[c-nsp] IOS-XE Smart licensing
Hagen Amen
hagen.a.amen at multco.us
Wed Feb 24 10:00:42 EST 2021
Hi,
you can also specify HTTPS:
source-interface Loopback0
http-proxy "<proxy-IP>" port 8080
no http secure server-identity-check
no destination transport-method email
profile "<myorg-profile>"
reporting smart-licensing-data
destination transport-method http
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
I do bounce my smart-account access through a proxy I manage. I found that
more comfortable than running their on-prem satellite, or letting my
devices phone-home directly.
ttyl,
Hagen Amen | Multco IT Networking
On Wed, Feb 24, 2021 at 6:48 AM Hank Nussbacher <hank at interall.co.il> wrote:
> On 24/02/2021 13:28, Dave Bell wrote:
>
> Thanks. I was afraid of that.
>
> Based on:
>
> https://community.cisco.com/t5/routing/c5921-smart-licensing-fail-to-send-out-call-home-http-message/td-p/3860001
>
> It appears to be using http (not https?) to connect to:
> http://tools.cisco.com/its/service/oddce/services/DDCEService
>
> Seriously?! No https?
>
> And is it only gonna connect to 173.37.145.8 or will other IPs try to
> connect? So should I create some ACL to *only* allow 173.37.145.8:80 to
> protect my routers?
>
> What have others done?
>
> -Hank
>
> > I believe it's required that it must stay there.
> >
> > You can run an on-prem version of the manager which your routers can
> > call in to. This will then call into Cisco for you.
> >
> > https://www.cisco.com/c/en/us/buy/smart-accounts/software-manager.html
> >
> > It's all a massive pain. We have kit that randomly stops calling in, and
> > generates angry messages in dashboards.
> >
> > The sneaky alternative is that it's all honour based anyway (at least
> > for the range we are using). Just let it sit in eval mode and move on
> > with your life.
> >
> > Regards,
> > Dave
> >
> > On Wed, 24 Feb 2021 at 11:22, Hank Nussbacher <hank at interall.co.il> wrote:
> >
> > So we bought a bunch of ASR1009x along with IOS-XE and are encountering
> > the joy of Smart licensing.
> >
> > Once we have our license established, do we need to leave the
> > "call-home" section?
> >
> > To me it screams "security violation" and something I'd like to
> > permanently disable after getting the license activated.
> >
> > Or does Cisco like to have their routers constantly ping the mothership
> > in regards to the licensing?
> >
> >
> > Regards,
> >
> > Hank
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > <mailto:cisco-nsp at puck.nether.net>
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > <https://puck.nether.net/mailman/listinfo/cisco-nsp>
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > <http://puck.nether.net/pipermail/cisco-nsp/>
> >
>
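An added example, not part of the original thread: a small Python check over a call-home stanza like the one posted above, reporting a cleartext destination URL, the disabled server identity check, and a missing http-proxy. The function name, finding labels and sample text (including the "call-home" header and the placeholder proxy address) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the stanza in the message above; the
# "call-home" header line and the 192.0.2.10 proxy address are placeholders.
SAMPLE = """\
call-home
 source-interface Loopback0
 http-proxy "192.0.2.10" port 8080
 no http secure server-identity-check
 profile "myorg-profile"
  destination transport-method http
  destination address http
  https://tools.cisco.com/its/service/oddce/services/DDCEService
"""

DEST = re.compile(r"^destination address http(?:\s+(\S+))?$")

def audit_call_home(config: str) -> list[str]:
    """Return finding labels (hypothetical names) for a call-home stanza."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings, urls, has_proxy = [], [], False
    for i, ln in enumerate(lines):
        if ln.startswith("http-proxy "):
            has_proxy = True
        elif ln == "no http secure server-identity-check":
            # The server identity check on the HTTPS session is switched off.
            findings.append("server-identity-check-disabled")
        elif (m := DEST.match(ln)):
            url = m.group(1)
            # Mail-wrapped config: the URL may have slipped to the next line.
            if url is None and i + 1 < len(lines):
                url = lines[i + 1]
            urls.append(url or "")
    for url in urls:
        scheme = urlparse(url).scheme.lower()
        if scheme == "http":
            findings.append(f"cleartext-destination:{url}")
        elif scheme != "https":
            findings.append(f"unrecognised-destination:{url}")
    if urls and not has_proxy:
        findings.append("direct-egress-no-proxy")
    return findings

if __name__ == "__main__":
    for finding in audit_call_home(SAMPLE):
        print(finding)
```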