Cisco Smart Licensing behind Transparent Proxy w/ SSL decryption (Satellite vs TG)

I hope this is the right discussion board. I have the following query.

We are looking to onboard our devices using the Smart Licensing model - the majority of the licenses have now been migrated to SL (from traditional PAKs). Now, here's the challenge I am facing. In our environment Internet is offered from central and local (DIA) locations. In all cases it traverses WSA using transparent interception (PBR). We also decrypt SSL traffic and then re-encrypt using our internal Root CA. It works fine up to the point when non-domain devices have to go outside.

Network infrastructure accessing the Smart Licensing portal is the use case. It won't work because switches and routers won't trust the certificate presented by WSA (internal PKI). What is the best and easiest solution to this?

I was thinking about a few available options:

  • Bypass proxy for traffic coming from network devices and/or to the Cisco Smart License portal
    • Very hard to bypass all management IP addresses - OAM nightmare, so bypassing based on the source is not an option
    • I am not sure what the Smart License IP addresses are, therefore I cannot bypass by destination. Also, I assume it will be a range of IP addresses which might change in future as it's a cloud service (unless Cisco uses anycast) - can't find any information around this
  • Manually adding our internal Root CA to each device's trustpool
    • Not sure if this will work at all, and it's quite tedious
  • Deploy Transport Gateway. This one seems like the easiest option. However, according to the configuration guide I have to specify an HTTP(S) proxy in the configuration. Is this a mandatory requirement? If I do not specify an HTTP(S) proxy in TG's config, will it still proxy requests from devices directly to the Internet? If so, this is ideal, as I can bypass TG's IP address from SSL inspection and then configure Call Home on every device to use TG - they will trust its certificate as it will download the Cisco Licensing Root CA once registered. Anyone deployed it before?
  • Deploy Smart License Manager Satellite. This is another option, but the concerns are the same as with Transport Gateway.

Anyone from Cisco to offer some help here?

My Catalyst 9500 24Y4C switches are running in Eval at the moment (50 days left) and I don't want to have a bad morning in less than two months' time. Also, I am scared to upgrade my C9Ks and C3Ks to anything newer than Fuji 16.8... as starting from 16.9 Smart License is the only supported one.


Thanks
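For the "add our internal Root CA to each device" option raised in the post above, here is an added IOS XE configuration example (not from the original post or from Cisco documentation) showing how an internal Root CA is imported as a PKI trustpoint and how the Call Home profile used by Smart Licensing is checked afterwards. The trustpoint name INTERNAL-ROOT-CA and the contact address are placeholders; the assumption being tested is that the device's HTTPS client will accept the WSA re-signed certificate once the issuing internal Root CA is authenticated on the box, which the trailing show commands verify rather than take for granted.

```cisco
! --- Configuration mode ---
! Create a trustpoint for the internal Root CA that signs the
! certificates the intercepting proxy presents. The CA certificate
! is pasted at the terminal, so no outbound connection is needed
! for the import itself.
crypto pki trustpoint INTERNAL-ROOT-CA
 enrollment terminal
 revocation-check none
 chain-validation stop
exit

! --- Exec mode ---
! Paste the Base64 body of the internal Root CA certificate when prompted,
! then type "quit"; confirm the fingerprint against the PKI team's record.
crypto pki authenticate INTERNAL-ROOT-CA

! --- Configuration mode ---
! Call Home profile that carries Smart Licensing traffic over HTTPS.
call-home
 contact-email-addr netops@example.com
 profile CiscoTAC-1
  active
  destination transport-method http
  reporting smart-licensing-data
exit

! --- Exec mode: verification ---
! Confirm the trustpoint holds the CA certificate, that the profile is
! active over HTTP(S), and whether registration now succeeds.
show crypto pki trustpoints
show crypto pki certificates INTERNAL-ROOT-CA
show call-home profile CiscoTAC-1
show license status
```

If `show license status` still reports a registration failure after the import, capture the error text from `show call-home profile CiscoTAC-1` before trying the Transport Gateway route: a certificate-validation error points at the trust chain, while a connectivity error points at the interception path itself.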
