[c-nsp] Rehosting a perpetual CSR1000V license
Chris Jones
chrisj at aprole.com
Thu Jul 23 05:57:04 EDT 2020
> On 23 Jul 2020, at 18:59, Mark Tinka <mark.tinka at seacom.com> wrote:
>
>
>
>> On 23/Jul/20 10:43, Lukas Tribus wrote:
>>
>> You just need a route to a HTTP proxy (like tinyproxy) in your FIB,
>> just like you already need reachability for monitoring systems, NMS,
>> radius servers etc.
>
> All those monitoring systems live in the IGP, which is in FIB.
>
>
>>
>> No default route or full table necessary on any boxes, just IP
>> reachability of a single, very simple forwarding proxy.
>
> Things that call home into the cloud tend to be a bit flaky. Adding a
> proxy to that can mix things up quite nicely, and I'd prefer to avoid
> that altogether.
>
+1 on that - this is precisely why we went down the SSM route and not “proxy direct to cloud”
>
>> - if the Cisco Licensing Cloud suddenly denies valid licenses due to
>> temporary technical problems
>
> I would expect that the SSM server has some grace period during which it
> can lose communication with the mothership before starting to become a
> threat to local operations. Not having that would be bad design, as the
> Internet is well, not infallible. Those with SSM can enlighten us.
SSM only needs to check in once a year (if I remember correctly) before things REALLY break, and generally once a month if you don’t want it to alarm. So loss of comms doesn’t faze it too much.
It’s got an airgapped mode where it can be synced via a “sneaker net” file rather than direct https comms to Cisco, too. Not so much an issue for most SP networks I’d suggest, but I imagine it comes in useful in some circumstances where you’re dealing with a network with no internet access at all.
As a final point the routers also have a grace period (measured in days, but I forget how long - our SSM box stays up without too many issues other than patching) - so losing SSM for a short period of time isn’t going to cause a problem.
>
>
>>
>> - if the US gov suddenly imposes sanctions against your country (and
>> in the simplest scenario - you are unable to pay for subscriptions
>> because international payments are blocked - this is happening right
>> now between RIPE and Iranian LIRs)
>
> Well, this affects you even when you don't have an on-prem SSM server, then.
>
> In our case, it helps to have backbone in other continents...
>
> Mark.