ICND2 200-105

ICND2 200-105

Cisco IOS Licensing Overview

Here's the thing you need to understand, we're now going to have an operating system that can pretty much do it all, but does that mean we can do it all? No. We've got to get a Product Activation Key, or PAK, that we load into our chassis that is based on a feature that we have purchased, okay. This is going to allow us to get a license and that license is then applied, installed in the chassis, and that gives us a feature. For instance, I want to do Voice over IP, or VoIP. A lot of routers can do that. You got things like unity, you have Call Manager Express, we're going to be doing this sort of thing. And so we have to be mindful of this elevated management workflow that is now our burden, our responsibility, as the people who interface with these router chassis.

Cisco IOS Feature Sets Hierarchy and Licensing

So back in the days when we started, this is what we had available to us. Not specifically, this exact set of operating systems because they have evolved over time. All right, we just need basic functionality, let's grab the bottom one. We want to add voice, let's grab IP Voice. Security, different service provider (SP) services, or full load enterprise services, you purchased the OS you needed.

We have this universal image, which replaces everything that we had before. And once this universal image is on our device, what does it have? Well by default, it's going to have the base image, base image comes with it. So just basic IOS functionality. But from there, this is where we purchased those licenses. So do I want to provide some MPLS support? I have to get the license for that. What about voice over IP, or VoIP? Got to get the license for that. Some security features, VPNs, Internet Protocol Security, or IPsec, firewall support? Got to pay for that as well. So when you purchase your device you just have this one IOS image, but then you unlock the different features by paying for the licenses for those different features.

Technology Package LicenseFeatures
IPBase Entry-level IOS functionality
DATA MPLS, ATM, Multiprotocol support
Unified Communications VoIP, IP Telephony
Security IOS Firewall, IPS, IPSec, 3DES, VPN

So here we can see that example looking at the output of show license. Right now, what do we have currently active on this device in use?

Router#show license
Index 1 Feature: ipbasek9
           Period left: Life time
           License Type: Permanent
           License State: Active, In Use
           License Count: Non-Counted
           License Priority: Medium
Index 2 Feature: securityk9
           Period left: Not Activated
           Period used: 0 minute 0 second
           License Type: EvalRightToUse
           License State: Not in Use, EULA not accepted
           License Count: Non-Counted
           License Priority: Non...

It's just the base, I'm looking here, and I don't see that the security package is active and the rest of it is omitted. But this would go through all of these different packages, show us the licenses, and then that might explain why, hey, I can't configure Context-Based Access Control, or CBAC, on my router. CBAC being a security thing, but you got the idea.

Permanent license installation

We do need to get these license files installed in Flash. We also want to back them up too, right? But get them installed in Flash, but just their existence in Flash does not suffice to install license. This is a permanent license.

R1#license install flash0:uck9-2900-SPE150_K9-FHH12250057.xml

Some licenses do have a certain amount of time and you have to be mindful of the way the time works in some of the licensing environments too. Sometimes, they're cumulative, sometimes they're not. But in any case, this is a permanent one and we're basically to say, "Hey, I got this license here you go." And what does it look like? Looks like unified communications, so to me this looks like a VoIP license that I'm installing inside of my chassis. So I can do things like work as an IP telephony gateway, and then I'm going to reload, and I'm going to do that show license again to see exactly what licenses are running on the chassis.

Evaluation license installation

Can we try out a feature set before we decide to purchase the real deal? Yes. Cisco does have the ability to utilize evaluation licenses, a slightly different command as you can see here for that license.

R1#license boot module c2900 technology-package uck9

So license boot module in order for us to activate that particular evaluation license, and typically, we're dealing with a 30-day evaluation license. In this case, this is looking to me like we are installing a unified communications evaluation license here as well.

Whatever you do, don't do this for production gear. You can lab this up with these evaluations. But don't put it into production because that's really going to burn you. It's better to, you know, be relatively reactionary and go oh, you know, I can't do that right now than to have it work and then stop working because a licensed feature has died because it was an evaluation. This is the paradigm and predicament we can get ourselves into on a lot of different chassis. If we want to verify how much time is left in this evaluation license, we can verify that using the show licenses command as well. So not only does that provide us with the permanent licenses we have but also the evaluation licenses and the time period remaining on them.

Backing up and uninstalling the license

This functionality of backing up the license is kind of... you know, for me it's not really a backing up in the true, strictest sense of the word because it's still just local to the chassis. But it's a great command to do, don't get me wrong.

R1#license save flash:all_licenses.lic

So here you're saying, "Hey, here is license file I want you to save it to." And you've created a local copy of your license files.

At some point in time, we may no longer require the license that is installed on our router. So what do we do to remove it? Well there are three things we have to do. First and foremost, we have to disable the technology package. We're doing that here with the license boot module command. But I want you to look at the end, what did we type in? Disable, disable!

Router(config)#license boot module c3900 technology-package uck9 disable

And then notice we had to reload the device. We reloaded the device so that way there we were no longer using that particular technology package. But now we have to remove the license itself. So once the router is reloaded and we're back in the privileged EXEC mode, we can say license clear and then the particular license we want to remove. In this case, the uck9 license.

Router#license clear uck9
Router#configure terminal
Router(config)#no license boot module c3900 technology uck9 disable

But then, we typed in a command earlier to disable the technology package, right? That command above license boot module disable at the end. Do we need that anymore, is it required?

No. And this is kind of the hardest thing to understand from this discussion is, we do still have that command there that is disabling it. But now it's disabling something we don't have, let's clear up our config. So very seldom do we just have to clean up our config, that's what we're doing there. And then we exit, reload again, and we are finally, done divesting ourselves from whatever that license was.