is an awesome platform, but is it really needed for a simple Meraki network using dynamic Adaptive Policy?)

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.