Network World

Jamey Heary

Cisco adds SSLVPN flex licensing to compete with Juniper’s ICE licensing

By jheary on Tue, 01/06/09 - 1:42am.

I had a great holiday and enjoyed my time off; I hope you all did as well. Now I have to get my head back in the game. Several notable announcements have come out of the Cisco Security group while I was away. The first one I’d like to highlight is a new SSLVPN licensing scheme.

The wait is over! Cisco now offers a temporary SSLVPN license key similar to what other vendors offer, such as Juniper’s ICE (in case of emergency) licensing. Cisco calls its new feature flex licensing.

Flex licensing allows companies to add temporary SSLVPN licenses to their ASAs at a reduced cost. Use cases include network outages, storms, seasonal or temporary events, emergencies, pandemics, etc. These licenses expire after 60 days of total use. This means you could use 2 days of your flex license for a snowstorm, then revert to your permanent license and still have 58 days left. When the license expires you’ll need to purchase a new one, and you cannot combine flex licenses: only one can be active at a time. What happens when a license expires, you ask? Nothing, until you reboot the ASA. It will continue to work and relies on the honor system until a reboot, at which time the permanent license is restored.

Flex licensing is supported on all ASA platforms except the 5505. It is offered in 250, 750, 1000, 2500, 5000 or 10,000 user counts. When you enter a flex license key, the ASA merges the permanent key with the flex key and picks the highest value for each feature. So if your permanent key has a 250 license and your flex key has a 750, the ASA will pick 750 and allow 750 concurrent connections.

To enable your flex license, you simply enter the activation-key command on the ASA followed by your flex key. It looks like this:

ASA5520(config)# activation-key 0xd11b3d48 0xa80a4c0a 0x48e0fd1c 0xb0443480 0x843fc490

Things to remember are:
-Flex licenses are tied to individual devices by serial number. So you’ll need to have one flex license for each ASA you want flex available on.

-The flex license continues to count down even if the ASA is turned off. So be sure to revert to the permanent key before an extended shutdown to save your flex days.

-Flex licensing requires 8.0.4 or 8.1.2 code on the ASA.

-Flex licensing is meant for a single device or a VPN load-balancing cluster. It is not meant for an SSLVPN ASA failover pair.

For more information see here:
http://www.cisco.com/en/US/products/ps6120/products_licensing_informatio...

So are flex licenses important to your business?




The opinions and information presented here are my personal views and not those of my employer.

More from Jamey Heary:
* Credit Card Skimming: How thieves can steal your card info without you knowing it
* Cisco enters the crowded AV and DLP client market
* Cisco's new ASA code allows you to securely take your Cisco IP Phone with you anywhere
* Cisco targets Symantec, McAfee with its new antivirus client
* Google's Chrome raises security concerns and tastes like chicken feet

Go to Jamey’s Blog for more articles on security.

license keys are a step backward for Cisco

Although SSL VPNs of various flavors can tunnel through restrictive firewalls, we're sticking with L2TP/IPsec for our VPN needs because it is already implemented by a wide variety of commercial and open-source vendors, in software and embedded devices. L2TP/IPsec works on PIX, works on ASA, is supported by many other router, firewall, and VPN concentrator vendors, is supported by Apple, and is supported by Microsoft. It's even supported on the iPhone, as you've pointed out in your column.

Why would we be interested in licensing a proprietary VPN on a per-user basis from Cisco when all our ASAs support unlimited L2TP/IPsec connections out of the box? Cisco is trying to force people to use their AnyConnect SSL based VPN by refusing to support their L2TP/IPsec client on 64-bit Windows. Instead of paying for AnyConnect, we'd be better off paying for a 64-bit Windows L2TP/IPsec client from someone other than Cisco. Then we'd still have that investment if we switched firewall/VPN concentrator vendors.

License keys are a huge step backward for Cisco. Traditionally, Cisco products were expensive but provided great value through an ongoing commitment to firmware updates that few other vendors had. The only license keys were in acquired products like PIX.

That just isn't the case any more. Cisco is the new Microsoft, milking their installed base for additional revenue without providing value. License keys themselves are an annoying maintenance headache. I used to pay not to deal with license keys by paying a premium for Cisco hardware, but it seems like Cisco is telling us that those days are over -- they want a fat premium up front, a large premium for SmartNet support, and license keys and licensed features on top of that.

Luckily for us, there are a lot of new players in this space who understand why techie Cisco users used to be so insanely loyal. I imagine we'll be switching to the upstart competitors because they're offering what Cisco used to offer: a great product and a commitment to ongoing firmware support and new features, for a fair price.

We're not interested in license keys, they provide no value for us whatsoever, and they add plenty of costs and headaches. Flex licenses are a band-aid on an inane licensing situation.

About Cisco Security Expert

Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean Access book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's Cisco Subnet blog community.
