
Cisco Smart Licensing: Disabling Smart Agents for Enhanced Control

Written by Eric Sommers | 11.19.2024

Cisco’s Smart Licensing has sparked ongoing debate—impacting how businesses manage hardware, software, and licensing policies. As Cisco shifts gears, users are left navigating a complex landscape of compliance, entitlement, and transferability. What does this mean for your network, your costs, and even your data security?

In this post, we’ll break down the key changes, examine their real-world implications, and provide actionable insights to help you stay ahead of the curve.

Cisco's Smart Licensing Reversion

Cisco's Smart Licensing has gone back to its pre-Smart Licensing state. This seems like another attempt to separate Cisco’s hardware from its software. Right now, they’re verifying the entitlement to use the software.

Think about it: Can a Cisco switch work without IOS? Nope. Without a way to configure the hardware, it’s pretty much useless. This shows that software essential for a device to function should always be transferable.

Supreme Court Justice Stevens once said, "The whole point of the first sale doctrine is that once the copyright owner places a copyrighted item in the stream of commerce by selling it, he has exhausted his exclusive statutory right to control its distribution."

Cisco argues that the first sale doctrine doesn’t apply because of Vernor v. Autodesk. But let’s think about this: Is the software on a Cisco switch more like the software in a kitchen appliance or more like Microsoft Office, which needs a license activation key before installation? A microwave does nothing without software to run it. Boxed software is different. For example, we can’t just drop a copy of Cisco’s IOS on another OEM’s box and expect it to work. The two bundled together are the product, and we can buy different bundles based on the features we need.

Smart Licensing and the Smart Licensing Using Policy (SLP) were introduced primarily to benefit Cisco's shareholders. Since Chuck Robbins became CEO in 2015, he has focused on transitioning Cisco from a hardware-centric to a software-centric company, aiming to increase the company's valuation significantly. Under his leadership, initiatives such as DNA, Cisco Prime, and Cisco ONE have been launched. However, implementing smart licensing has led to considerable time and financial costs for all parties involved.

What Was Smart Licensing?

According to Cisco, Smart Licensing was “reinventing licensing” and “transforming how we think about Cisco.” If you add it all up, Cisco’s goal was to “reinvent and transform how we think about Cisco licensing.” Do you need any reinventing or transformations around their licensing? What if we just left it as a perpetual license because, without the software, the device isn’t functional?

Beginning with IOS XE version 16.9, all hardware was suddenly required to “phone home” or check in with a Cisco cloud license validation/entitlement system known as Cisco Smart Software Manager or CSSM. If entitlement wasn’t validated, the new version of software would eventually disable the device. 

The market's agreement with Smart Licensing likely went unnoticed by many legal departments of Cisco’s customers. According to their Terms of Use V5, Smart Licensing collected and stored extensive software license usage information, including product ID numbers, serial numbers, unique virtual device identifiers, equipment models, license and hardware versions, host names, IP addresses, system contacts, installed memory, installed flash, boot versions, chassis series, MAC addresses, slot IDs, card types, and card families.
 
At the bottom of the Terms of Use, it states that Cisco, being a global company, may need to transfer personal information both within and outside of the United States under their Privacy Statement. By using Smart Licensing, users consented to the transfer, processing, and storage of such information outside their country of residence, where data protection standards may differ. This raises concerns about which countries are involved and the global differences in data protection laws.

Smart Licensing Using Policy (SLP)

The Smart Licensing Using Policy (SLP) is in effect starting with IOS XE 17.3.2. At 17.3.2, we’re back to what it was like before 16.9 with a new “requirement” to report license usage to the Smart Account at some point. The “requirement” is more of a suggestion here.

What’s New with SLP Compared to Smart Licensing?

Understanding the critical differences between the Smart Licensing Using Policy (SLP) and the previous Smart Licensing system is essential for adapting to the latest requirements and benefits.

  • Products will no longer boot into evaluation mode.
  • Per-product software registration is not required.
  • Phone Home with Cisco Cloud is no longer required.

Which Platforms/Images are Subject to SLP?

It's important to know which platforms and images are affected by the Smart Licensing Using Policy (SLP) to ensure proper compliance and management.

  • All IOS-XE 17.3.2 / 17.4.1 and later releases
  • Catalyst 9000 series switches
  • ASR1K, ISR1K, ISR4K
  • Virtual routers beginning with 17.4.1
  • Catalyst 9800 series wireless controllers and APs
  • IR 1101
  • IE 3200, 3300, and 3400 series industrial ethernet switches
  • Catalyst 8200, 8300, and 8400

How Often is Reporting Required?

Understanding the frequency and conditions under which reporting is required is essential for maintaining compliance with Cisco's licensing policies. Cisco’s Smart Licensing framework also distinguishes between enforcement types and export statuses, which define specific reporting requirements. 

Perpetual Licenses

For perpetual licenses, reporting is required within 90 days if software use changes. If there is no change, no report is ever needed. This ensures that software usage is accurately tracked without imposing unnecessary reporting burdens on users.

Subscription Licenses

For subscription licenses, reporting is mandatory within 90 days of any change in software use. The licensing framework now includes three defining components: License Type, Enforcement Type, and Export Status. These components determine the reporting requirements and time frames, ensuring compliance and proper license management.

License Type

Perpetual licenses are the traditional model, where a one-time purchase grants ongoing use. On the other hand, subscription licenses require periodic renewal and incur additional recurring costs. This model aligns with the shift towards software-as-a-service (SaaS) and provides flexibility in licensing options.

Enforcement Type

Licenses can be categorized as Not Enforced or Enforced. Not Enforced licenses do not require authorization or registration before use, offering ease of deployment. Enforced licenses, however, require approval, and an authorization code must be installed on the target device to enable the specified features. This ensures controlled access and compliance.

Export Status

  • Restricted features are subject to U.S. trade control laws and require authorization before use, with a code needed to access these features (e.g., HSECK9).
  • Not Restricted features are not subject to these trade controls, allowing for broader and simpler deployment. This classification helps manage compliance with international trade regulations.

For the most part, this is a win for the market. However, Smart Accounts aren’t obsolete yet, but I suspect they will be, as reporting and the time required to manage this effort don’t add much, if any, value to the end user.

The required information to “reconcile” is:

  • Hardware serial numbers
  • Software unique ID serial numbers
  • Software product package and entitlement tag
  • Software use count per license
  • Time and date stamp

The show license all command (abbreviated sho lic all) provides a comprehensive Smart Licensing status under SLP. Its output details the License Type, Enforcement Type, and Export Status for all installed software, alongside tables summarizing policy requirements and usage reporting time frames.

Why is the Use of Smart Accounts Not Obsolete if We’re Not Required to Use Them?

The system's internal timer reports daily errors in the run log related to Call Home and reporting, and currently, there is no way to permanently disable this feature. Here are key points to consider:

  • Temporary Solutions: Commands like no service call-home and no call-home can temporarily disable the services and error messages. However, the Smart Agent automatically re-enables them upon reboot. Similarly, the license smart transport off command is ineffective long-term.
  • Recommended Solution: The most effective approach observed so far is using an EEM script that runs upon boot to disable the Smart Agent:
    ! Runs whenever the system restart syslog message (SYS-5-RESTART) is logged.
    event manager applet disable-call-home-on-boot
    event syslog pattern "SYS-5-RESTART"
    ! The applet's CLI session starts in user EXEC mode, so enter privileged EXEC first.
    action 1.0 cli command "enable"
    action 2.0 cli command "configure terminal"
    action 3.0 cli command "no call-home"
    action 4.0 cli command "no service call-home"
    action 5.0 cli command "end"
    action 6.0 syslog msg "Call-home service has been disabled after reboot."
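
The following Python audit is an added example, not part of the original post or any Cisco tooling. It checks a saved running-config for the applet above: that it is triggered by SYS-5-RESTART and that its commands run in the right order, given that EEM executes actions in alphanumeric order of their labels. The sample configs are constructed, and the "enable" step in the expected sequence is an assumption.

```python
import re
# "enable" is an assumption added here (EEM CLI sessions start in user EXEC).
REQUIRED = ["enable", "configure terminal", "no call-home",
            "no service call-home", "end"]
ACTION_RE = re.compile(r'^action (\S+) cli command "(.*)"$')

def parse_applets(config_text):
    """Return {applet_name: {"events": [...], "actions": {label: command}}}."""
    applets, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw.startswith("event manager applet "):
            current = applets.setdefault(line.split()[3], {"events": [], "actions": {}})
        elif current is not None and raw.startswith(" "):
            match = ACTION_RE.match(line)
            if match:
                current["actions"][match.group(1)] = match.group(2)
            elif line.startswith("event "):
                current["events"].append(line)
        else:
            current = None  # any unindented line ends the applet block
    return applets

def audit_applet(applet):
    """Return a list of findings; an empty list means the applet is sound."""
    findings = []
    if not any('syslog pattern "SYS-5-RESTART"' in e for e in applet["events"]):
        findings.append("not triggered by SYS-5-RESTART")
    # EEM runs actions in ascending alphanumeric order of their labels, so
    # "10.0" runs before "8.0"; a plain string sort models that here.
    run_order = [applet["actions"][k] for k in sorted(applet["actions"])]
    pos = 0
    for cmd in run_order:
        if pos < len(REQUIRED) and cmd == REQUIRED[pos]:
            pos += 1
    if pos < len(REQUIRED):
        findings.append(f'"{REQUIRED[pos]}" missing or out of order')
    return findings

def build_config(labels):
    """Constructed sample running-config text, not captured from a device."""
    lines = ["event manager applet disable-call-home-on-boot",
             ' event syslog pattern "SYS-5-RESTART"']
    lines += [f' action {label} cli command "{cmd}"'
              for label, cmd in zip(labels, REQUIRED)]
    return "\n".join(lines + ["!"]) + "\n"

GOOD = build_config(["1.0", "2.0", "3.0", "4.0", "5.0"])
BAD = build_config(["8.0", "9.0", "10.0", "11.0", "12.0"])  # 10.0 runs first
```

In the BAD sample, the three commands labelled 10.0 to 12.0 run before "enable" and "configure terminal", so the applet fires on every reboot without ever changing the call-home configuration.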

Recent updates also highlight critical vulnerabilities in the Cisco Smart Licensing Utility, specifically:

  • CVE-2024-20439 and CVE-2024-20440: These vulnerabilities could allow an unauthenticated, remote attacker to:
    • Collect sensitive information.
    • Administer Cisco Smart Licensing Utility services on a system while the software runs.

Action Required: Cisco has released software updates to address these vulnerabilities. It is crucial for users to:

  1. Identify affected versions.
  2. Migrate to a fixed release as outlined in the table below.

Disabling Smart Agents

If you discover an alternative method to disable Smart Agents, we’d love to hear from you! We’re committed to keeping this blog updated with the latest and most effective solutions.

Cisco’s Smart Licensing has reverted to a pre-Smart Licensing state, reigniting discussions about the balance between hardware and software integration. Central to this conversation are the implications of the first sale doctrine and the critical role IOS plays in Cisco switches.

While Smart Licensing and the Smart Licensing Using Policy (SLP) were designed to streamline operations, they’ve introduced complexities, from increased costs to concerns over data protection and system vulnerabilities. Addressing these challenges requires a proactive approach to ensure compliance, security, and efficiency.

Ready to optimize your network management? Contact Edgeium today to learn how we can help you navigate Cisco’s Smart Licensing policies and improve your organization’s network efficiency.