Solved: Re: MS Switches Enterprise vs Advanced license

TaniaSanchez24 · ‎02-17-2021

Hi,

Is there a comprehensible list of features of each of the MS licenses as a comparison table similar to the MX comparison of the three license type? I have only seen two separate information pages for these MS licenses and I'm not sure it gives much information on why it would be good to use one over the other.

Network Swtich Enterprise License | Cisco Meraki

Meraki Advanced License (cisco.com)

The MX page feature comparison is perfect to really view the license differences:

Meraki MX Security and SD-WAN Licensing - Cisco Meraki

Thanks!

T.

ww^ · ‎02-17-2021

The features available with advanced licensing are:

Adaptive policy *
Greater than 1,000 routes for OSPF

* Available in a future software release

View solution in original post

ww^ · ‎02-17-2021

https://documentation.meraki.com/MS/MS_Overview_and_Specifications/MS390_Datasheet#MS390_Licensing

TaniaSanchez24 · ‎02-17-2021

Hi @jdb1 ,

Thanks for your reply but that page doesn't really say anything apart from telling you that you can use the advance license in the MS390 model.

T.

ww^ · ‎02-17-2021

The features available with advanced licensing are:

Adaptive policy *
Greater than 1,000 routes for OSPF

* Available in a future software release

BRUCE NEWTON · ‎02-17-2021

Just to add to this, the Advanced License is only relevant to the MS390. Adaptive Policy is available now, you have to be on Per Device Licensing and you need to be on the MS14 ‘beta’ firmware - it’s built on, and is interoperable with, Cisco SGT technology.

TaniaSanchez24 · ‎02-18-2021

Thanks. It seems to be overpriced for just these two features.

Philip D'Ath · ‎02-17-2021

Also note you have to have Cisco ISE to use SGT.

So you would not use the advanced licence unless:

You have a Cisco MS390
You have Cisco ISE deployed
You have or intend to configure SGT on Cisco ISE

AND/OR

You need to use VLAN numbers over 1,000
Or you need more than OSPF 1,000 routes

BobbyMcLeod · ‎02-17-2021

Will it work with alternatives to ICE such as ClearPass, ForeScout, etc.?

phassted · ‎02-17-2021

@Philip D'Ath Quick clarification! 😉

Cisco ISE is not required to leverage Adaptive policy.

You can assign devices/groups/SSIDs/Interfaces SGT values via the dashboard. Likewise, you can natively:

Define Policies, Source/Dest/SGT value/Descriptions
Create groups and bind them to network objects
Create custom ACLs to apply within policies
Apply specific Adaptive policy to targeted networks

In order to dynamically authenticate and assign unique user SGTs, then Cisco ISE is an EXCELLENT choice to do so!
(@BobbyMcLeod1 Likewise, Cisco ISE is only NAC that can hand out SGTs)

Philip D'Ath · ‎02-17-2021

You are correct @phassted .

BRUCE NEWTON · ‎02-17-2021

@phassted Are you sure on the "Cisco ISE is only NAC that can hand out SGTs"?

In a pure Cisco Catalyst environment this may be the case as you need Cisco ISE to no only act as the RADIUS authenticator, but also to authenticate the infrastructure and create the source SGT to destination SGT matrix that is then downloaded to the switches when requested.

In a pure Cisco Meraki environment I was under the impression that the infrastructure is authenticated by the Meraki cloud, and the source SGT to destination SGT matrix, i.e. the Adaptive Policy matrix, is also managed by the Meraki cloud. Using these alone you can statically assign a port to an Adaptive Policy Group. If you introduce 802.1x (for dynamic Adaptive Policy assignment) then my understanding is that all the RADIUS server needs to do is return the AV Pair to assign the SGT number. Now admittedly this is in the Cisco AV Pair format, but so long as the RADIUS server can return this pair in the required format then surely it can inform the switch which Adaptive Policy to use? Or have I missed something?

(Don't get me wrong, ISE is an awesome platform, but is it really needed for a simple Meraki network using dynamic Adaptive Policy?)