On 24/02/2021 13:28, Dave Bell wrote:

Thanks.  I was afraid of that.

Based on:
https://community.cisco.com/t5/routing/c5921-smart-licensing-fail-to-send-out-call-home-http-message/td-p/3860001

It appears to be using http (not https?) to connect to:
http://tools.cisco.com/its/service/oddce/services/DDCEService

Seriously?!  No https?

And is it only gonna connect to 173.37.145.8 or will other IPs try to connect? So should I create some ACL to *only* allow 173.37.145.8:80 to protect my routers?

What have others done?

-Hank

I believe it's required that it must stay there.

You can run an on-prem version of the manager which your routers can call in to. This will then call into Cisco for you.

https://www.cisco.com/c/en/us/buy/smart-accounts/software-manager.html

It's all a massive pain. We have kit that randomly stops calling in, and generates angry messages in dashboards.

The sneaky alternative is that it's all honour based anyway (at least for the range we are using). Just let it sit in eval mode and move on with your life.

Regards,
Dave

On Wed, 24 Feb 2021 at 11:22, Hank Nussbacher wrote:

    So we bought a bunch of ASR1009x along with IOS-XE and are encountering
    the joy of Smart licensing.

    Once we have our license established, do we need to leave the
    "call-home" section?

    To me it screams "security violation" and something I'd like to
    permanently disable after getting the license activated.

    Or does Cisco like to have their routers constantly ping the mothership
    in regards to the licensing?


    Regards,

    Hank

    _______________________________________________
    cisco-nsp mailing list
    https://puck.nether.net/mailman/listinfo/cisco-nsp
    archive at http://puck.nether.net/pipermail/cisco-nsp/

