Deploying Cisco License Manager 3.0 in Isolated Networks
PDF(170.6 KB) View with Adobe Reader on a variety of devices
Updated:October 12, 2009
® License Manager is a lightweight, GUI-based application for managing Cisco IOS
® Software activation and licenses for Cisco devices such as Cisco Catalyst
® 3560-E and 3750-E Series Switches. It automates the licensing workflows associated with fulfillment and accelerates deployment of licenses in customer networks. Cisco License Manager resides at the customer premises and securely communicates with Cisco devices in the customer network to automatically build an inventory of software licenses in the customer network. In addition, it securely interacts with the license server at Cisco.com for license fulfillment, and it requires Internet connectivity from the host on which Cisco License Manager is installed. Some customers have isolated networks with no Internet connectivity and therefore may not be able to make full use of Cisco License Manager functionality. This paper describes how to deploy Cisco License Manager in these scenarios to be able to securely use its full functionality.
Some customers, especially in government and the financial and healthcare market segments, keep their networks isolated from the Internet for security reasons. There is no Internet connectivity from their network operations centers. As a result, these customers cannot use the full functionality of Cisco License Manager. They can automatically discover Cisco devices with licensing capability and build up and maintain a networkwide inventory of licenses. However, any functionality related to license fulfillment, such as retrieving SKU information from a Product Authorization Key (PAK), obtaining licenses by associating devices with PAKs, and collecting all the licenses for a device, cannot be used because these functions require secure Internet connectivity to the license server at Cisco.com.
You can take advantage of the full functionality of Cisco License Manager deployed in isolated networks use four approaches: manual license fulfillment, use of proxy servers to access Cisco.com, two-stage deployment, and two-host deployment.
Note: All the scripts mentioned in these approaches are located in <$CLMHome>/bin, where <$CLMHome> is the directory in which the Cisco License Manager server is installed.
Manual License Fulfillment
The simplest solution for customers looking to deploy Cisco License Manager in isolated networks is to manually obtain license keys for their devices from the Cisco Product Registration portal at
https://www.cisco.com/go/license. Use the following script to install Cisco License Manager in the isolated network:
password is the Cisco License Manager administrator password,
import-source indicates the source of the license file and should be set to
-email because the license file is sent from the Cisco Product Registration portal in an email, and
license-file is the fully qualified location of the license file.
For example, the following script imports a license file located at C:\clm_email_license.xml:
Once Cisco License Manager has imported the license file, it can then deploy the licenses to devices and keep its inventory up to date. However, this approach is not scalable and will work only if the number of devices in the network is small.
Using Proxy Servers to Access Cisco.com
Cisco License Manager supports proxy servers to access the Cisco.com license portal for various license operations. You can configure your proxy server details in Cisco License Manager by providing the proxy server address, HTTP and HTTPS port numbers, as well as the username and password for the proxy server. Cisco License Manager will connect to the Cisco.com license portal through the proxy server for all transactions. Please see Cisco License Manager Users Guide for step-by-step instructions.
Cisco License Manager supports a two-stage deployment model where it is installed on a host in the isolated network (Figure 1). Cisco License Manager has connectivity to network devices and discovers Cisco devices with licensing capability and builds an inventory of licenses in the isolated network. Once this is done, you can physically move Cisco License Manager to a network domain with Internet connectivity and fulfill licenses by securely communicating to the license server at Cisco.com and obtaining and saving the licenses to its database. Cisco License Manager can then be moved back to the original isolated network domain to deploy previously obtained licenses to network devices.
Cisco License Manager is a lightweight application and can even be installed on low-powered machines such as laptops if the number of managed devices is relatively small compared to the maximum supported number of 500,000 devices and there are no concurrent clients so that network operators can physically move between network domains easily. Please see the Cisco License Manager data sheet for exact minimum system requirements for larger deployments.
Figure 1. Two-Stage Deployment Diagram
Some customers have policies and restrictions on physically moving hosts or equipment out from isolated network domains. In this case, the customer should deploy Cisco License Manager on two hosts-one inside the isolated network (Cisco License Manager server 1) and the second one in the network domain with Internet connectivity (Cisco License Manager server 2). See Figure 2. Cisco License Manager installed in the isolated network (Cisco License Manager server 1) has connectivity to network devices and discovers Cisco devices with licensing capability and builds an inventory of licenses in the network. Then you can back up the Cisco License Manager database using the following script:
For example, the following script backs up all the data to the C:\CLMServer1 directory except IP addresses of managed devices and the server hostname-related information:
clm_backup.bat cisco C:\CLMServer1 -mask ipaddr
You should copy this database onto physical media and take it to the Cisco License Manager host in the network domain with Internet connectivity (Cisco License Manager server 2) and restore its database using Cisco License Manager server 1's database backup with the following script:
password is the Cisco License Manager administrator password and
absolute_backup_directory_path is the location where the backup files are stored.
mask hostInfo will help ensure that Cisco License Manager server 2 will continue to use its server hostname even after the restore and there is no need to change the hostname after restoring Cisco License Manager server 1's database.
For example, the following script restores Cisco License Manager from the backup stored at C:\CLMServer1:
You should then restart the Cisco License Manager server.
Now, Cisco License Manager server 2 has the information about all the devices in the isolated network and their unique device identifiers (UDIs). You then can proceed with the license fulfillment by securely connecting to the license server at Cisco.com and obtaining and saving the licenses to its database. Once this is done, you can back up the database on Cisco License Manager server 2 using the following command:
clm_backup.bat cisco C:\CLMServer2
You can then take this database on physical media to the isolated network and restore Cisco License Manager server 1's database using the database backup of Cisco License Manager server 2 with the following command:
Please note that in this case, the IP addresses of managed devices and the server hostname-related information from the Cisco License Manager server 1's original database will continue to be used, and the rest of the data such as licenses and PAK information will be used from Cisco License Manager server 2's backup database.
If you have not masked IP addresses from the backup in the original step,
-unmask ipaddr must not be used.
Figure 2. Two-Host Deployment Diagram
Now the Cisco License Manager installed in the isolated network (on Cisco License Manager server 1) has all the obtained licenses and is ready to deploy them. You must update the license information for all managed devices by selecting all top-level device groups and then clicking Poll Licenses before deploying the licenses to the managed devices. This will update your Cisco License Manager Inventory in case some license operations were done on the managed devices while Cisco License Manager in the connected network domain was obtaining licenses.
Please note that you must not add, remove, or autodiscover network devices in either of the Cisco License Manager servers. You must perform these steps with minimum delay between them in order to minimize the delta between the databases on the two Cisco License Manager installations.
The Cisco License Manager application automates software license management and securely communicates both with network devices and the license server at Cisco.com. Some customers have isolated networks of Cisco devices with no Internet connectivity, thereby limiting the benefits they can achieve from the functionality of Cisco License Manager. The four approaches discussed in this paper can help you to securely make full use of Cisco License Manager functionality in these scenarios.