Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9232
Views
18
Helpful
7
Replies

DTLS license for Catalyst 9800

Go to solution
aypopoff
Level 1
Level 1

‎11-30-2020 10:53 AM - edited ‎07-05-2021 12:50 PM

Hello,

Could you advise how to order DTLS license(LIC-C9800-DTLS-K9) for existing  Cat 9800 controller ?

 

For example, I have installed C9800-L-C-K9. It was ordered without LIC-C9800-DTLS-K9 license.

Now I need to enable DTLS encryption. So how to order LIC-C9800-DTLS-K9 (without controller) ?

 

 

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Grendizer
Cisco Employee
Cisco Employee
In response to aypopoff

‎12-03-2020 08:00 AM

No, this has nothing to do with DTLS, you can enable and use DTLS without it.

View solution in original post

7 Replies 7

Go to solution
marce1000
VIP
VIP

‎11-30-2020 11:22 PM

 

 https://www.cisco.com/c/dam/global/de_de/training-events/Roadshow2012/pdfs/Licensing_Cisco_FAQ.pdf 

                       (check first question)

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to aypopoff

‎12-01-2020 06:55 AM

Talk to the supplier you purchased the 9800 from. They would be able to tell you. In AireOS, dtls was based on the image you download, LDPE image didn’t have dtls, but non LDPE you can enable dtls.
-Scott
*** Please rate helpful posts ***
0 Helpful

Go to solution
Grendizer
Cisco Employee
Cisco Employee

‎12-02-2020 04:04 PM

LIC-9800-DTLS-K9 is not smart license or PAK based license, it is perpetual license that cost $0 and at this time can't be purchase as spare (separately from the original order). Even if you are able to purchase it separately (which you can’t) there is no installation needed for it. You can enable and use the dtls from the AP Join profile without it. This is just for entitlement.

May I ask if you need it to secure the Mobility tunnels or to secure CAPWAP data tunnel?

9800 Mobility tunnel is always secure and encrypted, there is no way to disable it and is used to communicate the mobility messaging securely between mobility peers, this is not tied with DTLS License.

By default, the CAPWAP control plane is encrypted and can’t be disabled but CAPWAP data plane is not encrypted by default and you can enable the encryption for it if you are in a country allow that.

So the short answer is, you can’t purchase LIC-9800-DTLS-K9 which has no dollar value (cost is $0). Maybe Cisco will change that in the future.

Go to solution
aypopoff
Level 1
Level 1
In response to Grendizer

‎12-03-2020 01:02 AM

Great thanks for response.

>> You can enable and use the dtls from the AP Join profile without it.
To enable DTLS in the AP Join profile, the controller should be registered  in CSSM (Smart Account) with Export-Controlled Functionality enabled.  Right?

If customer's smart account doesn't have  Export-Controlled Functionality allowed, then, while registering controller, while generating new token, checkbox to enable export-controlled functionality will not be available.
And DTLS in the AP Join profile will not be available too. Right?

0 Helpful

Go to solution
Grendizer
Cisco Employee
Cisco Employee
In response to aypopoff

‎12-03-2020 08:00 AM

No, this has nothing to do with DTLS, you can enable and use DTLS without it.
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card