Evolving Smart Licensing, what’s coming and when?

Does anyone else feel like they need a Ph.D. in Cisco licensing?! The good news is that there are some changes coming to help make our lives easier.

Most of you are likely familiar with Smart Licensing; you can go here if you need more information. Smart Licensing (SL) was introduced during Cisco’s transition to subscription-based licenses. Cisco believed Smart Licensing would streamline the way customers activate and manage Cisco licenses across the organization. Transitioning from the traditional PAK-based licensing method to SL wasn’t the only goal for Cisco, though. Among other things, it served as a way to combat grey-market gear: upon purchasing a product from Cisco, a Smart Account would be associated with the order, which in turn would entitle the organization to its licenses, products, and services.

A Smart Account is hierarchical and serves as the top-level domain for the organization. You can further organize your Smart Account into sub-accounts, known as “Virtual Accounts,” so it is structured very much like a domain. A “DEFAULT” Virtual Account serves as your catch-all bucket; it is persistent and can’t be changed.

After Cisco launched the new licensing model, they found that customers’ purchasing processes became complicated, their operational overhead increased, and their security practices were challenged (every device had to reach out to Cisco to register). Cisco took this feedback and decided they needed to evolve SL to be less burdensome.

You can find the current list of Smart License enabled products here.

Introducing Smart Licensing Using Policy

Starting with IOS-XE 17.3.2/17.4.1, all products running these versions of the software will only support Smart Licensing Using Policy. These currently include:

  • Cisco Catalyst 9000 Series switches.
  • Routing platforms such as the ASR1K, ISR1K, and ISR4K.
  • The next-generation virtual routers, starting with Polaris IOS-XE release 17.4.1.
  • Cisco Catalyst 9800 Series Wireless Controllers and APs.
  • Internet of Things (IoT) next-generation platforms such as the Industrial Router IR1101 and Industrial Ethernet IE3200/3300/3400; any next-gen IoT products will also adopt Smart Licensing Using Policy.
  • Collaboration products: CUBE, SRST, and CME, with their November release.

With Smart Licensing Using Policy you can expect: 

  1. The product will not boot in evaluation mode (see the screenshots below).
  2. Per-product software registration is not required.
  3. Ongoing communication with Cisco every 30 days is no longer needed.

Registering a device before use and the ongoing communication are going away. However, reporting to Cisco may still be a pain point. The good news? Reporting is only required when there is a change in software level for a perpetual or subscription license. Software levels don’t change too frequently, so it may not be too big of an issue.

For example, say you purchase a Catalyst 9120 access point with DNA Essentials from the factory and, 30 days later, you realize you need EasyQoS. You’d have to change to DNA Advantage, which means you now need to report this change to Cisco.

This change would need to be reported within 90 days to Cisco. 

What happens if you don’t? Most products simply turn into a nag box, sending out syslog/alarm notifications. However, you should review the enforcement rules specific to the particular device to avoid potential interruptions.

You can find the enforcement rules per product here.

Reporting

You can report to Cisco in a couple of different ways. 

1. A new reporting utility called Cisco Smart Licensing Utility (CSLU): a small Windows application that collects usage reports from your devices and forwards them to Cisco. It can be configured for push (the device initiates the connection to CSLU) or pull (CSLU polls the device) operation.

2. Cisco DNA Center controller taking the role of the CSLU: Cisco DNA Center has connectivity to Cisco Smart Software Manager (CSSM) and periodically exchanges information with Cisco to keep your devices in sync with CSSM.

3. Offline: the usage data is exported from the device to storage and then uploaded to CSSM; the acknowledgement that CSSM returns is imported back onto the device.

In the end, not having to register a product before use makes sense, but reporting may still be cumbersome. I’m thinking there’s a way you could script this with Python.

Here’s a screenshot of pre-IOS-XE 17.3.2 and post-IOS-XE 17.3.2.

Mike

Smart Software Licensing Overview. (2020, November 26). Retrieved from https://www.cisco.com/c/en/us/products/software/smart-accounts/software-licensing.html

Cisco DNA Software Subscription Matrix for Wireless. (2020, November 17). Retrieved from https://www.cisco.com/c/m/en_us/products/software/dna-subscription-wireless/en-sw-sub-matrix-wireless.html?oid=porew018984

(n.d.). Retrieved from https://www.cisco.com/c/dam/en/us/products/collateral/software/smart-accounts/smart-licensing-feature-roadmap-by-pf-external-v20201102.xlsx

(n.d.). Retrieved from https://software.cisco.com/download/home/286285506/type/286327971/release/1.0.0-2

Networking Hype, Cisco’s SDWAN Catalyst 8000 Edge Platform

Cisco announced the Catalyst 8000 Edge Platforms, designed to accelerate next-generation WAN and 5G and to enable connectivity to hybrid and multi-cloud applications. The Catalyst 8000 Edge Platform includes the Catalyst 8500 Series for aggregation, the Catalyst 8300 Series for access, and the Catalyst 8000V Edge software for virtual/cloud deployments.

The Catalyst 8000V will be available with Cisco SD-WAN 17.4, so you will have to wait just a bit longer.  

It’s an “edge platform.” Not a router.

Typically the Catalyst family line is analogous to Cisco switching; however, the branding and messaging align with Cisco’s intent-based networking (IBN) portfolio. The “Catalyst” name now unifies the LAN and the WAN.

With distributed locations, flexible deployment models, and hosting of containerized services, the role of the “router” has evolved into that of a WAN edge device. Calling these devices “edge platforms” rather than “routers” seems more appropriate.

The platform fits nicely into the Cisco SD-WAN portfolio, as it addresses security on-box and supports Umbrella’s cloud-based FWaaS, with cloud-native agility provided by Cloud OnRamp for IaaS and SaaS for distributed applications. (If you haven’t seen this in action, it’s eye-opening!)

Expect other vendors to begin combining these features into one solution, as Gartner has already coined the term “SASE” (Secure Access Service Edge), pronounced “sassy,” to describe it.

In addition to the above, the edge platform functions as an edge router like you’d expect with some new beefiness to it. 

Catalyst 8300 Series, compared to the ISR 4400 Series offers:

  • Up to five times faster data plane performance 
  • Up to 12 Core CPU 
  • Native support for 10GE 

Catalyst 8500 Series, compared to ASR1001-HX and ASR1002-HX offers:

  • Improved data plane with Cisco’s custom 3rd-generation Quantum Flow Processor (QFP) ASIC
  • Inline crypto
  • Native support for 100GE and 40GE

Catalyst 8000v Series, compared to CSR1000V offers:

  • Support for up to 16vCPUs
  • 25Gbps Interfaces

and many more.

Lastly, there is no End-of-Life announcement for the previous platforms that the Catalyst 8000 line intends to replace, as of 10/20/20. I’d be willing to bet that these platforms adopt ThousandEyes at some point, which is an absolute game-changer.

Mike

Valente, Jean-Luc “Introducing the Catalyst 8000 Edge Family, Cisco’s New SD-WAN Platform” Oct. 20, 2020, Retrieved From https://blogs.cisco.com/networking/catalyst-8000-edge-platforms

Cisco “Cisco Catalyst 8000 Edge Platforms Family” Oct. 20, 2020, Retrieved From
https://www.cisco.com/c/en/us/products/routers/cloud-edge/index.html?ccid=cc001903

Lerner, Andrew “Say Hello to SASE (Secure Access Service Edge)” Dec. 23, 2019, Retrieved From
https://blogs.gartner.com/andrew-lerner/2019/12/23/say-hello-sase-secure-access-service-edge/

RIPv2 Authentication

RIP is an old distance-vector routing protocol. I wanted to give a quick overview of a potential gotcha when using authentication with RIP.

Below is the topology that we will be using.

[image rip.auth1: lab topology, R1, R2, and R3]

RIPv2 has been enabled on R1, R2, and R3, and we have full reachability between our nodes. I have enabled plain text authentication on each link. Here is R2’s output.

[image rip.auth2: R2’s key chain and RIP authentication configuration]

Key Chain = PASSWORD_TEXT
Key Number = 1
Key String = CCIE

I am going to setup a packet capture so we can view our RIP packets.

[image rip.auth3: packet capture of R2’s RIPv2 update with simple password authentication]

Notice that R2 (10.0.12.2) is sending updates to the RIP multicast address 224.0.0.9 with Authentication type: Simple Password, and that our password, CCIE, is readable right there in the capture. Plain text authentication sends the key on the wire in the clear, so it guards against accidental or misconfigured neighbors, not against anyone who can sniff the segment. One thing in particular to note is that the key identifier (our key number, 1 in our case) appears nowhere in the packet; it is arbitrary.

Because RIP plain text authentication doesn’t transmit the key identifier, you could have different key numbers on each of our routers. Say R1 = Key 1, R2 = Key 2, R3 = Key 3: authentication would still succeed as long as the password matches.

Let’s switch our plain text authentication to MD5 authentication between R1 and R2.

[image rip.auth4: MD5 key chain and RIP authentication configuration between R1 and R2]

I created a new key chain and used MD5 authentication between R1 and R2. The link between R2 and R3 is still using plain text authentication.

Key Chain = PASSWORD_MD5
Key Number = 2
Key String = CCIE

I’ll set up a new packet capture between R1 and R2.

[image rip.auth5: packet capture of the RIPv2 update with MD5 authentication, Key ID 2]

We have the same information as in our last capture, with two slight differences. We are now using Authentication type: MD5 (Wireshark labels it Keyed Message Digest), and there is now a key identifier field, Key ID: 2. The password itself is no longer visible; the packet carries a 16-byte MD5 digest in a trailer entry instead.

I’m going to change the Key ID on R1 to 1. Let’s see what happens when we have two different Key IDs.

[image rip.auth6: R1’s key chain changed to Key ID 1]

R1 is now using Key ID 1, and below you can see R1 ignoring RIP updates from R2 because authentication failed.

[image rip.auth7: R1 debug output showing RIP updates from R2 ignored due to authentication failure]

The point here is that when using RIP authentication with MD5, the key identifier needs to match between routers. You can see why in the packet capture: the key identifier is transmitted in the RIP payload, and the receiver uses it to pick the key out of its own key chain before computing the digest. If the Key ID differs, the receiver has no key under that number and authentication fails, even though both routers are configured with the identical key string.
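To make the difference concrete, here is an added example (my own code, not from the original post or from Cisco) that builds RIPv2 responses in both authentication modes in Python and checks them against a receiver’s key chain, following RFC 2453 for the simple-password entry and RFC 2082 for the keyed-MD5 header and trailer layout. The route prefix, the sequence number, and the key chains are constructed for the demo; the key string CCIE and the key numbers 1 and 2 mirror the lab above.

```python
"""RIPv2 authentication on the wire: simple password vs. keyed MD5.

Added example, not code from the original post. Packet layouts follow
RFC 2453 (simple password) and RFC 2082 (keyed MD5). All packets and
key chains below are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AUTH_AFI = 0xFFFF            # address family 0xFFFF marks an authentication entry
AUTH_SIMPLE, AUTH_MD5 = 2, 3  # authentication type values
AUTH_TRAILER = 1             # RFC 2082 trailer entry that carries the digest
ENTRY_LEN = 20               # every RIPv2 entry is 20 bytes


def _pad_key(key: bytes) -> bytes:
    """RIP keys are at most 16 bytes and are null-padded on the wire."""
    if len(key) > 16:
        raise ValueError("RIP authentication keys are limited to 16 bytes")
    return key.ljust(16, b"\x00")


def route_entry(prefix: str, mask: str, nexthop: str, metric: int) -> bytes:
    """One 20-byte RIPv2 route entry (AFI 2 = IPv4, route tag 0)."""
    def pack(ip: str) -> bytes:
        return ipaddress.IPv4Address(ip).packed
    return struct.pack("!HH4s4s4sI", 2, 0, pack(prefix), pack(mask), pack(nexthop), metric)


def build_simple(routes: list[bytes], password: bytes) -> bytes:
    """Response with simple-password auth: the password itself rides in the first entry."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    auth = struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE, _pad_key(password))
    return header + auth + b"".join(routes)


def build_md5(routes: list[bytes], key_id: int, key: bytes, seq: int) -> bytes:
    """Response with keyed-MD5 auth: the header entry carries the Key ID, the trailer the digest."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = b"".join(routes)
    trailer_offset = 4 + ENTRY_LEN + len(body)  # the "RIP-2 packet length" field
    auth = struct.pack("!HHHBBI8s", AUTH_AFI, AUTH_MD5, trailer_offset, key_id, 16, seq, bytes(8))
    trailer_head = struct.pack("!HH", AUTH_AFI, AUTH_TRAILER)
    # RFC 2082: MD5 over the packet with the padded key sitting in the digest slot,
    # then the digest replaces the key. The key string never leaves the router.
    digest = hashlib.md5(header + auth + body + trailer_head + _pad_key(key)).digest()
    return header + auth + body + trailer_head + digest


def parse_auth(packet: bytes) -> dict:
    """What a sniffer sees: the auth type, and a Key ID only if the type carries one."""
    afi, auth_type = struct.unpack("!HH", packet[4:8])
    if afi != AUTH_AFI:
        return {"type": "none", "key_id": None}
    if auth_type == AUTH_SIMPLE:
        return {"type": "simple", "key_id": None, "password": packet[8:24].rstrip(b"\x00")}
    if auth_type == AUTH_MD5:
        _, key_id, _, seq = struct.unpack("!HBBI", packet[8:16])
        return {"type": "md5", "key_id": key_id, "seq": seq}
    return {"type": f"unknown({auth_type})", "key_id": None}


def verify(packet: bytes, keychain: dict[int, bytes]) -> bool:
    """Receiver-side check against a key chain of {key_number: key_string}."""
    info = parse_auth(packet)
    if info["type"] == "simple":
        # No Key ID on the wire, so any key in the chain with the same string matches
        return any(_pad_key(k) == packet[8:24] for k in keychain.values())
    if info["type"] == "md5":
        trailer_offset, key_id, auth_len, _ = struct.unpack("!HBBI", packet[8:16])
        key = keychain.get(key_id)  # the Key ID selects the key; no such key is a hard failure
        trailer = packet[trailer_offset:]
        if key is None or auth_len != 16 or len(trailer) != ENTRY_LEN:
            return False
        if trailer[:4] != struct.pack("!HH", AUTH_AFI, AUTH_TRAILER):
            return False
        expected = hashlib.md5(packet[:trailer_offset + 4] + _pad_key(key)).digest()
        return hmac.compare_digest(expected, trailer[4:])
    return False


if __name__ == "__main__":
    routes = [route_entry("10.0.23.0", "255.255.255.0", "0.0.0.0", 1)]  # constructed sample route
    simple = build_simple(routes, b"CCIE")
    print(parse_auth(simple))                                          # password visible, no key_id
    print(verify(simple, {1: b"CCIE"}), verify(simple, {3: b"CCIE"}))  # True True: key number irrelevant
    from_r2 = build_md5(routes, key_id=2, key=b"CCIE", seq=1)
    print(parse_auth(from_r2))                                         # key_id 2 is on the wire
    print(verify(from_r2, {2: b"CCIE"}))                               # True: R1 still on key 2
    print(verify(from_r2, {1: b"CCIE"}))                               # False: R1 moved to key 1
```

Running it reproduces both captures: the simple-password packet verifies against any chain that holds CCIE regardless of key number and exposes the password to anyone parsing the packet, while the MD5 packet built by "R2" with Key ID 2 verifies against a chain keyed on 2 and fails against one keyed on 1, which is the failure in rip.auth7. Two caveats a practitioner should keep in mind: RFC 2082 is a keyed hash (key appended to the packet), not an HMAC, and MD5 is long past its prime, so this is integrity against accidental peering and casual tampering rather than strong cryptographic protection; and the sequence number is not checked here, whereas a real router tracks it per neighbor to reject replayed updates.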

Mike

 

Converting Cisco IOS-XE Software from Bundle Mode to Install Mode

Recommended Releases for Cat9k

Today we’re going to convert a Cisco WS-C3850-24XS from Bundle running mode to Install running mode.

If you haven’t read my other post on operating modes for the Cat3k or 9Ks, look there first: Upgrading Cisco IOS-XE Software (Install Mode).

You can also review the upgrade procedure for specific hardware (Catalyst 9200 upgrade procedure), or review Campus switching positioning with Catalyst 9Ks for a quick reference to determine which hardware is best suited for your campus.

I first want to show you the file(s) that each mode references. I’ll use the show version command to do this.

[images 3850-1, 3850-2: show version output from the 3850 in BUNDLE mode]

You can see from the previous output that the 3850 is running in BUNDLE mode. Secondly, look at the line that starts with “System image file is...”. It gives the name and location of the booted Cisco IOS XE bundle file; notice that it has a .bin extension.

[images 3850-3, 3850-4: show version output from a switch in INSTALL mode]

Again using the show version command, in the previous output the 3650 is running in INSTALL mode. This time the line that starts with “System image file is...” references the name and location of the provisioning file, packages.conf.

Let’s continue changing our Bundle running mode to Install running mode.

To do this, execute the command below from privileged EXEC mode:

3850# software expand running to flash:

[image 3850-5: output of software expand running to flash: on the stack]

I am executing this on a stack, so you can see that the operation expands the bundle (.bin) file on both switch 1 and switch 2. This is essentially unpacking the .pkg files from the .bin file the switch is currently running.

Notice that the switch attempts to create a packages.conf file, but one already exists, so it creates a file called ‘running-packages.conf‘ instead. This isn’t a big deal. If you want the file to be named packages.conf, rename the existing packages.conf to something else before you run the command above.

After this finishes, we can view the flash:/ to see our pkg files.

[image 3850-6: flash: directory listing showing the expanded .pkg files and running-packages.conf]

Here we see two .pkg versions, 03.07.04E.pkg and 03.07.05E.pkg. Which one is the most recent? 03.07.05E.pkg, because that is the version we just extracted from the running cat3k_caa-universalk9.SPA.03.07.05.E152-3.bin file. Also notice the running-packages.conf file.

Let’s change the boot system variable to reference our new .conf file.

[image 3850-7: boot system variable changed to point at running-packages.conf]

Note: Check whether you already have a boot variable defined. Change it so that on the next boot the switch loads your packages.conf file (running-packages.conf in this case) and not the .bin file. Confirm the boot variable with the show boot command before you reload.

Save your running config to the startup config and reload the switch.

After the reload, we can check our running mode.

[image 3850-8: show version after the reload, now reporting INSTALL mode]

Let’s clean up our flash directory.

[image 3850-9: cleaning up the flash directory]

Here is the flash directory after we cleaned it.

[image 3850-10: flash: directory listing after cleanup]

Mike

CCIE, is it time?

I have always had a dream to one day become CCIE certified and it has always been just that, a dream. It has always been unclear on how I would do this. There is no road map to becoming a CCIE. So when I sit and dream about becoming a CCIE it makes me a bit anxious. My blood pressure starts to rise, my palms get sweaty, my stomach starts to hurt. I can’t help but be anxious.

I started to groom my conscious thoughts about becoming a CCIE for a few months, hoping to set myself at ease by Googling things like, “How to become a CCIE?” or “What does it take to be a CCIE?” (this really didn’t help). The overwhelming response was: be ready to sacrifice a lot, and it is expensive... great, thanks for stating the obvious.

Unfortunately I wouldn’t have a “sponsor” for this journey, which is fine, but having an employer assist me in my efforts would be great (this changed July 26th, 2018, when I was hired by Cisco). I also didn’t have peers who were of CCIE status. It wasn’t like I was sitting in a room of other CCIEs whom I could ask questions. So it was hard for me to understand things like how to start, where to start, and what the best resources are.

I started to curate a list of resources that I would use for my studies; I even created a work/study schedule that I could use as a sort of soft opening to my studies. I started reading Routing TCP/IP Volume I and II by Jeff Doyle for my soft-opening studies, as I called them. I would tweak the schedule based on how I felt, and after a few months I had a good plan in place that complements work, family, and pleasures.

What did turn out to be useful from my Google searches was that many CCIE achievers started by ensuring that their spouse, family, friends, and others understood the sacrifices and what it would take to achieve their CCIE. Many of them stated that this was key to their success. So for that reason, after a few months I sat down to discuss my CCIE aspiration with my wife. My wife already knew about this CCIE dream, so it wasn’t a surprise to her when I brought it up. I was fully transparent about my studies, the cost, and the marathon I was about to start. She was fully supportive, and I couldn’t have asked for a better support system than her. I then included my friends, family, and my employer in my efforts.

As of today April 2, 2018 I will be starting my CCIE journey. I plan to fall in love with the process of becoming great. This journey will be about becoming an expert in my field and as a byproduct achieve my CCIE. I hope to share as much as I can with all of you during this time. I appreciate any and all support.

Mike