EMEA Airheads How licensing works in Aruba OS 8.x

How Licensing Works In AOS 8.X
10:00 GMT | 11:00 CEST | 13:00 GST
Aug 29th, 2017
Presenter: Maniraj Durairaj
maniraj.durairaj@hpe.com

2
Overview:
• ArubaOS 8.x supports centralized Licensing architecture and it is enabled by default.
• Primary and Backup Mobility Master can share a single set of licenses.
• Managed Device(MD) Maintain the license information from Mobility Master(MM) even if it stops communication between
them.
Supported Topology:
• Mobility Master(MM) acting as licensing server to all associated Managed Device(MD).
• Standalone Controller acting as licensing server to another Standalone Controller.
Unsupported:
• Mobility Master acts as a licensing server to both its associated MD and stand alone.

3
MM Redundancy
• Uses VRRP for Redundancy.
• Shares Single Set of License among them.
• MD connects to MM using the VRRP IP.
• If MM primary is unavailable the MM secondary takes over VRRP IP ownership.
• MD connected to redundant servers use license from the shared pool.

5
• MM maintains a license database.
• All Sharable licenses for MD are managed through MM.
• All the Sharable licenses must be installed on MM.
• If a controller holds licenses installed before Migration to 8.x is no longer valid.
• Those license key must be regenerated and installed on MM, then map it to the MD.
• When an AP associates to the MD, the MD updates MM. MM recalculates and sends the revised license count to its
associated MDs.
• Usage of per AP license from the license pool also consumes 1 PEFNG and 1 RF Protect license count though the
feature is not used by the AP.
• It considers platform limit regardless of the license available in the pool.
• It supports multi-version licensing.

7
Sharable License Vs Controller-Specific License (Box License)
• Sharable License: These sharable license types can be assigned to a licensing pool and used by any device within
a group of managed devices.
• Example: AP, ACR, PEF, RF Protect, VMC, MM and WebCC
• Controller-Specific License: A non-sharable licenses is generated using a controller serial number, and can only
be used by the individual controller for which it was generated. It is also termed as Box License.
• Example: PEFV

8
Evaluation Licences Vs Permanent Licences
Permanent License:
• A permanent license permanently enables the desired software module on a specific Aruba controller.
• You obtain permanent licenses through the sales order process only.
• Permanent software license keys are sent to you via email.
Evaluation License:
• An evaluation license allows you to evaluate the unrestricted functionality of a software module on a specific
controller for 90 days (in three 30-day increments).
• Evaluation licenses are added to Mobility Master and made sharable within a licensing pool.
• An expired evaluation license will remain in the license database until the controller is reset using the command
write erase all, where all license keys are removed.
• An expired evaluation license has no impact on the normal operation of the controller, but it is kept in the license
database to prevent abuse.

9
When an evaluation period expires:
• The controller automatically backs up the startup configuration and reboots itself at midnight (according to the
system clock).
• All permanent licenses are unaffected. The expired evaluation license feature is no longer available and is displayed
as Expired in the WebUI

10
Perpetual Licences vs Suscription Licences
Perpetual Licenses:
• A perpetual license is a purchased license that has no end date; once installed, it does not expire. Most purchased
licenses are perpetual licenses.
Subscription Licenses:
• The Web Content and Classification (WebCC) license is a subscription license that enables WebCC features only
for the duration of the subscription (1,3,5,7 or 10 years).

12
1. AP License:
• An AP license is required for each operational LAN-connected, mesh, or remote AP that is advertising at least one
BSSID (virtual-AP).
• Usage Basis: Per AP
2. ACR License:
• This license enables ArubaOS Advanced Cryptography (ACR) features. A license is required for each active client
termination using Suite-B algorithms or protocols.
• Usage Basis: Per Client Session
3. PEF License:
• One operational AP using one or more Policy Enforcement Firewall (PEF) features, such as intelligent application
identification, policy-based traffic management and controls, or stateful user firewalls.

13
4. PEFV License: (Alias Box License)
• The PEFV license allows a network administrator to apply firewall policies to clients using a VPN to connect to the
controller. This license is mandatory for the Aruba VIA VPN client, but optional for all other VPN clients. The PEFV
license is purchased as a single license that enables the functionality up to the full user capacity of the controller.
• Usage Basis: Per Controller
5. RFProtect License:
• An RFProtect (RFP) license is required for each operational AP using one or more RF Protect features, such as
spectrum analysis and Wireless Intrusion Protection (WIP).
6. MM License:
• Starting with ArubaOS 8.0.1, the MM license is required to terminate devices (controllers or APs) on Mobility Master.
If the Mobility Master does not have sufficient MM licenses and an AP fails to obtain a license, that AP can get an IP
address and connect to its controller, but will not broadcast an SSID.
• Usage Basis: Associated device (Per Controller/Per AP)

14
7. VMC License:
• Starting with ArubaOS 8.0.1, the VMC license is a sharable license required to terminate APs on a virtual
controller(MD). In ArubaOS 8.0.0, the VMC-TACT and VMC-TACT8 licenses are non-sharable licenses that must be
installed on a virtual machine before you can install ArubaOS as a controller on that VM.
8. WebCC License: (Alias Subscription License)
• The Web Content Classification (WebCC) license is a subscription based, per-AP license that supports Web content
classification features on an AP for the duration of the subscription period (up to10 years per license).

LICENSE SERVER FAILOVER BEHAVIOURS

16
The following sections describe failover behaviours:
• Mobility Master Fails Over to a Backup Mobility Master
• Mobility Master Must be Replaced
• Mobility Master is Unreachable
• A Managed Device is Unreachable
• An AP Fails Over to Another Licensing Client

17
Mobility Master Fails Over to a Backup Mobility Master:
• If Primary MM fails, Secondary MM retains the shared license until Secondary MM reboots.
• If Primary MM is unavailable and Secondary MM reboots before the Primary MM is available then the MD retains
the license for 30 days.
• The MD retains the license for 30 days if primary and Backup MM is unavailable.
Mobility Master needs to be replaced:
• If the MM needs to be replaced, the license keys must be regenerated and installed on the new Mobility Master.
• In Redundancy topology, need not to reinstall the license key.
• The replaced MM will sync with the secondary/backup MM and update its license database.

18
Mobility Master unreachable to MD:
• Exchanges periodic heartbeats between MM and MD(every 30 seconds).
• If consecutive heartbeat misses the MD marks MM as down.
• MD uses license from MM for 30 days.
• If MM is not reachable for the complete 30 days by MD, it removes all the shared license received.
• Post 30 days of MM unreachable the existing APs are functional until they are rebooted.
• The new APs trying to connect to MD will not be active due to insufficient license.
MD unreachable to MM:
• Exchanges periodic heartbeats between MM and MD(every 30 seconds).
• If consecutive heartbeat misses the MM marks MD as down.
• MM adds license of the MD back to the license pool.

19
AP Failover to another License Client(MD):
• AP fails over from MD 1 to another MD 2 the AP will be active even if the MD 2 do not have sufficient license until
the respective AP reboots.
• If no sufficient license on MD 2 and the AP moved from MD 1 to MD 2 reboots, then the AP will be down due to
insufficient license.

21
Licensing Pool Topologies:
• Allows us to configure Customized Licensing pools.
• MD share all the sharable license from the Global pool on MM.
Global Pool:

22
Example:
• 100 Sharable license installed on the Mobility Master(MM). (AP License for Example)
• All the license are now available for MD from the Global License Pool “/” in MM.
• Assume US Domain uses 25 AP License, India uses 35 AP License and China uses 15 AP license.
• The remaining license in the Global Pool is 25.
US 25
India 35
China 15
--------------------------
Total: 75
• Global Pool 100 – Used License 75 = 25 Remaining License

24
• A custom licensing pool USA is created (/USA).
• Assume 40 license is allocated to USA pool.
• Then the remaining license in the Global pool(/) is (100-40) = 60 License.
• The USA associated MD can use only the allocated 40 license and can not exceed the count though there are
license available in the Global pool.
• The rest domains India & China can use the rest 60 license from the Global license pool.

26
• Created custom License pool for each configuration node.
− USA Pool (/USA) 40
− India Pool (/India) 35
− China Pool (China) 25
• Now none of the MDs are associated to the Global License pool.
• There a 0 license left in the Global Pool (/).

28
• From 8.x all the shareable & subscription license can be installed only on the MM.
• The box license can be either installed directly to MD(CLI) or installed to MD through MM.
• Licenses cannot be added directly to a managed device(MD) via the managed device's WebUI.
How to get the Licenses:
• HPE Aruba licensing Web site https://hpe.com/networking/support
− License Registration ID (From sales account manager or authorized reseller)
− Auto-generated ArubaOS passphrase for Mobility Master
− Auto-generated ArubaOS passphrase for any managed device (MD) installed on a server VM (virtual controller)
− Serial numbers of physical controllers.
• From AOS: 8.0.1, VM serial number is not required to generate a Mobility Master (VMM) or virtual mobility controller
(VMC) license.
Additional Information:
• In ArubaOS 8.0.0 VMM & VMC requires a serial number.
• This serial number is obtained from reseller.
• It is configured via the command “product serial-number <serial-number>”.

29
• The Passphrase is generated using UUID parameter which is supposed to be unique for each VM device.
• It is used to avoid using the same license for different VMM and VMC.
• Each virtual machine is automatically assigned a universally unique identifier (UUID).
• The UUID is a 128-bit integer. The 16 bytes of this value are separated by spaces, except for a dash between the
eighth and ninth hexadecimal pairs.
− A sample UUID looks like this:
− 56 4d ef 2d 3f d4 14 e2-2e 04 c5 34 3a ec ee 65

30
• To identify MM Passphrase/ Serial Number
• (Maniraj-Aruba-MM) [mynode] #cd /mm
• (Maniraj-Aruba-MM) [mm] #show license passphrase
• MM6FCB559-Yxc3r30/-9xM9Oj8y-5V/1GpgI-7WWmoIkU
• (Maniraj-Aruba-MM) [mm] #show inventory
• Mgmt Port HW MAC Addr : 00:0C:29:FC:B5:59
• HW MAC Addr : 00:0C:29:FC:B5:63
• Product key# : MM6FCB559
• Activate license : Not Applicable
• Active device type : MM
• (Maniraj-Aruba-MM) [mm] #

31
VMM (Virtual Mobility Master):
• LIC-MM-VA-xx should be installed on VMM. (Per Device)
• LIC-MC-VA-xx should be installed on VMC if it is an MD. (Per AP)
• LIC-MM-VA-xx will be consumed by both MDs and APs
− e.g. LIC-MM-VA-500 can support say 10 MDs and 490 APs. So total 500 devices.
• LIC-MC-VA-xx will be consumed by Aps on VMC.
Standalone VMC (Virtual Mobility Controller):
• LIC-MC-VA-xx should be installed on standalone VMC.
• MCM (Mobility Controller Master/72xx-MC) and standalone 7xxx
• On MCM i.e. legacy master and standalone 7xxx controllers, MM/MC licenses are not required.
• VMC is not supported on MCM.
Note:
• LIC-MM-VA-xx stands for license-mobility master-virtual appliance-xx
• LIC-MC-VA-xx stands for license-mobility controller-virtual appliance-xx

32
VMC device types to be supported

33
VMM device types to be supported

34
My Networking Portal(Public Facing):
• www.hpe.com/networking/support
• www.hpe.com/networking/mynetworking
Internal Sites:
HPE License Acquisition Portal:
• https://hpn-app.houston.hpe.com/LicenseAcquisition/Default.aspx
HPE Customer Look UP Portal:
• https://hpn-app.houston.hpe.com/CustomerLookup/

LICENSE TRANSFER FROM 6.X TO 8.X

42
Installing the License
WebUI:

46
From CLI:
(Maniraj-Aruba-MM) [mynode] (config) #cd /mm
Maniraj-Aruba-MM) [mm] (config) #license-pool-profile-root
(Maniraj-Aruba-MM) ^[mm] (License root(/) pool profile) #
acr-license-enable enable ACR feature
no Delete Command
pefng-licenses-enable enable PEFNG feature
rfp-license-enable enable RFP feature
webcc-license-enable enable WebCC feature
xsc-license-enable enable XSEC feature
(Maniraj-Aruba-MM) ^[mm] (License root(/) pool profile) #

47
Installing License on Standalone

48
Standalone pointing to external server

50
Adding Device Specific License From MM to MD
• MM can remotely adding an MD’s box license to MD when MD’s console access is blocked from configuration
during zero touch provisioning.
• MM remotely installs box license on MD by specifying the MD’s IP address and the license key.
• MM CLI infrastructure internally sends license installation request to the specified MD’s IP address.
• MD processes the request and installs the license as if the command were issued on MD.
• MD finally sends the CLI response to MM with proper CLI execution results.
• We don't support remote license "delete" action command due to security reason.

53
Through CLI:
Syntax:
• (Mobility Master) [mynode] #license remote ip-addr <ip of MD> add <License Key>
Example:
• (Mobility Master) [mynode] #license remote ip-addr 10.16.10.33 add dZISoMMz-
lZsTr0DR-5bTBubyp-mDhDm7hQ-ZLibcbqp-xc7mOZJG-C4Qt/UgJ-DKts3b6H-AJmbd5PL-

54
(Maniraj-Aruba-MD) #Show log system 50
Jan 20 22:20:04 :399838: <3893> <WARN> |cfgm| handleLicenseMessage: State(READY:UPDATE SUCCESSFUL:CFGID-1:PEND-1:INITCFGID:1)
FD=26:Received License Update
Jan 20 22:20:04 :399838: <3893> <WARN> |cfgm| handleLicenseMessage: State(READY:UPDATE SUCCESSFUL:CFGID-1:PEND-1:INITCFGID:1)
FD=26:Moving out of activation state for License update.
Jan 20 22:20:04 :399838: <3893> <WARN> |cfgm| handleLicenseMessage: State(READY:UPDATE REQUIRED:CFGID-1:PEND-1:INITCFGID:1)
FD=26:License triggered config request sent
Jan 20 22:20:11 :399838: <3893> <WARN> |cfgm| Updating MM license limits limits:32
Jan 20 22:20:11 :399838: <3934> <WARN> |licensemgr| __license_send_fp_update sending update with PEFNG disabled
Jan 20 22:20:11 :399838: <3934> <WARN> |licensemgr| __license_send_fp_update 193 FEATURE_PEF_VPN is set
Jan 20 22:20:11 :399838: <3934> <WARN> |licensemgr| __license_send_fp_update sending update with RFP disabled
Jan 20 22:20:11 :399838: <3934> <WARN> |licensemgr| __license_send_fp_update sending update with XSEC disabled
Jan 20 22:20:11 :399838: <3893> <WARN> |cfgm| handleLicenseMessage: State(READY:UPDATE REQUIRED:CFGID--1:PEND-1:INITCFGID:1)
FD=26:Received License Update
Jan 20 22:20:11 :399838: <3893> <WARN> |cfgm| handleLicenseMessage: State(READY:UPDATE REQUIRED:CFGID--1:PEND-1:INITCFGID:1)
FD=26:License triggered config request sent
Jan 20 22:20:13 :334023: <3963> <ERRS> |profmgr| Config update for config node:/sc, cmd:user any sys-svc-telnet deny , error:
Failed to update configuration to application
Jan 20 22:20:15 :399838: <3893> <WARN> |cfgm| Saving config bitmap with PEF_VPN(3)(off)

55
Subscription License(WebCC)
• In 6.5, We introduced WebCC subscription license but upon license expiry WebCC feature continue to work without
any impact.
• In 6.5.1, The WebCC license enforcement will now affect the functionality and disallow the support of cloud lookup
for Web Content classification.
• It is the same functionality in 8.x.
• WebCC license come with 1,3,5,7 or 10 years subscription.
• Subscription time starts from the time the license key is generated from the licensing Web site.
• The WebCC license usage is minimum active AP count received from STM and available WebCC license count.
• After License expires, grace period of 120 days is provided.
• Subscription licenses cannot be renewed.
• Licensemgr sends the WebCC license limits to apps. If a license expires the new limits are published accordingly.
• WebCC license enforcement will be done by WebCC App.
• From licensemgr publishes the apps an additional field for license which will be used to determine if WebCC license
enforcement needs to be applied.

56
Enforcement Triggers:
• When AP’s UP are more than WebCC licenses limit in controller.
• When WebCC license expires.
Note:
• WebCC classification works with only controller cache when enforcement triggers.
• In Centralized license enabled case, The Cloud updates will be disabled in all the nodes.

57
When AP’s License usage is greater than WebCC license.
(Maniraj-Aruba-MM) ^[mm] #show license-usage client
License Clients License Usage for pool /
----------------------------------------
Hostname IP Address Mac addr AP Lic. PEF Lic. RF Protect Lic. xSec Lic. ACR Lic. WebCC Lic. MM Lic. VMC
Lic. Last update (secs. ago)
-------- ---------- -------- ------- -------- --------------- --------- -------- ---------- ------- ---
----- -----------------------
Maniraj-Aruba-MM 10.17.164.179 00:0c:29:fc:b5:63 2 0 0 0 0 1 0 0
10
Maniraj-Aruba-MD 10.17.169.151 00:1a:1e:00:b7:a8 0 0 0 0 0 0 1 0
21
TOTAL 2 0 0 0 0 1 1 0
Total no. of clients: 2

58
(Maniraj-Aruba-MM) ^[mm] #show web-cc status
Web Content Classification Status
---------------------------------
Service Status
------- ------
Web Content Classification enabled : Yes
DNS/Name Server configured : Yes
URL Cloud lookup server reachable : Yes
Cloud lookup/update available : No

59
• When AP’s License usage is equal to WebCC license.(We install an additional WebCC license to match AP
license)
Maniraj-Aruba-MM) ^[mm] # show license
29la2Kb2-tDLp7tZT-DxAmSs+S-nfwGEz00-CMORopJX-bpk 2017-01-18 Never E Access Points: 2
W1eN0hke-5P+jxmu9-QsPFcNwB-FDGpTg49-q18U5Ros-alI 2017-01-18 2018-01-18(2017-04-18) ES WebCC: 1
AWgsgyQ1-otO5CZ7k-incbKLe/-x6Zlycnd-Qpwcc2VO-zc8 2017-01-19 2018-01-19(2019-04-19) ES WebCC: 1
Maniraj-Aruba-MM) ^[mm] #show license-usage client
----------------------------------------
-------- ---------- -------- ------- -------- --------------- --------- -------- ---------- ------- ---
----- -----------------------
10
21
TOTAL 2 0 0 0 0 2 1 0

60
---------------------------------
Service Status
------- ------
Cloud lookup/update available : Yes

61
• When WebCC license Expires
Maniraj-Aruba-MM) ^[mm] # show license
29la2Kb2-tDLp7tZT-DxAmSs+S-nfwGEz00-CMORopJX-bpk 2017-01-18 Never E Access Points: 2
DxAmSs+S-5P+jxmu9-QsPFcNwB-FDGpTg49-x6Zlycnd-alI 2016-01-18 Expired(Expired) S WebCC: 1
AWgsgyQ1-otO5CZ7k-incbKLe/-x6Zlycnd-Qpwcc2VO-zc8 2017-01-19 2018-01-19(2019-04-19) ES WebCC: 1
(Maniraj-Aruba-MM) ^[mm] #show license-usage client
----------------------------------------
-------- ---------- -------- ------- -------- --------------- --------- -------- ---------- ------- ---
----- -----------------------
10
21
TOTAL 2 0 0 0 0 1 1 0

62
---------------------------------
Service Status
------- ------
Cloud lookup/update available : No

68
Eval License:
(Maniraj-Aruba-MM) [mm] (config) #license-pool-profile "/md/Mani-Banglore"
(Maniraj-Aruba-MM) [mm] (License pool profile "/md/Mani-Banglore") #ap-licenses eval key "z0nFTS4c-
rUkHnyRJ-qHpJtdPK-GXdL2UCL-UcyGGnuw-YxzkCJS3-jvbmSxL+-cbzSFZlj-MNAEvYz/-NEQ" 12
(Maniraj-Aruba-MM) [mm] (License pool profile "/md/Mani-Banglore") # pefng-licenses eval key "J6kL3BzQ-
jLSyTL+/-ByJi+BPc-lvsEDKkd-kQV6VQ3r-XA/aZ5QT-YyOQH4Xz-I4ZcLHxp-e4DQ96Z9-5G8" 12
(Maniraj-Aruba-MM) [mm] (License pool profile "/md/Mani-Banglore") # rfp-licenses eval key "YnUvN6cV-
XG4p+ssF-+tUU3/HZ-bUvIBMYe-16pT+F7r-15xwzZRg-NSK2GM1Q-P+DuYd/m-KerLxXDC-jWg" 12
(Maniraj-Aruba-MM) [mm] (License pool profile "/md/Mani-Banglore") # webcc-licenses eval key "jGgl+NLl-
MVifMjVq-JMVpusWw-xL4O9seI-PPQUQ2Yv-HHDKLBV0-kkmarJTn-1yUE91Sa-eK+rZETx-Il8" 12
Permanent License:
(Maniraj-Aruba-MM) [mm] (config) #license-pool-profile "/md/Mani-Banglore"
(Maniraj-Aruba-MM) [mm] (License pool profile "/md/Mani-Banglore") #ap-licenses 12
(Maniraj-Aruba-MM) [mm] (License pool profile "/md/Mani-Banglore") # pefng-licenses 12
(Maniraj-Aruba-MM) [mm] (License pool profile "/md/Mani-Banglore") # rfp-licenses 12
(Maniraj-Aruba-MM) [mm] (License pool profile "/md/Mani-Banglore") # webcc-licenses 12

69
Useful Commands
On License Server:
• Show license debug
• Show license aggregate
• Show license server-table
• Show license-usage client
• Show license keys
• Show license platform-limits
• Show license-pool-profile <profile>
• Show license-pool-profile-root
• Show license heartbeat stats
• Show master-redundancy
• Show license key xxx pool-associations

70
On License Client:
• Show license debug
• Show license client-table
• Show license-usage ap/user/client
• Show license platform-limits

71
Logging:
logging level debugging system process licensemgr
Other Useful Commands:
show web-cc status
show log system all | include licensemgr
show log errorlog all | include licensemgr
show snmp trap-list | include License
show snmp trap-queue | include license

EMEA Airheads How licensing works in Aruba OS 8.x

More Related Content

What's hot (20)

Similar to EMEA Airheads How licensing works in Aruba OS 8.x (20)

More from Aruba, a Hewlett Packard Enterprise company (20)

Recently uploaded (20)

EMEA Airheads How licensing works in Aruba OS 8.x