I would highly recommend getting all of your Cat9K devices to 17.12.4 if you're not already on that release. Let's leave older IOS-XE (16.12) out of this discussion for now. My journey with Smart Licensing has been a miserable and tedious one. In the beginning (before I heard DNAC can help with this) I started out lovingly SSH'ing to every device and pasting the 'call-home' config into each device, and ensuring that the Inventory in On-Prem SSM reflected the device. Then a colleague told me that DNAC could handle this at scale. It's true - it can. But here are some facts that apply to customers who have Catalyst devices, On-prem SSM, and a DNAC:
- On-prem SSM is no longer required when you have SLUP capable IOS-XE devices, but you must configure DNAC into Smart Proxy Mode - this turns DNAC into a licensing gateway box - In this mode DNAC logs into (SSH I think) IOS-XE SLUP devices and fetches files and then uploads them to the cloud on your behalf (proxy). Here's the kicker - if you have SLUP devices, then you MUST either run DNAC in Proxy Mode, or Direct Mode or else you can't manage SLUP devices in DNAC itself - in other words, you must change the mode from On-Prem SSM to one of the others - and then you suddenly have features in DNAC to manage the SLUP devices. There is a conversion process that DNAC can handle for you, and you have to convert all your devices to use the new world. But here's what they don't tell you
- The comms between devices and DNAC can fail if the devices check the CRL of the DNAC certificate (since this is https traffic) - ensure that you have provisioned your devices with CRL none
- If you have Cat9K's with VRFs and many interfaces, then check that you always configure the specific source interface and VRF (BTW, VRF support gets better in newer releases ... and was quite broken before 17.9.6)
- In line vty, do not turn off the output transport (DNAC uses this to initiate SCP for SWIM operations)
Smart Proxy Mode is great and IOS-XE 17.3.2 and later device use SLUP - you can ignore/delete the 'call-home and 'license smart transport' commands in the show run, because SLUP uses HTTPS mechanisms to transport a little file from the flash to DNAC. But as mentioned above, you must ensure that devices can talk securely to DNAC for this to happen.
Older devices still using call-home, that are not SLUP compatible but support smart transport can be converted through DNAC GUI to have their config changed to use DNAC as their gateway. Luckily DNAC will provision its enterprise IPv4 address into the 'license smart url' URL so you don't have to faff around with DNS resolution (which was the bane of my life with call-home, because I had to resolve the FQDN of the on-prem SSM on my devices). The only gotcha I found with this one is that you have to sometimes tell the IOS-XE devices which source interface to use for https comms, as well as VRF (if applicable) - DNAC cannot do this for you because it's not clever enough to make that decision. And again, in this mode, the call-home section of the config is no longer used.
The long story short, is that 17.12.4 made my life easier, because DNAC/CatCenter was finally happy with this release and seems to manage the devices really well in Proxy Mode.
if you decide that you don't want DNAC to be your Licensing middle man, then you can manually configure your SLUP devices to talk to your on-prem CSSM in CSLU mode. Ensure that your on-prem has the CSLU enabled (all the latest versions have this) and then use 'license smart transport cslu' and the corresponding URL that points to your on-prem - but beware of CRL checks, VRF hurdles and DNS resolution (if the URL contains FQDN). Of the hours I have wasted on this ...
I think On-prem SSM will stay around for a while, since many other Cisco products talk to it (ISE, Prime, FMC, etc.)
