Application Control Engine Module Administration Guide (Software Version A1(2))
Managing ACE Software Licenses
Download this chapter
Managing ACE Software LicensesManaging ACE Software Licenses
Download the complete book
Cisco Application Control Engine Module Administration Guide Book-Length PDF (Software Version A1(2))Cisco Application Control Engine Module Administration Guide Book-Length PDF (Software Version A1(2)) (PDF - 4 MB)
give_us_feedback

Table Of Contents

Managing ACE Software Licenses

Available ACE Licenses

Ordering an Upgrade License and Generating a Key

Copying a License to the ACE

Installing a New or Upgrade License

Replacing a Demo License with a Permanent License

Removing a License

Removing a Module Bandwidth License

Removing an SSL TPS License

Removing a User Context License

Backing Up a License File

Displaying License Configurations and Statistics


Managing ACE Software Licenses

This chapter describes how to manage the software licenses for your Cisco Application Control Engine (ACE) module. It contains the following major sections:

Available ACE Licenses

Ordering an Upgrade License and Generating a Key

Copying a License to the ACE

Installing a New or Upgrade License

Replacing a Demo License with a Permanent License

Removing a License

Backing Up a License File

Displaying License Configurations and Statistics

Note You can access the license and show license commands only in the Admin context. You must have the Admin role in the Admin context to perform the tasks of installing, removing, and updating the license.

Available ACE Licenses

By default, the ACE supports virtualization with one Admin context and five user contexts, 4 gigabits per second (Gbps) module bandwidth, and 1000 SSL transactions per second (TPS). You can increase the number of default user contexts, module bandwidth, and SSL TPS by purchasing the following licenses:

ACE-VIRT-020—20 virtual contexts.

ACE-VIRT-050—50 virtual contexts.

ACE-VIRT-100—100 virtual contexts.

ACE-VIRT-250—250 virtual contexts.

ACE-08G-LIC—8 Gbps bandwidth (available when you initially purchase an ACE).

If you purchase an ACE with a bandwidth of 4 Gbps, you can upgrade the module bandwidth to 8 Gbps through the ACE-UPG1-LIC license.

ACE-SSL-05K-K9—SSL with 5,000 TPS.

You can upgrade virtualization in increments, provided that you do not exceed the limits of the ACE (a maximum of 250 contexts) through the following licenses:

ACE-VIRT-UP1—upgrades 20 to 50 contexts

ACE-VIRT-UP2—upgrades 50 to 100 contexts

ACE-VIRT-UP3—upgrades 100 to 250 contexts

To take advantage of all the ACE security features, you must install the ACE-SEC-LIC-K9 security license.

You can also obtain an ACE demo licence for each type of virtualization, bandwidth, or SSL TPS licence, including upgrade increments for contexts. A demo license is valid for only 60 days. At the end of this period, you will need to update the demo license with a permanent license to continue to use the ACE software. To view the expiration of the demo license, use the show license usage command in Exec mode.

Note If you need to replace the ACE module, you can copy and install the licenses onto the replacement module.

Ordering an Upgrade License and Generating a Key

This section describes the process you use to order an upgrade license and to generate a license key for your ACE. To order an upgrade license:

1. Order one of the licenses from the list in the "Available ACE Licenses" section using any of the available Cisco ordering tools on cisco.com.

2. When you receive the license certificate from Cisco, follow the instructions directing you to the cisco.com website.

If you are a registered user of cisco.com, go to:

http://www.cisco.com/go/license

If you are not a registered user of cisco.com go to:

http://www.cisco.com/go/license/public

3. Enter the Product Authorization Key (PAK) number found on the license certificate as your proof of purchase.

4. Provide all the requested information to generate a license key.

5. Once the system generates the license key, you will receive the license key with installation instructions through an e-mail. Be sure to save the license key e-mail in a safe place in case you need it in the future (for example, to transfer the license to another ACE).

Copying a License to the ACE

After you have received the software license key for a license in an e-mail from Cisco Systems, you must copy the license file to a network server. Then, use the copy command in Exec mode from the Admin context to copy the file to disk0: on the ACE. For detailed information on the copying files from a remote server, see Chapter 5, Managing the ACE Software.

For example, the syntax for the copy tftp command is:

copy tftp:[//server[/path/][/filename]] disk0:[path/]filename

The arguments are:

[//server[/path/][/filename]]—The path to the network server. This path is optional because the ACE prompts you for this information if you omit it.

disk0:[path/]filename—Specifies that the file destination is the disk0: directory of the current context and the filename. If you do not provide the optional path, the ACE copies the file to the root directory on the disk0: file system.

For example, to copy the ACE-VIRT-020.lic license file from the license directory on the track network server to the root directory on disk0:, enter: 

host1/Admin# copy tftp://track/license/ACE-VIRT-020.lic disk0:

If the license is a demo or permanent license for a new or upgrade installation, see the "Installing a New or Upgrade License" section.

If the license is a permanent license replacing a demo license, see the "Replacing a Demo License with a Permanent License" section.

Installing a New or Upgrade License

After you copy a demo or permanent license to the ACE for a new or upgrade installation, you can install it. For information on replacing a demo license with a permanent one, see the "Replacing a Demo License with a Permanent License" section.

Caution If you install a context demo license, make sure that you save the Admin running configuration and all user context running configurations to a remote server. If you allow a context license to expire, the ACE automatically removes all user contexts from the Admin running configuration and thus removes all configurations for the user contexts.

To install or upgrade a license on your ACE, use the license install disk0: command in Exec mode from the Admin context. The syntax for this command is:

license install disk0:[path/]filename [target_filename]

The arguments are:

[path/]filename—Installs the license stored on the disk0: file system. If you do not specify the optional path, the ACE looks for the file in the root directory.

target_filename—(Optional) Target filename for the license file

For example, to upgrade the module bandwidth license to 8 Gbps, enter: 

host1/Admin# license install disk0:ACE-UPG1-LIC.lic

To install an SSL 5000 TPS license, enter: 

host1/Admin# license install disk0:ACE-SSL-05K-K9.lic

To install a 20 context license, enter: 

host1/Admin# license install disk0:ACE-VIRT-020.lic

There are multiple virtual context licenses including upgrade licenses. The number of contexts currently installed on the ACE determines which additional license you can install, as shown in Table 3-2

Table 3-1 Allowable VIrtual User Context Installation

Current number of contexts
Allowable license installation

5 (default)

ACE-VIRT-020

ACE-VIRT-050

ACE-VIRT-100

ACE-VIRT-250

20

ACE-VIRT-UP1 (to upgrade to 50 contexts)

50

ACE-VIRT-UP2 (to upgrade to 100 contexts)

100

ACE-VIRT-UP3 (to upgrade to 250 contexts)

250

No additional licenses


Replacing a Demo License with a Permanent License

The ACE demo licence is valid for only 60 days. Four weeks before the license expires, the ACE generates warning syslog messages once a day. During the final week, a warning syslog message occurs once an hour. Before this period ends, you will need to update the demo license with a permanent license to continue to use the ACE software. Otherwise, the ACE will revert to its previous bandwidth, SSL TPS, or number of contexts.

Caution If you replace context demo license with a permanent license, you can continue to use the configured user contexts on the ACE. However, if you allow a context license to expire, the ACE automatically removes all user contexts from the Admin running configuration and thus removes all configurations for the user contexts. Before a context license expires, save the Admin running configuration and the user context running configurations to a remote server.

To view the expiration of the demo license, use the show license usage command in Exec mode from the Admin context.

After you copy the permanent license to the ACE, you can install it. To replace a demo license with a permanent license, use the license update disk0: command in Exec mode from the Admin context. The syntax for this command is:

license update disk0:[path/]permanent_filename demo_filename

The keyword and arguments are:

[path/]permanent_filename—Filename for the permanent license that you copied onto the ACE.

demo_filename—Filename for the demo license that the permanent license is replacing.

For example, enter: 

host1/Admin# license update disk0:ACE-VIRT-250.lic 
ACE-VIRT-250-DEMO.lic

Removing a License

To remove a module bandwidth, SSL TPS, or user context license, use the license uninstall command in Exec mode from the Admin context. The syntax for this command is:

license uninstall license_filename

The license_name argument specifies the file name of the license file that you want to remove. Enter the license file name as an unquoted text string with no spaces.

Note When you enter the clear startup-config or write erase command, the ACE does not remove license files from the startup-configuration file. You must use the license uninstall command to remove license files from the ACE.

The following sections provides information on removing licences:

Removing a Module Bandwidth License

Removing an SSL TPS License

Removing a User Context License

Caution When you remove a demo or permanent virtual context license, the ACE removes all user contexts from the Admin running configuration. By removing the user contexts, their running and startup configurations are also removed from the ACE. Before removing any virtual context license, save the Admin running configuration and the user context running configurations to a remote server. For more information, see the "Removing a User Context License" section.

Removing a Module Bandwidth License

To remove an ACE-08G-LIC or ACE-UPG1-LIC bandwidth license, use the license uninstall command in Exec mode from the Admin context. When you uninstall a bandwidth license, it reduces the module bandwidth to the default of 4 Gbps on the ACE.

For example, to remove a bandwidth license, enter: 

host1/Admin# license uninstall ACE-08G-LIC.lic

Removing an SSL TPS License

To remove an ACE-SSL-5K-K9.LIC SSL TPS license, use the license uninstall command in Exec mode from the Admin context. When you uninstall an SSL license, it reduces SSL TPS performance to 1000 TPS on the ACE.

For example, to remove an SSL TPS license, enter: 

host1/Admin# license uninstall ACE-SSL-05K-K9.lic

Removing a User Context License

The number of virtual contexts and type of licenses currently installed on the ACE determines which license you can remove. Table 3-2 lists the currently installed contexts, the type of license on the ACE, and the remaining number of context after the license is removed.

Table 3-2 VIrtual Context License Removal

Current number of contexts
Applicable licenses
Results of license removal

5 (default)

Not applicable

-

20

ACE-VIRT-020

5 contexts

50

ACE-VIRT-050

5 contexts

ACE-VIRT-UP1

20 contexts

100

ACE-VIRT-100

5 contexts

ACE-VIRT-UP2

50 contexts

250

ACE-VIRT-250

5 contexts

ACE-VIRT-UP3

100 contexts


Caution When you remove a demo or permanent virtual context license, the ACE removes all user contexts from the Admin running configuration. By removing the user contexts, their running and startup configurations are also removed from the ACE. Before removing any virtual context license, save the Admin running configuration and the user context running configurations to a remote server.

To remove a context license:

1. Save the Admin and user context running configurations to a remote server. Use the copy running-config command in Exec mode in each context. For more information on this command, see Chapter 5, Managing the ACE Software.

For example, to copy the Admin running configuration to an TFTP server as R-CONFIG-ADM, enter: 

host1/Admin# copy running-config tftp://192.168.1.2/R-CONFIG-ADM

To copy the C1 user context running configuration to an TFTP server, access the C1 context and enter: 

host1/C1# copy running-config tftp://192.168.1.2/R-CONFIG-C1

2. Remove the license with the license uninstall command. For example, to remove the ACE-VIRT-250.LIC license, enter: 

host1/Admin# license uninstall ACE-VIRT-250.lic

The ACE displays the messages and prompt: 

Clearing license ACE-VIRT-250.lic:

SERVER this_host ANY

VENDOR cisco

INCREMENT ACE-VIRT-250 cisco 1.0 permanent 1 \

        VENDOR_STRING=<count>1</count> HOSTID=ANY \

        
NOTICE="<LicFileID>20051103151315824</LicFileID><LicLineID>1</LicLineI
D> \

        <PAK></PAK>" SIGN=86A13B1EA2F2



INCREMENT ACE-VIRT-250 cisco 1.0 permanent 1 \

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!! WARNING: Uninstalling virtual context license will automatically!!

!!! cleanup all the user context configurations, please backup the  !!

!!! configurations before proceeding further with uninstallation    !!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Do you want to continue? (y/n)

3. If you have not saved the running configurations for the Admin and user contexts to a remote server, enter n. Go to step 1.

If you saved the running configurations for the Admin and user contexts to a remote server, enter y.

During the license removal, the ACE removes the user context configurations from the Admin running configuration, causing the deletion of all user contexts including their running and startup configurations.

4. Use the show license status command in Exec mode of the Admin context to display the current number of supported contexts on the ACE.

5. Determine which contexts you want to keep in the Admin running configuration. Using a text editor, manually remove the extra context configurations from the Admin running configuration on the remote server.

If the Admin running configuration contains more contexts than what the ACE supports and you copy this configuration to the ACE, the ACE rejects contexts that exceed the supported limit. For example, if the running configuration contains 20 context configuration, when you remove the license, the ACE supports five contexts. If you attempt to copy the configuration with all 20 contexts, the ACE allows the first five context configurations, fails the remaining contexts, and displays error messages on the console.

Note You can also manually recreate the user contexts in the running configuration currently on the ACE. If you do, go to step 7.

6. Retrieve the modified Admin running configuration from the remote server. For example, to copy the R-CONFIG-ADM Admin running configuration from the TFTP server, enter: 

host1/Admin# copy tftp://192.168.1.2/R-CONFIG-ADM running-config

7. Copy the Admin running configuration to the startup-configuration file. For example, enter: 

host1/Admin# copy running-config startup-config

Note If you do not update the startup configuration with the latest running configuration, when the ACE restarts, it uses the startup configuration with the extra contexts. The ACE allows the number of contexts that the license supports but failed the remaining contexts.

8. Access the user context, and copy its running configurations from the remote server. For example, to copy the C1 user context running configuration from the TFTP server, access the C1 context and enter: 

host1/C1# tftp://192.168.1.2/R-CONFIG-C1 copy running-config

9. Copy the user context running configuration to the startup-configuration file. For example, enter: 

host1/Admin# copy running-config startup-config

10. Repeat steps 8 and 9 until you retrieve the running configurations for all user contexts configured in the Admin configuration.

Backing Up a License File

To safeguard your license files, we recommend that you back up your license files to the ACE flash disk as tar files. To back up license files in .tar format, use the copy licenses command in Exec mode from the Admin context. The syntax for this command is:

copy licenses disk0:[path/]filename.tar

The keyword and argument are:

disk0:—Specifies that the backup license file is copied to the disk0: file system.

[path/]filename.tar—The destination filename for the back up licenses. The destination filename must have a .tar file extension.

For example, enter: 

host1/Admin# copy licenses disk0:mylicenses.tar

If you accidently remove or lose the license on the ACE, you can untar the backup file and reinstall it. To untar the license, use the untar command in Exec mode. The syntax for this command is:

untar disk0:[path/]filename.tar

The [path/]filename.tar argument is the filename of the .tar backup license file.

For example, to untar the mylicense.tar file on disk0:, enter: 

host1/Admin# untar disk0:mylicenses.tar

For information on installing the license, see the "Installing a New or Upgrade License" section.

Displaying License Configurations and Statistics

This section describes the show commands you can use to display license information about your ACE. To display license information, use the show license command in Exec mode from the Admin context. The syntax for this command is:

show license brief | file filename | internal event-history | status | usage

The options and arguments for this command are:

brief—Displays a list of the currently installed licenses

file filename—Displays the file contents of the specified license

internal event-history—Displays a history of licensing-related events

status—Displays the status of licensed features

usage—Displays the usage table for all licenses

Note Entering the show license command without any options and arguments displays all installed ACE license files and their contents.

Table 3-3 describes the fields in the show license status command output.

Table 3-3 Field Descriptions for the show license status Command Output 

Field
Description

Licensed Feature

List including the ACE virtualized contexts, the SSL transactions per second, and the module bandwidth feature.

Count

Number of ACE supported contexts, SSL transactions per second (TPS), and bandwidth in gigabits per second (Gbps). This information also provides the default number of contexts, SSL TPS, and module bandwidth that the ACE supports when a license is not installed.


Table 3-4 describes the fields in the show license usage command output.

Table 3-4 Field Descriptions for the show license usage Command Output 

Field
Description

License

Name of the license

Ins

Whether the license is installed (Yes or No)

Lic Count

Number of licenses for this feature

Status

Current state of the feature (In use or Unused)

Expiry Date

Date when the demo license expires, as defined in the license file

Comments

Licensing errors, if any


You can also view the ACE license by using:

The show version command in Exec mode on the ACE.

The show module services command on the supervisor. See the license information under the Services field.