The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter provides an overview of MACsec Smart Licensing. Smart Licensing feature is a standardized licensing platform that simplifies the Cisco software experience and helps you to understand how Cisco software is used across your network. Smart Licensing is the next generation licensing platform for all Cisco software products. MACsec licensing allows you to enable CSL permanent and Smart Licensing on Cisco ASR 1000 platforms.
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
MACsec and DLC Support |
Cisco IOS XE Fuji 16.9.1 |
Smart Licensing feature is a standardized licensing platform that simplifies the Cisco software experience and helps you to understand how Cisco software is used across your network. Smart Licensing is the next generation licensing platform for all Cisco software products. No commands were introduced or modified by this feature. |
Effective with Cisco IOS XE Fuji Release 16.9.1, MACsec Smart Licensing (SL) is supported on the following platforms:
|
Ports |
License Feature |
License PID |
Supported Platform |
||
|---|---|---|---|---|---|
|
MIP-100 (RP2/RP3) |
ASR1001-HX |
ASR1002-HX |
|||
|
BUILT-IN 1 GE ports |
MACSEC1G |
FLSA1-MACSEC1G |
N/A |
Yes |
Yes |
|
BUILT-IN 10 GE ports |
MACSEC10G |
FLSA1-MACSEC10G |
N/A |
Yes |
Yes |
|
EPA-18X1GE |
MACSEC1G |
FLSA1-MACSEC1G |
Yes |
N/A |
Yes |
|
EPA-10X10GE |
MACSEC10G |
FLSA1-MACSEC10G |
Yes |
N/A |
Yes |
|
EPA-1X40GE |
MACSEC40G |
FLSA1-MACSEC40G |
Yes |
N/A |
Yes |
|
EPA-2X40GE |
MACSEC40G |
FLSA1-MACSEC40G |
Yes |
N/A |
Yes |
|
EPA-QSFP-1X100GE |
MACSEC100G |
FLSA1-MACSEC100G |
Yes |
N/A |
Yes |
MACsec licenses are available for each port and are applicable only for physical ports (sub-interfaces do not require additional license). Device Led Conversion (DLC) support is available for MACsec port licenses to ensure that your paper licenses are added to smart account.
The Device-led conversion allows license migration from Classic to Smart license automatically for licences that are on the devices. The devices needs to be registered in Cisco Smart Software Manager (SSM) for automatic conversion to smart license.
 Note |
|
One unit of MACsec license is used when a port containing MACsec configuration is unshut or when the configuration is applied on an unshut port.
One unit of MACsec license is released when a port containing MACsec configuration is shut or when the configuration is removed from an unshut port.
MACSec support is available in Cisco Software License (CSL) and Smart License (SL) modes from Cisco IOS XE Fuji 16.9.1. However, for releases after 16.9.1, MACSec will support only Smart License.
The following scenarios explain how an existing router is deployed and migrated to Cisco IOS XE Fuji 16.9.1:
If MACsec permanent licenses are installed on the device before upgrading (prior to Cisco IOS XE Fuji 16.9.1 release), then these licenses are used after the upgrade.
Before the upgrade, assume the following:
Router is operating on a release prior to Cisco IOS XE Fuji 16.9.1
MACsec is configured on four un-shut 1G interfaces
Four MACSEC1G permanent licenses are installed
After the upgrade, four MACSEC1G licenses are used.
When MACsec is configured on unshut ports, ideally EvalRTU licenses should be used after the upgrade. Since EvalRTU support is not available, the license request is skipped and a warning message is displayed. For example:
%IOSXE_LICENSE_POLICY_MANAGER-4-INSUF_PERM_LIC: 0/0/0: Insufficient MACSEC40G permanent license, skipping license request assuming customer has honour licenseBefore the upgrade, assume the following:
Router is operating on a release prior to Cisco IOS XE Fuji 16.9.1
MACsec is configured on four un-shut 1G interfaces
After the upgrade
No MACsec license is used
Warning message is displayed
If you install four permanent licenses at a later point of time, then these licenses are used immediately
To avoid Out of Compliance scenario, all Product Activation Keys (PAK) and non-PAK licenses should be added to customer's virtual CSSM account.
The Device Led Conversion (DLC) feature migrates licenses to Smart Account. For DLC to work properly, all licenses should be enabled in CSL mode before migrating to SL mode.
Perform the following steps to migrate to SL Mode:
Upgrade from releases prior to Cisco IOS XE 16.9.1 to Cisco IOS XE 16.9.1
Upgrade to Cisco IOS XE Fuji 16.9.1 in CSL mode
Migrate to SL mode and trigger DLC
Upgrade from releases prior to Cisco IOS XE Fuji 16.9.1 to later releases
Upgrade to Cisco IOS XE Fuji 16.9.1 in CSL mode
Migrate to SL mode and trigger DLC
Upgrade to releases later than Cisco IOS XE Fuji 16.9.1
Feedback