cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
56131
Views
116
Helpful
19
Replies
Highlighted

ASR 1000-X series licenses.

Dears,

I need help to understand the AR 1000 licenses.

1) What is the main advantage of the IPSec license (FLASR1-IPSEC-RTU), can the Encryption work without it?

2) I have understood that ordering a Cisco ASR 1000 Advanced IP Services License  (ASR SLASR1-AIS) should have the encryption enabled, if this is correct, why i need to purchase the IPSec license?

3) what is the difference between the Advanced IP Service and Advanced Enterprise Service licences ? Cisco only specifies that the AIS is same to AES but doesn't include "older protocols?

4) I have understood that RTU license is embedded in the Router, does this means that accepting EULA will enable it, but for example if i didn't purchase the IPSec license and then accept the EULA, it will be an evaluation license what will happen when the evaluation period finish?

Regards,

Muhannad

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

IP Services includes the lPSec licence.  Buy it again would leave you with two copies of it.  A waste of money.

View solution in original post

19 REPLIES 19
Highlighted
Advisor

1. Enables IPSec VPN support.

2. As I understand it, Advanced IP Services includes the IPSec licence above.

3. As I understand it, adds support for protocols you wont see any more, like DECNET, etc.  They are legacy protocols.

4. When the evaluation runs out those features stop working.

Check out this licence feature comparison.

http://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/qa_c67-452124.html

Description

Details

Cisco ASR 1000 Series RP1/2 IP Base without Cryptography

Includes only basic IP features: IPv4 and IPv6 basic services and standard routing protocols

  No Secure Shell (SSH) Protocol
  No crypto
  No older protocols
  No Systems Network Architecture (SNA) switching
  No broadband or Cisco Intelligent Services Gateway (ISG) features
  No Layer 3 or Layer 2 VPN features
  No security features

Cisco ASR 1000 Series RP1/2 IP Base

Includes only basic IP features and SSH, but:

  No crypto
  No older protocols
  No SNA switching
  No broadband or ISG features
  No Layer 3 or Layer 2 VPN features
  No security features

Cisco ASR 1000 Series RP1/2 Advanced IP Services without Cryptography

Includes all features and session border controller and lawful intercept, but:

  No crypto
  No older protocols
  No SNA switching

Cisco ASR 1000 Series RP1/2 Advanced IP Services

Includes all features and session border controller and lawful intercept, but:

  No older protocols
  No SNA switching

Cisco ASR 1000 Series RP1/2 Advanced Enterprise Services without Cryptography

Includes all features and older protocols, session border controller, and lawful intercept, but:

  No crypto
  No SNA switching

Cisco ASR 1000 Series RP1/2 Advanced Enterprise Services

Includes all features and older protocols, session border controller, and lawful intercept, but:

  No SNA switching
Highlighted

Dear Philip,

 

Thanks for your response.

I am still confused regarding the following:

If i have purchased the Cisco ASR 1000 Series RP1/2 Advanced IP Services which includes all features, do i still need to purchase the IPSec license if i need to configure VPN in my ASR Routers?

 

I have understood from the following that after selecting the suitable IOS XE, i should add the required software license of this feature, which mean that i should add the IPSec license:

First, select a Cisco IOS XE Software consolidated package that supports the required features. Second, check whether this feature requires a software license. If it does, you must purchase the required license in addition to the Cisco IOS XE consolidated package. The consolidated package and license are linked to the chassis.

 

Please let me know if i am understaning the issue correctly or not?

 

Regards,

Muhannad

Highlighted

Correct, you do not need to buy an IPSec licence.

Highlighted

Dear Philip,

 

Ref to Cisco Documnetations:

First, select a Cisco IOS XE Software consolidated package that supports the required features. Second, check whether this feature requires a software license. If it does, you must purchase the required license in addition to the Cisco IOS XE consolidated package. The consolidated package and license are linked to the chassis.

 

Which mean i should purchase the IPSec license along with the IP services IOS XS, this is what i have understood?

 

Regards,

Muhannad

Highlighted

IP Services includes the lPSec licence.  Buy it again would leave you with two copies of it.  A waste of money.

View solution in original post

Highlighted

Thanks Philip,

You made it clear for me.

I think I have left with only one question:

We only need the IPsec license if we are having IP base software, correct?

Regards,

Muhannad

Highlighted

If you have IP Base then yes, you need to buy the IPSec licence.

Highlighted

This is incorrect. You still need the IPSec license in addition to IP Services or Enterprise Services to use 3DES or AES encryption.

The following is an up to date ordering guide:

http://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/guide-c07-731639.html

Example 13 is for a secure WAN router. It needs an advanced IOS feature set, IPSec license and a firewall license.

Most ASR1k licenses are honor-based so are not enforced by the router however you need to purchase licenses for the features you use to be compliant.

Highlighted

***************************************************
THIS INFORMATION IS INACCURATE - SEE BELOW
***************************************************
For everybody googling and landing on this community post when researching whether you need a separate IPSec license even if you have Adv IP Services or Adv Ent Services licenses - the answer is "YES". You do need an separate IPSEC LICENSE SKU to be compliant and adhere to the honor system. The licenses themselves are RTU - which means that even if you purchased the IPSec license there is no application of a PAK / license key to the device for this to work. Take it from a guy has been there and learned it the hard way on 5x ASRs and still don't have a t-shirt to show off.
Highlighted

Cisco licensing is so confusing !! Anyway, I'm after the following:

 

  • Cisco ASR 1001-X Chassis with 16GB DRAM
  • module - for WAN presented UTP links from provider
  • module - for 10Gbps backbone links via UTP
  • IOS that can support basic IP feature SSH, SNMP, OSPF, IPsec over GRE tunneling

Any recommendation for me @ugot2nome  ?

Highlighted

https://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/guide-c07-731639.html#_Toc516199255

The IOS is Universal but you will need the Advanced Enterprise License to turn on some of the Service Provider functionalities along with the RTU entitlement licenses. In the above linked document - see Example 5 and Table 23 as an example but some of these are platform specific. Bottom line - identify number of 1/10GB ports, features needed and then size the box appropriately.

The safest bet is to open a Cisco TAC support ticket and route it to the License group with your questions.

Highlighted

Hi, I noticed that "No Systems Network Architecture (SNA) switching" (DLSW) is listed as not support in any ASR Technology package, IP Base, AIS or AES. Is DLSW  just not supported, or is an additional feature license needed (with any of the 3 technology packages?), if so which one.

 

Thanks

Mick Russell 

Highlighted
Beginner

Leaving this here in case someone else runs into the same issue as me.

 

Concerning the RTU and EULA acceptance, I ran into an odd issue with IWAN when adding a site.

 

APIC didn't accept my ASR router being added into IWAN inventory at first. It gave a warning about ipsec license not being present. I made sure all the 'license boot level' type commands were in there. No PAK file to install, so that wasn't needed. What did it was the 'license right-to-use move ipsec' command. It complained about EULA not being accepted, but the 'license accept end user agreement' command didn't do anything. APIC let me go ahead and add the router and then provision it as normal, anyway. SUCCESS!

 

>enable

#license right-to-use move <feature_name>

Highlighted
Cisco Employee

The answer marked solved above is incorrect as others have noted. The IP Services image does include the IPSec encryption features. But you still need to purchase the FLASR1-IPSEC-RTU license in order to USE it.

 

In short you must purchase IP Services + IPSec-RTU.

 

Hope that helps.

Content for Community-Ad