cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

200
Views
0
Helpful
17
Replies
khgrant
Cisco Employee

Best Practice for CSR1000v Smart licensing during Day0 or Day1.

 

All,

 

 

I need a reliable method to activate a smart license using a token on CSR1000v.

 

I’ve seen various approaches, mostly referencing Openstack.

 

My use case is on VMWare.

 

 

Activating a smart license doesn’t appear to be supported in the cisco-ios NED.

 

 

Curious how others are handling this in a production environment.

 

 

-Scott

 

1 ACCEPTED SOLUTION

Accepted Solutions
khgrant
Cisco Employee

 

Hi Scott,

 

Going back to your original question. The IOS Ned has an action to execute arbitrary commands in enable mode.

 

 

admin@ncs% request devices device 867-2 live-status ios-stats:exec any args "license activate bla bla"

 

result

 

license activate bla bla

 

  ^

 

% Invalid input detected at '^' marker.

 

 

866-2#

 

 

admin@ncs%

 

 

— but this particular ISR did not seem to support the command you mention

 

 

Stefano

 

View solution in original post

17 REPLIES 17
khgrant
Cisco Employee

Scott,

     I think you can include the token in the day-zero configuration that is used to launch the CSR.  I know ESC encodes the day-zero as an input for OpenStack using the API where the day-zero is represented as a config-drive.  I'm not sure if VMware has a means of including a day-zero configuration.  I presume there is a method using the OVF.

     Another option is to use PNP process on the CSR.  The CSR can call-home to the NSO and the NSO can respond with an 'on-boarding' configuration.  The configuration returned in the BODY of the HTTP POST could include the configuration which contains the token.

Scott W.

khgrant
Cisco Employee

 

Thanks for the information Scott.

 

The onboarding method w NSO seems like our best option.

 

I will do some homework on that.

 

 

If anyone on the list has been successful setting this up, please reach out.

 

khgrant
Cisco Employee

 

The default behavior of CSR call-home is to use DHCP to retrieve an IP address on the "WAN" interface.  The response provides the gateway address for default route, name-server, and IP address.  We will have to intercept the HTTP POST as the CSR will want to target devicehelper.cisco.com.  This could be a local DNS resolving 'devicehelper.cisco.com' to the NSO IP address.  The NSO has a package for on-boarding CPE.  The package is used in VMS, I'll see if this is something that can be extracted.  Perhaps, it is already included in the NFVO package.  I've been a strong proponent of pulling this piece out of VMS and creating a separate 'service' specifically for on-boarding.  I'm not sure automating this is important though as you're likely to spin the CSR up once for many partners. 

If that path doesn't play out quickly, I'm pretty sure that VMware will allow you to specify a file to attach to the CSR as a drive mounted during the boot process.  The day-zero config would be loaded with the token embedded in the file.

Finally, if we have on-boarded the CSR in NSO, you could simply push the config with token to the instance. 

Scott

 

khgrant
Cisco Employee

 

Hi Scott

 

Yes you can use the cisco-pnp package - no  extraction from anything needed. It can be used standalone for physical CPE, as well as for virtual ones. There is no dependency from NFVO package to cisco–pnp, but for example the vbranch package makes use of it together with nfvo (to onboard a new ENCS, not to boot up VNFs)

 

 

In general however you will need to set the config via a config drive or you will be limited to showing vCSR VNFs.

 

 

Stefano

 

khgrant
Cisco Employee

 

Hi Team,

 

 

May I expand the scope and ask for best practice to „release” the consumed Smart License before un-deploying a virtual appliance? I know that worst case after 90 days the Smart License Server will free the license of a non-responding device but looking for more agile solution.

 

 

Regards,

 

Gabor

 

khgrant
Cisco Employee

 

Hi!

 

 

In the NFVO component we have a feature called staged delete to address this exact issue. The staged delete functionality allows you to hook in code that executes between your service releases its VNFs and the deletion of the VMs in the VIM.

 

 

In this hook you can release licenses (and possibly other resources as well) before allowing the system to continue and delete the VMs.

 

 

Br,

 

Fredrik

 

khgrant
Cisco Employee

 

Hi Fredrik,

 

 

Do you have an example on how to hook the code that would release the license?

 

 

Thanks

 

Kali

 

khgrant
Cisco Employee

 

Yes, see the NFVO component bundle, it contains an example called tailf-nfvo-staged-delete-example.

 

 

Br,

 

Fredrik

 

khgrant
Cisco Employee

 

The default behavior of CSR call-home is to use DHCP to retrieve an IP address on the "WAN" interface.  The response provides the gateway address for default route, name-server, and IP address.  We will have to intercept the HTTP POST as the CSR will want to target devicehelper.cisco.com.  This could be a local DNS resolving 'devicehelper.cisco.com' to the NSO IP address.  The NSO has a package for on-boarding CPE.  The package is used in VMS, I'll see if this is something that can be extracted.  Perhaps, it is already included in the NFVO package.  I've been a strong proponent of pulling this piece out of VMS and creating a separate 'service' specifically for on-boarding.  I'm not sure automating this is important though as you're likely to spin the CSR up once for many partners. 

 

[Kali] I guess it should be possible to define ‘ip host’ entry in day0 configuration file of NSO to control the DNS resolution of ‘devicehelper.cisco.com’ to point to NSO, agree?

 

If the assumption is that I can control day0 configuration file of CSR1KV; what are the pros&cons between configuring license token in day0 configuration file vs. PnP?

 

If that path doesn't play out quickly, I'm pretty sure that VMware will allow you to specify a file to attach to the CSR as a drive mounted during the boot process.  The day-zero config would be loaded with the token embedded in the file.

Finally, if we have on-boarded the CSR in NSO, you could simply push the config with token to the instance.

 

Can I configure the license via NED or via day1 configuration file? I could not make it working this way. By ‘push the config’ you mean day1, right?

 

Thanks

 

Kali

 

khgrant
Cisco Employee

 

There are several entry points for configuration of license on the CSR:

 

 

1.  Assert the day zero configuration as a boot file:  day--1-config. It's not really a day zero since you actually have to preconfigure the file.  File delivered via mobile, flash drive, console,..

 

 

2.  Assert the configuration in response to the PNP HTTP POST to devicehelper.cisco.com (or redirect POST to NSO PNP server).  Redirect can be via DHCP options, DNS IP redirect, or HTTP 302 redirect

 

 

3.  Assert configuration via NSO push via the NED.

 

 

I am pretty sure any method could be used to insert the token used for licensing.

 

  Scott

khgrant
Cisco Employee

 

Option 3 is preferable but I don't see it available in the NED.

 

Hopefully I've missed something.

 

The license activate is not done in config mode, so I don't think it's represented by the allowed NED command structure.

 

From within config mode, it can be run interactively with "do license activate ......" but I've failed to see how to do it within the netconf template.

 

 

khgrant
Cisco Employee

 

Hi Scott,

 

Going back to your original question. The IOS Ned has an action to execute arbitrary commands in enable mode.

 

 

admin@ncs% request devices device 867-2 live-status ios-stats:exec any args "license activate bla bla"

 

result

 

license activate bla bla

 

  ^

 

% Invalid input detected at '^' marker.

 

 

866-2#

 

 

admin@ncs%

 

 

— but this particular ISR did not seem to support the command you mention

 

 

Stefano

 

khgrant
Cisco Employee

 

Stefano !!!!!

 

 

We have never met but you are on my xmas gift list now!

 

This is exactly what I’ve been searching for !!!!!

 

 

I will test this immediately and let you know.

 

 

Sincere thanks for the help.

 

 

-Scott

 

khgrant
Cisco Employee

 

Stefano , Arkadiusz ,

 

 

Looking around last night at this , I discovered a new option I’m pursuing.

 

Within the cisco-ios NED there is a command option <exec>.

 

Using John Mullooly’s labs as a reference , I’m able to execute the following interactively with success.

 

 

admin@ncs(config)# devices device testrtr config

 

admin@ncs(config-config)# exec “DO License Register ……”

 

 

The last important piece is whether or not the <exec> tag can be used in a template.

 

So far, I’m unsuccessfully.

 

 

BTW: If there is another alias more appropriate for this conversation, please let me know.