What happens to my Cisco device when its license expires?

Liam Keegan
5 min readNov 22, 2024



It’s happened before. It’ll happen again. You log in and see the dreaded “out of compliance” message. What’s going to happen? In this article, we’re going to break down out-of-compliance licensing for Cisco products and tell you exactly what will happen.

But first, a quick note on SLP.

Smart Licensing by Policy (SLP): Your best friend.

When Cisco released the Catalyst 3650 and 3850 series switches in 2014, they introduced their Smart Licensing portal. Registering your switch with Smart Licensing became mandatory starting in IOS-XE 16.9.

It sucked because you had to register the boxes with the portal, and in environments where boxes are air-gapped, or management interfaces aren’t allowed to send traffic to the Internet, you had to deploy a local licensing proxy (Cisco Smart Software Manager On-Prem, formerly the satellite). You had to check entitlement BEFORE you brought the box into production, and that created a lot of customer friction (I think that’s the PC way of saying it…).

Cisco heard the feedback, and as of IOS-XE 17.3(2) or 17.4(1), they changed the licensing mechanism to Smart Licensing by Policy (SLP). With SLP, there is NO requirement to register your device to bring it into production. Furthermore, for the ordinary unenforced licenses (Network Essentials/Advantage, DNA and the like) there is no functionality restriction if the license expires; the only licenses that still gate a feature up front are the enforced and export-controlled ones, such as HSEC, which need an authorization code installed before the feature turns on. Operationally, SLP makes Cisco licensing work on the honor system.

I’m not going into all the details about SLP and the reporting requirements in this article, but there are resources that outline all the details.

In short, you want to make sure that your install base of devices is running an IOS-XE revision that is equal to or greater than 17.3(2) in the 17.3 train, or 17.4(1) and later in every newer train. Note that 17.3(1) is not enough; the change landed in the second 17.3 rebuild.

So, what happens when a license expires?

Cisco tells you EXACTLY what will happen if a device’s license expires. The matrix is published at this link (CCO login required, no special access needed) and is a living document that is continuously updated.

Cisco makes a lot of products, and this doc is rather large, so let me give you the summary of what you’re looking for.

Example 1: Cisco ISR 4300 (last generation)

To find out what happens when an ISR 4300 expires, scroll down until you find the Cisco 4000 Series ISRs.

You’ll see that the current licensing model is SLP (Smart Licensing by Policy), which is active as of 17.3(2).

If you move to the right, you’ll see the enforcement section.

If your ISR 4300 loses its licensing, it will function normally with three caveats.

  • On the 4300 platform, Cisco sold a Boost license (which removes the platform throughput limiter). Per this doc, if the Boost license is removed, the platform limiter will be enforced again.
  • Cisco controls encryption export compliance with an HSEC license: without it, encrypted throughput is capped at 250 Mbps. If your router is ordered and shipped to the US, you *should* have an HSEC license pre-loaded, but if you remove it, encrypted throughput will be limited.
  • You’ll get annoying syslog messages telling you that you’re out of compliance.

Example 2: Cisco Catalyst 8300 Router or 9300 Switch (basically, anything current generation)

For the newer hardware platforms, Cisco has relaxed virtually all enforcement mechanisms. If you’re out of compliance, it’ll nag you to get into compliance but not enforce any operational restrictions.

Overall, Cisco is (wisely) choosing to handle licensing compliance on its most popular products via out-of-band auditing rather than in-box enforcement.

Ok, what platforms do I need to keep an eye on that WILL enforce?

Here’s a list of popular product lines that will impact traffic and/or the management interface and a summary. This isn’t meant to be exhaustive. I’ve also linked to the product’s licensing guide on the bold header. Most pages require a basic CCO login.

  • Meraki. If you let your license expire, your devices turn into toasters. From the time your organization license expires, you have a 30-day grace period, then Meraki blocks all traffic except management.
  • Cisco Secure Firewalls. No major secret here: all security manufacturers require an active license to deliver their cloud-based threat services. If your license expires, you won’t be able to make changes to the platform for the feature that’s expired. For instance, if your Threat license expires, you won’t be able to update any rules that reference an IPS function.
  • ISE. If you’re running it in lab/eval mode, you must license it after 90 days; once eval expires, the menus go away. If you’ve already licensed it, it’ll keep running but show you an Out of Compliance message every time you log in.
  • ASAv. If your license expires while running a version prior to 9.14(1), throughput is limited to 100 Kbps after a reboot. On 9.14(1) and later, it doesn’t throttle. Update yo’ stuff!
  • Collaboration Products: Generally, if you’re running on-prem CUCM, CUC, CER, UCCX or UCCE, you’ll get a grace period of 90 days after you violate license compliance, then the platform will go into read-only mode. Call processing continues normally.
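Two of the thresholds in this article are pure version gates: IOS-XE devices need 17.3(2) or 17.4(1)+ to get SLP (no registration, no functional enforcement on expiry), and an ASAv needs 9.14(1)+ to avoid the 100 Kbps throttle after a reboot. The following script is an added example, not something from the author or from Cisco: it parses the version line from `show version` output for both families and flags anything below those thresholds. The `show version` line formats and the sample inventory are assumptions I constructed for illustration, not captured from real devices; the function names are hypothetical.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Thresholds taken from the article. Constant names are my own.
IOSXE_SLP_MIN_17_3 = (17, 3, 2)    # SLP in the 17.3 train starts at 17.3(2)
IOSXE_SLP_MIN = (17, 4, 1)         # and at 17.4(1) for every newer train
ASAV_NO_THROTTLE_MIN = (9, 14, 1)  # ASAv stops throttling unlicensed boxes here

# Assumed IOS-XE "show version" banner, e.g. "Cisco IOS XE Software, Version 17.03.02"
_IOSXE_RE = re.compile(r"Cisco IOS XE Software, Version (\d+)\.(\d+)\.(\d+)")
# Assumed ASA "show version" banner, e.g. "... Software Version 9.12(4)"
_ASA_RE = re.compile(r"Adaptive Security Appliance Software Version (\d+)\.(\d+)\((\d+)\)")


def parse_version(show_version: str) -> Optional[Tuple[str, Version]]:
    """Return ("iosxe" | "asa", (major, minor, patch)), or None if unrecognised."""
    m = _IOSXE_RE.search(show_version)
    if m:
        return "iosxe", tuple(int(x) for x in m.groups())
    m = _ASA_RE.search(show_version)
    if m:
        return "asa", tuple(int(x) for x in m.groups())
    return None


def iosxe_supports_slp(v: Version) -> bool:
    """True when the release is SLP: 17.3(2)+ in the 17.3 train, else 17.4(1)+."""
    if v[:2] == (17, 3):
        return v >= IOSXE_SLP_MIN_17_3   # 17.3(1) is NOT SLP; 17.3(2) and later are
    return v >= IOSXE_SLP_MIN


def asav_throttles_when_unlicensed(v: Version) -> bool:
    """Pre-9.14(1) ASAv drops to 100 Kbps after a reboot once the license lapses."""
    return v < ASAV_NO_THROTTLE_MIN


def audit(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (hostname, finding) for each device that needs attention."""
    findings: List[Tuple[str, str]] = []
    for host, output in inventory.items():
        parsed = parse_version(output)
        if parsed is None:
            findings.append((host, "unrecognised 'show version' output; check manually"))
            continue
        family, v = parsed
        vtext = ".".join(map(str, v))
        if family == "iosxe" and not iosxe_supports_slp(v):
            findings.append((host, f"IOS-XE {vtext} predates SLP; upgrade to 17.3(2)/17.4(1)+"))
        elif family == "asa" and asav_throttles_when_unlicensed(v):
            findings.append((host, f"ASA {vtext} throttles to 100 Kbps on lapse; upgrade to 9.14(1)+"))
    return findings


# Constructed sample output (hostnames and banners are made up, not real captures).
SAMPLE_INVENTORY = {
    "isr4331-branch": "Cisco IOS XE Software, Version 17.03.01\nCisco IOS Software [Amsterdam] ...",
    "isr4451-dc": "Cisco IOS XE Software, Version 17.03.02\nCisco IOS Software [Amsterdam] ...",
    "c9300-access": "Cisco IOS XE Software, Version 16.12.04\nCisco IOS Software [Gibraltar] ...",
    "c8300-edge": "Cisco IOS XE Software, Version 17.09.04a\nCisco IOS Software [Cupertino] ...",
    "asav-lab": "Cisco Adaptive Security Appliance Software Version 9.12(4)\nDevice Manager Version 7.12(1)",
    "asav-prod": "Cisco Adaptive Security Appliance Software Version 9.16(4)\nDevice Manager Version 7.16(1)",
    "nx-os-core": "Cisco Nexus Operating System (NX-OS) Software ...",
}

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_INVENTORY):
        print(f"{host}: {finding}")
```

Run it against the sample and it flags the 17.3(1) ISR, the 16.12 Catalyst 9300, the 9.12 ASAv and the NX-OS box it cannot parse, while the 17.3(2), 17.9 and 9.16 devices pass. In practice you would feed it the `show version` text your automation already collects; the point is the train-specific check, since a naive "greater than 17.3" comparison wrongly passes 17.3(1).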

Renewal Caveats

Just a couple notes on renewals.

If you have a subscription that has lapsed for more than 90 days, you’ll probably need to book a new order. Your pricing may or may not be the same.

You can’t add new subscriptions to EOL products. For instance, even though that snazzy ASA5525 you’ve had in your data center for the last fifteen years is perfectly fine, you can’t buy a new threat subscription for it.

The issues I commonly see are when Cisco is in the middle of an end-of-life process on a device, and it’s past the End of New Service Attachment Date. For instance, the ASA5515-X end-of-life was announced on February 24, 2017, but you could still add service to it until August 25, 2018.

If you wanted to add one year of service on August 26, 2018, Cisco wouldn’t allow it.

Summary

I hope you found this helpful and may all your devices support Smart Licensing by Policy.

Liam Keegan is a long-time CCIE, automation nerd and entrepreneur. You can find him on LinkedIn.

Written by Liam Keegan

Data center/security/collab hack, CCIE #5026, focusing on automation, programmability, operational efficiency and getting rid of technical debt.