[c-nsp] IOS-XE Smart licensing

Hank Nussbacher hank at interall.co.il
Wed Feb 24 09:46:20 EST 2021


On 24/02/2021 13:28, Dave Bell wrote:

Thanks.  I was afraid of that.

Based on:
https://community.cisco.com/t5/routing/c5921-smart-licensing-fail-to-send-out-call-home-http-message/td-p/3860001

It appears to be using http (not https?) to connect to:
http://tools.cisco.com/its/service/oddce/services/DDCEService

Seriously?!  No https?

And is it only gonna connect to 173.37.145.8 or will other IPs try to 
connect?  So should I create some ACL to *only* allow 173.37.145.8:80 to 
protect my routers?

What have others done?

-Hank

> I believe it's required that it must stay there.
> 
> You can run an on-prem version of the manager which your routers can 
> call in to. This will then call into Cisco for you.
> 
> https://www.cisco.com/c/en/us/buy/smart-accounts/software-manager.html 
> 
> It's all a massive pain. We have kit that randomly stops calling in, and 
> generates angry messages in dashboards.
> 
> The sneaky alternative is that it's all honour based anyway (at least 
> for the range we are using). Just let it sit in eval mode and move on 
> with your life.
> 
> Regards,
> Dave
> 
> On Wed, 24 Feb 2021 at 11:22, Hank Nussbacher <hank at interall.co.il> wrote:
> 
>     So we bought a bunch of ASR1009x along with IOS-XE and are encountering
>     the joy of Smart licensing.
> 
>     Once we have our license established, do we need to leave the
>     "call-home" section?
> 
>     To me it screams "security violation" and something I'd like to
>     permanently disable after getting the license activated.
> 
>     Or does Cisco like to have their routers constantly ping the mothership
>     in regards to the licensing?
> 
> 
>     Regards,
> 
>     Hank
> 


