How does Neighbor Scanning work?

IPAM 4.9

The IPAM documentation is pretty lightweight, so I thought I'd turn to the community. There are two settings in IPAM called Neighbor Scanning. It is not clear what each does.

Doc: Neighbor scanning

1. Admin > IPAM Settings > Subnet Scan Settings > SNMP Scanning

Enable SNMP scanning (dependent on ICMP scanning)

Enable SNMP neighbor scanning (What is neighbor scanning?)

2. Manage Subnets & IP Addresses > Edit Subnet Properties > Neighbor Scanning (...What is neighbor scanning?)

Disable Neighbor Scanning

IP Address: 10.10.10.254

Scan Interval: 4 Hours

TEST

I thought that a device's MAC was contained in the switch it is connected to, and therefore the router's ARP table would only have the MAC of the downstream switch, not the MAC of the end-point client device? So how can neighbor scanning provide any useful information unless you know what the upstream switch is for each subnet (and there is usually more than one switch, but IPAM only allows for one entry to do a Neighbor Scan)? This is a puzzler to me and I'd like to understand it better.

9 Replies

This still doesn't explain what each of the individual options do:

Enable SNMP scanning (dependent on ICMP scanning) <-- does this need to be enabled for "Enable SNMP neighbor scanning" to work, or does it do something different?

Enable SNMP neighbor scanning <-- Is this the only other way to gather MAC/IP pairs if you are not running DHCP in your subnet?


squeeb, I agree, some more explanation would be helpful. (The documentation for neighbor scanning is slim to none and needs more explanation; a good answer here would be the basis of an enhancement request to improve the documentation.) I don't know who marked Steffen's post as the answer to this thread; although it is helpful, I've unmarked it as the answer. Hopefully someone internal to SolarWinds IPAM development can comment and give the full explanation.


I've got a ticket open with them at the moment, more in relation to how the neighbor scanning mechanism works.

So I'll update here if I get a decent answer.

In my scenario, we have subnets that don't use DHCP, but where the hosts in the subnet do respond to ICMP pings.

The missing info is the MAC address. So in the absence of DHCP and with Neighbor scanning disabled, how would IPAM be able to collect the MAC addresses?


Do you have SNMP enabled on the devices themselves and turned on in IPAM? If so, then that would populate them; otherwise it won't.

- Marc Netterfield, Github

Yes, SNMP is enabled on the devices, assuming you mean the network devices that the hosts are attached to?

Not sure what you mean by "turned on in IPAM".

Are you referring to the Neighbor Scanning option for each subnet?

Or do you mean does SNMP run on the devices in the subnet (the hosts connected to the switch) themselves? In which case no, these are workstations, so they do not run any SNMP service.


Right, the endpoints need to provide the SNMP data; if it's configured on the endpoint you can scan for the SNMP namespaces in addition to ICMP. Other ways to get the MAC addresses are not part of IPAM, just DHCP and SNMP.


When you say endpoint, you mean the hosts connected to the switch?

I have two cases here, one where the endpoints are client machines such as workstations, laptops, phones, watches etc. which all get their addresses from DHCP, and the other case is tons of servers which all have statically assigned IP addresses (configured via CloudInit / Puppet).

For the statically assigned hosts, are you suggesting that I should just run snmpd on them and, as long as IPAM has a valid SNMP credential for those hosts, it will collect the MAC/IP combinations appropriately?

Is it then intelligent enough to figure out which port on the switches they are connected to?


Hello.

From what I understand, IPAM can read the ARP table (or more precisely the ARP cache), which should have the MAC address and the corresponding IP address of every device / endpoint that has sent data through this router.

Since the ARP cache is unreliable and can even be totally empty, the use of Neighbor Scans is disabled by default.

Best regards,

Steffen


Adding on to this,

The main purpose I find for neighbor scanning is when you have nodes that do not respond to ping: your gateway router will still know that they are out there, so checking with the router is a good way to double check that open IPs really are open. The trouble is that hitting a router and asking it about all the subnets it has interfaces on can be taxing on the router, less so with new hardware, but 5-10 years ago it was pretty easy to lock up a router with just SNMP requests asking it what all it was set up to do.

-Marc Netterfield
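Steffen's and Marc's replies describe the mechanism behind neighbor scanning: the router's ARP cache, exposed over SNMP as the IP-MIB ipNetToMedia table, maps IP to MAC even for hosts that never answer ping. As an added illustration (not part of this thread and not IPAM's own code), the Python script below parses constructed snmpwalk-style output of that table, normalizes the MACs, and reconciles the result against an ICMP sweep so that hosts known only to the router are reported separately, which is the "double check that open IPs really are open" Marc describes. The MIB object names are real; the addresses, MACs, ifIndex and the gateway 10.10.10.254 are sample values made up for the example.

```python
import re

# Constructed sample of net-snmp style output for the IP-MIB ipNetToMedia
# (ARP cache) table on a gateway router. All addresses and MACs are made up.
SNMPWALK_OUTPUT = """\
IP-MIB::ipNetToMediaPhysAddress.3.10.10.10.1 = STRING: 0:1a:2b:3c:4d:5e
IP-MIB::ipNetToMediaPhysAddress.3.10.10.10.20 = STRING: 0:50:56:aa:bb:cc
IP-MIB::ipNetToMediaPhysAddress.3.10.10.10.21 = STRING: 0:50:56:aa:bb:cd
IP-MIB::ipNetToMediaPhysAddress.3.10.10.10.254 = STRING: 0:1a:2b:3c:4d:5f
IP-MIB::ipNetToMediaType.3.10.10.10.1 = INTEGER: static(4)
IP-MIB::ipNetToMediaType.3.10.10.10.20 = INTEGER: dynamic(3)
"""

# Index of ipNetToMediaPhysAddress is <ifIndex>.<IPv4 address>; net-snmp prints
# the MAC as colon-separated hex without zero padding.
LINE_RE = re.compile(
    r"^IP-MIB::ipNetToMediaPhysAddress\.(?P<ifindex>\d+)\.(?P<ip>(?:\d{1,3}\.){3}\d{1,3})"
    r"\s*=\s*STRING:\s*(?P<mac>[0-9a-fA-F:]+)\s*$"
)

def normalize_mac(mac):
    """Zero-pad each octet so '0:1a:2b:3c:4d:5e' becomes '00:1a:2b:3c:4d:5e'."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or not all(1 <= len(p) <= 2 for p in parts):
        raise ValueError(f"unexpected MAC format: {mac}")
    return ":".join(p.zfill(2) for p in parts)

def parse_arp_walk(text):
    """Return {ip: (mac, ifindex)} from the ipNetToMediaPhysAddress rows only."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other columns (ipNetToMediaType, ...) and noise are skipped
        entries[m.group("ip")] = (normalize_mac(m.group("mac")), int(m.group("ifindex")))
    return entries

def reconcile(arp_entries, ping_responders, gateway_ip):
    """Split ARP-learned hosts into ping-confirmed and silent (ARP-only) ones.
    The gateway's own interface address is dropped: it is not a neighbor."""
    confirmed, silent = {}, {}
    for ip, (mac, _ifindex) in arp_entries.items():
        if ip == gateway_ip:
            continue
        (confirmed if ip in ping_responders else silent)[ip] = mac
    return confirmed, silent

if __name__ == "__main__":
    arp = parse_arp_walk(SNMPWALK_OUTPUT)
    ok, quiet = reconcile(arp, {"10.10.10.20"}, "10.10.10.254")
    print("ping-confirmed:", ok)
    print("ARP-only (no ICMP reply):", quiet)
```

Entries in the ARP-only set are the ones an ICMP-only IPAM scan would have marked free; they are also the ones to review when a static-address subnet looks emptier than expected.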