© 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 13 Integrated Services Router Generation Two (ISR-G2) (1900, 2900, 3900) Software Licensing Overview Revised December 20, 2011 Provided by Technical Services

Integrated Services Router

Generation Two (ISR-G2)

(1900, 2900, 3900)

Software Licensing Overview

Revised

December 20, 2011

Provided by

Technical Services

Table of Contents

Scope
The Universal Image
Migration Table
Description of Licenses Available
Technology Package and Feature Licenses
    Technology Package Licenses
    Feature Licenses
Right To Use (RTU) Migration
    RTU Releases
        Preceding RTU
        Existing RTU
        Lifetime RTU
    Migration Paths
        Preceding RTU —> Existing/Lifetime RTU
        Existing RTU —> Lifetime RTU
        Lifetime RTU (After Migration)
The Security Technology Package Evaluation Right to Use License
    Activating the Security Technology Package
    Acceptance of the End User License Agreement (EULA)
Noteworthy License Commands
    Technology-Package License Activation and Deactivation Commands
    License Show Commands
    Other License Commands
Terminology

Scope

This document was created to provide an overview of Cisco's ISR G2 software licensing. The

information contained in this document was extracted from Cisco's White Paper on this topic as well

as Cisco’s ISR-G2 IOS Software Activation Guide. Please refer to these documents for more

information.

The Universal Image

With the introduction of the new wave of ISRs, Cisco is taking the opportunity to change the way IOS

software is packaged. Previously, each platform and release version would result in between seven

and eleven different IOS images with different features and capabilities in every image.

With the next generation (G2) ISRs, all features are included in a single Universal Image. Two

universal images are available on each platform:

1. Universal images with the "universalk9" designation in the image name: This universal image

offers all the Cisco IOS features including strong crypto features such as VPN payload, Secure

UC etc. The strong enforcement of encryption capabilities provided by Cisco Software

Activation satisfies requirements for the export of encryption capabilities.

2. Universal images with the "universalk9_npe" designation in the image name: Some countries

have import requirements that require that the device does not support any strong crypto

functionality such as VPN payload etc. in any form. To satisfy the import requirements of those

countries, this universal image does not support any strong payload encryption such as VPN

payload, secure voice, etc.

Premium features beyond what is included in the default IP Base package are generally grouped into

three major Technology Packages: Data, Security and Unified Communications. These three

packages represent the vast majority of features available in IOS.

In addition to the three major Technology Packages, additional Feature Licenses are available for

premium features requiring subscription services or counted quantities.

Each ISR G2 ships with a Universal image that contains all Cisco IOS features. IPBase, DATA, UC

(Unified Communications) and SEC (Security) technology packages are enabled in the universal

image via Cisco Software Activation licensing keys. Each licensing Key is unique to a particular

device and is obtained from Cisco by providing the Product ID and Serial Number of the router and a

Product Activation Key (PAK), which is provided by Cisco at time of software purchase. Cisco installs

license key(s) for software specified at time of initial router purchase.

Migration Table

| Previous 12.4 Feature Set | Recommended Technology Package Licenses |
| --- | --- |
| IP Base | IPBASE |
| IP Voice | UC |
| Enterprise Base | DATA |
| Enterprise Services | DATA + UC |
| SP Services | DATA + UC |
| Advanced Security | SEC |
| Advanced IP Services | SEC + UC + DATA |
| Advanced Enterprise Services | SEC + UC + DATA |

Note: Default memory configuration for an ISR G2 is 512MB of DRAM and 256MB of Flash.

This configuration will support the activation of all Technology Package Licenses.

Description of Licenses Available

Permanent: A Permanent License is a license that never expires. Once a permanent license is

installed on a router, it is good for that particular feature set for the life of the router even across IOS

versions. For example, once a UC, Security or Data license is installed on a router, the subsequent

features for that license will be activated even if the router is upgraded to a new IOS release. A

permanent license is the most common license type used when a feature set is purchased for a

device.

Evaluation: An evaluation license has gone through three revisions on the ISR-G2 devices. The first

version was also known as a Temporary license and was good for 60 days. After the 60 days of

activation the license would expire and the features for that license would quit working. Cisco later

revised this license so that it would not expire for 12 years. This was only intended to be a temporary

solution until Cisco could move to the final version. This last version brought back the 60 day

evaluation period, but this license automatically transitions into a Right-To-Use (RTU) license after that

period.

The IOS running on the ISR-G2 determines what version of the Evaluation license is available. The

following table breaks out IOS releases by Evaluation license version:

| Preceding RTU | Existing RTU | Lifetime RTU |
| --- | --- | --- |
| 60 day Evaluation License. Could not be extended. | Initial RTU support. Provided 12-year Evaluation License. Intended to be a temporary solution until Lifetime RTU support was available. | Initial evaluation period of 60 days. Transition to Lifetime RTU license without customer intervention. Agreement of EULA. |
| 15.0(1)M; 15.0(1)M1; 15.0(1)M2; 15.0(1)M3; 15.1(1)T; 15.1(1)T1; 15.1(2)T; 15.1(2)T1 | 15.0(1)M4; 15.0(1)M5; 15.1(1)T2; 15.1(1)T3; 15.1(2)T2; 15.1(2)T3; 15.1(3)T; 15.1(3)T1; 15.1(4)M | 15.0(1)M6 or later; 15.1(1)T4 or later; 15.1(2)T4 or later; 15.1(3)T2 or later; 15.1(4)M1 or later; 15.2(1)T or later |

Right to Use (RTU): Starting with Cisco IOS Releases 15.0(1)M6, 15.1(1)T4, 15.1(2)T4, 15.1(3)T2,

and 15.1(4)M, Evaluation Licenses are replaced with Evaluation Right To Use licenses. Evaluation

Right to Use licenses automatically become Right to Use licenses after the initial evaluation period of

60 days. These licenses are available on the honor system and require the customer’s acceptance of

the End User License Agreement (EULA). The EULA is automatically applied to all Cisco IOS

software licenses.

Counted: A Counted License is a license that actually counts something in the router. A typical

example would be the number of SSLVPN connections possible on a router. These are analogous to

the counted paper licenses used with routers in the past. However, with the new Cisco Software

Activation infrastructure the management of these licenses is greatly simplified.

Subscription: A Subscription License is a license that allows access to a feature or capability for a

given amount of time unless the subscription is renewed. Subscription Licenses typically relate to

regular updates from a third party service such as a Content Filtering License which provides regular

updates from a filtering database.

Technology Package and Feature Licenses

Technology Package Licenses

| Technology Package | Description |
| --- | --- |
| IPBase | Offers features found in IPBase IOS image on ISR 1800, 2800 and 3800 + Flexible Netflow + IPV6 parity for IPV4 features present in IPBase. Some of the key features are AAA, BGP, OSPF, EIGRP, ISIS, RIP, PBR, IGMP, Multicast, DHCP, HSRP, GLBP, NHRP, HTTP, HQF, QoS, ACL, NBAR, GRE, CDP, ARP, NTP, PPP, PPPoA, PPPoE, RADIUS, TACACS, SCTP, SMDS, SNMP, STP, VLAN, DTP, IGMP, Snooping, SPAN, WCCP, ISDN, ADSL over ISDN, NAT—Basic X.25, RSVP, NTP, Flexible Netflow etc. |
| SEC (Security) | Offers the security features found in Advanced Security IOS image on ISR 1800, 2800 and 3800, e.g. IKE v1 / IPsec / PKI, IPsec/GRE, Easy VPN w/ DVTI, DMVPN, Static VTI, Firewall, Network Foundation Protection, GETVPN etc. |
| DATA | Data features found in SP Services and Enterprise Services IOS image on ISR 1800, 2800 and 3800, e.g. MPLS, BFD, RSVP, L2VPN, L2TPv3, Layer 2 Local Switching, Mobile IP, Multicast Authentication, FHRP—GLBP, IP SLAs, PfR, DECnet, ALPS, RSRB, BIP, DLSw+, FRAS, Token Ring, ISL, IPX, STUN, SNTP, SDLC, QLLC etc. |
| UC (Unified Communication) | Offers the UC Features found in IPVoice IOS image on ISR 1800, 2800 and 3800, e.g. TDM/PSTN Gateway, Video Gateway [H320/324], Voice Conferencing, Codec Transcoding, RSVP Agent (voice), FAX T.37/38, CAC/QOS, Hoot-n-Holler etc. |

Note: UC is not supported on 1941 routers.

IP Base comes shipped as a permanent license on all ISR-G2 devices. The other three technology packages (Data, Security, and Unified Communications) come with an Evaluation license as the default, but a permanent license may be purchased.

Note: To complete the CCNA Security and CCNP labs, the Security Technology Package activation is required. Data and Unified Communications are not needed with the current curricula.

Feature Licenses

Software Activation Feature Licenses

| Feature License Name | Prerequisites | License Type |
| --- | --- | --- |
| SSLVPN | IPBase + SEC (Seck9 only) | Counted |
| Intrusion Prevention | IPBase + SEC | Subscription |
| Content Filtering | IPBase + SEC | Subscription |
| SNA Switching | IPBase + DATA | Permanent |
| GateKeeper | IPBase + UC | Permanent |
| CUE | IPBase + UC | Counted |
| Lawful Intercept | IPBase + SEC + UC + DATA | Permanent |

Note: Software Activation Feature Licenses are typically upgrades to one or more Technology

Package Licenses and can be included on new routers or upgraded through Cisco

Software Activation.

Right To Use (RTU) Migration

This section describes migrating to an Existing or Lifetime RTU release and recommends actions to take before upgrading. First determine which release your router is running, then follow the recommended actions, if any.

RTU Releases

Preceding RTU

Preceding RTU releases are the IOS releases that customers run with 60 days of evaluation licenses. These include the following releases:

• 15.0(1)M; 15.0(1)M1; 15.0(1)M2; 15.0(1)M3

• 15.1(1)T; 15.1(1)T1

• 15.1(2)T; 15.1(2)T1

Customers running these releases with evaluation licenses and planning to upgrade to Existing or Lifetime RTU releases are affected.

Existing RTU

Initial RTU support was provided in the Existing RTU releases listed below:

• 15.0(1)M4; 15.0(1)M5

• 15.1(1)T2; 15.1(1)T3

• 15.1(2)T2; 15.1(2)T3

• 15.1(3)T; 15.1(3)T1

• 15.1(4)M

This arrangement effectively provided 12-year evaluation licenses and was intended to be a temporary solution until Lifetime RTU support was available. This temporary RTU solution provided immediate relief for customers facing licensing-related overhead.

Lifetime RTU

A Lifetime RTU release license includes the following:

1. Initial evaluation period of 60 days

2. Transition to Lifetime RTU license without customer intervention

RTU transition warning and completion Syslogs/Traps are provided 10 days and 5 days before transition and on the actual day of transition.

Customers running the following Lifetime RTU releases are not impacted:

• 15.0(1)M6 or later

• 15.1(1)T4 or later

• 15.1(2)T4 or later

• 15.1(3)T2 or later

• 15.1(4)M1 or later

• 15.2(1)T or later

Migration Paths

There are two IOS release migration paths a typical customer must take to upgrade to an Existing or Lifetime RTU release.

Preceding RTU —> Existing/Lifetime RTU

This procedure covers customers running IOS Preceding RTU releases with evaluation licenses that have not expired and wishing to migrate to Existing or Lifetime RTU releases. The Existing/Lifetime RTU license keys have changed and require re-acceptance of the end user license agreement. A migration performed without the recommended upgrade procedure results in a loss of functionality related to features that relied on the presence of Preceding RTU license. Before upgrading, perform the following steps:

Step 1: On the Preceding RTU router, save the startup-config to a location of your choice; it could be a compact flash, tftp server, etc. Note: If any other configuration is required before upgrade, this must be completed and the configuration should be saved before proceeding with this step. The example below is for a tftp server.

Router# copy startup-config tftp://<tftp_server>/<user_id>/startup-config

Step 2: Edit the startup-config and add the "license accept end user agreement" line, as shown below, right after the "license udi pid …." entry.

license udi pid C3900-SPE250/K9 sn FHH1313001U
license accept end user agreement

Step 3: Copy the startup-config back to the Preceding RTU router. The example below is for a tftp server.

Router# copy tftp://<tftp_server>/<user_id>/startup-config startup-config

Step 4: Do not save the configuration.

Step 5: Reload the router, without saving the configuration, with the upgrade release, either Existing or Lifetime RTU release. After reload, you can see that the configurations related to licenses are rejected.

Step 6: Do not save the configuration.

Step 7: Immediately reload again, without saving the configuration, with the same Existing or Lifetime RTU release. After reload, all the configurations are preserved.

Step 8: Verify license-related configurations and feature functionality.

Existing RTU —> Lifetime RTU

This procedure covers customers running IOS Existing RTU releases with Eval/RTU licenses and wishing to upgrade to Lifetime RTU releases. The Lifetime RTU license keys have changed and require re-acceptance of the end user license agreement. A migration performed without the recommended upgrade procedure results in a loss of functionality related to features that relied on the presence of Existing RTU release license. Before upgrading, perform the following steps:

Note: If the global "license accept end user agreement" has already been performed on the Existing RTU release router, then Steps 1 and 2 can be skipped.

Step 1: On the Existing RTU release router, configure the global end user license agreement:

Router(config)# license accept end user agreement

Step 2: Save the configuration.

Router# write

Step 3: Upgrade to Lifetime RTU IOS Release.
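Which of the two procedures applies depends on where the running and target releases fall in the release lists above. The following Python sketch is an added example, not part of the Cisco document: it classifies an IOS release string against those lists and names the pre-upgrade procedure. The path labels are hypothetical, and treating "15.2(1)T or later" as every release numbered 15.2(1) and up is an assumption.

```python
import re

# Release lists copied from the page's RTU tables.
PRECEDING = {"15.0(1)M", "15.0(1)M1", "15.0(1)M2", "15.0(1)M3",
             "15.1(1)T", "15.1(1)T1", "15.1(2)T", "15.1(2)T1"}
EXISTING = {"15.0(1)M4", "15.0(1)M5", "15.1(1)T2", "15.1(1)T3",
            "15.1(2)T2", "15.1(2)T3", "15.1(3)T", "15.1(3)T1", "15.1(4)M"}
# "<release> or later" entries: train -> first Lifetime RTU rebuild number.
LIFETIME_FIRST_REBUILD = {(15, 0, 1, "M"): 6, (15, 1, 1, "T"): 4,
                          (15, 1, 2, "T"): 4, (15, 1, 3, "T"): 2,
                          (15, 1, 4, "M"): 1}
# Assumption: "15.2(1)T or later" covers every release numbered 15.2(1) and up.
LIFETIME_FLOOR = (15, 2, 1)

_RELEASE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]+)(\d*)$")

# Hypothetical labels for the two procedures the page describes.
PATHS = {
    ("preceding", "existing"): "edit-startup-config-and-reload-twice",
    ("preceding", "lifetime"): "edit-startup-config-and-reload-twice",
    ("existing", "lifetime"): "accept-eula-save-then-upgrade",
}


def parse_release(text):
    """Split an IOS release such as '15.1(2)T3' into comparable parts."""
    match = _RELEASE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised IOS release string: {text!r}")
    major, minor, maint, train, rebuild = match.groups()
    return int(major), int(minor), int(maint), train, int(rebuild or 0)


def classify(text):
    """Return 'preceding', 'existing', 'lifetime' or 'unknown'."""
    major, minor, maint, train, rebuild = parse_release(text)
    name = f"{major}.{minor}({maint}){train}{rebuild or ''}"
    if name in PRECEDING:
        return "preceding"
    if name in EXISTING:
        return "existing"
    first = LIFETIME_FIRST_REBUILD.get((major, minor, maint, train))
    if first is not None and rebuild >= first:
        return "lifetime"
    if (major, minor, maint) >= LIFETIME_FLOOR:
        return "lifetime"
    return "unknown"  # e.g. 12.4 images, which the page's lists do not cover


def migration_path(running, target):
    """Name the pre-upgrade procedure the page prescribes for this upgrade."""
    src, dst = classify(running), classify(target)
    if "unknown" in (src, dst):
        return "not-covered"
    if src == "lifetime" and dst == "lifetime":
        return "not-impacted"
    # Downgrades and same-category moves are not described on the page.
    return PATHS.get((src, dst), "not-covered")
```

Running the check before the reload matters because, as the page states, an upgrade performed without the matching procedure loses the features that relied on the earlier RTU license.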

Lifetime RTU (After Migration)

Once you migrate to a Lifetime RTU release, as the license keys have changed, the RTU license restarts from time zero. This means that for the first 60 days, the Lifetime RTU license is considered to be in evaluation mode. The show CLI output displays "EvalRightToUse" for the initial 60 days. An example of this output is shown below.

Router# show license
Index 4 Feature: datak9
        Period left: 8 weeks 4 days
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Low

After approximately 60 days, the Lifetime RTU license transitions to "RightToUse" without any further customer intervention. Syslogs and Traps are sent 10 days and 5 days before transition and on the actual day of transition to provide notice of pending/completion of license transition. After the transition, the show CLI output displays "RightToUse" for the License Type. An example of this output is shown below.

Router# show license
Index 4 Feature: datak9
        Period left: Life time
        License Type: RightToUse
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Low
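The fields in this output can be checked mechanically when verifying a router after migration. The following Python sketch is an added example, not part of the Cisco document: it parses captured "show license" text and reports required features that are not active or are still in the evaluation period. It assumes one field per line; the datak9 entry is the page's sample, while the securityk9 and uck9 entries are constructed for illustration.

```python
import re

# Constructed sample: datak9 is the page's example, one field per line;
# the securityk9 and uck9 entries are invented for illustration.
SAMPLE = """\
Index 1 Feature: securityk9
        Period left: Life time
        License Type: RightToUse
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Low
Index 3 Feature: uck9
        Period left: Not Activated
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 4 Feature: datak9
        Period left: 8 weeks 4 days
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Low
"""

_HEADER = re.compile(r"^Index\s+(\d+)\s+Feature:\s*(\S+)")
_FIELD = re.compile(r"^\s+([A-Za-z ]+?):\s*(.*)$")
_DAYS_PER_UNIT = {"week": 7, "day": 1}


def parse_show_license(text):
    """Turn 'show license' text into one dict per license entry."""
    entries, current = [], None
    for line in text.splitlines():
        header = _HEADER.match(line)
        if header:
            current = {"Index": int(header.group(1)),
                       "Feature": header.group(2)}
            entries.append(current)
            continue
        field = _FIELD.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2).strip()
    return entries


def period_left_days(value):
    """Convert '8 weeks 4 days' to whole days; None when no period is given."""
    parts = re.findall(r"(\d+)\s+(week|day)s?", value)
    if not parts:
        return None  # "Life time", "Not Activated", or an unknown format
    return sum(int(count) * _DAYS_PER_UNIT[unit] for count, unit in parts)


def audit(entries, required):
    """List required features that are missing, inactive or in evaluation."""
    by_feature = {entry["Feature"]: entry for entry in entries}
    findings = []
    for feature in sorted(required):
        entry = by_feature.get(feature)
        if entry is None:
            findings.append(f"{feature}: no license entry")
            continue
        state = entry.get("License State", "")
        if not state.startswith("Active"):
            findings.append(f"{feature}: state is '{state}'")
        elif entry.get("License Type") == "EvalRightToUse":
            days = period_left_days(entry.get("Period left", ""))
            findings.append(
                f"{feature}: evaluation RTU, {days} days until transition")
    return findings
```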

The Security Technology Package Evaluation Right to Use License

The Security Technology License needs to be activated on the ISR-G2 devices to perform the labs in

the CCNA Security and CCNP curricula. Academies with a valid NetAcad Maintenance Contract are

authorized to use the Security Technology Package Right to Use (RTU) license. You will still need to

agree to the End-User License agreement (EULA).

Note: Activation of the Security Technology Package Right to Use license does not require a new

license key. NetAcad Maintenance is not providing a Permanent License where a new license key

would be needed. It is granting legal access for continued use of the Right to Use license beyond the

60 day evaluation period.

Activating the Security Technology Package

To activate the Security Technology Package on an ISR-G2 device perform the steps below. Technology package evaluation licenses are activated using the license boot module module-name technology-package package-name command:

1. enable

2. configure terminal

3. license boot module module-name technology-package securityk9

4. exit

5. write

6. reload

The module-name, in step 3, is replaced with either "c1900" or "c2900" depending on the router

model you are working on. Use the ? with the module command to see the module name for your

router.

Acceptance of the End User License Agreement (EULA)

Use the license accept end user agreement command in global configuration mode to configure a one-time acceptance of the EULA for all Cisco IOS software packages and features. After the command is issued and the EULA accepted, the EULA is automatically applied to all Cisco IOS software licenses; the EULA is not displayed and the user is not prompted to accept the EULA. The following example shows how to configure a one-time acceptance of the EULA:

Router(config)# license accept end user agreement

Noteworthy License Commands

Technology-Package License Activation and Deactivation Commands

(config)# license boot module <module name> technology-package <package-name> – Activates a Technology Package License.

(config)# license boot module <module name> technology-package <package-name> disable – Disables the technology package license.

Note: The above commands are entered in Global Configuration Mode. Once the command

has been executed then the configuration must be saved and the device rebooted for

the command to take effect.

License Show Commands

# show license all – Displays information about all licenses in the device.

# show license feature - Allows you to determine the licenses activated on the device.

# show license udi – Displays all the UDI values that can be licensed in a system. You need

the UDI of the device as part of the process to obtain a license.

# show version – The bottom of this output will display a summary table showing the status of

each Technology-Package License.

Other License Commands

(config)# license accept end user agreement – This global configuration mode command is

used to accept the End-User License Agreement (EULA). The EULA is

automatically applied to all Cisco IOS software licenses.

# license save credentials flash0:<filename> – Saves license credential information

associated with a device.

# license save flash0:<filename> – Saves a copy of all licenses in a device and stores them in a format required by the command on flash0. Other locations are also available and can be listed by using the "?" prompt. Note: Make sure to do this prior to issuing the "license clear" command as you will need a copy of this information to re-install a cleared license ("license install").

# license clear <LicenseName> – This command will remove a license on the device. Make sure you perform a "license save" prior to clearing a license.

# license install <file location & name> – Used to install a saved license. Please refer to the "license save" and "license clear" commands listed above.

Terminology

CLM (Cisco License Manager): Cisco License Manager is a standalone application from Cisco that

helps you rapidly deploy multiple Cisco software licenses across your networks. Cisco License

Manager can discover network devices, view their license information, and acquire and deploy

licenses from Cisco. The application provides a graphical user interface (GUI) that simplifies

installation and helps enable you to automate license acquisition, as well as perform multiple licensing

tasks from a central location. You can also use the Cisco License Manager application programming

interface (API) to create your own programs for performing licensing tasks. CLM is free of charge and

can be downloaded from CCO. CLM 3.0 will support ISR G2, and can support 500,000 devices.

CSA (Cisco Software Activation): The mechanism used to activate software features and

components on next-generation ISR G2. CSA is used to generate a unique license key for a feature

set or technology package on a specific device and activate that functionality on the ISR.

PAK (Product Authorization Key): A PAK is an 11 digit alpha numeric key created by Cisco

manufacturing and defines the Feature Set associated with the PAK. PAK is not tied to a specific

device until the license is created. A PAK can be purchased that generates any specified number of

licenses. The total number of licenses the PAK can generate is specified during the ordering process.

Regardless of the number of upgrades purchased, the customer will only receive one PAK per router

family type. Such PAKs are called multi-use PAKs or Bulk PAKs.

SAL (Software Activation License): An XML text file with a .lic extension that is provided by Cisco.

New devices are shipped with a Software Activation License pre-installed for features ordered with the

router. New functionality can be enabled with a new SAL. A Software Activation License (SAL)

enables specific functionality in the IOS Universal image. Each SAL is unique to a particular device

and cannot be used on a different device.

Software Claim Certificate: Used for licenses that require software activation. The claim certificate

provides the Product Activation Key (PAK) for your license and important information regarding the

Cisco End User License Agreement.

UDI (Unique Device Identifier): The Unique Device Identifier is made up of two components: the

Product ID (PID) and Serial Number (SN). Serial Number is an 11 digit number which uniquely

identifies a device. The Product ID identifies the type of device. This information can be found using

the show license UDI command on the router CLI. This information is also present on a pull-out label

tray found on the device (Pictured below).