Deploying Cisco License Manager 3.1 in Isolated Networks

Last updated: May 2011

Abstract

Cisco® License Manager is a lightweight, GUI-based application for managing Cisco IOS® Software activation and licenses for many Cisco devices such as Cisco Catalyst® 3560-E/X and 3750-E/X Series Switches. It automates the licensing workflows associated with fulfillment and accelerates deployment of licenses in customer networks. Cisco License Manager resides at the customer premises and securely communicates with Cisco devices in the customer network to automatically build an inventory of software licenses in the customer network. In addition, it securely interacts with the license server at Cisco.com for license fulfillment, and it generally requires Internet connectivity from the host on which Cisco License Manager is installed. Some customers have isolated networks with no Internet connectivity and therefore may not be able to make full use of Cisco License Manager functionality. This paper describes how to deploy Cisco License Manager in these scenarios to be able to securely use its full functionality.

Introduction

Some customers, especially in the government, financial, and healthcare market segments, keep their networks isolated from the Internet for security reasons. There is no Internet connectivity from their network operations centers. As a result, these customers cannot use the full functionality of Cisco License Manager. They can automatically discover Cisco devices with licensing capability and build up and maintain a network-wide inventory of licenses. However, any functionality related to license fulfillment, such as retrieving SKU information from a Product Authorization Key (PAK), obtaining licenses by associating devices with PAKs, and collecting all the licenses for a device, cannot be used, because these functions require secure Internet connectivity to the license server at Cisco.com.

Approaches

There are four approaches to using the full functionality of Cisco License Manager in an isolated network:

1. Manual license fulfillment

2. Use of proxy servers to access Cisco.com

3. Two-stage deployment

4. Two-host deployment

Note: All the scripts mentioned in this document are located in <$CLMHome>/bin, where <$CLMHome> is the directory in which the Cisco License Manager server is installed.

Manual License Fulfillment

The simplest solution for customers looking to deploy Cisco License Manager in isolated networks is to manually obtain license keys for their devices from the Cisco Product Registration portal at http://www.cisco.com/go/license. Use the following script to import the resulting license file into the Cisco License Manager installation in the isolated network:

clm_import.bat <password> {<import-source> <license-file>}

Where password is the Cisco License Manager administrator password, import-source indicates the source of the license file and should be set to -email because the Cisco Product Registration portal sends the license file by email, and license-file is the fully qualified path of the license file. Note that the administrator password is passed on the command line, so it is visible in the command history and to anyone who can list running processes on the host; run the script from a controlled console and clear the history afterwards.
For example, the following command imports a license file located at C:\clm_email_license.xml:

clm_import.bat cisco -email C:\clm_email_license.xml

Once Cisco License Manager has imported the license file, it can deploy the licenses to devices and keep its inventory up to date. However, this approach becomes cumbersome as the number of devices in the network grows, because every license file must be obtained and imported by hand.

Using Proxy Servers to Access Cisco.com

Cisco License Manager supports proxy servers for access to the Cisco.com license portal for the various license operations. You configure the proxy server details in Cisco License Manager by providing the proxy server address, the HTTP and HTTPS port numbers, and the username and password for the proxy server. Cisco License Manager then connects to the Cisco.com license portal through the proxy server for all transactions. See the Cisco License Manager User Guide for step-by-step instructions.

Two-Stage Deployment

Cisco License Manager supports a two-stage deployment model in which it is installed on a host in the isolated network (Figure 1). There, Cisco License Manager has connectivity to the network devices, discovers the Cisco devices with licensing capability, and builds an inventory of licenses in the isolated network. Once this is done, you physically move the Cisco License Manager host to a network domain with Internet connectivity and fulfill licenses by securely communicating with the license server at Cisco.com, obtaining the licenses and saving them to the Cisco License Manager database. The host is then moved back to the original isolated network domain, where Cisco License Manager deploys the previously obtained licenses to the network devices.
Cisco License Manager is a lightweight application and, if the number of managed devices is relatively small and there are no concurrent clients, can be installed on low-powered machines such as laptops, so that network operators can easily move it between network domains. See the Cisco License Manager data sheet for the exact minimum system requirements for larger deployments.

Figure 1. Two-Stage Deployment Diagram

Two-Host Deployment

Some customers have policies and restrictions on physically moving hosts or equipment out of isolated network domains. In this case, deploy Cisco License Manager on two hosts: one inside the isolated network (Cisco License Manager server 1) and the second in the network domain with Internet connectivity (Cisco License Manager server 2). See Figure 2. The Cisco License Manager installed in the isolated network (server 1) has connectivity to the network devices, discovers the Cisco devices with licensing capability, and builds an inventory of licenses in the network. Then back up the Cisco License Manager database using the following script:

clm_backup.bat <password> <absolute_backup_directory_path>

Where password is the Cisco License Manager administrator password and absolute_backup_directory_path is the location where the backup files will be stored.
If you have security concerns about including your IP address information in the backup, please invoke the following command to mask IP addresses from the backup:

clm_backup.bat <password> <absolute_backup_directory_path> -mask ipaddr

For example, the following command backs up all the data to the C:\CLMServer1 directory except the IP addresses of managed devices and the server hostname-related information:

clm_backup.bat cisco C:\CLMServer1 -mask ipaddr

Copy this backup onto physical media and take it to the Cisco License Manager host in the network domain with Internet connectivity (Cisco License Manager server 2). Restore server 2's database from server 1's backup with the following script:

clm_restore.bat <password> <absolute_backup_directory_path> [-mask hostInfo]

Where password is the Cisco License Manager administrator password and absolute_backup_directory_path is the location where the backup files are stored.
The -mask hostInfo option ensures that Cisco License Manager server 2 keeps its own server hostname after the restore, so there is no need to change the hostname after restoring server 1's database.
For example, the following script restores Cisco License Manager from the backup stored at C:\CLMServer1:

clm_restore.bat cisco C:\CLMServer1 -mask hostInfo

You should then restart the Cisco License Manager server.
Now Cisco License Manager server 2 has the information about all the devices in the isolated network and their Unique Device Identifiers (UDIs). You can then proceed with license fulfillment by securely connecting to the license server at Cisco.com, obtaining the licenses, and saving them to server 2's database. Once this is done, back up the database on Cisco License Manager server 2 using the following command:

clm_backup.bat cisco C:\CLMServer2

Take this backup on physical media to the isolated network and restore Cisco License Manager server 1's database from the backup of Cisco License Manager server 2 with the following command:

clm_restore.bat cisco C:\CLMServer2 -mask hostInfo -mask ipaddr

Note that in this case the IP addresses of the managed devices and the server hostname-related information from Cisco License Manager server 1's original database continue to be used, while the rest of the data, such as licenses and PAK information, is taken from Cisco License Manager server 2's backup.
If you have not masked IP addresses from the backup in the original step, -unmask ipaddr must not be used.

Figure 2. Two-Host Deployment Diagram

Now the Cisco License Manager installed in the isolated network (on Cisco License Manager server 1) has all the obtained licenses and is ready to deploy them. Before deploying the licenses to the managed devices, update the license information for all of them by selecting all top-level device groups and clicking Poll Licenses. This brings the Cisco License Manager inventory up to date in case any license operations were performed on the managed devices while the Cisco License Manager in the connected network domain was obtaining licenses.
Do not add, remove, or autodiscover network devices on either Cisco License Manager server while this procedure is in progress, and perform the steps with minimum delay between them, to keep the databases on the two Cisco License Manager installations from diverging.
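The two-host procedure carries a database backup across the air gap on removable media twice, and the -mask ipaddr option on the first backup is the only thing that keeps device addresses out of the connected network. The following script is an added example and is not part of Cisco License Manager or of this paper: it records a SHA-256 manifest of the backup directory before it leaves a host and verifies it on arrival (including that no files were added or dropped in transit), and it sweeps a masked backup for any remaining IPv4 addresses before the media is carried out of the isolated network. It assumes a POSIX shell with GNU coreutils and GNU grep (for example a Linux transfer workstation or a Unix-like shell on the CLM host); the MANIFEST.sha256 file name, the function names, and the sample backup files created in demo() are constructed for illustration and do not reflect the actual clm_backup file layout.

```shell
#!/bin/sh
# Added example (not a Cisco License Manager script): preflight checks for a
# clm_backup output directory before and after it crosses the air gap on
# removable media. Assumes a POSIX shell with GNU coreutils (sha256sum, find,
# sort, wc) and GNU grep. The backup file names and contents used by demo()
# are constructed for illustration and are not the real CLM backup format.

MANIFEST=MANIFEST.sha256

# Deliberately broad dotted-quad pattern. Four-part version strings can also
# trigger it, so treat a hit as something to inspect rather than proof of a leak.
IPV4_RE='(^|[^0-9.])([0-9]{1,3}\.){3}[0-9]{1,3}([^0-9.]|$)'

# Step 1 (source host, right after clm_backup finishes): record a SHA-256 for
# every file in the backup directory in $dir/MANIFEST.sha256.
make_manifest() {
    dir=$1
    ( cd "$dir" || exit 1
      find . -type f ! -name "$MANIFEST" | LC_ALL=C sort |
          while IFS= read -r f; do sha256sum "$f"; done > "$MANIFEST" )
}

# Step 2 (destination host, after copying from the media): every listed file
# must hash the same, and no file may have appeared or disappeared.
verify_manifest() {
    dir=$1
    ( cd "$dir" || exit 1
      [ -f "$MANIFEST" ] || exit 1
      listed=$(wc -l < "$MANIFEST" | tr -d ' ')
      present=$(find . -type f ! -name "$MANIFEST" | wc -l | tr -d ' ')
      [ "$listed" -eq "$present" ] || exit 1
      sha256sum -c --quiet --strict "$MANIFEST" )
}

# Step 3 (source host, only for a backup taken with -mask ipaddr): confirm that
# no dotted-quad addresses remain before the media leaves the isolated network.
# Prints each hit as file:line:text and returns 1 if anything was found.
check_no_ipaddr() {
    dir=$1
    if grep -rEn --exclude="$MANIFEST" "$IPV4_RE" "$dir"; then
        return 1
    fi
    return 0
}

# Walk-through on a constructed backup directory: a clean copy passes all
# checks, then a modified file is caught by both the manifest and the sweep.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/CLMServer1"
    printf 'device=WS-C3750E-24TD\nfeature=ipservices\n' > "$tmp/CLMServer1/inventory.dat"
    printf 'pak=EXAMPLE-PAK\n' > "$tmp/CLMServer1/paks.dat"
    make_manifest "$tmp/CLMServer1" || return 1
    verify_manifest "$tmp/CLMServer1" || return 1             # untouched copy passes
    check_no_ipaddr "$tmp/CLMServer1" >/dev/null || return 1  # masked backup is clean
    printf 'mgmt=192.0.2.10\n' >> "$tmp/CLMServer1/inventory.dat"
    if verify_manifest "$tmp/CLMServer1" 2>/dev/null; then return 1; fi  # tamper detected
    if check_no_ipaddr "$tmp/CLMServer1" >/dev/null; then return 1; fi   # address detected
    rm -rf "$tmp"
    return 0
}

if [ "${1:-}" = "--demo" ]; then
    demo && echo "all checks behaved as expected"
fi
```

Run make_manifest on the source host immediately after clm_backup.bat completes, copy the whole directory (manifest included) to the media, and run verify_manifest on the destination host before clm_restore.bat; a non-zero exit means the backup should not be restored. Run check_no_ipaddr on server 1's backup only when it was taken with -mask ipaddr, and treat any hit as a reason to stop and inspect the file before the media leaves the isolated network.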

Conclusion

The Cisco License Manager application automates software license management and securely communicates both with network devices and the license server at Cisco.com. Some customers have isolated networks of Cisco devices with no Internet connectivity, thereby limiting the benefits they can achieve from the functionality of Cisco License Manager. The four approaches discussed in this paper can help you to securely make full use of Cisco License Manager functionality in these scenarios.

For More Information

Please visit http://www.cisco.com/go/clm for more information or send an email to ask-clm-pm@cisco.com.