Cisco Cyber Vision Network Sensor Installation Guide for Cisco IR1101
Cisco Systems, Inc.
Rev. 0.0.2, 17 September 2020
Owner: Cisco IoT
Author: Juliette Maffet
Cisco Systems, Inc.
Trademark Acknowledgments
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Third party trademarks mentioned are the property of their respective owners.
The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Publication Disclaimer
Cisco Systems, Inc. assumes no responsibility for errors or omissions that may appear in this publication. We reserve the right to change this publication at any time without notice. This document is not to be construed as conferring by implication, estoppel, or otherwise any license or right under any copyright or patent, whether or not the use of any information in this document employs an invention claimed in any existing or later issued patent. A printed copy of this document is considered uncontrolled. Refer to the online version for the latest revision.
Copyright
© 2020 Cisco and/or its affiliates. All rights reserved.
Information in this publication is subject to change without notice. No part of this publication may be reproduced or transmitted in any form, by photocopy, microfilm, xerography, or any other means, or incorporated into any information retrieval system, electronic or mechanical, for any purpose, without the express permission of Cisco Systems, Inc.
Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV Amsterdam, The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Contents
1 About this documentation
    1.1 Document purpose
    1.2 Warnings and notices
2 Overview
3 Requirements
4 Hardware front view
5 Initial configuration
    5.1 Check the Hardware version
    5.2 Check date and time
    5.3 Enable IOx
    5.4 Setup ERSPAN
    5.5 Setup NAT
6 Procedure with the Local Manager
    6.1 Access the Local Manager
    6.2 Install the sensor virtual application
    6.3 Configure the sensor virtual application
    6.4 Generate the provisioning package
    6.5 Import the provisioning package
7 Procedure with the CLI
    7.1 Configure the sensor application
    7.2 Install the sensor application
    7.3 Copy the sensor application's provisioning package
8 Procedure with the CLI and the Cyber Vision sensor management extension
    8.1 IOx APP IR1101 sensor creation
    8.2 IOx APP sensor configuration
1 About this documentation

1.1 Document purpose
This installation guide describes how to perform a clean installation of Cisco Cyber Vision on an IR1101.
This documentation is applicable to system version 3.1.1.

Note
To be able to use the Cisco Cyber Vision sensor management extension, an IP address reachable by the Center Collection interface must be set on the Collection VLAN.

1.2 Warnings and notices
This manual contains notices you have to observe to ensure your personal safety as well as to prevent damage to property.
The notices referring to your personal safety and to your property damage are highlighted in the manual by a safety alert symbol described below. These notices are graded according to the degree of danger.
WARNING
Indicates risks that involve industrial network safety or production failure that could possibly result in personal injury or severe property damage if proper precautions are not taken.
IMPORTANT
Indicates risks that could involve property or Cisco equipment damage and minor personal injury if proper precautions are not taken.
Note
Indicates important information on the product described in the documentation to which attention should be paid.
2 Overview

Proposed architecture:
The architecture proposed and described in this document is for demonstration. The local network engineer should be consulted before applying the parameters used in this document. IP addresses, port numbers and VLAN IDs used should be verified beforehand as wrong configurations could stop normal exchanges and stop the process.

The schema below explains the architecture virtually deployed in the router to embed the sensor application. VLAN and physical ports configuration will allow OT traffic to be copied and communication with the Cisco Cyber Vision Center to be established.

The communication between the Cisco Cyber Vision Center and the sensor is represented in black on the schema. Mirrored OT traffic is represented in yellow.

The architecture in this document is meant for a router with an embedded sensor connected to the Cisco Cyber Vision Center via a VLAN. The schema presents two types of architecture:
■ one with a connection to the Center via a VLAN.
■ the other with a NAT configuration to the Center.

Any port of the router can be used for the communication with the Center.
Only the routed traffic to the port gi0/0/0 can be spanned to the sensor.

Cisco IR1101 Integrated Services Router Rugged:
3 Requirements
The IR1101 needs to be configured with access to the Local Manager and to the CLI (SSH or console port).

Elements to collect
■ The Cisco Cyber Vision Sensor application to collect from Cisco.com, i.e. CiscoCyberVision-sensor-IOx-aarch64-3.1.0.tar.
■ A console cable, for the connection to the IR1101 console port.
OR
■ An Ethernet cable for the connection to the GigE WAN Port IR1101 port.
4 Hardware front view
Before starting, take a moment to note the following parts you're going to use during the procedure.

Cisco IR1101 Integrated Services Router Rugged:
■ 1x RJ45 10/100/1000 BaseT connector (the one on the left) (1)
■ 4x RJ45 10/100 BaseT connector (the ones on the right) (1)
■ SFP fiber port (2)
■ mini-USB console connector (3)
5 Initial configuration

5.1 Check the Hardware version
Check the hardware version using the following command in the hardware's CLI:
    show version

■ The displayed version must be 17.02.01 or higher to be compatible with the CCV Sensor Application.

5.2 Check date and time
The internal clock of the switch must be synchronized and configured properly.

1. Check the date and time using the following command:
    show clock

2. If needed, adjust the time using the following command:
    clock set [hh:mm:ss] [month] [day] [year]

Or access the Local Manager > Configuration > Time.
5.3 Enable IOx
Before installing the Cisco Cyber Vision sensor on the hardware, you must enable IOx.

1. Enable IOx using the following commands:
    configure terminal
    iox

2. Check the IOx service status using the following commands:
    exit
    show iox
5.4 Setup ERSPAN
In order to receive traffic inside the Cisco Cyber Vision Sensor IOx application, the application:
■ must be connected to a VirtualPortGroup,
■ must have the correct IP address assigned,
■ must have a monitor session created.

1. Connect the application to a VirtualPortGroup and set an IP address using the following commands:
    configure terminal
    ip routing
    interface virtualportgroup 0
    ip address 169.254.1.1 255.255.255.252
    exit

2. Create the monitor session using the following commands:
    monitor session 1 type erspan-source
    source interface Gi0/0/0
    no shutdown
    destination
    erspan-id 1
    mtu 1464
    ip address 169.254.1.2
    origin ip address 169.254.1.1
    end
5.5 Setup NAT
You must add NAT rules so that the container can ping the outside. This will be on a different virtual port group than the ERSPAN to separate the traffic.

1. Type the following commands to achieve this configuration:
    configure terminal
    interface GigabitEthernet 0/0/0
    ip nat outside
    media-type rj45
    exit
    interface VirtualPortGroup 1
    ip address 169.254.0.1 255.255.255.252
    ip nat inside
    exit
    ip nat inside source list NAT_ACL interface GigabitEthernet 0/0/0 overload
    ip access-list standard NAT_ACL
    10 permit 169.254.0.0 0.0.0.3
    exit

2. Save the configuration:
    exit
    write mem
6 Procedure with the Local Manager
After the Initial configuration (section 5), proceed to the steps described in this section.

6.1 Access the Local Manager
1. Open a browser and navigate to the IP address you configured on the interface you are connected to.
2. Log in using the Local Manager user account and password.
3. Once logged into the Local Manager, navigate to Configuration > Services > IOx.
4. Log in using the user account and password.
6.2 Install the sensor virtual application
Once logged in, the following menu appears:

1. Click Add New.
2. Select the application archive file (i.e. "CiscoCyberVision-IOx-aarch64-xxx.tar").
3. Add an Application id name (e.g. CCVSensor).
The installation takes a few minutes.
When the application is installed, the following message is displayed:

6.3 Configure the sensor virtual application
1. Click Activate to launch the configuration of the sensor application.
2. Change the disk size to 128 MB. The disk size must not be larger than this.
3. In Advanced Settings, configure tmpfs by filling the text area with the following text:
    --tmpfs /tmp:rw,size=128m

4. Bind the interfaces in the container to an interface on the host in Network Configuration. Start with eth0 by clicking edit in the eth0 line.
5. Select the VPG1 interface.
6. Click Interface setting.

7. Apply the following configurations:
    ♦ Select Static
    ♦ IP/Mask: 169.254.0.2 / 30
    ♦ Default gateway: 169.254.0.1
8. Click OK twice.
9. Click OK again on the popup.
10. Then, apply the following configurations to eth1:
    ♦ Select VPG0.
    ♦ Select Static.
    ♦ IP/Mask: 169.254.1.2 / 30.

11. Click OK.
12. Click the Activate App button.
The operation takes several seconds.
13. Click Applications to display the application's status:

The application is activated and needs to be started.

14. Click the Start button.
The operation takes several seconds.
The application's status changes to "RUNNING".

6.4 Generate the provisioning package
1. In Cisco Cyber Vision, navigate to Admin > Sensors > Management and click INSTALL SENSOR MANUALLY.
2. Select Cisco IOx Application sensor.
3. Fill the Manual sensor information form:
    ♦ The serial number of the hardware.
    ♦ Center IP: leave blank.
    ♦ Gateway: add if necessary.
    ♦ Optionally, select a capture mode.

4. Click the Create Sensor button.

At this point, you should have a new entry for the sensor in Cisco Cyber Vision's sensors management page.

5. Click the entry, then click on the Get Provisioning Package button to download the provisioning package.

This will download the provisioning package which is a zip archive file with the following name structure: <sbs-sensor-config-IR1101SN>.zip (e.g. "sbs-sensor-config-FCW23500HDC.zip").

6.5 Import the provisioning package
1. In the Local Manager, in the IOx configuration menu, click Manage.
2. Navigate to App_DataDir.
3. Click Upload.
4. Choose the provisioning package downloaded (i.e. "sbs-sensor-config-FCW23500HDC.zip"), and add the exact file name in the Path field (i.e. "sbs-sensor-config-FCW23500HDC.zip").
5. Click OK.
6. After a few seconds, the sensor appears as connected in Cisco Cyber Vision.
7. In the IR1101's CLI, save the product configuration by typing the following command:
    write mem
7 Procedure with the CLI
After step 5 of the IR1101 Local Manager procedure, proceed to the following steps.

7.1 Configure the sensor application
Note
In this section, "CCVSensor" is used as the appid.

1. Connect to the IR1101 through SSH or a console.
2. Configure the application payload by typing the following commands:
    enable
    configure terminal
    app-hosting appid CCVSensor
    app-vnic gateway0 virtualportgroup 1 guest-interface 0
    guest-ipaddress 169.254.0.2 netmask 255.255.255.252
    app-vnic gateway1 virtualportgroup 0 guest-interface 1
    guest-ipaddress 169.254.1.2 netmask 255.255.255.252
    app-default-gateway 169.254.0.1 guest-interface 0
    app-resource docker
    run-opts 1 "--tmpfs /tmp:rw,size=128m"
    end

7.2 Install the sensor application
The sensor package needs to be collected from cisco.com. The file has the following name structure: CiscoCyberVision-IOx-aarch64-<version>.tar.

1. Copy the package to a USB key or in the flash memory.
2. Type the following commands on the IR1101's CLI:
    app-hosting install appid CCVSensor package usbflash0:CiscoCyberVision-IOx-aarch64-3.1.0-RC4.tar
Note
Adjust "usbflash0:" in accordance with the sensor package's location (USB port or flash memory).
Replace "CiscoCyberVision-IOx-aarch64-3.1.0-RC4.tar" with the right filename.

3. Check that the application is in "DEPLOYED" state:
    show app-hosting list

4. Activate the application using the following command:
    app-hosting activate appid CCVSensor

5. Start the application using the following command:
    app-hosting start appid CCVSensor

7.3 Copy the sensor application's provisioning package
Copy the provisioning package from the USB key to the application by typing the following command:
    app-hosting data appid CCVSensor copy usbflash0:sbs-sensor-config-FCW23500HDC.zip sbs-sensor-config-FCW23500HDC.zip
The sensor will appear as connected in Cisco Cyber Vision's sensor administrationpage.
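
If the sensor does not come up as connected or receives no mirrored traffic, the usual cause is a mismatch between the addresses entered in sections 5.4, 5.5 and 7.1. The following check is an added example, not part of the Cisco guide: it cross-checks those addresses against each other. The function name check_addressing and the SAMPLE excerpt are assumptions constructed from the commands shown in this guide.

```python
import ipaddress
import re

# Constructed excerpt: the addressing commands of sections 5.4, 5.5 and 7.1.
SAMPLE = """\
interface virtualportgroup 0
 ip address 169.254.1.1 255.255.255.252
interface VirtualPortGroup 1
 ip address 169.254.0.1 255.255.255.252
 ip nat inside
ip access-list standard NAT_ACL
 10 permit 169.254.0.0 0.0.0.3
monitor session 1 type erspan-source
 destination
  erspan-id 1
  ip address 169.254.1.2
  origin ip address 169.254.1.1
app-hosting appid CCVSensor
 app-vnic gateway0 virtualportgroup 1 guest-interface 0
  guest-ipaddress 169.254.0.2 netmask 255.255.255.252
 app-vnic gateway1 virtualportgroup 0 guest-interface 1
  guest-ipaddress 169.254.1.2 netmask 255.255.255.252
 app-default-gateway 169.254.0.1 guest-interface 0
"""

def check_addressing(config):
    """Hypothetical helper: list inconsistencies; an empty list means all lines agree."""
    def find(pattern):
        return re.findall(pattern, config, re.I)
    iface = ipaddress.ip_interface
    vpg = {n: iface(f"{ip}/{mask}") for n, ip, mask in
           find(r"interface virtualportgroup ?(\d+)\s+ip address (\S+) (\S+)")}
    vnics = [(n, gi, iface(f"{ip}/{mask}")) for n, gi, ip, mask in find(
        r"virtualportgroup (\d+) guest-interface (\d+)\s+guest-ipaddress (\S+) netmask (\S+)")]
    problems = []
    for n, gi, guest in vnics:
        # Router side and container side must share a subnet without colliding.
        if n not in vpg or guest.network != vpg[n].network or guest.ip == vpg[n].ip:
            problems.append(f"guest-interface {gi} ({guest}) does not fit VirtualPortGroup {n}")
    pairs = {(str(guest.ip), str(vpg[n].ip)) for n, _, guest in vnics if n in vpg}
    # ERSPAN must originate at a VPG address and target the container on that VPG.
    for dest, origin in find(r"ip address (\S+)\s+origin ip address (\S+)"):
        if (dest, origin) not in pairs:
            problems.append(f"ERSPAN {origin} -> {dest} matches no app-vnic")
    # Standard ACL entries in "network wildcard" form only; wildcard = inverted netmask.
    acl = [ipaddress.ip_network(
               f"{net}/{ipaddress.ip_address(int(ipaddress.ip_address(w)) ^ 0xFFFFFFFF)}",
               strict=False)
           for net, w in find(r"\d+ permit (\S+) (\S+)")]
    for gw, gi in find(r"app-default-gateway (\S+) guest-interface (\d+)"):
        for n, g, guest in (v for v in vnics if v[1] == gi):
            if n in vpg and str(vpg[n].ip) != gw:
                problems.append(f"default gateway {gw} is not VirtualPortGroup {n}")
            if not any(guest.ip in net for net in acl):
                problems.append(f"{guest.ip} is not permitted by the NAT access list")
    return problems

if __name__ == "__main__":
    print(check_addressing(SAMPLE) or "addressing is consistent")
```

Paste the relevant lines of the router's configuration in place of SAMPLE; each returned string names the pair of commands that disagree.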
8 Procedure with the CLI and the Cyber Vision sensor management extension
After step 5 of the IR1101 Local Manager procedure, proceed to the following steps.

8.1 IOx APP IR1101 sensor creation
1. In Cisco Cyber Vision, navigate to Admin > Sensors > Management and click DEPLOY IOX APP.

2. Fill the requested fields so Cisco Cyber Vision can reach the equipment:
    ♦ IP Address: admin address of the equipment
    ♦ Port: management port
    ♦ User: user with the admin rights of the equipment
    ♦ Password: password of the admin user
    ♦ Capture Mode: Optionally, select a capture mode.

3. Click the Deploy button.
The Center will reach the equipment and display the second parameter list. For this step to succeed, the equipment needs to be reachable by the Center on its eth1 connection.

8.2 IOx APP sensor configuration
If the Center can reach the equipment, the following window appears:
While some parameters are filled automatically, you can still change them if necessary.

1. Fill the following parameters for the Collection interface:
    ♦ Capture IP address: IP address destination of the monitor session in the IR1101
    ♦ Capture subnet mask: mask of the capture IP address
    ♦ Collection IP address: IP address of the sensor in the IR1101
    ♦ Collection subnet mask: mask of the Collection IP address
    ♦ Collection gateway: gateway of the Collection IP address

2. Click the Deploy button.
The Center starts deploying the sensor application on the target equipment. This can take a few minutes.
Once the deployment is finished, a new sensor appears in the sensors list.
The sensor's status will eventually turn to connected.