License Management

This section describes the procedure for managing CloudEOS license files.

Pay-As-You-Go (PAYG) in Cloud

This section of the document provides a high level overview about verifying the Pay-as-you-go (PAYG) instance installed on the CloudEOS Router products on various supported public platform.

Overview

Pay-as-you-go (PAYG) is a software consumption model supported by various public cloud provider to charge the consumer based on the usage. Other software consumption model on public cloud provider is Bring-your-own License(BYOL). Each vendor who publish their product on public cloud imposes a license requirement for the real usage of their product in which case, the consumer needs to get the BYOL from the vendor in order to use the product in the public cloud.

One of the major benefits of the PAYG method is that there are no wasted resources and consumer only pays for the services procured rather than provisioning for a fixed amount of resources that may or may not be used. Another advantage of PAYG is that, consumers can quickly deploy the product on the public cloud without the need to contact the vendor for license. Normally public cloud provider distinguish each published product by vendor with a unique ID. This unique ID is stored in the cloud provider metadata server. Vendor product should check for the unique ID to distinguish its products from BYOL and PAYG, and allow consumers to use without the requirement of license from vendor.

License Verification

The following commands are used to verify if an SFE and IPsec licenses are installed in PAYG mode for CloudEOS.

Note: The show license command does not show licenses installed through PAYG feature.

Example show output for SFE

If SFE license is installed and validated, the following output is displayed -

switch# show platform sfe licensing

Licensing Information
---------------------
 License TC created: no
 Number of throttled interfaces: 0

If SFE license is not installed the following output is displayed -

switch# show platform sfe licensing

Licensing Information
---------------------
License TC created: yes
Number of throttled interfaces: 1
Interfaces throttled:
Ethernet1: 80 Mbps"

Example show output for IPsec

If IPsec is not installed the following output is displayed.

switch# show ip sec connection
! No valid IPsec license found. IPsec is disabled.

If IPsec is installed the following output is displayed.


switch# show ip sec connection
TunnelSource DestStatusUptime Input Output RekeyTime
Tunnel63 1.0.0.1 1.0.0.2 Established 22 minutes 0 bytes0 bytes34 minutes
If no valid certificate is installed, it displays configured IPsec connections.

Troubleshooting

The following $curl command is used to verify the if an AWS / Azure instance is an PAYG instance. This command is executed under Bash mode.

PAYG support for AWS

The step shown in the example below is used to verify if an AWS instance is an PAYG instance. AWS customers can verify the product code of their PAYG instance by querying instance identity document from their running CloudEOS Router instance.

  • To retrieve the instance identity document, use the following command from your running instance:
 
[switch]$ curl http://169.254.169.254/latest/dynamic/instance-identity/document
{
"accountId" : "083837402522",
"architecture" : "x86_64",
"availabilityZone" : "us-west-1b",
"billingProducts" : null,
"devpayProductCodes" : null,
"marketplaceProductCodes" : [ "cdcwmm26cap8fqlnkwuqte405" ],
"imageId" : "ami-017900c328c2edfbe",
"instanceId" : "i-058ebba29bd475e8b",
"instanceType" : "c5.xlarge",
"kernelId" : null,
"pendingTime" : "2020-05-01T06:53:42Z",
"privateIp" : "11.0.4.101",
"ramdiskId" : null,
"region" : "us-west-1",
"version" : "2017-09-30"
}

PAYG support for Azure

The step shown in the example below is used to verify if an Azure instance is an PAYG instance.

Example metadata showing the SKU:

[switch]$ curl -H Metadata:true "http://169.254.169.254/metadata/instance/compute?api-version=2017-08-01"
{"location":"westus",
"name":"adhip-test",
"offer":"cloudeos-router-payg",
"osType":"Linux",
"placementGroupId":"",
"platformFaultDomain":"0",
"platformUpdateDomain":"0",
"publisher":"arista-networks",
"resourceGroupName":"adhip2",
"sku":"cloudeos-4_23_0-payg",
"subscriptionId":"ba0583bb-4130-4d7b-bfe4-0c7597857323",
"tags":"","version":"4.23.0",
"vmId":"c23a7526-44c5-43af-bcf5-8b2419105393",
"vmSize":"Standard_D4_v3"
$
 

PAYG support for GCP

The Arista CloudEOS instance needs network connectivity and DNS resolution to use the GCP metadata server "metadata.google.internal" for various services including license validation. Normally the CloudEOS automatically picks up and configures the default route and DNS server( GCP default DNS server: 169.254.169.254) through DHCP during the initial instance bringup. However, to make sure the instance is able to access the DNS server and reach GCP metadata server properly, use the below CLI command as well as the license ID matches 3403635045915687054 for the PAYG image.
cloudEos#bash curl http://metadata.google.internal/computeMetadata/v1/instance/licenses/0/id -H "Metadata-Flavor:Google"
3403635045915687054
Note: If you are using your own DNS server and/or DHCP server, please make sure that the above commands work properly by setting up the proper DNS resolution/routes.
The following Cloud EOS commands helps in licensing to bypass the DNS/network connectivity issues in case of issues due to custom DHCP/DNS setup:
cloudeos-router-payg-router-vm# ip host metadata.google.internal 169.254.169.254
cloudeos-router-payg-router-vmr# ip route 169.254.169.254/32 Ethernet1 <default_vpc_router>

where <default_vpc_router> is the second address in the primary IP range for the subnet in which Ethernet1 resides. For example, default_vpc_router is 10.1.2.1 in 10.1.2.0/24 subnet belonging to Ethernet1 in the google cloud.

However, note that, other features which needs access to the cloud provider web APIs like CloudHA, may still have issues with your own DNS/DHCP setup unless carefully planned. If you are using your own DNS/DHCP servers, please see details at https://cloud.google.com/compute/docs/internal-dns.

Bring-Your-Own-License (BYOL) in Cloud and On-Prem

License files for CloudEOS and vEOS

CloudEOS and vEOS license files are available to unlock performance limitations and enable IPSec.

Installing License Files

License files are files that are imported via the CLI. Contact your local SE for assistance in obtaining a license. Use the license import command to download a license file. Save the file to /mnt/flash/ or a server. For example purposes, the licenses below are non-functional.


switch#license import flash:vEOSLic-1.json
switch#license import flash:IPSecLic-1.json

License files may also be imported via http. The following example illustrates the structure of the licence files import.

http:some-url/license.json

Verifying Installed License Files

Use the show license command to display details regarding the active licenses and device-specific information needed for licensing. For example purposes, the licenses below are non-functional.

switch#show license
Customer name: Arista Test Customer
System Serial number: 6FF552005130CB93A1048182A0FE585C
System MAC address: 5254.0062.ab2e
Domain name: Unknown
Platform: CloudEOS-KVM

License feature: IPSec
License parameter: None
Count: 1
Start: 2018-01-31 00:43:31
Expiration: 2026-12-30 16:00:00
Active: yes

License feature: CloudEOS - Virtualized EOS
Throughput: Not Throttled
Count: 1
Start: 2018-01-31 00:42:48
Expiration: 2026-12-30 16:00:00
Active: yes

 

Update License Files (Optional)

Use the license update command forces the system to evaluate the license files already present in the license store.

switch#license update

Obtaining and Installing Soft Expiry

Users can obtain license files from Arista that extend the time for which the customer can use a certain feature without any limitations. The license for the feature is considered expired, but the feature continues to work until the grace period as mentioned in the license file lapses.

For example, with a license file such as the one below, customer can continue to use vEOS without any limitations for ten days beyond expiry date.

{
"LicenseFileVersion": "1.0",
"CustomerName": "Arista Test Customer",
"LicenseSerialNumber": "ARISTA-TEST-DAYSPAST1",
"Signature": {
"SigningCertPEM": "-----BEGIN CERTIFICATE-----7brkfssZDrRIatxKEkv6Oc
\nh4kXO2mvvMJxQDf7VvGXEC3fSRURLwPz//6JMx942iOKsES8ZT9nT2q9MxJXfInn\n3EcKGmPWKQR4n2qH
fmq6sfk2eFBUYIrZBm9RUbVbyLZLCOv2KxJ7FFZ9LV1jp5An\nAyHLJUMQqqw/kvUUvUq1bI/PtEOlNc9Ndt
/3yeh+HByzIw8/f+gjKkUjQpVncuqS\nkFotBPNNj/LjbQD40R/tJ0z/8sPXCGJuo4mE9s/MwnWmkAHxpZyC
ccMBlNp3LkJk\nFHcsVb36Vclv5XWDe5AxU+0sQjEB4LGP7nYo8wjjvSZIpYXRiAmDRGuAGi/W/W3F\n6hEQ
661JK4KPJvoQsMqYaO/TkZPIXEAdgEDkmj0=\n-----END CERTIFICATE-----\n",
"Hash": "f076d2cac1eac2a8261915e0b2ce4cb547e9c98bda070d001140daf3c3bd3694",
"Signature": "304502201ca6fab964d8a3aade43d306232fcf52b9503fc22f4552
d58fb5a95e1b9e13e6022100dff97ad4f37389b55887f0ec06c9ef29d55a75e668e4da654deaf8037633a9bd"
},
"Features": {
"vEOS": [
{
"Count": 1,
"Value": "",
"Valid": {
"NotBefore": "2000-01-01T00:00:00Z",
"NotAfter": "2001-01-01T00:00:00Z"
},
"BehaviorModifier": {
"DaysAllowedPastExpiration": 10
}
}
]
},
"BindingInfo": {
"SystemMAC": "",
"DomainAddress": "",
"SerialNumber": "2BC6A772072B04BED43DCCF8777F036F"
}
}



-- 

Additional Licensing Show Commands

The following CLIs can be used to verify if a license file is valid, when it expires, what license files are installed and any relevant information regarding a license. The show license commands do not list features that are unlocked by external license files or means.

 

Show License Files

Use the show license files command to display all information related to the active licenses installed. For example purposes, the licenses below are non-functional.

switch#show license files

License name:2017.11.02.08.23.23.053684_IPSecLic-1yr.json
Contents:
{
"BindingInfo": {
"DomainAddress": "",
"SerialNumber": "C3F3580316A92EE8D97DB70C967EAAA4",
"SystemMAC": "02:9c:a8:a5:51:5a"
},
"CustomerName": "Arista Test",
"Features": {
"IPSec": [
{
"Count": 1,
"Valid": {
"NotAfter": "2018-12-31T00:00:00Z",
"NotBefore": "2017-11-02T15:21:22Z"
},
"Value": ""
}
]
},
 (truncated)
}

License name:2017.11.03.12.27.24.016515_vEOSLic-1234.json
Contents:
{
"BindingInfo": {
"DomainAddress": "",
"SerialNumber": "C3F3580316A92EE8D97DB70C967EAAA4",
"SystemMAC": ""
},
"CustomerName": "Arista Test",
"Features": {
"CloudEOS": [
{
"Count": 1,
"Valid": {
"NotAfter": "2018-12-31T00:00:00Z",
"NotBefore": "2017-11-02T00:00:00Z"
},
"Value": ""
}
]
},
"LicenseFileVersion": "1.0",
(truncated)
END CERTIFICATE-----\n"

 

show license expired

The show license expired command will display the same as the show license command, but only displays expired license files.

switch#show license expired
System Serial number:2BC6A772072B04BED43DCCF8777F036F
System MAC address:06:1b:8a:48:8d:0c
Domain name: Unknown

License feature:IPSec
	License parameter:None
	Count:1
	Start:2017-10-05 21:49:13
	Expiration: 2017-10-09 17:00:00
	Active: expired


License feature:CloudEOS-Virtualized EOS
	License parameter:None
	Count:1
	Start:2017-10-05 21:47:34
	Expiration: 2017-10-09 17:00:00
	Active: expired

 

show license all

The show license all command will display all license files that are active, expired or license files that have not yet been activated.

switch#show license all
System Serial number:2BC6A772072B04BED43DCCF8777F036F
System MAC address:06:1b:8a:48:8d:0c
Domain name: Unknown

License feature:IPSec
	License parameter:None
	Count:1
	Start:2017-12-30 16:00:00
	Expiration: 2018-12-30 16:00:00
	Active: in future

	License parameter:None
	Count:1
	Start:2017-09-18 13:56:45
	Expiration: 2017-12-30 16:00:00
	Active: yes

	License parameter:None
	Count:1
	Start:2017-10-05 21:49:13
	Expiration: 2017-10-09 17:00:00
	Active: expired


License feature:CloudEOS-Virtualized EOS
	License parameter:None
	Count:1
	Start:2017-10-08 17:00:00
	Expiration: 2017-12-30 16:00:00
	Active: yes

	License parameter:None
	Count:1
	Start:2017-12-30 16:00:00
	Expiration: 2018-12-30 16:00:00
	Active: in future

	License parameter:None
	Count:1
	Start:2017-10-05 21:47:34
	Expiration: 2017-10-09 17:00:00
	Active: expired