- 1. Quick Answer (TL;DR)
- 2. The SLUP Reality: What Happens at Subscription Expiry?
- 3. Unsubscribed Reality: Network Essentials Capabilities
- 4. Unsubscribed Reality: Network Advantage & PID Limits
- 5. Debunking Catalyst Licensing Myths (Telemetry & Support)
- 6. Architect's Verdict: Sizing Your BOM
- 7. Validation Appendix: Post-Expiry Verification Metrics
- 8. Frequently asked questions (FAQs)

Quick Answer (TL;DR)
When your mandatory Catalyst/DNA subscription expires, the Catalyst 9200 retains its fundamental Layer 2 and Layer 3 forwarding capabilities indefinitely via its perpetual Network Stack license. The functional difference between Network Essentials and Network Advantage in this unsubscribed state centers on advanced routing and segmentation scale. Network Essentials is limited to Layer 2, static routing, RIP, EIGRP Stub, and OSPF for Routed Access (capped at 1,000 dynamically learned routes). Network Advantage perpetually unlocks larger-scale segmentation (Virtual Networks / VRF-lite) and full OSPF within platform scale. However, hardware capabilities are strictly bound to specific PIDs: features like BGP and MACsec-256 are exclusive to the C9200CX compact series. Letting the subscription lapse removes entitlement to Catalyst Center automation and SD-Access, but localized APIs and Model-Driven Telemetry (MDT) remain functional within the perpetual Network tier.
The SLUP Reality: What Happens at Subscription Expiry?
When purchasing a Cisco Catalyst 9200 Series switch, you are required to buy a 3-, 5-, or 7-year Catalyst (or legacy DNA) software subscription alongside the hardware. A persistent anxiety among enterprise buyers is what happens to the switch when that Day-0 subscription expires.
Under Cisco's Smart Licensing Using Policy (SLUP), the answer is straightforward. The Catalyst software architecture is dual-layered:
- Network Stack (Essentials/Advantage): This is the perpetual license tied to the chassis. It governs localized data-plane forwarding and base API services. It never expires.
- Catalyst/DNA Stack (Subscription): This governs centralized management, cloud-based analytics, SD-Access automation, and controller-driven assurance and telemetry workflows.
When the subscription lapses, the exact routing capabilities you are left with depend entirely on whether you purchased Network Essentials or Network Advantage on Day 0.
A representative CLI output of an expired subscription may look like the following (note that exact status wording varies by IOS XE release, CSSM/CLC acknowledgment, and reporting state):
Cat9200# show license summary
Smart Licensing is ENABLED
License Usage:
License Entitlement Tag Count Status
-----------------------------------------------------------------------------
network-advantage (C9200-48P Network Advantage) 1 IN USE
dna-advantage (C9200-48P DNA Advantage) 1 EXPIRED
Unsubscribed Reality: Network Essentials Capabilities
If you purchased a Catalyst 9200 with the Essentials tier, the perpetual Network Essentials stack leaves you with a highly robust Layer 2 / Layer 3 access switch.
- Full Layer 2 Switching: 802.1Q trunking, STP/RSTP/MSTP, LACP, and CoS/DSCP QoS mapping.
- Basic Layer 3 Routing: Static routing, RIP, and EIGRP Stub.
- OSPF for Routed Access: This is a critical distinction. Network Essentials supports OSPF, but it is architecturally constrained. According to Cisco configuration guides, it supports one OSPFv2 and one OSPFv3 instance, with a maximum of 1,000 dynamically learned routes. It is engineered for the access layer to advertise local subnets upstream, rather than functioning as a full transit router in a complex topology.
Unsubscribed Reality: Network Advantage & PID Limits
Network Advantage permanently unlocks advanced routing and network segmentation. However, a major engineering pitfall is assuming that "Network Advantage" means all features are universally available across the entire 9200 family. Hardware limitations dictate actual feature availability based on the specific Product ID (PID).
- Network Segmentation (Virtual Networks vs. VRF-lite): Advantage unlocks advanced routing separation, but architects must not conflate SD-Access Virtual Networks (VN) with standalone VRF-lite limits. The datasheet specifies VN scale as: C9200L (1 VN), standard C9200 (4 VNs), C9200CX (16 VNs), and enhanced models like C9200-24PB-A (32 VNs). However, standalone VRF-lite deployments outside of a fabric often face different limits (e.g., typically 4 VRFs for modular models and 1 for fixed).
- Full OSPF within platform scale: Network Advantage removes the OSPF for Routed Access route-scale restriction and allows the switch to participate in normal transit OSPF designs, subject to Catalyst 9200 hardware and TCAM limits.
- BGP (PID Restricted): Do not buy a standard C9200L or C9200 expecting BGP. BGP routing is exclusively supported on the Catalyst 9200CX compact series running IOS XE 17.13.1 or later.
- MACsec Encryption (PID Restricted): Standard C9200 and C9200L models support AES-128 MACsec. The higher-tier AES-256 MACsec encryption is restricted to the C9200CX compact models.
Debunking Catalyst Licensing Myths (Telemetry & Support)
Several channel myths persist regarding post-subscription realities. Here are the verified engineering facts based on IOS XE behavior:
-
Myth 1: "All APIs and Telemetry Stop Working."
Fact: Letting the subscription lapse removes entitlement to Catalyst Center automation, Assurance, and SD-Access—controller workflows are no longer licensed. However, base-level IOS XE APIs (NETCONF, RESTCONF, YANG models) and Model-Driven Telemetry (MDT) remain part of the perpetual Network Stack feature set. -
Myth 2: "You Cannot Upgrade from Essentials to Advantage."
Fact: Cisco provides a specific Electronic Cisco DNA Upgrade License. When you purchase this upgrade from DNA Essentials to DNA Advantage, the underlying perpetual Network Essentials license is subsequently upgraded to Network Advantage. -
Myth 3: "You Must Renew at the Advantage Tier."
Fact: While Day-0 hardware purchases mandate matching tiers (Network Advantage hardware + DNA/Catalyst Advantage subscription), Day-2 renewals are flexible. A Network Advantage + DNA Essentials combination is valid during license renewal for customers who need advanced routing but only require basic Catalyst Center management.
Architect's Verdict: Sizing Your BOM
When generating a Bill of Materials (BOM), separate the perpetual data-plane requirements from the subscription-based management features.
Select Network Advantage only if your specific edge design strictly requires standalone VRF-lite segmentation, full transit OSPF within platform limits, or—if deploying the C9200CX on IOS XE 17.13.1+—BGP peering. Be incredibly meticulous regarding physical PIDs; paying for Network Advantage on a C9200L still restricts your segmentation scale severely.
For standard edge deployments where the switch provides localized PoE+, VLAN segmentation, and relies on an upstream core for complex routing, Network Essentials is overwhelmingly the correct engineering and financial decision. Your switch will continue to forward traffic perfectly long after the initial subscription term expires.
Validation Appendix: Post-Expiry Verification Metrics
To establish empirical clarity, the following states represent the functional engineering reality of a Catalyst 9200 series switch running post-subscription expiration. The following is a summarized validation checklist from observed deployments; for audit-grade validation, attach raw CLI output from each PID.
Tested PIDs: C9200-48P (Standard) and C9200CX-12P-2X2G
IOS XE Versions: 17.12.3 (C9200) and 17.13.1 (C9200CX)
License State (show license summary):
- Network Advantage: IN USE (Perpetual)
- DNA/Catalyst Advantage: EXPIRED (Entitlement removed)
Control Plane Status:
- Catalyst Center / SD-Access: Disconnected / Unprovisioned
Data Plane Verification:
- show ip ospf neighbor: Active and neighbor adjacencies established.
- show ip bgp summary: Active (Validated on C9200CX only).
- show vrf: Local standalone VRF-lite instances remain active and routing.
- show platform software fed switch active fwd-asic resource tcam utilization: Normal programming observed; no feature drop.
Frequently asked questions (FAQs)
Will my switch drop traffic when the Catalyst subscription hits the expiration date?
No. The expiration of the subscription tier removes your entitlement to centralized SD-Access and Catalyst Center controller workflows. Local data-plane forwarding managed by the perpetual Network license remains completely intact.
Does Network Advantage include BGP on the Catalyst 9200L?
No. BGP is not supported on the Catalyst 9200L or the standard Catalyst 9200. Within the 9200 family, BGP is strictly supported only on the Catalyst 9200CX compact switches (IOS XE 17.13.1+).
How many Virtual Networks or VRFs can I configure on a Catalyst 9200?
Cisco uses two related but not identical scale references here. For SD-Access / Virtual Network scale, the Catalyst 9200 data sheet lists: C9200L as limited to 1 Virtual Network, standard C9200 SKUs as 4 Virtual Networks, C9200CX as 16 Virtual Networks, and enhanced VN SKUs such as C9200-24PB-A / C9200-48PB-A as 32 Virtual Networks. For standalone VRF-lite / VRF instance limits, do not assume the SD-Access VN number is automatically identical; validate the exact PID and IOS XE release in Cisco Feature Navigator or the relevant configuration guide before designing segmentation scale.
Will an active SmartNet contract keep my software updated if I don't renew my Catalyst subscription?
Hardware warranty, SNTC (Smart Net Total Care), Solution Support, and Catalyst software subscriptions are separate commercial items. If you maintain an appropriate Cisco service contract, you retain TAC and OS software access according to that contract's specific entitlement. Do not assume an expired Catalyst subscription alone preserves subscription-stack software support.
Can I configure OSPF on Network Essentials?
Yes, but only as "OSPF for Routed Access." This permits one OSPFv2 instance and one OSPFv3 instance, with a strict architectural limit of 1,000 dynamically learned routes. It is designed for access layer switches to advertise local networks, not to act as transit routers.
References & Further Reading
- Cisco Catalyst 9200 Series Switches Data Sheet (Confirming PID-specific limits for Virtual Networks, MACsec, and BGP).
- Cisco Smart Licensing Using Policy (SLUP) Documentation (Confirming Out-of-Compliance behavior and perpetual Network stack retention).
This article is an independent engineering analysis based on Cisco IOS XE Smart Licensing Using Policy (SLUP) behaviors, specifically examining the Day-2 un-subscribed state of Catalyst 9200 Series switches. Feature capabilities, Virtual Network limits, and hardware-specific protocols (like BGP and MACsec) are cross-checked against Cisco's official configuration guides and consistent with observed field behavior across different physical PIDs (C9200L, C9200, C9200CX). General feature limits align with IOS XE 17.12.x+, while BGP observations apply exclusively to the C9200CX on IOS XE 17.13.1 or later.
https://network-switch.com/pages/david-lorame