Cisco Licensing · SD-WAN & Routing · 2026

Cisco SD-WAN Licensing: Viptela and Catalyst

Cisco's SD-WAN licensing carries the legacy of the Viptela acquisition and the structure of the current Catalyst SD-WAN model — per-device subscriptions, bandwidth tiers, and dependencies that quietly stack extra licences onto larger routers. This guide explains how the per-device DNA tiers work, where bandwidth and HSEC licences bite, what happens to legacy Viptela agreements at renewal, and how to negotiate the subscription down.

📋 1,330 words ⏱ 7 min read 📅 Updated June 2026 🔗 Cisco Licensing Cluster
By Morten Andersen
In This Article
  1. The Per-Device Subscription Model
  2. Essentials vs Advantage
  3. Bandwidth Tiers and the HSEC Licence
  4. The DNA Dependency on Catalyst 8000
  5. The Viptela-to-Catalyst Cut-Over
  6. Optimising and Negotiating SD-WAN

The Per-Device Subscription Model

Cisco SD-WAN licensing — now branded Catalyst SD-WAN, carrying the technology Cisco acquired with Viptela — is a per-device subscription. Every WAN edge device, whether an ISR small-branch router or a Catalyst 8000 aggregation platform, requires its own DNA subscription, and the per-device price depends on the hardware: an ISR 1000 small-branch router carries a far lower rate than a Catalyst 8000 series device at a large site. The controllers are included in the subscription — the right to run on-premises SD-WAN Manager, controller and orchestrator components comes with the licence, though Cisco-hosted cloud control adds a Management Add-on.

Because cost is driven per device and per bandwidth tier, an SD-WAN estate's licensing total is the sum of many sizing decisions rather than one. Getting each device's tier and bandwidth right is where the saving sits, and it connects directly to the switching-side discipline in the DNA licensing tier guide and the broader Cisco Enterprise Agreement and licensing guide.

Essentials vs Advantage

SD-WAN is sold in two feature tiers — DNA Essentials and DNA Advantage; the former Premier tier has been discontinued. Essentials covers core SD-WAN: secure connectivity, application-aware routing and centralised policy. Advantage adds advanced application optimisation, richer segmentation and deeper analytics. As everywhere in the Cisco estate, the tier is chosen per device, so the right question for each WAN edge is whether it genuinely uses Advantage capabilities or only runs core connectivity.

Subscriptions come in 3-, 5- and 7-year terms, with Advantage also available on the longer 7-year term. Matching term to the expected life of each site, and tier to the features it actually uses, prevents the long commitment becoming a lock to over-tiered or obsolete kit — the same term discipline set out in the Cisco subscription licensing transition guide.

Bandwidth Tiers and the HSEC Licence

On top of the feature tier, SD-WAN subscriptions are bandwidth-tiered. You select an expected traffic-volume licence sized to the aggregated bandwidth of all transport-side uplinks — up and down — that a device will use. Over-estimate and you pay for throughput the site never carries; under-estimate and you constrain it. Sizing the bandwidth tier to real, measured uplink demand rather than peak theoretical capacity is a direct cost lever.

There is a hidden mandatory licence: HSEC. To enable encrypted throughput above 250 Mbps on ISR 1000, ISR 4000, Catalyst 8000 and 8000V platforms, an export-controlled HSEC licence is required on top of the device licence. Any high-bandwidth site needs it, and leaving it out of the budget is a common cause of mid-deployment cost surprises.

Because the HSEC requirement is throughput-triggered and easy to overlook, it should be mapped during sizing for every site expected to exceed 250 Mbps of encrypted traffic. Treating bandwidth tier and HSEC as a single sizing exercise per device keeps the WAN budget honest, the same evidence-led posture the Cisco Smart Licensing compliance guide applies to entitlement generally.

The DNA Dependency on Catalyst 8000

The most expensive subtlety in SD-WAN licensing is a stacking dependency on Catalyst 8000 platforms: SD-WAN Advantage on a Catalyst 8000 requires a DNA Advantage licence on the underlying device as well, because the DNA licence covers the network operating system features the SD-WAN overlay relies on. The two licences compound, so over-tiering a Catalyst 8000 to SD-WAN Advantage when Essentials would do is a double cost, not a single one.

This dependency makes right-tiering Catalyst 8000 aggregation devices especially valuable — the gap between Essentials and Advantage is widened by the underlying DNA requirement. Mapping which 8000-series devices genuinely need Advantage features, and which only run core SD-WAN, is where the largest recoverable spend in a WAN estate usually sits, mirroring the over-tiering trap detailed for switching in the Cisco Meraki licensing guide and the visibility lens of the Cisco ThousandEyes licensing guide.

The Viptela-to-Catalyst Cut-Over

Organisations still on legacy Viptela agreements face a defined migration: at the time of a Viptela EA renewal, the agreement is cut over to a Cisco EA with a Cisco DNA offer. That cut-over re-prices the whole estate onto the current Catalyst SD-WAN model, which makes it both a risk and an opportunity. Accept a like-for-like roll-over and you may carry forward over-tiered or mis-sized entitlement from the Viptela era; engage with it and the cut-over becomes the moment to right-size every device.

The right approach is to treat the Viptela renewal as a fresh sizing exercise: re-measure bandwidth, re-tier each device, confirm HSEC needs, and negotiate the DNA offer rather than accepting the migration default. Done well, the cut-over that Cisco frames as administrative becomes a genuine cost reset.

Optimising and Negotiating SD-WAN

Optimising SD-WAN licensing is a per-device discipline: right-tier each WAN edge between Essentials and Advantage, size each bandwidth tier to measured uplink demand, map HSEC where throughput exceeds 250 Mbps, and account for the DNA dependency on Catalyst 8000. Then negotiate the aggregate. Full co-termination is available inside a Cisco Enterprise Agreement without the standalone 3-year-minimum co-term restriction, so folding SD-WAN into an EA both simplifies renewal and lifts the committed value that drives the discount band.

The combination of right-sizing and EA-level negotiation turns SD-WAN from a stacking, device-by-device cost into a controlled, evidenced line. To run a per-device SD-WAN sizing and tier review before your next renewal or Viptela cut-over, request a confidential briefing, or download our Cisco EA Playbook.

Common Questions

Cisco SD-WAN Licensing: FAQ

How is Cisco SD-WAN licensed?
Cisco Catalyst SD-WAN (formerly Viptela) is licensed per WAN edge device — every router or platform running the SD-WAN software needs its own per-device subscription, in either the DNA Essentials or DNA Advantage tier (the Premier tier has been discontinued). The subscription is also bandwidth-tiered: you select an expected traffic volume based on the aggregated bandwidth of all transport-side uplinks the device will use. Per-device price depends on the hardware platform, so an ISR 1000 small-branch router costs far less than a Catalyst 8000 aggregation device.
What is the difference between SD-WAN Essentials and Advantage?
Essentials covers core SD-WAN — secure connectivity, application-aware routing and centralised policy — while Advantage adds advanced application optimisation, richer segmentation and deeper analytics. The tier is chosen per device, so the question for each WAN edge is whether it genuinely uses Advantage features or only runs core connectivity. On Catalyst 8000 platforms there is an added dependency: SD-WAN Advantage requires a DNA Advantage licence on the underlying device as well, which compounds the cost of over-tiering.
What is an HSEC licence and when do you need one?
HSEC (High Security) is an additional, export-controlled licence required to enable encrypted throughput above 250 Mbps on ISR 1000, ISR 4000, Catalyst 8000 and Catalyst 8000V platforms. It sits on top of the normal device licence such as DNA Advantage. For any site whose encrypted traffic exceeds 250 Mbps, the HSEC licence is mandatory and easy to miss in sizing — leaving it out of the budget is a common cause of mid-deployment cost surprises.
What happens to Viptela licences at renewal?
Legacy Viptela agreements are migrated at renewal: at the time of a Viptela EA renewal, the customer's agreement is cut over to a Cisco EA with a Cisco DNA offer. This is a moment of leverage and risk — the cut-over re-prices the estate onto the current Catalyst SD-WAN model, so it is the point at which to right-size tiers, confirm bandwidth needs, and negotiate the DNA offer rather than accepting a like-for-like roll-over of the old Viptela entitlement.

Stop SD-WAN Licences From Stacking

Our advisors right-tier each WAN edge, size bandwidth and HSEC to real demand, manage the Viptela cut-over, and fold SD-WAN into your wider Cisco EA.

Request a Confidential Briefing Explore the Cisco Hub

Cisco Licensing Intelligence

Monthly briefings on Cisco SD-WAN and routing licensing, bandwidth-tier economics, and EA negotiation tactics — from advisors who negotiate Cisco agreements on behalf of buyers.