Cisco IOS licensing is a critical operational topic that every CCNA candidate must understand—not because you'll be configuring it daily, but because it directly affects device functionality and troubleshooting. On the 200-301 exam, you'll encounter questions about license types, evaluation periods, and the license activation process. In real network engineering, knowing how to verify and manage licenses ensures you can deploy features like IP routing or security without unexpected downtime. This chapter covers the essentials of Cisco IOS licensing, aligning with the 'Network Fundamentals' domain.
Jump to a section
Imagine you buy a luxury car that comes with a standard engine, but the manufacturer offers optional performance upgrades—like a sports mode that boosts horsepower and a navigation system. These upgrades are already built into the car's computer, but they're locked. To unlock them, you need a license key that you purchase separately. The car has a 'evaluation mode' where you can try the sports mode for 60 days without buying the key. After that, if you don't purchase the license, the sports mode reverts to standard.
Now, think of the car's computer as Cisco IOS software. The base features (like basic switching) are always available. The optional upgrades (like advanced IP routing or security features) are the technology packages that require a license. The evaluation period is the 60-day grace period Cisco provides. The license key is the 'license file' you install on the router or switch.
In this analogy, the car's VIN is the device's serial number. The license key is tied to that VIN—you can't use a key from one car on another. Similarly, Cisco licenses are tied to the device's unique identifier (UDI). If you sell the car, you can transfer the license to the new owner, but you need to deactivate it first. In Cisco terms, this is called 'license transfer'—you revoke the license from the old device and activate it on the new one.
Finally, the car's dashboard shows which upgrades are active. In Cisco, you use 'show license' commands to see which features are licensed, their status (active, expired, or evaluation), and the evaluation time remaining. If you fail to purchase a license, the feature stops working—just like the sports mode disabling after the trial ends. This analogy captures the core mechanics: built-in features, license-locked upgrades, evaluation periods, and device-specific licensing.
What is Cisco IOS Licensing?
Cisco IOS licensing is the mechanism that controls access to premium software features on Cisco routers and switches. It ensures that you only use features you've paid for, while allowing a temporary evaluation period. Licensing is tied to the device's unique device identifier (UDI), which combines the product ID (PID) and serial number. This prevents license sharing across devices.
Why Does Licensing Exist?
Cisco separates its IOS software into different 'technology packages' (like IP Base, IP Services, or Advanced Enterprise Services) to offer tiered functionality. For example, a Cisco ISR 4000 series router might come with IP Base (basic routing) but require an additional license for IPsec VPN or MPLS. Licensing allows Cisco to sell these features modularly, and it gives customers flexibility to purchase only what they need. On the exam, you need to know the common license types for routers and switches.
How Licensing Works: Step by Step
License Types: There are two main types: permanent licenses (purchased and installed indefinitely) and evaluation licenses (time-limited, usually 60 days). Some platforms also support subscription licenses.
License Storage: Licenses are stored in the device's persistent storage (e.g., flash memory) as files with a .lic extension. The device reads these files during boot.
Evaluation Period: When you enable a feature that requires a license without having one, the device enters an evaluation period (typically 60 days). During this time, the feature works fully. The 'show license' command displays the remaining evaluation time.
License Activation: To permanently activate a license, you obtain a license file from Cisco's licensing portal (using the device's UDI) and install it via the 'license install' command. The device then uses that license file to authorize the feature.
License Verification: Use 'show license' to see all licenses and their status. Use 'show license feature' to see which features are available and whether they are licensed.
Key States and Defaults
Evaluation Period: 60 days (default). This is a common exam number.
License State: 'Active', 'Inactive', 'Expired', or 'Evaluation'.
License Count: Some licenses are per-device (unlimited use once purchased), others are per-feature or per-session (e.g., VPN peers).
UDI: Consists of PID (e.g., ISR4331/K9) and Serial Number (e.g., FGL12345678).
IOS CLI Verification Commands
Here are the essential commands with example output:
Router# show license
Index 1 Feature: ipbasek9 Period left: Life time
License Type: Permanent
License State: Active, In use
Index 2 Feature: securityk9 Period left: 59 days 23 hours
License Type: Evaluation
License State: Active, In useRouter# show license feature
Feature name Enforcement Evaluation Subscription Enabled
ipbasek9 yes no no yes
securityk9 yes yes no yesRouter# show license status
License Status: EVALUATION MODE
Evaluation period: 59 days 23 hoursInteraction with Related Protocols
Licensing does not directly interact with routing protocols, but it controls whether certain protocols (like OSPF, EIGRP, or BGP) are available in advanced feature sets. For example, on a switch, IP Base license supports static routing and RIP, while IP Services license enables OSPF and EIGRP. On the exam, you might see a question where a router cannot run EIGRP because it only has an IP Base license. You would need to install the appropriate technology package license.
Common Exam Scenarios
Troubleshooting a missing feature: A candidate notices that 'router eigrp' command is not recognized. The cause is likely an insufficient license. Use 'show version' to see the current license level.
Evaluation period: A network engineer enables a security feature and it works for 60 days, then stops. They need to purchase and install a permanent license.
License transfer: When replacing a router, the license can be transferred by deactivating it on the old router (using 'license save' and 'license clear') and activating on the new one.
Important Notes for the Exam
The 'license install' command is used to install a license file from flash or a URL.
The 'license accept end user agreement' command is sometimes required before installation.
The 'show version' command displays the current license level (e.g., 'cisco ISR4331/K9' with 'Technology Package License Level: ipbasek9').
Licenses are tied to the UDI, so swapping hardware requires license transfer.
Check current license status
First, determine what licenses are already installed and their status. Use 'show license' to see all licenses. Look for the feature name, period left, license type (Permanent, Evaluation, Subscription), and state (Active, Inactive, Expired). Also use 'show license feature' to see which features are enabled and whether they require a license. This baseline helps you know if you need to install a new license or if an evaluation is in progress.
Identify the required license
Based on the feature you need (e.g., IPsec VPN, OSPF, MPLS), identify the corresponding license name. For example, on ISR routers, 'securityk9' enables VPN and firewall features; 'datak9' enables MPLS and BFD. On Catalyst switches, 'ipservicesk9' enables advanced routing. Check Cisco documentation or the 'show license feature' output to match features to license names. The exam may ask which license is needed for a specific feature.
Obtain the license file
To get a permanent license, you need the device's UDI (Product ID and Serial Number). Use 'show license udi' to display it. Then go to Cisco's Software Central licensing portal, enter the UDI, and generate a license file. The file is typically emailed or downloadable. Save it to a TFTP server or directly to the router's flash memory. For exam purposes, you only need to know the process conceptually.
Install the license
Use the 'license install' command to install the license file. For example: 'license install flash:license.lic'. You may need to accept the end user license agreement first with 'license accept end user agreement'. After installation, the license becomes active. Verify with 'show license' that the license type is now 'Permanent' and the period left is 'Life time'. If the license is for a technology package, you might need to reload the device to activate it.
Activate the license (if required)
Some licenses, especially technology package licenses, require a reload to take effect. Use 'reload' to restart the device. After reload, the feature becomes available. For evaluation licenses, no reload is needed; they activate immediately. Always check 'show version' after reload to confirm the new license level is active. For example, the output should show 'Technology Package License Level: securityk9'.
Verify feature availability
Finally, ensure the desired feature is now usable. For example, if you installed a security license, try configuring a crypto map or an IPsec profile. Use 'show running-config | include crypto' to see if the commands are accepted. Also use 'show license feature' to confirm the feature is enabled. If the feature still doesn't work, check for evaluation expiration or incorrect license file.
In a typical enterprise, you might purchase a Cisco ISR 4331 router with an IP Base license for basic routing. Later, the business decides to implement site-to-site VPNs, which require the securityk9 license. As the network engineer, you would log into the Cisco licensing portal, generate a license file using the router's UDI, and install it. No hardware upgrade needed—just a software unlock. This modular approach saves costs because you only pay for features when needed.
Another scenario: a company deploys a Catalyst 9300 switch with IP Base license, but later needs OSPF for dynamic routing. They must upgrade to IP Services license. The process is similar: purchase the license, install it, and reload. However, if the switch is in a critical path, you might plan a maintenance window. Misconfiguration happens when an engineer tries to enable OSPF without the license—the command is rejected, causing confusion. A quick 'show version' reveals the current license level, saving hours of troubleshooting.
A common pitfall is the evaluation period. A network admin enables a feature like 'zone-based firewall' on a router without a license. It works for 60 days, then suddenly stops. The admin might think the router is faulty, but checking 'show license' shows the evaluation expired. The fix is to purchase and install a permanent license. In production, always track evaluation expiration dates to avoid service disruption. Also, when replacing a failed router, remember that licenses are tied to the UDI. You need to deactivate the license on the old router (if still accessible) and reactivate on the new one. Cisco's licensing portal allows license transfer, but it requires the old device's UDI and sometimes a support contract.
Scale considerations: In large networks with hundreds of devices, manually installing licenses is impractical. Cisco offers Smart Licensing, where devices communicate with a central Cisco server to check license entitlement. Smart Licensing is beyond CCNA scope, but you should know it exists. For the exam, focus on traditional licensing with 'license install' and evaluation periods.
The CCNA 200-301 exam tests Cisco IOS licensing under the 'Network Fundamentals' domain, specifically the objective 'Describe the licensing mechanism for Cisco IOS devices'. You will not be asked to install a license in a simulation, but you will see multiple-choice questions about license types, evaluation periods, and the effect of licensing on feature availability.
Most Common Wrong Answers: 1. 'All features are available without a license.' – Wrong. Only base features are included; advanced features require a license. 2. 'Licenses are tied to the IOS version.' – Wrong. Licenses are tied to the device UDI, not the software version. 3. 'Evaluation licenses last 30 days.' – Wrong. The standard evaluation period is 60 days. 4. 'You can use a license from one router on another router.' – Wrong. Licenses are device-specific.
Specific Values and Commands to Memorize: - Evaluation period: 60 days. - Command to view licenses: 'show license'. - Command to view UDI: 'show license udi'. - Command to install license: 'license install <url>'. - Technology package license names: ipbasek9, securityk9, datak9, ipservicesk9.
Elimination Strategy: When you see a question about a missing feature (e.g., EIGRP not available), immediately think licensing. Check if the switch or router has the appropriate license level. If the question mentions a 60-day trial, it's about evaluation license. If it mentions transferring a license to a new device, it's about UDI binding. Eliminate answers that suggest global commands or IOS upgrade—those are not the primary fix for licensing issues.
Calculation Traps: There are no calculations, but you may need to interpret 'show license' output. For example, 'Period left: 59 days 23 hours' indicates evaluation mode. 'License Type: Permanent' means it's purchased. 'License State: Expired' means the evaluation ended and the feature is disabled.
Decision Rule for Scenario Questions: - If the feature worked before but stopped after 60 days → evaluation expired. - If the feature never worked → missing license. - If a new device cannot use a license from an old device → license is UDI-bound, need transfer. - If 'show version' shows 'ipbasek9' but you need 'securityk9' → install security license.
Cisco IOS licenses are tied to the device's unique device identifier (UDI), not the IOS version.
The default evaluation period for unlicensed features is 60 days.
Use 'show license' to view license status and 'show license udi' to view the device UDI.
Use 'license install <url>' to install a permanent license file.
Technology package licenses on routers include ipbasek9 (default), securityk9, and datak9.
On switches, IP Base license supports static routing; IP Services license adds OSPF and EIGRP.
A reload may be required to activate a new technology package license.
These come up on the exam all the time. Here's how to tell them apart.
Evaluation License
Time-limited (60 days default)
No cost; used for trial
Automatically activates when feature is configured without a license
State changes to 'Expired' after period ends
No reload required to activate
Permanent License
No time limit (Life time)
Purchased from Cisco
Must be installed via 'license install' command
State is 'Active, In use' permanently
May require reload for technology package licenses
Mistake
All IOS features are available without a license.
Correct
Only base features (e.g., basic switching, static routing) are included. Advanced features like VPN, OSPF, or MPLS require a separate license.
Candidates often assume IOS is monolithic; they don't realize features are locked until licensed.
Mistake
Licenses are tied to the IOS version or image file.
Correct
Licenses are tied to the device's UDI (PID + serial number). Changing IOS version does not affect licenses, but moving the license to another device requires a transfer.
People confuse software licensing (like Windows) with hardware-bound Cisco licensing.
Mistake
The evaluation period for a license is 30 days.
Correct
The standard evaluation period is 60 days. This is a fixed value in Cisco IOS.
30 days is a common trial period in other software, so candidates guess incorrectly.
Mistake
You can use the same license file on multiple devices.
Correct
Each license file is generated for a specific UDI and cannot be used on another device without deactivating and transferring.
Candidates think of 'volume licensing' like in Microsoft; Cisco licensing is per-device.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The evaluation period is 60 days by default. During this time, the feature works fully. After 60 days, the feature stops working unless a permanent license is installed. You can check the remaining time with 'show license'. The exam often tests this specific number, so remember 60 days.
No, licenses are tied to the device's UDI (PID + serial number). To use a license on a different device, you must deactivate it on the original device (via 'license clear' or Cisco portal) and generate a new license file for the new device. This process is called license transfer.
'ipbasek9' is the base license that includes basic routing and IP services. 'securityk9' adds VPN, firewall, and other security features. On ISR routers, you typically start with ipbasek9 and add securityk9 for VPNs. The 'k9' indicates cryptographic features.
Use 'show license' to see all licenses with their type (Permanent, Evaluation), period left, and state. Use 'show license feature' to see which features are enabled and their licensing status. 'show version' also shows the current technology package license level.
The feature will stop working. The license state changes to 'Expired', and the device will not allow the feature to operate. You will need to install a permanent license to restore functionality. There is no grace period beyond the 60 days.
No, basic routing protocols like RIP and static routing are included in the base license (ipbasek9 on routers, IP Base on switches). However, advanced protocols like OSPF, EIGRP, and BGP may require higher license levels (e.g., IP Services on switches).
The command is 'license install flash:license.lic' (replace 'license.lic' with the actual filename). You may need to first accept the end user license agreement with 'license accept end user agreement'. After installation, verify with 'show license'.
You've just covered Cisco IOS Licensing Overview — now see how well it sticks with free CCNA 200-301 practice questions. Full explanations included, no account needed.
Done with this chapter?