What is Smart Licensing Using Policy?
Catalyst switches with IOS-XE version 16.9.1 and later and ASR / ISR routers with 16.10.1 and later used smart licenses as a license management mechanism.
After smart licenses went into operation, Cisco received a lot of feedback from users, and a new mechanism called Smart Licensing Using Policy was introduced as a modification of smart licenses.
Target version
Devices running IOS-XE 17.3.2 and later (17.4.1 and later for some devices) support Smart Licensing Using Policy.
At the time of writing this post, the recommended version for all C9000 series is 17.3.4, so understanding Smart Licensing Using Policy is essential.
Major changes
The main changes from the conventional smart license are as follows.
- Evaluation mode is gone
- In the device, all licenses are in the IN USE state by default (except for some).
- The device collects a license and its usage report and sends it to CSSM, and CSSM returns an ACK.
- SLR (License Reservation) is no longer supported
RUM report
- Resource Utilization Measurement
- Usage reports generated and saved by Product Instances (PIs)
- All license usage changes made in PI are saved as a report file
- When CSSM receives RUM report data from the PI, it validates the report, checks the modified license usage timeline, and updates the CSSM data accordingly. The CSSM then acknowledges the PI via an ACK response message.
How to report to CSSM
As with traditional smart licensing, there are several reporting methods for Smart Licensing Using Policy.
Report directly from the device to CSSM
With this method, Cisco equipment sends reports directly to CSSM on the Internet. There are two patterns, online and offline.
Online, the device connects to the Internet and automatically sends reports to CSSM on a regular basis. (Sometimes called CSSM Online.)
Offline, the device does not connect to the Internet. The administrator manually exports the report from the device and uploads it to CSSM, then downloads the ACK from CSSM and imports it into the device. (Sometimes called CSSM offline.)
Reporting using the Cisco Smart Licensing Utility (CSLU)
Use the Cisco Smart Licensing Utility (CSLU), an application that runs on Windows 10. The device sends a report to CSLU, which in turn sends a report to CSSM.
This method also has two patterns, online / offline, depending on the CSLU Internet connection status.
License enforcement type
Licenses in Smart Licensing Using Policy are classified by enforcement type. There are three types:
- Unenforced or Not Enforced
  - Does not require authorization or registration before use
  - All licenses available on Catalyst access / core / aggregation switches are of this type
- Enforced
  - Requires authorization before use
  - Authorization code needs to be installed on the target device
  - An example of this type of license is the Media Redundancy Protocol (MRP) client license available on Cisco Industrial Ethernet switches.
- Export-Controlled
  - Exports are restricted by U.S. trade control laws and these licenses require authorization before use
  - Authorization code needs to be installed on the target device
  - An example of this type of license is a fast encryption (HSECK9) license that can be used on a particular Cisco router.
License type
In addition to the enforcement type described above, licenses are classified by license type. There are the following two types.
- Perpetual
  - No expiration date
  - C9000 series Network Essentials and Network Advantage are of this type
- Subscription
  - Has an expiration date
  - C9000 series DNA Essentials and DNA Advantage are of this type
You can check the license enforcement type and license type in the License Usage item of show license all.
#show license all
...
License Usage
=============
network-essentials (C9200L-NW-E-24):
Description: C9200L-24 Network Essentials
Count: 1
Version: 1.0
Status: IN USE
Export status: NOT RESTRICTED
Feature Name: network-essentials
Feature Description: C9200L-24 Network Essentials
Enforcement type: NOT ENFORCED '<---------attention'
License type: Perpetual '<---------attention'
dna-essentials (C9200L-DNA-E-24):
Description: C9200L-24 DNA Essentials
Count: 1
Version: 1.0
Status: IN USE
Export status: NOT RESTRICTED
Feature Name: dna-essentials
Feature Description: C9200L-24 DNA Essentials
Enforcement type: NOT ENFORCED '<---------attention'
License type: Subscription '<---------attention'
...
Policy
The policy includes the following elements, which determine the device behavior.
- Necessity of ACK from CSSM
- The following items by enforcement type / license type
  - First report requirement:
    - The initial report must be submitted within the time period specified here
    - 0 means not needed
  - Reporting frequency:
    - Subsequent reports must be submitted within the time period specified here
    - 0 means not needed
  - Report on change:
    - If your license usage changes, you must submit the report within the time period specified here.
    - 0 means not needed
#show license all
...
Policy:
Policy in use: Merged from multiple sources.
Reporting ACK required: yes (CISCO default)
Unenforced/Non-Export Perpetual Attributes: '<---------Policy for Unenforced/Non-Export and Perpetual type'
First report requirement (days): 365 (CISCO default)
Reporting frequency (days): 0 (CISCO default)
Report on change (days): 90 (CISCO default)
Unenforced/Non-Export Subscription Attributes: '<---------Policy for Unenforced/Non-Export and Subscription type'
First report requirement (days): 90 (CISCO default)
Reporting frequency (days): 90 (CISCO default)
Report on change (days): 90 (CISCO default)
Enforced (Perpetual/Subscription) License Attributes: '<---------Policy for Enforced type'
First report requirement (days): 0 (CISCO default)
Reporting frequency (days): 0 (CISCO default)
Report on change (days): 0 (CISCO default)
Export (Perpetual/Subscription) License Attributes: '<---------Policy for Export type'
First report requirement (days): 0 (CISCO default)
Reporting frequency (days): 0 (CISCO default)
Report on change (days): 0 (CISCO default)
...
By default, the CISCO default policy is applied as above.
The policy that applies depends on the combination of enforcement type and license type, so both types are points to check for each license.
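The lookup described above, as an added example that is not part of the original post: it reads each license's enforcement type and license type from `show license all` text and returns the policy block that governs it. The sample text is constructed in the shape of the output shown above; the function names are hypothetical, and the handling of enforcement strings other than NOT ENFORCED is an assumption.

```python
import re

# Constructed sample: trimmed "show license all" output in the shape shown above.
SAMPLE = """\
network-essentials (C9200L-NW-E-24):
  Enforcement type: NOT ENFORCED
  License type: Perpetual
dna-essentials (C9200L-DNA-E-24):
  Enforcement type: NOT ENFORCED
  License type: Subscription
Policy:
  Unenforced/Non-Export Perpetual Attributes:
    First report requirement (days): 365 (CISCO default)
    Reporting frequency (days): 0 (CISCO default)
    Report on change (days): 90 (CISCO default)
  Unenforced/Non-Export Subscription Attributes:
    First report requirement (days): 90 (CISCO default)
    Reporting frequency (days): 90 (CISCO default)
    Report on change (days): 90 (CISCO default)
"""

def parse(text):
    """Return ({license: {field: value}}, {policy heading: {field: days}})."""
    licenses, policies, lic, pol = {}, {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"([\w-]+) \(\S+\):$", line):
            lic = licenses.setdefault(m.group(1), {})
        elif lic is not None and (m := re.match(r"(Enforcement type|License type): (.+)", line)):
            lic[m.group(1)] = m.group(2)
        elif line.endswith("Attributes:"):
            pol = policies.setdefault(line[:-1], {})
        elif pol is not None and (m := re.match(r"(.+) \(days\): (\d+)", line)):
            pol[m.group(1)] = int(m.group(2))
    return licenses, policies

def reporting_plan(text):
    """Map each license to the policy block for its enforcement/license type pair."""
    licenses, policies = parse(text)
    plan = {}
    for name, lic in licenses.items():
        enf, typ = lic["Enforcement type"], lic["License type"]
        if enf == "NOT ENFORCED":
            key = f"Unenforced/Non-Export {typ} Attributes"
        else:  # assumption: the page shows only the NOT ENFORCED string
            kind = "Export" if "EXPORT" in enf else "Enforced"
            key = f"{kind} (Perpetual/Subscription) License Attributes"
        plan[name] = policies.get(key)  # None if that block is absent
    return plan
```

A value of 0 in the returned dictionary means that report is not needed, as described in the policy elements above.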
First check point at build time
- IOS-XE version used in the device to be built
- Which reporting method to use
- With or without optional DNA license
It is safer not to change the license level unnecessarily
As mentioned in the policy section above, there is a set deadline for reporting after a change in license usage, so it is likely that you will need to report to CSSM after changing the license boot level.
Therefore, if you change the license level when you don’t need it, you run the risk of having trouble reporting to CSSM.
It seems safer not to try changing the license boot level.
Direct report method (online)
The direct report method (online) is probably the most frequently used method.
The procedure for adopting the direct report method (online) is as follows.
- Set up the device
- Issue a token (trust code) in CSSM
- Operate the device in an environment where an Internet connection is possible, and install the token (trust code) on the device
- Confirm that the device was able to receive the ACK from CSSM
Device settings
Basic settings for connecting to CSSM
- DNS server settings
ip name-server <DNS server IP>
- DNS domain lookup source interface configuration
ip domain lookup source-interface <IF name>
- IP domain name settings
ip domain name <Domain name>
- Setting the IP address of the L3 interface
- NTP server, time zone setting
- Routing settings for the Internet
- HTTP client source interface settings
ip http client source-interface <IF name>
License boot level setting
Change the license level of the device as needed. (Global setting)
license boot level <Network license level> [addon <DNA license level>]
Since the license level change will be reflected after restarting, reboot the device after changing the setting.
Transport type setting
Basically, the call-home used in the conventional smart license is not used, and all you have to do is set the following transport type and URL. (You can also use call-home.)
The transport type defaults to cslu, but for direct reporting, set it to smart. Then set license smart url default.
#Global setting
license smart transport smart
license smart url default
After setting license smart url default, the following settings will be entered automatically.
license smart url https://smartreceiver.cisco.com/licservice/license
license smart url smart https://smartreceiver.cisco.com/licservice/license
After setting, use the show license all command to confirm that the following is displayed.
#show license all
...
Transport:
Type: Smart
URL: https://smartreceiver.cisco.com/licservice/license
Proxy:
Not Configured
...
Issuing tokens with CSSM
Ask an authorized person to issue the token. The token issuance procedure is as follows.
- Log in to CSSM and click Smart Software Licensing
- Click the Inventory tab
- Select the desired virtual account from the Virtual Account drop-down list
- Click the General tab
- Click New Token (Create Registration Token screen opens)
- Enter a description in the Description field (optional)
- Enter the token validity period in the Expire After field (optional, default 30 days)
- Enter the number of times the token can be used in the Max. Number of Uses field (optional, default unlimited)
- Click Create Token
- You can copy the token by selecting Copy in the Actions field of the target token record from the token list.
Installation and verification of tokens on the device
Once you have the token, install it on your device.
Install the token using the following command in an environment where you can connect to the Internet.
# license smart trust idtoken <token> <local | all> [force]
- <token>: Token (string) obtained from CSSM
- <local | all>: Specify local if the device is not in a stack configuration, and specify all if the device is in a stack configuration.
- [force]: When specified, the force flag is set on the message sent to CSSM and a new trust code is created even if the target UDI already exists.
license smart trust idtoken XXXXXX local
After installing the token, check the status with the show license all command.
# show license all
...
Usage Reporting:
Last ACK received: Mmm dd hh:mm:ss 2021 UTC
Next ACK deadline: Mmm dd hh:mm:ss 2021 UTC
Reporting push interval: 30 days
Next ACK push check: <none>
Next report push: Mmm dd hh:mm:ss 2021 UTC
Last report push: Mmm dd hh:mm:ss 2021 UTC
Last report file write: <none>
Trust Code Installed: Mmm dd hh:mm:ss 2021 UTC
...
- Last ACK received: The time when the ACK from CSSM was received is displayed.
- Trust Code Installed: The token installation date and time is displayed.
Also, check that the target device is registered on the Product Instances screen of CSSM.
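The verification steps of the direct report (online) procedure can be scripted against captured `show license all` output. This is an added example, not part of the original post: the function names are hypothetical, the sample timestamps are constructed, and the timestamp format is assumed from the "Mmm dd hh:mm:ss 2021 UTC" placeholder above.

```python
import re
from datetime import datetime

EXPECTED_URL = "https://smartreceiver.cisco.com/licservice/license"  # URL shown on this page

# Constructed sample (timestamps invented) in the shape of the page's output.
SAMPLE = """\
Transport:
  Type: Smart
  URL: https://smartreceiver.cisco.com/licservice/license
Usage Reporting:
  Last ACK received: Aug 10 02:15:30 2021 UTC
  Next ACK deadline: Nov 08 02:15:30 2021 UTC
  Trust Code Installed: Aug 10 02:10:11 2021 UTC
"""

def fields(text):
    """Collect 'Key: value' lines; section headers with no value are skipped."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):\s+(\S.*)$", line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out

def check_direct_report(text, now):
    """Return a list of problems; an empty list means the online setup looks complete."""
    f, problems = fields(text), []
    if f.get("Type") != "Smart":
        problems.append("transport type is not Smart")
    if f.get("URL") != EXPECTED_URL:
        problems.append("transport URL is not the default smart URL")
    for key in ("Trust Code Installed", "Last ACK received"):
        if f.get(key, "<none>") == "<none>":
            problems.append(f"{key} is empty")
    deadline = f.get("Next ACK deadline", "<none>")
    if deadline != "<none>":
        # Assumed format, taken from the placeholder in the page's output.
        if datetime.strptime(deadline, "%b %d %H:%M:%S %Y UTC") < now:
            problems.append("ACK deadline has passed")
    return problems
```

Pass the current UTC time as `now`; a non-empty result names which step of the procedure to revisit.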
This completes the procedure.