11 Jun 2024

Installing/Checking Cisco AnyConnect VPN/Secure Client licenses on Cisco ASA devices

There are currently two licensing models for Cisco Secure Client, that is until Cisco decides to change or rename them once again!

* Cisco Secure Client Plus

* Cisco AnyConnect APEX

The APEX license also covers the Plus features, so think of them simply as a basic and an advanced tier. The important change is the move to a per-unique-user, term-based model: if you have 1000 users, you buy 1000 licenses, even if you will never have 1000 concurrently connected users. That license can then be installed on as many Cisco ASA devices as you want. (Check Reference Link #1, under "Sharing Process", for installing it on devices with different serial numbers.)

To check the current license on a Cisco ASA running 8.3 or later, use the "show activation-key" command. Under "Licensed features for this platform" you get the license counts for this particular device. The naming can be confusing here: AnyConnect Premium Peers shows the APEX licenses, and AnyConnect Essentials shows the Plus licenses.

The important point is that IF you have a High Availability setup with active/standby units, the licenses of both units are combined. Different features use different rules for combining; VPN licenses simply add up. As long as the devices stay in the HA pair, both of them use the combined license counts.

The combined numbers are listed under "Failover cluster licensed features for this platform".

For example, the primary device below has only 2 Premium Peers licensed on its own, but since the standby unit has 5000, both devices have 5000 VPN users available.

To check the licenses actually installed on the standby unit, use the command: "failover exec standby show activation-key"

You receive activation keys when you use the PAK/PIN to generate licenses against the specific serial numbers of the devices.

To install them, use the command: "activation-key 0xXYZ 0xXYZ"

Don't forget to install a license on your standby unit as well! It must have been generated with that device's own serial number. Command: "failover exec standby activation-key 0xXYZ 0xXYZ"

I point this out because if you ever separate the devices and break the HA setup, each device reverts to the licenses actually installed on itself instead of the combined licenses.

You can check the reference links below for Cisco Documentation on this topic.


fw# show activation-key

Serial Number:  FCHxxxxxxx
Running Permanent Activation Key: 0xXYZ 0xXYZ

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 500            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 5000           perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA5555 VPN Premium license.

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 500            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 4              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 5000           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 5000           perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 4              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual

This platform has an ASA5555 VPN Premium license.

The flash permanent activation key is the SAME as the running permanent key.
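As an added check (my own example, not from the post or from Cisco), the small parser below reads a trimmed, constructed copy of the "show activation-key" output above and lists every feature this unit only reaches thanks to its HA peer, which is exactly what disappears if the failover pair is broken. The section headings and column layout are assumed to match the output format shown on this page.

```python
import re
# Constructed sample, trimmed from the "show activation-key" output above;
# values are the page's illustrative ones, not captured from a real device.
SAMPLE = """\
Licensed features for this platform:
Failover                          : Active/Active  perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Total VPN Peers                   : 5000           perpetual
Failover cluster licensed features for this platform:
Failover                          : Active/Active  perpetual
AnyConnect Premium Peers          : 5000           perpetual
AnyConnect Essentials             : Disabled       perpetual
Total VPN Peers                   : 5000           perpetual
"""

FEATURE = re.compile(r"^(?P<name>\S.*?)\s+:\s+(?P<value>\S+)\s+\S+\s*$")

def parse_activation_key(text):
    """Split the output into the unit's own ("local") and the HA-combined
    ("cluster") feature tables: {section: {feature: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform"):
            current = sections.setdefault("local", {})
        elif line.startswith("Failover cluster licensed features"):
            current = sections.setdefault("cluster", {})
        elif current is not None:
            m = FEATURE.match(line)
            if m:
                current[m.group("name")] = m.group("value")
    return sections

def capacity(value):
    """Map a license value to a number so counts and flags compare alike;
    non-numeric modes such as Active/Active simply count as 1."""
    if value == "Unlimited":
        return float("inf")
    if value == "Disabled":
        return 0
    return int(value) if value.isdigit() else 1

def ha_dependent_features(text):
    """Features where this unit only reaches the combined capacity thanks to
    its HA peer, i.e. what is lost if the failover pair is broken."""
    s = parse_activation_key(text)
    local = s.get("local", {})
    return {name: (local.get(name, "Disabled"), cval)
            for name, cval in s.get("cluster", {}).items()
            if capacity(cval) > capacity(local.get(name, "Disabled"))}
```

Run it against the output of both units (the standby's via "failover exec standby show activation-key") before breaking an HA pair, and anything it returns is a license you still need to install on that unit.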


References:

  1. Cisco Secure Client Licensing FAQ
  2. Cisco ASA Licensing documentation
  3. Secure Client Ordering Guide
  4. End-Of-Life announcement for Cisco AnyConnect Secure Mobility Client 4.x

1 Feb 2024

Spanning Tree Protection

Here are my notes on STP protection methods.

Root Guard
The port never becomes a Root Port.
Guards against receiving an unwanted/unexpected superior BPDU.
If one is received, the port is put into root-inconsistent state; the entire port is blocked.
When superior BPDUs are no longer received, the port cycles back through the STP states.
Disabled by default on switch ports.

(config-if)# spanning-tree guard root
# show spanning-tree inconsistentports

BPDU Guard
Used on ports where a BPDU should never be received (e.g. access ports).
If any BPDU is received, the port is put into err-disabled state.
You recover either manually or with an errdisable recovery timeout.
Disabled by default on switch ports; the global command below enables it on all PortFast ports.

(config)# spanning-tree portfast bpduguard default
(config-if)# [no] span bpduguard enable

Loop Guard
Tracks BPDU activity. If a non-designated port stops receiving BPDUs, instead of transitioning through the STP states it is put into loop-inconsistent state. The port is blocked on a per-VLAN basis until BPDUs are received again, then it moves through the states normally.
On an EtherChannel, the whole channel is blocked for that VLAN.
Disabled by default on switch ports.

(config)# span loopguard default
(config-if)# [no] span guard loop

UDLD
Protects against unidirectional links (e.g. fiber with separate TX/RX strands).
Echoes special Layer 2 UDLD messages at intervals (default 15 seconds).
In normal mode, only a syslog message is logged;
in aggressive mode, recovery is attempted and the port is err-disabled.
On an EtherChannel only the offending link is disabled.
Disabled by default on all ports; if enabled globally, only fiber ports are configured.

(config)# udld {enable | aggressive | message time seconds}
(config-if)# udld {enable | aggressive | disable}
# show udld
# udld reset (re-enable err-disabled UDLD ports)

BPDU Filter
Prevents BPDUs from being sent or processed on that port.
Effectively disables STP on the port.
Disabled by default.

(config)# span portfast bpdufilter default
(config-if)# span bpdufilter {enable | disable}
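As an added example (my own, not part of these notes), here is a small replay of the syslog messages these mechanisms produce, mapping each one to the port state listed above and to whether the port comes back on its own. The log lines are constructed and modelled on the IOS %SPANTREE/%UDLD message formats; interface names and VLANs are made up.

```python
import re
# Constructed log lines modelled on IOS %SPANTREE / %UDLD syslog messages;
# interface names and VLANs are made up, not captured from a real switch.
LOGS = [
    "%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Gi1/0/1 on VLAN0010.",
    "%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/5 with BPDU Guard enabled. Disabling port.",
    "%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port Gi1/0/24 on VLAN0020.",
    "%UDLD-4-UDLD_PORT_DISABLED: UDLD disabled interface Gi1/0/48, unidirectional link detected",
    "%SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port Gi1/0/1 on VLAN0010.",
]

# mnemonic -> (mechanism, resulting port state, clears by itself once the
# trigger goes away?); err-disabled needs manual or errdisable recovery
RULES = {
    "ROOTGUARD_BLOCK": ("root guard", "root-inconsistent", True),
    "ROOTGUARD_UNBLOCK": ("root guard", "forwarding", True),
    "BLOCK_BPDUGUARD": ("bpdu guard", "err-disabled", False),
    "LOOPGUARD_BLOCK": ("loop guard", "loop-inconsistent", True),
    "LOOPGUARD_UNBLOCK": ("loop guard", "forwarding", True),
    "UDLD_PORT_DISABLED": ("udld", "err-disabled", False),
}
LINE = re.compile(r"%(?:SPANTREE|UDLD)-\d-(?P<mnemonic>\w+):.*?"
                  r"(?:port|interface) (?P<port>[\w/-]+)(?: on (?P<vlan>VLAN\d+))?")

def classify(line):
    """Return the protection event in a log line, or None if unrelated."""
    m = LINE.search(line)
    if not m or m.group("mnemonic") not in RULES:
        return None
    mech, state, auto = RULES[m.group("mnemonic")]
    return {"port": m.group("port"), "vlan": m.group("vlan"),
            "mechanism": mech, "state": state, "auto_recover": auto}

def blocked_ports(lines):
    """Replay events in order; return ports still blocked, keyed by
    (port, vlan). vlan is None when the whole port was err-disabled."""
    state = {}
    for ev in filter(None, map(classify, lines)):
        key = (ev["port"], ev["vlan"])
        if ev["state"] == "forwarding":
            state.pop(key, None)
        else:
            state[key] = ev
    return state

def needs_manual_recovery(lines):
    """Ports that will not come back on their own (err-disabled)."""
    return sorted(p for (p, _), ev in blocked_ports(lines).items()
                  if not ev["auto_recover"])
```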


31 Jan 2024

802.1D Spanning Tree Protocol (vanilla)

I do a lot of switch/VLAN migration these days because of the ongoing data center migration, so a Spanning Tree refresher was necessary; here are some of my notes on the topic.

Convergence phases
1. Elect Root Bridge
2. Elect a Root Port for each switch
3. Elect designated ports for each segment

STP Algorithm (BPDU fields compared in this order, lowest wins)
Root Bridge ID (priority + MAC) (8 bytes = 2 + 6)
Root Path Cost
Sender BID
Sender Port ID (port priority + port number)

Port Roles
Root Port
Designated Port
Blocked Port
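The three convergence phases and the four-field comparison above, worked through on a constructed three-switch triangle (my own example, not from the notes): the lowest Bridge ID is elected root, each other switch picks the port with the lowest (root path cost, sender BID, sender port ID) as its Root Port, and on every segment the end with the lowest (root path cost, BID, port ID) becomes Designated, leaving the remaining port Blocked. Switch names, MACs, port IDs and link costs are all assumed values.

```python
INF = float("inf")
# Constructed topology (not from the notes): three switches in a triangle.
# Bridge ID = (priority, MAC); port IDs are plain integers; link costs use
# the 802.1D values 19 (100 Mb/s) and 4 (1 Gb/s).
SWITCHES = {
    "S1": (32768, "00:00:00:00:00:01"),
    "S2": (32768, "00:00:00:00:00:02"),
    "S3": (4096, "00:00:00:00:00:03"),   # lowest BID thanks to its priority
}
# segment -> [(switch, port ID, cost of that port)]; each link is one segment
LINKS = {
    "A": [("S1", 1, 19), ("S2", 1, 19)],
    "B": [("S2", 2, 4), ("S3", 1, 4)],
    "C": [("S1", 2, 4), ("S3", 2, 4)],
}

def elect_root(switches=SWITCHES):
    """Phase 1: the lowest Bridge ID (priority, then MAC) becomes root."""
    return min(switches, key=switches.get)

def run_stp(switches=SWITCHES, links=LINKS):
    """Phases 2 and 3: pick each switch's root port, then the designated
    port on every segment. Returns (root, root_path_cost, port_roles)."""
    root = elect_root(switches)
    rpc = {s: (0 if s == root else INF) for s in switches}
    best = {}  # switch -> (cost, sender BID, sender port, own port) of its root port
    for _ in range(len(switches)):  # relax until no BPDU improves a switch
        for ends in links.values():
            for sw, port, cost in ends:
                if sw == root:
                    continue
                for nb, nb_port, _ in ends:
                    if nb == sw or rpc[nb] == INF:
                        continue
                    cand = (rpc[nb] + cost, switches[nb], nb_port, port)
                    if sw not in best or cand < best[sw]:
                        best[sw], rpc[sw] = cand, cand[0]
    roles = {}
    for ends in links.values():
        # designated end: lowest (root path cost, BID, port ID) on the segment
        desig = min(ends, key=lambda e: (rpc[e[0]], switches[e[0]], e[1]))
        for sw, port, _ in ends:
            if sw != root and best[sw][3] == port:
                roles[(sw, port)] = "root"
            elif (sw, port) == desig[:2]:
                roles[(sw, port)] = "designated"
            else:
                roles[(sw, port)] = "blocked"
    return root, rpc, roles
```

With this topology S3 is root, S1 and S2 both reach it at cost 4 over their Gigabit links, and on the S1-S2 segment S1 wins the designated role on its lower MAC, so S2's port 1 is the one port that ends up Blocked.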

Port States
Disabled
Blocking
Listening
Learning
Forwarding

Types of BPDU
Configuration BPDU (sent by the root bridge, by default every 2 seconds)
TCN BPDU (Topology Change Notification; the bridge that detects the change sends it upstream)
BPDU with TCA set (TC Ack; the upstream bridge that receives the TCN sends this back)
BPDU with TC flag (the root bridge sends this downstream to tell the other bridges to age their CAM tables using the Forward-Delay time)

Cisco Proprietary enhancements
PortFast: Use on ports with only hosts attached; skips Listening/Learning and jumps straight to Forwarding.
UplinkFast: Use in the access layer to detect direct failures. Tracks a backup root port and raises it to Forwarding quickly. (Cuts back 15+15 seconds)
BackboneFast: Used to detect indirect failures. Must be enabled on all switches. Uses the RLQ (Root Link Query) mechanism to detect the topology. (Cuts back on 10 sec. of the Max-Age timer)

Useful show commands
show span summary
show span root
show span bridge
show span vlan xxx
show span vlan xxx detail