Add Network Devices and Assets

Note: Only the SEA System Admin role can access this interface in IoT OD.

Use System Management to provide secure remote communication with IoT network devices and assets. The asset can either be a network device or the subtended devices attached to that network device.

Note: Cisco also provides a guided new user workflow and a quick wizard designed to help a first-time SEA System Admin access a remote OT Asset in a few steps. For more information, see SEA: New User Workflow. For a more efficient means of installing and updating network devices or assets, see SEA Quick Wizard.

Summary steps

  1. Add Network Devices that were previously onboarded and configured.
  2. Add the Network Devices in the SEA Service, which installs the SEA Agent on each device.
  3. Add the Asset attached to the network devices that users can access.
  4. Configure SEA Plus protocols for network devices and Assets.

Note: On Cisco IR devices running IOS or IOS-XE, the SEA Agent is automatically installed and configured on the network device.

Add network devices

  1. From the Services pane, choose Secure Equipment Access > System Management.
  2. From the Network Devices tab, click Add Network Device. A list of possible network devices opens.

System Management

  3. Choose a network device from the list or search for it in the Search field. Click Next.
  4. Enter a network device description, if needed, and click Add Network Device. This command starts the installation of the SEA Service on the device.

Note: At this step, if you are installing a switch, you can configure the switch for HTTP(S) proxy support. For directions, see SEA: HTTP(S) proxy support. To configure a switch with a multi-VLAN configuration, see SEA: Multi-VLAN and Static IP support.

  5. Click Next. A confirmation box opens.

  6. Check the SEA Agent state of deployment associated with the network device.

    • The SEA Agent deployment state changes to Installed. If the status does not change to Installed, go to the network device listing, hover over the 3 dots in the Actions column, and choose Install SEA Agent.

    Install SEA Agent

Manually Add Assets

Note: Use the Quick Wizard screen to add Assets. Follow the steps from the Quick Wizard menu option.

To manually add an Asset for a device:

Note: These devices can be subtended devices, or the network device itself.

Add IoT devices

  1. From the System Management screen, choose a Network Device.
  2. From the Network Device details screen, click Add Asset.
  3. In the Add Asset screen, you have these two options:
    • If Assets were manually added in EDM, they are listed and you can choose them from the list.
    • If Assets have not been added in EDM, they must be manually added in SEA.
  4. After you choose or add an Asset, click Add. The Asset is associated with the network device.

Using the network device as an Asset for configuration or troubleshooting

Use the network device itself as an Asset to configure or troubleshoot the device. However, you must use the proper IP Address, which is the default-router in the ip dhcp pool ioxpool configuration section. That information is in the Current Configuration screen (below). The default-router IP Address allows you to access the CLI of the network device (using the SSH access method) or the Web GUI (using the Web App access method). 

To locate the default-router IP Address

  1. Log in to IoT OD and choose Edge Device Manager Service.
  2. Click Inventory > choose the Network device > Device Configuration tab.
  3. Scroll down to find Current Configuration (default choice). Click Show.
  4. In the configuration screen, scroll down to the ip dhcp pool ioxpool section.
  5. Choose the default-router IP Address (format: xx.x.xx.xxx). Using this IP Address, you can then access the CLI (using the SSH access method) or Web GUI (using the Web App access method).

 

Current Configuration Screen: default-router
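When the Current Configuration text has been copied out for review, the lookup in the steps above can be checked with a short script. This is an added example, not Cisco code; the sample configuration and its addresses are constructed, and the function name is hypothetical. It reads only the `ip dhcp pool ioxpool` section, so a default-router from another DHCP pool is never picked up by mistake.

```python
import ipaddress

# Constructed sample of a Current Configuration excerpt (addresses are made up).
SAMPLE_CONFIG = """\
ip dhcp pool lanpool
 network 10.10.20.0 255.255.255.0
 default-router 10.10.20.1
!
ip dhcp pool ioxpool
 network 192.168.16.0 255.255.255.0
 default-router 192.168.16.1
 dns-server 192.168.16.1
!
interface Vlan1
 ip address 10.10.20.1 255.255.255.0
"""


def find_default_router(config_text, pool="ioxpool"):
    """Return the default-router address(es) under `ip dhcp pool <pool>`."""
    in_pool = False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():
            # A non-indented line (including "!") starts a new top-level section.
            in_pool = line.split() == ["ip", "dhcp", "pool", pool]
            continue
        fields = line.split()
        if in_pool and fields[0] == "default-router":
            if len(fields) < 2:
                raise ValueError("default-router line has no address")
            # The command may list several routers; validate each as IPv4.
            return [str(ipaddress.IPv4Address(addr)) for addr in fields[1:]]
    raise LookupError(f"no default-router under ip dhcp pool {pool}")


if __name__ == "__main__":
    print(find_default_router(SAMPLE_CONFIG))
```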

Configure SEA Plus protocol definitions

Note:

  • The SEA Agent must be downloaded (minimum version is 0.70).
  • There is an existing Network Device and Asset configured for remote access.

To configure an SEA Plus protocol:

  1. From the Services panel, choose Secure Equipment Access > System Management.

  2. Choose the SEA Plus Protocols tab. This screen has three SEA Plus Protocol Definition setting filters.

    • All (Default): Choose this filter to list all the definitions created (custom and predefined).
    • Custom: Choose this filter to list all the custom definitions created.
    • Predefined: Choose this filter for a list of "out of the box" protocol definitions that can help you get started.

 

Note:

  • The three predefined definitions: Allow all Protocols, TCP All Ports+ICMP, and UDP All Ports+ICMP should be used with caution. Cisco does not recommend using them because they offer less protection. Once you are familiar with setting up the SEA Plus Definitions, we recommend configuring your own protocols and ports to fit your needs and security requirements. 
  • You cannot add SEA Plus Protocol Definitions from the Predefined filter.

SEA Plus Protocols

The SEA Plus Protocols screen lists the following:

  • Name: Protocol Definition Name.
  • Tag (optional): Used for grouping definitions.
  • Description: Description of the protocol definition.
  • Last modified: When the protocol definition was last modified.
  • Actions: Clone or Delete.

 

The SEA Plus Protocols screen also includes a Search Table field and a filter icon (right side of the screen) for searching through long lists of protocol definitions. 

Note: If you clone a protocol definition, the definition has the same name with a number in parentheses. For example, Protocol (1), Protocol (2), etc.

  3. To add a Custom Protocol Definition, click Add Protocol Definition.

Protocol Definition Definition

  4. Make sure you are in the SEA Plus Protocols tab. Then enter:

    a. (Required) Type in a protocol definition name.

    b. (Optional) Type in an identifying tag (for grouping).

    c. (Optional) Type in a useful description.

  5. Click Add Protocol.

Add Protocol

  6. In the Add Protocol screen choose one of the following protocols:
    • (Not recommended) TCP All Ports
    • (Not recommended) UDP All Ports
    • TCP
    • UDP
    • ICMP
  7. For UDP and TCP, specify a single Port (or Port Range, for example 85-110) for that protocol.
  8. Click Add Protocol. The protocol is added to the protocol list.
  9. To add additional protocols, repeat steps 6-9.
  10. Click Save Protocol Definition. The custom protocol definition is added to the SEA Plus Protocol Definitions list.

Once the definitions are created they can be used when you create the access methods for SEA Plus. (See SEA Plus Access Method.)
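Before entering a custom definition, the planned entries can be reviewed for the broad choices the page warns against. This is an added example, not Cisco code: the `(protocol, ports)` entry shape is hypothetical and is not an IoT OD export format, the sample entries are constructed, and the 32-port width limit is an assumed local policy.

```python
# Added example: the entry shape below is hypothetical, not an IoT OD export format.
ALL_PORTS = {"TCP All Ports", "UDP All Ports"}  # marked "Not recommended" on the page
MAX_RANGE = 32  # assumed local policy: widest range accepted without extra review


def parse_ports(spec):
    """Parse '502' or '85-110' into (low, high); raise ValueError if malformed."""
    low, sep, high = (spec or "").strip().partition("-")
    lo = int(low)
    hi = int(high) if sep else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port outside 1-65535 or range reversed: {spec!r}")
    return lo, hi


def review_definition(entries, max_range=MAX_RANGE):
    """Return (entry, finding) pairs for entries that are broad or malformed."""
    findings = []
    for proto, ports in entries:
        label = f"{proto} {ports}" if ports else proto
        if proto in ALL_PORTS:
            findings.append((label, "opens every port; list the ports you need"))
        elif proto in ("TCP", "UDP"):
            try:
                lo, hi = parse_ports(ports)
            except ValueError as exc:
                findings.append((label, f"invalid port spec: {exc}"))
                continue
            if hi - lo + 1 > max_range:
                findings.append((label, f"range covers {hi - lo + 1} ports"))
        elif proto == "ICMP":
            if ports:
                findings.append((label, "ICMP takes no port"))
        else:
            findings.append((label, "not a choice on the Add Protocol screen"))
    return findings


# Constructed sample definition (port numbers chosen for illustration).
PLANNED = [("TCP", "502"), ("TCP", "85-110"), ("UDP", "1-65535"),
           ("TCP All Ports", None), ("ICMP", None), ("TCP", "110-85")]

if __name__ == "__main__":
    for entry, finding in review_definition(PLANNED):
        print(f"{entry}: {finding}")
```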

Note: To configure an IE3x00 switch or IR18xx device in SEA, refer to the appropriate section below.

SEA: Proxy support for switches

To configure an SEA agent with proxy support on an externally-managed device (such as an IE3x00 switch), see SEA: HTTP(S) proxy support.

SEA: Multi-VLAN support

To configure an SEA agent with VLAN or Static IP support on an externally-managed device (such as an IR1101 or IR1800 router), see SEA: Multi-VLAN and Static IP support.