IOS XE Smart Licensing Using Policy API

Product Instance Configuration

This section describes what you must configure on the product instance to enable your Smart Licensing application to communicate with the product instance.

Prerequisites

Ensure that the software version running on the product instance is a version that supports SLP. If the version is a supported one, SLP is enabled by default and the only available licensing model on the product instance.
SLP was first introduced in Cisco IOS XE Amsterdam 17.3.2.

Code Snippet
CopyDevice# show license status
Utility:
  Status: DISABLED

Smart Licensing Using Policy:
  Status: ENABLED

<output truncated>

Configuring a Management Interface and an IP Route

This section describes possible configurations, to establish communication between the product instance and your Smart Licensing application. Steps marked as "(Required)" are required for all product instances, all other steps may be required or optional, depending on the kind of product instance and network requirements.
Beginning in privileged EXEC mode, configure the required commands on the product instance:

Step 1: show ip interface brief

Displays a summary of the usability status of interfaces configured for various IP addresses.

Step 2: configure terminal

Enters the global configuration mode.

Step 3: (Required) interface interface-type-number

Configures an interface as the management interface and enters the interface configuration mode.

Step 4: vrf forwarding vrf-name

Associates a virtual routing and forwarding (VRF) instance or a virtual network with a layer 3 interface. Configure this command only if you are using VRF.

Step 5: (Required) ip address {ipv4-address subnet-mask | ipv6-address}

Defines the IP address for the interface or VRF. Configure an IPv4 address and subnet mask or IPv6 address.

Step 6: negotiation auto

Enables auto-negotiation operation for the speed and duplex parameters of an interface.

Step 7: exit

Exits the interface configuration mode and enters the global configuration mode.

Step 8: (Required) ip route ip-address ip-mask subnet mask

Configures a route and gateway on the product instance. You can configure either a static route or a dynamic route.

Step 8: exit

Exits the global configuration mode and enters privileged EXEC mode.

Step 9: copy running-config startup-config

Saves changes to the configuration file.

Enabling an HTTP Server with an Authentication Method

This task uses the username command to establish an authentication method. You can use other authentication methods such as TACACS, an encrypted password, etc.
Steps marked as "(Required)" are required for all product instances, all other steps may be required or optional, depending on the kind of product instance and network requirements.

Beginning in privileged EXEC mode, configure the required commands on the the product instance:

Step 1: configure terminal

Enters the global configuration mode.

Step 2: username name privilege level password password

Establishes a username-based authentication system. This enables your Smart Licensing application to use the product instance native REST.

The privilege keyword sets the privilege level for the user. Enter 15 as the privilege level for the user.

The password allows access to the name argument. A password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.

Step 3: (Required) ip http server or ip http secure-server

The ip http server command enables the HTTP server on your IP or IPv6 system, including a Cisco web browser user interface. The HTTP server uses the standard port 80, by default.

The ip http secure-server command enables a secure HTTP (HTTPS) server. The HTTPS server uses the Secure Sockets Layer (SSL) version 3.0 protocol.

Step 4: (Required) ip http authentication local

Specifies a particular authentication method for HTTP server users.
The local keyword means that the login user name, password and privilege level access combination specified in the local system configuration (by the username global configuration command) should be used for authentication and authorization.

Step 5: end

Exits the global configuration mode and enters privileged EXEC mode.

Step 6: copy running-config startup-config

Saves changes to the configuration file.

Verifying Product Instance Configuration

This section provides sample product instance configuration - for your reference, and ways to verify configuration to ensure connectivity.

Sample output for management interface and IP route configuration, on a Catalyst 9300 Switch:

Code Snippet
Code Snippet - 1
Copy    Device# show run | inc ip route
    ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 192.0.2.1
Copy    Device# show run interface gigabitEthernet 0/0
    Building configuration...

    Current configuration : 120 bytes
    !
    interface GigabitEthernet0/0
     vrf forwarding Mgmt-vrf
     ip address 192.0.2.1 255.255.255.0
     negotiation auto
    end

Sample output where an HTTP server is enabled and an authentication method is configured, on a Catalyst 9300 Switch:

Code Snippet
Code Snippet - 1
Copy    Device# show run | i username
    username cisco privilege 15 password 0 cisco
    Device#
Copy    Device# show run | i http
    ip http server
    ip http authentication local
    ip http secure-server
          destination transport-method http

To verify HTTP connectivity, enter the show ip http server session-module command in privileged EXEC mode. Check that SL_HTTP is active.

Code Snippet
Copy    Switch#show ip http server session-module 

    HTTP server application session modules:
    Session module Name  Handle Status   Secure-status   Description
    HTTP_IFS              1      Active   Active         HTTP based IOS File Server              
    SL_HTTP               2      Active   Active         HTTP REST IOS-XE Smart License Server   
    OPENRESTY_PKI         3      Active   Active         IOS OpenResty PKI Server                
    NBAR2                 4      Active   Active         NBAR2 HTTP(S) Server                    
    HOME_PAGE             5      Active   Active         IOS Homepage Server                     
    BANNER_PAGE           6      Active   Active         HTTP Banner Page Server                 
    WEB_EXEC              7      Active   Active         HTTP based IOS EXEC Server              
    GSI7F2B924F17E8-lic   8      Active   Active         license agent app                       
    GSI7F2B99D93110-web   9      Active   Active         wsma infra                              
    GSI7F2B99B41D40-web   10     Active   Active         wsma infra                              
    NG_WEBUI              11     Active   Active         Web GUI

To verify that the product instance is reachable, ping the product instance from the device where your Smart Licensing application is installed. A successful ping confirms that the product instance is reachable.

To ensure that the REST APIs from your Smart Licensing application to the product instance work as expected, from a Web browser on the device where your application is installed, verify https://<product-instance-ip>/.

Next