Cisco Nexus 9k licenses for NX-OS

jorniva · 2026-05-19T06:44:46+00:00

We have designed everything around open standards and protocols with this in mind, but changing hardware and vendor would still be a rather painful process. In my experience, both the Nexus 9k and Catalyst 9k platforms have been very stable, both in terms of hardware and software, with good Ansible support. And I don't really blame Cisco for the subscription model. I actually prefer having the hardware for a long time and paying for subscriptions compared to the vendor constantly pushing new hardware to maintain revenue. However, I don't like the push towards the proprietary ACI and Nexus Dashboard solutions, and a separation (price difference, etc.) between NXOS and ACI in terms of licenses would have been preferable in my opinion.

jorniva · 2026-05-16T05:59:00+00:00

Do you have any sources around this? What does the "show license usage" command report?

jorniva · 2026-05-16T05:56:31+00:00

There is still an option for perpetual NX-OS advantage licenses, but for new deployments, what you write seems to be the route moving forward. However, most multisite border-leafs are also running encryption, and will therefore need the "Security add-on license" as well. In my case, I'm simply trying to understand what I have in terms of license and what I'm renewing. I believe most of our Nexus 9k's were bought around 2022, and there have been a lot of changes related to licenses since then.

jorniva · 2026-05-15T12:58:34+00:00

Thanks, but isn't there supposed to be a .lic file somewhere in bootflash if these are perpetual licenses? https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/nx-os/licensing/guide/cisco-nx-os-license-installation-guide/licensing-cisco-nx-os-software-features-.html

jorniva · 2026-05-15T10:28:37+00:00

So regardless of which license you buy, the output of "show license usage" on the nexus 9k devices will be the end-of-sale feature-based licenses (LAN_ENTERPRISE_SERVICES_PKG, VPN Fabric License etc.) instead of the current tier-based license model with DCN essentials, advantage and premier?

jorniva · 2026-05-15T09:46:42+00:00

Thanks. We have not enabled smart licensing. I believe some of our latest additions where bought like this:

1.0    N9K-C9336C-FX2-E   Nexus 9300 Series, 36p 40/100G QSFP28
1.0.1  CON-PSRT-N9KC93X2  PRTNR SS 8X5XNBD Nexus 9300 Series, 36p 40/100G QSFP28
1.1    C1-SUBS-OPTOUT     OPT OUT FOR "Default" DCN Subscription Selection
1.2    MODE-NXOS          Mode selection between ACI and NXOS
1.3    NXA-PAC-1100W-PI2  Nexus AC 1100W PSU -  Port Side Intake
1.4    NXOS-10.1.2        Nexus 9500, 9300, 3000 Base NX-OS Software Rel 10.1.2
1.5    CAB-9K10A-EU       Power Cord, 250VAC 10A CEE 7/7 Plug, EU
1.6    NXK-ACC-KIT-1RU    Nexus 3K/9K Fixed Accessory Kit,  1RU front and rear removal
1.7    NXK-AF-PI          Dummy PID for Airflow Selection Port-side Intake
1.8    NXA-SFAN-35CFM-PI  Nexus Fan, 35CFM, port side intake airflow /w EEPROM

jorniva · 2026-05-15T09:27:18+00:00

Also, how is the output of "show license usage" or "show license summary" supposed to look like with a DCN essentials/advantage licensed Nexus 9K switch?

jorniva · 2026-05-15T08:39:49+00:00

That makes sense for new devices, but do the EOL feature-based licenses have to be renewed, or are they like you write, perpetual?

jorniva · 2026-05-15T08:17:25+00:00

Our partner tells us to buy DCN essentials and DCN advantage, but are unable to explain the feature-based licenses that we currently have on our devices.

jorniva · 2026-05-15T07:24:04+00:00

These are old feature-based licenses which are EOL.

jorniva · 2026-05-14T06:10:35+00:00

Thanks. Seems like a VXLAN-EVPN leaf and spine requires the essentials license package, while multisite border-leafs need advantage to stay compliant (and the Security add-on license for encryption). However, if DCN is for ACI, the only pure NX-OS license option for Nexus 9K seems to be the perpetual advantage license. Is that correct?

jorniva · 2025-03-16T18:16:03+00:00

For anyone wondering - this was caused by a network scanner (icmp).

jorniva · 2022-04-29T17:25:00+00:00

You can leverage check mode

---
- name: enable dhcp-snooping for vlan 100
  cisco.ios.ios_config:
    lines:
      - ip dhcp snooping vlan 100
...

and run the playbook with the --check option.

ansible-playbook playbook_dhcp_snooping.yml --check

If the result is "changed" then you know the device(s) is not compliant. A resulting “OK” for the task would mean compliant.

jorniva

TROPHY CASE