Updated: Junw 18, 2026
A network engineer at a Chennai hospital saved a few lakhs on a distribution-layer refresh by ordering Network Essentials across the board. The switches arrived, racked cleanly, and ran. Then he tried to bring up BGP to the data centre and segment the medical-device network into its own VRF. Neither command took. The features were not broken. They were not licensed. He had bought the tier below the one his design needed, and the fix was a licence upgrade he had to justify to the same finance team he had just impressed with the saving.
The opposite mistake is just as common and just as expensive: ordering Network Advantage for every access closet that will only ever switch traffic to phones and laptops, paying for routing protocols those switches will never run.
The Catalyst 9000 licence tiers are not a "more is better" ladder. They are a match-to-design decision, and getting it right needs you to know exactly what each tier does. Here is the feature-by-feature comparison, and the part Cisco's own naming makes harder than it should be.
Network Essentials is the entry licence tier for Catalyst 9000 switches. It covers Layer 2 switching and basic Layer 3: static routing, RIP, EIGRP stub and OSPF capped at around 1,000 routes, with 128-bit MACsec encryption and standard security. Network Advantage includes everything in Essentials and adds full Layer 3 routing, BGP, full OSPF and EIGRP, IS-IS, plus VRF, VXLAN, LISP, segmentation and the features that fabric and advanced designs depend on (Cisco Catalyst software subscription matrix).
Put simply, Essentials runs a competent access or small-routing switch. Advantage turns the same hardware into a full Layer 3 and fabric-capable device. The box is identical; the licence decides how much of it you can use.
Yes, and this is the confusion that sends engineers in circles. Cisco uses the words "Essentials" and "Advantage" twice, for two different things.
The first is the perpetual Network licence, Network Essentials or Network Advantage. It is a one-time, permanent licence that defines the switching and routing features built into the device, and it is the subject of this guide. The second is the term-based software subscription, historically Cisco DNA and now being renamed Cisco Catalyst, which also comes in Essentials and Advantage and unlocks the automation, assurance and analytics features delivered through Catalyst Center.
So a quote can read "Network Advantage" and "Catalyst Advantage" on two separate lines, and they are not duplicates. One is the perpetual feature set on the switch; the other is the subscription that powers the controller experience on top. When this article compares Essentials and Advantage, it means the perpetual Network tier, the one that decides whether BGP runs. Keep the two layers separate in your head, and the rest falls into place.
Network Essentials vs Network Advantage: The Feature Comparison
| Capability | Network Essentials | Network Advantage |
|---|---|---|
| Layer 2 switching, VLANs, STP | Yes | Yes |
| Inter-VLAN routing (SVIs) | Yes | Yes |
| Static routing, RIP | Yes | Yes |
| OSPF | Limited (around 1,000 routes) | Full |
| EIGRP | Stub only | Full |
| BGP | No | Yes |
| IS-IS | No | Yes |
| VRF / VRF-lite | No | Yes |
| Policy-based routing (PBR) | No | Yes |
| Multicast | PIM stub | Full PIM, MSDP |
| VXLAN / BGP EVPN | No | Yes |
| LISP | No | Yes |
| SD-Access fabric edge | No | Yes |
| TrustSec SGT / group-based policy | No | Yes |
| MPLS (supported platforms) | No | Yes |
| MACsec encryption | 128-bit | 128 and 256-bit |
| Flexible NetFlow | Limited | Full, VXLAN-aware |
| 802.1X, ACLs, QoS | Yes | Yes |
The pattern is clear once you see it. Essentials handles switching and the routing a smaller or edge network needs. Advantage adds the protocols, segmentation and fabric features that distribution layers, cores and zero-trust designs require (Cisco Catalyst software subscription matrix).
More than its position at the bottom of the ladder suggests. With Essentials, you get the full Layer 2 toolkit, inter-VLAN routing through switched virtual interfaces, static and basic dynamic routing, first-hop redundancy, 802.1X authentication, access-control lists, quality of service and 128-bit MACsec. For a great many switches in a real network, that is everything they will ever do.
Think of an access-layer switch in a branch or a floor closet. It connects endpoints, places them in VLANs, applies access policy and forwards their traffic upstream. It does not run BGP to the internet or hold a VRF for a segmented tenant. Essentials covers it completely, and paying for Advantage on that switch buys capability that will sit unused for the life of the device. The skill is not buying the highest tier; it is matching the tier to the job.
Everything that makes a switch more than an access device. Full Layer 3 routing, BGP, IS-IS, full OSPF and EIGRP, so the switch can take a real role in your routed topology. VRF, to keep tenants or security zones in separate routing tables on shared hardware. Policy-based routing and richer multicast. The fabric and segmentation stack, VXLAN, LISP, BGP EVPN, TrustSec group tags, which is what SD-Access is built on, so a fabric edge node requires Network Advantage (Cisco Catalyst software subscription matrix). It also adds 256-bit MACsec, full Flexible NetFlow and, on supported platforms, MPLS.
For the Chennai hospital, the distribution switches needed BGP and VRF, so they needed Advantage. The access switches feeding them did not. One estate, two correct answers. The error was applying a single tier to every layer rather than to each layer's role.
Decide by the role of the switch, not by the budget mood of the quarter. As a working rule:
Choose Network Essentials for access-layer switches that connect endpoints, apply VLANs and access policy, and forward traffic, with at most basic routing. This is the larger part of most networks. Choose Network Advantage for distribution and core switches running dynamic routing protocols, for anything needing VRF or MPLS, for any device that will be an SD-Access fabric edge, and for any layer where you intend to run micro-segmentation with group tags. Ask one question per switch: does this device need to route with BGP or IS-IS, hold a VRF, or join a fabric? If yes, it is Advantage. If no, Essentials almost certainly fits.
A good design mixes the tiers deliberately. A quote that puts the same tier on every line, high or low, is a quote nobody matched to your topology.
Yes. The tier is a licence, not the silicon, so you can move a switch from Network Essentials to Network Advantage by purchasing the upgrade, without replacing hardware. That is the reassuring half of the answer.
The cautionary half is that upgrading later is rarely cheaper or more convenient than ordering correctly the first time, and it tends to surface at the worst moment, mid-project, when a feature will not turn on, and a change window is ticking. Treat the tier as a design decision made before the purchase order, informed by the routing and segmentation plan, not as something to fix in production. Planning the tiers up front also keeps your renewals and Smart Account tidy, which your future self will thank you for.
The perpetual Network licence does not expire; that is what "perpetual" means. The switch keeps its Essentials or Advantage feature set for as long as it runs. What is term-based is the Cisco DNA or Catalyst subscription that sits alongside it. When that subscription lapses, you lose the Catalyst Center automation and assurance features and your entitlement to support and updates, but the perpetual network features keep working.
This is why the two-layer model matters at renewal time as well as at purchase. You are not at risk of a switch dropping BGP because a subscription expired. You are at risk of losing the controller features, the support and the right to new software, which is a different and quieter problem. Knowing which layer does what tells you exactly what a lapsed renewal costs you and what it does not.
Choosing tiers switch by switch across a campus is precisely the unglamorous design work that decides whether a network performs and whether you overpaid for it. It is also easy to get wrong from a price list.
Proactive Data Systems is a 35-year-old system integrator with more than 1,500 customers, and a Cisco Preferred Partner in Networking, Security, Collaboration, Cloud and AI, and Services. We map the licence tier to the role of every switch in your design, Essentials where it fits and Advantage where the routing, segmentation or fabric demands it, so you buy the capability you will use and not a rupee more. CCIE-led design, a 24x7 NOC in India, and a bill of quantities where every licence line has a reason next to it.
Not sure whether your next switches need Essentials or Advantage? Send us the design, or the quote you have been given. We will tell you which lines are right, which are over-specified, and which would have failed your first change window.
Proactive, Enterprise Networking Team
We'll get back to you shortly.
