Please note: For a list of device models currently supported by the Active Advisor scanner, please see What products are supported?

Your computer must be able to communicate directly with the devices on the specified IP range. Before executing the scan, please ensure that the computer running the scanner can route to and communicate properly with the devices you intend to scan.

The Cisco Active Advisor scanner requires at least *one* of the following ports on the supported device to be reachable from the scanning computer:

  • SSH (tcp 22)
  • HTTPS (tcp 443)
  • HTTP (tcp 80)
  • Telnet (tcp 23)

Once the Active Advisor web scanner has connected to a device via one of the ports above, it can also learn about that device's neighbors, provided that you have enabled the CDP option in the scanner (it is not on by default) and that the target device supports listing its CDP neighbors. The scanner then uses the information learned about the neighbors to attempt access to those devices, using the 4 protocols above (each protocol is tried until a successful connection is made).

CDP is not used directly between the scanner and a particular device; it is only used to learn about other CDP-connected devices within the network.

If you are experiencing issues with the scanner failing to authenticate with devices, please also take a look at the article "Why is the scanner not able to log into my devices?"


The Cisco Active Advisor Scanner runs locally on a computer via a Java Applet, usually from inside any external firewall. This generally means that no ports need be opened in the external firewall in order for the scanner to find Cisco devices on the internal network(s). However, in order for the scanner to discover devices, the computer running the scanner and initiating the scan must be able to route to the devices on the subnets that you are scanning, and connections using at least one of the protocols HTTPS / SSH / HTTP / TELNET must be allowed to reach the target device.

Some network administrators may implement access-lists or other forms of firewalling to allow only specific authorized internal IP addresses to connect to devices on their 'management' ports. If the scanner is unable to connect to a reachable device using one of the protocols above, please try connecting to the device manually using one or more of those protocols and verify that connections are allowed from the scanning computer's IP address.
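One way to run the manual check described above before a scan, as an added example (not Cisco's code and not part of the scanner): a Python script that tries a TCP connection to each of the four ports from the scanning computer and separates a device that answers but has the service off from one that does not answer at all. The function names, the timeout and the verdict wording are assumptions made for this example.

```python
import socket
import sys

# The four management ports listed above; the scanner needs at least one.
MGMT_PORTS = {"SSH": 22, "HTTPS": 443, "HTTP": 80, "Telnet": 23}

def probe(host, port, timeout=2.0):
    """Try one TCP connection; return 'open', 'refused' or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        # The host (or a device in the path) answered with a reset:
        # routing works, but nothing accepts connections on this port.
        return "refused"
    except OSError:
        # Timeout or unreachable: typically a dropped packet (access-list,
        # firewall) or no route from this computer to the device.
        return "filtered"
    finally:
        s.close()

def check_device(host, ports=MGMT_PORTS, timeout=2.0):
    """Probe every management port on one device."""
    return {name: probe(host, port, timeout) for name, port in ports.items()}

def diagnose(results):
    """Turn per-port results into a verdict (wording is this example's own)."""
    usable = [name for name, state in results.items() if state == "open"]
    if usable:
        return "reachable via " + ", ".join(usable)
    if "refused" in results.values():
        return "host routable, but no management service accepts connections"
    return "no response: check routing and access-lists for this source IP"

if __name__ == "__main__":
    # Usage: python precheck.py <device-ip> [<device-ip> ...]
    for device in sys.argv[1:]:
        results = check_device(device)
        print(device, results, "->", diagnose(results))
```

Run it from the computer that will run the scanner, since access-lists are evaluated against that computer's source IP address.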

Scans can be performed remotely either by connecting to the remote network over a VPN and then initiating the scan, or by controlling a computer on the local network containing the devices via Remote Desktop or the equivalent. It is not recommended to allow any sort of direct access to the ports above from the external network (usually the internet) based solely on firewall pinholes or access-list rules, as source IP addresses can be spoofed under certain circumstances.