IOS Licensing

Ever since Cisco created IOS, they shipped it as a single image file. This made installation very easy as you just download an image, copy it to your router or switch and configure your device to boot using the new image. When you want a newer version you’ll have to download a new IOS image…there are no patches or bugfixes.

Ever since Cisco was founded there has been an IOS image for each model, but there’s a different IOS image for the different versions of each model.

For example, the Cisco 1800 series integrated services router has the following models:

  • 1801,1802,1803 and 1805.
  • 1811 and 1812.
  • 1841
  • 1861 and 1861E

You might think that there is one IOS image just for the “1800 series” but this is not the case. There are 4 different IOS image. The 1801, 1802, 1803 and 1805 share a IOS image, so do the 1811 and 1812. For the 1841 there’s a separate IOS image and the 1861 and 1861E also share an IOS image.

To make things worse, there are also different IOS images for the different feature sets. Depening on the features you require you have to pay for a certain IOS image. For example if you want to run a VPN you might require the “security features” or if you want to use your router for voice over IP you might need the “voice features”.

Here’s what it looks like:

Cisco IOS Images Options

This is an example of the different IOS images for one router model, let’s say the 1861. You can get the IP base image which has some basic features. If you want voice features then you can buy the IOS image with just the voice feature set or one of the images on the right side that also has other feature sets. Of course, the more feature sets the more expensive the IOS image will be…

This is how Cisco ended up with many different IOS images. Different models, feature sets and versions.

Nowadays Cisco ships a universal image that has all feature sets included. We still have different IOS images depending on the model and version, but nu longer different IOS images with feature sets. Instead of all these different IOS images there’s just one:

Cisco IOS Universal Image

When you buy a Cisco device nowadays it will include an IOS image that has all feature sets but you will have to unlock them.

Previously it was possible to download just any IOS image from the Cisco website. Once you have a CCO account with download access you could download whatever you want. The problem was that many Cisco customers would just buy a router with the IP base IOS image and download the most advanced IOS image for it. There was no check to see if you had permission to run the IOS image that you downloaded.

Since the introduction of the 1900, 2900 and 3900 routers Cisco introduced the universal IOS image. These newer routers called Integrated Services Routers Generation 2 (ISR G2) use these newer IOS images.

When you buy any of these routers it will run the IP Base image by default and if you want extra features you can unlock them with a license key. The feature sets are now called technology packages:

  • IP Base
  • Data
  • Unified Communitications
  • Security

IP Base has the default IOS commands. Data supports features like MPLS, ATM and some others. Unified Communications has voice over IP features and security offers the IOS firewall, intrusion prevention system, IPSEC, etc.

If you buy a router with one of these technology packages then Cisco will activate them for you in the factory. Of course you can always buy and activate them later too.

The technology packages can be activated manually but for customers with large networks Cisco also released an application called CLM (Cisco License Manager). This free tool runs on Windows and Linux and communicates with the Cisco product license registration portal on the Internet to install license keys on your devices.

Let’s take a look how we can activate a license for one of the technology packages manually!

The routers that support the new licensing model have a unique device identifier (UDI). This number is a combination of the product ID (PID) and a serial number (SN). You can view this number on your router:

Router#show license udi
Device#   PID                   SN              UDI

-----------------------------------------------------------------------------

*0        CISCO2951             FHH1211P025     CISCO2951:FHH1212P052

The show license udi command gives us the PID, SN and UDI.

In order to proof that we paid for a license we need something called a PAK (Product Authorization Key). This PAK has a unique number and Cisco uses it to check what license you have bought.

This PAK will be connected to the UDI of the router to create a license key. This can be done by going to the Cisco Product License Registration Portal on the website where you enter the PAK and the UDI. Cisco will check if your PAK and UDI are valid and that you haven’t activated the PAK before for another router. If everything is OK, they will e-mail you the license key.

The next step will be to copy the license file to your router; you can use any method you like for this…TFTP, USB flash drive, etc. Once the license file is on your router you need to use the license install command to install it. Let’s see what licenses are active on this router:

Router#show license
Index 1 Feature: ipbasek9
  Period left: Life time
  License Type: Permanent
  License State: Active, In Use
  License Count: Non-Counted
  License Priority: Medium
Index 2 Feature: securityk9
  Period left: Not Activated
  Period Used: 0 minute 0 second
  License Type: EvalRightToUse
  License State: Not in Use, EULA not accepted
  License Count: Non-Counted
  License Priority: None
Index 3 Feature: uck9
  Period left: Not Activated
  Period Used: 0 minute 0 second
  License Type: EvalRightToUse
  License State: Not in Use, EULA not accepted
  License Count: Non-Counted
  License Priority: None
Index 4 Feature: datak9
  Period left: Not Activated
  Period Used: 0 minute 0 second
  License Type: EvalRightToUse
  License State: Not in Use, EULA not accepted
  License Count: Non-Counted
  License Priority: Medium
       [OUTPUT OMITTED]

First we’ll use the show license command to verify what licenses are enabled. This router only has the default IP base image and none of the technology packages are enabled right now.

Router#show license feature

Feature name             Enforcement  Evaluation  Subscription   Enabled

ipbasek9                 no           no          no             yes
securityk9               yes          yes         no             no
uc                       yes          yes         no             no
data                     yes          yes         no             no
gatekeeper               yes          yes         no             no
LI                       yes          no          no             no
SSL_VPN                  yes          yes         no             no
ios-ips-update           yes          yes         no             no
SNASw                    yes          yes         no             no

You can also use the show license feature command. This gives a better overview of the technology packages.

Show version will also show you license information:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 651 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

555 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Forum Replies

  1. Dear Adrian,

    I’d have to check it but I think this is because it is an evaluation license we are using.

    Rene

  2. Dear Rene,

    How Could I know if IOS support BFD or it need License . in what category BFD exist ?

  3. Roughly what cost are we looking at for a licence? What does an older IOS cost?

  4. Hi Maher,
    let me clarify some thing, because i faced this issue before an i opened a TAC case with cisco team.

    for examole (cme-srst license)–for voice enabled router-- it is (right to use ) and you can enable it on the router and the router will show you that it is evaluation license and will expire after 8 weeks but it will be continue and never expired even if the router is reloaded.

    for example (seck9 license), it is evaluation license and not Right to use. you can enable it on the router but it will expire after 8 weeks. so you must purchase a license for seck9 feature.

  5. Hello again Mahmoud

    What you describe for the voice and security licenses makes sense. Keep the following in mind:

    RTU or Right to Use licenses are licenses that use the “honour system” that is, they will always function even if their evaluation period has expired. This follows Cisco’s traditional IOS licensing scheme where the license is not tied down to a serial number or UDI (Unique Device Identifier). This is why even after a reboot, the feature continues to function.

    Evaluation licenses can be enabled, but they will expire after the evaluation period.

    ... Continue reading in our forum

9 more replies! Ask a question or join the discussion by visiting our Community Forum