Brkarc 2034 smart-licensing

BRKARC-2034
Engineering Licensing Office, CCIE #1981
Care and Feeding of
Smart Licensing
James Ng,
Technical Marketing Engineer
Colton Jenkins,
Technical Lead Engineering Licensing Office

Agenda
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
• Get Ready!
• Smart Licensing Overview
• Smart Licensing Communications
• Get Set!
• Product Licensing Work Flow
• Product Licensing States
• Go!
• Deploying Smart License Enabled Products
• Conclusion
BRKARC-2034

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
In this session, you will learn about deploying Cisco products using Cisco’s latest product licensing
vision. Come learn the foundational concepts you need to need to as you deploy and configure
Smart Software Licensing for Cisco products. Together, we will go over the various scenarios you
might deploy Smart License enabled products in connected and mediated networks.
For mediated (disconnected) networks, we will present an overview of the Cisco Smart Software
satellite, and how product configuration differs when used. By moving to an ISO-19770 Software
Asset Management (SAM) solution, Cisco Smart Software Licensing simplifies the deployment of
Cisco products focusing on usage (what and how many) and not enforcement. With Cisco Smart
Software Licensing say “goodbye” to Product Activation Keys (PAKs) and License files!
It is recommended that the student is familiar with Smart Licensing before taking this session.
BRKARC-2010 (Smart Accounts and Smart Licensing)
https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=93760&backBtn=true
BRKARC-2034 4

Get Ready!
Overview:
Smart Licensing and
Smart Accounts
Smart Licensing
Communications

• CSR – Certificate Signing Request
• CSSM or SSM – Cisco Smart Software Manager
• DLC – Device Led Conversion
• DNS – Domain Name Server
• FQDN - Fully Qualified Domain Name
• LCS – License Crypto-Module Support
• LVA – Local Virtual Accounts
• MSLA – Managed Service License Agreements
(Utility)
• OOC – Out of Compliance
• PI – Product Instances
Acronym Decoder
• PIDs – Product IDs
• PLR – Permanent License Reservation
• SA – Smart Account
• SBP – Subscription Billing Platform
• SCH – Smart Call-Home
• SKU – Stock Keeping Units
• SLR – Specific License Reservation
• TPL – Third (3rd) Party Licensing
• UUID – Universally Unique Identifier
• VA – Virtual Accounts
BRKARC-2034 6

Cisco Software Central – software.cisco.com
Software License
Tools
Smart Account
Management
Manage
Downloads and
Upgrade Products
Ordering and
EULA Tools
Network Plug
and Play
BRKARC-2034 7

What is Cisco Smart Licensing?
• Cisco Smart Licensing is a new way of thinking about licensing at Cisco that is being applied to all products
• Instead of DRM or Node Locked licensing – its a Software Inventory Management System
• Provides Customers, Cisco, and Selected Partners with information about Software Ownership and Software
Utilization
Commerce
(CCW)
‘Smart’
Account
Cisco
Product
I Have Purchased 5 additional
‘Advanced’ Licenses for [big-u.edu]
Hello, I am Device-East5, I belong to
[big-u.edu] and I am using 1x License
Hello, Device-East5 from [big-u.edu],
you are ‘In-Compliance’
Ownership Usage
BigU.edu
I Own: 10
I am Using: 10
BRKARC-2034 8

What is a Smart Accounts
Architected as a “container” - for more than licenses
User Based Access
Customer, partner, or other
authorized party for control of
organizational assets.
Asset Pooling
Pool assets, user roles and
agreements for visibility of
company license
entitlements.
Manage Services and
Subscriptions
Manage service contracts
and subscriptions, and
download new software.
Track Purchases
Review purchases of Cisco
Software entitlements and allocate
new resources.
Review Cases
Manage cases open with Cisco
TAC and Cisco Support.
FutureToday
BRKARC-2034 9

Smart Account – Overview
• A Smart Account is a single place where
Customers can obtain visibility to their software
and entitlements.
• Information associated with a Smart Account
include
• User roles
• Licenses
• Devices
• Agreements the customer has with Cisco.
• These assets can be further divided into “Virtual
accounts” that might represents departments,
cost centers or locations within the company.
Organize it according to your business.
Users & Roles
Licenses
Devices
Agreements
bigu.edu
BRKARC-2034 11

Smart Account Structure
What is in the Smart Account?
You can USE but not TRANSFER licenses between SAs
Account where devices leveraging PAK licenses, Smart Licenses, and
licenses generated from EAs are stored and managed by a customer,
channel partner, or authorized party
Customer Smart Account
Users & Roles
Licenses
Devices
Agreements
Admissions
Physics
Science
Virtual Accounts
bigu.edu
You can TRANSFER but not USE a license
Account where partners / distributors can temporarily deposit orders
until the end customer Smart Account is identified. Also provide
company-wide access to orders associated with the Holding
Account.
Partner Holding
BRKARC-2034 12

Admissions
Physics
Chemistry
Virtual Accounts
Users & Roles
Licenses
Devices
Agreements
bigu.edu
Smart Accounts – Virtual Accounts
• Assets are represented as company owned allowing effortless sharing across your
enterprise
Share devices and licenses
across virtual accounts
easily.
Create sub-accounts to
reflect organization’s
construct.
BRKARC-2034 13

Smart Accounts – Virtual Accounts
• You can create virtual accounts that reflect your organization’s departments then associate
licenses and devices with those departments.
Admissions
Physics
Chemistry
Virtual Accounts
Users & Roles
Licenses
Devices
Agreements
bigu.edu
Overall Cisco Licenses
Warning and Notifications -25
Major Alert: Insufficient licenses – 25 needed to return to
compliance
License Quantity In Use Surplus
1900-WAN-
Collab-Suite
300 325 -25
1900-Threat-
Defense-Suite
500 425 +75
Track and Transfer Devices
ISR1900 Chemistry A Transfer
ISR1900 Chemistry B Remove
BRKARC-2034 14

Smart Products
Communicating with
Cisco

Router
Switch
Firewall
Unified
Communications
Products Smart Licensing
Agent
Authorized Backend
Router
Switch
Firewall
Unified
Communications
Cisco Smart
Software Manager
satellite
(Optional)
Router
Switch
Firewall
Unified
Communications
Cisco
Smart
Software
Manager
cisco.com
Software
SL
Products, Agents and a Backend
SL
SL
SL
SL
SL
SL
SL
SL
BRKARC-2034 16

Cisco Authorized Backend
BRKARC-2034
Cisco.com (Direct Connection) SSM satellite (On Premise)
• Cisco Products communicate by default
(out of the box with Smart Software
Manager
• Simplest method
• Cisco Products communicate with SSM
satellite the same way they do with Smart
Software Manager
• Connected and Disconnected modes
supported
• Information is exchanged in Text (YAML
formatted)
Cisco Smart Software
Manager
satellite
Cisco Smart
Software
Manager
CentOS 7 (Hardened)
17

AvailableTodayforall
products!
Methods of Communication
Direct cloud access (default)
Cisco product sends usage information directly over the internet. No
additional components are needed.
Options
Access through an HTTP proxy
Cisco Products send usage information over the internet via a Proxy
Server. Any off-the-shelf Proxy will work.
Access Through On-Premise License Management
Cisco products send usage information to a locally installed satellite.
Periodically, exchange information with Cisco to keep satellite sync. This
synchronization can occur automatically in connected environments or
manually in disconnected environments.
Full Offline Access – License Reservation
Use copy/paste information between product and Cisco.com to manually
check in and out licenses. Functionally equivalent to current node locking, but
with Smart License tracking.
Easeofuse
1
2
HTTPs
HTTP
Proxy
HTTPs
Copy / Paste
Cisco.com
Cisco.com
Cisco.comCisco
Satellite
Cisco.com
The Cisco Product is configured to use Smart Licensing at install/provisioning time. Direct cloud access is the default option.
Cisco
Product
Cisco
Product
Cisco
Product
Cisco
Product
Usage Info
Usage Info
Usage Info
Usage Info
5 Request License
License Response
3
4
+
File Transfer
Limited
Availability
BRKARC-2034 19

Telemetry
20BRKARC-2034
Smart Licensing requires the following minimal exchange of information during install/provision.
Cisco Checks:
 Licenses
 Device IDs
 Business Rules
Then
 Authorizes Use
HTTPS
On Premises
satellite/Proxy
-or-
Cisco Smart
Software Manager
Offline
Level of optional elements is fully configurable on products and/or satellite
Element Required
Trusted Unique Identifier
(SUDI/SUVI/ID)
Yes
Licenses Consumed Yes
Organization Identifier (ID Token) Yes
Hostname No
Other Smart Call Home Information No

Smart Product Telemetry & Visibility
• Industry Standard HTTPS (SSLv3*/TLS)
• Protects User’s Privacy!
• HTTP over TLS used for Transport encryption
• Telemetry sent to Cisco is User Configurable
• Smart Call Home Information is optional
• Smart License Information is minimal
• Auditable Telemetry sent by SSM satellite
• You have the right to inspect the data gathered
• License Information is in Text (YAML formatted)
01100101
100101011011
101001001010
0101101100100
001010011001
11010110101
1101001
* Newer products only use TLS
BRKARC-2034 22

Get Set!
Understanding:
Product Licensing Work Flow
Product Licensing States

Understanding Product
Licensing Work Flow

Smart Licensing User Workflow
Device/Product
started
For Hybrid
Product
Enable Smart
Licensing
SL State=
Un-configured
SL State=
Un-identified
SL State=
Registered
Create/Copy
Registration
ID Token from
CSSM
Enter Register
command/GU
I with ID
Token
Platform uses
feature &
reports usage
to CSSM
In-Compliance
(Authorized)
Out-of
Compliance
Have more licenses
than being used
Using more licenses
than entitled to
Device/Product Registration
Customer Smart
Account identified
Users & Roles
Licenses
Devices
Agreements
BRKARC-2034 26

An ID Token:
• Can be used once – or reused
multiple times
• Can be created and revoked at any
time
• Expires after a period of time
(default is 30 days; Minimum of 1
day and a maximum of 365 days)
What is Cisco Smart Licensing – ID Tokens
An ID Tokens is NOT:
• Product specific
• Licenses or keys or PAKs
• “one-time use”
• Stored on the Cisco Product
• Needed after the product is
registered
Used to securely Register products to a Smart Account and Virtual Account
ID Tokens are “organizational identifier” used to establish ‘identity’ when
registering a Product
BRKARC-2034 27

Enable Smart Software Licensing
Select:
Inventory
Click:
New Token
BRKARC-2034 28

Enable Smart Software Licensing
Provide:
ID Token Description
Decide:
Allow enablement of Export
Controlled functionality
(functionality varies by
product)
Note: Enabled by default if
Export Control is allowed for
this Smart Account
BRKARC-2034 29

Smart Licensing Product Registration
• Paste the “ID Token” created in your Smart Account directly into the CLI
<id token>
“ID Token” is copied from Smart Account either manually via Cisco API’s
 Can be used once – or multiple times
 Can be used on any or every Cisco product
 Can be created and revoked at any time
 Can be created and accessed via APIs
 Expires after a period of time (default is 30 days; Minimum of 1 day and a maximum of 365 days)
device> en
device# config t
device(config)# license smart enable
device(config)# end
device# license smart register idtoken <id token> device# license smart register idtoken <id token>
Hybrid Products Smart Only Products
BRKARC-2034 31

How to Enable the licenses you want to consume on
Enterprise Products
IOS XE Based Product Example
Product Specific Configuration Guides Found at: cisco.com/go/smartlicensing
Configure which licenses to enable • License boot level license_level
See Product specific Configuration guide for all options
BRKARC-2034 33

Smart Licensing Verification
• Verify licensing status
csr1kv# show license status
Tue Sep 29 07:34:36.023 PDT
Smart Licensing is ENABLED
Initial Registration: SUCCEEDED on Mon Sep 28 2017 21:55:46 PDT
Last Renewal Attempt: None
Registration Expires: Sun Dec 27 2017 11:49:40 PDT
License Authorization:
Status: AUTHORIZED on Mon Sep 28 2017 21:56:10 PDT
Last Communication Attempt: SUCCEEDED on Mon Sep 28 2017 21:56:10 PDT
Next Communication Attempt: Wed Oct 28 2017 21:56:10 PDT
Communication Deadline: Sun Dec 27 2017 11:49:16 PDT
csr1kv#
BRKARC-2034 40

Show License All (ASAv)
asa971# show license all
Smart Licensing Status
======================
Smart Licensing is ENABLED
Registration:
Status: REGISTERED
Smart Account: CISCO LIVE
Virtual Account: JLN-Sat
Export-Controlled Functionality: Allowed
Initial Registration: SUCCEEDED on Feb 08 21:24:22 2017 UTC
Last Renewal Attempt: None
Next Renewal Attempt: Mar 10 18:57:40 2017 UTC
Registration Expires: May 09 14:04:18 2017 UTC
License Authorization:
Status: OUT OF COMPLIANCE on Feb 08 21:24:34 2017 UTC
Last Communication Attempt: SUCCESS on Feb 08 21:24:34 2017 UTC
Next Communication Attempt: Feb 09 09:24:34 2017 UTC
Communication Deadline: May 09 14:04:18 2017 UTC
License Usage
==============
ASAv30 Standard - 2G (ASAv-STD-2G):
Description: ASAv30 Standard - 2G
Count: 1
Version: 1.0
Status: OUT OF COMPLIANCE
Product Information
===================
UDI: PID:ASAv,SN:9AJP2PTBH1L
Agent Version
=============
Smart Agent for Licensing: 1.6.4_rel/63
BRKARC-2034 41

Understanding Product
Licensing State

Smart License Product States
• Registered state
Product has been associated with a valid Smart Account
• Authorized state (In Compliance)
Product is using an entitlement, and the Virtual Account
does not have a negative balance
• Out of Compliance state
Product is using an entitlement, but the Virtual Account
has a negative balance
• Authorization expired state
Product has not communicated with
Cisco within a maximum of 90 days
Registered
State
Authorized
State
Out Of
Compliance
State
Authorization
Expired
Remains in state
while Smart
Account is OOC
Remains in state until
Product communicates
with Cisco
Un-
Registered
Failed
Register
Product
Consume
License
Note: Platforms may differ with timeouts, check with
specific platform for details
BRKARC-2034 43

Smart License Product States – Registered
• Initial registration
1. A Registration Message is sent when Product is registered
via CLI with a valid ID Token.
2. Cisco will reply with a Cryptograph ID certificate that,
by default, is valid for one year.
• If there is a failure sending the message the retry,
interval will be as follows:
• Every 15 minutes for 4 hours.
• Then every hour until successful, or
Smart License is disabled via CLI
Registered
State
Authorized
State
Out Of
Compliance
State
Authorization
Expired
Un-
Registered
Failed
Register
Product
Consume
License
BRKARC-2034 44

Smart License Product States – Licenses
• One a product has been successfully registered, it can be configured
to use an licenses via CLI
• A Entitlement Message is sent when Product is
configured to use licenses via CLI
• The Entitlement Response message will
1. Indicate if the Virtual Account is in or out of compliance
2. Provide the length of time the request is valid, and
the renewal interval.
• By default the Licenses usage is valid for 90 days,
and renewed every 30 days
Registered
State
Authorized
State
Out Of
Compliance
State
Authorization
Expired
Un-
Registered
Failed
Register
Product
Consume
License
BRKARC-2034 45

Entitlement Authorization Request or Renewal
• If there is a communications failure sending the
renewal, the retry interval will be as follows:
• If the agent is in the authorized state
Retry every 23 hours
• If agent is in the Out of Compliance (OOC) state
Retry every 15 minutes for two hours
Then once every 4 hours.
• If agent is in the authorization expired state
Retry once every hour.
• If there is NO communications within 90 days,
License usage is released and available
for use by other products
Registered
State
Authorized
State
Out Of
Compliance
State
Authorization
Expired
Un-
Registered
Failed
Register
Product
Consume
License
BRKARC-2034 46

Registration ID Certificate Renewal
• By default the Cryptograph ID certificate
• Valid duration (one Year) and renewal period is sent
in with the Registration Response message .
• The Cryptograph ID certificate
• Renewal will be sent every six months
• If there is a communications failure sending the
message, the retry interval will be as follows:
• One per hour until success
• Or until Cryptograph ID certificate expires.
• If there is NO communications within 1 year
• Device become “unregistered”
• Device must be re-registered
• Use any remaining evaluation time
Registered
State
Authorized
State
Out Of
Compliance
State
Authorization
Expired
Un-
Registered
Failed
Register
Product
Consume
License
BRKARC-2034 47

Go!
Deploying:
Smart License Enabled Products

Configure Smart
Licensing for Direct
Cloud Access
Method 1

Smart Call Home – High Level
• Smart Call Home (SCH) Server is located in a secure Cisco Data Centre
• Smart License (SL) messages reach SCH Server, they are sent to the Cisco SSM portal
• SL uses only the Call Home Client (Packet Delivery)
• Information is exchange using
HTTPS (TLS/SSL encryption
of data)
SmartAgent
HTTPS
Decision is made by the configuration
of the SCH configured “contact”
Smart
Product
CallHomeClient
SmartLicenseSmartCall
HomeServer
Cisco Smart
Software
Manager
Cisco Smart
Call Home
BRKARC-2034 51

Smart Call Home – Cisco Example Configs
• Service Active
Enable call-home service
• Contact-email-addr <email-address>
Contact email address is mandatory for sending SCH notifications. If it is configured as sch-smart-
licensing@cisco.com, the email address configured in Cisco Smart License Portal will be used
• Profile CiscoTAC-1
Call-home profile CiscoTAC-1 is configured to send Smart licensing message by default
• Active
Enables profile to be used
• destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
Configure HTTP destination address with service URL
• destination transport-method http
Change transport method to HTTP (this includes HTTPS)
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/callhome.html
BRKARC-2034 52

Smart Call Home – Smart Licensing Only
• Smart License does not require ALL of Smart Call Home
• Smart Call Home reporting CAN be disabled
• Smart License only uses the Call Home Client (Packet Delivery)
• When Smart Call Home reporting on the Product is not used,
• contact-email-addr must be configured as sch-smart-licensing@cisco.com
❌This is NOT an email address – it just looks like one
❌Inventory is not sent
❌Configuration information is not sent
❌Environmental conditions is not sent
❌Diagnostics to include syslog events is not sent
BRKARC-2034 53

Smart Call Home – Default CSR1000v
Configuration
service call-home
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
rate-limit 20
alert-group-config snapshot
data-privacy level normal
syslog-throttling
profile "CiscoTAC-1"
active
no anonymous-reporting-only
reporting smart-call-home-data
reporting smart-licensing-data
destination preferred-msg-format xml
destination message-size-limit 3145728
destination transport-method http
no destination transport-method email
destination address email callhome@cisco.com
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
Automatically added on Smart License enablement.
Do not change!
Note: No SCH email sent by default.
Here is where you limit data sharing:
data-privacy {level {normal | high} | hostname}
reporting no-call-home-data | Only hostname can be sent.
Not all products support call home data sharing.
Automatically added on Smart License enablement.
Do not change!
Authorized Backend Target
BRKARC-2034 54

Transport Gateway or Proxy
• Is Not Required
When
• Devices can send
messages directly to
cisco.com using HTTPS
• Encryption capabilities of
all managed devices meet
the customer's security
requirements
• Devices can send
messages directly to SSM
satellite
• Is Required When
• Managed devices do not
have direct access to
cisco.com
• A HTTP proxy server is
required to reach
cisco.com
• Store and Forwarding of
SCH messages
• Is Desirable When
• Needs to inspect traffic
on the LAN while securely
communicating over the
Internet
• Needs all outbound traffic
to be sourced from a
single device
BRKARC-2034 56

Deploying Transport Gateway –
Configuration Example
• Change HTTP destination address of CiscoTAC-1 profile to TG service URL.
asr9k#conf t
asr9k(config)#call-home
asr9k(config-call-home)#profile CiscoTAC-1
asr9k(config-call-home-profile)#no destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
asr9k(config-call-home-profile)#destination address http https://tg-server
asr9k(config-call-home-profile)#commit
asr9k(config-call-home-profile)#end
asr9k#
asr9k#show running-config call-home
call-home
profile CiscoTAC-1
destination address http https://tg-server
!
!
NOTE: The default destination to cisco must be removed when configuring when
using with proxy, or satellite
BRKARC-2034 57

Smart Software
Manager satellite
Method 3&4

Ideal for customers who want to manage their Cisco licenses locally or if their
Cisco products cannot reach Cisco directly
Offered as a secured on-premise IT Asset Management Application in two
forms: Classic Edition and Enhanced Edition
• Cisco devices and software products are registered with and report license
consumption directly via SSM satellite
• Provided at no additional cost
Cisco Smart Software Manager (SSM) satellite
SSM satellite Classic Edition:
• Targeted for small enterprises, labs, and
offline environments
• 89 day Sync Requirement
• Scales to 4,000 product instances
SSM satellite Enhanced Edition
• Targeted for medium and large
enterprises, service providers and
partners
• 364 day Sync Requirement
• Scales to 10,000 product instances
BRKARC-2034 59

 Single-tenancy - supports single Smart Account
 Each satellite is associated to only one Smart
Account/Multiple Virtual Account(s) at
cisco.com
 Custom UI with reduced set of capabilities and
options
 Only local user creation and authentication
supported
Single role (RBAC) for all local users
 Work equally well for online and offline mode
 Multi-tenancy - supports multiple Smart
Account(s)
 Each satellite account can be registered to any
eligible Smart Account/Virtual Account pair at
cisco.com
 Uses Cisco UI and work flows to keep
consistent look and feel
 Multiple authentication methods (OpenLDAP
and local users) supported and unique roles
(RBAC)
 Works in online and offline mode, although best
suited for online mode
SSM satellite Enhanced EditionSSM satellite Classic Edition
SSM satellite is a secure on-premise Asset Management Application provided free of charge.
BRKARC-2034 60

Feature
HA
DLC
3rd Party License Support
Backup Restore
HTTP Proxy Support
Interface Firewall Zone
Support
OpenLDAP
User Groups
License Hierarchy
Number of Devices
MSLA
Classic Edition
Yes
Yes
Yes
On-Box and VM
Snapshots
No
No
No
No
No
4000
Yes
Enhanced Edition
March
February
February
VM Snapshots Only
Yes
Yes
Yes
Yes
Yes
10,000
End of 2019
BRKARC-2034 62

Cisco Smart Software Manager satellite -
Installation
• Deploy the ISO into either a VM or bare metal
• Configure IP address (IPv4 and/or IPv6)
• Configure Netmask / Prefix
• Configure Default Gateway
• Configure DNS
• Connect to Administration portal via a browser
• Login as default “admin/CiscoAdmin!2345” user
• Change the admin’s default password
• Register Account(s) with Cisco Smart Account/Virtual Account
• Synchronize Account(s) with Cisco Smart Account(s)
BRKARC-2034 64

SSM satellite - Deployments
Smart Software Manager satellite can be deployed
in one of two modes:
 Connected
- Used when there is connectivity to cisco.com directly from the
Smart Software Manager satellite
- Cisco® Smart Account synchronization (optionally)
happens automatically
- Standard model for Enhanced Edition, easiest to deploy
 Disconnected
- Used when there is no connectivity to cisco.com from the
Smart Software Manager satellite
- Smart Account synchronization must be manually uploaded
and downloaded
Monthly
Inventory
Update
SSM satellite
Router
Switch
Firewall
Video
Unified Communications
Offline
Connected
Disconnected
BRKARC-2034 66

SSM satellite - Registration
• At registration there are 2 files exchanged between SSM satellite and Cisco
• Registration file (SSM satellite  Cisco)
• Authorization file (Cisco  SSM satellite)
• During normal operation, there are 2 different files exchanged between SSM satellite
and Cisco
• Sync Request file (SSM satellite  Cisco)
• Sync Response file (Cisco  SSM satellite)
• Auditable data sent by SSM satellite
• Information is in text (YAML formatted)
• You have the ability to inspect the data gathered!
BRKARC-2034 67

SSM satellite – Sync Request File Details
:sync: 2.0.0,
:version: 2.0.0
:id_cert: |- XXXXXXXXXXXXXXXXXX
:collector_id: 4cdd0470-e5e4-0132-a310-005056841670
:csr: |-
:last_sync: 2017-Jun-22 08:50:35 UTC
:last_generated: 2017-Jul-20 11:22:16 UTC
:virtual_accounts:
- :id: 101342
:name: Ross-1
:product_instances:
- :id: 2373d312-2cd8-4029-9517-8c60037cca8c
:registration_date: 2017-Jun-12 07:25:40 UTC
:last_contact_date: 2017-Jul-02 06:13:47 UTC
:is_active: true
:software_tag_identifier: regid.2013-08.com.cisco.CSR1000V,1.0_1562da96-9176-4f99-a6cb-14b4dd0fa135
:udi_pid: CSR1000V
:hostname: CSR-1000v
:ip_address:
:mac_address:
:udi_serial_number: 97YZFA9VYJK
:host_identifier:
:licenses:
- :tag_id: 1146
:tag: regid.2014-05.com.cisco.ax_2500M,1.0_3e0288f3-4838-47c2-93a8-3d8743850f0c
:consumed_quantity: 1
NOTE: hostname is sent by default, to disable sending
the hostname, configure:
cfg-call-home# data-privacy hostname
Information Collected Required?
Trusted Unique Identifier
(SUDI/SUVI/ID)
Yes
Licenses Consumed Yes
Organisation Identifier Yes
Hostname No
AAA ID of User Making Change No
Feature Tags No
Other Smart Call Home Information No
BRKARC-2034 71

Cisco Smart Software Manager satellite
• HTTP/HTTPS communication:
• Products communicating with SSM satellite via HTTPS use one of two Cisco signed certificates
dependent on the smart agent version

• Agent version can be seen with “show license all”
• Check to make sure that the time is correct on the SSM satellite and product.
Older Products:
• Smart Agent versions prior to 1.5
• Use a 3-tier certificate
• Must wait 10 business days for Cert to
be available and synchronized
Newer Products:
• Smart Agent versions 1.5 and later
• Use a 4-tier certificate
• Can be registered with no delay
BRKARC-2034 77

How do I deploy products with CSSM satellite?
• Products register to satellite the exact the same way as with Cisco
• Change the ‘Authorized Backend Address’ (See product documentation)
• Example for IOS Devices:
profile CiscoTAC-1
Active
# Configure HTTP destination address with service URL
destination address http https://<satellite_ip_address>/Transportgateway/services/DeviceRequestHandler
BRKARC-2034 78

Key Features in SSM satellite Classic Edition
Networking Support
• IPv4 and IPv6 support
• Dual-NIC: separate interfaces for network management and product instance registrations.
Security Enhancements:
• FIPS 140-2 Certification (Version 4.2)
Key License Features
• High Availability Support
• Backup Restore of Database and System Configs
• Device Led Migration
Sync Intervals
• Adjustable 30-day Synchronization Schedule
• Allow satellite to functions as long as it synchronizes with Cisco once every 3 months
• Scalability
• 4K product instances, 1 Smart Account
BRKARC-2034 81

SSM satellite Classic Edition Requirements
• The Free installation package is available in a number of formats
• ISO installable via Bootable Media
SSM satellite Classic Edition
Application
(Centos 7)
ISO
System Requirements
(Customer Provided):
Minimum MSLA
200 GB Hard Disk 300 GB Hard Disk
8GB Memory 8GB Memory
4 vCPUs 4 vCPUs
4000 products 4000 products
BRKARC-2034 82

SSM satellite Classic Edition– Single Workspace
• Simplified UI for satellite
administration
• Limited features as compared
to CSSM and SSM satellite
Enhanced Edition
• Single Cisco Smart Account
support
• Multiple Cisco Virtual Accounts
supported
https://<ip-address>:8443
BRKARC-2034 84

Create and
delete users
Run a report to
show usage
vs.
consumption
and export it to
CSV or an
Excel file
Synchronize to
the latest copy
on what
licenses are
being used vs.
what has been
purchased
View
information in
virtual
accounts from
CSSM that are
associated
with SSM
satellite
Create a “ID
Token” from
SSM satellite
and use it to
enable the
product to be
registered
SSM satellite Classic Edition– Features
Register product
instances
View the list of
virtual accounts
Set up
synchronization
schedules
Reports for virtual
accounts
Manage users
BRKARC-2034 85

SSM Satellite Classic Edition – Synchronization
• SSM satellite should synchronize with Cisco every 30 days
• Automatic if network attached (online mode)
• By manual file transfers if disconnected (offline mode)
• SSM satellite must synchronize with Cisco within 89 days.
• After 89 days without synchronization;
• MUST be reinstalled using a NEW instance of SSM satellite
• All product instances are removed
• All ID tokens are expired
• Products will not be able to communicate with the original SSM satellite
• Products will need to be re-registered
BRKARC-2034 91

CSSM satellite HA Deployment Configurations
Firewall
(NAT)
DNS
Server
Internet
CSR1kvCSR1kvCSR1kvCSR1kvCSR1kvCSR1kvCSR1kvCSR1kvCSR1kvCSR1kv
IPv4 (or IPv6) Management Network
Proxy
X
satellite
TomcatZabbix
Active
MariaDB
Corosync
Pacemaker
DRDB
satellite
TomcatZabbix
Standby
MariaDB
Corosync
Pacemaker
DRDB
BRKARC-2034 93

SSM satellite – HA Data Replication
File system
DRBD (module)
TCP
NIC driver
Block
Driver
Replicated Volume
File system
DRBD (module)
TCP
NIC driver
Block
Driver
Service Address
VIP Address
10.1.1.2 10.1.1.3
10.1.1.1
Cluster Manager
Resource Monitor
DRBD Master Standby
Sync
Corosync
Pacemaker
Satellite Services
Tomcat
MariaDB
Zabbix DRBD
Tomcat
MariaDB Zabbix
DRBD
BRKARC-2034 98

SSM satellite Classic Edition – MSLA (Utility)
• Managed Service License Agreement (MSLA)
BRKARC-2034 102

MSLA – Customer Checklist
• Identify/Create Smart Account and satellite Virtual Account(s) – New
customer.
• Identify billing and service locations to determine the Subscription IDs
setup – New customer.
• Install Smart Software Manager satellite Classic Edition 5.0.1 (or later)
• Ensure CSRv has a minimum version – 16.9.1
• Enable utility on the product instances with CLI:
• “license smart utility”
• Ensure subscription SKUs are added to your Smart Account
• Register the product instances with SSM satellite Classic Edition
103BRKARC-2034

SSM satellite Enhanced Edition - Key Features
BRKARC-2034
Multi-tenancy: Manage multiple customer Smart Accounts in a single management portal
• Administration Workspace only accessible by System Admin and System Operators
• Licensing portal is for Smart Licensing and Administration.
• Multiple levels of RBAC (Admin, Operator, User)
• User Authentication Control: LDAP or OAuth2
Security Enhancements:
• CentOS 7 Security Harden Kernel
• Separate Workspace for Licensing and Administration:
Networking Support
• IPv4 and IPv6 support
• Multi-NIC: multiple interfaces for traffic separation between network management and product instance registrations.
Proxy support: Allow for satellite to have a proxy between itself and Cisco Smart Software Manager for traffic separation
• Firewall Zones: Ability to configure interfaces for Internal (access) or External (no access)
System Alerts and Notifications
• Email Support for notation of License Events
• Syslog support: Account events can be configured to be sent to a syslog server
106

SSM satellite Enhanced Edition - Key Features
BRKARC-2034
Longer Sync Intervals
• Native 365-day Synchronization Schedule
• Allow satellite to functions as long as it synchronizes with Cisco once a year.
New License Features
• License AppHA: Allows for the reporting of a single license usage for both standby and active Applications
• License Hierarchy: Enable borrowing of a higher-tier license to be fulfilled when a lower tier license is not
available
API Support
• API Support for automation of product deployment
• Resource and Owner credentials grant supported
• 5 major API groups for over 15 unique APIs
Improved Scalability
• 500+ accounts
• 10,000 Product Instances
• Active development in progress to increase scale
107

SSM satellite Enhanced Edition - Requirements
• The Free installation package is available in a number of formats
• ISO installable via Bootable Media
BRKARC-2034
SSM satellite Enhanced Edition
Containers
(Centos 7)
ISO
License/Admin
PortalsLicense Services
Crypto Services
Database
System Requirements
(Customer Provided):
Minimum Recommended
200 GB Hard Disk 200 GB Hard Disk
8GB Memory 8GB Memory
2 vCPUs 4 vCPUs
4000 products 10000 products
108

SSM satellite Enhanced Edition - Workspace
Licensing Portal User Interface
• Similar to CSSM “Smart Licensing”
• Similar to CSSM “Manage Smart Account"
• Licensing & Administration Workspace
Administration Portal User Interface
• Administration of System configuration
• Administration of Users and Accounts
https://<ip-address>:8443 https://<ip-address>:8443/admin
BRKARC-2034 110

• All Users:
• Can be local, or authenticated with an
external system
• Local users have preference over
authenticated users
• Are not required to have Cisco CCO
Accounts
• Must have access to Smart Account
Admin access at Cisco to create local
satellite account
Administration Workspace - System RBAC
• System Admin
• Full System access
• Access to all Account(s)
• System Operator (restricted)
• No ability to change system configurations
• System User (restricted)
• Limited to License Workspace Only
BRKARC-2034 113

Administration Workspace
• All Accounts map to a Smart Account/Virtual Account
• Customer requests account; email alert is sent to System Admin(s)
• System Admin performs account creations and grants user Access
• Flexible Account Setup models
• Single Smart Account mapping to Multiple satellite Accounts
• Multiple Smart Account mapping to Multiple satellite Accounts
BRKARC-2034 114

Example: Satellite Accounts to Single Smart
Account
Virtual Account
Virtual Account
Virtual Account
Department 1
Department 2
Department 3
Accounts
Licensing Workspace
SSM satellite BigU.edu
software.cisco.com
BRKARC-2034 115

Example: Satellite Accounts to Multiple Smart
Account
software.cisco.com
BigU.eduVirtual Account
Virtual Account
Virtual Account
Customer 1
Customer 2
Customer 3
Accounts
Licensing Workspace
SSM satellite
SmallU.edu
MediumU.edu
BRKARC-2034 116

• SSM satellite should synchronize with Cisco every 30 days
• Automatic if Network Attached
• By manual file transfers in disconnected Mode
• SSM satellite must synchronize with Cisco within 364 days.
• After 364 days without synchronization;
• A new Account MUST be registered with Cisco
• All product instances in the Account are removed
• All ID Tokens in the Account are expired
• Products will need to be re-registered
BRKARC-2034 117

• Smart Account APIs
• Account Search
• Validate User Access API
• Virtual Accounts APIs
• Create Local Virtual
Account
• Delete Local Virtual
Account
• List Local Virtual
Accounts
• License APIs
• Smart License Usage
• License Subscriptions
Usage
• Transfer Licenses
• Smart License Alerts
• List Alerts
• Token APIs
• Create Tokens
• List Tokens
• Revoke Tokens
• Device APIs
• Product Instance Usage
• Product Instance Search
• Product Instance Transfer
• Product Instance Remove
BRKARC-2034 122

• The Smart Account must be authorized for License Reservation
• Must have enough available licenses (Over subscription is not allowed)
• Smart Account must be authorized for any Export Restricted Functionality
Introduction to License Reservation
Permanent License Reservation
• All features are enabled
• Cost premium
• Some products will not support PLR
Specific License Reservation
• Only featured owned can be reserved
• At no additional cost
• Not all products support SLR (yet)
BRKARC-2034 127

Permanent License Reservation
BRKARC-2034
• Manually exchange short ASCII strings with CSSM
• Two way data exchange via ASCII strings
• Product Request (UDI/vUDI, etc.) entered into CSSM (~ 32 characters*)
• CSSM returns an authorization locked to UDI/vUDI (34 characters)
• Entitles unlimited license consumption on product
Get UDI/vUDI
Request
Type Auth String
CSSM
1
3
4
Get Auth String
2
Type UDI/vUDI
Request
• Length will vary by product – 31 for new version of ASAv 128

Specific License Reservation
BRKARC-2034
• Manually exchange information (copy and paste) with CSSM
• Two way data exchange via ASCII strings
• Product Request (UDI/vUDI, etc.) entered into CSSM
• Requested licenses and quantities chosen in CSSM
• CSSM returns an authorization locked to UDI/vUDI
• Entitles specific license consumption on product
Get UDI/vUDI
Request
Choose Licenses
Paste Auth String
CSSM
Type or Paste
Request String
Copy Auth String
1
3
5
2
4
130

License Reservation Summary
• PLR has a price premium because it enables all features on the product
whether you want them or not
• Not available on all products
• Node lock (cannot transfer licenses if it’s already in use)
• RMAs can be a challenge if you cannot get the return code off the box
• Changing SLR entitlements can be difficult
BRKARC-2034 132

Smart License is here today!
Key decisions you need to make...
• All Cisco Products are
moving to Smart Licensing
• Smart Account is not
option
• You will need it to register
products?
• Who needs to approve your
Smart Account creation?
• Smart Accounts are not
Optional!
• Products may have limited
functionality until registered!
• Determine ”Span of
Control”
• Who will manage the
Smart Account?
• Partner Managed?
• Central Managed?
• Distributed Managed?
• Who will manage the
Smart License?
• Who do I get the <id token>
from?
• What's your network
access policy?
• What product telemetry
method(s) will you use?
• Will you need a Smart
Software Manager
satellite? How many?
Locations?
Smart Account Virtual Accounts Product Telemetry
Get Ready! Get Set! Go!
BRKARC-2034 134

Determining the best Method to Use
• Method 1 & 2
• Device has Direct Network Access
• Simplest to Deploy and Use
• Method 3 & 4
• Device has Intermediate Network Access
• One line change to Product Configuration
• Method 5
• Device has No Network Access
• Similar to PAK Files
BRKARC-2034
Cisco Product
HTTPs
TransportGateway
or HTTPs Proxy
HTTPs
Your
Cisco
Software
Usage
Your
Cisco
Software
Usage
Your
Cisco
Software
Usage
Your
Cisco
Software
Usage
Cisco.com
Cisco.com
Cisco.comSmart Software
Manager satellite
Cisco.com
Request License
License Response
Copy/Paste
Cisco Product
Cisco Product
Cisco Product
135

Questions?
BRKARC-2034 136

For More Information – Cisco SSM Satellite
BRKARC-2034
Cisco® Smart Licensing
www.cisco.com/go/smartlicensing
(http://www.cisco.com/c/en/us/products/abt_
sw.html)
Cisco® Smart Software Manager
www.cisco.com/go/smartsatellite
(http://www.cisco.com/web/ordering/smart-
software-manager/smart-software-manager-
satellite.html)
Cisco® Smart Accounts
www.cisco.com/go/smartaccounts
(http://www.cisco.com/web/ordering/smart-
software-manager/smart-accounts.html)
137

For More Information – Cisco Smart Call Home
• For more Information on Cisco® Smart Call Home
• For more Information on Cisco® Transport Gateway
BRKARC-2034
User Guide
http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/smart_call_home/user_guides/SCH_Ch4.pdf
Troubleshooting Guide
http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/smart_call_home/user_guides/SCH_Ch5.pdf
Smart Call Home
http://www.cisco.com/c/en/us/support/cloud-systems-management/smart-call-home/tsd-products-support-
series-home.html
Cisco Privacy and Security Compliance
http://www.cisco.com/web/about/doing_business/legal/privacy_compliance/index.html
138

Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
Find this session in the Cisco Events Mobile App
Click “Join the Discussion”
Install Webex Teams or go directly to the team space
Enter messages/questions in the team space
How
1
2
3
4
cs.co/ciscolivebot#BRKARC-2034
BRKARC-2034 139

• Please complete your Online Session Evaluations
after each session
• Complete 4 Session Evaluations & the Overall
Conference Evaluation (available from Thursday) to
receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events
Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing
on-demand after the event at CiscoLive.cisco.com/Online.
Complete your online session evaluation
BRKARC-2034 140

Demos in
the Cisco
Showcase
Walk-in
self-paced
labs
Meet the
engineer
1:1
meetings
Related
sessions
Continue Your Education
BRKARC-2034 141

Brkarc 2034 smart-licensing

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Brkarc 2034 smart-licensing

Semelhante a Brkarc 2034 smart-licensing (20)

Mais de Michael Ganschuk

Mais de Michael Ganschuk (18)

Último

Último (20)

Brkarc 2034 smart-licensing