Manage HSEC Licenses

Feature History

Feature Name: Manage HSEC Licenses

Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.9.2a, Cisco vManage Release 20.9.2

Description: This feature enables you to install high security (HSEC) licenses on devices managed by Cisco SD-WAN Manager. An HSEC license is required to enable devices to support encrypted traffic throughput of 250 Mbps or higher.

Information About Managing HSEC Licenses

Devices that use Smart Licensing Using Policy, and that must support an encrypted traffic throughput of 250 Mbps or greater, require an HSEC license. This is a requirement of US export control regulation.

You can use Cisco SD-WAN Manager to install HSEC licenses. Cisco SD-WAN Manager contacts Cisco Smart Software Manager (SSM), which provides a smart license authorization code (SLAC) to load onto a device. Loading the SLAC on a device enables an HSEC license.

Cisco SD-WAN Manager Requests HSEC Licenses for Devices

Use the following workflow:

  1. Synchronize license information between Cisco Smart Software Manager (SSM) and Cisco SD-WAN Manager for all HSEC-compatible devices.

    See Synchronize HSEC Licenses, Online Mode and Synchronize HSEC Licenses, Offline Mode.

  2. Install the HSEC licenses on the desired devices.

    See Install HSEC Licenses.

Benefits of Managing HSEC Licenses

By addressing numerous license-related tasks, including the installation of HSEC and other licenses, Cisco SD-WAN Manager consolidates the workflow for license management. Installing HSEC licenses using Cisco SD-WAN Manager makes it unnecessary to install HSEC licenses individually by CLI.

For information about managing Smart Licensing Using Policy for devices in the network, see Manage Licenses for Smart Licensing Using Policy.

Supported Devices for Managing HSEC Licenses

HSEC-compatible Cisco IOS XE Catalyst SD-WAN devices

Prerequisites for Managing HSEC Licenses

  • Cisco SSM account with the required licenses.

  • HSEC-compatible devices available in the Cisco SD-WAN Manager device list.

  • Synchronizing license information between Cisco SSM and Cisco SD-WAN Manager requires one of the following:

    • Online method: Internet access for Cisco SD-WAN Manager.

      Cisco SD-WAN Manager must be able to connect to Cisco SSM.

    • Offline method: Access to your Cisco SSM account through an internet-connected web browser.

Restrictions for Managing HSEC Licenses

Restriction

Description

Installing HSEC licenses using Cisco SD-WAN Manager

Cisco SD-WAN Manager does not query devices to determine whether they have an HSEC license installed. If you install an HSEC license on a device without using Cisco SD-WAN Manager, then Cisco SD-WAN Manager does not account for that license, and continues to list the device as eligible for an HSEC license. If you use Cisco SD-WAN Manager to install the same HSEC license that has already been installed outside of Cisco SD-WAN Manager, there is no change to the license. If you use Cisco SD-WAN Manager to install a different HSEC license on the device, the device will have two HSEC licenses installed.

You can use the show license authorization command on a device to check whether the device has an HSEC license installed.

Uninstalling an HSEC license

Cisco SD-WAN Manager does not support uninstalling an HSEC license from a device. If you need to do this to release the license for use elsewhere, contact Cisco TAC for assistance. If you uninstall the HSEC license from a device with assistance from TAC, Cisco SD-WAN Manager will not be able to correctly report the HSEC license status for the device.

Generic HSEC entitlement tag

The introduction of Cisco Digital Network Architecture (Cisco DNA) licensing changed how entitlement tags work for HSEC licenses. Instead of tagging licenses according to a router model (for example, ISR_4331_Hsec), HSEC licenses are generic, tagged as DNA_HSEC.

Note: This change does not apply to the Cisco Catalyst 8000V.

For devices using Cisco IOS XE Release 17.6.1a or later, use an HSEC license with a generic DNA_HSEC entitlement tag rather than a license tagged according to the router model. However, if you have an HSEC license tagged according to a specific router model, you can use one of the following workarounds to use the license with Cisco IOS XE Release 17.6.1a or later or to convert the license:

  • Option 1: Install a smart license authorization code (SLAC) for a device-specific HSEC license in offline mode. To do this, use the procedures described in the following sections of Smart Licensing Using Policy for Cisco Enterprise Routing Platforms:

    Generating and Downloading SLAC from CSSM to a File

    Installing a File on the Product Instance

  • Option 2: Convert a device-specific HSEC license to a DNA_HSEC license, as follows:

    1. Order a DNA-HSEC-UPGD= license, at no charge, from the Cisco Commerce Workspace.

    2. Convert the device-specific HSEC license to a DNA_HSEC license, using the Converting a Device-Specific HSECK9 License procedure described in Smart Licensing Using Policy for Cisco Enterprise Routing Platforms.

    3. Install a SLAC on the device to enable you to use the DNA_HSEC license.

  • Option 3: Downgrade the device to a release earlier than Cisco IOS XE Release 17.6.1a, install the HSEC license, then upgrade the Cisco IOS XE software to a later release. The router continues to use the installed HSEC license.

Synchronize HSEC Licenses, Online Mode

Information about synchronizing HSEC licenses in the online mode.

Before You Begin

  • This procedure requires Cisco SD-WAN Manager to have internet access. If Cisco SD-WAN Manager does not have internet access, such as for security reasons, use the Synchronize HSEC Licenses, Offline Mode procedure.

  • This procedure requires entering credentials for your Cisco Smart Account.

Synchronize HSEC Licenses, Online Mode

  1. From the Cisco SD-WAN Manager menu, choose Workflows > Workflow Library.

  2. Click the Sync and Install HSEC Devices workflow.

  3. Click Sync Licenses and then click Next.

  4. Click Online and then click Next.

  5. Enter the credentials for your Cisco SSM account and then click Next.

  6. On the HSEC Device Activation Overview page, click Next.

  7. On the Select Virtual Account page, choose a virtual account from the drop-down list. The list is populated by the Cisco SSM account that you logged into in a previous step.

  8. On the Select HSEC-Compatible Devices page, select the devices on which you want to install an HSEC license and then click Summary.

    Note: If an HSEC-compatible device already has an HSEC license installed by Cisco SD-WAN Manager, then the device is not selectable.

  9. Review the summary and then click Assign to begin the synchronization. Cisco SD-WAN Manager loads the requested licenses from Cisco SSM and assigns them to the devices.

  10. The process of loading and assigning licenses may take several minutes. You can monitor the progress by viewing the Cisco SD-WAN Manager task list.

  11. After the HSEC licenses have been loaded and assigned, to install them, use the Install HSEC Licenses procedure.

Synchronize HSEC Licenses, Offline Mode

Before You Begin

  • If Cisco SD-WAN Manager has internet access, we recommend using the Synchronize HSEC Licenses, Online Mode procedure.

  • Use this procedure if Cisco SD-WAN Manager does not have internet access, such as for security reasons.

  • This procedure requires entering credentials for your Cisco SSM Account.

Synchronize HSEC Licenses, Offline Mode

  1. From the Cisco SD-WAN Manager menu, choose Workflows > Workflow Library.

  2. Click the Sync and Install HSEC Licenses workflow.

  3. Click Sync Licenses and then click Next.

  4. Click Offline and then click Next.

  5. On the HSEC Device Activation Overview page, click Next.

  6. Click Download Process and then click Next.

  7. On the Offline Mode - Sync Licenses Task page, select the devices on which to install an HSEC license.

  8. Click Next.

  9. Click Download HSEC Device File.

  10. On the summary page, click Download to download a file to a local location.

    The file contains the list of devices that require an HSEC license.

  11. Click Done.

  12. Click Cisco Smart Software Manager to open Cisco SSM.

  13. Log in to Cisco SSM and complete the following two steps:

    Note: The details of procedures in the Cisco SSM portal are outside the scope of this documentation and subject to change.

    1. Upload the file that you downloaded from Cisco SD-WAN Manager. The procedure is identical to uploading a usage report file, as described in License Management Offline Mode.

    2. Download the Acknowledgement file.

      This file contains the HSEC licenses required for the devices that you selected.

  14. From the Cisco SD-WAN Manager menu, choose Workflows > Workflow Library.

  15. Click the Sync and Install HSEC Devices workflow.

  16. Click Sync Licenses and then click Next.

  17. Click Offline and then click Next.

  18. On the HSEC Device Activation Overview page, click Next.

  19. Click Upload Process and then click Next.

  20. On the Upload Smart License Authorization Code File page, upload the acknowledgement file that you downloaded from Cisco SSM.

  21. Click Summary.

    The process of loading and assigning licenses may take several minutes. You can monitor the progress by viewing the Cisco SD-WAN Manager task list.

After the HSEC licenses have been loaded and assigned, to install them, use the Install HSEC Licenses procedure.

Install HSEC Licenses

  1. From the Cisco SD-WAN Manager menu, choose Workflows > Workflow Library.

  2. Click the Sync and Install HSEC Licenses workflow.

  3. Click Install Devices.

  4. Select the desired devices on which to install an HSEC license.

  5. Click Install to install the licenses.

    You can monitor the progress by viewing the Cisco SD-WAN Manager task list.

  6. Reboot the Cisco IOS XE Catalyst SD-WAN device to complete the installation process.

For more information on HSEC licenses, see HSEC License FAQs.

Verify HSEC License Installation

  1. From the Cisco SD-WAN Manager menu, choose Administration > License Management.

  2. Above the table, click Device. The HSEC license information appears in two columns.

    • HSEC Compatible: Yes or No indicates HSEC compatibility.

    • HSEC Status:

      • scheduled: An HSEC license is pending installation on the device.

      • success: An HSEC license is installed on the device.
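
Because Cisco SD-WAN Manager does not query devices for installed HSEC licenses, the HSEC Status column can disagree with what a device actually holds. The following added example (not Cisco code) compares a Manager status value with captured show license authorization output. The sample output and its layout, and the function and finding names, are assumptions made for illustration.

```python
import re

# Constructed samples; the layout of `show license authorization` output is an
# assumption here and should be checked against output from your own devices.
ONE_LICENSE = """\
Overall status:
  Active: PID:EXAMPLE-PID,SN:EXAMPLE0001
      Status: SMART AUTHORIZATION INSTALLED on Jan 01 00:00:00 2024 UTC

Authorizations:
  Router US Export Lic. for DNA (DNA_HSEC):
    Total available count: 1
    Enforcement type: EXPORT RESTRICTED
"""
TWO_LICENSES = ONE_LICENSE + """\
  ISR 4331 Hsec license (ISR_4331_Hsec):
    Total available count: 1
    Enforcement type: EXPORT RESTRICTED
"""
NO_LICENSE = """\
Overall status:
  Active: PID:EXAMPLE-PID,SN:EXAMPLE0002
      Status: NOT INSTALLED
"""

# An authorization heading ends with "(<entitlement tag>):"; keep HSEC tags only.
TAG_RE = re.compile(r"^\s+\S.*\((\w*hsec\w*)\):\s*$", re.IGNORECASE | re.MULTILINE)

def hsec_tags(cli_output):
    """Return the HSEC entitlement tags listed in the device output."""
    return TAG_RE.findall(cli_output)

def reconcile(manager_status, cli_output):
    """Compare the Manager HSEC Status value with what the device reports.

    manager_status: "success", "scheduled", or None when the column is empty.
    """
    tags = hsec_tags(cli_output)
    if len(tags) > 1:
        return "duplicate-licenses"         # a different license was added on top
    if tags and manager_status != "success":
        return "installed-outside-manager"  # Manager still lists the device as eligible
    if not tags and manager_status == "success":
        return "missing-on-device"          # e.g. uninstalled with TAC assistance
    if not tags and manager_status == "scheduled":
        return "pending-install"
    return "consistent"
```

Any finding other than consistent or pending-install marks a device whose license state needs to be checked by hand before another HSEC license is assigned to it.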