Using Cisco Smart Licensing on IOS-XE

Converting PAKs to Smart Licenses

First, convert existing PAKs to smart licensing by going to the Traditional Licensing Portal, selecting the PAK, and from the “Smart Accounts” tab, select “Convert selected PAKs to smart licensing”.


Note that PAKs entered via the Smart Licensing portal are not automatically converted.

Router CLI Configuration

In config mode, enable DNS resolution so the device can communicate with Cisco:

ip domain-lookup
ip name-server 8.8.8.8

Configure Smart Call-home

service call-home
call-home
 contact-email-addr me@mydomain.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
  no destination transport-method email

In software versions prior to 16.12, Smart Licensing will need to be enabled in config mode:

license smart enable

Creating and Applying Smart License Tokens

Visit the Smart Licensing Portal, select the PAK, and generate a token.


In enable mode, paste the token in via CLI:

license smart register idtoken XXXXXXX

Verify that the token has been accepted and registration was successful:

show license status

Finish by configuring and verifying any features added by the license

platform hardware throughput level mb 250
Wait for 250M license request to succeed

license boot level ax
% use 'write' command to make license boot config take effect on next boot

Router# show platform hardware throughput level 
The current throughput level is 250000 kb/

Re-initializing Licenses after Software Downgrade

When upgrading or especially downgrading IOS-XE versions, you’ll typically see an error that the license has already been used:

Router#show license status
Smart Licensing is ENABLED

Registration:
  Status: UNREGISTERED - REGISTRATION FAILED
  Export-Controlled Functionality: Not Allowed
  Initial Registration: FAILED on Mar 20 01:22:15 2019 GMT

Failure reason: The product regid.2013-08.com.cisco.CSR1000V,1.0_1562da96-9176-4f99-a6cb-14b4dd0fa135 and sudi containing udiSerialNumber:9PFNTCW3Y0L,udiPid:CSR1000V has already been registered.

Or red herring messages like this:

%SMART_LIC-3-AUTH_RENEW_FAILED: Authorization renewal with the Cisco Smart Software Manager or satellite : Response error: Data and signature do not match 
%SMART_LIC-3-AUTH_RENEW_FAILED: Authorization renewal with the Cisco Smart Software Manager or satellite : NULL 
%SMART_LIC-3-AUTH_RENEW_FAILED: Authorization renewal with the Cisco Smart Software Manager or satellite : verify RESP fail

Simple fix: just re-install a token with the “force” option at the end, i.e.:

license smart register idtoken XXXXXXX force
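
A way to triage this state from captured output, as an added example (not part of the original post): it parses `show license status` text and `SMART_LIC` log lines and reports whether the "already registered" condition that calls for the `force` re-registration is present. The sample text is constructed, with placeholder regid and serial values, and the function name `diagnose` is hypothetical.

```python
import re
from collections import Counter

# Constructed sample input in the format shown above; regid and serial are placeholders.
STATUS = """\
Smart Licensing is ENABLED

Registration:
  Status: UNREGISTERED - REGISTRATION FAILED
  Export-Controlled Functionality: Not Allowed
  Initial Registration: FAILED on Mar 20 01:22:15 2019 GMT

Failure reason: The product regid.EXAMPLE and sudi containing udiSerialNumber:EXAMPLE0001,udiPid:CSR1000V has already been registered.
"""
PREFIX = "%SMART_LIC-3-AUTH_RENEW_FAILED: Authorization renewal with the Cisco Smart Software Manager or satellite : "
LOGS = [
    PREFIX + "Response error: Data and signature do not match ",
    PREFIX + "NULL ",
    PREFIX + "verify RESP fail",
]

RENEW_RE = re.compile(r"%SMART_LIC-3-AUTH_RENEW_FAILED:.*?satellite\s*:\s*(.*)$")


def diagnose(status_text, log_lines):
    """Summarise registration state and whether a forced re-registration applies."""
    status = re.search(r"^\s*Status:\s*(.+)$", status_text, re.M)
    reason = re.search(r"^Failure reason:\s*(.+)$", status_text, re.M)
    renew = Counter()
    for line in log_lines:
        m = RENEW_RE.search(line)
        if m:
            renew[m.group(1).strip()] += 1  # group renewal failures by stated cause
    state = status.group(1).strip() if status else "UNKNOWN"
    already = bool(reason and "has already been registered" in reason.group(1))
    return {
        "smart_licensing_enabled": "Smart Licensing is ENABLED" in status_text,
        "registration": state,
        "already_registered": already,
        "renew_failures": dict(renew),
        # The fix described above: register a token again with "force".
        "needs_force_reregister": state.startswith("UNREGISTERED") and already,
    }
```
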

Activating Throughput License on 4351 (FL-44-PERF-K9)

Time to replace the office 2951s with 4351s. Since the Internet pipes are 300 Mbps, we purchased the FL-44-PERF-K9 upgrades, which bump the throughput from a 200 Mbps to a 400 Mbps cap. I entered the PAK on the Cisco License Portal, installed the license, but noticed upon testing there was still a 200 Mbps limit. The license commands indicated that the license had been installed, but not enabled/activated.

Router#show license feature
Feature name             Enforcement  Evaluation  Subscription   Enabled  RightToUse
appxk9                   yes          yes         no             no       yes
uck9                     yes          yes         no             no       yes
securityk9               yes          yes         no             no       yes
ipbasek9                 no           no          no             yes      no
FoundationSuiteK9        yes          yes         no             no       yes
AdvUCSuiteK9             yes          yes         no             no       yes
cme-srst                 yes          yes         no             no       yes
hseck9                   yes          no          no             no       no
throughput               yes          yes         no             no       yes
internal_service         yes          no          no             no       no

The licensing magic trick? Configure the platform to jump from 200 Mbps to 400 Mbps:

Router(config)#platform hardware throughput level 400000 
% The config will take effect on next reboot

Upon rebooting, NOW the throughput license is enabled.

Router#sh license feature
Feature name             Enforcement  Evaluation  Subscription   Enabled  RightToUse
throughput               yes          yes         no             yes      yes

Router#show platform hardware throughput level 
The current throughput level is 400000 kb/s
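
A post-change check for the trap described above, as an added example (not from the original post): it reads captured `show license feature` and `show platform hardware throughput level` output and reports when the throughput license is not enabled or the platform cap differs from the expected level. The sample captures are constructed and the function names are hypothetical.

```python
import re

# Constructed captures in the format shown above (state after the reboot).
FEATURES = """\
Feature name Enforcement Evaluation Subscription Enabled RightToUse
ipbasek9 no no no yes no
throughput yes yes no yes yes
"""
LEVEL = "The current throughput level is 400000 kb/s"

COLUMNS = ("enforcement", "evaluation", "subscription", "enabled", "right_to_use")
# A data row is a feature name followed by exactly five yes/no cells.
ROW_RE = re.compile(r"^(\S+)\s+" + r"\s+".join(["(yes|no)"] * 5) + r"\s*$")


def parse_features(text):
    """Map feature name -> {column: bool} from 'show license feature' output."""
    table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # the header line does not match and is skipped
            table[m.group(1)] = {c: v == "yes" for c, v in zip(COLUMNS, m.groups()[1:])}
    return table


def check_throughput(feature_text, level_text, expected_kbps):
    """Return a list of problems; an empty list means license and cap agree."""
    problems = []
    row = parse_features(feature_text).get("throughput")
    if row is None:
        problems.append("throughput feature not listed")
    elif not row["enabled"]:
        problems.append("throughput license present but not enabled")
    m = re.search(r"current throughput level is (\d+) kb/s", level_text)
    if not m:
        problems.append("could not read current throughput level")
    elif int(m.group(1)) != expected_kbps:
        problems.append(f"throughput level is {m.group(1)} kb/s, expected {expected_kbps}")
    return problems
```
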

Cisco 2921 Router with HSEC License


After replacing our 2821 routers with 2921s, I encountered a dilemma.   The 2821s were used to terminate Site to Site IPSec tunnels to AWS, and thanks to offloading crypto operations in their AIM-VPN/SSL-2 modules, could easily push 120 Mbps of traffic.  Not quite so with the 2921s, as I immediately started seeing a whole lot of these:

%CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
%CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license

As it turns out, there’s an 85 Mbps software rate limiter due to Crypto export restrictions.

Router# show platform cerm-information
Crypto Export Restrictions Manager(CERM) Information:
 CERM functionality: ENABLED

 ----------------------------------------------------------------
 Resource                       Maximum Limit        Available
 ----------------------------------------------------------------
 Tx Bandwidth(in kbps)          85000                85000
 Rx Bandwidth(in kbps)          85000                85000
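
To quantify the cap against what a tunnel needs, the following added example (not from the original post) combines `show platform cerm-information` output with the CERM syslog messages and reports the per-direction shortfall for a required rate, here the 120 Mbps the 2821s carried. The inputs are constructed, the timestamps are made up, and `cerm_report` is a hypothetical name.

```python
import re
from collections import Counter

# Constructed inputs in the formats quoted above; timestamps are made up.
CERM_INFO = """\
Crypto Export Restrictions Manager(CERM) Information:
 CERM functionality: ENABLED
 Resource Maximum Limit Available
 Tx Bandwidth(in kbps) 85000 85000
 Rx Bandwidth(in kbps) 85000 85000
"""
TAIL = "Kbps reached for Crypto functionality with securityk9 technology package license."
SYSLOG = [
    "Mar 1 02:00:11: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 " + TAIL,
    "Mar 1 02:00:12: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 " + TAIL,
    "Mar 1 02:00:41: %CERM-4-RX_BW_LIMIT: Maximum Rx Bandwidth limit of 85000 " + TAIL,
    "Mar 1 02:01:00: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
]

HIT_RE = re.compile(r"%CERM-4-(RX|TX)_BW_LIMIT: .*? limit of (\d+) Kbps reached")
BW_RE = re.compile(r"^\s*(Tx|Rx) Bandwidth\(in kbps\)\s+(\d+)\s+(\d+)\s*$", re.M)


def cerm_report(info_text, log_lines, required_kbps):
    """Compare the CERM crypto cap with the tunnel bandwidth actually required."""
    enabled = bool(re.search(r"CERM functionality:\s*ENABLED", info_text))
    limits = {d.lower(): int(cap) for d, cap, _avail in BW_RE.findall(info_text)}
    hits = Counter()
    for line in log_lines:
        m = HIT_RE.search(line)
        if m:
            hits[m.group(1).lower()] += 1  # count limiter events per direction
    # Shortfall only applies while the limiter is active.
    shortfall = {d: max(0, required_kbps - cap) for d, cap in limits.items()} if enabled else {}
    return {
        "cerm_enabled": enabled,
        "limits_kbps": limits,
        "limit_hits": dict(hits),
        "shortfall_kbps": shortfall,
        "capped": enabled and (bool(hits) or any(shortfall.values())),
    }
```
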

Since one of the tunnels carries a replication job that needs to complete within an hour, I needed to match if not exceed what the 2821s had been doing.  The dilemma then was to purchase an L-FL-29-HSEC-29 license which would remove the rate limiter, or simply scrap them in favor of a new 4331 or 4351 router.  The decision really hinged on how much throughput a 2921 with HSEC license would deliver.  After not finding anything on the Googles or Cisco Forums, I turned to Reddit and was pointed to two links.

First was the ISR G2 performance whitepaper from Cisco, which gave an IPSec max throughput of 207 Mbps.  This seemed a bit high to me, and was confusing because it did not state whether this was bi-directional or one-way.

Second was a Miercom Report listing values of 70 Mbps for the 2911 and 150 Mbps for the 2951 respectively. Since the 2921 is closer in terms of hardware to the 2951 but with 20% less horsepower, I ballparked 125 Mbps for the 2921.

Our reseller had quoted $780 for an HSEC license, but after poking around eBay I found someone willing to sell for $200/each.  Sold!  They were applied this morning.

[Image: hsec_throughput]

I was a bit surprised to see the CPU is still well short of 100%. Would guess that the bottleneck is either on the remote side, or at the server level.

[Image: hsec_cpu]

So doing the math, 130 Mbps / (1/.78) = 166.66 Mbps. I found it amusing that this was exactly halfway between the estimates of 125 and 207 Mbps.