If both are blocked by the firewall, then you could manually manage the IP if you wish. If only SNMP is blocked, we could tell you something resides at that IP, but none of the system details.
Need help. I can't seem to get the NetFlow info from my router behind the firewall. The router behind the NTU is a Cisco 2800 and behind the router is an ASA firewall.
I have checked the security configuration of the ASA firewall that would allow 2055 and still nothing.
I have scanned the logs of both firewalls and there is no 2055 or anything that would pick up the NetFlow from the 2800. Thanks in advance.
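As an added example (not from this thread or from any SolarWinds product), here is a small collector-side check for the NetFlow problem above, written in Python. It decodes NetFlow v5 datagrams using the standard v5 layout (24-byte header, 48-byte records) and, when run, binds UDP 2055 on the collector host and reports the first few datagrams that arrive. NetFlow export is UDP, so the ASA rule has to permit UDP/2055 from the router's export source address to the collector. If the router is exporting and nothing is seen here, the datagrams are being dropped between the 2800 and the collector; if they arrive and decode, the problem is in the collector application. The sample datagram, its addresses and the sequence number are constructed for the demonstration.

```python
import socket
import struct
from ipaddress import IPv4Address

NETFLOW_PORT = 2055  # the UDP export port the thread is trying to get through the ASA

# Standard NetFlow v5 layout: 24-byte header followed by `count` 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram: bytes) -> dict:
    """Decode one NetFlow v5 export datagram into a header dict and a list of flow dicts.

    Raises ValueError for anything that is not a complete v5 datagram, so the listener
    can tell 'nothing arrives' apart from 'something arrives but it is not v5/is truncated'.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError(f"{len(datagram)} bytes is shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_sequence, engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < needed:
        raise ValueError(f"header promises {count} records but datagram is truncated "
                         f"at {len(datagram)} of {needed} bytes")

    flows = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad1, tcp_flags, proto, tos, src_as, dst_as, src_mask, dst_mask,
         _pad2) = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "nexthop": str(IPv4Address(nexthop)), "in_if": in_if, "out_if": out_if,
            "packets": pkts, "octets": octets, "first_ms": first, "last_ms": last,
            "src_port": sport, "dst_port": dport, "tcp_flags": tcp_flags,
            "proto": proto, "tos": tos, "src_as": src_as, "dst_as": dst_as,
            "src_mask": src_mask, "dst_mask": dst_mask,
        })
    return {
        "header": {"version": version, "count": count, "sys_uptime_ms": sys_uptime,
                   "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
                   "flow_sequence": flow_sequence, "engine_type": engine_type,
                   "engine_id": engine_id, "sampling_interval": sampling},
        "flows": flows,
    }


def describe_datagram(data: bytes) -> str:
    """One-line verdict for a received datagram, used by the listener below."""
    try:
        parsed = parse_netflow_v5(data)
    except ValueError as exc:
        return f"{len(data)} bytes, {exc}"
    h = parsed["header"]
    return f"v5, {h['count']} flows, sequence {h['flow_sequence']}"


def build_sample_v5_datagram() -> bytes:
    """Constructed sample (not a capture): one TCP flow 10.1.1.10:51234 -> 10.2.2.20:443."""
    header = V5_HEADER.pack(5, 1, 123456, 1700000000, 0, 42, 0, 0, 0)
    record = V5_RECORD.pack(
        IPv4Address("10.1.1.10").packed, IPv4Address("10.2.2.20").packed,
        IPv4Address("10.1.1.1").packed, 1, 2, 10, 1500, 120000, 123000,
        51234, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record


def listen_for_exports(bind_addr="0.0.0.0", port=NETFLOW_PORT, max_datagrams=5):
    """Bind the collector port and describe the first few datagrams that reach it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))  # stop the real collector first so the port is free
        print(f"listening on udp/{port}")
        for _ in range(max_datagrams):
            data, (src, _) = sock.recvfrom(65535)
            print(f"{src}: {describe_datagram(data)}")


if __name__ == "__main__":
    listen_for_exports()
```

Run it on the collector host while the router is exporting. Seeing a source address other than the router's export interface (or none at all) points at NAT or the firewall policy; seeing a version field other than 5 means the router is exporting v9 or another format that this decoder does not handle.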
Afraid not, it's the wild west EDU world. What would be nice, and I have yet to find what I am looking for, is a product to pull the ARP info out of a router's MAC table, then log it to a database. This would give the most accurate info rather than trying to poll or scan a network.
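As an added example (not from this thread or from any SolarWinds product), here is what the "pull the ARP table and log it to a database" approach looks like in Python. It parses a constructed sample of Cisco IOS `show ip arp` output and upserts each resolved IP/MAC pair into SQLite, keeping first-seen and last-seen timestamps per pair, so a host that never answers ICMP or SNMP is still inventoried as long as it talked through the router, and an IP that changes hands shows up as a second row instead of overwriting history. The sample output, router name, timestamps and MAC addresses are constructed; how the text is collected from the device (an SSH session or the SNMP ARP table) is outside the example. Since a router only holds ARP entries for its connected networks, this has to be run against every router or layer 3 switch that has an interface or SVI in the VLANs of interest.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Constructed sample of Cisco IOS `show ip arp` output; not taken from any real device.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               -   0011.2233.4455  ARPA   Vlan10
Internet  10.10.1.25              3   0012.3456.789a  ARPA   Vlan10
Internet  10.10.2.7             180   00aa.bbcc.ddee  ARPA   GigabitEthernet0/1.20
Internet  10.10.2.9               0   Incomplete      ARPA
"""

# Resolved entries only: "Incomplete" rows have no MAC and say nothing about a host.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<iface>\S+)\s*$",
    re.IGNORECASE,
)


def parse_show_ip_arp(text: str) -> list:
    """Return (ip, mac, interface) for every resolved entry in `show ip arp` output."""
    return [(m["ip"], m["mac"].lower(), m["iface"])
            for m in (ARP_LINE.match(line) for line in text.splitlines()) if m]


def open_arp_db(path: str = ":memory:") -> sqlite3.Connection:
    """One row per (router, ip, mac) pair with the first and most recent poll that saw it."""
    conn = sqlite3.connect(path)
    conn.execute("""
        CREATE TABLE IF NOT EXISTS arp_log (
            router TEXT NOT NULL, ip TEXT NOT NULL, mac TEXT NOT NULL, iface TEXT NOT NULL,
            first_seen TEXT NOT NULL, last_seen TEXT NOT NULL,
            PRIMARY KEY (router, ip, mac))""")
    return conn


def record_arp_entries(conn, router: str, entries, seen_at: datetime) -> int:
    """Log one poll of one router.

    Unknown (ip, mac) pairs are inserted with first_seen = last_seen = now; known pairs
    only get last_seen (and the interface) refreshed. A MAC change at an IP therefore
    becomes a second row rather than overwriting the old one.
    """
    ts = seen_at.isoformat()
    with conn:
        for ip, mac, iface in entries:
            conn.execute("INSERT OR IGNORE INTO arp_log VALUES (?, ?, ?, ?, ?, ?)",
                         (router, ip, mac, iface, ts, ts))
            conn.execute("UPDATE arp_log SET last_seen = ?, iface = ? "
                         "WHERE router = ? AND ip = ? AND mac = ?",
                         (ts, iface, router, ip, mac))
    return len(entries)


def history_for_ip(conn, ip: str) -> list:
    """(mac, router, iface, first_seen, last_seen) rows for an IP, oldest first."""
    return conn.execute(
        "SELECT mac, router, iface, first_seen, last_seen FROM arp_log "
        "WHERE ip = ? ORDER BY first_seen", (ip,)).fetchall()


def demo() -> list:
    """Two constructed polls of one router an hour apart; in the second, 10.10.1.25 has a new MAC."""
    conn = open_arp_db()
    t1 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    t2 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    record_arp_entries(conn, "core-rtr-1", parse_show_ip_arp(SAMPLE_SHOW_IP_ARP), t1)
    second_poll = SAMPLE_SHOW_IP_ARP.replace("0012.3456.789a", "00de.adbe.ef01")
    record_arp_entries(conn, "core-rtr-1", parse_show_ip_arp(second_poll), t2)
    return history_for_ip(conn, "10.10.1.25")


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Polling more often than the router's ARP timeout keeps the last_seen column honest; polling less often means a host can appear and age out between polls and never be logged, which is the same gap the thread's ICMP/SNMP scans have for hosts that never answer.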
?? Do you mean switch ??
A router's ARP table is only going to have entries for connected networks. The rest relies on routing updates or statics when forwarding packets.
A switch will only have L3 ARP entries if it's a layer 3 switch configured with an SVI for the segment you wish to pull info from. Otherwise a layer 2 switch's ARP table is null but its MAC address table is stuffed (obviously).
In our environment I would say router. We are only looking in a few areas, say 3 or 4 routers. We have half a class B from there divided into many VLANs. You should be able to filter out all the networks that you don't care about.
We do not have Layer 3 switches on all of our networks.
Even with a layer 3 switch you would still need a subnet interface on that switch.
If you have many different VLANs, I would believe you would need a routed IP interface to get the information you would need for each VLAN.
We have almost 200 VLANs.
If it was a smaller environment, a layer 3 switch would work fine as long as the subnet you are looking at has a routed interface on that switch. I could see it would be nice in a layer 3 switch also.
Sincerest apologies for hijacking this thread further, but as it relates to the IPAM app, I just don't see how the app scanning routers' or switches' ARP tables is the right direction to go. ICMP and SNMP are much more appropriate.
"Even with a layer 3 switch you would still need a subnet interface on that switch. If you have many different VLANs I would believe you would need a routed IP interface to get the information you would need for each VLAN."
You don't. Switches not configured to route packets broadcast to forward packets off a particular broadcast domain. This is the basic function of a switch - packet forwarding.
Brford, the moment you put an IP address (SVI, a.k.a. subnet interface, other than a management IP) on a switch, enable it and ip routing, and then pass traffic to it as an endpoint, it becomes a layer 3 switch, for no other reason than that the switch is now dealing with information at the IP layer. It is no longer broadcasting to resolve traffic to an L3 device for routing off a particular broadcast domain; it is now routing packets because it is functioning at layer 3. It will forward packets as needed to another layer 3 device based on the routing tables installed on the switch via IGP or static entries.
Layer 2 switches with L3 management IPs will still perform the layer 2 function of forwarding packets outside a particular broadcast domain without ever having made an ARP entry, because they are not functioning at the IP layer; they are functioning at the data-link layer. A layer 2 switch will perform no routing whatsoever. A layer 2 switch will have an ip default-gateway configured to reach its management interface - otherwise, it simply broadcasts out each of its configured interfaces looking for where to forward a packet.
Routers only have ARP tables for connected networks.
Unless I'm completely confused, I would humbly disagree with the suggestion that IPAM pulling ARP tables is more accurate than an ICMP/SNMP scan of a given subnet.
Thanks for your post. Could you explain how an end user running a personal (PC) firewall that you have no control over will reply to any ICMP or SNMP scan?
Sadly, short of what was said above about implementing pulling ARP tables, I can't think of another way.
We have some newer printers that also don't respond to ICMP, and we rarely set up SNMP on end user equipment, so I too hope a feature is added to fix this.
I suppose there are no easy answers. Our networks are getting more complex every day.
Between NAT, IPv6, multi-tier firewalls, wireless, authentication, load balancers, DNS, and future eq.
I guess it's job security.
Beyond our perimeter FWs, we use a centrally managed, policy-based desktop firewall. As such, we don't suffer that issue.
I suppose if I found myself in that situation, I would see if there's any way to permit such traffic.
Surely there must be some form of central management to the FW piece.
An explicit policy for a management network doesn't seem out of the question audit-wise.
Tough one mate... may I ask what you use?
The EDU world is way more screwed up than the real world. There are no policies and it's almost impossible to mandate anything. Every dept is almost free to do whatever with no big foot to stop them. Also, if there is any bad blood from any dept, cooperation is gone.
Thanks again, enjoyed your thoughts.