Technical Guide

Licensing
Feature Overview and Configuration Guide

Introduction
This guide describes AlliedWare Plus™ product licensing and how to configure it. Licensing is used
to control access to software features and software versions.

The following license types are described:

 Permanent licenses to enable features

 Permanent licenses to enable software release versions

 Subscription licenses to allow access to services, including AMF, OpenFlow and Unified Threat
Management services

Products and software version that apply to this guide

This guide applies to all AlliedWare Plus products, running version 5.4.4 or later.

 Version 5.4.6-2.1 simplified subscription licensing by introducing the command license update
online.

 Version 5.4.8-1.1 subscription licensing for UTM Offload available on the AR4050S

Feature support may change in later software versions. For the latest information, see the following
documents:

 The product’s Datasheet

 The product’s Command Reference

These documents are available from the above links on our website at alliedtelesis.com.

C613-22066-00 REV G alliedtelesis.com

 Licensing

Contents
Introduction .........................................................................................................................................1
Products and software version that apply to this guide ...............................................................1

Licensing terminology .........................................................................................................................3

Licensing overview ..............................................................................................................................4

Permanent licenses for features ...................................................................................................4
Permanent licenses for software release versions........................................................................4
Subscription licenses....................................................................................................................4

Permanent licenses for features: Obtaining and applying a new feature license................................5
Purchase a feature license for your switch ...................................................................................5
Activate the feature key ................................................................................................................6
Apply the feature license on your switch ....................................................................................10
Confirm the feature license application on your switch..............................................................10
Display a summary of your feature keys.....................................................................................10
Troubleshooting ..........................................................................................................................11

Permanent licenses for features: Licensing on VCStack™ and VCStack Plus™ .............................12
Configuring feature licensing on VCStack and VCStack Plus ....................................................12

Permanent licenses for software release versions

(SwitchBlade x908, SwitchBlade x980 GEN2, and SwitchBlade x8100 only) ..........................15
License certificate files ...............................................................................................................16
Release licensing for VCStack and VCStack Plus ......................................................................17
Applying a release license (SBx908 and SBx908 GEN2 only) ....................................................17
Applying a Release License (SBx8100 only)...............................................................................19
Configuring release licensing on VCStack and VCStack Plus....................................................21

Subscription licenses ........................................................................................................................21

Capability Response File ............................................................................................................22
Automatically obtaining and activating licenses
- for software versions 5.4.6-2.x and later ..........................................................................22
Firewall rules ...............................................................................................................................23
Verifying the update ....................................................................................................................24
Manually obtaining and activating licenses ................................................................................25
Transferring a subscription license to a new device ...................................................................28
Log messages for subscription licensing ...................................................................................28

C613-22066-00 REV G Introduction | Page 2

 Licensing

Licensing terminology
See the table below for descriptions of licensing terms:

Table 1: Licensing Terminology and descriptions

TERM DESCRIPTION

Activation This is the process of using a command to enter a valid license into your switch. Once the license
has been entered, the software version or features of the license are fully valid and usable on your
switch.
Activating a software version entitles you to technical support, and means your switch will not output
console or log messages requesting activation.
Feature A particular software capability function or protocol that is enabled with a valid software license.
Examples of capabilities that are licensable features are OSPF, L3 Multicast routing and VRRP. A
software feature license key enables one or more features on a device. Allied Telesis provides feature
license keys that enable a specified bundle of features. Activating the license will simultaneously
enable that full bundle of features but will ignore features that are not included in the bundle.

License A particular software object that enables features or releases on a device. A license is a combination
of an identifying license label and a license key.
License Certificate A plain text file containing a table of license keys in CSV format. Each line of the file contains a MAC
(SwitchBlade x908 and address, a license name, and a license key.
SwitchBlade x8100 only)

License key An encrypted string of characters associated with a particular license that when activated on a
device enables a specific feature or release on your switch. License keys are long encrypted strings
from which the device can extract information such as issue date, expiration interval, release
identifier, MAC address, and customer name.
License Label A descriptive name associated with a license. The license generation process initially assigns a
default label for each license. However, this label is user editable.

Software release A version of the software that runs on a device. A release is typically identified by a version number
version that comprises the following components: product number, major release number, minor release
number, or maintenance release number. For example, 5.4.6 is a major release, 5.4.6-0.3 is the third
maintenance release of the 5.4.6 major release, and 5.4.6-1.2 is the second maintenance release of
the first minor release of 5.4.6. The software release file will have the suffix .rel at the end of the
filename. The product number is prefixed before the software version number.

Example: SBx908-5.4.6-0.1.rel is the major 5.4.6 software release file for SBx908 series switches. A
series of maintenance and minor releases will typically be released during the lifetime of a given
major software version. These software releases can include:
■ Maintenance releases, numbered in the format SBx908-5.4.6-0.x.rel. Each time a new
maintenance release in the series is created, the number for the release is formed by
incrementing the last digit.
■ Minor version files, numbered by incrementing the first digit after the dash. For example:
■ SBx908-5.4.6-1.1.rel is the first minor release that contains new functionality after the initial
5.4.6 release, and
■ SBx908-5.4.6-1.2.rel is the second maintenance release of the first minor release, and
■ SBx908-5.4.6-2.1.rel is the second minor release.

C613-22066-00 REV G Licensing terminology | Page 3

 Licensing

Licensing overview

Permanent licenses for features

These licenses fall into two categories: base licenses and further feature licenses.

 Base licenses
You can view the base license features by running the show license command. Base licenses are
not user configurable. A sample output is shown below.

Output 1: Example from show license

Index :0
License name :Base License
Customer name :ABC Consulting
Quantity of licenses :1
Type of license :Full
License issue date :15-Jan-2015
License expiry date :N/A
Features include :VRRP OSPF-64 RADIUS-100 Virtual-MAC

 Further feature licenses

Purchasing feature license keys provides you with access to additional software features that are
not included with a base license. These enable advanced features such as Layer 3 routing.

Permanent licenses for software release versions

For some products, a release license is required in order to upgrade to a new major software
version. These licenses are quite separate to those that enable specific features. A release license is
simply an additional certificate that is linked to a licensed device.

Subscription licenses
Subscription licenses enable you to subscribe to services, including AMF, OpenFlow and Unified
Threat Management.

Subscription licenses maintain the feature’s continued operation, and also enable you to access
definition updates for Unified Threat Management services on AR-series UTM firewalls. For
example, the web control and antivirus features depend on third parties regularly supplying updated
signature files that are used to block new URLs or filter out new viruses.

Virtual UTM Firewall feature licenses

When you purchase a feature license, you need to supply the serial number. From software version
5.5.2-0.1 onwards, on the Virtual UTM Firewall, you use the VST-APL's serial number.

C613-22066-00 REV G Licensing overview | Page 4

 Licensing

Permanent licenses for features: Obtaining and applying

a new feature license
This section describes AlliedWare Plus feature licensing and its configuration. Feature licenses
enable support of advanced features on AlliedWare Plus devices.

In versions 5.4.6-x.x, licensing changed for AMF masters and controllers (version 5.4.6-1.x) and
OpenFlow (version 5.4.6-2.x). These changed from being offered as permanent feature licenses to
subscription-based licenses (see "Subscription licenses" on page 21).

Feature licenses are applied with the license command and displayed with the show license and
show license brief commands.

Note: The license command is not supported when operating in secure mode.

Follow these steps to apply feature licenses:

1. “Purchase a feature license for your switch”

2. “Activate the feature key”

3. “Apply the feature license on your switch”

4. “Confirm the feature license application on your switch”

Purchase a feature license for your switch

To request a feature key, contact your Allied Partner (your local Allied Telesis sales office, distributor,
or reseller). Please provide the following information:

 the first time you request a feature key: your company, your name, and your contact details,
including an email address

 the switch model or models that you want to use the feature on

 the name of the feature license that you want to use. Each feature license contains a group of
related features. For available licenses, see the switch’s Datasheet.

 for each model, the number of switches you want to use each feature on

 whether you want a full (permanent) license or a 30-day trial license for testing purposes.

C613-22066-00 REV G Permanent licenses for features: Obtaining and applying a new feature license | Page 5
 Licensing

The first time you request a feature key, your Allied Partner will create an account for you in the Allied
Telesis Licensing System. The system will send you an email when this happens, like the following
example:

Note the Username and Password—you need these to log on and activate the feature key.

After creating an account, your Allied Partner will create the feature key. You will receive an email
when the key has been created, as the next section describes.

Activate the feature key

Step 1: Access the URL from the email
When an Allied Partner creates a feature key for you, you receive an email like the following example.

Click on the link in the email to go to the Allied Telesis Licensing system.

C613-22066-00 REV G Permanent licenses for features: Obtaining and applying a new feature license | Page 6
 Licensing

Step 2: Log into the system

Log in using the Username and Password provided by your Allied Partner. The system opens at your
Home Page, as the following figure shows.

Step 3: Activate the feature key

Enter the feature key number from the email into the Feature
TIP:
Key Number field and click Activate Feature Key.
If you lose the email, use the Find
Feature Key option to find the feature
The system displays a summary of the details of the feature key number. This option is available
key, like the following figure shows. from the left-hand menu.

C613-22066-00 REV G Permanent licenses for features: Obtaining and applying a new feature license | Page 7
 Licensing

Read the End User License Agreement, click on the check box to accept it, then click on the
Activate Feature Key button.

C613-22066-00 REV G Permanent licenses for features: Obtaining and applying a new feature license | Page 8
 Licensing

This opens the Feature Key Details page, which includes the command for you to enter on your
switches, like the following figure shows.

Step 4: Save the license certificate (recommended)

You can save and print a copy of the license certificate for later reference. This provides a
permanent record of the license key.

Click on the View License Certificate link in the Available Actions section. This downloads the
certificate as a PDF file.

Step 5: Copy the enabling command

From either the Feature Key Details page or the license certificate, copy the command, which
takes the form:

license <license-name> <password>

You need to enter this command on each switch that the feature key applies to, as the next section
describes.

C613-22066-00 REV G Permanent licenses for features: Obtaining and applying a new feature license | Page 9
 Licensing

Apply the feature license on your switch

To activate the feature on the switch, enter Privileged Exec mode, then enter the command from the
Feature Key Details page or the license certificate:

awplus#license <license-name> <password>

The license name can be an arbitrary alpha-numeric string. However, we recommend that you use
the value from the Feature Key Details page, to make it easier to see which licenses you have
installed.

Note: If the feature license contains a license for a protocol, then that protocol will restart. This
action may result in a brief loss of network traffic. We recommend only installing licenses
during scheduled maintenance on devices operating in a live environment. After adding a
feature license, the feature may need to restart. The console displays a warning message
before the feature restarts.

Confirm the feature license application on your switch

You can display which feature licenses are applied by running either the show license or show
license brief command.

Output 2: Example from show license brief

awplus#show license brief

Board region: Global
Software Release Licenses
---------------------------------------------------------------------
1 Base License 1 Base License
Full N/A
Current enabled features for displayed licenses:
EPSR-MASTER, IPv6Basic, LAG-FULL, MLDSnoop, OSPF-64, RADIUS-100, RIP,
VRRP

Display a summary of your feature keys

In the Allied Telesis Licensing System, from the Customer Home Page, you can get a report of the
licenses you have bought in a specified time period—the current month by default.

To see the report, click on the Customer Feature Key Summary Report link under the Available
Reports section of the Customer Home Page. The following figure shows an example of a report.
You can export the report as a CSV file by clicking on the Export link underneath the report.

C613-22066-00 REV G Permanent licenses for features: Obtaining and applying a new feature license | Page 10
 Licensing

Troubleshooting
If the license does not make the feature available, make sure that:

 no extra characters were pasted in when the key was copied to the switch’s command line. For
example, make sure that you did not copy a carriage return from the licensing site or the
certificate PDF.

Use the following command to see the key value:

awplus#show license

 the license applies to the appropriate switch model, by checking the board ID.

Use the following command to see the board ID:

awplus#show system

 the switch’s time matches the time on the license. For example, if you create a license on 20
January, but the switch’s time is 19 January, then the license will only become valid a day later.

Use either of the following commands to see the switch’s time:

awplus#show system
awplus#show clock

Use the following command to change the switch’s time:

awplus#clock set <hh:mm:ss> <day> <month> <year>

C613-22066-00 REV G Permanent licenses for features: Obtaining and applying a new feature license | Page 11
 Licensing

Permanent licenses for features: Licensing on

VCStack™ and VCStack Plus™
It is important for the integrity of the stack that all stack members have the same feature licenses.
However, the stack will still form even if the members of the stack do not have the same feature
licenses installed. In this situation, the features available to stack members is defined by those
licensed on the Master.

However, if the licenses installed on the stack members are not identical, then a stack Master
failover can cause features to stop operating. If a stack member that lacks a particular license
becomes the new stack Master, then that particular feature will not operate on the stack.

Note: If you try to stack switches together that are from different OEM territories (for example, a
Japanese switch and a European switch), the switches may have different base feature
licenses. In this situation, a stack may form, but a warning message may be generated to
inform you that the feature licenses do not match on all stack members. Contact Allied Telesis
support to resolve this situation.

For step-by-step instructions on configuring licensing on stacked switches, see the section
"Configuring release licensing on VCStack and VCStack Plus" on page 21.

Configuring feature licensing on VCStack and VCStack Plus

This section describes the licensing configuration for stacked switches. As explained above, it is
important for the integrity of the stack that all stack members have the same feature licenses,
although a stack can still form if its members have differing feature licenses.

If you introduce a new stack member that lacks a certain feature license that is possessed by the
other stack members, a warning message will be generated to inform you that the stack may not
operate to its full potential.

The key point is that to maintain consistent behavior across the stack, all member switches must
have the same feature licenses enabled.

See the Overview of Virtual Chassis Stacking (VCStack) guide for a stacking overview and more
information on the stack formation process. This is available on alliedtelesis.com.

Adding a new switch to a stack

Prior to the 5.4.4 software release, stacks could form only if all members of the stack had the same
features licensed. In practice, when a new switch was to be added to an existing stack, it first had to
have feature licenses applied to it before it could be connected to the stack.

In version 5.4.4 that restriction was lifted, so that there is no requirement for a newly added stack
member to have exactly the same set of feature licenses installed as the existing members.

If there is a feature licensing mismatch, a warning message will inform you that the stack may not
operate to its full potential. In this case you should follow the instructions in “Adding a new feature
license to a stack” below, to correct the problem.

C613-22066-00 REV G Permanent licenses for features: Licensing on VCStack™ and VCStack Plus™ | Page 12
 Licensing

Note: If there is a release license mismatch, wait until the new switch boots, then login and update
the license by following the process described in "Applying a Release License (SBx8100
only)" on page 19 or "Applying a release license (SBx908 and SBx908 GEN2 only)" on
page 17. If there is a release license mismatch, the new switch will successfully join the stack,
but it will operate in the unsupported unlicensed mode.

Adding a new feature license to a stack

Follow this section to add a new feature license to all members of a VCStack, including any newly
installed unlicensed members. If you need to license a single stack member then follow the steps in
"Adding a new switch to a stack" on page 12.

Perform the following tasks to add a new feature license to a VCStack:

1. “Purchase the license and activate the license key”

2. “Apply a feature license to all members of a VCStack”

3. "Reboot the stack (optional)" on page 14

Step 1: Purchase the license and activate the license key

Follow the instructions in "Purchase a feature license for your switch" on page 5 and "Activate the
feature key" on page 6.

Step 2: Apply a feature license to all members of a VCStack

Use the license command to apply the required feature license to the VCStack, as shown in the
following output example. The license command will add a license to all stack members and the no
license command will remove a license from all stack members.

Output 3: Example from license to add a feature license to a stack

awplus#license IPv6
Qd0NvZJ8DutyLAYbsM8pCpY1d8Ho9mzygweBp+paBqVu7By1bTZ+Jipo57
A restart of affected modules may be required.
Would you like to continue? (y/n): y

Stack member 1 installed 1 license

1 license installed.

Prior to version 5.4.4, you needed to apply feature licenses to each stack member using the license
member command. Since version 5.4.4, the license command applies feature licenses to all stack
members. You do not need to use the remote-login command to log into stack members from a
Master to individually apply the license to each stack member.

If a stack member already has the new license installed, the license command will be ignored for
that stack member and no action will take place. This means a license will only be applied to devices
that need it. This allows you to easily bring an individual stack member into sync with the other
members of the stack.

C613-22066-00 REV G Permanent licenses for features: Licensing on VCStack™ and VCStack Plus™ | Page 13
 Licensing

Step 3: Reboot the stack (optional)

You may choose to reboot the stack after installing a new license, by using either the reboot
command or the reload command.

Note: Rebooting is optional and it is good practice, as it enables you to check the stack’s operation.
However, if you choose not to reboot, the newly licensed features will still run on the stack.

Output 4: Example from reboot showing a valid license console message

reboot system? (y/n): y

URGENT: broadcast message:
System going down IMMEDIATELY!
... Rebooting at user request ...
Flushing file system buffers...
Unmounting any remaining filesystems...
Restarting system.
Bootloader 2.0.13 loaded
Press <Ctrl+B> for the Boot Menu
Verifying release... OK
Booting...
Starting base/first... [ OK ]
Mounting virtual filesystems... [ OK ]

______________ ____
/\ \ / /______\
/ \ \_ __/ /| ______ |
/ \ | | / | ______ |
/ \ \ / / \ ____ /
/______/\____\ \/ /____________/

Received event network.initialized

Received event standalone
10:17:31 awplus IMI[1718]: SFL: The current software is licensed. Exiting unlicensed mode.
12:11:23 awplus-2 VCS[1865]: Member 1 (eccd.6d48.e560) has joined the stack
12:11:24 awplus-2 VCS[1865]: Member 3 (eccd.6d5e.2614) has joined the stack
12:11:26 awplus-2 VCS[1865]: Member 1 (eccd.6d48.e560) has become the Active Master

Received event network.activated

Loading default configuration

.
done!
Received event network.configured
awplus login: manager
Password: awplus>

C613-22066-00 REV G Permanent licenses for features: Licensing on VCStack™ and VCStack Plus™ | Page 14
 Licensing

Permanent licenses for software release versions

(SwitchBlade x908, SwitchBlade x980 GEN2, and
SwitchBlade x8100 only)
This section describes AlliedWare Plus release licensing on the SBx908, SBx908 GEN2, and
SBx8100.

The SBx908, SBx908 GEN2, and SBx8100 switches require their operating system software to be
licensed. You cannot upgrade these switches to a new major version unless they have a release
license installed for that software version.

Release licenses are linked to MAC addresses, so each SwitchBlade device has a different release
license.

To make it easier for you to apply licenses to devices, Allied Telesis supplies all your licenses in the
form of a single file called a license certificate. This file contains multiple release licenses listed in
Comma Separated Value (CSV) format. You can load this file onto multiple devices. The device’s
software searches the file to find any license(s) that match MAC addresses existing on the device,
and then applies the matching license. For more information about license certificate files, see
"License certificate files" on page 16.

Unlicensed operation
The switch will operate in an unlicensed mode if:

 it does not have a release license key for the currently running software release file, or

 you install a new software release file before installing an appropriate release license.

Unlicensed restrictions
If the device is in unlicensed mode, operation is limited in the following ways. Console and log
messages are produced every hour to indicate that the device is unlicensed. The boot system and
boot system backup commands are rejected until a release license is applied. This restriction
prevents you from setting the device to boot with unlicensed software. Licensed mode operation
enables unrestricted usage.

Devices without a valid release license will display the following console message at startup and
login:

Output 5: Example displaying a release license error message

11:04:56 awplus IMI[1696]: SFL: The current software is not licensed.

awplus login: manager
Password:
ERROR: No valid release license found for current software version. This
violates the End User License Agreement (EULA) for AlliedWare Plus.
Please contact Allied Telesis to obtain a valid release license and
ensure continued support.

C613-22066-00 REV G Permanent licenses for software release versions (SwitchBlade x908, SwitchBlade x980 GEN2, and
SwitchBlade x8100 only) | Page 15
 Licensing

Software versions
Each major software release file is specified by a three-digit, period-separated reference number, for
example, 5.4.4A or 5.4.4. The release license key enables you to use associated minor and
maintenance releases, and earlier releases.

For example, to use a 5.4.4-0.3 maintenance release or a 5.4.4-1.4 minor release you only need a
5.4.4 major release license key. A 5.4.5 release license key will allow you to use a 5.4.5 software
release file, and would also allow you to use a 5.4.4 software release file.

License certificate files

A license certificate is a file that is used to install release license keys in a convenient manner and
can contain release license keys for multiple devices.

The certificate file is accessed by the device using the license certificate command. This instructs
the device to search through the file and apply a license that matches its MAC address.

License certificates are a convenient way to apply release licenses to multiple devices. The same
certificate file can be loaded onto multiple different devices, and each device will find its license
within the file. This is more convenient than having a set of device-specific files and having to
carefully load the right file onto the right device.

You can store the certificate file on a central TFTP server and issue each device in the network with
an identical license certificate command.

Output 6: Example of the license certificate file contents

# Release licenses for ABC Consulting

0000-5e00-5318, 544-SBx908,
f7AFZiAA4p9OROHNBjghPyxwThvaUYNdgN8RpCUaVbfk22nw==

A license certificate file is an ASCII-encoded text file in CSV format. It consists of a number of lines
of text with each line terminated by an end of line character. The file may also contain comment lines
preceded by a hash (#) character. Each non-comment line consists of three, comma-separated
fields, as described in the following table.

C613-22066-00 REV G Permanent licenses for software release versions (SwitchBlade x908, SwitchBlade x980 GEN2, and
SwitchBlade x8100 only) | Page 16
 Licensing

Table 2: Contents of a license certificate file

FIELD DESCRIPTION

MAC address A switch’s MAC address, encoded as a set of 12 hexadecimal characters (numerals 0 to 9
and characters A to F) with a dash (-) separating every four hexadecimal characters.
Example: 0000-5e00-5318.
Name A license label that describes the contents of the license. This field is a string of letters and
numbers up to 15 alphanumeric characters in length, typically of the form:
xyz-<modelname> where
■ xyz are the three numbers in the release version name (e.g. for release 5.4.4, the xyz
value is 544).
■ <modelname> is an abbreviation of the part name for the target device.
Example: If the target device is a Switchblade x908, the name is 544-SBx908.

License key It can contain the following symbolic characters: underscore (_) characters, plus (+) signs,
forward slash key (/) characters, and equal (=) signs. You cannot change the license key.
The license key is generated by an algorithm implemented in the Allied Telesis license
generation system. Example:
f7AFZiAA4p9OROHNBjghPyxwThvaUYNdgN8RpCUaVbfk22nw==

Release licensing for VCStack and VCStack Plus

In order for a stack to form, each switch within the stack and each module within a chassis, needs to
be running the same version of AlliedWare Plus software. In the case of SBx908, SBx908 GEN2, and
SBx8100 switches, this has implications for the presence of release licenses for the software version
you are running.

The points to note regarding missing release licenses are:

 If a stack member within a switch, or a module within a stack member chassis, lacks a release
license for the software version it is running, the switch or module is deemed to be operating in
unlicensed mode.

 The stack will form successfully, even if one or both of the switches in the stack is operating in
unlicensed mode. However, unlicensed mode should be considered a temporary operating mode,
and we strongly advise that you upgrade your software version as soon as possible.

Applying a release license (SBx908 and SBx908 GEN2 only)

Release licenses are applied with the license certificate command, then validated with the show
license or show license brief commands. Follow these steps:

1. “Record the MAC address for the switch”

2. “Obtain a release license for the switch”

3. “Apply the release license on the switch”

4. “Confirm release license application”

Step 1: Record the MAC address for the switch

A release license is tied to the MAC address of the switch.

C613-22066-00 REV G Permanent licenses for software release versions (SwitchBlade x908, SwitchBlade x980 GEN2, and
SwitchBlade x8100 only) | Page 17
 Licensing

Switches may have several MAC addresses. Use the show system mac license command to show
the switch MAC address for release licensing:

Output 7: Example from show system mac license

awplus# show system mac license

MAC address for licensing:

0000.5e00.5310

Step 2: Obtain a release license for the switch

Contact your authorized Allied Telesis support center to obtain a release license for the MAC
address you displayed in step 1.

Step 3: Apply the release license on the switch

Use the license certificate command to apply a release license to the switch.

Note: The license certificate file can be stored on internal Flash memory, or an external SD card, or
on a server accessible by the TFTP, SCP or HTTP protocols.

Entering a valid release license changes the console message displayed about licensing:

Output 8: Example from license certificate

11:04:56 awplus IMI[1696]: SFL: The current software is not licensed.

awplus#license certificate demo1.csv
A restart of affected modules may be required.
Would you like to continue? (y/n): y
11:58:14 awplus IMI[1696]: SFL: The current software is licensed. Exiting
unlicensed mode.

Stack member 1 installed 1 license

1 license installed.

Step 4: Confirm release license application

On a stand-alone switch, use the commands show license or show license brief to confirm release
license application.

On a stacked switch, use the command show license member or show license brief member to
confirm release license application.

The show license command displays the contents of the base feature license and any other feature
and release licenses installed on the switch.

C613-22066-00 REV G Permanent licenses for software release versions (SwitchBlade x908, SwitchBlade x980 GEN2, and
SwitchBlade x8100 only) | Page 18
 Licensing

Output 9: Example from show license

awplus# show license

OEM Territory : ATI USA
Software Licenses
---------------------------------------------------------------------
Index : 1
License name : Base License
Customer name : ABC Consulting
Quantity of licenses : 1
Type of license : Full
License issue date : 20-Mar-2015
License expiry date : N/A
Features included : EPSR-MASTER, IPv6Basic, MLDSnoop,
OSPF-64,RADIUS-100, RIP, VRRP
Index : 2
License name : 5.4.5-rl
Customer name : ABC Consulting
Quantity of licenses : -
Type of license : Full
License issue date : 20-Mar-2015
License expiry date : N/A
Release : 5.4.5

Applying a Release License (SBx8100 only)

New switches are supplied with the software and release license pre-loaded. However, if you wish to
upgrade your switch’s software, you can obtain and load the current release software license.
Release licenses are applied with the license certificate command, then validated with the show
license or show license brief command. Follow these steps:

1. “Record the MAC addresses of the Control cards”

2. “Obtain the release license for the Control cards”

3. “Apply the release license on the Control cards”

4. "Confirm release license application" on page 20

If your Control card is in a stacked chassis, you do not need to perform these steps on each chassis
in the stack, only on the stack Master.

If your license certificate contains release licenses for each Control card present in a stacked
chassis, entering the license certificate command on the stack Master will automatically apply the
release licenses to all the Control cards within the stack.

Step 1: Record the MAC addresses of the Control cards

The release licenses are tied to each Control card’s MAC address in a chassis.

A chassis and its modules may have their own MAC addresses. Use the show system mac license
command to see the Control card MAC addresses to use for release licensing. Note that on the
SBx8100 the chassis MAC address is not used for release licensing.

C613-22066-00 REV G Permanent licenses for software release versions (SwitchBlade x908, SwitchBlade x980 GEN2, and
SwitchBlade x8100 only) | Page 19
 Licensing

Output 10: Example from show system mac license

awplus#show system mac license

MAC address for licensing:

Card MAC Address

------------------------------------
1.5 0000.5e00.5310
1.6 0000.5e00.5317

Chassis MAC Address 0000.5e00.5325

Step 2: Obtain the release license for the Control cards

Contact your authorized Allied Telesis support center to obtain a release license for the MAC
addresses you displayed in step 1.

Step 3: Apply the release license on the Control cards

Use the license certificate command to apply the release license to each Control card installed in
your chassis or stack.

Note: The license certificate file can be stored on internal Flash memory, a USB device or on a
server accessible by the TFTP, SCP or HTTP protocols.

Installing a valid release license changes the console licensing message:

Output 11: Example from license certificate

11:04:56 awplus IMI[1696]: SFL: The current software is not licensed.

awplus# license certificate demo1.csv
A restart of affected modules may be required.
Would you like to continue? (y/n): y
11:58:14 awplus IMI[1696]: SFL: The current software is licensed.
Exiting unlicensed mode.

Stack member 1 installed 1 license

1 license installed.

Step 4: Confirm release license application

On a stand-alone chassis, use the show license or show license brief command to confirm release
license application.

On a stacked chassis, use the command show license member or show license brief member to
confirm release license application.

The show license command displays the base feature license and any other feature and release
licenses installed on AlliedWare Plus chassis:

C613-22066-00 REV G Permanent licenses for software release versions (SwitchBlade x908, SwitchBlade x980 GEN2, and
SwitchBlade x8100 only) | Page 20
 Licensing

Output 12: Example from show license

awplus# show license

OEM Territory : ATI USA
Software Licenses
---------------------------------------------------------------------
Index : 1
License name : Base License
Customer name : ABC Consulting
Quantity of licenses : 1
Type of license : Full
License issue date : 20-Mar-2015
License expiry date : N/A
Features included : IPv6Basic, LAG-FULL, MLDSnoop,RADIUS-
100, Virtual-MAC, VRRP
Index : 2
License name : 5.4.5-rl
Customer name : ABC Consulting
Quantity of licenses : -
Type of license : Full
License issue date : 20-Mar-2015
License expiry date : N/A
Release : 5.4.5

Configuring release licensing on VCStack and VCStack Plus

This section describes what to do after adding a new switch to a stack, or if you are upgrading
switches in a stack.

First confirm whether a new release license is needed on the stack, by using the show license
member brief all command to display release licenses.

If the stack does not have an appropriate release license, follow the procedure in "Applying a release
license (SBx908 and SBx908 GEN2 only)" on page 17 or "Applying a Release License (SBx8100
only)" on page 19. The same procedure applies for both adding and upgrading release licenses on
stand-alone and stacked switches.

The license certificate command applies release licenses in the certificate file to any devices in the
stack that match the MAC addresses shown in the license certificate file. Therefore, If the license
certificate file contains all the required release licenses for all stack members, you can run the
license certificate command once on the stack Master to apply release licenses to all stack
members automatically.

A reboot or reload is unnecessary after updating the release license on an existing stack.

Subscription licenses
This section describes subscription licenses. These licenses include:

 Unified Threat Management security feature subscriptions on AlliedWare Plus UTM Firewalls

 AMF master and controller subscriptions

 OpenFlow licenses

 UTM Offload subscription licenses available on the AR4050S only (from 5.4.8-1.1)

C613-22066-00 REV G Subscription licenses | Page 21

 Licensing

Subscription licenses are managed through the Allied Telesis Download Center.

Subscription licenses maintain the feature’s continued operation and also enable you to access
definition updates for Unified Threat Management services on AR-series UTM firewalls. For
example, the web control and antivirus features depend on third parties regularly supplying updated
signature files that are used to block new URLs or filter out new viruses.

Capability Response File

Subscription licenses are contained in a Capability Response File (CRF). Each CRF is tied to a
device serial number and contains all the information about the subscription licenses that have been
allocated to the device. A single CRF contains all of the subscription licenses for a device. Each CRF
is created by the Allied Telesis Download Center as part of the licensing process and can be loaded
onto the device and processed to activate a subscribed service. You can obtain the CRFs from the
Allied Telesis Download Center.

Automatically obtaining and activating licenses - for software versions

5.4.6-2.x and later
Software version 5.4.6-2.x introduced simplified installation of licenses. Simply run the following
command:

awplus#license update online

When the command license update online is entered, the device will:

1. Connect to the Download Center

2. Check if new or changed licenses are available for the device, keyed to the device’s serial number

3. For each such license it finds, download and install the license.

Note that AlliedWare Plus devices do not automatically connect to the Download Center and check
whether licenses are available. They only check when you run the license update online command.

On VCStacks, running license update online updates all stack members. Each stack member
individually checks for licenses on the Download Center and installs any that are found.

On SBx8100 systems, running license update online updates all CFCs that are present, including
all CFCs on both chassis in a stack. Each CFC individually checks for licenses on the Download
Center and installs any that are found.

C613-22066-00 REV G Subscription licenses | Page 22

 Licensing

Firewall rules
Subscription licensing originating from firewall
Most firewalls block all traffic by default, so in order for the ‘license update online’ command to
function correctly, you may need to configure your firewall to allow outbound DNS lookups and
HTTPS connections. The following figure shows a recommended example configuration for an Allied
Telesis AR-Series firewall, when the WAN interface to the Internet is configured as a ppp0 interface
and the subscription licensing is being performed from the firewall itself.

zone public
network wan
ip subnet 0.0.0.0/0 interface ppp0
host ppp0
ip address dynamic interface ppp0

firewall
rule 10 permit https from public.wan.ppp0 to public.wan
rule 20 permit dns from public.wan.ppp0 to public.wan
protect

These rules permit DNS and HTTPS packets to any destination IP address, if:

■ the source IP address of the packets is the IP address of the ppp0 interface, and
■ the packets are egressing the firewall via interface ppp0.

DNS packets are permitted so that the device can look up the address of the Download Center.
HTTPS packets are permitted so the secure communication session with the Download Center can
proceed.

The rule uses a subnet of 0.0.0.0/0 to match on any destination IP address.

The “from” part of the rule uses “public.wan.ppp0” because the firewall itself is originating the
connection to the Download Center, rather than allowing traffic to flow through it. The traffic that is
involved in the connection to the Download Center originates from the IP address of the PPP
interface.

Subscription licensing through the firewall

AlliedWare Plus devices configured with features such as AMF and OpenFlow also use subscription-
based licensing. These devices could be located within a private firewall zone, accessing the
subscription service located in the Internet, via the AR-Series firewall.

In order to allow access to the subscription licensing services from a private zone to the Internet,
firewall permit rules need to be created.

C613-22066-00 REV G Subscription licenses | Page 23

 Licensing

zone private
network lan
ip subnet 10.1.1.0/24 interface vlan1

zone public
network wan
ip subnet 0.0.0.0/0 interface ppp0
host ppp0
ip address dynamic interface ppp0

firewall
rule 30 permit https from private to public
rule 40 permit dns from private to public.wan
protect

These rules permit DNS and HTTPS packets to any destination IP address, to allow devices located
within a private zone to access subscription-based services located on the Internet through the AR-
Series firewall. If the firewall is also performing NAT, then corresponding NAT-based masquerade
rules for HTTPS and DNS will also need to be configured. For more information about firewall and
NAT rules, see the Firewall and Network Address Translation (NAT) Feature Overview and
Configuration Guide.

Verifying the update

The update process normally takes approximately 5 seconds.

If the console does not respond for 10 or more seconds after typing the command, a network,
routing or firewall configuration error is probably preventing the connection from establishing. If this
happens, you can abort the command by pressing Ctrl-C, or wait for the command to time out after
30 seconds.

If the connection to the Download Centers fails and times out, an error message will be generated
on the CLI to indicate the problem. If you abort the command, no error message is displayed.

If the update is successful, the device will produce log messages to say which features have had
their licensing state updated (activated, deactivated, or expiration/count changed). If the command
completes successfully but there are no licenses available for the device, or no change in the
licenses already on the device, no log messages will be produced.

You can also use the show license external command to confirm which licenses are active on the
device after the update has been applied.

C613-22066-00 REV G Subscription licenses | Page 24

 Licensing

Manually obtaining and activating licenses

If the device to be licensed does not have Internet access, or is running version 5.4.6-1.x and earlier,
you cannot use automatic licensing installation as described in the previous section. Instead, you
need to download the CRF file and activate it manually.

Prior to undertaking the process described in this section, you must have first purchased one or
more service subscriptions. Contact your authorized Allied Telesis distributor or reseller for
information about how to purchase subscriptions.

Once your CRF purchase has been successfully processed, the CRF file containing the license(s) for
the service(s) you have subscribed to will be available for download from the Allied Telesis Download
Center.

The following steps show how to configure subscription licensing manually:

1. “Download your CRF”

2. "Activate your CRF" on page 26

3. "Verify your CRF activation" on page 28

Step 1: Download your CRF

You can download a CRF from the Allied Telesis Download centre by logging into your account. To
obtain an account, contact your customer support representative.

Once you have reached the Download Central Homepage, you can locate your device type by
clicking Search Devices from the Devices menu on the left as shown in Figure 1 below. You can
select your specific device by clicking the serial number from the Serial Number list as shown in
Figure 1 below.

Figure 1: The Search Devices page

C613-22066-00 REV G Subscription licenses | Page 25

 Licensing

Figure 2: The View Device page

From the View Device page, you can download a CRF file by clicking the Download Capability
Response link. You should see a pop-up window as shown in Figure 3, “Opening a CRF,” on
page 26 which allows you to either open or download a CRF file. CRFs are saved as .bin files that
can be renamed for convenience. If you cannot see the pop-up window, you may need to check
your web browser’s settings to ensure the pop-up window is not blocked by the web browser.

Figure 3: Opening a CRF

Step 2: Activate your CRF

Now you will need to activate your CRF. After you have downloaded your CRF, you can transfer it
onto the device’s Flash storage by any preferred method. For example, you can use the copy
command to copy the CRF file from a USB device to your Flash storage.

To list the non-hidden files in the root of the USB device, use the command:

awplus#dir usb

C613-22066-00 REV G Subscription licenses | Page 26

 Licensing

Output 13: Example from dir usb

awplus#dir usb
2386 -rwx Apr 24 2015 10:11:46 A05050G144700002.bin

To copy your CRF file from a USB device into your Flash storage, use the command below:

awplus#copy usb flash

Output 14: Example from copy usb flash

awplus#copy usb flash

Enter source path with file name[]:A05050G144700002.bin
Copying...
Successful operation

Alternatively, you can copy your CRF file from a TFTP server into your Flash storage. For example,
you can copy a CRF file from the TFTP server with IP address 192.168.1.254 into the Flash storage
by using the following command:

awplus#copy tftp flash

Output 15: Example from copy tftp flash

awplus#copy tftp flash

Enter source host name []:192.168.1.254
Enter source path with file name[]:A05050G144700002.bin
Enter destination file name[A05050G144700002.bin]:
Copying...
Successful operation

To display the URL of the CRF file in the Flash storage, use the command below:

awplus#dir *.bin

Output 16: Example from dir *.bin

awplus#dir A05050G144700002.bin
2386 -rwx Apr 24 2015 10:20:53 flash:/A05050G144700002.bin

Once your CRF is present in the device’s local storage, you need to activate it. To activate it on
software version 5.4.6-2.x or later, use the following command:

awplus#license update file <CRF-url>

To activate it on versions prior to 5.4.6-2.x, use the following command:

awplus#license update <CRF-url>

For this command to successfully activate the device, your CRF must be valid and be tied to the
serial number of the device.

C613-22066-00 REV G Subscription licenses | Page 27

 Licensing

Note: No messages will print if your CRF is imported successfully.

Step 3: Verify your CRF activation

You can verify the license by using the following command.

awplus#show license external

Note: The time shown in the example is local time, which is automatically converted from UTC time.
Also note that the show license external command only shows licenses that are currently
activated.

Output 17: Example from show license external

awplus#show license external

Licensed features:

Application Control (Procera)

Start date : 24-Feb-2015 12:00AM
Expiry date : 24-Feb-2016 11:59PM
Web Control (Digital Arts)
Start date : 24-Feb-2015 12:00AM
Expiry date : 24-Feb-2016 11:59PM

Transferring a subscription license to a new device

If you RMA a device and receive a replacement device, you need to transfer the license to the
replacement device. To do this, use the following steps:

1. The replacement device must exist in the Allied Telesis Download Center before you can transfer
the license. So when you receive the replacement device, advise your Allied Telesis representative
of the serial number. Your representative will attach the device to your account in the Allied Telesis
Download Center.

2. Once that has been done, log into the Allied Telesis Download Center, and choose the device you
wish to replace on your Download Central page.

3. In the menu item, select “Return Device”, and enter the serial number of the replacement device
and the RMA number.

4. Confirm that page, to transfer the license to the new device.

Log messages for subscription licensing

The following types of log message types can be printed for subscription licensing:

 warnings that a license is due to expire soon.

 indications that a license has expired.

 indications that a (future-dated) license has now become active.

Licenses start at 00:00:00 UTC on the start date and expire at 23:59:59 UTC on the expiry date.
License checks occur on boot and at 23:59:59 UTC daily.

C613-22066-00 REV G Subscription licenses | Page 28

You may see these log messages after the initialization processes when you boot up the device. You
can also set up appropriate syslog monitoring to look for these messages. For more information
about log messages, see the Logging Feature Overview and Configuration Guide available on
alliedtelesis.com.

Log message for license expiry warnings

License expiry times are displayed in the local time that is configured on each switch. Unless a
license is renewed, its licensed function will cease to operate after the license expiry time.

Output 18: Example log message when a subscription license is due to expire

licensing[1204]: License 'IP Reputation (Proofpoint)' is due to expire

in 7 days at Wed Feb 24 20:59:59 2016

Warning messages will be printed in the log 28 days, 21 days, 14 days, 7 days, and 1 day prior to a
license expiring. The Allied Telesis Download Center will also send you an email reminder prior to
your license expiring.

Log message for license expiry notifications

Output 19: Example log message when a subscription license has expired

licensing[1212]: License IP Reputation (Proofpoint) expired. All

features associated with this license have been deactivated

Your subscription license has now expired and its features are no longer operational. Contact your
authorized Allied Telesis distributor or reseller for further licensing.

Log message for license activation

Output 20: Example log message when a subscription license has been successfully activated

licensing[1208]: License IP Reputation (Proofpoint) activated. All

features associated with this license have been started.

Your license has reached its activation date and its features are now configurable.

C613-22066-00 REV G

NETWORK SMARTER
North America Headquarters | 19800 North Creek Parkway | Suite 100 | Bothell | WA 98011 | USA | T: +1 800 424 4284 | F: +1 425 481 3895
Asia-Pacific Headquarters | 11 Tai Seng Link | Singapore | 534182 | T: +65 6383 3832 | F: +65 6383 3830
EMEA & CSA Operations | Incheonweg 7 | 1437 EK Rozenburg | The Netherlands | T: +31 20 7950020 | F: +31 20 7950021

alliedtelesis.com
© 2022 Allied Telesis, Inc. All rights reserved. Information in this document is subject to change without notice. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners.