Cisco is rolling out its new Smart Licensing System (Cisco FAQ), which looks very concerning because it will give the keys to your Cisco device to Cisco.
For the new IOS XE version, 16.9 and later, beginning with the Catalyst 3650, 3850, and Catalyst 9000 series switches, devices will be required to connect to the internet daily, using the call home feature, to reach Cisco’s entitlement system and validate licensing. That takes the license entitlement off the devices and onto Cisco’s servers. Licenses now become subscription-based instead of perpetual.
Smart Licensing Basics
There is a hierarchy that starts with the organization (ORG). A company can have one ORG, and it is essentially the domain name of your organization, for example xyz-tech.com. This is important to note unless you have different domains for various companies within your larger organization.
So with the top-level ORG, you have one or more administrators of the organization who have total rights to the smart licensing ORG. They can add users to the ORG and assign rights to them. It is important to know who those users are in a company, as their Cisco Connect Online identification (CCO ID) is tied to the organization.
If you had one administrator and he or she leaves, then you would not have any administrators left in your company. In the event of staffing changes, this also means that there is a new bit of cleanup needed.
Users can be added to an ORG either manually by an administrator, or they can request access to smart licensing by going to http://software.cisco.com. They log in using their CCO credentials and click on the link to request access to an existing smart account. This kicks off a workflow, and an email is sent to all administrators of the ORG to approve.
Roles and Structure
In smart licensing, you have four definable roles:
- Smart account user,
- Smart account administrator,
- Smart account approver and
- User or administrator over a specific virtual account.
Smart account users: Manage assets within the organization and all virtual accounts, but cannot add or delete virtual accounts or manage user access. Users with this designation can see all licenses for the organization.
We have the ORG, and beneath it are items called virtual accounts, which can be used to organize and manage licenses.
The virtual account is the last leaf node in the hierarchy. You cannot nest a virtual account inside of another virtual account. Virtual accounts also work as a demarcation for security of licenses. There are no divisions in smart licensing, so virtual accounts take on this role. For large organizations, one can get creative with virtual accounts to suit most needs.
Infrastructure is the next building block for smart licensing to work: each device needs to have access to the smart licensing system. There are three possible connection models, each with its own benefits and drawbacks.
- Any server can connect to the internet model:
This is the preferred model as it has most of the benefits. A drawback of this model is security: some servers may otherwise have no need to access the internet. It is important to know that this is not the internet accessing the servers; it is the server being allowed to connect out over the internet to the Cisco smart licensing infrastructure over SSL. This allows the server to sync to the smart licensing platform, keeping license usage and other things up to date.
- Server can have the smart license virtual appliance model:
This acts as a smart licensing proxy where the internal machines connect to it and then it connects to the internet. This is a more secure option if you don’t want to allow all devices access out to the internet.
- Proxy server with sneaker-net model:
Instead of allowing the proxy server out to the internet, we can manually update the appliance with a file upload/download method from Cisco. This method is the most secure, but you have to maintain it manually.
The final part is the token. The token lets the smart licensing server sync with the devices and their licenses.
Suppose we have a vCUSP 5-session license in our smart license account. From the licensing portal, create a token and assign it to one of the vCUSP 5-session licenses available to the user in the portal.
In the vCUSP licensing section, tell the server how to get to the smart licensing server, and then provide the token ID that was created. The server communicates with the licensing server and uses that token to authenticate itself and get the entitlements it has available to it.
If you need more, say, 10 sessions, simply revoke the five-session token and create a new token assigning two five-session licenses to that token. Then from the device put in the new token ID and have it go out and re-license itself, giving it more sessions. Devices communicate back to the server every 90 days unless a manual license sync is done.
How It Works
Let’s put everything together, taking different needs into consideration.
For a small company with a small IT department, everyone might be an administrator of the ORG. We may choose not to use virtual accounts and let all licenses just fall into the default virtual account.
For a medium-size company, you may still want to have everyone operate as an ORG administrator but also use virtual accounts to hold licenses of certain types.
For instance, you might create networking, security and unified communications virtual accounts to place licenses into. This reduces the clutter of finding licenses in a sea of entitlements. Any ORG administrator can see all virtual accounts and can browse and use any licenses that the company owns.
Medium/large/enterprise-size companies may wish to have certain ORG admins and then create the virtual account hierarchy that fits their needs.
Take a departmental structure as an example. Suppose the company is international: since we cannot nest virtual accounts, choose to make US-UC, EU-UC and EMEA-UC virtual accounts. In each virtual account, put the licenses for each region, and assign virtual account administrators from the various regions. Those administrators can, in turn, assign users to their virtual account, allowing them to use the licenses and see the licenses they have access to.
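An access-review sketch for the hierarchy described above, added here as an example and not taken from Cisco's tooling: it models the ORG-wide and virtual-account roles, computes which virtual accounts a CCO ID can see, and reports the administrator gaps left when someone departs (the single-administrator case raised earlier). The roster layout, the sample CCO IDs and the two-administrator floor are assumptions.

```python
from collections import defaultdict

# Role names follow the article; this record layout is an assumption.
ORG_ADMIN, ORG_USER = "smart-account-administrator", "smart-account-user"
VA_ADMIN, VA_USER = "virtual-account-administrator", "virtual-account-user"

VIRTUAL_ACCOUNTS = ["US-UC", "EU-UC", "EMEA-UC"]
# Constructed roster: (CCO ID, role, virtual account or None for ORG-wide roles).
ROSTER = [
    ("alice", ORG_ADMIN, None),
    ("alice", VA_ADMIN, "EMEA-UC"),
    ("bob", ORG_USER, None),
    ("carol", VA_ADMIN, "US-UC"),
    ("dave", VA_USER, "US-UC"),
    ("erin", VA_ADMIN, "EU-UC"),
    ("frank", VA_ADMIN, "EU-UC"),
]


def visible_accounts(cco_id, roster, virtual_accounts):
    """Virtual accounts whose licenses this CCO ID can see."""
    roles = [(role, va) for who, role, va in roster if who == cco_id]
    if any(role in (ORG_ADMIN, ORG_USER) for role, _ in roles):
        return sorted(virtual_accounts)  # ORG-wide roles see every license
    return sorted({va for role, va in roles if role in (VA_ADMIN, VA_USER)})


def offboarding_review(departed, roster, virtual_accounts, min_admins=2):
    """List assignments to revoke and the admin gaps left afterwards."""
    stale = [entry for entry in roster if entry[0] in departed]
    remaining = [entry for entry in roster if entry[0] not in departed]
    org_admins = {who for who, role, _ in remaining if role == ORG_ADMIN}
    va_admins = defaultdict(set)
    for who, role, va in remaining:
        if role == VA_ADMIN:
            va_admins[va].add(who)
    findings = []
    if len(org_admins) < min_admins:  # min_admins is an assumed policy floor
        findings.append(("ORG", f"{len(org_admins)} administrator(s) remain"))
    for va in virtual_accounts:
        if not va_admins[va]:
            findings.append((va, "no virtual account administrator"))
    return stale, findings


if __name__ == "__main__":
    stale, findings = offboarding_review({"alice"}, ROSTER, VIRTUAL_ACCOUNTS)
    print("revoke:", stale)
    print("gaps:", findings)
    print("dave sees:", visible_accounts("dave", ROSTER, VIRTUAL_ACCOUNTS))
```

Running the review with an empty `departed` set also flags this sample ORG, since it has only one smart account administrator to begin with.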
More Issues to Address
From the unified communications perspective, Cisco Unified Workspace Licensing (CUWL/CUWL Pro) has many issues with the licensing model.