Ever since Cisco created IOS, they shipped it as a single image file. This made installation very easy as you just download an image, copy it to your router or switch and configure your device to boot using the new image. When you want a newer version you’ll have to download a new IOS image…there are no patches or bugfixes.
Ever since Cisco was founded there has been an IOS image for each model, but there’s a different IOS image for the different versions of each model.
For example, the Cisco 1800 series integrated services router has the following models:
- 1801,1802,1803 and 1805.
- 1811 and 1812.
- 1841
- 1861 and 1861E
You might think that there is one IOS image just for the “1800 series” but this is not the case. There are 4 different IOS image. The 1801, 1802, 1803 and 1805 share a IOS image, so do the 1811 and 1812. For the 1841 there’s a separate IOS image and the 1861 and 1861E also share an IOS image.
To make things worse, there are also different IOS images for the different feature sets. Depening on the features you require you have to pay for a certain IOS image. For example if you want to run a VPN you might require the “security features” or if you want to use your router for voice over IP you might need the “voice features”.
Here’s what it looks like:
This is an example of the different IOS images for one router model, let’s say the 1861. You can get the IP base image which has some basic features. If you want voice features then you can buy the IOS image with just the voice feature set or one of the images on the right side that also has other feature sets. Of course, the more feature sets the more expensive the IOS image will be…
This is how Cisco ended up with many different IOS images. Different models, feature sets and versions.
Nowadays Cisco ships a universal image that has all feature sets included. We still have different IOS images depending on the model and version, but nu longer different IOS images with feature sets. Instead of all these different IOS images there’s just one:
When you buy a Cisco device nowadays it will include an IOS image that has all feature sets but you will have to unlock them.
Previously it was possible to download just any IOS image from the Cisco website. Once you have a CCO account with download access you could download whatever you want. The problem was that many Cisco customers would just buy a router with the IP base IOS image and download the most advanced IOS image for it. There was no check to see if you had permission to run the IOS image that you downloaded.
Since the introduction of the 1900, 2900 and 3900 routers Cisco introduced the universal IOS image. These newer routers called Integrated Services Routers Generation 2 (ISR G2) use these newer IOS images.
When you buy any of these routers it will run the IP Base image by default and if you want extra features you can unlock them with a license key. The feature sets are now called technology packages:
- IP Base
- Data
- Unified Communitications
- Security
IP Base has the default IOS commands. Data supports features like MPLS, ATM and some others. Unified Communications has voice over IP features and security offers the IOS firewall, intrusion prevention system, IPSEC, etc.
If you buy a router with one of these technology packages then Cisco will activate them for you in the factory. Of course you can always buy and activate them later too.
The technology packages can be activated manually but for customers with large networks Cisco also released an application called CLM (Cisco License Manager). This free tool runs on Windows and Linux and communicates with the Cisco product license registration portal on the Internet to install license keys on your devices.
Let’s take a look how we can activate a license for one of the technology packages manually!
The routers that support the new licensing model have a unique device identifier (UDI). This number is a combination of the product ID (PID) and a serial number (SN). You can view this number on your router:
Router#show license udi
Device# PID SN UDI
-----------------------------------------------------------------------------
*0 CISCO2951 FHH1211P025 CISCO2951:FHH1212P052
The show license udi command gives us the PID, SN and UDI.
In order to proof that we paid for a license we need something called a PAK (Product Authorization Key). This PAK has a unique number and Cisco uses it to check what license you have bought.
This PAK will be connected to the UDI of the router to create a license key. This can be done by going to the Cisco Product License Registration Portal on the website where you enter the PAK and the UDI. Cisco will check if your PAK and UDI are valid and that you haven’t activated the PAK before for another router. If everything is OK, they will e-mail you the license key.
The next step will be to copy the license file to your router; you can use any method you like for this…TFTP, USB flash drive, etc. Once the license file is on your router you need to use the license install command to install it. Let’s see what licenses are active on this router:
Router#show license
Index 1 Feature: ipbasek9
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 2 Feature: securityk9
Period left: Not Activated
Period Used: 0 minute 0 second
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
License Count: Non-Counted
License Priority: None
Index 3 Feature: uck9
Period left: Not Activated
Period Used: 0 minute 0 second
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
License Count: Non-Counted
License Priority: None
Index 4 Feature: datak9
Period left: Not Activated
Period Used: 0 minute 0 second
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
License Count: Non-Counted
License Priority: Medium
[OUTPUT OMITTED]First we’ll use the show license command to verify what licenses are enabled. This router only has the default IP base image and none of the technology packages are enabled right now.
Router#show license feature
Feature name Enforcement Evaluation Subscription Enabled
ipbasek9 no no no yes
securityk9 yes yes no no
uc yes yes no no
data yes yes no no
gatekeeper yes yes no no
LI yes no no no
SSL_VPN yes yes no no
ios-ips-update yes yes no no
SNASw yes yes no noYou can also use the show license feature command. This gives a better overview of the technology packages.
Show version will also show you license information:
Dear Rene, excellent explanation! Thanks a lot!
Can you please explain why, after activating security tech package and accepting EULA, the sh lic output of shows ‘License State: Not in Use, EULA not accepted’.? Why ‘not in use’? And why 'eula not accepted?
Thank you!
A.
Dear Adrian,
I’d have to check it but I think this is because it is an evaluation license we are using.
Rene
Dear Rene,
How Could I know if IOS support BFD or it need License . in what category BFD exist ?
Dear Abdelrahman,
Take a look at Cisco’s feature navigator. You can use it to find supported features/protocols on different models/IOS versions.
Rene
Hi Rene,
I have quite understand.
If I have older devices, for example 18xx series.
How I can find the best images for this devices. As you say, I can download it free. This one right or not?
But if I have devices 19xx, 29xx,39xx,… series, we have the universal sets in this image by default.
If I want to add more features sets, I have to buy and active it later. If I dont buy this features, I have evaluation period (60 days)for all features (ipbasek9, securityk9, uck9, gatekeeper,SSL_VPN,LI, IOS-IPS-UPDATE, SNASw ,hseck9, WAAS_Express )?
Thanks