Brkarc 2034

BRKARC-2034
Care and Feeding of

Smart Licensing
James Ng,
Technical Marketing Engineer
Colton Jenkins,
Technical Lead Engineering Licensing Office
Engineering Licensing Office, CCIE #1981

Agenda
• Get Ready!
• Smart Licensing Overview
• Smart Licensing Communications
• Get Set!
• Product Licensing Work Flow
• Product Licensing States
• Go!
• Deploying Smart License Enabled Products
• Conclusion
BRKARC-2034 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
In this session, you will learn about deploying Cisco products using Cisco’s latest product licensing
vision. Come learn the foundational concepts you need to need to as you deploy and configure
Smart Software Licensing for Cisco products. Together, we will go over the various scenarios you
might deploy Smart License enabled products in connected and mediated networks.
For mediated (disconnected) networks, we will present an overview of the Cisco Smart Software
satellite, and how product configuration differs when used. By moving to an ISO-19770 Software
Asset Management (SAM) solution, Cisco Smart Software Licensing simplifies the deployment of
Cisco products focusing on usage (what and how many) and not enforcement. With Cisco Smart
Software Licensing say “goodbye” to Product Activation Keys (PAKs) and License files!
It is recommended that the student is familiar with Smart Licensing before taking this session.
BRKARC-2010 (Smart Accounts and Smart Licensing)
https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=93760&backBtn=true
Get Ready!
Overview:
Smart Licensing and
Smart Accounts
Smart Licensing
Communications
Acronym Decoder
• CSR – Certificate Signing Request • PIDs – Product IDs
• CSSM or SSM – Cisco Smart Software Manager • PLR – Permanent License Reservation
• DLC – Device Led Conversion • SA – Smart Account
• DNS – Domain Name Server • SBP – Subscription Billing Platform
• FQDN - Fully Qualified Domain Name • SCH – Smart Call-Home
• LCS – License Crypto-Module Support • SKU – Stock Keeping Units
• LVA – Local Virtual Accounts • SLR – Specific License Reservation
• MSLA – Managed Service License Agreements • TPL – Third (3rd) Party Licensing
(Utility)
• UUID – Universally Unique Identifier
• OOC – Out of Compliance
• VA – Virtual Accounts
• PI – Product Instances
Cisco Software Central – software.cisco.com
Network Plug
and Play
Manage
Downloads and Software License
Upgrade Products Tools
Ordering and Smart Account

EULA Tools Management
What is Cisco Smart Licensing?
• Cisco Smart Licensing is a new way of thinking about licensing at Cisco that is being applied to all products
• Instead of DRM or Node Locked licensing – its a Software Inventory Management System
• Provides Customers, Cisco, and Selected Partners with information about Software Ownership and Software
Utilization
Ownership ‘Smart’ Usage

Account
Commerce Cisco
(CCW) Hello, I am Device-East5, I belong to Product
[big-u.edu] and I am using 1x License
I Have Purchased 5 additional

‘Advanced’ Licenses for [big-u.edu] Hello, Device-East5 from [big-u.edu],
you are ‘In-Compliance’
BigU.edu
I Own: 10
I am Using: 10
What is a Smart Accounts
Architected as a “container” - for more than licenses
Asset Pooling
Track Purchases
Pool assets, user roles and
Review purchases of Cisco
agreements for visibility of
Software entitlements and allocate
company license
new resources.
entitlements.
User Based Access Manage Services and Review Cases

Customer, partner, or other Subscriptions Manage cases open with Cisco
authorized party for control of Manage service contracts TAC and Cisco Support.
organizational assets. and subscriptions, and
download new software.
Today Future
Smart Account – Overview
• A Smart Account is a single place where
Customers can obtain visibility to their software
and entitlements.
Users & Roles

• Information associated with a Smart Account
Licenses
include
• User roles
• Licenses
• Devices
bigu.edu
Devices
• Agreements the customer has with Cisco.
• These assets can be further divided into “Virtual

Agreements
accounts” that might represents departments,
cost centers or locations within the company.
Organize it according to your business.
Smart Account Structure
What is in the Smart Account?
Virtual Accounts
Admissions
Users & Roles
Licenses
Physics
Devices
bigu.edu
Science
Agreements
Customer Smart Account Partner Holding

You can USE but not TRANSFER licenses between SAs You can TRANSFER but not USE a license
Account where devices leveraging PAK licenses, Smart Licenses, and Account where partners / distributors can temporarily deposit orders
licenses generated from EAs are stored and managed by a customer, until the end customer Smart Account is identified. Also provide
channel partner, or authorized party company-wide access to orders associated with the Holding
Account.
Smart Accounts – Virtual Accounts
• Assets are represented as company owned allowing effortless sharing across your
enterprise
Virtual Accounts Share devices and licenses

across virtual accounts
easily.
Admissions
Users & Roles
Licenses
Physics
bigu.edu
Devices
Chemistry
Agreements
Create sub-accounts to
reflect organization’s
construct.
Smart Accounts – Virtual Accounts
• You can create virtual accounts that reflect your organization’s departments then associate
licenses and devices with those departments.
Virtual Accounts
Admissions
Overall Cisco Licenses
Warning and Notifications -25
Users & Roles
Licenses Major Alert: Insufficient licenses – 25 needed to return to

Physics compliance
License Quantity In Use Surplus

bigu.edu 1900-WAN- 300 325 -25
Devices Collab-Suite
Chemistry
1900-Threat- 500 425 +75
Agreements
Defense-Suite
Track and Transfer Devices
ISR1900 Chemistry A Transfer
ISR1900 Chemistry B Remove
Smart Products
Communicating with
Cisco
Products, Agents and a Backend
SL
Router
SL
Switch
cisco.com
Firewall SL
Router
Unified SL
Communications
Switch Software Cisco

Smart
SL Software
Router
Manager
Firewall SL
Switch
SL Firewall
SL
Cisco Smart
Unified Software Manager
SL
Communications Unified satellite
Communications (Optional)
Products Smart Licensing Authorized Backend

Agent
Cisco Authorized Backend
Cisco.com (Direct Connection) SSM satellite (On Premise)
• Cisco Products communicate by default • Cisco Products communicate with SSM

(out of the box with Smart Software satellite the same way they do with Smart
Manager Software Manager
• Simplest method • Connected and Disconnected modes
supported
• Information is exchanged in Text (YAML
formatted)
Cisco Smart
Cisco Smart Software
Software Manager
satellite
Manager
CentOS 7 (Hardened)
Methods of Communication
The Cisco Product is configured to use Smart Licensing at install/provisioning time. Direct cloud access is the default option.
Options
1 Direct cloud access (default)
Cisco product sends usage information directly over the internet. No HTTPs
Available Today for all

additional components are needed. Cisco Cisco.com Usage Info
Product
2 Access through an HTTP proxy
products!
Cisco Products send usage information over the internet via a Proxy
Ease of use
Server. Any off-the-shelf Proxy will work. HTTP

Cisco Proxy Cisco.com Usage Info
Product
File Transfer
3 Access Through On-Premise License Management

Cisco products send usage information to a locally installed satellite.
+ Periodically, exchange information with Cisco to keep satellite sync. This
4 synchronization can occur automatically in connected environments or Cisco
HTTPs
Cisco.com Usage Info
manually in disconnected environments. Cisco
Product Satellite
Availability
5 Full Offline Access – License Reservation
Limited
Request License
Use copy/paste information between product and Cisco.com to manually Copy / Paste
check in and out licenses. Functionally equivalent to current node locking, but License Response
Cisco Cisco.com Usage Info
with Smart License tracking. Product
Telemetry
Smart Licensing requires the following minimal exchange of information during install/provision.
Element Required Cisco Smart

Software Manager
Trusted Unique Identifier
Yes
(SUDI/SUVI/ID)
HTTPS
Licenses Consumed Yes -or-
Organization Identifier (ID Token) Yes Cisco Checks:
Hostname No  Licenses
Offline
 Device IDs
Other Smart Call Home Information No On Premises  Business Rules
satellite/Proxy
Then
 Authorizes Use
Level of optional elements is fully configurable on products and/or satellite
Smart Product Telemetry & Visibility
• Industry Standard HTTPS (SSLv3*/TLS)
• Protects User’s Privacy! 01100101
• HTTP over TLS used for Transport encryption 100101011011
101001001010
• Telemetry sent to Cisco is User Configurable

0101101100100
001010011001
11010110101
• Smart Call Home Information is optional 1101001
• Smart License Information is minimal
• Auditable Telemetry sent by SSM satellite

• You have the right to inspect the data gathered
• License Information is in Text (YAML formatted)
* Newer products only use TLS
Get Set!
Understanding:
Product Licensing Work Flow
Product Licensing States
Understanding Product
Licensing Work Flow
Smart Licensing User Workflow
Have more licenses
Device/Product than being used
started
In-Compliance
SL State= (Authorized)
Un-configured Device/Product Registration
For Hybrid Create/Copy Enter Register Platform uses Users & Roles
Product Registration command/GU feature & Licenses
I with ID reports usage

Enable Smart ID Token from
to CSSM
Licensing CSSM Token Devices
Agreements
Customer Smart
SL State= Account identified Out-of
SL State= Compliance
Un-identified
Registered
Using more licenses
than entitled to
What is Cisco Smart Licensing – ID Tokens
An ID Token: An ID Tokens is NOT:
• Can be used once – or reused
multiple times • Product specific
• Can be created and revoked at any • Licenses or keys or PAKs
time • “one-time use”
• Expires after a period of time • Stored on the Cisco Product
(default is 30 days; Minimum of 1 • Needed after the product is
day and a maximum of 365 days) registered
Used to securely Register products to a Smart Account and Virtual Account

ID Tokens are “organizational identifier” used to establish ‘identity’ when
registering a Product
Enable Smart Software Licensing
Select:
Inventory
Click:
New Token
Enable Smart Software Licensing
Provide:
ID Token Description
Decide:
Allow enablement of Export
Controlled functionality
(functionality varies by
product)
Note: Enabled by default if

Export Control is allowed for
this Smart Account
Smart Licensing Product Registration
• Paste the “ID Token” created in your Smart Account directly into the CLI
Hybrid Products Smart Only Products
device> en
device# config t
device(config)# license smart enable
device(config)# end
device# license smart register idtoken <id token> device# license smart register idtoken <id token>
<id token>
“ID Token” is copied from Smart Account either manually via Cisco API’s
 Can be used once – or multiple times
 Can be used on any or every Cisco product
 Can be created and revoked at any time
 Can be created and accessed via APIs
 Expires after a period of time (default is 30 days; Minimum of 1 day and a maximum of 365 days)
How to Enable the licenses you want to consume on
Enterprise Products
IOS XE Based Product Example

Product Specific Configuration Guides Found at: cisco.com/go/smartlicensing
Configure which licenses to enable • License boot level license_level
See Product specific Configuration guide for all options
Smart Licensing Verification
• Verify licensing status
csr1kv# show license status

Tue Sep 29 07:34:36.023 PDT
Smart Licensing is ENABLED

Initial Registration: SUCCEEDED on Mon Sep 28 2017 21:55:46 PDT
Last Renewal Attempt: None
Registration Expires: Sun Dec 27 2017 11:49:40 PDT
License Authorization:
Status: AUTHORIZED on Mon Sep 28 2017 21:56:10 PDT
Last Communication Attempt: SUCCEEDED on Mon Sep 28 2017 21:56:10 PDT
Next Communication Attempt: Wed Oct 28 2017 21:56:10 PDT
Communication Deadline: Sun Dec 27 2017 11:49:16 PDT
csr1kv#
Show License All (ASAv)
asa971# show license all License Usage
==============
Smart Licensing Status
====================== ASAv30 Standard - 2G (ASAv-STD-2G):
Description: ASAv30 Standard - 2G
Smart Licensing is ENABLED Count: 1
Version: 1.0
Registration: Status: OUT OF COMPLIANCE
Status: REGISTERED
Smart Account: CISCO LIVE Product Information
Virtual Account: JLN-Sat ===================
Export-Controlled Functionality: Allowed UDI: PID:ASAv,SN:9AJP2PTBH1L
Initial Registration: SUCCEEDED on Feb 08 21:24:22 2017 UTC
Last Renewal Attempt: None Agent Version
Next Renewal Attempt: Mar 10 18:57:40 2017 UTC =============
Registration Expires: May 09 14:04:18 2017 UTC Smart Agent for Licensing: 1.6.4_rel/63
License Authorization:
Status: OUT OF COMPLIANCE on Feb 08 21:24:34 2017 UTC
Last Communication Attempt: SUCCESS on Feb 08 21:24:34 2017 UTC
Next Communication Attempt: Feb 09 09:24:34 2017 UTC
Communication Deadline: May 09 14:04:18 2017 UTC
Understanding Product
Licensing State
Smart License Product States
• Registered state
Product has been associated with a valid Smart Account
Un-
• Authorized state (In Compliance) Registered
Product is using an entitlement, and the Virtual Account Failed

does not have a negative balance Register
Product
• Out of Compliance state
Product is using an entitlement, but the Virtual Account
Registered
State
has a negative balance
Remains in state until Remains in state
• Authorization expired state Product communicates Consume while Smart
Account is OOC
with Cisco License
Product has not communicated with
Cisco within a maximum of 90 days Out Of
Authorization Authorized
Compliance
Expired State
State
Note: Platforms may differ with timeouts, check with

specific platform for details
Smart License Product States – Registered
• Initial registration
1. A Registration Message is sent when Product is registered
via CLI with a valid ID Token. Un-
Registered
2. Cisco will reply with a Cryptograph ID certificate that,
by default, is valid for one year. Failed
Register
Product
• If there is a failure sending the message the retry,
interval will be as follows:
Registered
• Every 15 minutes for 4 hours. State
• Then every hour until successful, or

Smart License is disabled via CLI Consume
License
Out Of
Compliance
Expired State
State
Smart License Product States – Licenses
• One a product has been successfully registered, it can be configured
to use an licenses via CLI
• A Entitlement Message is sent when Product is

Un-
Registered
configured to use licenses via CLI Failed

Register
• The Entitlement Response message will Product
1. Indicate if the Virtual Account is in or out of compliance Registered

2. Provide the length of time the request is valid, and State
the renewal interval.

Consume
• By default the Licenses usage is valid for 90 days, License
and renewed every 30 days
Out Of
Compliance
Expired State
State
Entitlement Authorization Request or Renewal
• If there is a communications failure sending the
renewal, the retry interval will be as follows:
• If the agent is in the authorized state Un-
Registered
Retry every 23 hours Failed
• If agent is in the Out of Compliance (OOC) state Register
Product
Retry every 15 minutes for two hours
Then once every 4 hours. Registered
State
• If agent is in the authorization expired state
Retry once every hour. Consume
License
• If there is NO communications within 90 days,
License usage is released and available Authorization Authorized
Out Of
for use by other products

Compliance
Expired State
State
Registration ID Certificate Renewal
• By default the Cryptograph ID certificate
• Valid duration (one Year) and renewal period is sent
in with the Registration Response message . Un-
Registered
• The Cryptograph ID certificate
Failed
• Renewal will be sent every six months
Register
Product
• If there is a communications failure sending the
message, the retry interval will be as follows:
Registered
• One per hour until success State
• Or until Cryptograph ID certificate expires.

Consume
• If there is NO communications within 1 year License
• Device become “unregistered”
• Device must be re-registered Authorization Authorized
Out Of
Compliance
Expired State
• Use any remaining evaluation time State
Go!
Deploying:
Smart License Enabled Products
Method 1
Configure Smart
Licensing for Direct
Cloud Access
Smart Call Home – High Level
• Smart Call Home (SCH) Server is located in a secure Cisco Data Centre
• Smart License (SL) messages reach SCH Server, they are sent to the Cisco SSM portal
• SL uses only the Call Home Client (Packet Delivery) Cisco Smart
Smart License
Software
• Information is exchange using Manager
Smart
HTTPS (TLS/SSL encryption
Call Home Client

of data)
HTTPS
Smart Agent
Home Server
Smart Call
Product
Cisco Smart
Call Home
Decision is made by the configuration

of the SCH configured “contact”
Smart Call Home – Cisco Example Configs
• Service Active
Enable call-home service
• Contact-email-addr <email-address>
Contact email address is mandatory for sending SCH notifications. If it is configured as sch-smart-
licensing@cisco.com, the email address configured in Cisco Smart License Portal will be used
• Profile CiscoTAC-1
Call-home profile CiscoTAC-1 is configured to send Smart licensing message by default
• Active
Enables profile to be used
• destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
Configure HTTP destination address with service URL
• destination transport-method http
Change transport method to HTTP (this includes HTTPS)
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/callhome.html
Smart Call Home – Smart Licensing Only
• Smart License does not require ALL of Smart Call Home
• Smart Call Home reporting CAN be disabled
• Smart License only uses the Call Home Client (Packet Delivery)
• When Smart Call Home reporting on the Product is not used,
• contact-email-addr must be configured as sch-smart-licensing@cisco.com
❌This is NOT an email address – it just looks like one
❌Inventory is not sent
❌Configuration information is not sent
❌Environmental conditions is not sent
❌Diagnostics to include syslog events is not sent
Smart Call Home – Default CSR1000v
Configuration
service call-home
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
rate-limit 20 Automatically added on Smart License enablement.
alert-group-config snapshot Do not change!
data-privacy level normal
syslog-throttling Here is where you limit data sharing:
profile "CiscoTAC-1" data-privacy {level {normal | high} | hostname}
active reporting no-call-home-data | Only hostname can be sent.
no anonymous-reporting-only Not all products support call home data sharing.
reporting smart-call-home-data
reporting smart-licensing-data Automatically added on Smart License enablement.
destination preferred-msg-format xml Do not change!
destination message-size-limit 3145728
destination transport-method http
no destination transport-method email Note: No SCH email sent by default.
destination address email callhome@cisco.com
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService Authorized Backend Target
Method 2
Proxy / Gateway
Transport Gateway or Proxy
• Is Not Required • Is Required When • Is Desirable When
When • Managed devices do not • Needs to inspect traffic
• Devices can send have direct access to on the LAN while securely
messages directly to cisco.com communicating over the
cisco.com using HTTPS • A HTTP proxy server is Internet
• Encryption capabilities of required to reach • Needs all outbound traffic
all managed devices meet cisco.com to be sourced from a
the customer's security • Store and Forwarding of single device
requirements SCH messages
• Devices can send
messages directly to SSM
satellite
Deploying Transport Gateway –
Configuration Example
• Change HTTP destination address of CiscoTAC-1 profile to TG service URL.
asr9k#conf t
asr9k(config)#call-home
asr9k(config-call-home)#profile CiscoTAC-1
asr9k(config-call-home-profile)#no destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
asr9k(config-call-home-profile)#destination address http https://tg-server
asr9k(config-call-home-profile)#commit
asr9k(config-call-home-profile)#end
asr9k#
asr9k#show running-config call-home
call-home
profile CiscoTAC-1
destination address http https://tg-server
!
!
NOTE: The default destination to cisco must be removed when configuring when
using with proxy, or satellite
Method 3&4
Smart Software
Manager satellite
Cisco Smart Software Manager (SSM) satellite
Ideal for customers who want to manage their Cisco licenses locally or if their
Cisco products cannot reach Cisco directly
Offered as a secured on-premise IT Asset Management Application in two

forms: Classic Edition and Enhanced Edition
• Cisco devices and software products are registered with and report license
consumption directly via SSM satellite
• Provided at no additional cost
SSM satellite Classic Edition: SSM satellite Enhanced Edition
• Targeted for small enterprises, labs, and • Targeted for medium and large
offline environments enterprises, service providers and
• 89 day Sync Requirement partners
• Scales to 4,000 product instances • 364 day Sync Requirement

• Scales to 10,000 product instances
SSM satellite is a secure on-premise Asset Management Application provided free of charge.
SSM satellite Classic Edition SSM satellite Enhanced Edition

 Single-tenancy - supports single Smart Account  Multi-tenancy - supports multiple Smart
Account(s)
 Each satellite is associated to only one Smart
Account/Multiple Virtual Account(s) at  Each satellite account can be registered to any
cisco.com eligible Smart Account/Virtual Account pair at
cisco.com
 Custom UI with reduced set of capabilities and
options  Uses Cisco UI and work flows to keep
consistent look and feel
 Only local user creation and authentication
supported  Multiple authentication methods (OpenLDAP
Single role (RBAC) for all local users and local users) supported and unique roles
(RBAC)
 Work equally well for online and offline mode
 Works in online and offline mode, although best
suited for online mode
Feature Classic Edition Enhanced Edition
HA Yes March
DLC Yes February
3rd Party License Support Yes February
On-Box and VM
Backup Restore VM Snapshots Only
Snapshots
HTTP Proxy Support No Yes
Interface Firewall Zone
No Yes
Support
OpenLDAP No Yes
User Groups No Yes
License Hierarchy No Yes
Number of Devices 4000 10,000
MSLA Yes End of 2019
Cisco Smart Software Manager satellite -
Installation
• Deploy the ISO into either a VM or bare metal
• Configure IP address (IPv4 and/or IPv6)
• Configure Netmask / Prefix
• Configure Default Gateway
• Configure DNS
• Connect to Administration portal via a browser
• Login as default “admin/CiscoAdmin!2345” user
• Change the admin’s default password
• Register Account(s) with Cisco Smart Account/Virtual Account
• Synchronize Account(s) with Cisco Smart Account(s)
SSM satellite - Deployments
Smart Software Manager satellite can be deployed
in one of two modes:
 Connected Connected
- Used when there is connectivity to cisco.com directly from the Router

Smart Software Manager satellite
- Cisco® Smart Account synchronization (optionally)
happens automatically Switch Offline
- Standard model for Enhanced Edition, easiest to deploy SSM satellite

Firewall
 Disconnected
- Used when there is no connectivity to cisco.com from the Monthly
Video Inventory
Smart Software Manager satellite
Update
- Smart Account synchronization must be manually uploaded
and downloaded
Unified Communications Disconnected
SSM satellite - Registration
• At registration there are 2 files exchanged between SSM satellite and Cisco
• Registration file (SSM satellite  Cisco)
• Authorization file (Cisco  SSM satellite)
• During normal operation, there are 2 different files exchanged between SSM satellite
and Cisco
• Sync Request file (SSM satellite  Cisco)
• Sync Response file (Cisco  SSM satellite)
• Auditable data sent by SSM satellite

• Information is in text (YAML formatted)
• You have the ability to inspect the data gathered!
SSM satellite – Sync Request File Details
:sync: 2.0.0, Information Collected Required?
:version: 2.0.0
:id_cert: |- XXXXXXXXXXXXXXXXXX
Trusted Unique Identifier
Yes
(SUDI/SUVI/ID)
:collector_id: 4cdd0470-e5e4-0132-a310-005056841670
:csr: |- Licenses Consumed Yes
:last_sync: 2017-Jun-22 08:50:35 UTC Organisation Identifier Yes
:last_generated: 2017-Jul-20 11:22:16 UTC
:virtual_accounts:
Hostname No
- :id: 101342 AAA ID of User Making Change No
:name: Ross-1
:product_instances: Feature Tags No
- :id: 2373d312-2cd8-4029-9517-8c60037cca8c
:registration_date: 2017-Jun-12 07:25:40 UTC Other Smart Call Home Information No
:last_contact_date: 2017-Jul-02 06:13:47 UTC
:is_active: true
:software_tag_identifier: regid.2013-08.com.cisco.CSR1000V,1.0_1562da96-9176-4f99-a6cb-14b4dd0fa135
:udi_pid: CSR1000V
:hostname: CSR-1000v
:ip_address: NOTE: hostname is sent by default, to disable sending
:mac_address:
:udi_serial_number: 97YZFA9VYJK the hostname, configure:
:host_identifier: cfg-call-home# data-privacy hostname
:licenses:
- :tag_id: 1146
:tag: regid.2014-05.com.cisco.ax_2500M,1.0_3e0288f3-4838-47c2-93a8-3d8743850f0c
:consumed_quantity: 1
Cisco Smart Software Manager satellite
• HTTP/HTTPS communication:
• Products communicating with SSM satellite via HTTPS use one of two Cisco signed certificates
dependent on the smart agent version
Older Products: Newer Products:

• Smart Agent versions prior to 1.5 • Smart Agent versions 1.5 and later
•\ Use a 3-tier certificate • Use a 4-tier certificate
• Must wait 10 business days for Cert to • Can be registered with no delay
be available and synchronized
• Agent version can be seen with “show license all”
• Check to make sure that the time is correct on the SSM satellite and product.
How do I deploy products with CSSM satellite?
• Products register to satellite the exact the same way as with Cisco
• Change the ‘Authorized Backend Address’ (See product documentation)
• Example for IOS Devices:
profile CiscoTAC-1
Active
# Configure HTTP destination address with service URL
destination address http https://<satellite_ip_address>/Transportgateway/services/DeviceRequestHandler
Key Features in SSM satellite Classic Edition
Networking Support
• IPv4 and IPv6 support
• Dual-NIC: separate interfaces for network management and product instance registrations.
Security Enhancements:
• FIPS 140-2 Certification (Version 4.2)
Key License Features

• High Availability Support
• Backup Restore of Database and System Configs
• Device Led Migration
Sync Intervals
• Adjustable 30-day Synchronization Schedule
• Allow satellite to functions as long as it synchronizes with Cisco once every 3 months
• Scalability
• 4K product instances, 1 Smart Account
SSM satellite Classic Edition Requirements
• The Free installation package is available in a number of formats
• ISO installable via Bootable Media
System Requirements
(Customer Provided):
ISO
SSM satellite Classic Edition Minimum MSLA
Application 200 GB Hard Disk 300 GB Hard Disk
8GB Memory 8GB Memory
(Centos 7) 4 vCPUs 4 vCPUs
4000 products 4000 products
SSM satellite Classic Edition– Single Workspace
https://<ip-address>:8443
• Simplified UI for satellite
administration
• Limited features as compared
to CSSM and SSM satellite
Enhanced Edition
• Single Cisco Smart Account
support
• Multiple Cisco Virtual Accounts
supported
SSM satellite Classic Edition– Features
Set up
Register product View the list of Reports for virtual
synchronization Manage users
instances virtual accounts accounts
schedules
Create a “ID View Synchronize to Run a report to Create and

Token” from information in the latest copy show usage delete users
SSM satellite virtual on what vs.
and use it to accounts from licenses are consumption
enable the CSSM that are being used vs. and export it to
product to be associated what has been CSV or an
registered with SSM purchased Excel file
satellite
SSM Satellite Classic Edition – Synchronization
• SSM satellite should synchronize with Cisco every 30 days
• Automatic if network attached (online mode)
• By manual file transfers if disconnected (offline mode)
• SSM satellite must synchronize with Cisco within 89 days.
• After 89 days without synchronization;

• MUST be reinstalled using a NEW instance of SSM satellite
• All product instances are removed
• All ID tokens are expired
• Products will not be able to communicate with the original SSM satellite
• Products will need to be re-registered
CSSM satellite HA Deployment Configurations
Active Standby
Zabbix Tomcat Zabbix Tomcat
satellite satellite
MariaDB DRDB MariaDB DRDB Internet
Pacemaker Pacemaker
Corosync Corosync
DNS
Server X Proxy Firewall
(NAT)
IPv4 (or IPv6) Management Network
CSR1kv
CSR1kv
CSR1kv
CSR1kv
CSR1kv
CSR1kv
CSR1kv
CSR1kv
CSR1kv
CSR1kv
SSM satellite – HA Data Replication
VIP Address File system File system

10.1.1.1
Service Address 10.1.1.2 10.1.1.3
DRBD (module) DRBD (module)
Tomcat Tomcat
Satellite Services MariaDB MariaDB Zabbix TCP TCP
Zabbix DRBD DRBD
Sync Block Block
DRBD Master Standby NIC driver Driver Driver NIC driver
Resource Monitor Pacemaker
Cluster Manager Corosync
Replicated Volume
SSM satellite Classic Edition – MSLA (Utility)
• Managed Service License Agreement (MSLA)
MSLA – Customer Checklist
• Identify/Create Smart Account and satellite Virtual Account(s) – New
customer.
• Identify billing and service locations to determine the Subscription IDs
setup – New customer.
• Install Smart Software Manager satellite Classic Edition 5.0.1 (or later)
• Ensure CSRv has a minimum version – 16.9.1
• Enable utility on the product instances with CLI:
• “license smart utility”
• Ensure subscription SKUs are added to your Smart Account

• Register the product instances with SSM satellite Classic Edition
SSM satellite Enhanced Edition - Key Features
Multi-tenancy: Manage multiple customer Smart Accounts in a single management portal
• Administration Workspace only accessible by System Admin and System Operators
• Licensing portal is for Smart Licensing and Administration.
• Multiple levels of RBAC (Admin, Operator, User)
• User Authentication Control: LDAP or OAuth2
Security Enhancements:
• CentOS 7 Security Harden Kernel
• Separate Workspace for Licensing and Administration:
Networking Support
• IPv4 and IPv6 support
• Multi-NIC: multiple interfaces for traffic separation between network management and product instance registrations.
Proxy support: Allow for satellite to have a proxy between itself and Cisco Smart Software Manager for traffic separation
• Firewall Zones: Ability to configure interfaces for Internal (access) or External (no access)
System Alerts and Notifications

• Email Support for notation of License Events
• Syslog support: Account events can be configured to be sent to a syslog server
SSM satellite Enhanced Edition - Key Features
Longer Sync Intervals
• Native 365-day Synchronization Schedule
• Allow satellite to functions as long as it synchronizes with Cisco once a year.
New License Features

• License AppHA: Allows for the reporting of a single license usage for both standby and active Applications
• License Hierarchy: Enable borrowing of a higher-tier license to be fulfilled when a lower tier license is not
available
API Support
• API Support for automation of product deployment
• Resource and Owner credentials grant supported
• 5 major API groups for over 15 unique APIs
Improved Scalability
• 500+ accounts
• 10,000 Product Instances
• Active development in progress to increase scale
SSM satellite Enhanced Edition - Requirements
• The Free installation package is available in a number of formats
• ISO installable via Bootable Media
System Requirements
(Customer Provided):
ISO
SSM satellite Enhanced Edition Minimum Recommended
Containers 200 GB Hard Disk 200 GB Hard Disk
Database
Crypto Services
License/Admin 8GB Memory 8GB Memory
License Services Portals
2 vCPUs 4 vCPUs
(Centos 7) 4000 products 10000 products
SSM satellite Enhanced Edition - Workspace
• Licensing & Administration Workspace
Licensing Portal User Interface Administration Portal User Interface
• Similar to CSSM “Smart Licensing” • Administration of System configuration
• Similar to CSSM “Manage Smart Account" • Administration of Users and Accounts
https://<ip-address>:8443 https://<ip-address>:8443/admin
Administration Workspace - System RBAC
• All Users: • System Admin
• Can be local, or authenticated with an • Full System access
external system • Access to all Account(s)
• Local users have preference over
• System Operator (restricted)
authenticated users
• No ability to change system configurations
• Are not required to have Cisco CCO
• Access to all Account(s)
Accounts
• Must have access to Smart Account • System User (restricted)
Admin access at Cisco to create local • Limited to License Workspace Only
satellite account
• Access to all Account(s)
Administration Workspace
• All Accounts map to a Smart Account/Virtual Account
• Customer requests account; email alert is sent to System Admin(s)
• System Admin performs account creations and grants user Access
• Flexible Account Setup models
• Single Smart Account mapping to Multiple satellite Accounts
• Multiple Smart Account mapping to Multiple satellite Accounts
Example: Satellite Accounts to Single Smart
Account
Accounts
Department 1 software.cisco.com
Department 2
Virtual Account
Department 3
SSM satellite Virtual Account BigU.edu
Virtual Account
Licensing Workspace
Example: Satellite Accounts to Multiple Smart
Account
Accounts
Customer 1 software.cisco.com
Customer 2
Virtual Account BigU.edu
Customer 3
SSM satellite Virtual Account MediumU.edu
Virtual Account SmallU.edu
Licensing Workspace
• SSM satellite should synchronize with Cisco every 30 days
• Automatic if Network Attached
• By manual file transfers in disconnected Mode
• SSM satellite must synchronize with Cisco within 364 days.
• After 364 days without synchronization;

• A new Account MUST be registered with Cisco
• All product instances in the Account are removed
• All ID Tokens in the Account are expired
• Products will need to be re-registered
• Smart Account APIs • License APIs • Token APIs
• Account Search • Smart License Usage • Create Tokens
• Validate User Access API • License Subscriptions • List Tokens
Usage • Revoke Tokens
• Virtual Accounts APIs
• Transfer Licenses
• Create Local Virtual • Device APIs
Account • Smart License Alerts • Product Instance Usage
• Delete Local Virtual • List Alerts • Product Instance Search
Account
• Product Instance Transfer
• List Local Virtual
Accounts • Product Instance Remove
Method 5
License Reservation
Introduction to License Reservation
• The Smart Account must be authorized for License Reservation
• Must have enough available licenses (Over subscription is not allowed)
• Smart Account must be authorized for any Export Restricted Functionality
Permanent License Reservation Specific License Reservation

• All features are enabled • Only featured owned can be reserved
• Cost premium • At no additional cost
• Some products will not support PLR • Not all products support SLR (yet)
Permanent License Reservation
• Manually exchange short ASCII strings with CSSM
• Two way data exchange via ASCII strings

• Product Request (UDI/vUDI, etc.) entered into CSSM (~ 32 characters*)
• CSSM returns an authorization locked to UDI/vUDI (34 characters)
• Entitles unlimited license consumption on product
CSSM
1
Get UDI/vUDI Type UDI/vUDI
Request Request
Get Auth String

4
Type Auth String
3
• Length will vary by product – 31 for new version of ASAv BRKARC-2034 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 128
Specific License Reservation
• Manually exchange information (copy and paste) with CSSM
• Two way data exchange via ASCII strings

• Product Request (UDI/vUDI, etc.) entered into CSSM
• Requested licenses and quantities chosen in CSSM
• CSSM returns an authorization locked to UDI/vUDI
• Entitles specific license consumption on product
CSSM
1 2
Get UDI/vUDI Type or Paste
Request Request String
3
Choose Licenses
5 4
Copy Auth String
Paste Auth String
License Reservation Summary
• PLR has a price premium because it enables all features on the product
whether you want them or not
• Not available on all products
• Node lock (cannot transfer licenses if it’s already in use)
• RMAs can be a challenge if you cannot get the return code off the box
• Changing SLR entitlements can be difficult
Conclusion
Smart License is here today!
Key decisions you need to make...
Smart Account Virtual Accounts Product Telemetry
• All Cisco Products are • Determine ”Span of • What's your network
moving to Smart Licensing Control” access policy?
• Smart Account is not • Who will manage the • What product telemetry
option Smart Account? method(s) will you use?
• You will need it to register • Partner Managed? • Will you need a Smart
products? • Central Managed? Software Manager
• Who needs to approve your • Distributed Managed? satellite? How many?
Smart Account creation? Locations?
• Who will manage the
• Smart Accounts are not Smart License?
Optional!
• Who do I get the <id token>
• Products may have limited from?
functionality until registered!
Get Ready! Get Set! Go!
Determining the best Method to Use
Your
Cisco
HTTPs Software
Method 1 & 2
Usage
•
Cisco Product Cisco.com
• Device has Direct Network Access
Your
Simplest to Deploy and Use

Cisco
• Software
Usage
Transport Gateway
or HTTPs Proxy Cisco.com
Method 3 & 4
Cisco Product
•
• Device has Intermediate Network Access Your
Cisco
Software
One line change to Product Configuration

Usage
•
HTTPs Smart Software
Cisco.com
Cisco Product Manager satellite
• Method 5 Your
Device has No Network Access

Cisco
Request License
• Software
Usage
Copy/Paste
• Similar to PAK Files License Response Cisco.com
Cisco Product
Questions?
For More Information – Cisco SSM Satellite
Cisco® Smart Licensing
www.cisco.com/go/smartlicensing
(http://www.cisco.com/c/en/us/products/abt_
sw.html)
Cisco® Smart Software Manager

www.cisco.com/go/smartsatellite
(http://www.cisco.com/web/ordering/smart-
software-manager/smart-software-manager-
satellite.html)
Cisco® Smart Accounts

www.cisco.com/go/smartaccounts
(http://www.cisco.com/web/ordering/smart-
software-manager/smart-accounts.html)
For More Information – Cisco Smart Call Home
• For more Information on Cisco® Smart Call Home
Smart Call Home
http://www.cisco.com/c/en/us/support/cloud-systems-management/smart-call-home/tsd-products-support-
series-home.html
Cisco Privacy and Security Compliance
http://www.cisco.com/web/about/doing_business/legal/privacy_compliance/index.html
• For more Information on Cisco® Transport Gateway

User Guide
http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/smart_call_home/user_guides/SCH_Ch4.pdf
Troubleshooting Guide
http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/smart_call_home/user_guides/SCH_Ch5.pdf
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKARC-2034
Complete your online session evaluation
• Please complete your Online Session Evaluations

after each session
• Complete 4 Session Evaluations & the Overall
Conference Evaluation (available from Thursday) to
receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events
Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing

on-demand after the event at CiscoLive.cisco.com/Online.
Continue Your Education
Demos in Meet the Related

Walk-in
the Cisco engineer sessions
self-paced
Showcase labs 1:1
meetings
Thank you

Brkarc 2034

Uploaded by

Copyright:

Available Formats

Brkarc 2034

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Brkarc 2034

Uploaded by

Copyright:

Available Formats

BRKARC-2034

Care and Feeding of

Engineering Licensing Office, CCIE #1981

• DLC – Device Led Conversion • SA – Smart Account

• DNS – Domain Name Server • SBP – Subscription Billing Platform

• FQDN - Fully Qualified Domain Name • SCH – Smart Call-Home

• LCS – License Crypto-Module Support • SKU – Stock Keeping Units

• LVA – Local Virtual Accounts • SLR – Specific License Reservation

Ordering and Smart Account

Ownership ‘Smart’ Usage

I Have Purchased 5 additional

User Based Access Manage Services and Review Cases

Users & Roles

• These assets can be further divided into “Virtual

Users & Roles

Customer Smart Account Partner Holding

Virtual Accounts Share devices and licenses

Users & Roles

Licenses Major Alert: Insufficient licenses – 25 needed to return to

License Quantity In Use Surplus

Switch Software Cisco

Products Smart Licensing Authorized Backend

• Cisco Products communicate by default • Cisco Products communicate with SSM

Available Today for all

2 Access through an HTTP proxy

Server. Any off-the-shelf Proxy will work. HTTP

3 Access Through On-Premise License Management

Element Required Cisco Smart

Level of optional elements is fully configurable on products and/or satellite

• Telemetry sent to Cisco is User Configurable

• Smart License Information is minimal

• Auditable Telemetry sent by SSM satellite

* Newer products only use TLS

Product Registration command/GU feature & Licenses

I with ID reports usage

Used to securely Register products to a Smart Account and Virtual Account

Note: Enabled by default if

Hybrid Products Smart Only Products

IOS XE Based Product Example

See Product specific Configuration guide for all options

csr1kv# show license status

Smart Licensing is ENABLED

Product is using an entitlement, and the Virtual Account Failed

Note: Platforms may differ with timeouts, check with

• Then every hour until successful, or

• A Entitlement Message is sent when Product is

configured to use licenses via CLI Failed

1. Indicate if the Virtual Account is in or out of compliance Registered

the renewal interval.

for use by other products

• Or until Cryptograph ID certificate expires.

Call Home Client

Decision is made by the configuration

Offered as a secured on-premise IT Asset Management Application in two

• Scales to 4,000 product instances • 364 day Sync Requirement

SSM satellite Classic Edition SSM satellite Enhanced Edition

- Used when there is connectivity to cisco.com directly from the Router

- Standard model for Enhanced Edition, easiest to deploy SSM satellite

• Auditable data sent by SSM satellite