Ask Me Anything - Introduction to Smart Licensing on Catalyst Switches - Page 2

ciscomoderator · ‎07-29-2020

This topic is a chance to clarify your questions about smart licensing on Cisco Catalyst switches, including 9000 (9200, 9300, 9400, 9500, 9500H, and 9600 Series) and 3000 (3650 and 3850 Series) switches. Cisco experts will review and clarify the benefits, basic concepts, considerations, different types of registrations, and general FAQs. In addition, a live demonstration on how to register a license with a Cisco server will be provided.

To participate in this event, please use the button below to ask your questions

Ask questions from Thursday, July 30 to Friday, August 7 2020

Featured Expert

Luis Celis is a Technical Consulting Engineer on the Enterprise Routing & Switching team at Cisco’s Technical Assistance Center in Mexico. He provides top-level technical support for global customers with Catalyst 9000 and 6800 switches. Previously, he collaborated with the Service Provider team. Before joining Cisco, he worked with Ericsson solving customers challenges and providing solutions for massive network optimizations. Luis holds a bachelor’s degree in Communications and Electronics Engineering from the Instituto Politecnico Nacional (IPN) in Mexico.

Luis might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Switching category.

Find further events on https://community.cisco.com/t5/custom/page/page-id/Events?categoryId=technology-support

Do you know you can get answers before opening a TAC case by visiting the Cisco Community.

**Helpful votes Encourage Participation! **
Please be sure to rate the Answers to Questions

ciscomoderator · ‎07-31-2020

Is there an IPv6 endorsed set of config guidance?

andresfr · ‎07-31-2020

Configuring Smart Licensing for IPv6 is pretty similar when compared to the IPv4 configuration.

However, there are some considerations:

IPv6 routing should be enabled
The source interface must have an IPv6 routable address
The Service Provider must support IPv6 and we should have IPv6 connectivity to the destination host (CSSM in our example - Direct Cloud Access)
The device should be able to resolve tools.cisco.com to the corresponding IPv6 address.

Note:

Cisco Smart Licensing registration portal tools.cisco.com can be resolved using both IPv4 and IPv6. This can be validated using online DNS lookup tools and querying multiple times.

IPv4 addresses:
72.163.4.38
173.37.145.8

IPv6 addresses:
2001:420:1101:5::a
2001:420:1201:5::a

Note: This configuration is for reference only.

Configuration

1. Enable call Home

configure terminal
 service call-home

2. Enable routing

ipv6 unicast-routing

3. DNS

ip name-server <IPv6_address> #Your local DNS server IPv6 address
ip name-server vrf Mgmt-vrf <IPv6_address>  #(Optional depending on the interface used for Internet Connectivity)

You could also try using the Google Public DNS IPv6 addresses:

2001:4860:4860::8888
2001:4860:4860::8844

Another configuration that could be used for troubleshooting/testing purposes (if you suspect of DNS issue) but is not recommended as a permanent configuration is to define a static hostname to address mapping:

ipv6 host tools.cisco.com 2001:420:1201:5::a

3.a. DNS Source Interface. This interface should be able to ping tools.cisco.com using the "source" keyword.

ip domain lookup
ip domain lookup source-interface <interface_type/interfaca_id> #(Gi0/0 for example but can also be a VLAN interface)

4. Domain name

ip domain-name yourdomain.com #Only if not present

5. Configure the call home profile. (Optional since is normally configured by default for this method)

call-home
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
  active
  reporting smart-licensing-data
  destination transport-method http
  no destination transport-method email
  destination address http  https://tools.cisco.com/its/service/oddce/services/DDCEService

6. HTTP configuration

Ensure the source-interface that you select can reach CSSM "ping tools.cisco.com source x"

ip http server
ip http authentication local
ip http secure-server
ip http client source-interface <VlanID/Gi0/0> #Gi0/0 if using Mgmt-vrf

7. Get Token from Cisco CSSM HTTP. You might have done this already
https://software.cisco.com/#SmartLicensing-Inventory

8. Enter the Token on the device by running the following command:

Switch# license smart register idtoken <id_token>

9. You can check the results by running the following verification commands.

show license all
show license status
show call-home profile all

If you want to use IPv4 instead for Smart Licensing but you're having some interfaces configured with IPv6, then please be aware of the following software bugs:

IOS XE need a knob to prefer ipv4 over ipv6 dns response for ios DNS client
CSCvs39104

With ip http client source-interface defined, DNS resolution never falls back from AAAA to A record
CSCvp26804

ciscomoderator · ‎07-31-2020

What happens if I upgrade a switch to a code that needs SA and I don't have it? Could you say a very complete answer? What happens if my device with SA stops having communication with the Cisco cloud?

andresfr · ‎07-31-2020

This question has been answered already.