[Cisco] Overview of Smart Licensing Using Policy and how to configure it


What is Smart Licensing Using Policy?

Catalyst switches with IOS-XE version 16.9.1 and later and ASR / ISR routers with 16.10.1 and later used smart licenses as a license management mechanism.

After Smart Licensing went into operation, Cisco received a lot of feedback from users, and a new mechanism called Smart Licensing Using Policy was introduced as a revised form of Smart Licensing.

Target version

Devices running IOS-XE 17.3.2 and later (17.4.1 and later for some devices) support Smart Licensing Using Policy.

At the time of writing this post, the recommended version for all C9000 series is 17.3.4, so understanding Smart Licensing Using Policy is essential.

Recommended Releases for Catalyst 9200/9300/9400/9500/9600 and Catalyst 3650/3850 Platforms
This document is to help customers find a stable software release for the enterprise switching platforms.

Major changes

The main changes from the conventional smart license are as follows.

  • Evaluation mode is gone
  • In the device, all licenses are in the IN USE state by default (except for some).
  • The device collects a license and its usage report and sends it to CSSM, and CSSM returns an ACK.
  • SLR (License Reservation) is no longer supported

RUM report

  • Resource Utilization Measurement
  • Usage reports generated and saved by Product Instances (PIs)
  • All license usage changes made in PI are saved as a report file
  • When CSSM receives RUM report data from the PI, it validates the report, checks the modified license usage timeline, and updates the CSSM data accordingly. The CSSM then acknowledges the PI via an ACK response message.

How to report to CSSM

As with traditional Smart Licensing, there are several ways to report to CSSM under Smart Licensing Using Policy.

Report directly from the device to CSSM

With this method, Cisco equipment sends reports directly to CSSM on the Internet. There are two patterns, online and offline.

Online, the device connects to the Internet and automatically sends reports to CSSM on a regular basis. (Sometimes called CSSM Online.)

Offline, the device does not connect to the Internet. The administrator manually exports the report from the device and uploads it to CSSM, then downloads the ACK from CSSM and imports it into the device. (Sometimes called CSSM Offline.)

Reporting using the Cisco Smart Licensing Utility (CSLU)

Use the Cisco Smart Licensing Utility (CSLU), an application that runs on Windows 10. The device sends a report to CSLU, which in turn sends a report to CSSM.

This method also has two patterns, online / offline, depending on the CSLU Internet connection status.

License enforcement type

Licenses in Smart Licensing Using Policy are classified by enforcement type, and there are three types:

  • Unenforced or Not Enforced
    • Does not require authorization or registration before use
    • All licenses available on Catalyst access / core / aggregation switches are of this type
  • Enforced
    • Requires authorization before use
    • Authorization code needs to be installed on the target device
    • An example of this type of license is the Media Redundancy Protocol (MRP) client license available on Cisco Industrial Ethernet switches.
  • Export-Controlled
    • Exports are restricted by U.S. trade control laws and these licenses require authorization before use
    • Authorization code needs to be installed on the target device
    • An example of this type of license is a fast encryption (HSECK9) license that can be used on a particular Cisco router.

License type

In addition to the enforcement type described above, licenses are classified by license type, and there are the following two types.

  • Perpetual
    • No expiration date
    • C9000 series Network Essentials and Network Advantage are of this type
  • Subscription
    • Has an expiration date
    • C9000 series DNA Essentials and DNA Advantage are of this type

You can check the license enforcement type and license type in the License Usage item of show license all.

#show license all
...
License Usage
=============

network-essentials (C9200L-NW-E-24):
  Description: C9200L-24 Network Essentials
  Count: 1
  Version: 1.0
  Status: IN USE
  Export status: NOT RESTRICTED
  Feature Name: network-essentials
  Feature Description: C9200L-24 Network Essentials
  Enforcement type: NOT ENFORCED '<---------attention'
  License type: Perpetual '<---------attention'

dna-essentials (C9200L-DNA-E-24):
  Description: C9200L-24 DNA Essentials
  Count: 1
  Version: 1.0
  Status: IN USE
  Export status: NOT RESTRICTED
  Feature Name: dna-essentials
  Feature Description: C9200L-24 DNA Essentials
  Enforcement type: NOT ENFORCED '<---------attention'
  License type: Subscription '<---------attention'
...

Policy

The policy includes the following elements, which determine the device behavior.

  • Necessity of ACK from CSSM
  • The following items by enforcement type / license type
    • First report requirement:
      • The initial report must be submitted within the time period specified here
      • 0 means not needed
    • Reporting frequency:
      • Subsequent reports must be submitted within the time period specified here
      • 0 means not needed
    • Report on change:
      • If your license usage changes, you must submit the report within the time period specified here.
      • 0 means not needed

#show license all
...
Policy:
  Policy in use: Merged from multiple sources.
  Reporting ACK required: yes (CISCO default)
  Unenforced/Non-Export Perpetual Attributes: '<---------Policy for Unenforced/Non-Export and Perpetual type'
    First report requirement (days): 365 (CISCO default)
    Reporting frequency (days): 0 (CISCO default)
    Report on change (days): 90 (CISCO default)
  Unenforced/Non-Export Subscription Attributes: '<---------Policy for Unenforced/Non-Export and Subscription type'
    First report requirement (days): 90 (CISCO default)
    Reporting frequency (days): 90 (CISCO default)
    Report on change (days): 90 (CISCO default)
  Enforced (Perpetual/Subscription) License Attributes: '<---------Policy for Enforced type'
    First report requirement (days): 0 (CISCO default)
    Reporting frequency (days): 0 (CISCO default)
    Report on change (days): 0 (CISCO default)
  Export (Perpetual/Subscription) License Attributes: '<---------Policy for Export type'
    First report requirement (days): 0 (CISCO default)
    Reporting frequency (days): 0 (CISCO default)
    Report on change (days): 0 (CISCO default)
...

By default, the CISCO default policy is applied as above.

Check both values for each license, because the policy that applies depends on the combination of enforcement type and license type.
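The following Python code is an added example, not part of the original post or any Cisco tool: it pairs each license in show license all output with the policy block that governs it and returns the reporting limits in days. The sample text is constructed from the excerpts above without the author's annotations, and the enforcement type strings other than NOT ENFORCED are assumptions.

```python
import re
# Constructed sample, trimmed from the "show license all" excerpts in this post.
SAMPLE = """\
network-essentials (C9200L-NW-E-24):
  Enforcement type: NOT ENFORCED
  License type: Perpetual
dna-essentials (C9200L-DNA-E-24):
  Enforcement type: NOT ENFORCED
  License type: Subscription
Policy:
  Policy in use: Merged from multiple sources.
  Unenforced/Non-Export Perpetual Attributes:
    First report requirement (days): 365 (CISCO default)
    Reporting frequency (days): 0 (CISCO default)
    Report on change (days): 90 (CISCO default)
  Unenforced/Non-Export Subscription Attributes:
    First report requirement (days): 90 (CISCO default)
    Reporting frequency (days): 90 (CISCO default)
    Report on change (days): 90 (CISCO default)
"""

def parse(text):
    licenses, policy, cur = {}, {}, None
    for line in text.splitlines():
        if m := re.match(r"(\S+) \(.+\):$", line):            # license header
            cur = licenses.setdefault(m[1], {})
        elif m := re.match(r"  (\S.*) Attributes:$", line):   # policy block header
            cur = policy.setdefault(m[1], {})
        elif not line.startswith(" "):                        # any other top-level line
            cur = None
        elif cur is not None and ": " in line:                # attribute of current block
            key, value = line.strip().split(": ", 1)
            cur[key] = re.sub(r"\s*\([^)]*\)$", "", value)    # drop "(CISCO default)"
    return licenses, policy

def reporting_obligations(text):
    """Day limits per license. Only NOT ENFORCED is shown in the post; other strings are assumed."""
    licenses, policy = parse(text)
    result = {}
    for name, attrs in licenses.items():
        enf, typ = attrs["Enforcement type"], attrs["License type"]
        block = (f"Unenforced/Non-Export {typ}" if enf == "NOT ENFORCED" else
                 "Export (Perpetual/Subscription) License" if "EXPORT" in enf else
                 "Enforced (Perpetual/Subscription) License")
        result[name] = {k: int(v) for k, v in policy[block].items()}
    return result

if __name__ == "__main__":
    print(reporting_obligations(SAMPLE))
```

A value of 0 in the result means that report is not required, as described in the policy list above.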

First check point at build time

  • IOS-XE version used in the device to be built
  • Which reporting method to use
  • With or without optional DNA license

It is safer not to change the license level unnecessarily

As mentioned in the policy section above, there is a set deadline for reporting after a change in license usage, so it is likely that you will need to report to CSSM after changing the license boot level.

Therefore, if you change the license level when you don’t need to, you run the risk of having trouble reporting to CSSM.

It seems safer not to try changing the license boot level.

Direct report method (online)

The direct report method (online) is probably the most frequently used method.

The procedure for adopting the direct report method (online) is as follows.

  1. Set up the device
  2. Issue a token (trust code) in CSSM
  3. Operate the device in an environment where internet connection is possible, and install the token (trust code) on the device.
  4. Confirm that the device was able to receive the ACK from CSSM

Device settings

Basic settings for connecting to CSSM

  • DNS server settings
    • ip name-server <DNS server IP>
  • DNS domain lookup source interface configuration
    • ip domain lookup source-interface <IF name>
  • IP domain name settings
    • ip domain name <Domain name>
  • Setting the IP address of the L3 interface
  • NTP server, time zone setting
  • Routing settings for the Internet
  • HTTP client source interface settings
    • ip http client source-interface <IF name>

License boot level setting

Change the license level of the device as needed. (Global setting)

  • license boot level <Network license level> [addon <DNA license level>]

Since the license level change will be reflected after restarting, reboot the device after changing the setting.

Transport type setting

The call-home transport used by conventional Smart Licensing is generally not needed; all you have to do is set the following transport type and URL. (You can also use call-home.)

The transport type defaults to cslu, but for direct reporting, set it to smart. Then set the license smart url default.

#Global setting
license smart transport smart
license smart url default

After setting license smart url default, the following settings will be entered automatically.

license smart url https://smartreceiver.cisco.com/licservice/license
license smart url smart https://smartreceiver.cisco.com/licservice/license

After setting, use the show license all command to confirm that the following is displayed.

#show license all
...
Transport:
  Type: Smart
  URL: https://smartreceiver.cisco.com/licservice/license
  Proxy:
    Not Configured
...

Issuing tokens with CSSM

Ask an authorized person to issue the token. The token issuance procedure is as follows.

  1. Log in to CSSM and click Smart Software Licensing
  2. Click the Inventory tab
  3. Select the desired virtual account from the Virtual Account drop-down list
  4. Click the General tab
  5. Click New Token (Create Registration Token screen opens)
  6. Enter a description in the Description field (optional)
  7. Enter the token validity period in the Expire After field (optional, default 30 days)
  8. Enter the number of times the token can be used in the Max. Number of Uses field (optional, default unlimited)
  9. Click Create Token
  10. You can copy the token by selecting Copy in the Actions field of the target token record from the token list.

Installation and verification of tokens on the device

Once you have the token, install it on your device.

Install the token using the following command in an environment where you can connect to the Internet.

  • # license smart trust idtoken <token> <local | all> [force]
    • <token>: Token (string) obtained from CSSM
    • <local | all>
      • Specify local if the device is not in a stack configuration, and specify all if the device is in a stack configuration.
    • [force]
      • The force flag is set on the message sent to CSSM and a new trust code is created even if the target UDI already exists.

license smart trust idtoken XXXXXX local

After installing the token, check the status with the show license all command.

# show license all
...
Usage Reporting:
  Last ACK received: Mmm dd hh:mm:ss 2021 UTC
  Next ACK deadline: Mmm dd hh:mm:ss 2021 UTC
  Reporting push interval: 30  days
  Next ACK push check: <none>
  Next report push: Mmm dd hh:mm:ss 2021 UTC
  Last report push: Mmm dd hh:mm:ss 2021 UTC
  Last report file write: <none>

Trust Code Installed: Mmm dd hh:mm:ss 2021 UTC
...

  • Last ACK received: The time when the ACK from CSSM was received is displayed.
  • Trust Code Installed: The token installation date and time is displayed

It takes about 5 minutes after the token is installed until a time is displayed in Last ACK received.

Also, check that the target device is registered on the Product Instances screen of CSSM.
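The checks above can be scripted against saved show license all output. The following Python code is an added example, not part of the original post or any Cisco tool; the sample text and its timestamps are constructed, and it assumes the device clock is displayed in UTC as in the excerpt above.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the Transport / Usage Reporting excerpts in this post.
SAMPLE = """\
Transport:
  Type: Smart
  URL: https://smartreceiver.cisco.com/licservice/license
Usage Reporting:
  Last ACK received: Oct 01 09:20:11 2021 UTC
  Next ACK deadline: Dec 30 09:20:11 2021 UTC
  Reporting push interval: 30  days
  Last report push: Oct 01 09:15:02 2021 UTC
Trust Code Installed: Oct 01 09:14:40 2021 UTC
"""
# URL that "license smart url default" configures, as shown in the post.
EXPECTED_URL = "https://smartreceiver.cisco.com/licservice/license"

def field(text, name):
    """Return the value of the first 'name: value' line, or None if absent."""
    m = re.search(rf"^[ \t]*{re.escape(name)}:[ \t]*(.*)$", text, re.M)
    return m[1].strip() if m else None

def when(value):
    """Parse 'Mmm dd hh:mm:ss yyyy UTC'; '<none>' or a missing field gives None."""
    try:
        return datetime.strptime(value, "%b %d %H:%M:%S %Y UTC").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None

def check_direct_online(text, now):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if field(text, "Type") != "Smart":
        findings.append("transport type is not Smart")
    if field(text, "URL") != EXPECTED_URL:
        findings.append("transport URL is not the default CSSM URL")
    if when(field(text, "Trust Code Installed")) is None:
        findings.append("no trust code installed")
    if when(field(text, "Last ACK received")) is None:
        findings.append("no ACK received yet")
    deadline = when(field(text, "Next ACK deadline"))
    if deadline and deadline < now:
        findings.append("ACK deadline has passed")
    return findings

if __name__ == "__main__":
    print(check_direct_online(SAMPLE, datetime.now(timezone.utc)))
```

A "no ACK received yet" finding within the first few minutes after token installation is expected, given the delay noted above.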

This completes the setup.


