Cisco User Connect Licensing (UCL) provides per-user based licensing for individual Cisco Unified Communications applications, including the applications server software, user licensing, and a soft client. User Connect Licensing is available in Essential, Basic, Enhanced, and Enhanced Plus versions.
Cisco Licensing – Cisco Licenses Explained
- 6 March, 2019
Article, Cisco Licensing Explained, Enterprise Agreements, Licenses
Traditionally, Cisco licensing has offered a perpetual licensing model in which you buy once and keep the license through the life of the hardware. Once that hardware has been replaced, the license is obsolete, and the new hardware will need its own set of license(s). In the event you RMA the device, you’re eligible for a one-time transfer of that license to the new hardware, but for all intents and purposes that is the exception to the rule. This is true for all hardware.
The software features you buy on top of the hardware are licensed separately and require their own support contract. If you want to get the IPS (Intrusion Prevention System) feature for your firewall, you’ll need a software license or entitlement.
This leads to a situation where one single device has two support contracts associated with it: one for hardware failure and the underlying operating system, and another for the software support and updates specific to the feature, as in the IPS example above.
This perpetual method of ownership still requires you to have a support contract at all times to get the latest updates. What happens if you let the support lapse but keep the Cisco licensing? The core feature of the IPS module will continue to work as is. However, the module will stop receiving the latest threat updates, leaving you more vulnerable to new threat vectors. You would also not be eligible to call Cisco support (TAC) and get assistance with the IPS software module.
How does support work for Cisco licensing?
There are two models and SKUs you’ll normally see on your order and bill of materials sheets: Smartnet (SNT) and Software Support Services (SWSS). At a glance, these might look quite similar, but there are fundamental differences that, if not accounted for, can leave a company vulnerable to security threats or extended downtime. In this article, we’ll examine the differences.
Smartnet only applies to the hardware. Depending on the level purchased, you get anywhere from 8x5xNBD (next business day) up to 24x7x2-hour replacement on that hardware. This also grants you operating system updates, similar to getting Windows updates, while your Smartnet is valid.
Software Support Service (SWSS) has a single purpose: to keep the software add-on features updated and eligible for support.
Now let’s revisit our earlier example with more detail to see how these apply in a real-world scenario. Let’s say you have a Cisco Firepower NGFW (Next-Gen Firewall) with AMP (Advanced Malware Protection), IPS (Intrusion Prevention System) and URL Filtering. You are up for renewal. You get a bill of materials that has SNT and SWSS SKUs on it. You choose to buy the SNT but leave out the SWSS because you assume the hardware replacement will cover the software and could even be cheaper.
The SNT gets renewed and things seem to work as before. Two months down the road, you’re looking into the URL module and realize it hasn’t been receiving updates for some time. You call support and provide your details. Support will now tell you that while your hardware is in coverage, you are not eligible for signature updates due to the lack of SWSS (software support services). You now have to work with your Cisco team and “re-instate” coverage, which is often more expensive than keeping it current.
Let’s flip the scenario. You bought SWSS but left out SNT (Smartnet). You experience a hardware failure. You call support and they’ll tell you the reverse. There’s nothing they can do to help you replace your hardware, and you’ll need to contact your Cisco Account Team to buy new hardware with new licenses attached to it. The whole SNT and SWSS cycle starts again.
The lesson here is to always ensure that your Smartnet and Software subscriptions remain in sync to avoid these scenarios that we see all too often. The larger the environment, the higher the operational overhead this creates.
Operational challenges
There are significant challenges, especially in larger and geographically dispersed organizations, to keep your support and Cisco licensing in harmony given that growth and purchasing needs can originate from various sides of the business. Different teams and cost centres can also have their own strategies as to what they consider best practices. This leads to a lot of operational challenges and it’s not uncommon to sense dread in an organization around “renewal time.”
This is the bane of most IT and procurement teams as it requires a lot of manual inventory, reconciliation, lifecycle management and roadmap reviews. Many Excel spreadsheets are passed around and many meeting hours are used up for a process that should take a fraction of the time. This continuous burden and pushback from customers forced Cisco to think and innovate around the issue.
This think tank led to the formation of Cisco Enterprise Agreements.
Cisco Enterprise Agreements
Cisco Enterprise Agreements came to light when organizations asked for a more agile way of handling their Cisco licensing needs, especially when considering that the majority of the new Cisco platforms are software-centric and are best utilised with software features enabled.
The goal of the Cisco Enterprise Agreement is twofold: reduce overall cost vs a perpetual licensing model and demonstrate a significant reduction in operational overhead.
You can find an in-depth look at Cisco Enterprise Agreements here.
The Tesrex Review & Renew is a two-week process that will pinpoint all the areas where you can save money and streamline management. Click here to learn more about this no-obligation engagement.
This is the first article in our series concerning Cisco Licensing and Enterprise Agreements.
You can read Part 2 here.
Cisco licenses play an important role in upgrading Cisco hardware. The HSEC-K9 license and the SEC-K9 license are both designed for Cisco ISR G2 routers. So what is the difference between the SEC-K9 license and the HSEC-K9 license?
What’s the main difference between SEC-K9 and HSEC-K9 license?
The HSEC-K9 license removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. HSEC-K9 is available only on the Cisco 2921, Cisco 2951, Cisco 3925, Cisco 3945, Cisco 3925E, and Cisco 3945E. With the HSEC-K9 license, the ISR G2 router can go over the curtailment limit of 225 tunnels maximum for IP Security (IPsec) and encrypted throughput of 85-Mbps unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps. The Cisco 1941, Cisco 2901, and Cisco 2911 already have maximum encryption capacities within export limits.
The HSEC license and curtailment were introduced in the Cisco IOS Software Release 15.0(1)M1 and will be enforced on all images following that release.
Designed to comply with both local and U.S. export requirements for global distribution to all countries, the SEC-K9 license enables standard encryption (VPN payload and secure voice) on the ISR G2 platforms. This license enforces a curtailment on the maximum number of encrypted tunnels and the maximum encrypted throughput on the ISR G2 platforms. The SEC-K9 license limits the number of concurrent encrypted sessions and maximum encrypted throughput per device. This limit helps ensure that the ISR G2 complies with U.S. government export restrictions regardless of the final destination country.
If you purchase a Cisco ISR G2 chassis and later decide to turn on security features, you must buy a SEC-K9 license. The administrator must download the license to the router and follow the license installation instructions that come with the license to be able to use the security features on the router.
The SEC-K9 permanent licenses apply to the Cisco 1900, 2900, and 3900 ISR G2 platforms; these licenses limit all encrypted tunnel counts to 225 tunnels maximum for IP Security (IPsec), Secure Sockets Layer VPN (SSL VPN), a secure time-division multiplexing (TDM) gateway, and secure Cisco Unified Border Element (CUBE) and 1000 tunnels for Transport Layer Security (TLS) sessions.
The SEC-K9 license limits encrypted throughput to less than or equal to 85-Mbps unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps. This requirement applies for the Cisco 1900, 2900, and 3900 ISR G2 platforms.
All threat defense and VPN features that are supported on the Cisco ISR G2 routers are functionally available for configuration with the SEC-K9. The image that includes this license is the universal-k9 image. For example, the Cisco IOS release version is c3900-universalk9-mz.SPA.150-1.M1.
To order the licenses as spares, you need the output of the following command-line interface (CLI) command: show license udi, shown at the end of this section. You must enter the product ID (PID) and the serial number into the tool to complete the order. This information makes the license unique for a particular router, and the license is not transferable between routers.
The command output follows:
3925-perf#sh license udi
Device#   PID                SN            UDI
-----------------------------------------------------------------
*0        C3900-SPE100/K9    FOC133037J9   C3900-SPE100/K9:FOC133037J9
For more information about software license activation on the ISR G2 platforms, please visit: https://www.cisco.com/en/US/docs/routers/access/sw_activation/SA_on_ISR.html
You can order the HSEC-K9 license from the Cisco.com website for the Cisco 2900, 3900 ISR G2, 3925E and 3945E platforms. You can order the HSEC license as a spare for e-delivery.
After you complete the ordering, the license is delivered as an attachment in an email message. The attachment has a “.lic” suffix. For example, FOC133037J9_20100322212822257.lic is a license file generated for a specific ISR G2 router.
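Because the license is tied to one router's PID and serial number, it is worth confirming that a delivered file belongs to the router in front of you before installing it. The following is an added example, not part of the original article or Cisco's tooling: it parses the `show license udi` output quoted above and compares the serial against the license file name. The `<serial>_<digits>.lic` naming pattern is an assumption inferred from the single file name shown on this page, and the function names are hypothetical.

```python
import re

# Output quoted on the page (separator row written with plain hyphens).
SHOW_LICENSE_UDI = """\
3925-perf#sh license udi
Device#   PID                SN            UDI
-----------------------------------------------------------------
*0        C3900-SPE100/K9    FOC133037J9   C3900-SPE100/K9:FOC133037J9
"""

ROW_RE = re.compile(r"^\*?(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# Assumption: file names follow <serial>_<digits>.lic, as in the page's example.
LIC_RE = re.compile(r"^([A-Z0-9]+)_(\d+)\.lic$")


def parse_udi(text):
    """Return [(pid, serial)] for rows whose UDI column equals PID:SN."""
    devices = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # prompt, header and separator rows
        _, pid, serial, udi = m.groups()
        if udi != f"{pid}:{serial}":
            raise ValueError(f"inconsistent UDI row: {line!r}")
        devices.append((pid, serial))
    return devices


def license_matches_router(lic_name, devices):
    """True only if the .lic file's serial prefix belongs to this router."""
    m = LIC_RE.match(lic_name)
    if not m:
        return False
    return any(serial == m.group(1) for _, serial in devices)
```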
You should perform all of the following steps on a Windows PC or laptop. Using an Apple Macintosh has been found to cause problems with loading and installation of the license on the router.
The email containing the license file also contains instructions to load and install the HSEC-k9 license on the ISR G2 router. Please follow the instructions carefully.
To begin with, the ISR G2 router should have a SEC-K9 security feature license that has already been installed on the router. If the router does not have a SEC-K9 license installed, you can purchase the license as a spare using the ordering tool from the Cisco.com website.
For more rules on ordering and stocking the ISR G2 HSEC-K9 license, you can read the Q&A for Cisco ISR G2 SEC and HSEC Licensing-Export Control: https://www.cisco.com/c/dam/en/us/products/collateral/routers/3900-series-integrated-services-routers-isr/qa_c67_606268.pdf
More examples related to Cisco 2900 router licenses are shared here:
Q1: We have installed a 60-day license for the security k9 on the Cisco 2900 router we got. We are trying to set up a client-to-site VPN on this and it still does not recognize the ipsec and isakmp commands. Is there a command I need to do to now enable ipsec and isakmp?
For the above problem, make sure your Cisco 2900 took the license: issue ‘show license’ and verify. Show license shows that it is in there and active. I rebooted and it still throws an error whenever I issue crypto ipsec or crypto isakmp.
Here is your problem: from “show license”
License State: Active, Not in Use, EULA accepted
“not in use” is the key. Try using “license modify priority securityk9 high” or the config command “license boot module c2900 tech securityk9” to make this feature in use, rather than not in use.
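The symptom in Q1 (a license that is installed and active but whose feature set is not in use) can be checked for automatically across collected `show license` output. The following is an added example, not part of the original post: the sample text is constructed in the layout of ISR G2 `show license` output, with only the securityk9 "License State" line taken from the page, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of ISR G2 "show license" output; only the
# securityk9 "License State" line is quoted from the page.
SAMPLE_SHOW_LICENSE = """\
Index 1 Feature: ipbasek9
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Priority: Medium
Index 2 Feature: securityk9
        Period left: 8  weeks 3  days
        License Type: EvalRightToUse
        License State: Active, Not in Use, EULA accepted
        License Priority: None
Index 3 Feature: datak9
        Period left: Not Activated
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Priority: None
"""

INDEX_RE = re.compile(r"^Index\s+\d+\s+Feature:\s*(\S+)")
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")


def parse_show_license(text):
    """Return {feature: {field: value}} parsed from 'show license' output."""
    features, current = {}, None
    for line in text.splitlines():
        m = INDEX_RE.match(line)
        if m:
            current = features.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return features


def active_not_in_use(features):
    """Features whose License State is Active but still 'Not in Use'."""
    flagged = []
    for name, fields in features.items():
        state = fields.get("License State", "")
        flags = [part.strip().lower() for part in state.split(",")]
        if "active" in flags and "not in use" in flags:
            flagged.append(name)
    return flagged
```

A router that reports securityk9 here has the license installed but will still reject the crypto commands until the feature is brought into use as described in the answer above.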
Q2: We know the ISR2 series included VPN hardware acceleration but there is a “HSEC” which included an “advanced” encryption card. We are just trying to get my head around it. Is the HSEC bundle really needed over the standard SEC bundle? Now we need to support a 50meg Internet connection with 4 Site-to-Site VPNs and use of the firewall, NAT and QOS on each router. We are looking at the Cisco2921-SEC/K9 bundle. Does this sound about right?
Ahem, if your internet link is 50mb, then a 2921 (non-HSEC) can handle the encryption/decryption. The standard SEC license comes with a software-based rate limiter of 85 Mbps each way. If the protocol does not handle loss/retransmissions very well, throughput can easily plummet. Testing in a lab environment with two Cisco 2921s, I saw speeds drop to 25 Mbps.
Cisco License Installation
Also, info on the HSEC license can be found here in regards to what it is and what it does for you. It allows for additional throughput for encrypted traffic and a higher number of VPN tunnels.