Wednesday, June 10, 2026

Configure Cisco Smart Licensing Using Policy (CSLU)

Here's a Cisco link and a video tutorial to configure Cisco Smart Licensing Using Policy (CSLU). Below are the commands to be used in a Cisco IOS-XE device. 

In the Cisco Smart Software Manager (CSSM, a.k.a. Smart License), click the blue hyperlink > CSLU Transport URL.


ip name-server <PRIMARY DNS IP> <SECONDARY DNS IP>
ip domain lookup 
ip domain lookup source-interface Loopback0
ip http client source-interface Loopback0

license smart transport cslu

license smart url cslu https://<ON PREM SMART LICENSE SERVER IP>/cslu/v1/pi/<VIRTUAL ACCOUNT>

crypto pki trustpoint SLA-TrustPoint
 revocation-check none

#license smart sync all

 

I've configured CSLU in a Cisco 8000v router.

C8000v#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

C8000v(config)#ip name-server 10.6.6.7 10.8.8.9

C8000v(config)#ip domain lookup

C8000v(config)#ip domain lookup source-interface Loopback0

C8000v(config)#ip http client

C8000v(config)#license smart transport cslu

C8000v(config)#license smart url cslu https://myccsm01.com/cslu/v1/pi/my-va-4

C8000v(config)#crypto pki trustpoint SLA-TrustPoint

C8000v(ca-trustpoint)# revocation-check none

C8000v(ca-trustpoint)#end

C8000v#write memory

Building configuration...

[OK]


Oct  3 00:47:39.403 UTC: CSR CSL:pid = C8000V, sn = 91Y2A1B1234

Oct  3 00:47:39.948 UTC: %SYS-6-PRIVCFG_ENCRYPT_SUCCESS: Successfully encrypted private config file

Oct  3 00:47:39.979 UTC: CSR CSL:

LIC_OBJSTORE_OPEN: IFS open successful. Objname: satimeflagsync.data, App ID:3

Oct  3 00:47:39.990 UTC: CSR CSL:

LIC_OBJSTORE_WRITE: IFS write successful. Objname: satimeflagsync.data, Bytes written: 2384, Write offset: 2384, App ID: 3

Oct  3 00:47:39.990 UTC: CSR CSL:

LIC_OBJSTORE_CLOSE: IFS close successful. FD:0, App ID: 3


C8000v#ping mycssm01.com source Loopback0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.7.9, timeout is 2 seconds:

Packet sent with a source address of 10.4.6.41

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 116/116/116 ms


C8000v#license smart sync all

Nov 25 09:59:34.556 UTC: CSR CSL:

LIC_OBJSTORE_STAT:Unable to get the size of the object - No such object, App ID: 3

Nov 25 09:59:34.564 UTC: CSR CSL:

LIC_OBJSTORE_STAT:Unable to get the size of the object - No such object, App ID: 3

Nov 25 09:59:34.572 UTC: CSR CSL:

LIC_OBJSTORE_STAT: IFS stat successful. Path: /1759269975.rum.  Objsize: 1047, App ID: 3

Nov 25 09:59:34.581 UTC: CSR CSL:

LIC_OBJSTORE_OPEN: IFS open successful. Objname: 1759269975.rum, App ID:3

Nov 25 09:59:34.590 UTC: CSR CSL:

LIC_OBJSTORE_READ: IFS read successful. Objname: 1759269975.rum, Bytes read: 1047, Read offset: 1047, App ID: 3

LIC_OBJSTORE_OPEN: IFS open successful. Objname: saRumReportMetaData.txt, App ID:3

Nov 25 09:59:37.141 UTC: CSR CSL:

LIC_OBJSTORE_WRITE: IFS write successful. Objname: saRumReportMetaData.txt, Bytes written: 6880, Write offset: 6880, App ID: 3

Nov 25 09:59:37.141 UTC: CSR CSL:

LIC_OBJSTORE_CLOSE: IFS close successful. FD:0, App ID: 3

Nov 25 09:59:37.159 UTC: CSR CSL:

LIC_OBJSTORE_OPEN: IFS open successful. Objname: satimeflagsync.data, App ID:3

Nov 25 09:59:37.168 UTC: CSR CSL:

LIC_OBJSTORE_WRITE: IFS write successful. Objname: satimeflagsync.data, Bytes written: 2384, Write offset: 2384, App ID: 3

Nov 25 09:59:37.168 UTC: CSR CSL:

LIC_OBJSTORE_CLOSE: IFS close successful. FD:0, App ID: 3


<OUTPUT TRUNCATED>


Validate the Smart License status using the show license summary command.

C8000v#show license summary

Account Information:

  Smart Account: <none>

  Virtual Account: <none>

 

License Usage:

  License                 Entitlement Tag               Count Status

  -----------------------------------------------------------------------------

  network-advantage_T0    (NWSTACK_T0_A)                    1 IN USE

  dna-advantage_T0        (DSTACK_T0_A)                     1 IN USE


You can also validate the Smart License status in the CSSM server (either Cisco public cloud or On Prem): go to Smart Licensing > Inventory > Product Instance tab > Event Log.



Saturday, May 2, 2026

Copying Files in a Cisco Nexus 9000 Switch

Here's a Cisco link on copying or transferring a Nexus config file to a remote server (or local USB). This is useful if you're doing an RMA and need to quickly transfer the config from the old to the new Nexus switch. If you're using a USB flash drive/disk, make sure it's formatted to FAT16.

 

N9K# copy running-config usb1:my-config.cfg

Copy complete, now saving to disk (please wait)...

Copy complete.

 

 

N9K# dir usb1:

       4096    Feb 06 09:41:48 2026  System Volume Information/

      34494    Feb 06 09:41:48 2026  autorun.ico

        194    Feb 06 09:41:48 2026  autorun.inf

      23462    Mar 07 03:55:23 2026  my-config.cfg

 2058225152    Feb 06 11:18:24 2026  nxos.9.3.x.bin


The NX-OS file transfer took a few minutes to finish. Make sure your USB drive has enough free space.

N9K# copy nxos64-cs.10.x.M.bin usb1:nxos64-cs.10.x.M.bin

Copy progress 70% 1957560KB

file error

Destination: No space left on device


Friday, April 10, 2026

Junos OS File Directory and MD5 Checksum

I needed to download the Junos OS used in our MX device.

You can use the file list /var/tmp CLI command to check the stored OS image (dir or show bootflash: in Cisco).

admin@junos> file list /var/tmp/

 

/var/tmp/:

Jtac-logs.tgz

LOCK_FILE

appidd_cust_app_trace

appidd_trace_debug

bcast.bdisp.log

bcast.disp.log

bcast.rstdisp.log

bcast.undisp.log

current-config.txt

ebmq_authd_vty

ebmq_bbe-pfcp-proxy-vty_vty

ex_autod_config

ex_autod_rollback_cfg

junos-vmhost-install-mx-x86-64-2x.4Rx.8.tgz

krt_rpf_filter.txt

mmcq_authd

mmcq_bbe-cupm

mmcq_bbeStatsdGetCollector

mmcq_cupm-bbe-up-pfcp-proxyd

mmcq_cupm-ep_RepClientUpEpClient

mmcq_cupm-ep_RepServerUpEpClient

mmcq_mmdb_rep_mmcq

mmcq_sdb_bbe_mmcq

netproxy

package.log

pc /

pfe_debug_commands

phone-home/

pics/

pkg_cleanup.log.err

re0.tgz

rtsdb/

sd-upgrade/


To validate the image MD5 checksum, use the file checksum md5 <path/file> command. 

admin@junos> file checksum md5 /var/tmp/junos-vmhost-install-mx-x86-64-2x.4Rx.8.tgz   
MD5 (/var/tmp/junos-vmhost-install-mx-x86-64-2x.4Rx.8.tgz) = 0d02de0cc7aec60825d2dbe513e0af12

Go to the Juniper Software Downloads site, search for the Product, OS and Version. Click Checksums (a hyperlink) to view the MD5, SHA1, etc.

Click the tgz file (a hyperlink), click "I Agree" to proceed.


You can download the OS image locally to your PC or directly to your Juniper device. To download the OS image from your device, just run the file copy <URL destination> command (copy/paste the URL string).
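
The checksum comparison described above, as an added example (not part of the original post and not Juniper tooling): this Python code parses the "MD5 (path) = digest" line printed by file checksum md5, hashes a locally downloaded copy, and checks both against the value taken from the Checksums page. It goes beyond MD5 by also accepting SHA1 and SHA256 lines, assuming they use the same layout; the function names and the sample file are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Layout of the device output shown above: "MD5 (<path>) = <hex digest>".
# Assumption: SHA1 and SHA256 lines use the same BSD-style layout.
CHECKSUM_LINE = re.compile(r"^(MD5|SHA1|SHA256)\s+\((?P<path>.+)\)\s+=\s+(?P<hex>[0-9a-fA-F]+)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}

def parse_checksum_line(line):
    """Return (algorithm, path, lowercase hex digest) from one checksum line."""
    m = CHECKSUM_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a checksum line: {line!r}")
    alg, digest = m.group(1), m.group("hex").lower()
    if len(digest) != DIGEST_LEN[alg]:
        raise ValueError(f"{alg} digest has wrong length: {len(digest)}")
    return alg, m.group("path"), digest

def file_digest(path, alg, chunk=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image is never held in memory."""
    h = hashlib.new(alg.lower())
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(local_path, device_line, published_hex):
    """True only if the device output, the published value and the local file agree."""
    alg, _path, device_hex = parse_checksum_line(device_line)
    published = published_hex.strip().lower()
    return device_hex == published and file_digest(local_path, alg) == published

def demo():
    """Constructed stand-in for an image: verify it, then change one byte and retry."""
    with tempfile.TemporaryDirectory() as d:
        img = Path(d) / "image.tgz"
        img.write_bytes(b"constructed sample image bytes")
        good = file_digest(img, "MD5")
        line = f"MD5 (/var/tmp/image.tgz) = {good}"
        intact = verify_image(img, line, good)
        img.write_bytes(b"constructed sample image bytez")
        modified = verify_image(img, line, good)
    return intact, modified
```

MD5 and SHA1 catch a corrupted transfer but are not collision-resistant, so compare the SHA256 value when the Checksums page lists one.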


Sunday, March 1, 2026

Configure Policy-Based Routing (PBR) in a Cisco Router

Here's a link on configuring Policy-Based Routing (PBR) in a Cisco router. I was trying to configure PBR on a customer VRF to test or simulate customer traffic to a new FortiGate firewall. The customer traffic is currently NAT'd to a Cisco ASA firewall.

CE#trace vrf CUST 8.8.8.8 source 192.168.199.1

Type escape sequence to abort.

Tracing the route to 8.8.8.8

VRF info: (vrf in name/id, vrf out name/id)

  1 10.6.9.50 0 msec 0 msec 0 msec

  2 216.12.34.5 0 msec 0 msec 4 msec   // CISCO ASA HOP

  3 72.250.194.1 0 msec 4 msec 0 msec

 

<OUTPUT TRUNCATED>

 

  9  *  *  * 

 10 8.8.8.8 4 msec 8 msec 8 msec


 

Note you'll need to apply PBR on the "ingress" or LAN interface, because PBR applied to an interface only acts on packets received on that interface, not on traffic the router itself originates. For the same reason, you can't configure a Loopback interface and then do a ping test sourced locally from that Loopback. The ping test should be sourced from an IP host/subnet that's "behind" or a Layer 3 hop away from the router doing the PBR.


You'll also need to consider local traffic flows. For example, if a host needs to access internal resources such as DNS, you'll need a deny entry in the (extended) ACL to exclude those IPs/subnets.

PE#show access-list 199 
Extended IP access list 199
    10 deny ip 192.168.199.0 0.0.0.255 10.1.1.0 0.0.0.255   // EXCLUDE INTERNAL DNS TRAFFIC 
    20 permit ip 192.168.199.0 0.0.0.255 any   // PERMIT 192.168.199.0/24 TO INTERNET (NEW FW)

PE#show run | sec route-map MY-PBR   // NO NEED TO CONFIGURE: set vrf <VRF>  
route-map MY-PBR permit 10 
 match ip address 199
 set ip next-hop 172.20.8.12

PE(config)#interface GigabitEthernet0/0/1   // LAN INTERFACE
PE(config-if)#ip policy route-map MY-PBR


CE#ping vrf CUST 8.8.8.8 source 192.168.199.1 rep 10   // GOOGLE DNS
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.199.1 
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 4/8/20 ms


CE#ping vrf CUST 72.163.4.185 source 192.168.199.1   // CISCO.COM
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.163.4.185, timeout is 2 seconds:
Packet sent with a source address of 192.168.199.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms

CE#traceroute vrf CUST 8.8.8.8 source 192.168.199.1       

Type escape sequence to abort.

Tracing the route to 8.8.8.8

VRF info: (vrf in name/id, vrf out name/id)

  1 10.6.9.50 0 msec 0 msec 0 msec

  2 172.20.8.12 msec 4 msec 0 msec   // FORTIGATE HOP

  3 66.12.34.56 0 msec 0 msec 0 msec

 

<OUTPUT TRUNCATED>


 11  *  *  * 
 12 8.8.8.8 4 msec 4 msec 4 msec

 

PBR was confirmed working when the CE router's traceroute showed a hop via the new FortiGate IP address. I also checked the NAT translations via the FortiView Sessions. The other RFC1918 IP subnets were still NAT'd via the Cisco ASA firewall.
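
How ACL 199 and route-map MY-PBR above decide which flows are sent to the FortiGate, as an added example (not from the original post and not Cisco code): the Python below applies first-match, wildcard-mask evaluation to a source/destination pair. The function names and the "routing-table" label are assumptions, and it models only "ip" entries and the single permit 10 route-map sequence shown.

```python
import ipaddress

# ACL 199 entries and the route-map next hop, copied from the post above.
ACL_199 = """\
10 deny ip 192.168.199.0 0.0.0.255 10.1.1.0 0.0.0.255
20 permit ip 192.168.199.0 0.0.0.255 any
"""
PBR_NEXT_HOP = "172.20.8.12"

def _spec(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wild), tokens[2:]

def parse_acl(text):
    """Parse 'SEQ ACTION ip SRC DST' entries, ordered by sequence number."""
    entries = []
    for line in text.splitlines():
        tok = line.split("//")[0].split()  # drop trailing // annotations
        if len(tok) < 5 or tok[2] != "ip":
            continue
        src, rest = _spec(tok[3:])
        dst, _ = _spec(rest)
        entries.append((int(tok[0]), tok[1], src, dst))
    return sorted(entries)

def _hit(addr, spec):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must equal base.
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & ~wild & 0xFFFFFFFF) == 0

def pbr_decision(src, dst, acl):
    """First matching entry wins; a deny or no match leaves the packet to normal routing."""
    for _seq, action, s, d in acl:
        if _hit(src, s) and _hit(dst, d):
            return PBR_NEXT_HOP if action == "permit" else "routing-table"
    return "routing-table"  # implicit deny: the packet is not policy-routed
```

Running candidate flows through pbr_decision(src, dst, parse_acl(ACL_199)) before applying ip policy shows which traffic the new next hop will receive and which stays on the existing path.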


Friday, February 6, 2026

Cisco Nexus cli alias Command

You can use the cli alias <command> to create a shortcut for your favorite Cisco commands. An example would be an alias for write memory (or just wr) in a Cisco Nexus switch (it only supports copy run start).


N5K# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
N5K(config)# cli ?
  alias  Define an alias
  var    Define a variable

N5K(config)# cli alias ?
  name  Specify the alias

N5K(config)# cli alias name ?
  WORD  Alias command (Max Size 30)

N5K(config)# cli alias name wr ?
  LINE  Alias definition

N5K(config)# cli alias name wr copy run start ?
  <CR>  
  LINE   Alias definition

N5K(config)# cli alias name wr copy run start
N5K(config)# show run | i cli
cli alias name wr copy run start
N5K(config)# alias         // NEXUS VERIFICATION COMMAND
CLI alias commands
==================
alias  :show cli alias
wr     :copy run start
N5K(config)# wr
[########################################] 100%
Copy complete, now saving to disk (please wait)...

Thursday, January 1, 2026

SecureCRT Button for Saved Credentials

Here's a link on managing login credentials to multiple systems or devices in SecureCRT. This can be a more viable and secure password manager tool. There's also another feature in SecureCRT wherein you can add a button to automate your device login. This prevents an admin from forgetting his username/password and avoids being locked out due to multiple login attempts.

To create a saved Credential in SecureCRT, go to Options tab > Global Options > General > Credentials > Add

Type a Title > Username > Move up Authentication: Password > click Edit (gear icon) > select: Store Password > Type the password twice to confirm > OK. 

 

To add a new SecureCRT button > right-click (bottom area) > New Button

Select Function: Credentials > Select the newly created Credential > Select Send: Password.

Type a Label > select the Icon color > optionally type a Description > OK.


SSH to a Cisco device and click the new button when prompted for a password.

svr01 ~]$ ssh -l cisco-admin 172.16.1.254

### ASA LAB ###

cisco-admin@172.16.1.254's password: <CLICK BUTTON>
User cisco-admin logged in to LAB-ASA5515x
Logins over the last 81 days: 3.  Last login: 00:59:39 UTC Sep 28 2025 from 192.168.1.100
Failed logins since the last login: 1.  Last failed login: 09:06:35 UTC Dec 5 2025 from 192.168.1.168
Type help or '?' for a list of available commands.
LAB-ASA5515x> 

Friday, December 5, 2025

Deleting Multiple Files in a Cisco Flash

Here's a Cisco link on managing files inside a device's flash memory or directory. In this example, I've transferred some dummy packet capture files.

C8000v#copy tftp://192.168.1.100/pcap3.pcap bootflash:

Destination filename [pcap3.pcap]?

Accessing tftp://192.168.1.100/pcap3.pcap...

Loading pcap3.pcap from 192.168.1.100 (via GigabitEthernet1): !

[OK - 125 bytes]

 

125 bytes copied in 0.067 secs (1866 bytes/sec)

 

 

C8000v#dir | i .pcap                                 

38      -rw-              125   Dec 1 2025 07:44:02 +00:00  pcap3.pcap

37      -rw-              125   Dec 1 2025 07:43:39 +00:00  pcap2.pcap

35      -rw-              125   Dec 1 2025 07:42:46 +00:00  pcap1.pcap

13      drwx             4096  Sep 25 2025 16:27:20 +00:00  pcap

C8000v#

 

 

You'll need to manually press Enter to delete each file, even when using a wildcard (*).


C8000v#delete *.pcap

Delete filename [*.pcap]?

Delete bootflash:/pcap3.pcap? [confirm]^U

Delete of bootflash:/pcap3.pcap aborted!

Delete bootflash:/pcap1.pcap? [confirm]^U

Delete of bootflash:/pcap1.pcap aborted!

Delete bootflash:/pcap2.pcap? [confirm]^U

Delete of bootflash:/pcap2.pcap aborted!

 

 

In order to delete all files without pressing Enter, include the /force keyword. In this scenario, I deleted all packet captures with a file extension of .pcap in a Cisco 8000v.


C8000v#delete ?

  /force      Force delete

  /recursive  Recursive delete

  bootflash:  File to be deleted

  crashinfo:  File to be deleted

  flash:      File to be deleted

  nvram:      File to be deleted

 

C8000v#delete /force *.pcap

C8000v#dir | i .pcap      

13      drwx             4096  Sep 25 2025 16:27:20 +00:00  pcap

C8000v#