Cisco SD-WAN Licensing Guide: DNA Tiers, Controllers, and Cost Optimisation

The Viptela-to-Catalyst SD-WAN Transition

Cisco acquired Viptela in 2017 and integrated its cloud-native SD-WAN architecture into the Cisco portfolio under the SD-WAN brand. The platform has since been renamed Cisco Catalyst SD-WAN, aligning with Cisco's broader Catalyst branding for campus and branch networking. The underlying technology — vManage (management), vSmart (control plane), vBond (orchestration), and vEdge or Catalyst routers (data plane) — remains the same, but the commercial model has evolved significantly.

The current licensing framework combines DNA (Digital Network Architecture) software subscriptions with platform-specific hardware licences and, in some configurations, bandwidth-based subscriptions. Buyers who evaluated Cisco SD-WAN pricing when it was sold as Viptela may find the current commercial structure unfamiliar and more complex than the original flat-fee model.

DNA Subscription Tiers Explained

Cisco structures SD-WAN software capability into three DNA subscription tiers: Essentials, Advantage, and Premier. Each tier unlocks a progressively broader set of SD-WAN features and management capabilities. Understanding what each tier includes — and what it excludes — is the foundation for right-sizing the licensing commitment.

DNA Essentials

DNA Essentials is the entry-level SD-WAN software subscription, covering core WAN virtualisation, transport-agnostic connectivity, basic application-aware routing, and centralised management through vManage. Essentials supports TLOC (Transport Locator) configuration, basic QoS, and standard VPN segmentation. For organisations deploying SD-WAN primarily for WAN cost reduction through broadband offload, Essentials provides the necessary capability without paying for advanced security or analytics features that may not be needed at every site.

The limitation of Essentials is the absence of deep application intelligence, advanced security integration with the Cisco security portfolio, and the analytics capabilities required for application experience visibility beyond basic routing metrics.

DNA Advantage

DNA Advantage adds application experience monitoring with AppQoE (Quality of Experience), deep integration with Cisco Umbrella for DNS-layer security, enhanced policy capabilities, and more sophisticated analytics through vAnalytics. Advantage is the most commonly deployed tier for enterprise SD-WAN rollouts that require both WAN optimisation and security integration without moving to the full Premier feature set.

Advantage includes SD-WAN awareness of Cisco's security stack (Umbrella, Stealthwatch), making it the natural choice for organisations that have already invested in Cisco Secure products and want cohesive WAN and security policy management through a single control plane.

DNA Premier

DNA Premier adds Cisco ThousandEyes WAN Insights for active synthetic monitoring, Cloud OnRamp for SaaS optimisation across Office 365, Salesforce, and AWS, advanced cloud security integration, and the full Cisco SASE (Secure Access Service Edge) framework. Premier is positioned for organisations with complex multi-cloud environments, high application performance requirements, and a strategic commitment to the Cisco SASE architecture.

The cost differential between Advantage and Premier is material. Many organisations deploy Premier tier licensing across their entire branch estate based on Cisco sales positioning of ThousandEyes and Cloud OnRamp, without fully utilising these capabilities. Right-sizing to Advantage where Premier features are not actively used is a frequent optimisation opportunity.

Hardware Platform Licences

In addition to the DNA software subscription, Cisco SD-WAN deployments require hardware platform licences for the edge routers participating in the SD-WAN fabric. Cisco sells two hardware tiers: Network Essentials and Network Advantage, which unlock different sets of hardware platform features on Cisco ISR, ASR, and Catalyst routers.

Network Essentials vs Network Advantage

Network Essentials covers baseline routing and switching functionality required for SD-WAN participation, including IP Base forwarding, basic security features, and the SD-WAN data plane capabilities. Network Advantage adds Layer 3 routing protocol support, advanced security features, and the hardware-accelerated performance features that high-throughput sites require.

Organisations frequently purchase Network Advantage across their entire router estate based on the assumption that baseline capability is insufficient, when in practice many branch sites running standard MPLS or broadband connectivity operate correctly on Network Essentials. An audit of hardware licence alignment to actual site requirements routinely identifies over-licensing in 20 to 40 percent of edge devices.

Bandwidth-Based Licensing

Cisco's DNA Software for SD-WAN and Routing includes a bandwidth-based subscription tier for bandwidth-intensive deployments. Rather than licensing per device, bandwidth subscriptions are priced based on the committed throughput capacity of the SD-WAN edge, typically in ranges such as 1 to 5 Mbps, 6 to 10 Mbps, up to 250 Mbps, and above. Larger committed bandwidth tiers carry lower per-Mbps pricing, but buyers must accurately forecast bandwidth requirements at time of purchase.

Bandwidth over-provisioning is common in SD-WAN deployments because network architects build in headroom for future growth and peak traffic events. In practice, most sites operate below 50 percent of their provisioned bandwidth tier for the majority of the subscription period. A review of actual throughput data before renewal or initial purchase can identify significant savings by right-sizing bandwidth tiers to actual utilisation plus a reasonable growth buffer.

Controller Deployment Options: Cloud vs On-Premises

Cisco Catalyst SD-WAN can be managed through cloud-hosted controllers (vManage, vSmart, vBond running in Cisco's infrastructure) or through on-premises controller deployment (virtual machines running in the customer's data centre or a private cloud environment such as AWS or Azure).

Cloud-Hosted Controllers

Cloud-hosted management is included in the DNA subscription cost at no additional charge. Cisco hosts the control plane infrastructure, handles software upgrades, and provides the management portal as a service. This is the operationally simplest option and eliminates the need for dedicated infrastructure to run the controller VMs.

The limitation of cloud-hosted management is reduced control over data residency and connectivity to the management plane. Organisations with strict data sovereignty requirements, air-gapped environments, or security policies that prohibit management plane connectivity to third-party cloud infrastructure may be unable to use cloud-hosted controllers regardless of cost implications.

On-Premises Controller Deployment

On-premises controller deployment gives the organisation full control over the management infrastructure, data flows, and upgrade cycles. Controllers run as VMware vSphere, KVM, or hypervisor-agnostic virtual machines on customer-managed hardware. This model is operationally more complex but meets data sovereignty and security requirements that preclude cloud-hosted management.

The cost of on-premises controllers includes the virtual machine infrastructure, storage, compute, and operational overhead. Organisations that choose on-premises controllers for compliance reasons should model the total cost including infrastructure and operations, as this can represent a significant addition to the DNA subscription cost of the SD-WAN deployment.

SD-WAN Within Cisco Enterprise Agreements

Cisco Catalyst SD-WAN can be included within a Cisco Enterprise Agreement under the networking suite or procured as standalone DNA subscriptions. Including SD-WAN within an EA provides not-to-exceed pricing for the agreement term and the commercial benefits of consolidated spend, but requires careful assessment of whether the EA bundling actually delivers better economics than standalone negotiated pricing.

For organisations with large SD-WAN deployments (200-plus sites) that are also significant consumers of other Cisco products, EA inclusion typically delivers better commercial outcomes. For smaller or more narrowly scoped SD-WAN deployments, standalone negotiated subscriptions may provide more pricing flexibility and avoid the overhead of EA co-termination management.

Competitive Alternatives and Negotiation Leverage

The Cisco Catalyst SD-WAN market is competitive, with strong alternatives from VMware (now Broadcom) SD-WAN, Fortinet Secure SD-WAN, HPE Aruba EdgeConnect, and Versa Networks providing credible alternatives at different price-performance points. Each competitor has genuine strengths: Fortinet Secure SD-WAN integrates SD-WAN and next-generation firewall in a single appliance at lower TCO; VMware SD-WAN offers strong multi-cloud integration; Aruba EdgeConnect is favoured for application-centric policy.

Maintaining documented evaluation of alternatives during Cisco renewal cycles is the most effective lever for improving Cisco SD-WAN pricing. Cisco's account teams have significant discretionary discount authority for SD-WAN deals where competitive displacement is a genuine risk, and a credible alternative evaluation typically unlocks 15 to 25 percent pricing improvement beyond initial proposals.

Optimisation Checklist for Cisco SD-WAN Licensing

Based on our advisory work with enterprise Cisco SD-WAN customers, the following optimisation steps consistently deliver value before renewal or new deployment:

• Audit DNA tier utilisation: Review which Premier or Advantage features are actively configured and used at each site type. Sites where ThousandEyes and Cloud OnRamp are unused may be candidates for Advantage or Essentials tier.
• Review bandwidth tier alignment: Pull actual throughput data from vManage analytics and compare against the committed bandwidth tier for each site. Right-size tiers where actual peak throughput consistently falls in a lower bandwidth band.
• Assess hardware licence over-provisioning: Verify that Network Advantage hardware licences are only applied where Layer 3 routing protocols and advanced security features are actually required.
• Evaluate controller deployment cost: If using on-premises controllers, model the full infrastructure and operations cost and compare against cloud-hosted management economics.
• Benchmark subscription pricing: Compare your current DNA subscription rate against peer benchmarks for your site count and bandwidth tier. EA pricing and standalone pricing can differ significantly.
• Plan competitive evaluation: Begin competitive evaluation of Fortinet, VMware/Broadcom, or Aruba 90 days before renewal to create credible commercial pressure for Cisco discount improvement.

SmartNet and Support Licensing

Cisco SD-WAN deployments require SmartNet or equivalent support contracts for hardware and software maintenance. SmartNet costs for SD-WAN routers are typically calculated as a percentage of list hardware price, and multi-year SmartNet contracts offer moderate discounts compared to annual renewals. Ensuring that SmartNet co-terms with the DNA subscription renewal date simplifies commercial management and creates a single consolidation point for negotiation leverage.

Third-party hardware maintenance (TPHM) providers such as Park Place Technologies and Curvature offer SmartNet-equivalent coverage for Cisco hardware at 30 to 50 percent less than Cisco list pricing. For organisations with stable hardware estates that are not pursuing the latest Cisco hardware feature updates, TPHM is a legitimate cost reduction strategy that does not affect the DNA software subscription or SD-WAN operational capability.