Cisco Security SMU's and Licensing

From OISecWiki

The Ridiculousness of Requiring a Higher License for Cisco Security Patches

Cisco's licensing model for its networking equipment, particularly for Catalyst switches, has drawn significant criticism for gating essential security updates behind higher-tier licenses. This practice is not only frustrating for network administrators but also poses potential risks to organizational security by incentivizing workarounds or delayed patching. This article explores the issue, focusing on the requirement for a Network Advantage license to install Software Maintenance Upgrades (SMUs) that address critical vulnerabilities, such as those in SNMPv3.

Overview of Cisco Licensing Tiers

Cisco Catalyst switches, like the 9200L series, come with base licenses such as Network Essentials or Network Advantage. Network Essentials provides basic Layer 2 and limited Layer 3 functionality, suitable for many small to medium deployments. Network Advantage, however, includes advanced routing protocols (e.g., OSPF, BGP), enhanced analytics, and crucially, support for SMUs.[1]

SMUs are targeted patches that fix specific bugs or vulnerabilities without requiring a full IOS upgrade. They are essential for maintaining security in production environments where downtime must be minimized.[2]

The License Mismatch Issue

When attempting to install an SMU on a switch with Network Essentials, users encounter errors like:

FAILED: Device license network-essentials+dna-essentials does not match SMU license level network-advantage

This error stems from Cisco's policy that SMU installation requires Network Advantage, introduced in IOS XE Fuji 16.9.7 and later.[3] Prior versions required Cisco DNA Advantage for similar functionality.

For example, patching the SNMPv3 vulnerability (Cisco Bug ID CSCwq31287) in IOS XE 17.15.4 requires the SMU cat9k_lite_iosxe.17.15.04.CSCwq31287.SPA.smu.bin, which fails on Essentials-licensed devices without a license upgrade.

Why This Policy is Ridiculous

Requiring a more expensive license to apply security patches is fundamentally ridiculous for several reasons:

1. Security Should Not Be Paywalled: Basic security updates, especially those addressing vulnerabilities that could lead to denial-of-service or remote code execution, should be accessible to all users regardless of license tier. Tying patches to higher licenses effectively punishes cost-conscious organizations, potentially leaving them exposed to exploits. This approach prioritizes revenue over user safety, which is ethically questionable in an era of escalating cyber threats.[4]

2. Increased Costs for Essential Maintenance: Upgrading from Network Essentials to Network Advantage can add significant costs, often requiring a DNA Advantage subscription (e.g., list price difference of thousands per switch over 3-7 years).[5] For a vulnerability fix that might only require a temporary workaround (like license boot level adjustment), this creates unnecessary financial barriers. Critics argue it's akin to subscription models that force ongoing payments for basic functionality, drawing comparisons to Oracle's licensing practices.[4]

3. Encourages Risky Workarounds: Administrators often resort to temporarily elevating the license via commands like license boot level network-advantage, installing the SMU, and then reverting. While effective, this relies on Right-to-Use licensing leniency and could violate terms if not reverted promptly.[6] Such practices highlight the policy's impracticality, as they introduce operational overhead and potential compliance issues without providing real value.

4. Broader Industry Criticism: Cisco's licensing is frequently lambasted as overly complex and customer-unfriendly. In community forums, users describe it as a "labyrinth" that wastes time and money, with no added value.[4] Higher tiers like DNA Advantage include SMU lifecycle management via Catalyst Center, but for standalone patches this feels like an artificial gate.[7] By analogy with criticisms of compliance audits like SOC2, where high costs yield little security benefit, Cisco's model is described as a "cancer" in the industry: self-inflicted harm through vendor lock-in.[8]

This policy undermines trust in Cisco, especially when vulnerabilities like CVE-2025-20352 are actively exploited.[9] Security experts recommend vendors prioritize universal patch availability to foster a safer ecosystem.

License Circumvention Method

To circumvent the license requirement for SMU installation on a Network Essentials-licensed Catalyst 9200L switch, administrators can temporarily adjust the boot license level to Network Advantage. This leverages Cisco's Right-to-Use (RTU) licensing, which allows temporary enablement for maintenance without immediate purchase. However, this is intended for short-term use; prolonged operation at the higher level without purchasing the license may violate Cisco's terms of service.[6]

This method involves elevating the license, installing the SMU, and then reverting to the original level. It requires access to the switch's CLI and should be performed during a maintenance window, as reloads are necessary.

Example: Installing the SNMPv3 SMU Patch

The following example demonstrates installing the SMU cat9k_lite_iosxe.17.15.04.CSCwq31287.SPA.smu.bin to patch the SNMPv3 vulnerability on a Catalyst 9200L switch running IOS XE 17.15.4 MD with Network Essentials and DNA Essentials licenses.

1. Verify Current License:

Use the show license summary command to confirm the current license level.

   show license summary

Expected output:

   License Usage
     network-essentials (C9200L Network Essentials):
       Description: C9200L Network Essentials
       Count: 1
       Version: 1.0
       Status: IN USE
     dna-essentials (C9200L DNA Essentials):
       Description: C9200L DNA Essentials
       Count: 1
       Version: 1.0
       Status: IN USE

2. Copy the SMU File:

Transfer the SMU file to the switch's flash memory using TFTP or another method.

   copy tftp://<server-ip>/cat9k_lite_iosxe.17.15.04.CSCwq31287.SPA.smu.bin flash:

3. Temporarily Elevate the License:

Enter configuration mode and set the boot license level to Network Advantage.

   configure terminal
   license boot level network-advantage addon dna-essentials
   exit
   write memory

Note: If using DNA Advantage, replace dna-essentials with dna-advantage. This example assumes DNA Essentials compatibility.

4. Reload the Switch:

Reload to apply the new boot license level.

   reload

5. Verify Elevated License:

After reload, check the license again.

   show license summary

Expected output should show network-advantage and dna-essentials in use.

6. Install the SMU:

Add, activate, and commit the SMU. This will trigger another reload.

   install add file flash:cat9k_lite_iosxe.17.15.04.CSCwq31287.SPA.smu.bin activate commit

7. Revert the License:

After SMU installation and reload, revert to the original license level.

   configure terminal
   license boot level network-essentials addon dna-essentials
   exit
   write memory
   reload

8. Verify SMU Installation:

Confirm the SMU is active.

   show install summary

Look for the SMU listed under committed packages.

This example assumes the switch is in install mode (default for Catalyst 9200). Always back up the configuration with copy running-config startup-config before starting, and test in a non-production environment if possible.[2]
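As an added check (not from the original article or from Cisco), the Python below parses `show license summary` output, predicts the license-mismatch failure quoted earlier before an `install add` is attempted, and audits a set of switches for any left at network-advantage after the temporary elevation instead of being reverted. The sample outputs, hostnames and the `entitled` set are constructed for the example.

```python
import re

# Constructed sample of `show license summary`, modelled on the Essentials-licensed
# C9200L in the article; not captured from a real device.
SAMPLE_ESSENTIALS = """\
License Usage
  network-essentials (C9200L Network Essentials):
    Description: C9200L Network Essentials
    Count: 1
    Version: 1.0
    Status: IN USE
  dna-essentials (C9200L DNA Essentials):
    Description: C9200L DNA Essentials
    Count: 1
    Version: 1.0
    Status: IN USE
"""
# Constructed variant of the same switch after `license boot level network-advantage`.
SAMPLE_ADVANTAGE = SAMPLE_ESSENTIALS.replace("network-essentials", "network-advantage") \
                                    .replace("Network Essentials", "Network Advantage")

ENTRY_RE = re.compile(r"^ {2}(\S+) \(")           # "  network-essentials (C9200L ...):"
STATUS_RE = re.compile(r"^ {4}Status: (.+?)\s*$")  # "    Status: IN USE"

def parse_license_summary(text: str) -> dict[str, str]:
    """Map each license listed in `show license summary` to its Status field."""
    licenses, current = {}, None
    for line in text.splitlines():
        if m := ENTRY_RE.match(line):
            current = m.group(1)
            licenses[current] = ""
        elif (s := STATUS_RE.match(line)) and current:
            licenses[current] = s.group(1)
    return licenses

def smu_license_check(licenses: dict[str, str], smu_level: str = "network-advantage"):
    """Predict the `install add` outcome; the failure text mirrors the IOS XE error quoted above."""
    in_use = [name for name, status in licenses.items() if status == "IN USE"]
    device_level = "+".join(in_use)
    if smu_level in in_use:
        return True, f"OK: Device license {device_level} satisfies SMU license level {smu_level}"
    return False, f"FAILED: Device license {device_level} does not match SMU license level {smu_level}"

def audit_elevated_licenses(outputs: dict[str, str], entitled: set[str]) -> list[str]:
    """Hosts running network-advantage without an entitlement, i.e. switches left at the
    elevated level after the temporary workaround instead of being reverted."""
    return sorted(host for host, text in outputs.items()
                  if parse_license_summary(text).get("network-advantage") == "IN USE"
                  and host not in entitled)
```

Feed `audit_elevated_licenses` the captured `show license summary` text of each switch after a maintenance window to confirm step 7 was actually carried out everywhere.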

Recommendations

  • Advocate for Change: Organizations should provide feedback to Cisco via support channels or communities to push for decoupling security patches from license tiers.
  • Explore Alternatives: Consider vendors with more inclusive update policies, or use open-source alternatives where feasible.
  • Workaround Safely: If patching is urgent, use the temporary license elevation method, but document it and revert promptly to avoid audits.

References

  1. Cisco Catalyst and Cisco DNA Software Subscription Matrix for Switching, Cisco, 2024.
  2. System Management Configuration Guide, Cisco IOS XE Cupertino 17.9.x (Catalyst 9200 Switches) - Software Maintenance Upgrade, Cisco, 2023.
  3. License level mismatch on SMU install?, Cisco Community, March 1, 2021.
  4. Why the hate for Cisco?, Reddit r/networking, 2023. (Comments highlight licensing as a "nightmare" and "predatory," with specific complaints about paywalls for existing features in updates.)
  5. Understanding the Differences: Network Essentials vs Network Advantage, Edgeium, January 7, 2024.
  6. Configuring Licenses on Cisco Catalyst 9000 Series Switches, Cisco, August 2, 2024.
  7. Understanding the Differences: DNA Essentials vs DNA Advantage, Edgeium, September 9, 2024.
  8. I'm just going to say it: SOC2 is a cancer in our industry..., X (formerly Twitter), January 31, 2024.
  9. Cisco flaw already under attack: CVE-2025-20352..., The Hacker News, September 25, 2025.