January 19, 2018
Cisco Smart Licensing Demystified
Get up to speed on a licensing development that is only going to grow.
For those who have not heard, Cisco Systems is shifting its licensing strategies. Gone — well, almost gone — are the days of PAK keys and questions on when to use it or not. The company has moved to a new licensing model, referred to as smart licensing. I say almost gone because not every product has made it to smart licensing as of yet. In fact, in the grand scheme of things, there are very few products on smart licensing at this time. So this adds to the confusion a bit more. Throughout this blog, I will guide you through the nuances and make you a wizard of smart licensing.
There is a hierarchy to smart licensing that starts with the organization (ORG). A company can have one ORG and it is essentially the domain name of your organization. In my case, it would be cdw.com. This is important to note, as there really can be just one, unless you have different domains for various companies within your larger organization.
At the top-level ORG, one or more administrators have total rights to the smart licensing ORG. They can add users to the ORG and assign rights to them. It is important to know who those users are in a company, as their Cisco Connect Online identification (CCO ID) is tied to the organization. If you had one administrator and he or she leaves, then you would not have any administrators left in your company.
This also means that there is a new bit of cleanup needed in the event of staffing changes. Users can be added to an ORG either manually by an administrator or they can request access to smart licensing by going to http://software.cisco.com. They log in using their CCO credentials and click on the link to request access to an existing smart account. This kicks off a workflow, and an email is sent to all administrators of the ORG to approve the request.
Roles and Structure
In smart licensing, you have four definable roles: smart account user, smart account administrator, smart account approver and a user or administrator over a specific virtual account. Smart account users can manage assets within the organization and all virtual accounts, but cannot add or delete virtual accounts or manage user access. Users with this designation can see all licenses for the organization.
Next in the hierarchy of smart licensing is the structure. So you have the ORG and beneath that you have items called virtual accounts. Think of these as folders that can be used to manage licenses and organize them.
It is important to note that the virtual account is the last leaf node in your hierarchy. You cannot nest a virtual account inside of another virtual account. Virtual accounts also work as a demarcation for security of licenses. There is no concept of departments or divisions in smart licensing, so virtual accounts take on this role. In a large organization, you can get creative with virtual accounts to suit most of your needs.
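The administrator-continuity and staffing-change cleanup points above can be checked mechanically. The following is an added example, not Cisco tooling or code from this blog: the `Grant` record, the `audit` function, the two-administrator minimum, the rule that each virtual account should keep an active administrator, and all sample IDs are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ADMIN = "smart account administrator"
VA_ADMIN = "virtual account administrator"

@dataclass(frozen=True)
class Grant:
    cco_id: str                            # login the role is tied to
    role: str                              # one of the roles listed above
    virtual_account: Optional[str] = None  # None means an ORG-wide role

def audit(grants, active_staff, min_admins=2):
    """Return (severity, message) findings for a smart account role list."""
    findings = []
    # Staffing-change cleanup: roles still held by people no longer on staff.
    for g in grants:
        if g.cco_id not in active_staff:
            scope = g.virtual_account or "ORG"
            findings.append(("high", f"{g.cco_id} has left but holds '{g.role}' on {scope}"))
    # Continuity: count ORG administrators who are still on staff.
    # min_admins=2 is an assumed policy; the article only warns against one.
    live = {g.cco_id for g in grants if g.role == ADMIN and g.cco_id in active_staff}
    if len(live) < min_admins:
        findings.append(("high", f"{len(live)} active ORG administrator(s), want {min_admins}"))
    # Assumed policy: every virtual account keeps an active administrator.
    for va in sorted({g.virtual_account for g in grants if g.virtual_account}):
        if not any(g.virtual_account == va and g.role == VA_ADMIN
                   and g.cco_id in active_staff for g in grants):
            findings.append(("medium", f"virtual account {va} has no active administrator"))
    return findings

# Constructed sample data: a role list and the current staff roster.
GRANTS = [
    Grant("asmith", ADMIN),
    Grant("bjones", "smart account user"),
    Grant("cnguyen", VA_ADMIN, "US-UC"),
    Grant("dlopez", VA_ADMIN, "EU-UC"),
    Grant("bjones", "virtual account user", "EU-UC"),
]
ACTIVE_STAFF = {"asmith", "bjones", "cnguyen"}

if __name__ == "__main__":
    for severity, message in audit(GRANTS, ACTIVE_STAFF):
        print(f"[{severity}] {message}")
```
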
Infrastructure is the next building block we need to talk about. For smart licensing to work, each device needs to have access to the smart licensing system. There are three possible connections you can have, each with its own benefits and drawbacks.
First, there is the “any server can connect to the internet” model. This is, by far, the preferred model as it has most of the benefits. A drawback to this model is that some companies, for security purposes, may not let their servers access the internet. It is important to know that this is not the internet accessing the servers. It refers to allowing the server to connect out on the internet to the Cisco smart licensing infrastructure over SSL. This allows the server to sync to the smart licensing platform, keeping license usage and other things up to date.
Second, you can have the smart license virtual appliance model. This acts as a smart licensing proxy where the internal machines connect to it and then it connects to the internet. This is a more secure option if you don’t want to allow all devices access out to the internet.
Third, we can do one more variant of the proxy server called a sneaker-net model. Instead of allowing the proxy server out to the internet, we can manually update the appliance with a file upload/download method from Cisco. This method, while being the most secure, is also by far the worst, as you have to maintain it manually.
The last part of the building blocks would be the token. This item lets the smart licensing server sync with the devices and their licenses. As an example, let’s say I have a vCUSP 5 session license in my smart license account. From the licensing portal, I create a token and assign it to one of the vCUSP 5 session licenses available to me in the portal.
When I go to the vCUSP licensing section, I tell it how to get to the smart licensing server, and then I provide my token ID. The server communicates to the licensing server and uses that token to authenticate itself and get the entitlements it has available to it.
If I grow and need 10 sessions, I would simply revoke the five-session token and create a new token assigning two five-session licenses to that token. Then I go to the device and put in the new token ID and have it go out and re-license itself, giving it more sessions. Devices communicate back to the server every 90 days unless a manual license sync is done.
How It Works in Practice
So let’s put everything together, taking into consideration different needs. For a small company with a small IT department, everyone might be an administrator of the ORG. I may choose not to use virtual accounts and let all my licenses just fall into the default virtual account. For a medium-size company, you may still want to have everyone operate as an ORG administrator but also use virtual accounts to hold licenses of certain types.
For instance, I may want to create a networking, security and unified communications virtual account to place my licenses into. This reduces the clutter of finding licenses in a sea of entitlements. Since I am the ORG administrator, I can see all virtual accounts and can browse and use any licenses that the company owns. Medium/large/enterprise-size companies may wish to have certain ORG admins and then create the virtual account hierarchy that fits their needs.
You can create a departmental structure. Suppose the company is international: Since we cannot nest virtual accounts, I could choose to make US-UC, EU-UC and EMEA-UC virtual accounts. In each virtual account, I put the licenses for each region, and I assign virtual account administrators from the various regions. Those administrators can, in turn, assign users to their virtual account, allowing them to use the licenses and see the licenses they have access to.
One Issue to Address
There are some known issues with the licensing model. From the unified communications perspective, we have found one major pitfall with the licensing proxy appliance model. If you know how current Cisco Unified Workspace Licensing (CUWL/CUWL Pro) works, you know that a device has the ability to borrow up from a lower tier to an upper tier in the event that the lower-tier licenses are used and one is needed. This allows you to make the best use of your licenses and be creative automatically. This model works perfectly fine if you let your voice appliance talk directly to the smart licensing cloud servers. But if you introduce the proxy appliance, it does not know how to borrow up. This is a flaw and hopefully Cisco will rectify this in future releases of the license proxy appliance.
Smart licensing is new and is here to stay; it is important that people educate themselves and start planning now for the future of Cisco licensing. All products will be migrated to the smart model and having a good plan and knowledge ahead of time will save you headaches during the migration process. Check back, as we will continue to write blogs on this topic as the features solidify and get added.