
DNAC And SSM

NETAD
Level 4

Hello, can someone give me the procedure to point devices in DNAC to Cisco Smart Software Manager on prem smart licensing server?

 

Thanks

7 Replies

Mohamed Alhenawy
Spotlight

Hello @NETAD 

Hopefully, you are doing well!

Please find this procedure as per the DNA guide:

Set Up License Manager

You must set up access to your Cisco Smart Account before you can use the Cisco DNA Center License Manager tools.

Before you begin

  • Ensure that you have SUPER-ADMIN-ROLE permissions and the appropriate RBAC scope to perform this procedure.

  • Collect the Cisco user ID and password for your Smart Account.

  • If you have one or more Smart Accounts: Select the Smart Account that you want to use with Cisco DNA Center, and collect that account's user ID and password.

  • To enable a Smart Account, Cisco DNA Center must have reachability to tools.cisco.com.

  • To apply licenses to a device in Cisco DNA Center, the device must be present in Inventory, must have a site assigned to it, and must have reachability to tools.cisco.com.


Step 1: Log in using a Cisco DNA Center system administrator username and password.

Step 2: Choose  > System Settings > Settings > Cisco Credentials.

Step 3: Under Cisco.com Credentials, enter the username and password for your Smart Account.

Step 4: To access your Smart Account using a virtual or subordinate Smart Account name and password, under Link Your Smart Account, choose:

  • Use Cisco.com user ID if your cisco.com and Smart Account credentials are the same.

  • Use different credentials if your cisco.com and Smart Account credentials are different, and then enter your Smart Account credentials.

Step 5: Click View all virtual accounts to view all virtual Smart License Accounts.

Step 6: Click Apply.

Hi Mohamed, is this procedure for if you have an on prem satellite server? Do we still need to configure the switches via a template? 

 

 

for instance: 

 

on prem ssm configuration:
!
enable
configure terminal
call-home
profile name <>
destination transport-method http
destination address http url <>
active
exit
!
end
!


load license
!
enable
configure terminal
license boot level license_level
write memory
end
show version
configure terminal
reload
end
!
show version
!

 

and what about the token piece? Do we generate one and apply it somewhere in DNAC? 

Andrew Woolman
Level 1

Hope you worked this out. You need to go into the API module on the On-Prem licencing server and Create Client Credentials, which generates the ClientID and Client Secret that you need to enter into DNA under SSM Connection Mode, On Prem-CSSM.

This doesn't seem to be documented anywhere.

Arne Bier
VIP

Thanks @Andrew Woolman 

 

I don't understand why every Cisco product has such a widely differing approach to how Smart Licensing is configured. It's utterly astounding. DNAC is just the most (unnecessarily) complicated piece of equipment I have had to deal with. Makes something simple like registering licenses with SSM very hard. Why can't DNAC just talk to the SSM and have some trusted comms channel to exchange data (perhaps using Cisco signed CA) to talk Cisco-Cisco? The only creds we should provide are perhaps a username and a login. But asking the user to set up the API stuff is one step too far.

It's 2025 and I still see no updated documentation for this process.

Preston Chilcote
Cisco Employee

@Charles V There's no need to configure Smart License after IOS 17.3.2. It has been replaced with Smart License Using Policy (SLP) (which, despite the similar name, works differently). Look for documentation (especially YouTube videos) on Smart License Using Policy. It's especially easy to deploy if you have Catalyst Center deployed.

 

 

 

I would highly recommend getting all of your Cat9K devices to 17.12.4 if you're not already on that release. Let's leave older IOS-XE (16.12) out of this discussion for now.  My journey with Smart Licensing has been a miserable and tedious one. In the beginning (before I heard DNAC can help with this) I started out lovingly SSH'ing to every device and pasting the 'call-home' config into each device, and ensuring that the Inventory in On-Prem SSM reflected the device. Then a colleague told me that DNAC could handle this at scale.  It's true - it can. But here are some facts that apply to customers who have Catalyst devices, On-prem SSM, and a DNAC:

- On-prem SSM is no longer required when you have SLUP capable IOS-XE devices, but you must configure DNAC into Smart Proxy Mode - this turns DNAC into a licensing gateway box. In this mode DNAC logs into (SSH I think) IOS-XE SLUP devices and fetches files and then uploads them to the cloud on your behalf (proxy). Here's the kicker - if you have SLUP devices, then you MUST either run DNAC in Proxy Mode or Direct Mode, or else you can't manage SLUP devices in DNAC itself - in other words, you must change the mode from On-Prem SSM to one of the others - and then you suddenly have features in DNAC to manage the SLUP devices. There is a conversion process that DNAC can handle for you, and you have to convert all your devices to use the new world. But here's what they don't tell you:

  • The comms between devices and DNAC can fail if the devices check the CRL of the DNAC certificate (since this is https traffic) - ensure that you have provisioned your devices with CRL none
  • If you have Cat9K's with VRFs and many interfaces, then check that you always configure the specific source interface and VRF (BTW, VRF support gets better in newer releases ... and was quite broken before 17.9.6)
  • In line vty, do not turn off the output transport (DNAC uses this to initiate SCP for SWIM operations) 

Smart Proxy Mode is great and IOS-XE 17.3.2 and later devices use SLUP - you can ignore/delete the 'call-home' and 'license smart transport' commands in the show run, because SLUP uses HTTPS mechanisms to transport a little file from the flash to DNAC. But as mentioned above, you must ensure that devices can talk securely to DNAC for this to happen.

Older devices still using call-home, that are not SLUP compatible but support smart transport can be converted through DNAC GUI to have their config changed to use DNAC as their gateway. Luckily DNAC will provision its enterprise IPv4 address into the 'license smart url' URL so you don't have to faff around with DNS resolution (which was the bane of my life with call-home, because I had to resolve the FQDN of the on-prem SSM on my devices). The only gotcha I found with this one is that you have to sometimes tell the IOS-XE devices which source interface to use for https comms, as well as VRF (if applicable) - DNAC cannot do this for you because it's not clever enough to make that decision. And again, in this mode, the call-home section of the config is no longer used.

The long story short is that 17.12.4 made my life easier, because DNAC/CatCenter was finally happy with this release and seems to manage the devices really well in Proxy Mode.

If you decide that you don't want DNAC to be your Licensing middle man, then you can manually configure your SLUP devices to talk to your on-prem CSSM in CSLU mode. Ensure that your on-prem has the CSLU enabled (all the latest versions have this) and then use 'license smart transport cslu' and the corresponding URL that points to your on-prem - but beware of CRL checks, VRF hurdles and DNS resolution (if the URL contains FQDN). Of the hours I have wasted on this ...

I think On-prem SSM will stay around for a while, since many other Cisco products talk to it (ISE, Prime, FMC, etc.)
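
The device-side gotchas listed in the post above can be checked offline against a saved running-config. This Python audit is an added example, not code from any poster or from Cisco; the sample config, trustpoint name, profile name and URL are constructed, and `revocation-check none` and `ip http client source-interface` are assumed to be the IOS-XE commands behind the post's "CRL none" and "source interface" points.

```python
# Constructed sample running-config fragment (not taken from the thread).
SAMPLE_CONFIG = """\
crypto pki trustpoint EXAMPLE-TP
 revocation-check crl
!
call-home
 profile EXAMPLE-PROFILE
!
license smart transport cslu
license smart url cslu https://onprem.example.invalid/placeholder
!
line vty 0 4
 transport output none
!
"""

def parse_sections(config):
    """Group indented IOS-XE lines under their top-level parent line."""
    sections = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line)
    return sections

def audit(config):
    """Return (licensing transport mode, findings) for the thread's gotchas."""
    sections = parse_sections(config)
    heads = [head for head, _ in sections]
    findings = []
    for head, kids in sections:
        if head.startswith("crypto pki trustpoint ") and "revocation-check none" not in kids:
            findings.append(f"{head.split()[-1]}: revocation check still enabled")
        elif head.startswith("line vty") and "transport output none" in kids:
            findings.append(f"{head}: transport output disabled")
        elif head == "call-home":
            findings.append("call-home: legacy block present (unused with SLUP)")
    if not any(h.startswith("ip http client source-interface ") for h in heads):
        findings.append("no explicit 'ip http client source-interface'")
    modes = [h.split()[-1] for h in heads if h.startswith("license smart transport ")]
    return (modes[0] if modes else None), findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Run over the sample, it reports the `cslu` transport mode and four findings, one per gotcha; VRF selection is not checked because it depends on the device's interface layout.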

 
