IOS Licensing

Hi Rene,
Please can you explain License Count and License Priority.
Also let me know if there any difference EvalRightToUse and RightToUse.

Thanks,
Pradeep

Hello Pandeep!

License Count gives you the number of licenses available and the number in use for a “countable” feature. For example, if the license is for SSL VPNs, then the license count will display something like this:

License Count: 200/0/0 (Active/In-use/Violation)

This tells you how many active licenses you have, in this case you can create up to 200 SSL VPNs, how many are in use, currently 0, and how many are in violation, i.e., over and above the licensed number. In cases where the feature is not countable, for example, a voice Gatekeeper or an ios-ips, then the license count will look something like this:

License Count: Non-Counted

License priority is used in the following scinarios: When you have several licenses available for example, datak9, securityk9 and uck9, not all licenses will be active. The license with the highest priority will be chosen and activated. You are able to go in and change the priority of specific features in order to cause them to be active. If for whatever reason a high priority feature cannot be activated, (license expiry for example) then the next highest priority feature is loaded. The priority can be changed using the license modify priority command.

Right To Use (RTU) licensing just simplifies software licensing process. It allows allows you to order and activate a specific license type and level via command line. EvalRightToUse or ERTU on the other hand is a license that allows you to use a feature for a limited time for evaluation purposes.

I hope this has been helpful!

Laz

Hi Lazaros,
For evaluation license, i think if the period has expired, the license will still active until a reload is occurred to the router.
Is that right?

hi Mahmoud,

As Rene has explained on the lesson, when the evaluation license is expired the feature(s) won’t be disabled and Cisco expect its customers to behave and not take advantage of it.
With reloading a router which has an expired evaluation license, you may get an output on the router like this:

Router# reload

 The following license(s) are expiring or have expired.
 Features with expired licenses may not work after Reload.
 Feature: uc,Status: expiring, Period Left: 4  wks 2  days

 Proceed with reload? [confirm]

So it is always recommended to purchase the PAK from Cisco once the evaluation license is expired to keep the feature active.

Hope I could answer your question.

Hi Maher,
let me clarify some thing, because i faced this issue before an i opened a TAC case with cisco team.

for examole (cme-srst license)–for voice enabled router-- it is (right to use ) and you can enable it on the router and the router will show you that it is evaluation license and will expire after 8 weeks but it will be continue and never expired even if the router is reloaded.

for example (seck9 license), it is evaluation license and not Right to use. you can enable it on the router but it will expire after 8 weeks. so you must purchase a license for seck9 feature.

Hello again Mahmoud

What you describe for the voice and security licenses makes sense. Keep the following in mind:

RTU or Right to Use licenses are licenses that use the “honour system” that is, they will always function even if their evaluation period has expired. This follows Cisco’s traditional IOS licensing scheme where the license is not tied down to a serial number or UDI (Unique Device Identifier). This is why even after a reboot, the feature continues to function.

Evaluation licenses can be enabled, but they will expire after the evaluation period. The functionality will stop working after the evaluation period is over. As you state, the feature must be purchased in order to continue using it.

I hope this has been helpful!

Laz

1 Like

One thing I have struggled with since completing my CCNA and going into the real world as a Network Engineer is dealing with Licensing as a topic and how it applies in the real world. I have come to realize that Cisco Licensing isn’t the easiest and there are plenty of gotcha’s that I have had to deal with.

One Example is that I recently had to RMA a Router that had MPLS configuration on it. I was able to load the correct iOS (as I had learnt about this previously on my CCNA) but soon after got stuck because none of the MPLS commands would work on the replacement device. After contacting Cisco TAC I was advised that most of the IOS-XE versions for Enterprise customers are universal and it all comes down to the license thats applied to each machine. All it took to resolve the MPLS issue was to change the license with a line of code that I wasn’t familiar with or had experience with.

If I ever see a Licensing Lesson on Networklessons.com I’ll be crying with joy! I spent an hour or so in a Data Centre last night troubleshooting iOS images when it was simply a license command that would have done the job.

Hello Jonathan

Be joyful my friend! :stuck_out_tongue: There is a licensing lesson on NetworkLessons. Here’s the link:


I know, I know, it may not be as detailed as what you need, or it may not cover some of the topics that you described above, but it’s an excellent start. It gives you the basics of how licensing works for Cisco. Now if you have a suggestion to enrich this topic or to have some licensing subtopics included, I suggest you go to the Member Ideas page where you can make your suggestion and also vote for the suggestions that others have made as well.

I hope this has been helpful!

Laz

Hello team!
What are the differences between the Cisco Catalyst 2960 LAN Base and LAN Lite switches? Please clarify me. Thanks.

Hello Boris

For Cisco switches, there are four general categories: LAN Lite, LAN Base, IP Base, and IP Services. Each of these increases in features in the order stated. So LAN Base is a superset of LAN Lite, IP Base is a superset of LAN Base, and so on. In order to get the full details of the differences between them, you can take a look at the Cisco feature navigator.

In general, LAN Lite has some layer 2 features such as VLANs, STP, trunks, DTP, and VTP, but doesn’t support private VLANs for example. It has no Layer 3 functionality at all, and is capable of very basic security and QoS features. LAN base on the other hand has support for a redundant power system (RPS), Layer 2 to 4 ACLs, DHCP snooping, as well as 802.1x support. Extensive queuing features for QOS such as policing, class and policy maps, and AutoQoS. It also supports an increased number of VLANs and MLD snooping for IPv6.

I hope this has been helpful!

Laz

1 Like

Hello Laz.
Thank you very much!

1 Like

Hello!

I have bought a Cisco 887VA and want to test SSL_VPN.
How can I activate?

C887#sh lic feature 
Feature name             Enforcement  Evaluation  Subscription   Enabled  RightToUse 
advipservices            yes          yes         no             no       yes        
advsecurity              no           no          no             yes      no         
ios-ips-update           yes          yes         yes            no       yes        
WAAS_Express             yes          yes         no             no       yes        
SSL_VPN                  yes          yes         no             no       yes

Get following during configuration:

C887(config)#webvpn gateway ssl_vpn 
Warning: could not reserve counts: Request failed due to no license
C887(config-webvpn-gateway)#

Regards, Hannes

Found following Software Features:

Software License for Cisco 880 Data
SL-880-ADSEC (default)
Cisco 880 Advanced Security Image Feature License
SL-880-AIS (upgrade option)
Cisco 880 Advanced IP Services Image Feature License
SL-880-ADVSEC-NPE
Cisco 880 Advanced Security NPE License PAK (Paper)
SL-880-AIS-NPE (upgrade option)
Cisco 880 Advanced IP Services NPE License PAK (Paper)
Software License for Cisco 880 Data (Bulk)
L-SL-800-SEC-K9
Advanced IP e-Delivery PAK for Cisco 800 Series
Security Services
SL-CNFIL-88x-1Y
One year subscription to Content Filtering for Cisco 881/888-URL/Phishing
SL-CNFIL-8xx-TRI
30 day free trial license for 88x series
SSL
FL-WEBVPN-10-K9
Feature License SSL VPN for Up to 10 Users (incremental), for 12.4T based IOS releases only
FL-SSLVPN10-K9
Feature License SSL VPN for Up to 10 Users (incremental), for 15.x based IOS releases only

Hello Johann

According to the output of your show license feature command, the SSL_VPN option is not enabled in your license.

However, when you attempt to use the SSL option, you get the message:

Warning: could not reserve counts: Request failed due to no license

This message appears when your device is attempting to achieve what is known as Specific License Reservation. This is an automatic attempt of the device to connect to a Cisco Smart Software Manager (SSM) and automatically request to reserve and activate the feature. Now in your case, I assume you don’t have Cisco SSM, so the request fails. SSM is typically used within a large enterprise network. More about Cisco SSM can be found here:

Now in order for you to activate the license, you must follow the instructions as stated in this lesson. It may be that the initial IOS you purchased requires an additional PAK to activate it. Take a look and let us know how you get along.

I hope this has been helpful!

Laz

1 Like

Hello Laz,

Thanks for the shared information on Traditional License.
Can you please help with one detail session on Smart license?

Hello Shashi

The issue with licensing is a big one, and it can take some time to understand and implement. If you would like to see a lesson devoted to smart licensing, I suggest you go to the following Member Ideas page where you can make suggestions and vote on topics that Rene can create in the future. You may find that others have suggested something similar, and you can add your voice to theirs.

In the meantime, I have created a short NetworkLessons note on the topic of IOS licensing that describes the various licensing schemes including Cisco’s smart licensing mechanisms and policies. If you have any more specific questions about this process, please let us know, and we’ll be happy to respond!

I hope this has been helpful!

Laz

Hi,

Does anyone know why the same licence appears in multiple Storeindex entries in the sh license all output but just once (and all periods added together) in the sh license output?

Cheers,

Rob.

Hello Rob

The sh license all command provides a detailed output of all the licenses, including those licenses that are in use, not in use, and expired. It shows each instance of the license separately, even if it’s the same license. This is why you see the same license appearing in multiple Storeindex entries.

On the other hand, the sh license command provides a summary of the licenses. It combines all instances of the same license into one entry and adds up their periods. That’s why you see the same license just once and all periods added together in the ‘sh license’ output.

I hope this has been helpful!

Laz

1 Like

Hi Laz,

Thank you!

So when selecting a license to use (one which is in multiple Storeindex entries), will it last for the total amount of time which is the sum of all the Storeindex entries?

Eg: Storeindex 1 = 200 days, Storeindex 2 = 200 days, Storeindex 3 = 200 days… Will the license last for 600 days or will it expire and need attention after every 200 day period expires?

Cheers,

Rob.

Hello Robert

Hmm, I’m having a rethink on this one. Can you share with us an example of your output from the show license and the show license all commands?

Initially, I had the impression that it would be just 200 days in your case, however, if these are multiple different licenses that have been added for the same feature, it may be that they are sequential… Send us the output and we’ll get back to you. :slight_smile:

I hope this will be helpful!

Laz

1 Like

Hi Laz,

Sure, see below - the sh license appears to capture the sum of all 3 StoreIndex entries.

I’m just wondering, when the active 1 of the 3 StoreIndex licenses expires, does it automatically roll over to one of the 2 remaining.?

sh license

Index 2 Feature: securityk9
	Period left: 604 weeks 3 days
	Period used: 20 weeks 3 days
	License type: Right to use
	License state: Active, in use
	License Count: Non-Counted
	License Priority: Low
sh license all

StoreIndex: 0 Feature: securityk9	Version:1.0
	License type: Evaluation
	License state: inactive
	Evaluation total period: 208 weeks 2 days
	Evaluation period left: 208 weeks 2 days
	License Count: Non-Counted
	License Priority: Low

StoreIndex: 1 Feature: securityk9	Version:1.0
	License type: Evaluation
	License state: inactive
	Evaluation total period: 208 weeks 2 days
	Evaluation period left: 208 weeks 2 days
	License Count: Non-Counted
	License Priority: Low

StoreIndex: 2 Feature: securityk9	Version:1.0
	License type: Evaluation
	License state: Active, in use
	Evaluation total period: 208 weeks 2 days
	Evaluation period left: 187 weeks 6 days
	Expiry date: Apr 13 2027 22:31:52
	License Count: Non-Counted
	License Priority: Low