License Management

This section discusses the procedure for managing CloudEOS license files.

Pay-As-You-Go (payg) in Cloud

This section discusses verifying the Pay-As-You-Go (payg) instance installed on the CloudEOS router products on various supported public platforms.

Overview

Pay-As-You-Go (payg) uses a software consumption model supported by various public cloud providers that charges the consumer based on usage. Another software consumption model on public cloud providers uses Bring-your-own License (BYOL). Each vendor publishes its product on the public cloud and imposes a license requirement for the real usage of its product, and you must obtain the BYOL from the vendor to use the product in the public cloud.

payg method does not waste resources, and you pay only for the services procured rather than provisioning for a fixed amount of resources that may or may not be used. Another advantage of payg provides quick deployment of the product on the public cloud without contacting the vendor for a license. Normally, public cloud providers distinguish each published product by the vendor with a unique ID, and stores the unique ID on the cloud provider metadata server. Vendor products check for a unique ID to distinguish their products from BYOL and payg and allow you to use them without the vendor license requirement.

License Verification

Use the following commands to verify the Software forwarding Engine (SFE) and IPsec licenses installed in the payg mode for the CloudEOS router.

 

Note: The show license command does not show licenses installed through the payg feature.

 

Example show output for SFE

 

If the SFE license installs and validates, the following output displays: 
router# show platform sfe licensing

Licensing Information
---------------------
 License TC created: no
 Number of throttled interfaces: 0

 

If you have not installed the SFE license, the following output appears: 
router# show platform sfe licensing

Licensing Information
---------------------
License TC created: yes
Number of throttled interfaces: 1
Interfaces throttled:
Ethernet1: 80 Mbps"

 

Example Show Output for IPsec

If you have not installed the IPSec license, the following output displays: 
router# show ip sec connection
! No valid IPsec license found. IPsec is disabled.

 

If you installed the IPSec license, the following output displays: 
router# show ip sec connection
Tunnel      Source     Dest    Status      Uptime     Input     Output     Rekey    Time
Tunnel63   1.0.0.1   1.0.0.2   Established 22 minutes   0 bytes    0 bytes    34     minutes
If no valid certificate is installed, it displays configured IPsec connections.

 

Troubleshooting payg Licensing

Use the $curl command to verify if an aws or Azure instance supports payg. Execute the command in the Bash mode.

payg support for aws

Use the following command to verify if an aws instance supports payg licensing. aws customers can verify the payg instance product code by querying identity documents from the CloudEOS router instance.
  • To retrieve the instance identity document, use the following command from your running instance:

     

     
[switch]$ curl http://169.254.169.254/latest/dynamic/instance-identity/document
{
  "accountId" : "083837402522",
  "architecture" : "x86_64",
  "availabilityZone" : "us-west-1b",
  "billingProducts" : null,
  "devpayProductCodes" : null,
  "marketplaceProductCodes" : [ "cdcwmm26cap8fqlnkwuqte405" ],
  "imageId" : "ami-017900c328c2edfbe",
  "instanceId" : "i-058ebba29bd475e8b",
  "instanceType" : "c5.xlarge",
  "kernelId" : null,
  "pendingTime" : "2020-05-01T06:53:42Z",
  "privateIp" : "11.0.4.101",
  "ramdiskId" : null,
  "region" : "us-west-1",
  "version" : "2017-09-30"
}

     

payg support for Azure

Use the command in the following example verifies if an Azure instance supports payg.

 

Metadata displaying the SKU on an Azure Instance
[switch]$ curl -H Metadata:true "http://169.254.169.254/metadata/instance/compute?api-version=2017-08-01"
{"location":"westus",
"name":"adhip-test",
"offer":"cloudeos-router-payg",
"osType":"Linux",
"placementGroupId":"",
"platformFaultDomain":"0",
"platformUpdateDomain":"0",
"publisher":"arista-networks",
"resourceGroupName":"adhip2",
"sku":"cloudeos-4_23_0-payg",
"subscriptionId":"ba0583bb-4130-4d7b-bfe4-0c7597857323",
"tags":"","version":"4.23.0",
"vmId":"c23a7526-44c5-43af-bcf5-8b2419105393",
"vmSize":"Standard_D4_v3"
$

 

payg support for Google Cloud Platform (GCP)

The Arista CloudEOS instance requires network connectivity and DNS resolution to use the GCP metadata server, metadata.google.internal , for various services, including license validation. Normally, the CloudEOS instance automatically configures the default route and GCP DNS server, 169.254.169.254 , using DHCP during the initial instance start up. However, to ensure the instance can access the DNS server and reach the GCP metadata server properly, use the following command, and verify that the license ID matches 3403635045915687054 for the payg image.

 

router# bash curl http://metadata.google.internal/computeMetadata/v1/instance/licenses/0/id -H "Metadata-Flavor:Google"
3403635045915687054

 

Note: If using your DNS server and DHCP server, please be sure the commands work properly by setting up the proper DNS resolution/routes.

 

The following CloudEOS commands allow licensing to bypass the DNS and network connectivity issues due to a custom DHCP and DNS setup:

 

cloudeos-router-payg-router-vm# ip host metadata.google.internal 169.254.169.254
cloudeos-router-payg-router-vmr# ip route 169.254.169.254/32 Ethernet1 default_vpc_router

 

The default_vpc_router uses the second address in the primary IP range for the Ethernet 1 subnet. for example, the default VPC router uses the IPv4 address, 10.1.2.1 , in the 10.1.2.0/24 subnet belonging to Ethernet1 in GCP.

However, note that other features require access to the GCP Web APIs, such as CloudHA, may still have issues with your DNS and DHCP setup unless carefully planned. If you use your DNS and DHCP servers, please review the details here .

Bring-Your-Own-License (BYOL) in Cloud and On Premises

License files for the CloudEOS router

CloudEOS router license files unlock performance limitations and enable IPSec.

Installing License Files

Import license files using the CLI. Contact your local SE for assistance with obtaining a license. Use the license import command to download a license file. Save the file to /mnt/flash/ directory or a server. Your license files have a similar format to the following example licenses:

 

router# license import flash:veosLic-1.json
router# license import flash:IPSecLic-1.json

 

As a second option, import license files using HTTP. The following output displays the structure of the import of license files:

 

http://www.mylicense.com/license.json

 

Verifying Installed License Files

Use the show license command to display details regarding the active licenses and device-specific information needed for licensing.

 

router# show license
Customer name: Arista Test Customer
System Serial number: 6FF552005130CB93A1048182A0FE585C
System MAC address: 5254.0062.ab2e
Domain name: Unknown
Platform: CloudEOS-KVM

License feature: IPSec
License parameter: None
Count: 1
Start: 2018-01-31 00:43:31
Expiration: 2026-12-30 16:00:00
Active: yes

License feature: CloudEOS - Virtualized EOS
Throughput: Not Throttled
Count: 1
Start: 2018-01-31 00:42:48
Expiration: 2026-12-30 16:00:00
Active: yes

 

Updating License Files (Optional)

The license update command forces the system to evaluate the license files currently in the license store.

 

switch# license update

 

Obtaining and Installing Soft Expirations

Obtain license files from Arista that extend the time you can use a certain feature without limitations. The license for the feature may be expired, but the feature continues to work until the grace period, as mentioned in the license file, lapses.

for example, with a license file as displayed, customers can continue to use without any limitations for ten days beyond the expiry date.

 

{
        "LicenseFileVersion": "1.0",
        "CustomerName": "Arista Test Customer",
        "LicenseSerialNumber": "ARISTA-TEST-DAYSPAST1",
        "Signature": {
                "SigningCertPEM": "-----BEGIN CERTIFICATE-----7brkfssZDrRIatxKEkv6Oc
\nh4kXO2mvvMJxQDf7VvGXEC3fSRURLwPz//6JMx942iOKsES8ZT9nT2q9MxJXfInn\n3EcKGmPWKQR4n2qH
fmq6sfk2eFBUYIrZBm9RUbVbyLZLCOv2KxJ7FFZ9LV1jp5An\nAyHLJUMQqqw/kvUUvUq1bI/PtEOlNc9Ndt
/3yeh+HByzIw8/f+gjKkUjQpVncuqS\nkFotBPNNj/LjbQD40R/tJ0z/8sPXCGJuo4mE9s/MwnWmkAHxpZyC
ccMBlNp3LkJk\nFHcsVb36Vclv5XWDe5AxU+0sQjEB4LGP7nYo8wjjvSZIpYXRiAmDRGuAGi/W/W3F\n6hEQ
661JK4KPJvoQsMqYaO/TkZPIXEAdgEDkmj0=\n-----END CERTIFICATE-----\n",
                "Hash": "f076d2cac1eac2a8261915e0b2ce4cb547e9c98bda070d001140daf3c3bd3694",
                "Signature": "304502201ca6fab964d8a3aade43d306232fcf52b9503fc22f4552
d58fb5a95e1b9e13e6022100dff97ad4f37389b55887f0ec06c9ef29d55a75e668e4da654deaf8037633a9bd"
        },
        "Features": {
                "veos": [
                        {
                                "Count": 1,
                                "Value": "",
                                "Valid": {
                                        "NotBefore": "2000-01-01T00:00:00Z",
                                        "NotAfter": "2001-01-01T00:00:00Z"
                                },
                                "BehaviorModifier": {
                                        "DaysAllowedPastExpiration": 10
                                }
                        }
                ]
        },
        "BindingInfo": {
                "SystemMAC": "",
                "DomainAddress": "",
                "SerialNumber": "2BC6A772072B04BED43DCCF8777F036F"
        }
}



--

 

Additional Licensing Show Commands

Use the following commands to verify the validity of a license file, the expiration date, installed license files, and any relevant information regarding a license. The show license commands do not list features unlocked by external license files.

 

Use the show license files command to display all information related to the installed active licenses.

router# show license files

License name:  2017.11.02.08.23.23.053684_IPSecLic-1yr.json
Contents:
{
    "BindingInfo": {
        "DomainAddress": "",
        "SerialNumber": "C3F3580316A92EE8D97DB70C967EAAA4",
        "SystemMAC": "02:9c:a8:a5:51:5a"
    },
    "CustomerName": "Arista Test",
    "Features": {
        "IPSec": [
            {
                "Count": 1,
                "Valid": {
                    "NotAfter": "2018-12-31T00:00:00Z",
                    "NotBefore": "2017-11-02T15:21:22Z"
                },
                "Value": ""
            }
        ]
    },
   (truncated)
}

License name:  2017.11.03.12.27.24.016515_veosLic-1234.json
Contents:
{
    "BindingInfo": {
        "DomainAddress": "",
        "SerialNumber": "C3F3580316A92EE8D97DB70C967EAAA4",
        "SystemMAC": ""
    },
    "CustomerName": "Arista Test",
    "Features": {
        "CloudEOS": [
            {
                "Count": 1,
                "Valid": {
                    "NotAfter": "2025-12-31T00:00:00Z",
                    "NotBefore": "2020-11-02T00:00:00Z"
                },
                "Value": ""
            }
        ]
    },
    "LicenseFileVersion": "1.0",
    (truncated)
END CERTIFICATE-----\n"

 

The show license expired command displays the same information as the show license command but only displays expired license files.

router# show license expired
System Serial number:  2BC6A772072B04BED43DCCF8777F036F
System MAC address:    06:1b:8a:48:8d:0c
Domain name:           Unknown

License feature:  IPSec
	License parameter:  None
	Count:              1
	Start:              2017-10-05 21:49:13
	Expiration:         2017-10-09 17:00:00
	Active:             expired


License feature:  CloudEOS  -  Virtualized EOS
	License parameter:  None
	Count:              1
	Start:              2017-10-05 21:47:34
	Expiration:         2017-10-09 17:00:00
	Active:             expired

 

The show license all command displays all active or expired license files, or unactivated license files.

 

router# show license all
System Serial number:  2BC6A772072B04BED43DCCF8777F036F
System MAC address:    06:1b:8a:48:8d:0c
Domain name:           Unknown

License feature:  IPSec
	License parameter:  None
	Count:              1
	Start:              2017-12-30 16:00:00
	Expiration:         2018-12-30 16:00:00
	Active:             in future

	License parameter:  None
	Count:              1
	Start:              2017-09-18 13:56:45
	Expiration:         2017-12-30 16:00:00
	Active:             yes

	License parameter:  None
	Count:              1
	Start:              2017-10-05 21:49:13
	Expiration:         2017-10-09 17:00:00
	Active:             expired


License feature:  CloudEOS  -  Virtualized EOS
	License parameter:  None
	Count:              1
	Start:              2017-10-08 17:00:00
	Expiration:         2017-12-30 16:00:00
	Active:             yes

	License parameter:  None
	Count:              1
	Start:              2017-12-30 16:00:00
	Expiration:         2018-12-30 16:00:00
	Active:             in future

	License parameter:  None
	Count:              1
	Start:              2017-10-05 21:47:34
	Expiration:         2017-10-09 17:00:00
	Active:             expired