Brkarc 2034 smart-licensing
Agenda
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
• Get Ready!
• Smart Licensing Overview
• Smart Licensing Communications
• Get Set!
• Product Licensing Work Flow
• Product Licensing States
• Go!
• Deploying Smart License Enabled Products
• Conclusion
BRKARC-2034
In this session, you will learn about deploying Cisco products using Cisco’s latest product licensing
vision. Come learn the foundational concepts you need as you deploy and configure
Smart Software Licensing for Cisco products. Together, we will go over the various scenarios you
might deploy Smart License enabled products in connected and mediated networks.
For mediated (disconnected) networks, we will present an overview of the Cisco Smart Software
satellite, and how product configuration differs when used. By moving to an ISO-19770 Software
Asset Management (SAM) solution, Cisco Smart Software Licensing simplifies the deployment of
Cisco products focusing on usage (what and how many) and not enforcement. With Cisco Smart
Software Licensing say “goodbye” to Product Activation Keys (PAKs) and License files!
It is recommended that the student is familiar with Smart Licensing before taking this session.
BRKARC-2010 (Smart Accounts and Smart Licensing)
https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=93760&backBtn=true
Acronym Decoder
• CSR – Certificate Signing Request
• CSSM or SSM – Cisco Smart Software Manager
• DLC – Device Led Conversion
• DNS – Domain Name Server
• FQDN – Fully Qualified Domain Name
• LCS – License Crypto-Module Support
• LVA – Local Virtual Accounts
• MSLA – Managed Service License Agreements (Utility)
• OOC – Out of Compliance
• PI – Product Instances
• PIDs – Product IDs
• PLR – Permanent License Reservation
• SA – Smart Account
• SBP – Subscription Billing Platform
• SCH – Smart Call-Home
• SKU – Stock Keeping Units
• SLR – Specific License Reservation
• TPL – Third (3rd) Party Licensing
• UUID – Universally Unique Identifier
• VA – Virtual Accounts
Cisco Software Central – software.cisco.com
[Figure: portal tiles labelled Software License Tools, Smart Account Management, Manage, Downloads and Upgrade Products, Ordering and EULA Tools, Network Plug and Play]
What is Cisco Smart Licensing?
• Cisco Smart Licensing is a new way of thinking about licensing at Cisco that is being applied to all products
• Instead of DRM or Node Locked licensing – it's a Software Inventory Management System
• Provides Customers, Cisco, and Selected Partners with information about Software Ownership and Software Utilization
[Figure: ownership and usage messages for BigU.edu]
• Ownership, Commerce (CCW) to ‘Smart’ Account: “I Have Purchased 5 additional ‘Advanced’ Licenses for [big-u.edu]”
• Usage, Cisco Product to ‘Smart’ Account: “Hello, I am Device-East5, I belong to [big-u.edu] and I am using 1x License”
• ‘Smart’ Account to Cisco Product: “Hello, Device-East5 from [big-u.edu], you are ‘In-Compliance’”
• BigU.edu: I Own: 10, I am Using: 10
What is a Smart Account
Architected as a “container” - for more than licenses
• User Based Access: Customer, partner, or other authorized party for control of organizational assets.
• Asset Pooling: Pool assets, user roles and agreements for visibility of company license entitlements.
• Manage Services and Subscriptions: Manage service contracts and subscriptions, and download new software.
• Track Purchases: Review purchases of Cisco Software entitlements and allocate new resources.
• Review Cases: Manage cases open with Cisco TAC and Cisco Support.
[Figure: timeline labelled Today and Future]
Smart Account – Overview
• A Smart Account is a single place where Customers can obtain visibility to their software and entitlements.
• Information associated with a Smart Account includes
  • User roles
  • Licenses
  • Devices
  • Agreements the customer has with Cisco.
• These assets can be further divided into “Virtual accounts” that might represent departments, cost centers or locations within the company. Organize it according to your business.
[Figure: bigu.edu Smart Account containing Users & Roles, Licenses, Devices, Agreements]
Smart Account Structure
What is in the Smart Account?
• Customer Smart Account: You can USE but not TRANSFER licenses between SAs
  Account where devices leveraging PAK licenses, Smart Licenses, and licenses generated from EAs are stored and managed by a customer, channel partner, or authorized party
  [Figure: bigu.edu Smart Account (Users & Roles, Licenses, Devices, Agreements) with Virtual Accounts Admissions, Physics, Science]
• Partner Holding: You can TRANSFER but not USE a license
  Account where partners / distributors can temporarily deposit orders until the end customer Smart Account is identified. Also provides company-wide access to orders associated with the Holding Account.
Smart Accounts – Virtual Accounts
• Assets are represented as company owned allowing effortless sharing across your enterprise
• Share devices and licenses across virtual accounts easily.
• Create sub-accounts to reflect organization’s construct.
[Figure: bigu.edu Smart Account (Users & Roles, Licenses, Devices, Agreements) with Virtual Accounts Admissions, Physics, Chemistry]
Smart Accounts – Virtual Accounts
• You can create virtual accounts that reflect your organization’s departments then associate licenses and devices with those departments.
[Figure: bigu.edu Smart Account (Users & Roles, Licenses, Devices, Agreements) with Virtual Accounts Admissions, Physics, Chemistry]
Overall Cisco Licenses
Warning and Notifications -25
Major Alert: Insufficient licenses – 25 needed to return to compliance
License | Quantity | In Use | Surplus
1900-WAN-Collab-Suite | 300 | 325 | -25
1900-Threat-Defense-Suite | 500 | 425 | +75
Track and Transfer Devices
ISR1900 | Chemistry A | Transfer
ISR1900 | Chemistry B | Remove
Products, Agents and a Backend
[Figure: Products (Router, Switch, Firewall, Unified Communications) each carry a Smart Licensing Agent (SL) in their software and report to an Authorized Backend: the Cisco Smart Software Manager at cisco.com, or an optional Cisco Smart Software Manager satellite]
Cisco Authorized Backend
Cisco.com (Direct Connection)
• Cisco Products communicate by default (out of the box) with Smart Software Manager
• Simplest method
SSM satellite (On Premise)
• Cisco Products communicate with SSM satellite the same way they do with Smart Software Manager
• Connected and Disconnected modes supported
• Information is exchanged in Text (YAML formatted)
[Figure: Cisco Smart Software Manager and Cisco Smart Software Manager satellite; CentOS 7 (Hardened)]
Methods of Communication
The Cisco Product is configured to use Smart Licensing at install/provisioning time. Direct cloud access is the default option.
• Direct cloud access (default)
  Cisco product sends usage information directly over the internet. No additional components are needed.
Options
• Access through an HTTP proxy
  Cisco Products send usage information over the internet via a Proxy Server. Any off-the-shelf Proxy will work.
• Access Through On-Premise License Management
  Cisco products send usage information to a locally installed satellite. Periodically, the satellite exchanges information with Cisco to stay in sync. This synchronization can occur automatically in connected environments or manually in disconnected environments.
• Full Offline Access – License Reservation
  Use copy/paste of information between product and Cisco.com to manually check in and out licenses. Functionally equivalent to current node locking, but with Smart License tracking.
[Figure: the methods arranged along an “Ease of use” axis. Each Cisco Product sends Usage Info: over HTTPS to Cisco.com, over HTTPS through an HTTP Proxy to Cisco.com, or to a Cisco Satellite that exchanges data with Cisco.com over HTTPS or by File Transfer; License Reservation uses Copy / Paste of a Request License and License Response with Cisco.com. Slide callouts: “Available Today for all products!” and “Limited Availability”.]
Telemetry
Smart Licensing requires the following minimal exchange of information during install/provision.
Element | Required
Trusted Unique Identifier (SUDI/SUVI/ID) | Yes
Licenses Consumed | Yes
Organization Identifier (ID Token) | Yes
Hostname | No
Other Smart Call Home Information | No
Level of optional elements is fully configurable on products and/or satellite
[Figure: the product reports over HTTPS to an On Premises satellite/Proxy or to Cisco Smart Software Manager, or works Offline; Cisco checks Licenses, Device IDs and Business Rules, then authorizes use]
Smart Product Telemetry & Visibility
• Industry Standard HTTPS (SSLv3*/TLS)
• Protects User’s Privacy!
• HTTP over TLS used for Transport encryption
• Telemetry sent to Cisco is User Configurable
• Smart Call Home Information is optional
• Smart License Information is minimal
• Auditable Telemetry sent by SSM satellite
• You have the right to inspect the data gathered
• License Information is in Text (YAML formatted)
* Newer products only use TLS
Smart Licensing User Workflow
[Figure: Device/Product Registration workflow]
• Customer Smart Account identified (Users & Roles, Licenses, Devices, Agreements)
• Steps: Device/Product started; for a Hybrid Product, Enable Smart Licensing; Create/Copy Registration ID Token from CSSM; Enter Register command/GUI with ID Token; Platform uses feature & reports usage to CSSM
• SL states shown along the way: Un-configured, Un-identified, Registered
• In-Compliance (Authorized): Have more licenses than being used
• Out-of-Compliance: Using more licenses than entitled to
What is Cisco Smart Licensing – ID Tokens
Used to securely Register products to a Smart Account and Virtual Account
ID Tokens are an “organizational identifier” used to establish ‘identity’ when registering a Product
An ID Token:
• Can be used once – or reused multiple times
• Can be created and revoked at any time
• Expires after a period of time (default is 30 days; Minimum of 1 day and a maximum of 365 days)
An ID Token is NOT:
• Product specific
• Licenses or keys or PAKs
• “one-time use”
• Stored on the Cisco Product
• Needed after the product is registered
Enable Smart Software Licensing
Select: Inventory
Click: New Token
Enable Smart Software Licensing
Provide: ID Token Description
Decide: Allow enablement of Export Controlled functionality (functionality varies by product)
Note: Enabled by default if Export Control is allowed for this Smart Account
Smart Licensing Product Registration
• Paste the “ID Token” created in your Smart Account directly into the CLI
• “ID Token” is copied from Smart Account either manually or via Cisco APIs
• Can be used once – or multiple times
• Can be used on any or every Cisco product
• Can be created and revoked at any time
• Can be created and accessed via APIs
• Expires after a period of time (default is 30 days; Minimum of 1 day and a maximum of 365 days)
Hybrid Products:
device> en
device# config t
device(config)# license smart enable
device(config)# end
device# license smart register idtoken <id token>
Smart Only Products:
device# license smart register idtoken <id token>
How to Enable the licenses you want to consume on Enterprise Products
IOS XE Based Product Example
• Configure which licenses to enable: license boot level license_level
See Product specific Configuration guide for all options
Product Specific Configuration Guides Found at: cisco.com/go/smartlicensing
Smart Licensing Verification
• Verify licensing status
csr1kv# show license status
Tue Sep 29 07:34:36.023 PDT
Smart Licensing is ENABLED
Initial Registration: SUCCEEDED on Mon Sep 28 2017 21:55:46 PDT
Last Renewal Attempt: None
Registration Expires: Sun Dec 27 2017 11:49:40 PDT
License Authorization:
Status: AUTHORIZED on Mon Sep 28 2017 21:56:10 PDT
Last Communication Attempt: SUCCEEDED on Mon Sep 28 2017 21:56:10 PDT
Next Communication Attempt: Wed Oct 28 2017 21:56:10 PDT
Communication Deadline: Sun Dec 27 2017 11:49:16 PDT
csr1kv#
Show License All (ASAv)
asa971# show license all
Smart Licensing Status
======================
Smart Licensing is ENABLED
Registration:
Status: REGISTERED
Smart Account: CISCO LIVE
Virtual Account: JLN-Sat
Export-Controlled Functionality: Allowed
Initial Registration: SUCCEEDED on Feb 08 21:24:22 2017 UTC
Last Renewal Attempt: None
Next Renewal Attempt: Mar 10 18:57:40 2017 UTC
Registration Expires: May 09 14:04:18 2017 UTC
License Authorization:
Status: OUT OF COMPLIANCE on Feb 08 21:24:34 2017 UTC
Last Communication Attempt: SUCCESS on Feb 08 21:24:34 2017 UTC
Next Communication Attempt: Feb 09 09:24:34 2017 UTC
Communication Deadline: May 09 14:04:18 2017 UTC
License Usage
==============
ASAv30 Standard - 2G (ASAv-STD-2G):
Description: ASAv30 Standard - 2G
Count: 1
Version: 1.0
Status: OUT OF COMPLIANCE
Product Information
===================
UDI: PID:ASAv,SN:9AJP2PTBH1L
Agent Version
=============
Smart Agent for Licensing: 1.6.4_rel/63
Smart License Product States
• Registered state
  Product has been associated with a valid Smart Account
• Authorized state (In Compliance)
  Product is using an entitlement, and the Virtual Account does not have a negative balance
• Out of Compliance state
  Product is using an entitlement, but the Virtual Account has a negative balance
• Authorization expired state
  Product has not communicated with Cisco within a maximum of 90 days
[Figure: state diagram with states Un-Registered, Registered, Authorized, Out Of Compliance and Authorization Expired, and transitions Register Product, Failed and Consume License. Out Of Compliance: remains in state while Smart Account is OOC. Authorization Expired: remains in state until Product communicates with Cisco.]
Note: Platforms may differ with timeouts, check with specific platform for details
Smart License Product States – Registered
• Initial registration
  1. A Registration Message is sent when Product is registered via CLI with a valid ID Token.
  2. Cisco will reply with a Cryptograph ID certificate that, by default, is valid for one year.
• If there is a failure sending the message, the retry interval will be as follows:
  • Every 15 minutes for 4 hours.
  • Then every hour until successful, or Smart License is disabled via CLI
Smart License Product States – Licenses
• Once a product has been successfully registered, it can be configured to use licenses via CLI
• An Entitlement Message is sent when Product is configured to use licenses via CLI
• The Entitlement Response message will
  1. Indicate if the Virtual Account is in or out of compliance
  2. Provide the length of time the request is valid, and the renewal interval.
• By default the License usage is valid for 90 days, and renewed every 30 days
Entitlement Authorization Request or Renewal
• If there is a communications failure sending the renewal, the retry interval will be as follows:
  • If the agent is in the authorized state: Retry every 23 hours
  • If agent is in the Out of Compliance (OOC) state: Retry every 15 minutes for two hours, then once every 4 hours.
  • If agent is in the authorization expired state: Retry once every hour.
• If there is NO communications within 90 days, License usage is released and available for use by other products
Registration ID Certificate Renewal
• By default, the Cryptograph ID certificate valid duration (one year) and renewal period are sent in the Registration Response message.
• The Cryptograph ID certificate renewal will be sent every six months
• If there is a communications failure sending the message, the retry interval will be as follows:
  • Once per hour until success
  • Or until Cryptograph ID certificate expires.
• If there is NO communications within 1 year
  • Device becomes “unregistered”
  • Device must be re-registered
  • Use any remaining evaluation time
Smart Call Home – High Level
• Smart Call Home (SCH) Server is located in a secure Cisco Data Centre
• When Smart License (SL) messages reach the SCH Server, they are sent to the Cisco SSM portal
• SL uses only the Call Home Client (Packet Delivery)
• Information is exchanged using HTTPS (TLS/SSL encryption of data)
[Figure: inside the Smart Product, the Smart Agent uses the Call Home Client to reach the Smart Call Home Server over HTTPS; the server passes Smart License traffic to Cisco Smart Software Manager and Smart Call traffic to Cisco Smart Call Home. Decision is made by the configuration of the SCH configured “contact”.]
Smart Call Home – Cisco Example Configs
• service active
  Enable call-home service
• contact-email-addr <email-address>
  Contact email address is mandatory for sending SCH notifications. If it is configured as sch-smart-licensing@cisco.com, the email address configured in Cisco Smart License Portal will be used
• profile CiscoTAC-1
  Call-home profile CiscoTAC-1 is configured to send Smart licensing message by default
• active
  Enables profile to be used
• destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  Configure HTTP destination address with service URL
• destination transport-method http
  Change transport method to HTTP (this includes HTTPS)
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/callhome.html
Smart Call Home – Smart Licensing Only
• Smart License does not require ALL of Smart Call Home
• Smart Call Home reporting CAN be disabled
• Smart License only uses the Call Home Client (Packet Delivery)
• When Smart Call Home reporting on the Product is not used, contact-email-addr must be configured as sch-smart-licensing@cisco.com
❌This is NOT an email address – it just looks like one
❌Inventory is not sent
❌Configuration information is not sent
❌Environmental conditions are not sent
❌Diagnostics, including syslog events, are not sent
Smart Call Home – Default CSR1000v Configuration
service call-home
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 rate-limit 20
 alert-group-config snapshot
 data-privacy level normal
 syslog-throttling
 profile "CiscoTAC-1"
  active
  no anonymous-reporting-only
  reporting smart-call-home-data
  reporting smart-licensing-data
  destination preferred-msg-format xml
  destination message-size-limit 3145728
  destination transport-method http
  no destination transport-method email
  destination address email callhome@cisco.com
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
Slide callouts:
• Automatically added on Smart License enablement. Do not change! (callout appears twice on the slide)
• Note: No SCH email sent by default.
• Here is where you limit data sharing:
  data-privacy {level {normal | high} | hostname}
  reporting no-call-home-data | Only hostname can be sent.
  Not all products support call home data sharing.
• Authorized Backend Target
Transport Gateway or Proxy
• Is Not Required When
  • Devices can send messages directly to cisco.com using HTTPS
  • Encryption capabilities of all managed devices meet the customer's security requirements
  • Devices can send messages directly to SSM satellite
• Is Required When
  • Managed devices do not have direct access to cisco.com
  • A HTTP proxy server is required to reach cisco.com
  • Store and Forwarding of SCH messages
• Is Desirable When
  • Needs to inspect traffic on the LAN while securely communicating over the Internet
  • Needs all outbound traffic to be sourced from a single device
Deploying Transport Gateway – Configuration Example
• Change HTTP destination address of CiscoTAC-1 profile to TG service URL.
asr9k#conf t
asr9k(config)#call-home
asr9k(config-call-home)#profile CiscoTAC-1
asr9k(config-call-home-profile)#no destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
asr9k(config-call-home-profile)#destination address http https://tg-server
asr9k(config-call-home-profile)#commit
asr9k(config-call-home-profile)#end
asr9k#
asr9k#show running-config call-home
call-home
profile CiscoTAC-1
destination address http https://tg-server
!
!
NOTE: The default destination to Cisco must be removed when configuring for use with a proxy or satellite
Cisco Smart Software Manager (SSM) satellite
Ideal for customers who want to manage their Cisco licenses locally or if their Cisco products cannot reach Cisco directly
Offered as a secured on-premise IT Asset Management Application in two forms: Classic Edition and Enhanced Edition
• Cisco devices and software products are registered with and report license consumption directly via SSM satellite
• Provided at no additional cost
SSM satellite Classic Edition:
• Targeted for small enterprises, labs, and offline environments
• 89 day Sync Requirement
• Scales to 4,000 product instances
SSM satellite Enhanced Edition:
• Targeted for medium and large enterprises, service providers and partners
• 364 day Sync Requirement
• Scales to 10,000 product instances
Cisco Smart Software Manager (SSM) satellite
SSM satellite is a secure on-premise Asset Management Application provided free of charge.
SSM satellite Classic Edition
• Single-tenancy - supports single Smart Account
• Each satellite is associated to only one Smart Account/Multiple Virtual Account(s) at cisco.com
• Custom UI with reduced set of capabilities and options
• Only local user creation and authentication supported
• Single role (RBAC) for all local users
• Works equally well for online and offline mode
SSM satellite Enhanced Edition
• Multi-tenancy - supports multiple Smart Account(s)
• Each satellite account can be registered to any eligible Smart Account/Virtual Account pair at cisco.com
• Uses Cisco UI and work flows to keep consistent look and feel
• Multiple authentication methods (OpenLDAP and local users) supported and unique roles (RBAC)
• Works in online and offline mode, although best suited for online mode
Cisco Smart Software Manager (SSM) satellite
Feature | Classic Edition | Enhanced Edition
HA | Yes | March
DLC | Yes | February
3rd Party License Support | Yes | February
Backup Restore | On-Box and VM Snapshots | VM Snapshots Only
HTTP Proxy Support | No | Yes
Interface Firewall Zone Support | No | Yes
OpenLDAP | No | Yes
User Groups | No | Yes
License Hierarchy | No | Yes
Number of Devices | 4000 | 10,000
MSLA | Yes | End of 2019
Cisco Smart Software Manager satellite - Installation
• Deploy the ISO into either a VM or bare metal
• Configure IP address (IPv4 and/or IPv6)
• Configure Netmask / Prefix
• Configure Default Gateway
• Configure DNS
• Connect to Administration portal via a browser
• Login as default “admin/CiscoAdmin!2345” user
• Change the admin’s default password
• Register Account(s) with Cisco Smart Account/Virtual Account
• Synchronize Account(s) with Cisco Smart Account(s)
SSM satellite - Deployments
Smart Software Manager satellite can be deployed in one of two modes:
Connected
- Used when there is connectivity to cisco.com directly from the Smart Software Manager satellite
- Cisco® Smart Account synchronization (optionally) happens automatically
- Standard model for Enhanced Edition, easiest to deploy
Disconnected
- Used when there is no connectivity to cisco.com from the Smart Software Manager satellite
- Smart Account synchronization must be manually uploaded and downloaded
[Figure: products (Router, Switch, Firewall, Video, Unified Communications) report to the SSM satellite, which sends a Monthly Inventory Update to Cisco, directly when Connected or Offline when Disconnected]
SSM satellite - Registration
• At registration there are 2 files exchanged between SSM satellite and Cisco
  • Registration file (SSM satellite to Cisco)
  • Authorization file (Cisco to SSM satellite)
• During normal operation, there are 2 different files exchanged between SSM satellite and Cisco
  • Sync Request file (SSM satellite to Cisco)
  • Sync Response file (Cisco to SSM satellite)
• Auditable data sent by SSM satellite
  • Information is in text (YAML formatted)
  • You have the ability to inspect the data gathered!
SSM satellite – Sync Request File Details
:sync: 2.0.0,
:version: 2.0.0
:id_cert: |- XXXXXXXXXXXXXXXXXX
:collector_id: 4cdd0470-e5e4-0132-a310-005056841670
:csr: |-
:last_sync: 2017-Jun-22 08:50:35 UTC
:last_generated: 2017-Jul-20 11:22:16 UTC
:virtual_accounts:
- :id: 101342
  :name: Ross-1
  :product_instances:
  - :id: 2373d312-2cd8-4029-9517-8c60037cca8c
    :registration_date: 2017-Jun-12 07:25:40 UTC
    :last_contact_date: 2017-Jul-02 06:13:47 UTC
    :is_active: true
    :software_tag_identifier: regid.2013-08.com.cisco.CSR1000V,1.0_1562da96-9176-4f99-a6cb-14b4dd0fa135
    :udi_pid: CSR1000V
    :hostname: CSR-1000v
    :ip_address:
    :mac_address:
    :udi_serial_number: 97YZFA9VYJK
    :host_identifier:
    :licenses:
    - :tag_id: 1146
      :tag: regid.2014-05.com.cisco.ax_2500M,1.0_3e0288f3-4838-47c2-93a8-3d8743850f0c
      :consumed_quantity: 1
NOTE: hostname is sent by default. To disable sending the hostname, configure:
cfg-call-home# data-privacy hostname
Information Collected | Required?
Trusted Unique Identifier (SUDI/SUVI/ID) | Yes
Licenses Consumed | Yes
Organisation Identifier | Yes
Hostname | No
AAA ID of User Making Change | No
Feature Tags | No
Other Smart Call Home Information | No
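Because the Sync Request file is plain text, it can be checked before it leaves the site. The Python below is an added example, not part of the original deck or of any Cisco tooling: it lists which optional identifying fields each product instance discloses. The sample file is constructed from the layout shown above (the second instance and its values are invented), and the choice of optional fields and the two-space nesting are assumptions.

```python
import re

# Constructed sample modelled on the Sync Request layout shown on the slide.
# The second product instance and all of its values are invented.
SAMPLE_SYNC_REQUEST = """\
:version: 2.0.0
:collector_id: 4cdd0470-e5e4-0132-a310-005056841670
:virtual_accounts:
- :id: 101342
  :name: Ross-1
  :product_instances:
  - :id: 2373d312-2cd8-4029-9517-8c60037cca8c
    :udi_pid: CSR1000V
    :hostname: CSR-1000v
    :ip_address:
    :mac_address:
    :udi_serial_number: 97YZFA9VYJK
    :host_identifier:
    :licenses:
    - :tag_id: 1146
      :consumed_quantity: 1
  - :id: 00000000-0000-4000-8000-000000000001
    :udi_pid: CSR1000V
    :hostname:
    :ip_address: 192.0.2.10
    :mac_address:
    :udi_serial_number: EXAMPLE0001
    :host_identifier:
    :licenses:
    - :tag_id: 1146
      :consumed_quantity: 2
"""

# Assumption: these are the fields to treat as optional. Hostname is marked
# "No" in the slide's table; the others appear empty in the slide's sample.
OPTIONAL_FIELDS = ("hostname", "ip_address", "mac_address", "host_identifier")

# Matches "  - :key: value" and "    :key: value" (Ruby-symbol style YAML keys).
LINE_RE = re.compile(r"^(?P<indent>\s*)(?P<dash>-\s+)?:(?P<key>\w+):\s*(?P<value>.*)$")


def parse_product_instances(text):
    """Return one dict per product instance found in a Sync Request file."""
    instances, current, pi_col = [], None, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        col = len(m["indent"]) + len(m["dash"] or "")  # column where the key starts
        key, value = m["key"], m["value"].strip()
        if key == "product_instances":
            pi_col, current = col, None
            continue
        if pi_col is None:
            continue                      # not inside a product_instances list
        if col <= pi_col:                 # next virtual account or top-level key
            pi_col, current = None, None
        elif col == pi_col + 2:           # a field of the instance itself
            if m["dash"]:                 # "- :id:" opens a new instance
                current = {"_consumed": 0}
                instances.append(current)
            if current is not None:
                current[key] = value
        elif current is not None and key == "consumed_quantity":
            current["_consumed"] += int(value)   # nested under :licenses:
    return instances


def audit_optional_fields(text):
    """Map each product instance id to the optional fields it actually sends."""
    findings = {}
    for inst in parse_product_instances(text):
        disclosed = {f: inst[f] for f in OPTIONAL_FIELDS if inst.get(f)}
        findings[inst.get("id", "<no id>")] = disclosed
    return findings


if __name__ == "__main__":
    for instance_id, disclosed in audit_optional_fields(SAMPLE_SYNC_REQUEST).items():
        print(instance_id, disclosed or "no optional fields sent")
```

An instance that still reports a hostname after `data-privacy hostname` was expected to be configured is the case this check is meant to surface.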
Cisco Smart Software Manager satellite
• HTTP/HTTPS communication:
  • Products communicating with SSM satellite via HTTPS use one of two Cisco signed certificates dependent on the smart agent version
  • Agent version can be seen with “show license all”
  • Check to make sure that the time is correct on the SSM satellite and product.
Older Products:
• Smart Agent versions prior to 1.5
• Use a 3-tier certificate
• Must wait 10 business days for Cert to be available and synchronized
Newer Products:
• Smart Agent versions 1.5 and later
• Use a 4-tier certificate
• Can be registered with no delay
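The agent version, authorization state and communication deadline all appear in the `show license all` and `show license status` output shown earlier, so they can be checked across many devices from collected output. The Python below is an added example, not from the original deck or Cisco tooling. The sample is a shortened, constructed copy of the ASAv output above; the 14-day warning threshold and the comparison of timestamps without time zone conversion are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a shortened copy of the ASAv "show license all" output.
SAMPLE_OUTPUT = """\
Smart Licensing is ENABLED
Registration:
  Status: REGISTERED
  Registration Expires: May 09 14:04:18 2017 UTC
License Authorization:
  Status: OUT OF COMPLIANCE on Feb 08 21:24:34 2017 UTC
  Communication Deadline: May 09 14:04:18 2017 UTC
License Usage
==============
ASAv30 Standard - 2G (ASAv-STD-2G):
  Status: OUT OF COMPLIANCE
Agent Version
=============
Smart Agent for Licensing: 1.6.4_rel/63
"""

# The two timestamp layouts that appear in the outputs on this page.
_TS_PATTERNS = (
    (re.compile(r"[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}"), "%b %d %H:%M:%S %Y"),  # ASAv
    (re.compile(r"[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}"), "%b %d %Y %H:%M:%S"),  # CSR1000v
)


def parse_timestamp(text):
    """Return the first timestamp in text as a naive datetime, or None."""
    for pattern, fmt in _TS_PATTERNS:
        m = pattern.search(text)
        if m:
            return datetime.strptime(m.group(0), fmt)
    return None


def parse_license_output(text):
    """Extract the fields the checks below need from show license output."""
    info, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Registration:", "License Authorization:"):
            section = line[:-1]
        elif line and set(line) == {"="}:
            section = ""                  # a new banner section starts here
        elif line.startswith("Status:") and section:
            # "AUTHORIZED on <date>" -> keep only the state name
            info[section + " status"] = line[7:].split(" on ")[0].strip()
        elif line.startswith("Communication Deadline:"):
            info["deadline"] = parse_timestamp(line)
        elif line.startswith("Smart Agent for Licensing:"):
            m = re.search(r"(\d+)\.(\d+)", line)
            info["agent"] = (int(m.group(1)), int(m.group(2))) if m else None
    return info


def assess(text, now, warn_days=14):
    """Return a list of findings for one device; an empty list means healthy."""
    info, findings = parse_license_output(text), []
    reg = info.get("Registration status")
    if reg is not None and reg != "REGISTERED":
        findings.append(f"registration state is {reg}")
    auth = info.get("License Authorization status")
    if auth != "AUTHORIZED":
        findings.append(f"authorization state is {auth}")
    deadline = info.get("deadline")
    if deadline is None:
        findings.append("no communication deadline reported")
    elif deadline < now:
        findings.append("communication deadline passed")
    elif deadline - now <= timedelta(days=warn_days):
        findings.append(f"communication deadline in {(deadline - now).days} days")
    agent = info.get("agent")
    if agent is not None and agent < (1, 5):
        findings.append("Smart Agent older than 1.5: 3-tier certificate with SSM satellite")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_OUTPUT, datetime(2017, 5, 1)):
        print(finding)
```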
How do I deploy products with CSSM satellite?
• Products register to satellite the exact same way as with Cisco
• Change the ‘Authorized Backend Address’ (See product documentation)
• Example for IOS Devices:
profile CiscoTAC-1
 active
 ! Configure HTTP destination address with service URL
 destination address http https://<satellite_ip_address>/Transportgateway/services/DeviceRequestHandler
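Repointing the CiscoTAC-1 profile is easy to get half right, for example by adding the satellite URL while leaving the default Cisco destination in place. The Python below is an added example, not from the original deck or Cisco tooling: it audits a call-home configuration against the settings this deck describes. The sample configuration is constructed, 198.51.100.20 is a documentation address standing in for `<satellite_ip_address>`, and the `hide_hostname` policy switch is an assumption.

```python
# The default destination shown in the deck's CSR1000v configuration.
DEFAULT_CISCO_URL = "https://tools.cisco.com/its/service/oddce/services/DDCEService"

# Constructed sample: a satellite destination was added, but the default Cisco
# destination was left in place and the satellite URL uses plain HTTP.
SAMPLE_CONFIG = """\
service call-home
call-home
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  reporting smart-licensing-data
  destination transport-method http
  no destination transport-method email
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address http http://198.51.100.20/Transportgateway/services/DeviceRequestHandler
"""


def parse_call_home(config):
    """Collect the call-home settings relevant to Smart Licensing transport."""
    state = {"service": False, "privacy_hostname": False, "contact": None,
             "active": False, "transport_http": False, "destinations": []}
    profile = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "service call-home":
            state["service"] = True
        elif line.startswith("contact-email-addr "):
            state["contact"] = line.split(None, 1)[1]
        elif line == "data-privacy hostname":
            state["privacy_hostname"] = True
        elif line.startswith("profile "):
            profile = line.split(None, 1)[1].strip('"')
        elif profile == "CiscoTAC-1":
            # Lines beginning with "no " are negations and match none of these.
            if line == "active":
                state["active"] = True
            elif line == "destination transport-method http":
                state["transport_http"] = True
            elif line.startswith("destination address http "):
                state["destinations"].append(line.split()[-1])
    return state


def audit(config, hide_hostname=False):
    """Return findings for one device; an empty list means nothing to fix."""
    s, findings = parse_call_home(config), []
    if not s["service"]:
        findings.append("call-home service is not enabled")
    if not s["active"]:
        findings.append("profile CiscoTAC-1 is not active")
    if not s["transport_http"]:
        findings.append("transport-method http is not set on CiscoTAC-1")
    if not s["destinations"]:
        findings.append("no HTTP destination address configured")
    for url in s["destinations"]:
        if not url.lower().startswith("https://"):
            findings.append(f"destination is not HTTPS: {url}")
    local = [u for u in s["destinations"] if u != DEFAULT_CISCO_URL]
    if local and DEFAULT_CISCO_URL in s["destinations"]:
        findings.append("default Cisco destination still present alongside "
                        "satellite/proxy destination")
    if hide_hostname and not s["privacy_hostname"]:
        findings.append("data-privacy hostname is not configured; hostname is sent")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, hide_hostname=True):
        print(finding)
```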
Key Features in SSM satellite Classic Edition
Networking Support
• IPv4 and IPv6 support
• Dual-NIC: separate interfaces for network management and product instance registrations.
Security Enhancements:
• FIPS 140-2 Certification (Version 4.2)
Key License Features
• High Availability Support
• Backup Restore of Database and System Configs
• Device Led Migration
Sync Intervals
• Adjustable 30-day Synchronization Schedule
• Allows satellite to function as long as it synchronizes with Cisco once every 3 months
Scalability
• 4K product instances, 1 Smart Account
SSM satellite Classic Edition Requirements
• The Free installation package is available in a number of formats
  • ISO installable via Bootable Media
[Figure: SSM satellite Classic Edition Application (Centos 7) ISO]
System Requirements (Customer Provided):
Minimum | MSLA
200 GB Hard Disk | 300 GB Hard Disk
8GB Memory | 8GB Memory
4 vCPUs | 4 vCPUs
4000 products | 4000 products
SSM satellite Classic Edition – Single Workspace
• Simplified UI for satellite administration
• Limited features as compared to CSSM and SSM satellite Enhanced Edition
• Single Cisco Smart Account support
• Multiple Cisco Virtual Accounts supported
https://<ip-address>:8443
SSM satellite Classic Edition – Features
• Register product instances: Create an “ID Token” from SSM satellite and use it to enable the product to be registered
• View the list of virtual accounts: View information in virtual accounts from CSSM that are associated with SSM satellite
• Set up synchronization schedules: Synchronize to the latest copy on what licenses are being used vs. what has been purchased
• Reports for virtual accounts: Run a report to show usage vs. consumption and export it to CSV or an Excel file
• Manage users: Create and delete users
SSM Satellite Classic Edition – Synchronization
• SSM satellite should synchronize with Cisco every 30 days
• Automatic if network attached (online mode)
• By manual file transfers if disconnected (offline mode)
• SSM satellite must synchronize with Cisco within 89 days.
• After 89 days without synchronization:
• MUST be reinstalled using a NEW instance of SSM satellite
• All product instances are removed
• All ID tokens are expired
• Products will not be able to communicate with the original SSM satellite
• Products will need to be re-registered
60. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
CSSM satellite HA Deployment Configurations
[Diagram: an Active and a Standby satellite node, each running Tomcat, Zabbix, MariaDB, Corosync, Pacemaker and DRBD, attached to an IPv4 (or IPv6) management network together with CSR1kv product instances; a proxy, a firewall (NAT), a DNS server and the Internet are also shown.]
61. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SSM satellite – HA Data Replication
[Diagram: two satellite nodes, DRBD master and standby, each with a file system, DRBD module, TCP, NIC driver and block driver stack, kept in sync over a replicated volume. Labels: Cluster Manager, Resource Monitor, Corosync, Pacemaker. Satellite services on each node: Tomcat, MariaDB, Zabbix, DRBD. Addresses shown: 10.1.1.2, 10.1.1.3 and 10.1.1.1, labelled Service Address and VIP Address.]
62. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SSM satellite Classic Edition – MSLA (Utility)
• Managed Service License Agreement (MSLA)
63. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
MSLA – Customer Checklist
• Identify/Create Smart Account and satellite Virtual Account(s) – New customer.
• Identify billing and service locations to determine the Subscription IDs setup – New customer.
• Install Smart Software Manager satellite Classic Edition 5.0.1 (or later)
• Ensure CSRv has a minimum version – 16.9.1
• Enable utility on the product instances with CLI:
• “license smart utility”
• Ensure subscription SKUs are added to your Smart Account
• Register the product instances with SSM satellite Classic Edition
64. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SSM satellite Enhanced Edition - Key Features
Multi-tenancy: Manage multiple customer Smart Accounts in a single management portal
• Administration Workspace only accessible by System Admin and System Operators
• Licensing portal is for Smart Licensing and Administration.
• Multiple levels of RBAC (Admin, Operator, User)
• User Authentication Control: LDAP or OAuth2
Security Enhancements:
• CentOS 7 security-hardened kernel
• Separate Workspace for Licensing and Administration
Networking Support
• IPv4 and IPv6 support
• Multi-NIC: multiple interfaces for traffic separation between network management and product instance registrations.
• Proxy support: Allows the satellite to have a proxy between itself and Cisco Smart Software Manager for traffic separation
• Firewall Zones: Ability to configure interfaces for Internal (access) or External (no access)
System Alerts and Notifications
• Email support for notification of License Events
• Syslog support: Account events can be configured to be sent to a syslog server
65. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SSM satellite Enhanced Edition - Key Features
Longer Sync Intervals
• Native 365-day Synchronization Schedule
• Allows the satellite to function as long as it synchronizes with Cisco once a year.
New License Features
• License AppHA: Allows for the reporting of a single license usage for both standby and active Applications
• License Hierarchy: Enable borrowing of a higher-tier license to be fulfilled when a lower-tier license is not available
API Support
• API Support for automation of product deployment
• Resource and Owner credentials grant supported
• 5 major API groups for over 15 unique APIs
Improved Scalability
• 500+ accounts
• 10,000 Product Instances
• Active development in progress to increase scale
66. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SSM satellite Enhanced Edition - Requirements
• The free installation package is available in a number of formats
• ISO installable via Bootable Media
[Diagram: SSM satellite Enhanced Edition containers on CentOS 7, delivered as an ISO: License/Admin Portals, License Services, Crypto Services, Database]
System Requirements (Customer Provided):
• Minimum: 200 GB Hard Disk, 8 GB Memory, 2 vCPUs, 4000 products
• Recommended: 200 GB Hard Disk, 8 GB Memory, 4 vCPUs, 10000 products
67. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SSM satellite Enhanced Edition - Workspace
Licensing Portal User Interface (https://<ip-address>:8443)
• Similar to CSSM “Smart Licensing”
• Similar to CSSM “Manage Smart Account”
• Licensing & Administration Workspace
Administration Portal User Interface (https://<ip-address>:8443/admin)
• Administration of System configuration
• Administration of Users and Accounts
68. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Administration Workspace - System RBAC
• All Users:
• Can be local, or authenticated with an external system
• Local users have preference over authenticated users
• Are not required to have Cisco CCO Accounts
• Must have access to Smart Account Admin access at Cisco to create local satellite account
• System Admin
• Full System access
• Access to all Account(s)
• System Operator (restricted)
• No ability to change system configurations
• Access to all Account(s)
• System User (restricted)
• Limited to License Workspace Only
• Access to all Account(s)
69. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Administration Workspace
• All Accounts map to a Smart Account/Virtual Account
• Customer requests account; email alert is sent to System Admin(s)
• System Admin performs account creations and grants user Access
• Flexible Account Setup models
• Single Smart Account mapping to Multiple satellite Accounts
• Multiple Smart Account mapping to Multiple satellite Accounts
70. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Example: Satellite Accounts to Single Smart Account
[Diagram: the Licensing Workspace of the SSM satellite holds Accounts for Department 1, Department 2 and Department 3, shown against three Virtual Accounts in the BigU.edu Smart Account on software.cisco.com.]
71. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Example: Satellite Accounts to Multiple Smart Accounts
[Diagram: the Licensing Workspace of the SSM satellite holds Accounts for Customer 1, Customer 2 and Customer 3, shown against Virtual Accounts in the BigU.edu, SmallU.edu and MediumU.edu Smart Accounts on software.cisco.com.]
72. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Administration Workspace
• SSM satellite should synchronize with Cisco every 30 days
• Automatic if Network Attached
• By manual file transfers in disconnected Mode
• SSM satellite must synchronize with Cisco within 364 days.
• After 364 days without synchronization:
• A new Account MUST be registered with Cisco
• All product instances in the Account are removed
• All ID Tokens in the Account are expired
• Products will need to be re-registered
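The 30-day recommendation and the 89-day (Classic Edition) and 364-day (Enhanced Edition) hard limits from the two synchronization slides, turned into an inventory check that ranks satellites by how close they are to forced re-registration. This is an added example, not Cisco code; the `Satellite` record, the 14-day warning margin and the sample inventory are assumptions, and last-sync dates must come from your own records.

```python
from dataclasses import dataclass
from datetime import date

# Figures from the slides: sync recommended every 30 days; the hard limit is
# 89 days for Classic Edition and 364 days for Enhanced Edition.
RECOMMENDED_DAYS = 30
HARD_LIMIT_DAYS = {"classic": 89, "enhanced": 364}


@dataclass
class Satellite:
    name: str        # hypothetical inventory label
    edition: str     # "classic" or "enhanced"
    last_sync: date  # last successful synchronization with Cisco


def sync_status(sat, today, warn_margin=14):
    """Return (status, days_left); days_left counts down to the hard limit.

    Assumption: a sync on the limit day itself (day 89 / day 364) still counts.
    """
    if sat.edition not in HARD_LIMIT_DAYS:
        raise ValueError(f"unknown edition: {sat.edition!r}")
    age = (today - sat.last_sync).days
    if age < 0:
        raise ValueError(f"{sat.name}: last_sync is in the future")
    days_left = HARD_LIMIT_DAYS[sat.edition] - age
    if days_left < 0:
        return "EXPIRED", days_left   # tokens expired, products must re-register
    if days_left <= warn_margin:
        return "CRITICAL", days_left  # hard limit is close, synchronize now
    if age > RECOMMENDED_DAYS:
        return "OVERDUE", days_left   # missed the recommended 30-day sync
    return "OK", days_left


def triage(inventory, today):
    """Return (name, status, days_left) rows, most urgent first."""
    rows = [(s.name, *sync_status(s, today)) for s in inventory]
    return sorted(rows, key=lambda r: r[2])


# Constructed sample inventory (names and dates are illustrative only).
INVENTORY = [
    Satellite("sat-lab", "classic", date(2019, 6, 10)),
    Satellite("sat-dmz", "classic", date(2019, 4, 10)),
    Satellite("sat-old", "classic", date(2019, 4, 1)),
    Satellite("sat-msp", "enhanced", date(2019, 4, 10)),
]

if __name__ == "__main__":
    for name, status, left in triage(INVENTORY, date(2019, 6, 30)):
        print(f"{name:8} {status:9} days to hard limit: {left}")
```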
73. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Administration Workspace
• Smart Account APIs
• Account Search
• Validate User Access API
• Virtual Accounts APIs
• Create Local Virtual Account
• Delete Local Virtual Account
• List Local Virtual Accounts
• License APIs
• Smart License Usage
• License Subscriptions Usage
• Transfer Licenses
• Smart License Alerts
• List Alerts
• Token APIs
• Create Tokens
• List Tokens
• Revoke Tokens
• Device APIs
• Product Instance Usage
• Product Instance Search
• Product Instance Transfer
• Product Instance Remove
75. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Introduction to License Reservation
• The Smart Account must be authorized for License Reservation
• Must have enough available licenses (Over subscription is not allowed)
• Smart Account must be authorized for any Export Restricted Functionality
Permanent License Reservation
• All features are enabled
• Cost premium
• Some products will not support PLR
Specific License Reservation
• Only features owned can be reserved
• At no additional cost
• Not all products support SLR (yet)
76. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Permanent License Reservation
• Manually exchange short ASCII strings with CSSM
• Two way data exchange via ASCII strings
• Product Request (UDI/vUDI, etc.) entered into CSSM (~ 32 characters*)
• CSSM returns an authorization locked to UDI/vUDI (34 characters)
• Entitles unlimited license consumption on product
[Diagram, steps between the product and CSSM: 1. Get UDI/vUDI Request; 2. Type UDI/vUDI Request; 3. Get Auth String; 4. Type Auth String]
* Length will vary by product – 31 for new version of ASAv
77. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Specific License Reservation
• Manually exchange information (copy and paste) with CSSM
• Two way data exchange via ASCII strings
• Product Request (UDI/vUDI, etc.) entered into CSSM
• Requested licenses and quantities chosen in CSSM
• CSSM returns an authorization locked to UDI/vUDI
• Entitles specific license consumption on product
[Diagram, steps between the product and CSSM: 1. Get UDI/vUDI Request; 2. Type or Paste Request String; 3. Choose Licenses; 4. Copy Auth String; 5. Paste Auth String]
78. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
License Reservation Summary
• PLR has a price premium because it enables all features on the product whether you want them or not
• Not available on all products
• Node lock (cannot transfer licenses if it’s already in use)
• RMAs can be a challenge if you cannot get the return code off the box
• Changing SLR entitlements can be difficult
80. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Smart License is here today!
Key decisions you need to make...
• All Cisco Products are moving to Smart Licensing
• Smart Account is not optional
• You will need it to register products.
• Who needs to approve your Smart Account creation?
• Smart Accounts are not Optional!
• Products may have limited functionality until registered!
• Determine “Span of Control”
• Who will manage the Smart Account?
• Partner Managed?
• Central Managed?
• Distributed Managed?
• Who will manage the Smart License?
• Who do I get the <id token> from?
• What's your network access policy?
• What product telemetry method(s) will you use?
• Will you need a Smart Software Manager satellite? How many? Locations?
Columns: Get Ready! (Smart Account), Get Set! (Virtual Accounts), Go! (Product Telemetry)
81. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Determining the best Method to Use
• Method 1 & 2
• Device has Direct Network Access
• Simplest to Deploy and Use
• Method 3 & 4
• Device has Intermediate Network Access
• One line change to Product Configuration
• Method 5
• Device has No Network Access
• Similar to PAK Files
[Diagram: Cisco products report “Your Cisco Software Usage” to Cisco.com over HTTPS directly, through a Transport Gateway or HTTPS proxy, through a Smart Software Manager satellite, or by copy/paste of a license request and license response.]
82. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Questions?
83. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
For More Information – Cisco SSM Satellite
Cisco® Smart Licensing
www.cisco.com/go/smartlicensing
(http://www.cisco.com/c/en/us/products/abt_sw.html)
Cisco® Smart Software Manager
www.cisco.com/go/smartsatellite
(http://www.cisco.com/web/ordering/smart-software-manager/smart-software-manager-satellite.html)
Cisco® Smart Accounts
www.cisco.com/go/smartaccounts
(http://www.cisco.com/web/ordering/smart-software-manager/smart-accounts.html)
84. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
For More Information – Cisco Smart Call Home
• For more Information on Cisco® Smart Call Home
• For more Information on Cisco® Transport Gateway
User Guide
http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/smart_call_home/user_guides/SCH_Ch4.pdf
Troubleshooting Guide
http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/smart_call_home/user_guides/SCH_Ch5.pdf
Smart Call Home
http://www.cisco.com/c/en/us/support/cloud-systems-management/smart-call-home/tsd-products-support-series-home.html
Cisco Privacy and Security Compliance
http://www.cisco.com/web/about/doing_business/legal/privacy_compliance/index.html
85. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session
How
1. Find this session in the Cisco Events Mobile App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
cs.co/ciscolivebot#BRKARC-2034
86. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Complete your online session evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.cisco.com/Online.
87. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Continue Your Education
• Demos in the Cisco Showcase
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions