CISCO Catalyst 9300 Series Switches User Guide

What to do next
After you configure a license level, the change is effective after a reload. To know if reporting is required, you can wait for a system message or refer to the policy-using show commands.

• The system message, which indicates that reporting is required: %SMART_LIC-6-REPORTING_REQUIRED: A Usage report acknowledgment will be required in [dec] days. [dec] is the amount of time (in days) left to meet reporting requirements.
• If using show commands, refer to the output of the show license status privileged EXEC command and check the Next ACK deadline field. This means a RUM report must be sent and the ACK must be installed by this date.

The method that you can use to send the RUM report, depends on the topology you have implemented. Refer to the workflow for the applicable topology in the How to Configure Smart Licensing Using Policy: Workflows by Topology section of the Smart Licensing Using Policy chapter in this guide.

Installing SLAC for an HSECK9 Key

This section shows you the various methods of installing SLAC for an HSECK9 key. Each method corresponds with a particular topology in the Smart Licensing Using Policy environment. For information about all the supported topologies, see the Supported Topologies section of the Smart Licensing Using Policy chapter in this guide.

Note The only topology that you cannot implement if you want to use an HSECK9 key, is Connected to CSSM Through a Controller. The “controller” here is Cisco DNA Center. The Cisco DNA Center GUI does not provide an option to generate a SLAC for Cisco Catalyst switches that support HSECK9.

**Installing SLAC: Connected Directly to CSSM

**

This task shows you how to request and install SLAC when the device (product instance), is directly connected to CSSM.

Before you begin

• Ensure that the device is one that supports HSECK9. See Supported Platforms and Releases, on page 2.
• Ensure you have the required number of HSECK9 keys in the applicable Smart Account and Virtual Account in CSSM.
• Ensure that you have completed Steps from 1 through 3 of the Connected Directly to CSSM topology. See Workflow for Topology: Connected Directly to CSSM.

Procedure

| Command or Action| Purpose
---|---|---
Step 1| enable

Example:

Device> enable

| Enables privileged EXEC mode. Enter your password, if prompted.
Step 2| license smart authorization request { add |

replace } _featurename { all | local }

Example:

Device# license smart authorization request add hseck9 local

| Requests a SLAC from CSSM or CSLU or SSM On-Prem.

•  Specify if you want to add to or replace an existing SLAC:

•  add : This adds the requested key to an existing SLAC. The new SLAC will contain all the keys of the

existing SLAC, and the requested key.

•  replace : This replaces the existing SLAC. The new SLAC will contain only the requested key. All HSECK9 keys in the existing SLAC are

returned. When you enter this keyword, the product instance checks if these existing keys are in-use. If they are, an error message is displayed, telling you to first disable the corresponding cryptographic

feature.

•  _featurename : Enter the name of the

export-controlled license for which you want to request an addition or a

replacement of the SLAC. Enter “hseck9” to request and install SLAC for the

HSECK9 key.

•  Specify the device by entering one of these options:

•  all : Gets the authorization code for all devices in a High Availability and stacking set-up.

| Command or Action| Purpose
---|---|---
| | Note If you have added a

device (where SLAC is not installed) to an

existing stack where SLAC is already installed, use the replace and all options. This requests SLAC for all the devices in the stack. You cannot

request SLAC for a particular member. Your only options are: either the active, or the entire stack.

•  local : Gets the authorization code for the active device in a High Availability and stacking set-up. This is the default option.

Step 3| (Optional) license smart sync { all | local }

Example:

Device# license smart sync local

| Triggers the product instance to synchronize with CSSM, or CSLU, or SSM On- Prem, to send and receive any pending data.

This step is optional and applies only to scenarios where the product instance is connected to CSSM, or CSLU or SSM

On-Prem, and where the product instance initiates communication. The corresponding topologies are: Connected Directly to CSSM , Connected to CSSM Through CSLU (product instance-initiated), and SSM On-Prem

Deployment (product instance-initiated communication).

Here, the command manually triggers synchronization and completes the SLAC installation process. Otherwise SLAC is applied to the product instance the next time the product instance contacts CSLU or SSM On-Prem.

What to do next
Required Tasks After Installing SLAC, on page 18

Installing SLAC: No Connectivity to CSSM and No CSLU

This task shows you how to request and install SLAC in an air-gapped network, where a device (product instance) cannot communicate online, with anything outside its network.
There are two parts to this task. The first part (in the first step) requires you to generate and download a SLAC file for each HSECK9 key, from CSSM – you will need a workstation that has connectivity to the Internet and the CSSM Web UI. Step 2 onwards are commands that you must configure to import a downloaded SLAC file into the product instance.

Before you begin

• Ensure that the device is one that supports HSECK9. See Supported Platforms and Releases, on page 2.
• Ensure you have the required number of HSECK9 keys in the applicable Smart Account and Virtual Account in CSSM.
• Ensure that you have completed Step 1 of the No Connectivity to CSSM and No CSLU topology. See Workflow for Topology: No Connectivity to CSSM and No CSLU.

Procedure

| Command or Action| Purpose
---|---|---
Step 1| Generating and Downloading SLAC from CSSM to a File| This task is performed on the CSSM Web UI.
Step 2| enable

Example:

Device> enable

| Enables privileged EXEC mode. Enter your password, if prompted.
Step 3| copy source filename bootflash:

Example:

Device# copy tftp://10.8.0.6/user01/example.txt bootflash:

| (Optional) Copies the file from its source location or directory to the flash memory of the product instance. You can also import the file directly from a remote location and install it on the product instance (next step).

•  source : This is the source location of file. The source can be either local or remote.

•  bootflash: : This is the destination for boot flash memory.

Step 4| license smart import _filepathfilename

Example:

Device# license smart import bootflash:example.txt

| Imports and installs the file on the product instance. For _filepathfilename , specify the location, including the filename. After installation, a system message displays the type of file you installed.

Note When installing SLAC for multiple product instances (as in a stacking set-up), ensure that you download a separate .txt SLAC

file for each UDI. Import and install one file at a time.

What to do next
Required Tasks After Installing SLAC, on page 18

Installing SLAC: Connected to CSSM Through CSLU (Product Instance-

Initiated)

This task shows you how to request and install SLAC when the device (product instance) is connected to CSSM through CSLU and where the product instance initiates communication, that is, the product instance is configured to push the required information to CSLU.

Before you begin

• Ensure that the device is one that supports HSECK9. See Supported Platforms and Releases, on page 2.
• Ensure you have the required number of HSECK9 keys in the applicable Smart Account and Virtual Account in CSSM.
• Ensure that you have completed Steps 1 through 3 of the Connected to CSSM Through CSLU (Product Instance-Initiated Communication) topology. See Workflow for Topology: Connected to CSSM Through CSLU → Tasks for Product Instance-Initiated Communication.

Procedure

| Command or Action| Purpose
---|---|---
Step 1| enable

Example:

Device> enable

| Enables privileged EXEC mode. Enter your password, if prompted.
Step 2| license smart authorization request { add |

replace } _featurename { all | local }

Example:

Device# license smart authorization request add hseck9 local

| Requests a SLAC from CSSM or CSLU or SSM On-Prem.

•  Specify if you want to add to or replace an existing SLAC:

•  add : This adds the requested key to an existing SLAC. The new SLAC will contain all the keys of the

existing SLAC, and the requested key.

•  replace : This replaces the existing SLAC. The new SLAC will contain only the requested key. All HSECK9 keys in the existing SLAC are

returned. When you enter this keyword, the product instance checks if these existing keys are in-use. If they are, an error message is displayed, telling you to first disable the corresponding cryptographic

feature.

| Command or Action| Purpose
---|---|---
| | •  _featurename : Enter the name of the

export-controlled license for which you want to request an addition or a

replacement of the SLAC. Enter “hseck9” to request and install SLAC for the

HSECK9 key.

•  Specify the device by entering one of these options:

•  all : Gets the authorization code for all devices in a High Availability and stacking set-up.

Note If you have added a device (where SLAC is not installed) to an

existing stack where SLAC is already installed, use the replace and all options. This requests SLAC for all the devices in the stack. You cannot

request SLAC for a particular member. Your only options are: either the active, or the entire stack.

•  local : Gets the authorization code for the active device in a High Availability and stacking set-up. This is the default option.

Step 3| (Optional) license smart sync { all | local }

Example:

Device# license smart sync local

| Triggers the product instance to synchronize with CSSM, or CSLU, or SSM On- Prem, to send and receive any pending data.

This step is optional and applies only to scenarios where the product instance is connected to CSSM, or CSLU or SSM

On-Prem, and where the product instance initiates communication. The corresponding topologies are: Connected Directly to CSSM , Connected to CSSM Through CSLU (product instance-initiated), and SSM On-Prem

Deployment (product instance-initiated communication).

| Command or Action| Purpose
---|---|---
| | Here, the command manually triggers

synchronization and completes the SLAC installation process. Otherwise SLAC is applied to the product instance the next time the product instance contacts CSLU or SSM On-Prem.

What to do next
Required Tasks After Installing SLAC, on page 18

**Installing SLAC: Connected to CSSM Through CSLU (CSLU-Initiated)

**

This task shows you how to request and install SLAC when the device (product instance) is connected to CSSM through CSLU and where CSLU initiates communication, that is, CSLU is configured to pull the required information from the product instance.
This task requires you to configure certain commands on the product instance, certain tasks in the CSSM Web UI, and certain tasks in the CSLU interface.

Before you begin

• Ensure that the device is one that supports HSECK9. See Supported Platforms and Releases, on page 2.
• Ensure you have the required number of HSECK9 keys in the applicable Smart Account and Virtual Account in CSSM.
• Ensure that you have completed Steps 1 through 3 of the Connected to CSSM Through CSLU (Product Instance-Initiated Communication) topology. See Workflow for Topology: Connected to CSSM Through CSLU → Tasks for CSLU-Initiated Communication.

Procedure

| Command or Action| Purpose
---|---|---
Step 1| enable

Example:

Device> enable

| Enables privileged EXEC mode. Enter your password, if prompted.
Step 2| license smart authorization request { add |

replace } _featurename { all | local }

Example:

Device# license smart authorization request add hseck9 local

| Requests a SLAC from CSSM or CSLU or SSM On-Prem.

•  Specify if you want to add to or replace an existing SLAC:

•  add : This adds the requested key to an existing SLAC. The new SLAC will contain all the keys of the

existing SLAC, and the requested key.

| Command or Action| Purpose
---|---|---
| | •  replace : This replaces the existing

SLAC. The new SLAC will contain only the requested key. All HSECK9 keys in the existing SLAC are

returned. When you enter this keyword, the product instance checks if these existing keys are in-use. If they are, an error message is displayed, telling you to first disable the corresponding cryptographic

feature.

•  _featurename : Enter the name of the

export-controlled license for which you want to request an addition or a

replacement of the SLAC. Enter “hseck9” to request and install SLAC for the

HSECK9 key.

•  Specify the device by entering one of these options:

•  all : Gets the authorization code for all devices in a High Availability and stacking set-up.

Note If you have added a device (where SLAC is not installed) to an

existing stack where SLAC is already installed, use the replace and all options. This requests SLAC for all the devices in the stack. You cannot

request SLAC for a particular member. Your only options are: either the active, or the entire stack.

•  local : Gets the authorization code for the active device in a High Availability and stacking set-up. This is the default option.

Step 3| Requesting SLAC for One or More Product Instance (CSLU Interface)| This task is performed on the CSLU interface.
| Command or Action| Purpose
---|---|---
Step 4| Generating and Downloading SLAC from CSSM to a File| This task is performed on the CSSM Web UI.
Step 5| Import from CSSM (CSLU Interface)| This task is performed on the CSLU interface. After you have completed it, the uploaded codes are applied to the product instances the next time CSLU runs an update.

What to do next
Required Tasks After Installing SLAC, on page 18

Installing SLAC: SSM On-Prem Deployment (Product Instance-Initiated)

This task shows you how to request and install SLAC when the device (product instance) is connected to SSM On-Prem and where the product instance initiates communication, that is, the product instance is configured to push the required information to SSM On-Prem. Here you first create a request file in SSM On-Prem, upload the request in the CSSM Web UI, generate SLAC, import the SLAC into the SSM On-Prem server. Finally configure the commands on the product instance to request and install SLAC.

Before you begin

• Ensure that the device is one that supports HSECK9. See Supported Platforms and Releases, on page 2.
• Ensure you have the required number of HSECK9 keys in the applicable Smart Account and Virtual Account in CSSM.
• Ensure that you have completed Steps 1 through 3 c. of the SSM On-Prem Deployment (Product Instance-Initiated) topology. See Workflow for Topology: SSM On-Prem Deployment → Tasks for Product Instance-Initiated Communication.

Procedure

| Command or Action| Purpose
---|---|---
Step 1| Submitting an Authorization Code Request (SSM On-Prem UI)| This task is performed on the SSM On-Prem UI.
Step 2| Generating and Downloading SLAC from CSSM to a File| This task is performed on the CSSM Web UI.
Step 3| enable

Example:

Device> enable

| Enables privileged EXEC mode. Enter your password, if prompted.
Step 4| license smart authorization request { add |

replace } _featurename { all | local }

Example:

| Requests a SLAC from CSSM or CSLU or SSM On-Prem.
| Command or Action| Purpose
---|---|---
| Device# license smart authorization request add hseck9 local| • Specify if you want to add to or replace an

existing SLAC:

| •  add : This adds the requested key to an existing SLAC. The new SLAC will contain all the keys of the

existing SLAC, and the requested key.

| •  replace : This replaces the existing SLAC. The new SLAC will contain only the requested key. All HSECK9 keys in the existing SLAC are

returned. When you enter this keyword, the product instance checks if these existing keys are in-use. If they are, an error message is displayed, telling you to first disable the corresponding cryptographic

feature.

| •  _featurename : Enter the name of the

export-controlled license for which you want to request an addition or a

replacement of the SLAC. Enter “hseck9” to request and install SLAC for the

HSECK9 key.

| •  Specify the device by entering one of these options:
| •  all : Gets the authorization code for all devices in a High Availability and stacking set-up.
| Note If you have added a device (where SLAC is not installed) to an

existing stack where SLAC is already installed, use the replace and all options. This requests SLAC for all the devices in the stack. You cannot

request SLAC for a particular member. Your only options are: either the active, or the entire stack.

| Command or Action| Purpose
---|---|---
| | •  local : Gets the authorization code for

the active device in a High Availability and stacking set-up. This is the default option.

Step 5| (Optional) license smart sync { all | local }

Example:

Device# license smart sync local

| Triggers the product instance to synchronize with CSSM, or CSLU, or SSM On- Prem, to send and receive any pending data.

This step is optional and applies only to scenarios where the product instance is connected to CSSM, or CSLU or SSM

On-Prem, and where the product instance initiates communication. The corresponding topologies are: Connected Directly to CSSM , Connected to CSSM Through CSLU (product instance-initiated), and SSM On-Prem

Deployment (product instance-initiated communication).

Here, the command manually triggers synchronization and completes the SLAC installation process. Otherwise SLAC is applied to the product instance the next time the product instance contacts CSLU or SSM On-Prem.

What to do next
Required Tasks After Installing SLAC, on page 18

Installing SLAC: SSM On-Prem Deployment (SSM On-Prem-Initiated)

This task shows you how to request and install SLAC when the device (product instance), is connected to SSM On-Prem and where SSM On-Prem initiates communication, that is, SSM On-Prem is configured to pull the required information from the product instance. Here you create a request file in SSM On-Prem, upload the request in the CSSM Web UI, generate SLAC, import it into the SSM On-Prem server. Finally, synchronize SSM On-Prem with the product instance.

Before you begin

• Ensure that the device is one that supports HSECK9. See Supported Platforms and Releases, on page 2.
• Ensure you have the required number of HSECK9 keys in the applicable Smart Account and Virtual Account in CSSM.
• Ensure that you have completed Steps 1 through 3 a. of the SSM On-Prem Deployment (Product Instance-Initiated) topology. See Workflow for Topology: SSM On-Prem Deployment → Tasks for SSM On-Prem Instance-Initiated Communication.

Procedure

| Command or Action| Purpose
---|---|---
Step 1| Submitting an Authorization Code Request (SSM On-Prem UI).| This task is performed in the SSM On-Prem UI.
Step 2| In the SSM On-Prem UI, navigate to Reports

Synchronisation pull schedule with the devices > Synchronise now with the device.

| This step is optional. If you don’t synchronize immediately after importing the codes, the uploaded codes are applied to the product instances the next time SSM On-Prem runs an update.

What to do next
Required Tasks After Installing SLAC, on page 18

Required Tasks After Installing SLAC
This task shows you the activities that you must complete after installing SLAC. The information here applies to all methods of installing SLAC.

Procedure

• Step 1 Verify SLAC installation and HSECK9 key usage.

  • Check that the authorization status in the output of the show license authorization privileged EXEC command displays: Status: SMART AUTHORIZATION INSTALLED on . This means SLAC is installed. If you have installed more than one SLAC (in a High Availability or stacking set-up), ensure that all connected devices display the above status.

  • Check that the usage status and count in the output of the show license summary privileged EXEC command displays: NOT IN USE and 0. This means that the HSECK9 key is available but is not in-use yet.

  • The following system messages are displayed after SLAC installation:

  • Error Message %SMART_LIC-6-AUTHORIZATION_INSTALL_SUCCESS: A new licensing authorization code was successfully installed on: [chars].
    [chars] is the UDI where the SLAC was installed.

  • %SMART_LIC-6-EXPORT_CONTROLLED: Usage of export controlled features is allowed for feature hseck9.

• Step 2 Configure the cryptographic feature.
  The following IPsec configuration is for example purposes only. For information about configuring the feature, see the Configuring IPsec chapter of the Security Configuration Guide, Cisco IOS XE (Catalyst 9300 Switches).
  Example:

  • Device# configure terminal
  • Enter configuration commands, one per line. End with CNTL/Z.
  • Device(config)# int tu10
  • Device(config-if)# tunnel mode ipsec ipv4
  • Device(config-if)# end

• Step 3 Again check HSECK9 key usage.
  After you configure the cryptographic feature, the usage status and count in the output of the show license summary privileged EXEC command changes to: IN USE and 1.
  Note The system counts only one HSECK9 key as IN USE at a given point in time. Even if you have installed SLAC on more than one device in a stacking step-up, the usage count in the output of the show license summary command displays only 1. This is because only oneHSECK9 key is used at a given point in time – the one on the active. The HSECK9 key on the standby is used when a switchover occurs. When the standby becomes the new active, usage count remains 1, because it is still only one key that is being used.

• Step 4 Check if reporting is required.
  The method that you can use to send the RUM report, depends on the topology you have implemented. Refer to the workflow for the applicable topology in the How to Configure Smart Licensing Using Policy: Workflows by Topology section of the Smart Licensing Using Policy chapter in this guide.
  To know if reporting is required, you can wait for a system message or refer to the policy using show commands.

  • The system message, which indicates that reporting is required: %SMART_LIC-6-REPORTING_REQUIRED:
    A Usage report acknowledgement will be required in [dec] days.
    [dec] is the amount of time (in days) left to meet reporting requirements.

  • If using show commands, refer to the output of the show license status privileged EXEC command. Check the Next ACK deadline field. You must send the RUM report and ensure that the ACK is installed by this date.

Returning a SLAC
This task shows you how to return a SLAC and return the HSECK9 key to your license pool in CSSM. You can use this task with all topologies.
You may want to return a SLAC and HSECK9 key under these circumstances:

• You no longer want to use the cryptographic feature, which requires an HSECK9 key.
• You want to return the device for Return Material Authorization (RMA), or decommission it permanently. When you return a device to Cisco, you have to configure the licence smart factory reset privileged EXEC command, which removes all licensing information (except the licenses in-use) from the product instance, including any authorization codes, RUM reports and so on. Before you perform a factory reset, return the SLAC code. We also recommend that you send a RUM report to CSSM before removing licensing information from the product instance.

Before you begin
Disable or unconfigure the cryptographic feature for which you used the HSECK9 key and ensure that the usage status for the HSECK9 key is NOT IN USE.

Procedure

| Command or Action| Purpose
---|---|---
Step 1| enable

Example:

Device> enable

| Enables privileged EXEC mode. Enter your password, if prompted.
Step 2| show license summary

Example:

Device# show license summary

License Usage:

| (Optional) Displays license usage summary. This step applies only if you are returning a SLAC.
| Command or Action| Purpose
---|---|---
| License           Entitlement Tag Count Status

————————————————————-

network-advantage (C9300-24 Network Advan…)    1 IN USE

dna-advantage      (C9300-24 DNA Advantage)   1 IN USE

network-advantage (C9300-48 Network Advan…)    2 IN USE

dna-advantage      (C9300-48 DNA Advantage)   2 IN USE

C9K HSEC       (Cat9K HSEC)

1 IN USE

| If the status of the HSECK9 key is displayed

as IN USE even after the cryptographic feature is disabled, then perform the next step. This is the case in the accompanying example

If the status of the HSECK9 key is displayed as NOT IN USE skip to Step 5.

Step 3| platform hsec-license-release

Example:

Device# configure terminal Device(config)# platform hsec-license- release

HSEC license is released Device(config)# exit

| (Optional) Enters the global configuration mode, releases the HSECK9 license, and returns to privileged EXEC mode.

If the cryptographic feature using the HSECK9 key has been disabled or unconfigured, and the it is still displayed as IN USE, this command

forces the system to change the HSECK9 key status to NOT IN USE.

Step 4| show license summary

Example:

Device# show license summary

License Usage:

License           Entitlement Tag Count Status

| Ensure that the status of the license or key that you want to return is NOT IN USE. If it is in-use, you must first disable the feature.

network-advantage (C9300-24 Network Advan…)    1 IN USE

dna-advantage      (C9300-24 DNA Advantage)   1 IN USE

network-advantage (C9300-48 Network Advan…)    2 IN USE

dna-advantage      (C9300-48 DNA Advantage)   2 IN USE

C9K HSEC          (Cat9K HSEC)

0 NOT IN USE

Step 5| license smart authorization return { all | local }

{ offline [ path ] | online }

Example:

Device# license smart authorization return all online

OR

Device# license smart authorization return all offline

Enter this return code in Cisco Smart

| Returns an authorization code back to the license pool in CSSM. A return code is displayed after you enter this command.

Specify the product instance:

•  all : Performs the action for all connected product instances in a High Availability or stacking set-up.

•  local : Performs the action for the active product instance. This is the default option.

| Command or Action| Purpose
---|---|---
| Software Manager portal:

UDI: PID:C9300X-24HX,SN:FOC2519L8R7

Return code:

Cr9JHx-L1x5Rj-ftwzg1-h9QZAU-LE5DT1-babWeL-FABPt9- Wr1Dn7-Rp7

OR

Device# license smart authorization return all

offline bootflash:return-code.txt

| Specify if you are connected to CSSM or not:

•  If connected to CSSM, or if you have implemented a topology where the product instance-initiates communication (CSLU or SSM On-Prem), enter online. The code is automatically returned to CSSM and a confirmation is returned and installed on the product instance. If you choose this option, the return code is automatically submitted to CSSM.

| •  If not connected to CSSM, or if you have implemented a topology with

CSLU-initiated or SSM On-Prem initiated communication, enter offline [ _filepathfilename ]. If you enter only the offline keyword, copy the return code that is displayed on the CLI and enter it in CSSM. If you save the return code to a file, you can copy the code from the file and enter the same in CSSM. The file

format can be any readable format (You

will not be uploading this). For example:

| Device# license smart authorization
| return local offline
| bootflash:return-code.txt
| Complete this task to enter the return code in CSSM: Entering a SLAC Return Code in CSSM and Removing a Product

Instance.

Step 6| show license authorization| Displays licensing information. Check the License Authorizations header in the output. If the return process is completed correctly, the Last return code: field displays the return

code.

| Example:
| Device# show license authorization
| License Authorizations

======================

Overall status:

Active: PID:C9300X-24HX,SN:FOC2519L8R7

| Status: NOT INSTALLED

Last return code:

Cr9JHx-L1x5Rj-ftwzg1-h9QZAU-LE5DT1-

babWeL-FABPt9-Wr1Dn7-Rp7 Standby:

PID:C9300X-48HXN,SN:FOC2524L39P Status: NOT INSTALLED

Member: PID:C9300X-48HX,SN:FOC2516LC92

| Status: NOT INSTALLED