Cisco Cyber Vision Active Discovery Configuration Guide, Release 4.3.0

First Published: 2022-05-06
Last Modified: 2024-03-05

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

© 2022–2024 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1 About this documentation
  Document purpose
  Warnings and notices

CHAPTER 2 Overview
  General principles
  Design considerations
  Basic configuration workflow

CHAPTER 3 Sensor configuration
  Configure Active Discovery on a Cisco switch or router
  Configure Active Discovery on a Cisco IC3000

CHAPTER 4 Policies configuration
  Create a policy
  Set Active Discovery Broadcast
  Set Active Discovery Unicast
    Set Active Discovery Unicast BACnet
    Set Active Discovery Unicast DNP3
    Set Active Discovery Unicast Ethernet/IP
    Set Active Discovery Unicast Melsoft
    Set Active Discovery Unicast Modbus
    Set Active Discovery Unicast OMRON
    Set Active Discovery Unicast SiemensS7
    Set Active Discovery Unicast SiemensS7plus
    Set Active Discovery Unicast SNMPv2c
    Set Active Discovery Unicast SNMPv3
    Set Active Discovery Unicast WMI
  Modify a policy

CHAPTER 5 Profiles configuration
  Set an Active Discovery profile

CHAPTER 6 Launch Active Discovery
  Launch Active Discovery

CHAPTER 7 Annex: Active Discovery protocols
  BACnet
  DNP3
  EtherNet/IP
    EtherNet/IP Broadcast or Unicast
    Ethernet/IP backplane discovery
  Melsoft
  Modbus
  OMRON
  Profinet Multicast
  S7 Broadcast
  S7 Unicast
  S7Plus
  ICMPv6 Multicast
  SNMP Unicast
    AD SNMP with Schneider PLC
    AD SNMP with Siemens PLC
    AD SNMP with Rockwell PLC
    AD SNMP with Moxa switches
    AD SNMP with Siemens Switches
    AD SNMP with Hirschmann hardware
    AD SNMP with Cisco hardware
    AD SNMP with Microsoft Windows OS
  WMI

CHAPTER 1 About this documentation

• Document purpose
• Warnings and notices

Document purpose

This configuration guide explains how to configure Active Discovery in Cisco Cyber Vision and gives details on expected results. This documentation is applicable to system version 4.3.0.

Active Discovery is available on the following devices:
• Cisco Catalyst IE3300 10G Rugged Series Switch
• Cisco Catalyst IE3400 Rugged Series Switch
• Cisco Catalyst IE9300 Rugged Series Switch
• Cisco Catalyst 9300 Series Switch
• Cisco Catalyst 9400 Series Switch
• Cisco IC3000 Industrial Compute Gateway
• Cisco IR8340 Integrated Services Router Rugged

Warnings and notices

This manual contains notices you have to observe to ensure your personal safety as well as to prevent damage to property. The notices referring to your personal safety and to your property damage are highlighted in the manual by a safety alert symbol described below. These notices are graded according to the degree of danger.

Warning: Indicates risks that involve industrial network safety or production failure that could possibly result in personal injury or severe property damage if proper precautions are not taken.

Important: Indicates risks that could involve property or equipment damage and minor personal injury if proper precautions are not taken.

Note: Indicates important information on the product described in the documentation to which attention should be paid.

CHAPTER 2 Overview

• General principles
• Design considerations
• Basic configuration workflow

General principles

Active Discovery allows the sensor to send packets to the network to discover previously unseen devices and gather additional properties for known devices.

There are two different types of Active Discovery operations:
• Broadcast: The sensor sends Broadcast packets targeting all the devices in the subnet. Devices that support the protocol will respond and appear in Cisco Cyber Vision.
• Unicast: The sensor sends Unicast packets to known components and analyses the responses received.

The protocols supported for Active Discovery operations are:
• Broadcast:
  • EtherNet/IP
  • Profinet
  • SiemensS7
  • ICMPv6
• Unicast:
  • EtherNet/IP
  • SiemensS7
  • SNMPv2c
  • SNMPv3
  • WMI

For more information about discoverable properties, refer to Annex: Active Discovery protocols.

Design considerations

Several requirements must be met when deploying and configuring Active Discovery on a sensor:
• The sensor must have access to the required subnet:
  • For Broadcast discovery, the target subnet/VLAN must be directly accessible from the sensor, meaning the sensor must have an IP address set in this subnet. On IOx sensors, the AppGigabit interface must be in trunk mode, and the VLAN must be allowed on this port. On the Cisco IC3000, one of the interfaces must be connected to a port on the VLAN, with no span configured on this port.
  • For Unicast discovery, the target subnet/VLAN must be either directly accessible from the sensor, or the sensor must have the required gateway or route to reach the targeted devices.
• The list of nodes targeted in Unicast discovery comes from the device list of the preset that launches the discovery.
A preset configured with sensors in its filter will trigger Active Discovery on these sensors. This means that only the components that have been filtered by this particular preset will be scanned.

Basic configuration workflow

To configure Active Discovery, you must perform the following steps:
• Deploy a sensor with the required configuration: IP address, VLAN, gateway or routes.
• Create an Active Discovery policy containing the protocols needed and their respective parameters.
• Create an Active Discovery profile with a policy and target IP addresses, and set an execution time or run it once.

CHAPTER 3 Sensor configuration

The Active Discovery configuration procedure varies depending on the sensor model, whether it is a switch, a router or a Cisco IC3000.

To configure Active Discovery on a switch or a router, the sensors must have been previously deployed using the IOx sensor application file with Active Discovery. In this case, the Active Discovery button should appear in the sensor right side panel in Cisco Cyber Vision's Sensor Explorer page.

On a Cisco IC3000, you can configure Active Discovery by performing a manual configuration or by redeploying the sensor via the sensor extension.

• Configure Active Discovery on a Cisco switch or router
• Configure Active Discovery on a Cisco IC3000

Configure Active Discovery on a Cisco switch or router

Before you begin

This procedure is applicable to:
• Cisco IE3300 10G, Cisco IE3400 and Cisco IE9300.
• Cisco Catalyst 9300, Cisco Catalyst 9300X and Cisco Catalyst 9400.
• Cisco IR1101 and Cisco IR8340 Integrated Services Router Rugged.

The sensors must have been deployed using the IOx sensor application file with Active Discovery.

Procedure

Step 1 Navigate to Admin > Sensors > Sensor Explorer.

Step 2 Select a sensor in the list. The sensor right side panel appears.
The Active Discovery button is displayed if the sensor is compatible. If there is no Active Discovery button in the panel, you must redeploy the sensor using the IOx application file with Active Discovery.

Step 3 Click the Active Discovery button. The Active Discovery Configuration window pops up.

Step 4 If necessary, tick the Use collection interface check box so that Active Discovery uses the Collection network interface to run discovery on the same subnet as the sensor IP, or through the sensor Collection gateway. The Collection network interface is added in the list on the right.

Step 5 Click + New network interfaces for the sensor to perform Active Discovery on additional subnetworks.

Step 6 Fill in the following parameters to set dedicated network interfaces:
• IP address
• Prefix length
• VLAN number

Step 7 Click Add. You can add as many network interfaces as needed.

Step 8 Click OK.

The following diagrams show how Active Discovery is created and how packets navigate inside the switch (in red).

Figure 1: IE3300 10G and IE3400
Figure 2: Catalyst 9300 and Catalyst 9400
Figure 3: IR8340

What to do next

Proceed to Policies configuration.

Configure Active Discovery on a Cisco IC3000

Before you begin

This procedure is applicable to the Cisco IC3000 Industrial Compute Gateway.

The sensors must have been deployed using the IOx sensor application file with Active Discovery.

Procedure

Step 1 Navigate to Admin > Sensors > Sensor Explorer.
Step 2 Select a sensor in the list. The sensor right side panel appears. The Active Discovery button is displayed if the sensor is compatible. If there is no Active Discovery button in the panel, you must redeploy the sensor using the IOx application file with Active Discovery.

Step 3 Click the Active Discovery button. The Active Discovery Configuration window pops up.

Step 4 If necessary, tick the Use collection interface check box so that Active Discovery uses the Collection network interface to run discovery on the same subnet as the sensor IP, or through the sensor Collection gateway. The Collection network interface is added in the list on the right.

Step 5 Click + New network interface for the sensor to perform Active Discovery on additional subnetworks.

Step 6 Select a physical interface and fill in the following parameters to set a dedicated network interface:
• IP address
• Prefix length
• VLAN number

Step 7 Click Add. The network interface appears on the right. You can add as many network interfaces as needed.

Step 8 Click Configure.

The following diagram shows how Active Discovery is created and how packets navigate inside the Cisco IC3000 (in red).

What to do next

Proceed to Policies configuration.

CHAPTER 4 Policies configuration

• Create a policy
• Set Active Discovery Broadcast
• Set Active Discovery Unicast
• Modify a policy

Create a policy

An Active Discovery policy is a list of settings that define the protocols, and their parameters, that will be used to inspect the industrial network. The policy will be applied to an IP address, an IP range and/or a preset and used on a list of sensors and components.

Procedure

Step 1 Navigate to Admin > Active Discovery > Policies.

Step 2 Click + Create policy. A Create an Active Discovery policy overlay appears.

What to do next
• Set Active Discovery Broadcast
• Set Active Discovery Unicast

Set Active Discovery Broadcast

Before you begin

Active Discovery is compatible with the following Broadcast protocols:
• EtherNet/IP
• Siemens S7
• Profinet
• ICMPv6

The sensor will send requests on all defined interfaces.

Procedure

Step 1 Type a policy name.

Step 2 Toggle the Broadcast protocol buttons ON to enable Active Discovery on these protocols.

Step 3 Leave the Retry and Timeout settings with the default values (3 and 10).
Retry: number of request attempts.
Timeout: waiting time in seconds for a response.

Step 4 Click Create to finish or add Unicast configurations to the policy.

What to do next

Set Active Discovery Unicast

Set Active Discovery Unicast

Procedure

Step 1 Give the policy a name.
Step 2 Under Unicast configuration, click + Add protocol-specific configuration.

Step 3 Click the Select protocol dropdown menu and select a protocol.

What to do next

See the configurations per protocol below.

Set Active Discovery Unicast BACnet

Set Active Discovery Unicast BACnet to search for devices and components with BACnet requests. All components with an IPv4 address will be queried.

Procedure

Step 1 Toggle the Enable button ON.

Step 2 Leave the Retry attempts and Timeout settings with the default values (0 and 5).

Step 3 Click Save. The menu closes.

Step 4 Click Create.

Set Active Discovery Unicast DNP3

Set Active Discovery Unicast DNP3 to search for devices and components with DNP3 requests. All components with an IPv4 address will be queried.

Procedure

Step 1 Toggle the Enable button ON.

Step 2 Leave the Retry attempts and Timeout settings with the default values (0 and 5).

Step 3 Leave the Source Address and Max Destination Address with the default values (0 and 16).

Step 4 Click Save. The menu closes.

Step 5 Click Create.

Set Active Discovery Unicast Ethernet/IP

Set Active Discovery Unicast Ethernet/IP to search for devices and components with Ethernet/IP requests. All components with an IPv4 address will be queried.

Procedure

Step 1 Toggle the Enable button ON.

Step 2 Leave the Retry attempts and Timeout settings with the default values (0 and 5).

Step 3 You can toggle the Backplane discovery button ON. Active Discovery will look for the different module details within the discovered chassis.

Step 4 Click Save. The menu closes.

Step 5 Click Create.

Set Active Discovery Unicast Melsoft

Set Active Discovery Unicast Melsoft to search for devices and components with Melsoft requests. All Mitsubishi components with an IPv4 address will be queried.

Procedure

Step 1 Toggle the Enable button ON.

Step 2 Leave the Retry attempts and Timeout settings with the default values (0 and 5).

Step 3 Click Save. The menu closes.

Step 4 Click Create.

Set Active Discovery Unicast Modbus

Set Active Discovery Unicast Modbus to search for devices and components with Modbus requests. All components with an IPv4 address will be queried.

Procedure

Step 1 Toggle the Enable button ON.

Step 2 Leave the Retry attempts and Timeout settings with the default values (1 and 5).

Step 3 Click Save. The menu closes.

Step 4 Click Create.

Set Active Discovery Unicast OMRON

Set Active Discovery Unicast OMRON to search for devices and components with FINS requests. All components with an IPv4 address will be queried.

Procedure

Step 1 Toggle the Enable button ON.

Step 2 Leave the Retry attempts and Timeout settings with the default values (1 and 5).

Step 3 Click Save. The menu closes.

Step 4 Click Create.

Set Active Discovery Unicast SiemensS7

Set Active Discovery Unicast SiemensS7 to search for devices and components with SiemensS7 requests. SiemensS7 is a communication protocol used on Siemens PLCs. Siemens PLCs with an IPv4 address will be queried.

Procedure

Step 1 Toggle the Enable button ON.

Step 2 Leave the Retry attempts and Timeout settings with the default values (0 and 5).

Step 3 Enter a number of racks and slots to be queried.
Slot: number of modules to search for within a chassis.

Step 4 Click Save. The menu closes.

Step 5 Click Create.

Set Active Discovery Unicast SiemensS7plus

Set Active Discovery Unicast SiemensS7plus to search for devices and components with SiemensS7plus requests. SiemensS7plus is a communication protocol used on the latest Siemens PLCs. Siemens PLCs with an IPv4 address will be queried.

Procedure

Step 1 Toggle the Enable button ON.

Step 2 Leave the Retry attempts and Timeout settings with the default values (1 and 5).

Step 3 Click Save. The menu closes.

Step 4 Click Create.

Set Active Discovery Unicast SNMPv2c

Set Active Discovery Unicast SNMPv2c to search for devices and components with SNMPv2c requests. All components with an IPv4 address will be queried. Default OIDs are requested for all devices and some specific OIDs are requested based on the vendor and the type of components.

Procedure

Step 1 Toggle the Enable button ON.

Step 2 Leave the Retry attempts and Timeout settings with the default values (0 and 5).

Step 3 Type a community string for authentication. The community string is defined by IT or network administrators. The value "public" is often used by default.

Step 4 You can toggle the Enable SNMPv1 fallback button ON. Active Discovery will look for PLCs and I/O chassis with module details.

Step 5 Click Save. The menu closes.

Step 6 Click Create.

Refer to the Annex appended at the end of this document to see examples of Unicast SNMPv2c results and detailed information about packets.

Set Active Discovery Unicast SNMPv3

Set Active Discovery Unicast SNMPv3 to search for devices and components with SNMPv3 requests. All components with an IPv4 address will be queried.
Default OIDs are requested for all devices and some specific OIDs are requested based on the vendor and the type of components.

Procedure

Step 1 Toggle the Enable button ON.

Step 2 Leave the Retry attempts and Timeout settings with the default values (0 and 5).

Step 3 Type a community string for authentication. The community string is defined by IT or network administrators. The value "public" is often used by default.

Step 4 Select the proper security and privacy level based on the information provided by the IT or network administrators.

All options available on SNMPv3 are implemented in Cisco Cyber Vision. Three security levels are available:
• Disable both authentication and privacy. Only a username is requested for authentication.
• Enable authentication and disable privacy. Authentication will be based on HMAC-MD5 or HMAC-SHA algorithms. Select the algorithm to use and provide a username and an authentication password.
• Enable both authentication and privacy. In addition to the previous level, DES or AES encryption of the content is requested. Select the level of encryption to use and provide a username and an authentication password. In addition, you must provide a password used for the encryption.

Step 5 Click Save. The menu closes.

Step 6 Click Create.

Refer to the Annex appended at the end of this document to see examples of Unicast SNMPv3 results and detailed information about packets.

Set Active Discovery Unicast WMI

Set Active Discovery Unicast WMI (Windows Management Instrumentation) to collect Windows information such as local host names and operating system versions.

Procedure

Step 1 Toggle the Enable button ON.

Step 2 Leave the Retry attempts and Timeout settings with the default values (0 and 5).

Step 3 Enter a Windows user account and password with the suitable WMI rights. An Active Directory user account for authentication on multiple hosts with single login credentials can also be used.

Step 4 Click Save. The menu closes.

Step 5 Click Create.

Modify a policy

Procedure

Step 1 Navigate to Admin > Active Discovery > Policies.

Step 2 Click the policy you want to modify in the list. An overlay appears with the policy's configurations.

Step 3 Click Edit, Duplicate or Delete. If you clicked Edit, an Edit policy overlay appears.

Step 4 You can toggle the buttons ON/OFF to enable/disable broadcast protocols.

Step 5 Click the pencil button to edit Unicast protocol settings. The Unicast configuration panel appears below the list of Unicast protocols.

Step 6 Make the necessary modifications.

Step 7 Click Save. The overlay closes.

Step 8 Click Update.

CHAPTER 5 Profiles configuration

• Set an Active Discovery profile

Set an Active Discovery profile

Set an Active Discovery profile by adding a policy, targeting IP addresses and arranging a schedule.

Procedure

Step 1 On Cisco Cyber Vision, navigate to Admin > Active Discovery > Profiles.

Step 2 Click the Create profile button. A form to create an Active Discovery profile pops up.
Step 3 Give the profile a name.

Step 4 Select a policy to base the profile on.

Step 5 Set target IP addresses. Different options are available, such as:
• selecting a preset: the preset's device list will be used to list the IP addresses to be queried. In other words, the Active Discovery engine will use the IPv4 addresses inside a component list to build its own list of components to check. You can use default and custom presets.
• setting IP targets: you can directly add the IP addresses, IP ranges and subnets you want to be queried.
• selecting sensors: all IP addresses detected by a sensor will be queried. You can also tick the Use all sensors available option.

Step 6 Optionally, you can arrange a schedule for Active Discovery to be launched. To do so:
a) Toggle ON the Schedule periodic discoveries button. Additional options to set up appear.
b) Set a time range by selecting a start and end date and time. The end date and time is optional. If you don't set it, Active Discovery will be launched endlessly.
c) Set a frequency. You can set it to hourly, daily, weekly and monthly.

Step 7 Click Create. The profile is added to the list and discovery is enabled by default if scheduling is set.

CHAPTER 6 Launch Active Discovery

• Launch Active Discovery

Launch Active Discovery

Enable Active Discovery on the profiles created. You can run it once or launch the scheduling if it's paused.

Procedure

Step 1 On Cisco Cyber Vision, navigate to Admin > Active Discovery > Profiles.

Step 2 Click a profile in the list. Its right side panel opens.

Step 3 You can run the discovery once or resume scheduling.
• Click Run once. A message indicating that Active Discovery will be launched soon appears.
• Click Resume scheduling. The scheduling status switches from paused to scheduled. The discovery will be launched as configured. You can change these configurations by clicking Edit.

Step 4 You can click the link in the last discovery column to see a profile's Active Discovery results. A window opens with the result details.

CHAPTER 7 Annex: Active Discovery protocols

All protocols implemented in the Active Discovery feature use standard packets commonly used by vendors. The system will never send requests on the network without a clear configuration made by the user. It is possible to schedule requests at a pre-defined frequency.

Discovered devices' responses will depend on the protocol implemented by the manufacturer and the user configuration. Except for what is clearly stated in this documentation, no specific configuration is required on discovered devices. Devices may give an answer by default, but it can vary in the field depending on the configuration.

This annex gives examples of the packets used by Cisco Cyber Vision to discover devices and of typical answers the user can expect.
• BACnet
• DNP3
• EtherNet/IP
• Melsoft
• Modbus
• OMRON
• Profinet Multicast
• S7 Broadcast
• S7 Unicast
• S7Plus
• ICMPv6 Multicast
• SNMP Unicast
• WMI

BACnet

DNP3

EtherNet/IP

Ethernet/IP Active Discovery can be performed by Cisco Cyber Vision using Broadcast or Unicast mode. In either case, the requests sent and the component properties collected in return will be the same. The main differences will be:
• Broadcast will discover all devices in the local LAN.
• Unicast will only discover the devices and components which have an IPv4 address.
• Once an EtherNet/IP node is discovered, Unicast will search for the device's content. If a device is a chassis with a backplane, it will be queried and all modules will send their properties.

The EtherNet/IP command used is the List Identity request (0x00063). This command will be sent to the IPv4 broadcast address, or directly to an IPv4 address, or to a module inside a backplane behind an IPv4 address.
The result, whether in Broadcast or Unicast, will always be the same CIP Identity response (0x000c) with the following properties:

#   Name            Cyber Vision Properties   Example
1   Vendor ID       enip-vendor               Rockwell Automation/Allen-Bradley
2   Device Type     enip-devicetype           ProgrammableLogicController
3   Product Code    enip-productcode          235
4   Revision        enip-version              33.012
5   Status          enip-status               AtLeastOneIOConnectionInRunMode, MinorRecoverableFault, ReservedBits12-15:0x3
6   Serial Number   enip-serial               01105356
7   Product Name    enip-name                 1756-L81ES/B

EtherNet/IP Broadcast or Unicast

A Broadcast Ethernet/IP Active Discovery consists of a packet sent by the sensor which requests EtherNet/IP identities from all devices in the local LAN. For example, a sensor with an Active Discovery IPv4 address 192.168.20.192/24 will send this EtherNet/IP request to the Broadcast address, here 192.168.20.255. All devices in the IPv4 range 192.168.20.0 to 192.168.20.254 will answer with the packet described above (CIP Identity response (0x000c)).

A direct Unicast Ethernet/IP (i.e. no backplane) will consist of the same request but sent directly to the device. When a preset is configured to query EtherNet/IP devices, the system will take the list of components of this preset which have an IPv4 address. Then, the Active Discovery engine will try to reach each IPv4 address with this EtherNet/IP identities request. All reachable EtherNet/IP nodes of this list will answer with the packet described above (CIP Identity response (0x000c)).

In both cases (Broadcast and Unicast), the answer will be sent by the discovered devices to the sensor's Active Discovery network interface. The answer will be a UDP packet for the Broadcast request and some TCP packets for the Unicast request.
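
The List Identity exchange and the property table above, as an added Python example (not part of the Cisco guide and not Cyber Vision code): it builds the request header, derives the broadcast target from the 192.168.20.192/24 sensor address used above, and parses a reply into the enip-* property names. The reply bytes are constructed from the table's example values; the function names, the partial lookup tables and the 192.168.20.10 device address are assumptions.

```python
import ipaddress
import struct

LIST_IDENTITY = 0x0063        # encapsulation command for List Identity
CIP_IDENTITY_ITEM = 0x000C    # item type of the CIP Identity response
# Encapsulation header: command, length, session, status, sender context, options
ENCAP_HEADER = struct.Struct("<HHII8sI")
# Fixed part of the identity item: protocol version, socket address, vendor ID,
# device type, product code, revision major/minor, status, serial, name length
IDENTITY_FIXED = struct.Struct("<H16sHHHBBHIB")

# Partial lookup tables (assumption: only the values used in this example).
VENDORS = {1: "Rockwell Automation/Allen-Bradley"}
DEVICE_TYPES = {12: "CommunicationsAdapter", 14: "ProgrammableLogicController"}


def broadcast_target(sensor_cidr):
    """Broadcast address of the subnet a sensor interface sits in."""
    return str(ipaddress.ip_interface(sensor_cidr).network.broadcast_address)


def build_list_identity_request():
    """List Identity carries no payload: the request is the 24-byte header."""
    return ENCAP_HEADER.pack(LIST_IDENTITY, 0, 0, 0, b"\x00" * 8, 0)


def parse_identity(item):
    """Map one CIP Identity item to the property names shown in the table."""
    if len(item) < IDENTITY_FIXED.size:
        raise ValueError("truncated CIP Identity item")
    (_version, sockaddr, vendor, dev_type, product, major, minor,
     status, serial, name_len) = IDENTITY_FIXED.unpack_from(item)
    name = item[IDENTITY_FIXED.size:IDENTITY_FIXED.size + name_len]
    if len(name) != name_len:
        raise ValueError("product name runs past the end of the item")
    return {
        # Address the device reports about itself (socket address is big-endian).
        "ip": str(ipaddress.IPv4Address(sockaddr[4:8])),
        "enip-vendor": VENDORS.get(vendor, "unknown (%d)" % vendor),
        "enip-devicetype": DEVICE_TYPES.get(dev_type, "unknown (%d)" % dev_type),
        "enip-productcode": product,
        "enip-version": "%d.%03d" % (major, minor),
        "enip-status": "0x%04x" % status,     # raw status word, not decoded
        "enip-serial": "%08x" % serial,
        "enip-name": name.decode("ascii", errors="replace"),
    }


def parse_list_identity_reply(data):
    """Return one dict per CIP Identity item; reject malformed replies."""
    if len(data) < ENCAP_HEADER.size:
        raise ValueError("truncated encapsulation header")
    command, length, _sess, status, _ctx, _opts = ENCAP_HEADER.unpack_from(data)
    if command != LIST_IDENTITY or status != 0:
        raise ValueError("not a successful List Identity reply")
    body = data[ENCAP_HEADER.size:ENCAP_HEADER.size + length]
    if length < 2 or len(body) != length:
        raise ValueError("declared length does not match the data")
    (count,) = struct.unpack_from("<H", body)
    offset, identities = 2, []
    for _ in range(count):
        if offset + 4 > len(body):
            raise ValueError("item header runs past the reply")
        item_type, item_len = struct.unpack_from("<HH", body, offset)
        offset += 4
        item = body[offset:offset + item_len]
        if len(item) != item_len:
            raise ValueError("item runs past the reply")
        offset += item_len
        if item_type == CIP_IDENTITY_ITEM:
            identities.append(parse_identity(item))
    return identities


def sample_reply():
    """Constructed reply using the example values from the table above."""
    name = b"1756-L81ES/B"
    sockaddr = struct.pack(">HH4s8s", 2, 44818,
                           ipaddress.IPv4Address("192.168.20.10").packed,
                           b"\x00" * 8)
    item = IDENTITY_FIXED.pack(1, sockaddr, 1, 14, 235, 33, 12,
                               0x3160, 0x01105356, len(name))
    item += name + b"\x03"                    # trailing device state byte
    body = struct.pack("<HHH", 1, CIP_IDENTITY_ITEM, len(item)) + item
    return ENCAP_HEADER.pack(LIST_IDENTITY, len(body), 0, 0, b"\x00" * 8, 0) + body


if __name__ == "__main__":
    print("request goes to", broadcast_target("192.168.20.192/24"))
    for identity in parse_list_identity_reply(sample_reply()):
        print(identity)
```

Run over reply payloads extracted from a capture, the same parser gives an independent inventory to compare against what Cyber Vision reports for each node.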

Figure 4: Example of properties received from a Rockwell Automation EtherNet/IP communication adapter (1756-EN2T)
Figure 5: Example of properties received from a Rockwell Automation EtherNet/IP safety controller (1756-L81ES)
Figure 6: Example of properties received from a Schneider Electric EtherNet/IP controller (TM221ME16R)

Ethernet/IP backplane discovery

To browse backplanes, the Active Discovery policy with the Unicast EtherNet/IP protocol enabled needs to have the backplane discovery option set to enabled. In that case, all EtherNet/IP nodes detected by Active Discovery Ethernet/IP Unicast will be queried again by the sensor. The sensor will try to determine the backplane size and then send a request to the different modules (link addresses from 0 to the chassis size). All modules will then send their properties such as the product reference and the firmware version.

For example, an Ethernet/IP communication adapter with the IPv4 address 192.168.20.22 was first discovered. Then, all seven slots of the chassis backplane were queried.
Four of them answered back, which allowed Cisco Cyber Vision to build a Controller Rack.

A controller and a firmware version were discovered in slot 0 of this backplane thanks to Active Discovery.

Melsoft

Modbus

OMRON

Profinet Multicast

Cisco Cyber Vision Active Discovery can use a Profinet DCP service called Identify Request. This request will be sent by the sensor interfaces defined for Active Discovery. All Profinet devices will answer with a specific Profinet DCP identify response packet.

The request is sent by the sensor MAC address to a specific Ethernet Multicast address: 01:0e:cf:00:00:00. This Profinet DCP Multicast address will allow Cisco Cyber Vision to reach all Profinet nodes on the local LAN. The answer of each node will be a specific Profinet DCP packet sent to the sensor MAC address.

The information collected is:
• The IP address + mask.
• The Manufacturer name.
• The name of the station.

Figure 7: For example, a Siemens S7-1500 controller

S7 Broadcast

Cyber Vision Active Discovery can use a request on the S7 discovery protocol with the command "identification". This request will be sent by the sensor interfaces defined for Active Discovery. All S7 devices will answer with a specific S7 Discovery identification response packet.

The request is sent by the sensor MAC address to the Ethernet broadcast address: ff:ff:ff:ff:ff:ff.
The answer of each S7 protocol capable node is a specific S7 discovery packet sent from the device MAC address to the sensor MAC address.

The information collected is:
• The model name.
• The name of the device.

Figure 8: For example, a Siemens S7-300 controller:

S7 Unicast

The Active Discovery engine uses a specific S7 Unicast command to request properties from S7-compatible devices, such as:
• Hardware reference
• Firmware version

S7Plus

ICMPv6 Multicast

For the ICMPv6 Active Discovery protocol, the Cisco Cyber Vision sensor sends an ICMPv6 Echo request (ping) to the all-nodes link-local scope multicast address. The sensor thus pings all IPv6 nodes on the local link. All reachable nodes answer back with their link-local IPv6 address and their MAC address.

Cisco Cyber Vision sensors use a specific ICMPv6 packet, an echo request (type 128), sent to the address ff02::1 (all nodes on the local network segment) with a hop limit of 1. The different nodes answer with an ICMPv6 Neighbor Solicitation (type 135) to the Solicited-Node Multicast address, which has the form ff02::1:ff followed by the least-significant 24 bits of the sensor IPv6 Unicast address.

Figure 9: For example, a sensor with IPv6 address fe80::d2ec:35ff:feca:962a is requesting ff02::1. Three different devices are answering back:

SNMP Unicast

The Cisco Cyber Vision sensor can use the SNMP protocol to collect information about network devices. SNMP Active Discovery results highly depend on the configuration, type and version of the queried devices.
Some devices might respond without any specific configuration, others might need complex configurations, and others might not respond at all.

While doing SNMP Active Discovery, the sensor tries to read some generic and vendor-specific values. The sensor uses the generic values to build extra queries based on vendors and hardware models. Generic values collected are:

Property          Description
snmp-sys-descr    Description
snmp-sys-name     Name

The Cisco Cyber Vision sensor Active Discovery supports:
• SNMP Version 2c (SNMPv2c) with a fallback to SNMP Version 1 (SNMPv1).
• SNMP Version 3 (SNMPv3). SNMPv3 Active Discovery is able to provide authentication and encryption.

All SNMP versions give the same results in the Cisco Cyber Vision application. The versions matter with regard to data access.

The subsequent sections describe the SNMP results with different types of network devices.

AD SNMP with Schneider PLC

The Cisco Cyber Vision SNMP Active Discovery with Schneider Electric PLC requests generic values (snmp-sys-descr and snmp-sys-name).

Typical results with nodes where SNMP is enabled by default are:

AD SNMP with Siemens PLC

The Cisco Cyber Vision SNMP Active Discovery with Siemens PLC requests generic values (snmp-sys-descr and snmp-sys-name).

Typical results with nodes where SNMP is enabled by default are:

AD SNMP with Rockwell PLC

The Cisco Cyber Vision SNMP Active Discovery with Rockwell Automation PLC requests generic values (snmp-sys-descr and snmp-sys-name).
Typical results with nodes where SNMP is enabled by default are:

AD SNMP with Moxa switches

The Cisco Cyber Vision SNMP Active Discovery with Moxa switches requests generic values (snmp-sys-descr and snmp-sys-name) with the addition of:

Property                    Description
snmp-moxapriv-model-name    Model
snmp-moxapriv-fw-version    Firmware version

Typical results with nodes where SNMP is enabled by default are:

AD SNMP with Siemens Switches

The Cisco Cyber Vision SNMP Active Discovery with Siemens switches requests generic values (snmp-sys-descr and snmp-sys-name) with the addition of:

Property                               Description
snmp-siemens-scalence-model-ref        Model
snmp-siemens-scalence-model-version    Firmware version

Typical results with nodes where SNMP is enabled by default are:

AD SNMP with Hirschmann hardware

The Cisco Cyber Vision SNMP Active Discovery with Hirschmann switches requests generic values (snmp-sys-descr and snmp-sys-name) with the addition of:

Property                       Description
snmp-hmpriv-mgmt-model-ref     Model
snmp-hmpriv-mgmt-fw-version    Firmware version
snmp-hm2-indus-model-ref       Model
snmp-hm2-indus-fw-version      Firmware version
snmp-hm-disc-fw-version        Firmware version
snmp-hm-disc-model-ref         Model

Typical results with nodes where SNMP is enabled by default are:

AD SNMP with Cisco hardware

The Cisco Cyber Vision SNMP Active Discovery with Cisco hardware requires some specific configuration on the device side and requests generic values (snmp-sys-descr and snmp-sys-name) with the addition of:

Property                           Description
snmp-ent-physical-model-name       Model
snmp-ent-physical-entry            Description
snmp-ent-physical-serial-number    Serial number
snmp-probe-software-rev            Firmware version

Typical results with nodes where SNMP is enabled by default are:

AD SNMP with Microsoft Windows OS

The Cisco Cyber Vision SNMP Active Discovery with Microsoft Windows stations requires a specific operating system configuration and requests generic values (snmp-sys-descr and snmp-sys-name) with the addition of:

Property                    Description
snmp-primary-domain-name    Domain name of the machine

Typical results with nodes where SNMP is enabled by default are:

WMI

WMI is used to collect the following properties of Windows hosts:
• wmi-caption: operating system's name and version
• wmi-kb-list: security updates installed on the host
• wmi-last-update: latest update date
• wmi-name: host name
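The Profinet DCP identify response described under Profinet Multicast can be decoded into the three collected properties as shown here. This is an added example, not Cisco's code: the frame layout and the option/suboption numbers come from the PROFINET DCP protocol rather than from this guide, the frame is assumed to be untagged (no VLAN header), and the function names and the sample frame are constructed for illustration.

```python
import ipaddress
import struct

ETHERTYPE_PROFINET = 0x8892          # assumption: from the DCP protocol, not this guide
FRAME_ID_IDENTIFY_RESPONSE = 0xFEFF
SERVICE_IDENTIFY, TYPE_RESPONSE_OK = 0x05, 0x01
EXPECTED = (ETHERTYPE_PROFINET, FRAME_ID_IDENTIFY_RESPONSE,
            SERVICE_IDENTIFY, TYPE_RESPONSE_OK)

def parse_identify_response(frame: bytes) -> dict:
    """Extract MAC, IP/mask, manufacturer and station name from an untagged frame."""
    if len(frame) < 26:
        raise ValueError("too short for Ethernet + DCP headers")
    ethertype, frame_id, service, stype, _xid, _rsvd, dlen = struct.unpack(
        "!HHBBIHH", frame[12:26])
    if (ethertype, frame_id, service, stype) != EXPECTED:
        raise ValueError("not a DCP identify response")
    blocks = frame[26:26 + dlen]
    if len(blocks) != dlen:
        raise ValueError("DCPDataLength exceeds captured bytes")
    props = {"mac": frame[6:12].hex(":")}   # source MAC = answering device
    pos = 0
    while pos + 4 <= len(blocks):
        option, sub, length = struct.unpack("!BBH", blocks[pos:pos + 4])
        body = blocks[pos + 4:pos + 4 + length]
        if len(body) != length or length < 2:
            raise ValueError("malformed DCP block")
        value = body[2:]                    # skip the 2-byte BlockInfo of responses
        if (option, sub) == (0x01, 0x02) and len(value) == 12:   # IP, mask, gateway
            props["ip"] = str(ipaddress.IPv4Address(value[0:4]))
            props["mask"] = str(ipaddress.IPv4Address(value[4:8]))
        elif (option, sub) == (0x02, 0x01):                      # manufacturer string
            props["manufacturer"] = value.decode("ascii", "replace")
        elif (option, sub) == (0x02, 0x02):                      # name of station
            props["station_name"] = value.decode("ascii", "replace")
        pos += 4 + length + (length & 1)    # blocks are padded to an even length
    return props

def dcp_block(option: int, sub: int, value: bytes) -> bytes:
    body = b"\x00\x00" + value              # BlockInfo = 0
    return struct.pack("!BBH", option, sub, len(body)) + body + b"\x00" * (len(body) & 1)

def build_sample_response() -> bytes:       # constructed frame, all values invented
    blocks = (dcp_block(2, 2, b"plc-line1") + dcp_block(2, 1, b"S7-1500")
              + dcp_block(1, 2, bytes([192, 168, 20, 30, 255, 255, 255, 0, 0, 0, 0, 0])))
    eth = bytes.fromhex("020000000001020000000002") + struct.pack("!H", ETHERTYPE_PROFINET)
    dcp = struct.pack("!HBBIHH", FRAME_ID_IDENTIFY_RESPONSE, SERVICE_IDENTIFY,
                      TYPE_RESPONSE_OK, 0x1234, 0, len(blocks))
    return eth + dcp + blocks
```

The parser rejects frames whose declared DCPDataLength or block lengths do not match the captured bytes, so a truncated capture is not silently turned into a partial inventory record.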
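The Solicited-Node address arithmetic from the ICMPv6 Multicast section, worked for the Figure 9 sensor address and applied to a few packet records. This is an added example, not Cisco's code: the function names, the record layout and every address except the sensor's are constructed, and the check for all-nodes echo requests from a source other than the sensor is an added monitoring idea built on the packet shape the guide describes.

```python
import ipaddress

ECHO_REQUEST, NEIGHBOR_SOLICITATION = 128, 135
ALL_NODES = ipaddress.IPv6Address("ff02::1")

def solicited_node(unicast: str) -> ipaddress.IPv6Address:
    """Prefix ff02::1:ff00:0/104 plus the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def multicast_mac(group) -> str:
    """Ethernet destination of an IPv6 multicast group: 33:33 + low 32 bits."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + low32.to_bytes(4, "big").hex(":")

def classify(sensor: str, packets: list) -> dict:
    """Separate nodes answering the sensor from other hosts sweeping ff02::1."""
    sensor_ip = ipaddress.IPv6Address(sensor)
    group = solicited_node(sensor)
    out = {"answering_nodes": [], "unexpected_sweepers": []}
    for p in packets:
        src, dst = ipaddress.IPv6Address(p["src"]), ipaddress.IPv6Address(p["dst"])
        # The group is shared by every address with the same low 24 bits,
        # so the solicitation target must also be the sensor itself.
        if (p["type"] == NEIGHBOR_SOLICITATION and dst == group
                and ipaddress.IPv6Address(p["target"]) == sensor_ip):
            out["answering_nodes"].append(str(src))
        elif p["type"] == ECHO_REQUEST and dst == ALL_NODES and src != sensor_ip:
            out["unexpected_sweepers"].append(str(src))
    return out

SENSOR = "fe80::d2ec:35ff:feca:962a"   # sensor address from Figure 9
SAMPLE = [                             # constructed packet records
    {"src": SENSOR, "dst": "ff02::1", "type": 128},
    {"src": "fe80::1", "dst": "ff02::1:ffca:962a", "type": 135, "target": SENSOR},
    {"src": "fe80::2", "dst": "ff02::1:ffca:962a", "type": 135, "target": SENSOR},
    {"src": "fe80::3", "dst": "ff02::1:ff00:9", "type": 135, "target": "fe80::9"},
    {"src": "fe80::bad", "dst": "ff02::1", "type": 128},
]

if __name__ == "__main__":
    print(solicited_node(SENSOR), multicast_mac(solicited_node(SENSOR)))
    print(classify(SENSOR, SAMPLE))
```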