Re: Use event manager to install licenses Cisco 1111-8p

jens.petter.johansen · ‎03-02-2020

I am looking for some help in how to solve the instalation of licenses on the Cisco 1111-8p router

We are primarly using a provisioning system to send configuration to the router.

The system will log in to the unit, and copy down the running config file and save it to startup config + reboot router

This is a push and forgett system, so when the router comes up the system has another state and do not talk to the router.

But, I still have to install the:

securityk9 and hseck9 licens, and that involves some reboots to achive a full instalation, in essens two more reboots

First thing I was thinking about was to use EMM to do this for me, but I have now tested and I am not able to get this working, not even close... I was hoping somebody had done something similar and could help

PS, we are using a smart server instance to install licenses from, so I have a call-home function on the router, that and I am registring with the server like this

service call-home
ip host xxxxxxxx 1.2.3.4

call-home
source-ip-address "loopback-ip"
no http secure server-identity-check
profile "CiscoTAC-1"
active
anonymous-reporting-only
destination transport-method http
no destination transport-method email
destination address http http://xxxxxxxxx/Transportgateway/services/DeviceRequestHandler
no destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

license smart enable

do licens smart register idtoken 128471230847812098+1238+12412\4I&"/(&")(/"=¤(?

this will registre with the server instance:
then:
license boot level securityk9
reboot
license feature hseck9
platfor hardware crypto througput un-unthrottled
and again reboot

I want to be able to somehow make these reboot and commands between them to happen with no intervention from user

Or, if somebody have a better idea, I am all open.

Dan Frey · ‎03-03-2020

I think something like this may work. Device initially boots up into IPBASE license and line actions 040 to 170 are executed and device reboots. When device comes back it has security license installed now HSEC license will be installed with line action 200 - 300; EEM policy deregisters its self, config is saved and device reboots.

event manager applet licenseManager

event timer countdown time 90 maxrun 60

action 010 cli command "enable"

action 015 cli command "show ver | inc License Level:"

action 030 regexp "License Level: ([a-zA-Z]+)" $_cli_result match LICENSE

action 040 string equal $LICENSE ipbase

action 050 if $_string_result eq 1

action 060 cli command "conf t"

action 080 cli command "license smart enable"

action 090 cli command "do license smart register idtoken TOKEN"

action 100 wait 30

action 110 cli command "license boot level secuirtyk9"

action 130 cli command "end"

action 140 syslog msg "Security license will be installed after reboot"

action 150 cli command "wr"

action 160 reload

action 170 end

action 200 string equal $LICENSE security

action 210 if $_string_result eq 1

action 220 cli command "conf t"

action 230 cli command "license feature hseck9"

action 240 cli command "platfor hardware crypto througput un-unthrottled"

action 250 cli command "no event manager applet licenseManager"

action 260 syslog msg "HSEC license will be installed after reboot"

action 270 cli command "end"

action 280 cli command "wr"

action 290 reload

action 300 end

jens.petter.johansen · ‎03-06-2020

thanks for input.

I am trying to understand what you are trying to achive with line 015 "action 015 cli command "show ver | inc License Level:"

under show version on my Cisco 1111-8p with 16.9.4, there is no line for "License Level" match.

Is the target here to look and see if ipbase is installed?

show version from my 1111

lab-lisens-r1#sh ver
Cisco IOS XE Software, Version 16.09.04
Cisco IOS Software [Fuji], ISR Software (ARMV8EB_LINUX_IOSD-UNIVERSALK9_IAS-M), Version 16.9.4, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Thu 22-Aug-19 17:25 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2019 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON

lab-lisens-r1 uptime is 19 minutes
Uptime for this control processor is 21 minutes
System returned to ROM by Reload Command at 09:43:29 CET Fri Mar 6 2020
System restarted at 09:46:43 CET Fri Mar 6 2020
System image file is "bootflash:c1100-universalk9_ias.16.09.04.SPA.bin"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Suite License Information for Module:'esg'

--------------------------------------------------------------------------------
Suite Suite Current Type Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9 None None None
securityk9
appxk9

Technology Package License Information:

-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
appxk9 None None None
securityk9 None None None
ipbase ipbasek9 Permanent ipbasek9

The current throughput level is unthrottled

Smart Licensing Status: Smart Licensing is DISABLED

cisco C1111-8PLTEEA (1RU) processor with 1452854K/6147K bytes of memory.
Processor board ID FCZ2342C3JQ
2 Virtual Ethernet interfaces
10 Gigabit Ethernet interfaces
4294966432 terminal lines
2 Cellular interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
2863103K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102

Dan Frey · ‎03-06-2020

Yes, line 015 is to identify what license is currently installed. I got that output from a CSR1kv that was already registered to a smart license server. I see when the device is not smart licensed the output of that command does not have "License level" as you stated below. " License level". should be present after the device is registered with smart license server. To address this update these two lines:

action 040 string equal $LICENSE security

action 050 if $_string_result eq 0

The first time EEM runs the security license should not be present so lines 040 to 170 will run. After security license is installed via smart license server lines 200 - 300 will be executed.