Cisco ACI Smart Licensing
About Smart Licensing
Introduction to Smart Licensing
Cisco Smart Licensing is a flexible licensing model that provides you with an easier, faster, and more consistent way to purchase and manage software across the Cisco portfolio and across your organization. And it’s secure – you control what users can access. With Smart Licensing you get:
-
Easy Activation
Smart Licensing establishes a pool of software licenses that can be used across the entire organization—no more PAKs (Product Activation Keys).
-
Unified Management
My Cisco Entitlements (MCE) provides a complete view into all of your Cisco products and services in an easy-to-use portal, so you always know what you have and what you are using.
-
License Flexibility
Your software is not node-locked to your hardware, so you can easily use and transfer licenses as needed.
To use Smart Licensing, you must first set up a Smart Account on Cisco Software Central (http://software.cisco.com).
For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide.
Starting with Cisco Application Policy Infrastructure Controller (APIC) release 3.2(1), Smart Licensing is enabled in the Cisco Application Centric Infrastructure (ACI) fabric and by extension in the Cisco APIC as a Cisco Smart Licensing-enabled product. Cisco Smart Licensing is a unified license management system that manages all the software licenses across Cisco products.
For the purposes of Smart Licensing, "APIC" is occasionally referred to as the "ACI controller product."
Smart Licensing Evaluation Period
After APIC is rebooted, Smart Licensing is automatically enabled, and the APIC is initialized. Before you register the APIC with CSSM (Cisco Smart Software Manager), Smart Licensing is automatically in the Evaluation Period. The Evaluation Period is global for all the license entitlements. The Evaluation Period lasts 90 days (usage days and not calendar days). The APIC starts to countdown the clock when it receives the report of the first license consumption. After the APIC is registered with CSSM, the Evaluation Period countdown clock stops and Smart Licensing is in the Registered state. If the APIC is unregistered, the countdown clock starts again, and Smart Licensing returns to the Evaluation Period. After 90 days, the Evaluation Period expires and cannot be reset. When Smart Licensing is in the Evaluation Period, an info fault notifies you that the APIC is not registered. When the Evaluation Period expires, a major fault is raised to warn you that you must register the APIC.
If the APIC is unregistered, the APIC functionality is not affected.
Smart Licensing Authorization Status
State |
Description |
---|---|
Evaluation |
The Evaluation period lasts 90 usage days. After the APIC is rebooted, Smart Licensing is automatically enabled and the APIC for Licensing is initialized. Before you register the APIC with CSSM, the Smart Licensing is automatically placed in the Evaluation Period. |
Evaluation Expired |
The Evaluation Expired status is displayed after 90 days of usage, if you have not registered by then. |
License Authorization Expired |
The License Authorization Expired status is displayed if you cannot reach CSSM due to a network issue. The following are typical examples of why you could see a License Authorization Expired status (there could be other reasons):
|
Authorized |
In the Authorized state, a license entitlement request is received by CSSM (Cisco Smart Software Manager). CSSM has verified that the reported number of licenses in use do not exceed the total number of licenses purchased for an entitlement. CSSM returns In-Compliance. The authorization is valid for 90 days. APIC will send the entitlement request again every 30 days to renew the authorization. |
Out of Compliance (OOC) |
The license can be in the Out of Compliance state in CSSM for one of the following reasons:
|
Guidelines About Smart Licensing Authorization
The following guidelines related to smart licensing authorization are implemented currently:
-
In Evaluation mode, an info fault is raised to remind you that they have not yet registered the APIC with CSSM.
-
In Evaluation Expired mode, a major fault is raised to remind you that you must register the APIC with CSSM.
-
When an entitlement is in Out of Compliance (OOC) state, a major fault is raised.
-
When the the APIC loses network connectivity with CSSM, it raises three major faults. The faults are described in the following table:
Fault |
Description |
---|---|
License Authorization Expired |
After the APIC is registered with CSSM, the APIC periodically (every 30 days) reports all the licenses consumed to CSSM for authorization even if there are not changes in the licenses consumed. If the APIC loses network connectivity with CSSM, the reporting of licenses consumed may fail. As a result, the License Authorization Expired fault is raised. |
ID Certificate Expired Warning |
After the APIC is registered with CSSM, it receives an ID certificate from CSSM and stores it in its file system. For subsequent communications between the APIC and CSSM, CSSM uses the ID certificate to uniquely identify and authenticate the APIC. The ID certificate is valid for one year. Before the ID certificate expires, the APIC will automatically renew the ID certificate. However, if the APIC loses network connectivity with CSSM, the ID certificate renewal can fail. As a result, the ID Certificate Expired Warning fault is raised. |
ID Certificate Expired |
If APIC loses network connectivity with CSSM for a long time, and if after multiple retries, the APIC is unable to automatically renew the ID certificate, the ID certificate (valid for one year) can expire. As a result, the ID Certificate Expired fault is raised. |
Smart Licensing Usage Guidelines and Limitations
Follow these Smart Licensing guidelines and limitations:
-
The Evaluation Period countdown time is stored in the Cisco Application Policy Infrastructure Controller (APIC). The countdown time remains intact during a software downgrade. Therefore, if you upgrade your Cisco APIC software to version 3.2 or later once again after a downgrade, the countdown time will continue from the previous value before the downgrade. The countdown time cannot be reset. After 90 days, if no action is taken to register, the license status will display Evaluation Expired.
-
Upgrading Cisco APIC from a 3.x release to a 4.x release causes Smart Licensing to lose its registration. Registering Smart Licensing again will clear the fault. In order for Smart Licensing to be secure, the registration token is not stored in the database. Therefore, you must generate a new token from CSSM and re-register.
-
If there is a license violation for a feature that is enabled on Cisco APIC, the feature functionality will not be disabled, and there will be no impact on system functionality. The system will continue to operate, but relevant faults will be raised to warn the user. The most severe fault that will be raised is major.
-
If the registration fails, click the Faults tab in the Cisco APIC GUI System > Smart Licensing area. To see details about a specific failure, double click the listed fault.
-
The DLC tool is not supported when you use the Smart Software Manager Satellite transport setting.
-
Upgrading Cisco APIC from a 3.x release to a 4.x release causes Smart Licensing to lose its registration. Registering Smart Licensing again will clear the fault.
-
Cisco Application Centric Infrastructure (ACI) license SKUs are in Hybrid mode because the same SKU is shared between Cisco ACI and Cisco Nexus 9000 series ACI-mode switch licenses. If customers use a Cisco ACI software image, they must convert the SKU from a Product Activation Key (PAK) to Smart License and consume it from the product in the Smart License mode.
-
Cisco APIC Smart Licensing registration to the Satellite Server may not work if the Satellite Server language setting is not set to English. When using this method to register, verify that the language setting is set to English.
-
Smart Licensing does not support IPv6.
Transport Setting
The following different methods of Transport Setting network connectivity with CSSM are available:
Transport Setting |
Description |
---|---|
Direct connect to Cisco Smart Software Manager (CSSM) |
Choose this setting if your APIC controller has access to the internet and it can directly connect with CSSM. |
Transport Gateway/Smart Software Manager Satellite |
Choose this setting if the controller cannot directly connect with CSSM using the internet. You must install a physical transport gateway or a smart software manager satellite. You must use Smart Software Manager Satellite Enhanced Edition 6.0.0 or a higher version. You can download the software at the following URL: Smart Software Manager Satellite. |
HTTP/HTTPS Proxy |
Choose this setting if you already have an existing third-party web server (Apache) forward proxy to enable access to CSSM. |
Pre-Registration Verifications
Verification Checklist for CSSM Configurations
The following is a user checklist for readiness and configurations required with CSSM.
-
Verify that you have the appropriate Smart Account and Virtual Accounts created.
-
If you have purchased smart-enabled licenses from Cisco Commerce, then verify that your user-purchased licenses are populated.
-
As you begin the APIC Smart Licensing registration, work with your Cisco TAC engineer to ensure that you are ready with the appropriate CSSM items.
Verification Checklist for Smart Licensing and APIC Configurations
The following is a user checklist for readiness and configurations required with the APIC.
- Your DNS settings must be configured in APIC to resolve to https://software.cisco.com/.
Registering for Smart Licensing Using the GUI
Initial APIC GUI Login and Smart Licensing Pre-Registration
With APIC release 3.2(1), when you first log in to the GUI, the display shows a blinking alert that indicates that Smart Licensing is not configured with CSSM. There is a hyperlink to the Smart Licensing location in the GUI that takes you directly to the Smart Licensing GUI location. You can also manually navigate to the Smart Licensing GUI area as follows: System > Smart Licensing.
In the Smart Licensing GUI screen, click the Register button to start the process of registering the APIC controller. The Register Smart License dialog box is displayed where you can choose the appropriate method to register that suits your environment.
There are different methods to register depending upon your environment. The methods are described in the following sections.
Registering for Smart Licensing with Direct Connect to CSSM Using the GUI
Register the ACI controller product with Cisco Smart Software Manager (CSSM).
-
To register for Smart Licensing using this method, the APIC controller must have Internet access available.
-
Your CSSM Smart Software Licensing account must be created and available.
Step 1 | Login to the APIC GUI. |
Step 2 | Navigate to Systems > Smart Licensing. |
Step 3 | Click the Action icon drop-down list, and choose Register to Smart License. |
Step 4 | In the Register to Smart License dialog box, in the Transport Setting field and based upon your network settings, choose the Direct connect to Cisco Smart Software Manager (CSSM) registration method. The following note is displayed: APIC communicates directly with Cisco’s licensing servers. |
Step 5 | Go to your CSSM Smart Software Licensing account where you should already have an account created and perform the following actions: Note In this step, you leave the APIC GUI to complete a process at another site.
|
Step 6 | Next, return to the Register Smart License dialog box in the APIC GUI, and in the Product Instance Registration Token field, paste the token. Note Reregister product if already registered field must only be checked if you are already registered and you want to reregister. |
Step 7 | Click Register. In the Smart Software License Status area, the details about the registration state and License Authorization Status will auto refresh and display that the product is registered. Additional details about the account will also be visible in the area. This set of steps completes the registration. |
Registering for Smart Licensing with Transport Gateway Using the GUI
Register the APIC with Cisco Smart Software Manager (CSSM).
-
To register for Smart Licensing using this method, you must have Cisco Transport Gateway installed with the software as a physical or virtual machine.
-
Your CSSM Smart Software Licensing account must be created and available.
Step 1 | Login to the APIC GUI. |
Step 2 | Navigate to Systems > Smart Licensing. |
Step 3 | Click the Action icon drop-down list, and choose Register to Smart License. |
Step 4 | In the Register to Smart License dialog box, in the Transport Setting field and based upon your network settings, choose the Transport Gateway/Smart Software Manager Satellite registration method. The following note is displayed: APIC will use a Transport Gateway or Smart Software Manager satellite to proxy Smart Licensing data. |
Step 5 | In the URL field, enter the URL for the APIC to communicate with the Transport Gateway. You must include the port number on the Transport Gateway. |
Step 6 | Go to the Transport Gateway URL and perform the following actions: Note In this step, you leave the APIC GUI to complete a process at another site.
Note There is a Transport Gateway SSL Certificate used to communicate between the APIC and the Transport Gateway. If an IP address is used to create the certificate, then you must provide the same IP address in the APIC GUI in the URL field. If instead, you provide a hostname when creating the certificate, then provide the same hostname in the APIC GUI in the URL field. |
Step 7 | Go to your CSSM Smart Software Licensing account where you should already have an account created and perform the following actions: Note This step must be performed at the CSSM site.
|
Step 8 | Next, return to the Register Smart License dialog box in the APIC GUI, and in the Product Instance Registration Token field, paste the token. Note Reregister product if already registered field must only be checked if you are already registered and you want to reregister. |
Step 9 | Click Register. In the Smart Software License Status area, the details about the registration state and License Authorization Status will auto refresh and display that the product is registered. Additional details about the account will also be visible in the area. This set of steps completes the registration. |
Registering for Smart Licensing with Smart Software Manager Satellite Using the GUI
-
Register the ACI controller product with Cisco Smart Software Manager (CSSM).
-
You must use Smart Software Manager Satellite Enhanced Edition 6.0.0 or a higher version. You can download the software at the following URL: Smart Software Manager Satellite.
-
To register for Smart Licensing using this method, you must have Smart Software Manager Satellite deployed in your working environment.
Step 1 | Login to the APIC GUI. |
Step 2 | Navigate to Systems > Smart Licensing. |
Step 3 | Click the Action icon drop-down list, and choose Register to Smart License. |
Step 4 | In the Register to Smart License dialog box, in the Transport Setting field, choose the Transport Gateway/Smart Software Manager Satellite registration method. The following note is displayed: APIC will use a Transport Gateway or Smart Software Manager satellite to proxy Smart Licensing data. |
Step 5 | Go to your Smart Software Manager Satellite, and perform the following actions: Note In this step, you leave the APIC GUI to complete a process at another site.
|
Step 6 | Next, return to the Register Smart License dialog box in the APIC GUI, and in the URL field, enter the URL for the APIC to communicate with the Smart Software Manager Satellite. In the URL, include the IP address or the hostname as preferred. |
Step 7 | Go to the Smart Software Manager Satellite site, and perform the following actions: Note In this step, you leave the APIC GUI once again to complete a process at the Smart Software Manager Satellite site.
|
Step 8 | Next, return to the Register Smart License dialog box in the APIC GUI, and in the Product Instance Registration Token field, paste the token. Note Reregister product if already registered field must only be checked if you are already registered and you want to reregister. |
Step 9 | Click Register. In the Smart Software License Status area, the details about the registration state and License Authorization Status will auto refresh and display that the product is registered. Additional details about the account will also be visible in the area. In the Smart Software Manager Satellite site, the APIC instance is also visible after the registration is complete. This set of steps completes the registration. |
Registering for Smart Licensing with HTTP or HTTPS Proxy Using the GUI
You can use this method to register for Smart Licensing by using a normal HTTP proxy to relay messages to CSSM. This method works if you do not have internet or you do not have connectivity to www.cisco.com from APIC. In addition, there is also no transport gateway or satellite manager availability installed in your premises to allow the proxy to request CSSM.
If you register using this method, the Apache server has been tested and is recommended for use. You will be required to provide the IP address of the Apache server.
Step 1 | Login to the APIC GUI. |
Step 2 | Navigate to Systems > Smart Licensing. |
Step 3 | Click the Action icon drop-down list, and choose Register to Smart License. |
Step 4 | In the Register to Smart License dialog box, in the Transport Setting field and based upon your network settings, choose the HTTP/HTTPS Proxy registration method. The following note is displayed: Smart Licensing data will be via an intermediate HTTP or HTTPS proxy. |
Step 5 | In the URL field, enter the appropriate URL. |
Step 6 | In the IP Address field, provide the hostname or the IP address of the Apache webserver. |
Step 7 | In the Port field, enter the port number that will be used by the Apache server to listen. |
Step 8 | Go to your CSSM Smart Software Licensing account where you should already have an account created and perform the following actions: Note In this step, you leave the APIC GUI to complete a process at another site.
|
Step 9 | Next, return to the Register Smart License dialog box in the APIC GUI, and in the Product Instance Registration Token field, paste the token. Note Reregister product if already registered field must only be checked if you are already registered and you want to reregister. |
Step 10 | Click Register. In the Smart Software License Status area, the details about the registration state and License Authorization Status will auto refresh and display that the product is registered. Additional details about the account will also be visible in the area. This set of steps completes the registration. |
Renew Authorization
The Renew Authorization menu item is displayed when you click System > Smart Licensing > Renew Authorization.
Every time a license usage is changed (consumed or released), APIC immediately reports all the licenses consumed to CSSM and gets the license authorization status from CSSM. If there is no license usage change, APIC will synchronize the license authorization status from CSSM once every day. However, you can click Renew Authorization to manually synchronize the license authorization status from CSSM on-demand.
Renew Registration
The Renew Registration menu item is displayed when you click System > Smart Licensing > Renew Registration.
After the APIC is registered with CSSM, an ID certificate is returned by CSSM and stored in the APIC filesystem. Unlike the certificate used in HTTPS protocol, this ID certificate is used by CSSM to uniquely identify the registered APIC for subsequent communications. The ID certificate is valid for one year and can be automatically renewed. However, during the time when the APIC automatically renews the ID certificate, if network connectivity with CSSM has an issue, the ID certificate renewal can fail. If the ID certificate has expired, you must generate a registration token from CSSM and register the APIC again. To prevent such a situation from occurring, you can click Renew Registration, and the ID certificate will get renewed for one year immediately
It is recommended that you renew registration of your Smart License every six months. This will prevent your ID certificate from expiring.
Reregister Product If Already Registered
If you encounter an instance when the APIC has not deregistered successfully and it fails, the backend will still be associated with the instance ID. In such cases, to register the device again you must use a force option which is to reregister.
If you have already registered Smart Licensing with your APIC earlier, you can reregister the Smart License during the subsequent times you use the APIC. This prevents your registration from failing.
To reregister APIC, check the check box for the Reregister product if already registered dialog box in the APIC GUI by navigating to the System > Smart Licensing area. Click Register.
Import/Remove Private Certificate
Regardless of which transport setting (direct connect to CSSM, CSSM Satellite, or proxy server) you use, APIC has a built-in certificate signed by Cisco root CA and can communicate with CSSM (or CSSM Satellite) using a secured HTTPS protocol. In addition, when the certificate is close to expiry, APIC will automatically renew the certificate. Therefore, normally you are not required to manually download and import the certificate into APIC. However, if during the time when the certificate is being automatically renewed, APIC cannot reach the Cisco certificate website due to a network connectivity issue, the certificate auto renewal could fail. If as a result of such a rare incident, the certificate has expired and APIC cannot communicate with CSSM or CSSM Satellite, you must manually download a certificate from the following Cisco URL and import it into APIC: http://www.cisco.com/security/pki/certs/clrca.cer.
The Import/Remove Private Certificate menu item is displayed when you choose System > Smart Licensing > Import/Remove Private Certificate.
This certification is for network communication and is different from the token ID that is used during the Smart Licensing registration.
Device Led Conversion Tool
-
The DLC tool is not supported when you use the Smart Software Manager Satellite transport setting. If you are using the Satellite Manager Mode, a workaround task is available for your use in the following section: Workaround for Using DLC in the Smart Software Manager Satellite Mode
-
The DLC may also be referred as Claim Device License in the APIC GUI.
With the Device Led Conversion (DLC) tool, existing ACI customers can get their licenses under compliance.
Guidelines Related to the DLC Tool
The following are some guidelines related to the DLC tool:
-
DLC is an automation tool that enables you to choose Claim Device License with the simple click of a button in the Cisco Application Policy Infrastructure Controller (APIC) GUI. The purpose of the DLC tool is to help existing customers automatically convert from licenses currently IN USE to licenses PURCHASED, and to automatically populate the licenses into the license pool in CSSM.
-
The DLC feature is available for customers who have an existing Cisco Application Centric Infrastructure (ACI) fabric and are upgrading to Cisco APIC release 3.2 or later software images.
The DLC feature is not available for new customers who purchase the Cisco APIC, leaf switches, and spine switches with Cisco APIC version 3.2 or later software images. For such new customers, the Cisco Commerce ordering tool will auto-deposit the licenses in the CSSM backend when the smart-enabled Cisco ACI licenses are purchased. The Cisco Commerce tool automatically populates the purchased software licenses into the customer’s smart account.
-
The DLC tool can be used only once during the life cycle to convert existing licenses. If you downgrade and upgrade your software after having already gone through the DLC conversion, the DLC feature will no longer be available. The Claim Device License menu item will not display in the Cisco APIC GUI, and the existing licenses are automatically displayed in the Cisco APIC GUI.
-
As the DLC tool can be utilized once during the life cycle, if you make an error and the conversion is incorrect, you must file a case and let your TAC engineer log in to CSSM and manually correct the errors.
Using DLC Conversion
The following steps show how to perform a DLC conversion. The steps include performing actions in the Cisco Application Policy Infrastructure Controller (APIC) GUI as well as in your Smart Account in CSSM.
To use the DLC tool to get your licenses under compliance, the CSSM Smart Account Administrator must login to the Smart Account to which the Cisco APIC is registered and verify that DLC is enabled for the Smart Account as a whole or for the virtual account to which the Cisco APIC is registered.
Step 1 | In CSSM, log in to access your CSSM account is as follows: https://software.cisco.com/. Click Smart Software Licensing. Verify that you are logged into the correct Smart Account. |
Step 2 | In CSSM, click License Conversion to view the settings for DLC at the virtual account level. |
Step 3 | In CSSM, under Conversion Settings, verify that the appropriate radio button to enable your device is selected, and click Save. |
Step 4 | In the Cisco APIC GUI menubar, navigate to System > Smart Licensing, and from the Actions icon drop-down list, and click Register Smart License. You must register the Cisco APIC before you can use the DLC tool. |
Step 5 | In the Cisco APIC GUI, verify all the license features are enabled in the Cisco APIC and in the Cisco Application Centric Infrastructure (ACI) fabric. |
Step 6 | In the Cisco APIC GUI menubar, navigate to System > Smart Licensing. From the Actions icon drop-down list, verify that the Claim Device Licenses option is available for the existing Cisco ACI deployment. |
Step 7 | In the Cisco APIC GUI, read each item in the checklist and take the necessary actions. Then click the checkbox to choose all the items in the checklist. The DLC option in the Cisco APIC displays a checklist. |
Step 8 | To initiate the DLC, in the Cisco APIC GUI, navigate to System > Smart Licensing, and in the Actions menu, check the checkboxes for the following items in the checklist.
|
Step 9 | In the Cisco APIC GUI, click Claim Device Licenses. |
Guidelines for Monitoring the DLC Operation
-
The DLC operation takes a few minutes to convert licenses and deposit them into the Smart Account depending upon the number of licenses you are converting.
-
The DLC operation status can be monitored using the “licenseManager” managed object [MO] property dlcOperState . The states that the property can have are as follows: in-progress /success/failed.
apic1# moquery -c licenseManager dlcOperState : success
-
In the APIC GUI, the License Authorization Status changes to display the word Authorized after the DLC operation is successful.
NoteAn indication that the DLC operation is still in progress is if you continue to have the option to retrigger DLC.
-
In APIC release 3.2.2 and later releases, DLC has a 10-minute timeout feature. If the DLC operation does not succeed due to network issues or Smart Account misconfiguration, DLC will fail and the APIC GUI will provide the option to retrigger DLC. In addition, a major fault will be raised, and it will be displayed in the Faults section of the Smart Licensing tab in the APIC GUI.
-
The CSSM Smart Account Administrator can also verify the smart account / virtual account for the licenses deposited.
Workaround for Using DLC in the Smart Software Manager Satellite Mode
You have already read through the various registration modes and DLC conversion guidelines and instructions.
Step 1 | As the Smart Account (SA) administrator, login to CSSM, and create a new virtual account. (For example, the account is named VA-1). |
Step 2 | As the SA administrator, click Create Token in the virtual account (VA-1) in CSSM. |
Step 3 | As the APIC administrator, in the APIC portal, use the CSSM Direct mode or the Proxy mode to register APIC with CSSM. After registration, the APIC license status displays as follows: Registered and Out of Compliance. |
Step 4 | As the APIC administrator, in the APIC portal, initiate DLC. |
Step 5 | As the SA administrator, in the CSSM portal, verify that the DLC process is successful. |
Step 6 | As the SA administrator, in the CSSM portal, verify that the virtual account (VA-1) has all the licenses deposited. |
Step 7 | As the APIC administrator, in the APIC portal, deregister Smart Licensing. |
Step 8 | As the SA administrator, in CSSM, click the product instance tab in the virtual account to verify that the Smart Licensing product instance is removed from the virtual account. If the Smart Licensing product instance is not removed, then force remove it from the account using the options in the account. |
Step 9 | As the SA administrator, in CSSM, create a new virtual account (for example, VA-2) under the same Smart Account. |
Step 10 | As the SA administrator, in CSSM, transfer the licenses from VA-1 to VA-2. |
Step 11 | Login to the Smart Software Manager Satellite 6.0 as the administrator. The URL is as follows: https://<ip_address>:8443/admin, and in the URL, the IP address must be for the Smart Software Manager Satellite 6.0. |
Step 12 | As the Smart Software Manager Satellite administrator, navigate to your Smart Software Manager Satellite administrator portal, and perform the following actions:
|
Step 13 | As the APIC administrator, in the APIC portal, use the token to register APIC using the Smart Software Manager Satellite mode. |
Registering for Smart Licensing Using the CLI
License Catalog
Smart Licensing has a license catalog that specifies each license entitlement for the Cisco ACI fabric. Each license entitlement is considered as a type of license. The Product and Entitlement definition is available as an MO (Managed Object) in XML format. The CLI show license catalog displays the license catalog in a format similar to the MO XML format.
CLI Commands
Standard CLI configurations and show commands for Cisco Smart Licensing are supported in the ACI fabric with the following exceptions:
-
In the CLI, there is no difference between the config and the exec command. Therefore, both config and the exec commands are implemented as a config command.
-
By default, Smart Licensing is enabled and cannot be disabled by the user. Therefore, the [no] license smart enable CLI configuration command is not supported in APIC controller.
-
The operational test CLI commands are not supported.
-
A few CLI commands specific to the ACI fabric product line are implemented.
How Smart Licensing CLI Commands are Organized
Smart Licensing CLI Commands are Organized as follows:
-
All the show commands start with show license.
-
All the configuration commands start with license smart.
-
All the keywords are lower case, and a keyword can be auto filled.
-
All the values (user-input value) are indicated by an angle bracket. Such as, the <authorization code> indicates this is not a keyword, but this is the authorization code a user must type in.
-
Both keywords and values have HELP that explains the meanings of a keywords and values.
Smart Licensing NX-OS Style CLI Configuration Commands
The following are the configuration commands supported in the Cisco APIC:
Command |
Description |
---|---|
# license transport-smart mode proxy | satellite | smart-licensing |
This command configures a Smart Licensing mode. The value can be as follows:
|
# license smart server url | IP address port port number |
This command configures the URL and port of satellite manager or proxy server. The URL and port configuration is not required for smart-licensing mode. The port is configurable only in proxy mode. |
exec #license smart register idtoken token |
This command registers a device with Smart Licensing. |
exec # license smart deregister |
This command disables Smart Licensing and CSL or other legacy licensing will be re-enabled. |
exec # license smart renew ID |
This command initiates a manual update of the license registration information with Cisco. |
exec # license smart renew auth |
This command initiates This command initiates the renewal of the license authorization information manually. |
# license smart reservation request universal |
This command begins the universal license reservation request process. |
exec # license smart reservation install authorization code |
This command installs the authorization code generated by CSSM. This command verifies the signature on the authorization code, The command will fail immediately if there is not a request in progress. |
exec # license smart reservation return |
This command uses the authorization code previously installed to generate a return code to return this license to the account. |
exec # license smart reservation return authorization authorization code |
This command allows the customer to generate a return code and enter it in the portal to return the license to the account. |
exec # license smart reservation cancel |
This command is used to cancel the reservation process before the authorization code is installed. |
Smart Licensing NX-OS Style CLI Show Commands
The following are the show commands supported in the Cisco APIC:
Command |
Description |
---|---|
exec # show license all |
Show all Smart Licensing information. |
exec # show license status |
Show all Smart Licensing status. |
exec # show license summary |
Show Smart Licensing status summary. |
exec # show license tech support |
Show Smart Licensing tech support information. |
exec # show license usage |
Show Smart Licensing license usage. |
exec # show license mode |
Show Smart Licensing mode that is currently in use. |
exec # show license server |
Show the Smart Licensing server that is currently in use. |
exec # show license catalog |
Show the Smart Licensing definition of the product and license entitlements. |
exec # show hostname privacy |
Show the Smart Licensing hostname privacy. |
Registering for Smart Licensing with Direct Connect to CSSM Using the CLI
SUMMARY STEPS
- configure
- license smart transport-mode smart-licensing
- license smart register idtoken id token from cssm account
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 | configure
| Enters configuration mode. |
Step 2 | license smart transport-mode smart-licensing
| Configures the Smart Licensing mode. |
Step 3 | license smart register idtoken id token from cssm account
| Registers with the CSSM account using the token from the account. |
Registering for Smart Licensing with Transport Gateway Using the CLI
SUMMARY STEPS
- configure
- license smart transport-mode satellite url http(s)://10.0.0.0:8080/Transportgateway/services/DeviceRequestHandler
- license smart register idtoken id token from cssm account
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 | configure
| Enters configuration mode. |
Step 2 | license smart transport-mode satellite url http(s)://10.0.0.0:8080/Transportgateway/services/DeviceRequestHandler
| Configures the Transport Gateway mode and URL. |
Step 3 | license smart register idtoken id token from cssm account
| Registers with the CSSM using the token from the CSSM Smart account or the CSSM Virtual account. |
Registering for Smart Licensing with Smart Software Manager Satellite Using the CLI
SUMMARY STEPS
- configure
- license smart transport-mode satellite url http(s)://10.0.10.1:8080/Transportgateway/services/DeviceRequestHandler
- license smart register idtoken id token from smart software manager satellite
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 | configure
| Enters configuration mode. |
Step 2 | license smart transport-mode satellite url http(s)://10.0.10.1:8080/Transportgateway/services/DeviceRequestHandler
| Configures the Smart Software Manager Satellite mode and URL. |
Step 3 | license smart register idtoken id token from smart software manager satellite
| Registers with the Satellite using the token from the Smart Software Manager Satellite account. Note Note : Do not use the token from the CSSM account. |
Registering for Smart Licensing with HTTP or HTTPS Proxy Using the CLI
SUMMARY STEPS
- configure
- license smart transport-mode proxy ip-address ip address port port number
- license smart register idtoken id token from cssm account
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 | configure
| Enters configuration mode. |
Step 2 | license smart transport-mode proxy ip-address ip address port port number
| Configures the proxy mode, the IP address or hostname and the http(s) port. |
Step 3 | license smart register idtoken id token from cssm account
| Registers with the CSSM account using the token from the CSSM smart account or the CSSM virtual account. |
Methods of License Consumption
Within a Cisco Application Centric Infrastructure (ACI) fabric, there are two methods used to report license consumption:
-
Hardware License Reporting is used for count: An inventoried device (leaf and spine switch) results in one instance of a license consumed. When that device is decommissioned, it results in one less license consumed.
-
Software License Reporting is tiered: Feature usage based on policy configuration and deployment is constantly assessed to dynamically determine which tier of license must be consumed. When a higher tier feature is enabled in policy and applied to a switch, that switch reports that it is consuming a tier of license that matches that feature set. When all policies of a higher tier are removed, the switch will report requiring the next lowest tier of license that matches its currently enabled feature set.
The following diagram displays an example of how available Cisco ACI licenses match the available feature sets. In your Cisco Application Policy Infrastructure Controller (APIC) GUI, navigate to System > Smart Licensing. In the Smart License Usage area, click View the Smart Licensing Overview.
Troubleshooting Cisco ACI Smart Licensing
Smart Licensing APIC Registration Failed
Your registration fails upon registering APIC with the following error displayed under Faults in the Smart Licensing area of the APIC GUI.
Failed to register APIC Controller product with CSSM: Fail to send out Call Home HTTP message.
To troubleshoot such a registration failure, verify the following items:
-
Verify that your DNS server is configured to resolve to www.software.cisco.com. Perform a DNS lookup from APIC to verify this configuration.
-
Verify that you used the correct port numbers when you configured the Transport Gateway, the Smart Software Manager Satellite, or the HTTP/HTTPS proxy mode
-
It you are using HTTPS Proxy mode, the issue could be due to a certificate mismatch. Verify that your certificate is the correct one.
-
If you are using the Smart Software Manager Satellite mode, and you have generated an SSL certificate by providing a hostname, you must use the same hostname instead of the IP address while configuring the Smart Software Satellite mode in APIC. Similarly, if you have generated an SSL certificate by providing an IP address, you must use the same IP address instead of the hostname while configuring the Smart Software Satellite mode in APIC.
Smart Licensing Registration with Smart Software Manager Satellite has Failed
You must use a private certificate when you use Smart Software Manager Satellite as your Transport Setting. If you choose Cisco Smart Software Manager Satellite as your Transport Setting and use the HTTPS protocol, you must first download a certificate from the following Cisco web site: http://www.cisco.com/security/pki/certs/clrca.cer. Then, you must import the certificate into the APIC before registering the APIC. Otherwise, the registration will fail. Only Cisco Smart Software Manager Satellite (using HTTPS protocol) requires an import certificate. Other Transport Settings, such as Cisco Transport Gateway (HTTPS) and third-party Apache proxy server (HTTPS) do not require you to have an import certificate.
Registration Status Displays Registering
During registration, if you see a Registering status that lasts for a couple of minutes, verify the following items:
-
The network latency between the APIC instance you are trying to register and the Cisco cloud is high and some transactions are being rerun.
-
In proxy mode , if you have registered using an incorrect IP address or port then the registration could take a few minutes to exhaust the retry. Please correct the IP address or port number after a couple of minutes to restart the registration process with the correct input.
If the failure continues to persist after you have tried to troubleshoot using the above verification suggestions, collect the relevant tech-support data and contact Cisco TAC.
Registration Failed Due to an Expired Token
Your registration failed due to an expired token.
To troubleshoot such a registration failure issue, verify the following items:
The error message is self-explanatory and can be viewed under Smart Licensing > Faults. If registering with the Smart Software Manager Satellite server, use the token from the satellite manager to register. Do not use the token from CSSM.
Out of Compliance Message Upon Registration
If you see an Out of Compliance message upon registering, check the following items:
-
In the APIC GUI, navigate to System > Smart Licensing > Smart License Usage, and double-click the item that is displayed as Out of Compliance. The dialog box that opens will provide details about the features consumed by the specific APIC. Verify whether you have adequate licenses of the required type in your smart account.
-
When using the Smart Software Manager Satellite server, verify that the licenses in your smart account and in the Satellite server account are synchronized. If they are not synchronized, perform a manual or a network synchronization between the smart account and Smart Software Manager Satellite server.
Out Of Compliance Message After Smart Licensing Enabled and CSSM Connectivity is in Place
When a Cisco Application Centric Infrastructure (ACI) fabric is deployed with Smart Licensing enabled and CSSM connectivity in place, there are two noteworthy states.
-
Authorized: In this state, the number of purchased licenses in the Smart Account are equal to or greater than the number of consumed licenses.
-
This includes the count as well as the tier of a license.
-
If the tier of a license within the Smart Account is greater than the tier of license being requested by the devices in a Cisco ACI fabric, CSSM is expected to return an Authorized status back to Cisco Application Policy Infrastructure Controller (APIC) to be reported for its license usage. In this scenario, CSSM must have an indicator showing that the higher tier license is being temporarily subtracted, and the lower tier license is being temporarily added.
Example: A Cisco ACI fabric is using features that require 10 Essentials licenses; however, the Smart Account contains 12 Advantage licenses and 0 Essentials licenses. CSSM should display that it now has 12(-10) Advantage licenses and 0(+10) Essentials licenses. CSSM is expected to return an Authorized status to Cisco ACI.
-
-
Out-Of-Compliance: The number of purchased licenses in the Smart Account are less than the number of consumed licenses.
-
If your Smart Account is missing licenses, contact your account team to gather all appropriate Sales Orders/Purchase Orders. Then contact the Cisco Licensing team to deposit those licenses into your Smart Account.
-
If your Smart Account has more licenses than devices, and you are not consuming features greater than your available tier of license, invoke Renew Authorization to re-trigger the CSSM validation. If forcing a Renew Authorization does not correct the Authorization status to the expected state, collect an On-demand Techsupport policy for the Cisco ACI fabric and contact Cisco TAC.
NoteWithout a manual re-triggering of Renew Authorization, Cisco APIC will trigger one automatically every 30 days.
-
Troubleshooting Smart Licensing Authorization
To troubleshoot authorization issues with Smart Licensing, see the following information:
Faults |
Suggested Action |
---|---|
License Authorization Expired |
When this fault occurs, first check if there is any network connectivity issue between the APIC and CSSM. After fixing the network connectivity issue, log in to the APIC GUI and click Renew Authorization to manually trigger the licenses consumption report to CSSM for authorization. After a short time, the License Authorization Expired fault will be cleared. |
ID Certificate Expired Warning |
When this fault occurs, first check if there is any network connectivity issue between the APIC and CSSM. After fixing the network connectivity issue, log in to the APIC GUI and click Renew Registration to manually renew the ID certificate. After a short time, the ID Certificate Expired Warning fault will be cleared. We also recommend that you manually Renew Authorization. |
ID Certificate Expired |
Because the ID certificate has already expired, manually renewing ID certificates will no longer work. You have to log in to CSSM, generate a registration token, and re-register the APIC with CSSM. After re-registering with CSSM, the APIC will receive a new ID certificate. Following this process, the fault will be cleared. |
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Need help?
- Open a Support Case
- (Requires a Cisco Service Contract)