How does Neighbor Scanning work?

Hello.

From what I understand is that IPAM can read the ARP table (or more precisely the ARP cache) which should have the MAC address and the corresponding IP address of every device / endpoint that has sent data through this router.

Since ARP cache is unreliable and can even be totally empty, the use of Neighbor Scans is disabled by default.

Best regards,

Steffen

Adding on to this,

The main purpose I find for neighbor scanning is when you have nodes that do not respond to ping your gateway router will still know that they are out there so checking with the router is a good way to double check that open IP's really are open.  The trouble is that hitting a router and asking it about all the subnets it has interfaces on can be taxing on the router, less so with new hardware but 5-10 years ago it was pretty easy to lock up a router with just SNMP requests asking it what all it was set up to do.

-Marc Netterfield

    Loop1 Systems: SolarWinds Training and Professional Services

•                 LinkedIN: Loop1 Systems
•                 Facebook: Loop1 Systems
•                 Twitter: @Loop1Systems

This still doesn't explain what each of the individual options do:

Enable SNMP scanning (dependent on ICMP scanning) <-- does this need to be enabled for "Enable SNMP neighbor scanning" to work or does it do something different? 

Enable SNMP neighbor scanning <-- Is this the only other way to gather MAC/IP pairs if you are not running DHCP in your subnet?

squeeb, I agree, some more explanation would be helpful. (The documentation for neighbor scanning is slim to none and needs more explanation; a good answer here would be the basis of a enhancement request to improve the documentation). I don't know who marked Steffen's post as the answer to this thread, although helpful, I've unmarked it as the answer; hopefully someone internal to SolarWinds IPAM development can comment and give the full explanation.

I've got a ticket open with them at the moment, more in relation to how the neighbor scanning mechanism works.

So I'll update here if I get a decent answer.

In my scenario, we have subnets that don't use DHCP, but where the hosts in the subnet do respond to ICMP pings.

The missing info is the MAC address. So in the absence of DHCP and with Neighbor scanning disabled, how would IPAM be able to collect the MAC addresses?

Do you have SNMP enabled on the devices themselves and turned on in IPAM?  If so then that would populate them, otherwise it won't.

Yes SNMP is enabled on the devices, assuming you mean the network devices that the hosts are attached to?

Not sure what you mean by "turned on in IPAM".

Are you referring to the Neighbor Scanning option for each subnet?

Or do you mean does SNMP run on the devices in the subnet (the hosts connected to the switch) themselves? In which case no, these are workstations so do not run any snmp service.

Right the endpoints need to provide the SNMP data, if its configured on the endpoint you can scan for the SNMP namespaces in addition to ICMP. Other ways to get the MAC addresses are not part of IPAM, just DHCP and SNMP.

When you say endpoint, you mean the hosts connected to the switch?

I have two cases here, one where the endpoints are client machines such as workstations, laptops, phones, watches etc. which all get their addresses from DHCP, and the other case is tons of servers which all have statically assigned IP addresses (configured via CloudInit / Puppet).

For the statically assigned hosts, are you suggesting that I should just run snmpd on them and as long as IPAM has a valid SNMP credential for those hosts, it will collect the MAC/IP combinations appropriately?

Is it then intelligent enough to figure out which port on the switches they are connected to?