License Management

This section discusses the procedure for managing CloudEOS license files.

Pay-As-You-Go (PAYG) in Cloud

This section discusses a high-level overview of verifying the Pay-as-you-go (PAYG) instance installed on the CloudEOS router products on various supported public platforms.

Overview

Pay-as-you-go (PAYG) is a software consumption model supported by various public cloud providers that charges the consumer based on usage. Other software consumption model on public cloud providers is Bring-your-own License(BYOL). Each vendor that publishes its product on the public cloud imposes a license requirement for the real usage of its product, in which case the consumer needs to get the BYOL from the vendor to use the product in the public cloud.

One of the major benefits of the PAYG method is that there are no wasted resources, and the consumer only pays for the services procured rather than provisioning for a fixed amount of resources that may or may not be used. Another advantage of PAYG is that consumers can quickly deploy the product on the public cloud without contacting the vendor for a license. Normally, public cloud providers distinguish each published product by the vendor with a unique ID. This unique ID is stored in the cloud provider metadata server. Vendor products should check for a unique ID to distinguish their products from BYOL and PAYG and allow consumers to use them without the vendor's license requirement.

License Verification

Use the following commands to verify if the Software Forwarding Engine (SFE) and IPsec licenses are installed in PAYG mode for CloudEOS router.

 

Note: The show license command does not show licenses installed through the PAYG feature.

 

Example show output for SFE

 

Ifthe SFE license is installed and validated, the following output will appear: 
router# show platform sfe licensing

Licensing Information
---------------------
 License TC created: no
 Number of throttled interfaces: 0

 

If the SFE license is not installed, the following output will appear: 
router# show platform sfe licensing

Licensing Information
---------------------
License TC created: yes
Number of throttled interfaces: 1
Interfaces throttled:
Ethernet1: 80 Mbps"

 

Example show output for IPsec

If IPsec is not installed, the following output will appear: 

router# show ip sec connection
! No valid IPsec license found. IPsec is disabled.

 

If IPsec is installed, the following output displays: 

router# show ip sec connection
TunnelSource DestStatusUptime Input Output RekeyTime
Tunnel63 1.0.0.1 1.0.0.2 Established 22 minutes 0 bytes0 bytes34 minutes
If no valid certificate is installed, it displays configured IPsec connections.

 

Troubleshooting

Use the $curl command to verify whether an AWS / Azure instance is a PAYG one. Execute the command in the Bash mode.

PAYG support for AWS

Use the step in the following example to verify if an AWS instance is a PAYG instance. AWS customers can verify their PAYG instance's product code by querying identity documents from their CloudEOS router instance.
  • To retrieve the instance identity document, use the following command from your running instance: 
    [switch]$ curl http://169.254.169.254/latest/dynamic/instance-identity/document
{
  "accountId" : "083837402522",
  "architecture" : "x86_64",
  "availabilityZone" : "us-west-1b",
  "billingProducts" : null,
  "devpayProductCodes" : null,
  "marketplaceProductCodes" : [ "cdcwmm26cap8fqlnkwuqte405" ],
  "imageId" : "ami-017900c328c2edfbe",
  "instanceId" : "i-058ebba29bd475e8b",
  "instanceType" : "c5.xlarge",
  "kernelId" : null,
  "pendingTime" : "2020-05-01T06:53:42Z",
  "privateIp" : "11.0.4.101",
  "ramdiskId" : null,
  "region" : "us-west-1",
  "version" : "2017-09-30"
}

     

PAYG support for Azure

The step shown in the following example is used to verify if an Azure instance is a PAYG instance.

 

Example Metadata Showing the SKU:
[switch]$ curl -H Metadata:true "http://169.254.169.254/metadata/instance/compute?api-version=2017-08-01"
{"location":"westus",
"name":"adhip-test",
"offer":"cloudeos-router-payg",
"osType":"Linux",
"placementGroupId":"",
"platformFaultDomain":"0",
"platformUpdateDomain":"0",
"publisher":"arista-networks",
"resourceGroupName":"adhip2",
"sku":"cloudeos-4_23_0-payg",
"subscriptionId":"ba0583bb-4130-4d7b-bfe4-0c7597857323",
"tags":"","version":"4.23.0",
"vmId":"c23a7526-44c5-43af-bcf5-8b2419105393",
"vmSize":"Standard_D4_v3"
$

 

PAYG support for GCP

The Arista CloudEOS instance needs network connectivity and DNS resolution to use the GCP metadata server "metadata.google.internal" for various services, including license validation. Normally, the CloudEOS automatically configures the default route and DNS server( GCP default DNS server: 169.254.169.254) through DHCP during the initial instance bringup. However, to ensure the instance can access the DNS server and reach the GCP metadata server properly, use the following CLI command, and the license ID matches 3403635045915687054 for the PAYG image.

 

router# bash curl http://metadata.google.internal/computeMetadata/v1/instance/licenses/0/id -H "Metadata-Flavor:Google"
3403635045915687054

 

Note: If you are using your own DNS server and/or DHCP server, please make sure that the above commands work properly by setting up the proper DNS resolution/routes.

 

The following Cloud EOS commands help in licensing to bypass the DNS/network connectivity issues in case of issues due to custom DHCP/DNS setup:

 

cloudeos-router-payg-router-vm# ip host metadata.google.internal 169.254.169.254
cloudeos-router-payg-router-vmr# ip route 169.254.169.254/32 Ethernet1 <default_vpc_router>

 

where <default_vpc_router> is the second address in the primary IP range for the subnet in which Ethernet1 resides. For example, default_vpc_router is 10.1.2.1 in 10.1.2.0/24 subnet belonging to Ethernet1 in the google cloud.

However, note that other features needing access to the cloud provider web APIs, like CloudHA, may still have issues with your DNS/DHCP setup unless carefully planned. If you use your own DNS/DHCP servers, please see the details at https://cloud.google.com/compute/docs/internal-dns.

Bring-Your-Own-License (BYOL) in Cloud and On-Prem

License files for CloudEOS router

CloudEOS router license files are available to unlock performance limitations and enable IPSec.

Installing License Files

License files are files that are imported via the CLI. Contact your local SE for assistance in obtaining a license. Use the license import command to download a license file. Save the file to /mnt/flash/ or a server. For example purposes, the licenses below are non-functional.

 


router# license import flash:vEOSLic-1.json
router# license import flash:IPSecLic-1.json

 

License files may also be imported via HTTP. The following example illustrates the structure of the import of licensefiles.

 

http:some-url/license.json

 

Verifying Installed License Files

Use the show license command to display details regarding the active licenses and device-specific information needed for licensing. For example purposes, the licenses below are non-functional.

 

router# show license
Customer name: Arista Test Customer
System Serial number: 6FF552005130CB93A1048182A0FE585C
System MAC address: 5254.0062.ab2e
Domain name: Unknown
Platform: CloudEOS-KVM

License feature: IPSec
License parameter: None
Count: 1
Start: 2018-01-31 00:43:31
Expiration: 2026-12-30 16:00:00
Active: yes

License feature: CloudEOS - Virtualized EOS
Throughput: Not Throttled
Count: 1
Start: 2018-01-31 00:42:48
Expiration: 2026-12-30 16:00:00
Active: yes

 

Update License Files (Optional)

The license update command forces the system to evaluate the license files already in the license store.

 

router# license update

 

Obtaining and Installing Soft Expiry

Users can obtain license files from Arista that extend the time the customer can use a certain feature without limitations. The license for the feature is considered expired, but the feature continues to work until the grace period, as mentioned in the license file, lapses.

For example, with a license file such as the one following, customers can continue to use without any limitations for ten days beyond the expiry date.

 

{
        "LicenseFileVersion": "1.0",
        "CustomerName": "Arista Test Customer",
        "LicenseSerialNumber": "ARISTA-TEST-DAYSPAST1",
        "Signature": {
                "SigningCertPEM": "-----BEGIN CERTIFICATE-----7brkfssZDrRIatxKEkv6Oc
\nh4kXO2mvvMJxQDf7VvGXEC3fSRURLwPz//6JMx942iOKsES8ZT9nT2q9MxJXfInn\n3EcKGmPWKQR4n2qH
fmq6sfk2eFBUYIrZBm9RUbVbyLZLCOv2KxJ7FFZ9LV1jp5An\nAyHLJUMQqqw/kvUUvUq1bI/PtEOlNc9Ndt
/3yeh+HByzIw8/f+gjKkUjQpVncuqS\nkFotBPNNj/LjbQD40R/tJ0z/8sPXCGJuo4mE9s/MwnWmkAHxpZyC
ccMBlNp3LkJk\nFHcsVb36Vclv5XWDe5AxU+0sQjEB4LGP7nYo8wjjvSZIpYXRiAmDRGuAGi/W/W3F\n6hEQ
661JK4KPJvoQsMqYaO/TkZPIXEAdgEDkmj0=\n-----END CERTIFICATE-----\n",
                "Hash": "f076d2cac1eac2a8261915e0b2ce4cb547e9c98bda070d001140daf3c3bd3694",
                "Signature": "304502201ca6fab964d8a3aade43d306232fcf52b9503fc22f4552
d58fb5a95e1b9e13e6022100dff97ad4f37389b55887f0ec06c9ef29d55a75e668e4da654deaf8037633a9bd"
        },
        "Features": {
                "vEOS": [
                        {
                                "Count": 1,
                                "Value": "",
                                "Valid": {
                                        "NotBefore": "2000-01-01T00:00:00Z",
                                        "NotAfter": "2001-01-01T00:00:00Z"
                                },
                                "BehaviorModifier": {
                                        "DaysAllowedPastExpiration": 10
                                }
                        }
                ]
        },
        "BindingInfo": {
                "SystemMAC": "",
                "DomainAddress": "",
                "SerialNumber": "2BC6A772072B04BED43DCCF8777F036F"
        }
}



--

 

Additional Licensing Show Commands

Use the following CLIs to verify if a license file is valid, when it expires, what license files are installed, and any relevant information regarding a license. The show license commands do not list features unlocked by external license files or means.

 

Show License Files

Use the show license files command to display all information related to the active licenses installed. For example purposes, the licenses below are non-functional.

 

router# show license files

License name:  2017.11.02.08.23.23.053684_IPSecLic-1yr.json
Contents:
{
    "BindingInfo": {
        "DomainAddress": "",
        "SerialNumber": "C3F3580316A92EE8D97DB70C967EAAA4",
        "SystemMAC": "02:9c:a8:a5:51:5a"
    },
    "CustomerName": "Arista Test",
    "Features": {
        "IPSec": [
            {
                "Count": 1,
                "Valid": {
                    "NotAfter": "2018-12-31T00:00:00Z",
                    "NotBefore": "2017-11-02T15:21:22Z"
                },
                "Value": ""
            }
        ]
    },
   (truncated)
}

License name:  2017.11.03.12.27.24.016515_vEOSLic-1234.json
Contents:
{
    "BindingInfo": {
        "DomainAddress": "",
        "SerialNumber": "C3F3580316A92EE8D97DB70C967EAAA4",
        "SystemMAC": ""
    },
    "CustomerName": "Arista Test",
    "Features": {
        "CloudEOS": [
            {
                "Count": 1,
                "Valid": {
                    "NotAfter": "2018-12-31T00:00:00Z",
                    "NotBefore": "2017-11-02T00:00:00Z"
                },
                "Value": ""
            }
        ]
    },
    "LicenseFileVersion": "1.0",
    (truncated)
END CERTIFICATE-----\n"

 

show license expired

The show license expired command will display the same as the show license command but only display expired license files.

router# show license expired
System Serial number:  2BC6A772072B04BED43DCCF8777F036F
System MAC address:    06:1b:8a:48:8d:0c
Domain name:           Unknown

License feature:  IPSec
	License parameter:  None
	Count:              1
	Start:              2017-10-05 21:49:13
	Expiration:         2017-10-09 17:00:00
	Active:             expired


License feature:  CloudEOS  -  Virtualized EOS
	License parameter:  None
	Count:              1
	Start:              2017-10-05 21:47:34
	Expiration:         2017-10-09 17:00:00
	Active:             expired

 

show license all

The show license all command will display all license files that are active, expired, or license files that have not yet been activated.

 

router# show license all
System Serial number:  2BC6A772072B04BED43DCCF8777F036F
System MAC address:    06:1b:8a:48:8d:0c
Domain name:           Unknown

License feature:  IPSec
	License parameter:  None
	Count:              1
	Start:              2017-12-30 16:00:00
	Expiration:         2018-12-30 16:00:00
	Active:             in future

	License parameter:  None
	Count:              1
	Start:              2017-09-18 13:56:45
	Expiration:         2017-12-30 16:00:00
	Active:             yes

	License parameter:  None
	Count:              1
	Start:              2017-10-05 21:49:13
	Expiration:         2017-10-09 17:00:00
	Active:             expired


License feature:  CloudEOS  -  Virtualized EOS
	License parameter:  None
	Count:              1
	Start:              2017-10-08 17:00:00
	Expiration:         2017-12-30 16:00:00
	Active:             yes

	License parameter:  None
	Count:              1
	Start:              2017-12-30 16:00:00
	Expiration:         2018-12-30 16:00:00
	Active:             in future

	License parameter:  None
	Count:              1
	Start:              2017-10-05 21:47:34
	Expiration:         2017-10-09 17:00:00
	Active:             expired