Changes in Traditional Licenses

This section explains the changes that certain traditional licenses are undergoing, to continue to be supported in the Smart Licensing Using Policy environment. These changes may involve actions that the system performs automatically, actions that you must perform, or both, and have been called out accordingly.

Phasing Out of Device-Specific HSECK9 Licenses

HSECK9 licenses are supported on various Cisco Aggregation, Integrated Services, and Cloud Services Routers. On Cisco 1000 Series Integrated Services Routers and Cisco 4000 Series Integrated Services Routers, the license name is tagged according to the router model (For example, a Cisco 4461 Integrated Services Router that is using an HSECK9 license, uses “ISR_4400_Hsec”).

This section explains what is changing for these device-specific HSECK9 licenses, how it affects you, actions (if any) that you may have to take, and the options available to you as device-specific HSECK9 license holder.

For the list of device-specific HSECK9 licenses, see HSECK9 License Mapping Table for Routing Product Instances.

What is Changing for Device-Specific HSECK9 Licenses

Device-specific HSECK9 licenses that are available on Cisco 1000 Series Integrated Services Routers and Cisco 4000 Series Integrated Services Routers, are being phased-out to simplify HSECK9 license management.

Starting with Cisco IOS XE Bengaluru 17.6.1a, instead of tagging HSECK9 licenses according to router model (for example, ISR_4331_Hsec), HSECK9 licenses are tagged as Router US Export Lic for DNA (DNA_HSEC). If you want to purchase new HSECK9 licenses for these products, you should buy DNA_HSEC.

If the software version running on the product instance is Cisco IOS XE Bengaluru 17.6.1a or later, it has the following implications:

  • A device-specific HSECK9 license that is already IN-USE, continues to be supported and no further action is required.

  • An unused device-specific HSECK9 license in the Smart Account and Virtual Account in CSSM can still be used on the product instance. Mutiple options are available and you can proceed with the suitable one. For more information, see the Available Options for an HSECK9 License section below.

For more information about ordering an HSECK9 license, see: Ordering Information for HSECK9 Licenses.

Product Instances Affected by this Change

Cisco 1000 Series Integrated Services Routers and Cisco 4000 Series Integrated Services Routers

Available Options for an HSECK9 License

The following table provides information about the options available to you as the holder of an unused device-specific HSECK9 license. It also covers additional scenarios where no action is required but have been provided for the purpose of clarification or confirmation.

Clarifications and definitions for important terms and abbreviations used in the tables below:

  • Device-specific HSECK9 license: refers to HSECK9 license name that is tagged to the device model

  • DNA_HSEC: Router US Export Lic for DNA

  • Honor (HSECK9 license): Means if the HSECK9 format exists on the product instance, then HSECK9 or export-controlled functionality is allowed. But you cannot install a new HSECK9 license in that form.

  • SLP: Smart Licensing Using Policy

  • SL: Smart License.

  • PAK: Product Activation Key

Table 1. Available Options for an HSECK9 License

Current State

HSECK9 Entitlement-Type in CSSM

Current Software Version on the Product Instance

Result and Required Action If Applicable​

Product instance is not using an HSECK9 license

Device-specific HSECK9 license

Cisco IOS XE Bengaluru 17.6.1a or later

 If you want to use an HSECK9 license, choose one of the following options:

  • Option 1: Install SLAC for device-specific HSECK9 license in offline mode.

    Complete: Generating and Downloading SLAC from CSSM to a File and Installing a File on the Product Instance.

  • Option 2: Purchase DNA-HSEC-UPGD= at 0 USD from CCW, convert device-specific HSECK9 license to DNA_HSEC, and install SLAC to use DNA_HSEC.

    Complete: Converting a Device-Specific HSECK9 License, and then request and install SLAC for DNA_HSEC according to the topology you have implemented.

  • Option 3:

    1. Downgrade to any release between 17.3.x and 17.5.x.

    2. Install SLAC for the device-specific HSECK9 license according to the topology you have implemented.

    3. Revert to Cisco IOS XE Bengaluru 17.6.1a or later release.

Product instance is not using an HSECK9 license

DNA_HSEC

Cisco IOS XE Bengaluru 17.6.1a or later

If you want to use an HSECK9 license, install SLAC for DNA_HSEC according to the topology you have implemented.

Product instance is not using an HSECK9 license

Device-specific HSECK9 license

Any release between Cisco IOS XE Amsterdam 17.3.2 and Cisco IOS XE Bengaluru 17.5.x

If you want to use an HSECK9 license, install SLAC for the device-specific HSECK9 license according to the topology you have implemented.

Product instance is using an HSECK9 PAK license or an SLR authorization code including an HSECK9 license.

Device-specific HSECK9 license

or

DNA_HSEC​

Cisco IOS XE Amsterdam 17.3.1 or any earlier release

If you want to upgrade to Cisco IOS XE Amsterdam 17.3.2 or a later release: No further action required.

Device-led conversion (DLC) is automatically triggered on upgrade and the HSECK9 PAK license or the SLR authorization code including an HSECK9 license ​is honored.

Product instance is using an HSECK9 license.

Device-specific HSECK9 license

or

DNA_HSEC​

Cisco IOS XE Amsterdam 17.3.4 or later release in the 17.3.x train (>=17.3.4).

or

Cisco IOS XE Bengaluru 17.4.2 or later release of the 17.4.x train (>=17.4.2).

or

Cisco IOS XE Bengaluru 17.5.x​ (17.5.x​)

No further action required.

The HSECK9 license that is being used is honored.

Product instance is not using an HSECK9 license

DNA_HSEC​

>=17.3.4, or >=17.4.2, or 17.5.x​

If DNA_HSEC is the entitement type in the CSSM, this means the device was ordered with software version 17.6.1a or later in CCW.​

Further, if DNA_HSEC is purchased with hardware, SLAC is factory-installed. But if it is not, ensure that you install SLAC in one of the following ways (choose one option):

SLAC may or may not be installed

DNA_HSEC

Cisco IOS XE Everest 16.10.1a to Cisco IOS XE Amsterdam 17.3.1

Note

 

Although available as an option, we do NOT recommend this conversion since the releases involved are end of software maintenance.

If you want to convert DNA_HSEC licenses to device-specific HSECK9 license, complete this process:

  1. Go to Support Case Manager. Click OPEN NEW CASE > Select Software Licensing.

    Provide a reason for downgrade and a proof of purchase of the existing HSEC license.

  2. The support team will contact you and request you to raise a purchase order for device-specific HSECK9 spares (For example, FL-4330-HSEC-K9= for ISR4330), with 100 percent discount.

  3. The support team revokes the same number of DNA_HSEC licenses as in purchase order. The support team also processes the request including seeking internal approvals for the discount. Once approved, the order goes through.

  4. The applicable number of device-specific HSECK9 licenses are deposited in your Smart Account and Virtual Account in CSSM.

SLAC may or may not be installed

Device-specific HSECK9 license

Cisco IOS XE Fuji 16.9.x

Note

 

Although available as an option, we do NOT recommend this conversion since the releases involved are end of software maintenance.

If you want to convert the device-specific HSECK9 licenses to PAK HSECK9 licenses, open a case.

Go to Support Case Manager. Click OPEN NEW CASE > Select Software Licensing.

The support team will contact you to start the process or for any additional information.
Table 2. Licensing Model Where HSECK9 License is Used and Release Matrix

Release

Licensing Model Available with the Release

PAK HSECK9 Supported?

SLR including HSECK9 Supported?

SLP; SLAC with Device- Specific HSECK9 Supported?

SLP; SLAC with DNA_HSEC Supported?
<=16.9 PAK Yes Not applicable Not applicable Not applicable
16.10.1a – 17.3.1 SL Honor Yes Not applicable Not applicable
17.3.2-17.3.3, 17.4.1 SLP Honor Honor Yes No
>=17.3.4, >=17.4.2,17.5.x, SLP Honor Honor Yes Honor or install offline
>=17.6.1a SLP Honor Honor Honor or install offline Yes

Snapshots for PAK Licenses

There is a significant change in the way Product Activation Key (PAK) licenses are handled by the system. This section explains the change, how it affects you, actions (if any) that you may have to take, and the options available to you as a PAK license holder.

What is a PAK License

A license issued by using PAK fulfilment is called a PAK license. For example, an “adventerprise” license available on Cisco ASR 1000 can be PAK-fulfilled, a “securityk9” license, which is available on a Cisco 4000 Series ISR can also be PAK fulfilled. Similarly, an HSECK9 license which is available on various Cisco routers, can be PAK-fulfilled.

What is Changing for PAK Licenses - Snapshots for PAK Licenses

Starting with Cisco IOS XE Dublin 17.11.1a, the library that manages PAK licenses is deprecated from the software image.

In order to support and honor any existing PAK licenses, the system automatically performs the following actions in select release trains:

  • The system takes a snapshot of the PAK license. This snapshot serves as a permanent record of the PAK license - as it is, at the time of the snapshot.

  • The system automatically triggers a Device-Led Conversion (DLC) process. After DLC, the PAK-fulfilled license is available in your Smart Account.

    For information about the DLC process, see: After Upgrading the Software Version. DLC is triggered for all topologies in the Smart Licensing Using Policy environment.

The system takes snapshots for a PAK license and automatically triggers DLC only in and until the following releases and trains:

  • Cisco IOS XE Amsterdam 17.3.5 and later releases of the 17.3.x train.

  • Cisco IOS XE Bengaluru 17.6.2 and later releases of the 17.6.x train.

  • All releases of subsequent trains: Cisco IOS XE Cupertino 17.7.x, Cisco IOS XE Cupertino 17.8.x, Cisco IOS XE Cupertino 17.9.x, and until Cisco IOS XE Dublin 17.10.x.


Caution

Starting with Cisco IOS XE Dublin 17.11.1a, the PAK-managing library is discontinued and the provision to take a snapshot is no longer available. DLC is not available either. Software images from Cisco IOS XE Dublin 17.11.1a onwards rely only on the snapshotted information about PAK licenses.

If you have a PAK license without a snapshot, and you want to upgrade to Cisco IOS XE Dublin 17.11.1a or a later release, you will have to upgrade twice. First upgrade to one of the above-mentioned releases where the system can take a snapshot of the PAK license and complete DLC, and then again upgrade to the required, later release.

Only permanent PAK licenses are honored; any evaluation PAK licenses are not.

Once a snapshot is taken, any changes to the PAK license are not supported. Even if you downgrade the software version (after the snapshot is taken) to an earlier release, make a change in the PAK license (including trying to return it), and then revert to the later release, the PAK license change is not supported.

To know if the PAK license on a product instance has been snapshotted, enter the show platform software sl-infra pak-info command in privileged EXEC mode. 
If a snapshot has been taken, the following information is displayed in the command’s output: 
Device# show platform software sl-infra pak-info  
<output truncated>

Pak License Snapshot Information
=================================
Platform Supports PAK License snapshot
PAK License Snapshot integrity check pass
PAK License Snapshot available

<output truncated>

Product Instances that Support PAK Licenses

The following product instances support PAK licenses. If you are using one of these product instances and a PAK license is being used on the product instance, refer to the Available Options for a PAK License section, to know more about what you can do.

  • Cisco 1000 Series Integrated Services Routers

  • Cisco 4000 Series Integrated Services Routers

  • Cisco ASR 1000 Series Aggregation Services Routers

  • Cisco Cloud Services Router 1000v

  • Catalyst 8000V Edge Software (Only if it is a Cloud Services Router 1000v on which a .bin upgrade to Cisco IOS XE Bengaluru 17.4.1 or a later release has been performed)

Available Options for a PAK License

If you have a PAK license, you can proceed in the following ways:


Note

If there are multiple PAK licenses on the product instance, either continue using all of them or remove and return all of them. If you forsee the need for changes in the PAK licenses you have, remove all the PAKs license and start afresh by configuring Smart licenses on the product instance.

Permanent License Reservation in the Smart Licensing Using Policy Environment

What is a Permanent License Reservation

A Permanent License Reservation (PLR) enables you to use an unlimited count of any license on the product instance. The PLR code is an authorization code generated by CSSM that must installed on the product instance in order to authorise any license request.

A PLR is suited to a high-security deployment or entirely air-gapped networks where a product instance cannot communicate online, with anything outside its network.

PLR Requirements in the Smart Licensing Using Policy Environment

The use of PLR in the Smart Licensing Using Policy environment requires:

  • Software version Cisco IOS XE Dublin 17.10.1a or later.

  • Version 3 of the PLR code.

Product Instances that Support PLR in the Smart Licensing Using Policy Environment

  • Catalyst 8000V Edge Software

  • Cisco Cloud Services Router 1000v (Has been .bin upgraded from a CSRv image to a Catalyst 8000V software image)

How an Existing PLR is Handled - Upgrade and Downgrade

Current Setup

Condition

(If This Action is Performed)

Result and Implication

Product Instance: Cisco Cloud Services Router 1000v

PLR status: PLR is activated. An older version of the PLR code installed (Version 1 or Version 2).

Software version: Cisco IOS XE Everest 16.5.x to Cisco IOS XE Amsterdam 17.3.x.

You perform a .bin upgrade to software version Cisco IOS XE Dublin 17.10.1a or later release.

All existing features that have been enabled are honored and continue to work - except for throughput greater than 250 Mbps, and any export-controlled features that require an HSECK9 license.

The older version of the PLR code is not removed from the product instance, but it is not supported.

To restore throughput and to use an HSECK9 license, upgrade the PLR code to Version 3. See: Upgrading a PLR.

Product Instance: Cisco Cloud Services Router 1000v

PLR status: PLR is activated. An older version of the PLR code installed (Version 1 or Version 2).

Software version: Cisco IOS XE Everest 16.5.x to Cisco IOS XE Amsterdam 17.3.x.

 You perform a .bin upgrade to a release between Cisco IOS XE Bengaluru 17.4.x and Cisco IOS XE Cupertino 17.9.x.

All existing features that have been enabled are honored and continue to work - except for throughput greater than 250 Mbps, and any export-controlled features that require an HSECK9 license.

The older version of the PLR code is not removed from the product instance, but it is not supported.

To use PLR, you must upgrade the software version to Cisco IOS XE Dublin 17.10.1a and then upgrade the PLR code to Version 3.

See: Upgrading a PLR.

Product Instance: Cisco Cloud Services Router 1000v Router (.bin upgraded to a Catalyst 8000V software image)

PLR status: PLR is activated. Version 3 of the PLR code is installed.

Software version: Cisco IOS XE Dublin 17.10.1a or later.

You downgrade to Cisco IOS XE Amsterdam 17.3.x or earlier release.

After downgrade, the older version of the software image cannot validate the PLR code Version 3 and does not honor or support it.

The product instance behaves as if no licenses are installed.

The PLR code is not removed from product instance.

Product Instance: Cisco Cloud Services Router 1000v Router (.bin upgraded to a Catalyst 8000V software image)

PLR status: PLR upgrade is not complete. An older version (Version 1 or Version 2) of the PLR code installed.

Software version: Cisco IOS XE Dublin 17.10.1a or later.

You downgrade to Cisco IOS XE Amsterdam 17.3.x or earlier release.

After downgrade the older version of the software image can validate the PLR code and use it to fulfill license requests.

Activating, Upgrading to, Deactivating a PLR in the Smart Licensing Using Policy Environment

  • If you are implementing PLR on a Catalyst 8000V Edge Software, see: Activating a PLR.

  • If you performing a .bin upgrade on a Cisco Cloud Services Router 1000v Router and want to continue using PLR, see: Upgrading a PLR.

  • If you want to deactive a PLR, see: Deactivating a PLR.