Cisco Licensing Architecture – Cisco Licensing and Registration
Cisco Licensing Architecture
The Cisco Secure Firewall supports both smart licensing and classic licensing models. A smart license provides a pool of software licenses that you can apply to any applicable devices throughout your company. Unlike a traditional classic license, a smart license enables you to register a device without its product activation key (PAK). Moreover, it enables you to enable a security feature immediately while its purchase order is still in progress; thus, you can avoid any initial delays due to logistics and approval. Classic license is used to enable security features in the legacy firewall devices.
Table 3-2 describes the key differences between the two licensing models: the classic license and smart license.
Table 3-2 Comparisons Between Classic License and Smart License
Classic License | Smart License | |
Supervision | Provides a limited view. You are unable to view all of the licenses that are owned and used by your company. | Provides a complete view. You can view the usages of all of your licenses and devices from a single portal in real time. |
Scope | Device-specific licensing. Licenses are specific to only one device. | Company-specific licensing. You can apply licenses across any applicable devices in your company. |
Activation | A PAK is required to unlock and register a device. | A PAK is not required to complete registration. |
After you purchase the Secure Firewall solution, Cisco assigns your smart licenses and entitlement to a smart account that is created exclusively for your organization. You can manage the smart licenses of your company using the Cisco Smart Software Manager (SSM)—a cloud-based web application at cisco.com. With administrative privileges, you can create additional virtual accounts within your company’s master account and organize the licenses based on the departments or locations. When necessary, you can also transfer licenses and entitlements between the virtual accounts.
Figure 3-1 shows the web interface of the Cisco SSM cloud application where you can generate a new token for your Cisco Secure Firewall products. By entering this token into your management center, you can connect your management center with the Cisco SSM cloud.
Figure 3-1 Cisco Smart Software Manager (SSM) at Cisco.com
Depending on a company’s security posture and policy, Cisco offers different architectures to enable smart licenses. They are
- Direct cloud access
- On-premises server
- Offline access
Direct Cloud Access
In the direct cloud access architecture, the Secure Firewall managers—management center and device manager—obtain smart licenses from the Cisco Smart Licensing Cloud. They can connect to the cloud directly over the Internet or via a proxy server. The manager applications use a process called Smart Agent, which communicates with the Cisco Smart Licensing Cloud and registers the manager with it. After a successful registration, the Cisco cloud issues an ID certificate. The Smart Agent process uses this certificate to communicate with the Cisco cloud from time to time and to track the status of entitlements.
Figure 3-2 shows the communication between the Smart Agent of a management center and the Cisco Smart Licensing Cloud. When they are connected over the Internet, you can add, remove, and transfer your company’s smart licenses using the Cisco SSM cloud application.
Figure 3-2 Connections Between a Management Center and the Cisco Smart Licensing Cloud