Deploy Cisco Cyber Vision Sensor on Switches and Routers

Deploying sensor applications

Guides you through deploying Cyber Vision sensor applications across supported switches and routers, detailing automated and manual installation methods, provisioning, optional Active Discovery, and sensor management to enable real-time threat detection and network visibility.


When deployed in your network, the Cyber Vision sensor application enables real-time threat detection. It also provides ongoing visibility into industrial network assets and traffic patterns to support security and compliance objectives.

You can deploy sensors on multiple network devices to expand coverage as needed.

There are multiple ways of deploying the sensor application on the supported switches and routers:

  • (Recommended) Using the sensor management extension in the Cyber Vision Center

  • Using the device CLI

  • Using the device Web UI

  • Bulk deployment

The sensor management extension is recommended because it offers these advantages:

  • Simple deployment: Automates installation and device configuration steps, reducing complexity for IT/OT teams.

  • Consistency: Sensors can be deployed in a standardized, repeatable manner.

Note

FIPS-compliant Cisco Cyber Vision does not support the sensor management extension.

Manual installation using the device’s Web UI or CLI is required when the Center cannot connect to the target device because of network design or temporary issues.

This guide details the sensor extension deployment method. To deploy the sensor application using the device CLI or Web UI, see the guide for the specific device and IOS XE release:

Summary

After you complete initial configurations and traffic monitoring settings, you can prepare the network device and provision sensor applications for deployment. Use the sensor management extension in the Cyber Vision Center for efficient sensor deployment and management.

Workflow

The sensor provisioning process involves these stages. Each stage is executed separately when you choose manual deployment methods. With a sensor extension, all the stages are executed automatically using the configuration taskflow wizard.

  1. Define sensor provisioning in the Center: The taskflow wizard for sensor provisioning involves defining these details:
    • (If you don't use the sensor management extension) Device serial number.
    • Device address and access credentials. The user must have Level 15 privilege access, with web UI access to deploy sensors using the sensor management extension.
    • Collection and management VLANs, ports, gateway and interfaces configured on the device for Cyber Vision.
    • Define the capture mode by selecting the type of traffic you want the sensor to analyze.
  2. Activate the provisioning file in the device: If you use the sensor management extension, you can deploy the sensor provisioning from the Center. If you use the device Web UI or CLI, you must download the provisioning package from the Center and upload it to the device.
  3. (Optional) Enable Active Discovery: To periodically monitor a specific set of protocols on devices, enable active discovery on the sensor. Define the ports that must be monitored for each protocol for best results. Cisco IR1101 and IR1800 routers do not support Active Discovery.
    Note

    To use Active Discovery, you must download and install the Cyber Vision sensor package that includes the feature. The name of the sensor package on Cisco Software Downloads indicates if Active Discovery is available in the package. If you have already installed a sensor with a package that doesn't include Active Discovery and wish to use this feature, you must reinstall the sensor with the correct software.

  4. Manage sensor application: Deployed sensors are listed in the Admin > Sensors > Sensor Explorer page of the Center. You can monitor their status and manage the sensors from the Center.

Result

When the sensor application is successfully configured and deployed, the sensor captures and analyses network traffic in real time. The sensor extracts and forwards security and operational insights to the Cyber Vision Center, enabling alerting, troubleshooting, and security management.


Bulk host onboarding and sensor deployment

Bulk host onboarding and sensor deployment allows you to onboard multiple hosts (switches and routers) to Cisco Cyber Vision in a single operation. It also enables you to deploy sensor applications to the onboarded hosts using a streamlined, wizard-based workflow.

It offers the following advantages:

  • Streamlines the onboarding of multiple hosts and deployment of sensor applications.

  • Minimizes manual effort for network administrators and IT operations engineers.

  • Improves operational efficiency through automated checks and simultaneous deployment.

Bulk host onboarding and sensor deployment is especially useful for large-scale deployments that require simultaneous onboarding of multiple hosts and deployment of sensor applications.

This process involves two key steps:

  • Onboard hosts to Cisco Cyber Vision

  • Deploy sensors to the hosts that have been successfully onboarded.

Table 1. Feature History Table

| Feature | Release Information | Feature Description |
|---|---|---|
| Bulk host onboarding and sensor deployment on switches | Release 5.5.x | Enables you to onboard multiple switches and deploy sensor applications using a guided, wizard-based workflow. Supported switches: Cisco Catalyst IE3x00 switches, Cisco Catalyst 9x00 switches, Cisco Catalyst IE9300 Rugged Series Switches. |
| Bulk host onboarding and sensor deployment on routers | Release 5.4.x | Bulk host onboarding and sensor deployment in Cisco Cyber Vision lets you add multiple routers at once and deploy sensor applications using a guided, wizard-based workflow. It automates reachability and readiness checks, reduces manual effort, and accelerates large-scale rollouts. |


Bulk onboarding and sensor deployment capabilities

The bulk onboarding and sensor deployment feature provides these capabilities:

  • Adding multiple hosts simultaneously using a CSV file or manual entry.

  • Instantly verifying, along with other technical checks, that each host is reachable, has IOX enabled, and possesses adequate storage for sensor deployment.

  • Rapidly identifying devices that are ready for deployment, eliminating manual verification.

  • Enabling sensor deployment to ready hosts with a streamlined, wizard-based workflow.

  • Pre-selecting default settings for typical deployment scenarios, minimizing configuration overhead.

  • Offering retry options for deployment failures to maximize successful sensor rollout.

Supported devices

The bulk onboarding and sensor deployment feature currently supports the following devices:

  • Cisco IR1800 routers

  • Cisco IR1101 routers

  • Cisco Catalyst IE3x00 switches

  • Cisco Catalyst 9x00 switches

  • Cisco Catalyst IE9300 Rugged Series Switches

Note

Other platforms will be supported in the future.


Onboard hosts to Cisco Cyber Vision

Add new hosts to Cisco Cyber Vision to enable automated sensor deployment and monitoring.

Onboarding hosts prepares network devices for sensor application deployment. The CSV file can include both switch and router IP addresses and credentials.

Before you begin

Ensure these requirements are met:

  • IOS XE version 17.9 or higher is installed on the target hosts.

  • IOx services are enabled and running on the target hosts.

  • Web server is enabled on the target host.

  • NAT rules are set up to access the Cisco Cyber Vision collection interface.

  • Encapsulated Remote SPAN (ERSPAN) interfaces are set up for remote monitoring.

  • The hosts' time is synchronized with the Center or a valid NTP server.

    Cisco Cyber Vision runs readiness checks to determine whether each host is ready for sensor deployment. If a host is not yet ready, you can use the More Actions > Verify readiness menu for that host to run the checks again after correcting any issues.

    For more details, review the Initial configuration.

Follow these steps to onboard hosts:

Procedure

1.

Go to Cyber Vision New UI > Configuration > Sensor Management.

This section is divided into two tabs: Hosts and Sensors. The Hosts tab lists all onboarded platforms, while the Sensors tab displays your deployed sensor apps. The Sensors view also includes apps deployed via the Sensor Management extension from the Classic UI.

2.

Click Start onboarding.

3.

Choose an onboarding method. To onboard multiple hosts, choose Use CSV file (recommended) or Input details manually to type them individually.

4.

If using a CSV file:

  1. Click the Use .CSV file (recommended) radio button.

  2. (Optional) Click the Download sample link to get a template for the CSV file.

  3. Upload your CSV file by clicking within the Click or drag file to this area to upload box.

5.

If manually inputting host details (limited to a maximum of 10 hosts):

  1. Click Input details manually.

  2. Enter the required host details in the fields that appear.

6.

(Optional) Enter the global credentials that are common to all hosts in the Global Credentials section.

If you have not entered the credentials in the .CSV file, then the global credentials will be used.

7.

To complete the onboarding process, click Onboard.

The hosts are added to Cisco Cyber Vision. If you want to add more hosts, click Onboard host.

What to do next

Deploy sensor apps on the ready hosts.


Deploy sensor apps to hosts

Install sensor applications on the hosts that have been successfully onboarded and validated.

You can deploy sensor applications only on hosts marked Ready after onboarding. For switches, choose between two configuration types:

  • Simple: Uses default network settings.

  • Advanced: Uses custom values provided via a CSV file.

Before you begin

  • Ensure that the target hosts are successfully onboarded.

  • Ensure that the host can reach Cisco Cyber Vision Center through the interface configuration used for sensor deployment. In particular, the collection interface, and any other interface specified in the deployment configuration, must be connected to the correct network and have valid addressing and routing. If an interface is configured on the wrong network or with incorrect parameters, the sensor will not be able to connect to the Center.

  • If you plan to use the advanced workflow for switches, ensure your CSV file is ready. The file must include the host list and collection interface parameters. Capture interface parameters are optional; if omitted, default values will be used.

  • Ensure that you deploy sensor apps to only one host type—routers or switches—at a time.
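The addressing requirements above can be checked before the CSV file is uploaded. The following script is an added example, not Cisco code and not part of the original guide: it validates collection and capture parameters per host and applies the rule that a collection gateway is needed when the Center and the sensor are in different subnets. The column names, the Center IP, and all addresses are constructed assumptions; take the real column names from your own CSV file.

```python
import csv
import io
import ipaddress

# Constructed sample data. Column names are hypothetical; use the names from
# your own CSV file. CENTER_IP stands in for the Center's collection IP.
CENTER_IP = "192.168.50.10"
SAMPLE_PLAN = """\
host,collection_ip,collection_prefix,collection_gateway,capture_ip,capture_prefix
10.10.1.11,192.168.69.11,24,192.168.69.1,169.254.1.2,30
10.10.1.12,192.168.69.12,24,,,
10.10.1.13,192.168.70.255,24,192.168.69.1,,
10.10.1.14,192.168.69.11,24,192.168.69.1,169.254.1.6,30
"""


def _host_interface(ip, prefix, what, errors):
    """Return the parsed interface if ip/prefix is a usable host address, else None."""
    try:
        iface = ipaddress.ip_interface(f"{ip.strip()}/{prefix.strip()}")
    except ValueError:
        errors.append(f"{what}: '{ip}/{prefix}' is not a valid address/prefix")
        return None
    net = iface.network
    # On anything wider than a /31 the first and last addresses are not host addresses.
    edge = (net.network_address, net.broadcast_address)
    if net.prefixlen < net.max_prefixlen - 1 and iface.ip in edge:
        errors.append(f"{what}: {iface.ip} is the network or broadcast address of {net}")
        return None
    return iface


def validate_plan(plan_csv, center_ip):
    """Return {host: [error, ...]} for every row of the deployment plan."""
    center = ipaddress.ip_address(center_ip)
    assigned = {}  # collection IP -> first host that claimed it
    report = {}
    for row in csv.DictReader(io.StringIO(plan_csv), restval=""):
        host, errors = row["host"], []
        coll = _host_interface(row["collection_ip"], row["collection_prefix"],
                               "collection", errors)
        if coll is not None:
            if coll.ip in assigned:
                errors.append(f"collection: {coll.ip} is already assigned to {assigned[coll.ip]}")
            else:
                assigned[coll.ip] = host
            gateway = row["collection_gateway"].strip()
            if gateway:
                try:
                    gw_ip = ipaddress.ip_address(gateway)
                except ValueError:
                    errors.append(f"collection: gateway '{gateway}' is not a valid address")
                else:
                    # The gateway must be a different address on the same subnet.
                    if gw_ip not in coll.network or gw_ip == coll.ip:
                        errors.append(f"collection: gateway {gw_ip} is not usable in {coll.network}")
            elif center not in coll.network:
                # Sensor and Center are in different subnets, so a gateway is required.
                errors.append(f"collection: no gateway, but Center {center} is outside {coll.network}")
        # Capture parameters are optional; defaults apply when they are omitted.
        if row["capture_ip"].strip():
            _host_interface(row["capture_ip"], row["capture_prefix"], "capture", errors)
        report[host] = errors
    return report


if __name__ == "__main__":
    for host, errors in validate_plan(SAMPLE_PLAN, CENTER_IP).items():
        print(host, "OK" if not errors else "; ".join(errors))
```
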

Follow these steps to deploy sensor apps:

Procedure

1.

Go to the Cyber Vision New UI > Configuration > Sensor Management.

2.

Select the target hosts for sensor application installation, then click Deploy sensor.

3.

For routers:

  1. Select Simple on the Choose deployment mode screen, and then click Continue.

  2. On the Simple Deployment screen, either keep the default values or enter the required details.

4.

For switches, do one of the following:

  • To use the default configuration settings, select Simple on the Choose deployment mode screen, and then click Continue. On the Simple Deployment screen, enter the required details.

    Table 2. Simple Deployment fields

    | Field | Description |
    |---|---|
    | Use default values | When checked, the system automatically applies standard network configurations and bypasses the need for manual entry. |
    | Collection Interface | Specifies the network parameters for the collection interface, including IP address, Prefix, Gateway, and virtual port group number. |
    | Capture Interface | Specifies the network parameters for the capture interface, including IP address, Prefix, and virtual port group number. |
    | Sensor Template | Selects the configuration profile to be applied to the sensor. |
    | Capture Mode | Sets the performance profile (e.g., Optimal) for data traffic capture. |

  • To provide custom configuration values through a CSV file, select Advanced on the Choose deployment mode screen and upload your CSV file.

5.

Click Deploy.

When the deployment is successful, the details of the sensor applications are displayed on the Sensor Management > Sensors page. To uninstall or retry sensor installation, use the Sensors page. These operations are unavailable for sensors deployed using the Classic UI or other methods.

What to do next

Review deployment status and troubleshoot any failed installations as needed. To retry the deployment, select hosts from the list and click Retry Deployment.


Provision sensors using sensor management extension


Install sensor management extension

Procedure

1.

From the Cisco Cyber Vision Center menu, choose Admin > Extensions.

2.

Click Import a new extension file.

3.

Choose the extension file from your local system.

What to do next

After you upload an extension file, from the Actions column, you can:

  • Update the extension to a different release.

  • Remove the extension.


Add global device credentials

Define the default credentials to be used for device access. The global credentials are used for all devices by default for sensor management workflows. When you update the credentials, the latest credentials are used to access deployed sensors as well.

The user credentials must have Level 15 access privilege, and have access to the device Web UI.

Procedure

1.

From the Cisco Cyber Vision Center menu, choose Admin > Sensors > Sensor Explorer.

2.

Choose Manage Cisco devices > Manage credentials.

3.

To save the credentials, click Update.


Install sensors using sensor management extension

Before you begin

  • Install sensor management extension.

  • Add global device credentials.

  • Define capture and collection details for network . For instructions, see Setting up OT traffic monitoring. Capture IP and VLAN form the internal connection between the device and the sensor application. Collection IP and VLAN form the connection between the sensor application and the Cyber Vision Center.

  • Device must have Web UI set up.

  • A configuration template allows you to define the ports and protocols that the Cyber Vision sensor must monitor. While a default template is available for use, you can also create your own template.

  • Cisco IR1101 and IR1800 routers do not support Active Discovery.

  • To use Active Discovery, you must download and install the Cyber Vision sensor package that includes the feature. The name of the sensor package on Cisco Software Downloads indicates if Active Discovery is available in the package. If you have already installed a sensor with a package that doesn't include Active Discovery and wish to use this feature, you must reinstall the sensor with the correct software.

Procedure

1.

From the Cisco Cyber Vision Center menu, choose Admin > Sensors > Sensor Explorer.

2.

Click New sensor > Install via extension to initiate the installation wizard.

3.

In the Reach Cisco device page, fill out the following details to allow the Cyber Vision Center to identify and reach the device on which you want to install the sensor application:

  • (Mandatory) IP address

  • (Mandatory) Port: Typically, port 443 is the standard port for secure HTTPS traffic. However, you can choose to use a different port.

  • Center collection IP: To use the Center's current collection IP, leave the field empty. To use a different collection IP, especially in case of NAT configurations, enter the reachable IP address.

  • Sensor label: Enter an easily identifiable label for the sensor.

  • Configuration template: From the configuration template drop-down list, choose the template to apply.

  • Credentials: Choose to use global or custom credentials to reach the device.

  • Capture Mode: Choose the data you want the Cyber Vision sensor to inspect.

4.

Click Connect.

5.

In the Configure Cyber Vision IOx sensor app page, define the monitor sessions on the device by providing the required details. The fields that you see in this page change based on the device you have connected to.

| Configuration field | Device this field applies to |
|---|---|
| Capture (mirroring) and collection IP addresses; capture (mirroring) and collection prefix lengths; (optional) collection gateway, if the Center and the sensor application are in different subnets. | All switches and routers. Note: RSPAN configuration on Catalyst 9300. |
| Capture (mirroring) and collection VLAN numbers; disk size. | Switches only. |
| SPAN type | Catalyst 9x00 switches only. We recommend ERSPAN sessions for optimal traffic monitoring across Purdue levels. |
| Extra capture IP address, prefix length, and VLAN number. | IR8340 routers only. The extra capture details define the connection between sensor and the AppGig virtual interface for capturing switched traffic. |

6.

In the Configure Active Discovery page, choose between:

  • Passive only
  • Passive and Active Discovery and SEA

Packages that include SEA are available for Cisco Cyber Vision Sensors Release 5.3.0 and later.

7.

(If you use the Active Discovery sensor package) To use active discovery, provide the following details:

  1. Collection interface

  2. IP address

  3. Prefix length

  4. VLAN number

8.

Click Deploy.

What to do next

Sensor deployment can take up to 15 minutes to complete. You can track the progress of the deployment in the Admin > Sensors > Management jobs page.

Create sensor configuration template

Procedure

1.

From the Cisco Cyber Vision Center menu, choose Admin > Sensors > Templates.

2.

Click Add sensor template to initiate the template configuration wizard.

3.

In the Basic information step, add a name and description for the template.

4.

In the Protocol configuration step, in the displayed table:

  1. Choose the protocols you want to monitor by enabling or disabling the protocol entry.

  2. Where applicable, enter the port assigned for the protocol traffic.

5.

(Optional) In the Select sensors step, choose any existing sensors you want to apply the template to.

6.

In the Summary step, review your template configuration.

7.

To create the template, click Confirm.


Manual sensor deployment


Install and activate the sensor application

Before you begin

To use Active Discovery, you must download and install the Cyber Vision sensor package that includes the feature. The name of the sensor package on Cisco Software Downloads indicates if Active Discovery is available in the package.

Procedure

Install and activate the sensor application on the device.

Method

Steps to follow

Using device CLI

  1. Copy the downloaded application package to the device internal memory.

    copy scp://<username>@<scp-server-ip>/<path-to-file>/ccvsensor.tar bootflash:
  2. Install the application.

    device#app-hosting install appid <sensor-name> package bootflash:ccvsensor.tar
  3. Activate the application.

    device#app-hosting activate appid <sensor-name>
  4. Start the application.

    device#app-hosting start appid <sensor-name>
  5. Configure the resource profile for the application on the device.

Using device Web UI

  1. Log into the device Web UI.

  2. Choose Configuration > Services > IOx.

  3. Log into the IOx local manager using the device credentials.

  4. In the Applications tab, choose Add New.

  5. Enter a name for the sensor application.

  6. Click Choose File to select and add the sensor application file.

  7. After a few minutes, the sensor application entry is visible in the Applications tab. Click Activate.

  8. To activate the application, you must configure the resource profile for the application on the device.

When the import is successful, in the Cyber Vision Center Sensor Explorer page, the sensor's health status updates to Connected.


Create sensor provisioning package

In this task, you create a provisioning package. Here, you define the device and the sensor that you want to connect to the Center and identify the traffic you want to monitor. After you create the package, you can deploy it in the target device using the Cyber Vision Center or the device CLI.

Before you begin

  • Configure traffic monitoring in the device you want to deploy the sensor on.

  • Gather the device details required in step 3 to complete this task.

Procedure

1.

In the Cyber Vision Center, go to Admin > Sensors > Sensor Explorer.

2.

Click New sensor > Manual Install.

3.

In the Configure provisioning package page, enter the following device details:

  1. Serial number.

  2. Center collection IP, if you wish to use a different collection IP than what is already configured on the Center.

  3. Gateway address.

  4. An easily identifiable sensor label.

  5. Define the capture mode by choosing the type of traffic you want the sensor to analyse.

  6. Choose ERSPAN or RSPAN for traffic monitoring.

4.

In the next page, click Download package.

The package is downloaded to your local system, and the sensor is added to the Sensor Explorer page.

What to do next

Import the provisioning package on the target device, using the device Web UI or CLI.

Import sensor provisioning package into device

Procedure

Import the sensor provisioning package that you downloaded into the device.

Method

Steps to follow

Using device CLI

  1. In the device CLI, use the conf t command to enter the global configuration mode.

  2. Copy the provisioning package from the USB key to the application.

    app-hosting data appid <sensor-app-name> copy usbflash0:sbs-sensor-config-<serialnumber>.zip sbs-sensor-config-<serialnumber>.zip

Using device Web UI

  1. Log into the device's Web UI.

  2. Choose Configuration > Services > IOx.

  3. Log into the Cisco IOx Local Manager by entering your device credentials.

  4. For the sensor application, click Manage.

  5. Choose App-DataDir.

  6. Click Upload to select and upload the provisioning file you downloaded.

When the import is successful, in the Cyber Vision Center Sensor Explorer page, the sensor's health status updates to Connected.


Enable Active Discovery on sensors

Before you begin

  • Cisco IR1101 and IR1800 routers do not support Active Discovery.

  • To use Active Discovery, you must download and install the Cyber Vision sensor package that includes the feature. The name of the sensor package on Cisco Software Downloads indicates if Active Discovery is available in the package. If you have already installed a sensor with a package that doesn't include Active Discovery and wish to use this feature, you must reinstall the sensor with the correct software.

Procedure

1.

To enable Active Discovery on the sensor, go to Admin > Active Discovery > Profiles.

2.

Click the profile you want to apply to the sensor, and click Edit.

3.

From the Sensors drop-down menu, choose the sensor you just enrolled to the Center.

4.

Click Update.

The profile runs on the sensor according to a configured schedule. To run the profile immediately, click the profile and click Run Once.