IOS Licensing

Hello Jonathan

Be joyful my friend! :stuck_out_tongue: There is a licensing lesson on NetworkLessons. Here’s the link:


I know, I know, it may not be as detailed as what you need, or it may not cover some of the topics that you described above, but it’s an excellent start. It gives you the basics of how licensing works for Cisco. Now if you have a suggestion to enrich this topic or to have some licensing subtopics included, I suggest you go to the Member Ideas page where you can make your suggestion and also vote for the suggestions that others have made as well.

I hope this has been helpful!

Laz

Hello team!
What are the differences between the Cisco Catalyst 2960 LAN Base and LAN Lite switches? Please clarify me. Thanks.

Hello Boris

For Cisco switches, there are four general categories: LAN Lite, LAN Base, IP Base, and IP Services. Each of these increases in features in the order stated. So LAN Base is a superset of LAN Lite, IP Base is a superset of LAN Base, and so on. In order to get the full details of the differences between them, you can take a look at the Cisco feature navigator.

In general, LAN Lite has some layer 2 features such as VLANs, STP, trunks, DTP, and VTP, but doesn’t support private VLANs for example. It has no Layer 3 functionality at all, and is capable of very basic security and QoS features. LAN base on the other hand has support for a redundant power system (RPS), Layer 2 to 4 ACLs, DHCP snooping, as well as 802.1x support. Extensive queuing features for QOS such as policing, class and policy maps, and AutoQoS. It also supports an increased number of VLANs and MLD snooping for IPv6.

I hope this has been helpful!

Laz

1 Like

Hello Laz.
Thank you very much!

1 Like

Hello!

I have bought a Cisco 887VA and want to test SSL_VPN.
How can I activate?

C887#sh lic feature 
Feature name             Enforcement  Evaluation  Subscription   Enabled  RightToUse 
advipservices            yes          yes         no             no       yes        
advsecurity              no           no          no             yes      no         
ios-ips-update           yes          yes         yes            no       yes        
WAAS_Express             yes          yes         no             no       yes        
SSL_VPN                  yes          yes         no             no       yes

Get following during configuration:

C887(config)#webvpn gateway ssl_vpn 
Warning: could not reserve counts: Request failed due to no license
C887(config-webvpn-gateway)#

Regards, Hannes

Found following Software Features:

Software License for Cisco 880 Data
SL-880-ADSEC (default)
Cisco 880 Advanced Security Image Feature License
SL-880-AIS (upgrade option)
Cisco 880 Advanced IP Services Image Feature License
SL-880-ADVSEC-NPE
Cisco 880 Advanced Security NPE License PAK (Paper)
SL-880-AIS-NPE (upgrade option)
Cisco 880 Advanced IP Services NPE License PAK (Paper)
Software License for Cisco 880 Data (Bulk)
L-SL-800-SEC-K9
Advanced IP e-Delivery PAK for Cisco 800 Series
Security Services
SL-CNFIL-88x-1Y
One year subscription to Content Filtering for Cisco 881/888-URL/Phishing
SL-CNFIL-8xx-TRI
30 day free trial license for 88x series
SSL
FL-WEBVPN-10-K9
Feature License SSL VPN for Up to 10 Users (incremental), for 12.4T based IOS releases only
FL-SSLVPN10-K9
Feature License SSL VPN for Up to 10 Users (incremental), for 15.x based IOS releases only

Hello Johann

According to the output of your show license feature command, the SSL_VPN option is not enabled in your license.

However, when you attempt to use the SSL option, you get the message:

Warning: could not reserve counts: Request failed due to no license

This message appears when your device is attempting to achieve what is known as Specific License Reservation. This is an automatic attempt of the device to connect to a Cisco Smart Software Manager (SSM) and automatically request to reserve and activate the feature. Now in your case, I assume you don’t have Cisco SSM, so the request fails. SSM is typically used within a large enterprise network. More about Cisco SSM can be found here:

Now in order for you to activate the license, you must follow the instructions as stated in this lesson. It may be that the initial IOS you purchased requires an additional PAK to activate it. Take a look and let us know how you get along.

I hope this has been helpful!

Laz

1 Like

Hello Laz,

Thanks for the shared information on Traditional License.
Can you please help with one detail session on Smart license?

Hello Shashi

The issue with licensing is a big one, and it can take some time to understand and implement. If you would like to see a lesson devoted to smart licensing, I suggest you go to the following Member Ideas page where you can make suggestions and vote on topics that Rene can create in the future. You may find that others have suggested something similar, and you can add your voice to theirs.

In the meantime, I have created a short NetworkLessons note on the topic of IOS licensing that describes the various licensing schemes including Cisco’s smart licensing mechanisms and policies. If you have any more specific questions about this process, please let us know, and we’ll be happy to respond!

I hope this has been helpful!

Laz

Hi,

Does anyone know why the same licence appears in multiple Storeindex entries in the sh license all output but just once (and all periods added together) in the sh license output?

Cheers,

Rob.

Hello Rob

The sh license all command provides a detailed output of all the licenses, including those licenses that are in use, not in use, and expired. It shows each instance of the license separately, even if it’s the same license. This is why you see the same license appearing in multiple Storeindex entries.

On the other hand, the sh license command provides a summary of the licenses. It combines all instances of the same license into one entry and adds up their periods. That’s why you see the same license just once and all periods added together in the ‘sh license’ output.

I hope this has been helpful!

Laz

1 Like

Hi Laz,

Thank you!

So when selecting a license to use (one which is in multiple Storeindex entries), will it last for the total amount of time which is the sum of all the Storeindex entries?

Eg: Storeindex 1 = 200 days, Storeindex 2 = 200 days, Storeindex 3 = 200 days… Will the license last for 600 days or will it expire and need attention after every 200 day period expires?

Cheers,

Rob.

Hello Robert

Hmm, I’m having a rethink on this one. Can you share with us an example of your output from the show license and the show license all commands?

Initially, I had the impression that it would be just 200 days in your case, however, if these are multiple different licenses that have been added for the same feature, it may be that they are sequential… Send us the output and we’ll get back to you. :slight_smile:

I hope this will be helpful!

Laz

1 Like

Hi Laz,

Sure, see below - the sh license appears to capture the sum of all 3 StoreIndex entries.

I’m just wondering, when the active 1 of the 3 StoreIndex licenses expires, does it automatically roll over to one of the 2 remaining.?

sh license

Index 2 Feature: securityk9
	Period left: 604 weeks 3 days
	Period used: 20 weeks 3 days
	License type: Right to use
	License state: Active, in use
	License Count: Non-Counted
	License Priority: Low
sh license all

StoreIndex: 0 Feature: securityk9	Version:1.0
	License type: Evaluation
	License state: inactive
	Evaluation total period: 208 weeks 2 days
	Evaluation period left: 208 weeks 2 days
	License Count: Non-Counted
	License Priority: Low

StoreIndex: 1 Feature: securityk9	Version:1.0
	License type: Evaluation
	License state: inactive
	Evaluation total period: 208 weeks 2 days
	Evaluation period left: 208 weeks 2 days
	License Count: Non-Counted
	License Priority: Low

StoreIndex: 2 Feature: securityk9	Version:1.0
	License type: Evaluation
	License state: Active, in use
	Evaluation total period: 208 weeks 2 days
	Evaluation period left: 187 weeks 6 days
	Expiry date: Apr 13 2027 22:31:52
	License Count: Non-Counted
	License Priority: Low

Hello Robert

Thanks for sharing that. In this instance it looks like the securityk9 feature has been installed, and three licenses have been applied, each for a duration of just over 208 weeks. The result is that these licenses will be applied consecutively thus you will have a license duration of (208 weeks 2 days) X 3 which is almost 12 years :hushed:.

Notice that in the show license output, it gives you the total period left of 604 weeks, which is the cumulative remainder of all three licenses.

Indeed, when the currently active license expires, it automatically rolls over to the next one. No need to do anything to get that to happen.

I hope this has been helpful!

Laz

1 Like

Hi Laz,

Very helpful - thank you :slightly_smiling_face:

1 Like

Hi all,

I’m hoping you may be able to help clarify regarding IOS-XE right-to-use lifetime license. We are using some routers with the license that is not permanent and are right-to-use. Reading Cisco EULA it reads that you need to purchase a perm license, even though you can continue to use all device features through cisco’s honour basis. Is it legal to continue to use the device in this state. what would happen if you continue to use them in a live production environment and you are audited? Most forums suggest you are okay to continue to use them in this state, however I read it as you do need to buy a permanent license.

The devices we are using are cisco asr1001-x and licence type are advent or advips

Hello Jason

Strictly speaking, if the RTU license has expired, you should not use it, and should purchase the appropriate license to cover your requirements. If an audit is performed, the existance of an RTU license being used beyon its expiry date can incur financial and legal penalties.

Now having said that, experience has shown that during such audits, (if and when they do occur) auditors are generally leniant with such violations. They will typically let them slide, with just a warning or a request to resolve the violation. This will also depend upon the level of the violation, if it is say just on two or three routers, it’s probably not even worth their time. If it is on, say 400 routers then it may be that they will respond with some penalty.

Most forums will have posts with people having various experiences, and usually there is no problem. However, strictly speaking, Cisco does have the right to move against anyone that is in violation. So really, you’ll have to decide on what level of risk you’d like to take, and what the cost of that risk is. Does that make sense?

I hope this has been helpful!

Laz

HI Laz,

thank you for replying the info you have provided is so helpful, I really appreciate this.

thank you so much.

all the best Jason.

I do have one additional question what if the RTU license is lifetime

sho license 
Index 1 Feature: adventerprise                  
        Period left: Life time
        License Type: RightToUse
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Low

Hello Jason

I’m glad to hear that you found the previous information helpful!

Concerning your question about the RTU license, if it shows Period left: Life time, it means that the license is permanent. It won’t expire and you can use the features associated with this license indefinitely on your device.

In this particular case, the adventerprise feature is under the RTU license, which means you can use the advanced enterprise features for the lifetime of the device.

Just remember, while the license is active and in use, it is not counted against any usage count, hence you see License Count: Non-Counted under License Count:.

I hope this has been helpful!

Laz

Brilliant thankyou again this is very helpful

1 Like