Centralized Licensing in a Multi-Controller Network

To configure a feature on a local controller, the master controller(s) must be licensed for each feature configured on the local controllers. Centralized licensing simplifies license management by distributing licenses installed on one controller to other controllers on the network. One controller acts as a centralized license database for all other controllers connected to it, allowing all controllers to share a pool of unused licenses. The primary and backup licensing servers can share a single set of licenses, eliminating the need for a redundant license set on the backup server. Local licensing client controllers retain the information sent from the licensing server even if the licensing client controller and the licensing server controller can no longer communicate.

You can use the centralized licensing feature in a master-local topology with a redundant backup master, or in a multi-master network where all the masters can communicate with each other (for example, if they are all connected to a single AirWave server). In the master-local topology, the master controller acts as the primary licensing server, and the redundant backup master acts as the backup licensing server. In a multi-master network, one controller must be designated as the primary licensing server and a second controller configured as the backup licensing server.

Centralized licensing can distribute the following license types:

AP
PEFNG
RF Protect
xSec
ACR

This section includes the following topics:

Primary and Backup Licensing Servers
Communication between the License Server and License Clients
Replacing a Controller
Failover Behaviors
Configuring Centralized Licensing

Primary and Backup Licensing Servers

Centralized licensing allows the primary and backup licensing server controllers to share a single set of licenses. If you do not enable this feature, the master and backup master controller each require separate, identical license sets. The two controllers acting as primary and backup license servers must use the same version of ArubaOS, and must be connected on the same broadcast domain using the Virtual Router Redundancy Protocol (VRRP). Other client controllers on the network connect to the licensing server using the VRRP virtual IP address configured for that set of redundant servers. By default, the primary licensing server uses the configured virtual IP address. However, if the controller acting as the primary licensing server becomes unavailable, the secondary licensing server takes ownership of the virtual IP address, allowing licensing clients to retain seamless connectivity to a licensing server.

 

Only one backup licensing server can be defined for each primary server.

The example below shows a primary and backup license server connected using VRRP. Licenses installed on either the primary or backup server are shared between that pair of servers. If the primary and backup controllers each had 16 AP licenses, 16 PEFNG licenses and 16 xSec licenses installed, they would share a combined pool of 32 AP, 32 PEFNG and 32 xSec licenses. Any license client controllers connected to this pair of redundant servers could also use licenses from this license pool.

Figure 1  Shared Licenses on a Primary and Backup Licensing Server

 

Communication between the License Server and License Clients

When you enable centralized licensing, information about the licenses already installed on the individual client controllers is sent to the licensing server, where it is added to the server’s licensing table. The information in this table is then shared with all client controllers as a pool of available licenses. When a client controller uses a license in the available pool, it communicates this change to the licensing server master controller, which updates the table before synchronizing it with the other clients.

Client controllers do not share information about built-in licenses with the licensing server. A controller using the centralized licensing feature will use its built-in licenses before it consumes available licenses from the license pool. As a result, when a client controller sends the licensing server information about the licenses that client is using, it only reports licenses taken from the licensing pool, and disregards any built-in licenses used. For example, if a controller has a built-in 16-AP license and twenty connected APs, it will disregard the built-in licenses being used, and will report to the licensing server that it is using only four AP licenses from the license pool.

When centralized licensing is first enabled on the licensing server, its licensing table only contains information about the licenses installed on that server. When the clients contact the server, the licensing server adds the client licenses to the licensing table, then it sends the clients back information about the total available licenses for each license type. In the following example, the licenses installed on two client controllers are imported into the license table on the license server. The licensing server then shares the total number of available licenses with other controllers on the network.

Figure 2   Licenses Shared by Licensing Clients

 

When a new AP associates with a licensing client, the client sends updated licensing information to the server. The licensing server then recalculates the available total, and sends the revised license count back to the clients. If a client uses an AP license from the license pool, it also consumes a PEFNG and RF Protect license from the pool, even if that AP has not enabled any features that would require that license. A controller cannot use more licenses than its controller platform supports, regardless of how many licenses are available in the license pool.

Figure 3   License Pool Reflecting Used licenses
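The accounting rules in this section can be checked with a small model. The following is an added example, not ArubaOS code or part of the original documentation; the class and function names, the platform limits, the RF Protect counts and both sample clients are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Per the text: an AP license drawn from the pool also consumes one PEFNG
# and one RF Protect license from the pool.
AP_BUNDLE = ("AP", "PEFNG", "RF Protect")


@dataclass
class Client:  # hypothetical model of one licensing client
    name: str
    active_aps: int
    builtin_ap: int = 0          # built-in licenses are never reported
    platform_ap_limit: int = 0   # assumed per-platform AP capacity
    installed: dict = field(default_factory=dict)  # added to the server table

    def pool_ap_usage(self) -> int:
        """AP licenses reported to the server: built-ins are used first."""
        return max(0, self.active_aps - self.builtin_ap)


def aggregate(server_installed: dict, clients: list) -> dict:
    """Server license table: its own licenses plus each client's installed ones."""
    table = dict(server_installed)
    for c in clients:
        for lic, count in c.installed.items():
            table[lic] = table.get(lic, 0) + count
    return table


def pool_status(server_installed: dict, clients: list) -> dict:
    """Map each license type to (aggregate, used, remaining)."""
    table = aggregate(server_installed, clients)
    used = {lic: 0 for lic in table}
    for c in clients:
        for lic in AP_BUNDLE:
            used[lic] = used.get(lic, 0) + c.pool_ap_usage()
    return {lic: (table.get(lic, 0), n, table.get(lic, 0) - n)
            for lic, n in used.items()}


def server_licenses(client: Client, table: dict) -> int:
    """AP limit the client can use: pool total capped by platform capacity."""
    return min(table.get("AP", 0), client.platform_ap_limit)


# Constructed sample. The redundant pair holds 16 + 16 licenses of each type
# as in the text; the RF Protect counts and both clients are made up.
SERVER_PAIR = {"AP": 32, "PEFNG": 32, "RF Protect": 32, "xSec": 32}
CLIENTS = [
    Client("client-a", active_aps=20, builtin_ap=16, platform_ap_limit=64),
    Client("client-b", active_aps=10, platform_ap_limit=16,
           installed={"AP": 8, "PEFNG": 8, "RF Protect": 8}),
]

if __name__ == "__main__":
    for lic, (agg, used, left) in pool_status(SERVER_PAIR, CLIENTS).items():
        print(f"{lic:<11} aggregate={agg:>3} used={used:>3} remaining={left:>3}")
    table = aggregate(SERVER_PAIR, CLIENTS)
    for c in CLIENTS:
        print(f"{c.name}: reports {c.pool_ap_usage()} AP, "
              f"server licenses {server_licenses(c, table)}")
```
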

 

 

Supported Topologies

The following table describes the controller topologies supported by this feature.

Table 1: Centralized Licensing Topologies

Topology Example

All controllers are master controllers.

The master and standby licensing servers must be defined.

A single master controller is connected to one or more local controllers.

Only the master controller can be a license server. A local controller can only be a license client, not a license server.

A master and standby master are connected to one or more local controllers.

The master license server will reside on the master controller, and the standby license server will reside on the standby master controller. Local controllers can only be license clients, not license servers.

Unsupported Topologies

The centralized licensing feature does NOT support topologies where multiple master controllers have one or more attached local controllers.

Figure 4   Topologies Not Supported by Centralized Licensing

 

Adding and Deleting Licenses

New licenses can be added to any controller managed by a centralized licensing system, although best practices recommend adding them to the primary licensing server, for easier management and tracking of licenses across a wide network. Licenses can only be deleted from the controller on which the license is installed.

Starting with ArubaOS 6.3.x, you no longer need to reboot a controller after adding or deleting a license, regardless of whether or not centralized licensing is enabled. If you delete a license from a licensing client or server and there are no longer enough licenses to support the number of active APs on the network, the APs continue to stay active until they reboot. If there are not sufficient available licenses to bring up an AP after it reboots, that AP will not become active.

Centralized licensing supports evaluation licenses. When a client controller has an evaluation license installed, those license limits will be sent to the licensing server and added to the license pool as long as the evaluation period is active. When the evaluation period expires, the client with the expired license sends its revised limits to the license server. The licensing server removes the evaluation licenses from its license table, then sends updated license pool information to other clients on the network.

Replacing a Controller

If the controller acting as a license server needs to be replaced, the keys installed on the previous license server will need to be regenerated and added to the new license server. If a controller acting as a license client needs to be replaced, you must regenerate the license keys installed on the client and reinstall them on the replacement client or the licensing server.

Failover Behaviors

If the primary licensing server fails, the controller acting as a backup license server will retain the shared license limits until the backup server reboots. If both the primary and backup license servers fail, or if the backup controller reboots before the primary controller comes back up, license clients will retain the license limits sent to them by the licensing server for 30 days.

 

Although a client controller retains its licensing information for 30 days after it loses contact with the licensing server, if the client reboots at any time during this 30-day window, the window will restart, and the client will retain its information for another 30 days.

Client is Unreachable

The centralized licensing feature sends keepalive heartbeats between the license server and the licensing client controllers every 30 seconds. If the licensing server fails to receive three consecutive heartbeats from a client, it assumes that the licensing client is down, and that any APs associated with that client are also down or have failed over to another controller. Therefore, the licensing server adds any licenses used by that client back into the available pool of licenses. If the license server fails to contact a license client for 30 consecutive days, any licenses individually installed on that client will be removed from the server’s license database.

 

The WebUI of the licensing client and the licensing server both display a warning message when a licensing client and licensing server are unable to communicate.
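The following added example (not ArubaOS code or part of the original documentation) models the server-side timers described above, so that an operator can see which silent clients are about to have their installed licenses purged and whether the pool would then fall short. The record layout, the use of a "last update" age as the silence measure, and the sample rows are assumptions.

```python
from dataclasses import dataclass

HEARTBEAT_S = 30           # keepalive interval stated in the text
MISSED_LIMIT = 3           # consecutive misses before a peer is assumed down
RETENTION_S = 30 * 86400   # 30-day retention window stated in the text


@dataclass
class ClientRow:           # hypothetical record, one per licensing client
    hostname: str
    last_update_s: int     # seconds since the last heartbeat was seen
    contributed_ap: int    # AP licenses installed on that client
    used_ap: int           # AP licenses the client last reported as used


def state(row: ClientRow) -> str:
    """reachable -> down (3 missed heartbeats) -> expired (30 days silent)."""
    if row.last_update_s // HEARTBEAT_S < MISSED_LIMIT:
        return "reachable"
    return "down" if row.last_update_s < RETENTION_S else "expired"


def days_until_purge(row: ClientRow) -> int:
    """Whole days left before a silent client's licenses leave the table."""
    return max(0, (RETENTION_S - row.last_update_s) // 86400)


def server_view(server_ap: int, rows: list) -> dict:
    """AP pool as the licensing server would account for it."""
    states = {r.hostname: state(r) for r in rows}
    # Licenses installed on a client stay in the table until it expires.
    aggregate = server_ap + sum(r.contributed_ap for r in rows
                                if states[r.hostname] != "expired")
    # Licenses used by a down client are returned to the available pool.
    used = sum(r.used_ap for r in rows if states[r.hostname] == "reachable")
    # Contributions that vanish if the down clients stay silent for 30 days.
    at_risk = sum(r.contributed_ap for r in rows
                  if states[r.hostname] == "down")
    return {"states": states, "aggregate": aggregate, "used": used,
            "remaining": aggregate - used,
            "shortfall_if_purged": max(0, used - (aggregate - at_risk))}


# Constructed sample rows; hostnames and counts are made up.
ROWS = [
    ClientRow("local-1", 12, contributed_ap=0, used_ap=24),
    ClientRow("local-2", 95, contributed_ap=16, used_ap=6),
    ClientRow("local-3", 28 * 86400, contributed_ap=32, used_ap=0),
    ClientRow("local-4", 31 * 86400, contributed_ap=8, used_ap=0),
]

if __name__ == "__main__":
    view = server_view(16, ROWS)
    for r in ROWS:
        print(f"{r.hostname}: {view['states'][r.hostname]}, "
              f"{days_until_purge(r)} day(s) until purge")
    print({k: v for k, v in view.items() if k != "states"})
```

A non-zero `shortfall_if_purged` means that, once the silent clients pass the 30-day mark, the remaining table no longer covers the AP licenses in use, so APs that reboot after that point would not come up.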

Server is Unreachable

If a licensing client does not receive 3 consecutive heartbeats from the server, it assumes that the server is down, and that any APs directly associated to the server are also down or have failed over to another controller. The client then adds any licenses used by the licensing server into the pool of available licenses on that client. When a license client is unable to reach a license server for 30 consecutive days, it removes any shared licenses pushed to it from the licensing server, and reverts to its installed licenses. If the 30-day window has passed and the controller does not have enough installed licenses for all its associated APs, the controller will nonetheless continue to support each AP. However, when an AP reboots and its controller does not have enough licenses, that AP will not come up.

Configuring Centralized Licensing

The steps to configure centralized licensing on your network vary, depending upon whether you are enabling this feature in a network with a master-local controller topology, or in a network where all controllers are configured as masters. Before you enable this feature, you must ensure that the controllers are able to properly communicate with the licensing master. Once you have identified your deployment type, follow the steps in the appropriate section below.

Pre-Configuration Setup in an All-Master Deployment

Follow the steps described below to configure the centralized licensing feature in a network with all master controllers.

1. Ensure that the controllers that will use this feature are associated with the same AirWave server.
2. Identify a controller you want to designate as the primary licensing server. If that controller already has a redundant backup controller, that backup controller will automatically become the backup license server.
3. (Optional) If your primary licensing server does not yet have a dedicated, redundant backup controller and you want to use a backup server with the centralized licensing feature, you must identify a second controller to use as the backup licensing server, and create a virtual router on the primary licensing server.
4. (Optional) Establish secure IPsec tunnels between the primary licensing server controller and the licensing client controllers by enabling control plane security on that cluster of master controllers, or by creating site-to-site VPN tunnels between the licensing server and client controllers. This step is not required, but if you do not create secure tunnels between the controllers, the controllers will exchange clear, unencrypted licensing information. This step is not required for a master-local topology.

Pre-Configuration Setup in a Master/Local Topology

By default, the master controller in a master-local topology is the primary licensing server. If this master controller already has a redundant standby master, that redundant master will automatically act as the backup licensing server with no additional configuration. If your primary licensing server does not yet have a redundant standby controller and you want to use a backup server with the centralized licensing feature, you must identify a second controller you want to designate as the backup licensing server, and define a virtual router on the primary licensing server.

Enabling Centralized Licensing

The following steps describe the procedure to enable centralized licensing on both the licensing master and licensing clients.

Using the WebUI

1. Access the WebUI of the primary licensing master controller, navigate to Configuration > Controller and select the Centralized Licenses tab.
2. Select Enable Centralized Licensing.
3. (Optional) If the licensing server already has a dedicated redundant standby controller, that standby controller will automatically become the backup license server. If the primary licensing server in your deployment does not have a dedicated, redundant master controller but you want to define a backup server for the licensing feature, follow steps a-c below:
a. In the VRRP ID field, enter the Virtual Router ID for the Virtual Router you configured in the Pre-Configuration Setup task in the section above.
b. In the Peer’s IP address field, enter the IP address of the backup licensing server.
c. In the License Server IP field, enter the virtual IP address for the Virtual Router used for license server redundancy.
4. Click Apply to save your settings.

If you are deploying centralized licensing on a cluster of master controllers, you must define the IP address that the licensing clients in the cluster use to access the licensing server.

5. Access the WebUI of a licensing client, navigate to Configuration > Controller and select the Centralized Licenses tab.
6. Select Enable Centralized Licensing.
7. In the License Server IP field, enter the IP address the client will use to connect to the licensing server. If you have defined a backup licensing server using a virtual router ID, enter the IP address of that virtual router.
8. Click Apply to save your settings.
9. Repeat steps 5-8 on each licensing client in the cluster.

Using the CLI

Access the command-line interface of the licensing server, and issue the following commands in config mode:

(host) (config) #license profile

(host) (License provisioning profile) #centralized-licensing-enable

If the licensing server already has a dedicated redundant standby controller, that standby controller will automatically become the backup license server. If the primary licensing server in your deployment does not have a redundant master controller but you want to define a backup server for the licensing feature, issue the following commands on the licensing server.

(host) (License provisioning profile) #License server-redundancy

(host) (License provisioning profile) #License-vrrp <vrId>

(host) (License provisioning profile) #Peer-ip-address <ip>

If you are deploying centralized licensing on a cluster of master controllers, access the command-line interface of a licensing client controller, and issue the following commands in config mode:

(host) (config) #license profile

(host) (License provisioning profile) #centralized-licensing-enable

(host) (License provisioning profile) # license server-ip <ip>

If a controller is designated as standby license server, it should not have the license-server-ip value configured.

Monitoring and Managing Centralized Licenses

A centralized licensing server displays a wide variety of licensing data that you can use to monitor licenses and license usage. The following tables are available on the Network > Controller > Centralized License Management > Information page of the Licensing server WebUI.

License Server Table

This table displays information about the different types of licenses in the license table, and how many total licenses of each type are available and used. This table includes the following information:

Table 2: License Server Table Data

| Column | Description |
| --- | --- |
| Service Type | Type of license on the licensing server. |
| Aggregate Licenses | Number of licenses in the licensing table on the licensing server. |
| Used Licenses | Total number of licenses of each license type reported as used by the licensing clients or licensing server. |
| Remaining Licenses | Total number of remaining licenses available in the licensing table. |

License Client Table

This table displays centralized license limits applied to each licensing client. This table includes the following information:

Table 3: License Client Table Data

| Column | Description |
| --- | --- |
| Service Type | Type of license on the licensing client. |
| System Limit | The maximum number of licenses supported by the controller platform. |
| Server Licenses | Number of licenses sent from the licensing server. NOTE: This number is limited by the total license capacity of the controller platform. A controller cannot use more licenses than is supported by that controller platform, even if additional licenses are available. |
| Used Licenses | Total number of licenses of each license type used by the licensing client controller. |
| Contributed Licenses | Total number of licenses of each license type contributed by the licensing client controller. |
| Remaining Licenses | Total number of remaining licenses available on this controller. This number is also limited by the total license capacity of the controller platform. |

License Client(s) Usage Table

This table displays information about the different types of licenses in the license table, and how many total licenses of each type are available and used.

Table 4: License Client(s) Usage Table Data

| Column | Description |
| --- | --- |
| Hostname | Name of the licensing client controller. |
| IP Address | IP address of the licensing client controller. |
| AP | Total number of AP licenses used by a licensing client associated with this controller. |
| PEF | Total number of Policy Enforcement Firewall (PEF) licenses used by a licensing client associated with this controller. |
| RF Protect | Total number of RFprotect licenses used by a licensing client associated with this controller. |
| xSec Module | Total number of Extreme Security (xSec) licenses used by a licensing client associated with this controller. |
| ACR | Total number of Advanced Cryptography (ACR) licenses used by a licensing client associated with this controller. |
| Last update (secs. ago) | Time, in seconds, that has elapsed since the licensing client received a heartbeat response. |

Aggregate License Table

Issue this command from the command-line interface of the centralized licensing server controller to view license limits sent by licensing clients.

Table 5: Aggregate License Table Data

| Column | Description |
| --- | --- |
| Hostname | Name of the licensing client controller. |
| IP Address | IP address of the licensing client controller. |
| AP | Total number of AP licenses sent from licensing clients associated with this controller. |
| PEF | Total number of Policy Enforcement Firewall (PEF) licenses sent from licensing clients associated with this controller. |
| RF Protect | Total number of RFprotect licenses sent from licensing clients associated with this controller. |
| xSec Module | Total number of Extreme Security (xSec) licenses sent from licensing clients associated with this controller. |
| ACR | Total number of Advanced Cryptography (ACR) licenses sent from licensing clients associated with this controller. |

License Heartbeat Table

This table displays the license heartbeat statistics between the license server and the license client.

Table 6: License Heartbeat Table Data

| Column | Description |
| --- | --- |
| IP address | IP address of the licensing client. |
| HB Req | Heartbeat requests sent from the licensing client. |
| HB Resp | Heartbeat responses received from the license server. |
| Total Missed | Total number of heartbeats that were not received by the licensing client. |
| Last Update | Number of seconds elapsed since the licensing client last sent a heartbeat request. |