3 Replies Latest reply on Nov 26, 2017 1:25 PM by maryan.dmytriv

    IPAM polling specific subnets

    bmallon

      So this morning I had an engineer come to me saying they were getting alerts about a scan from our remote data center. He was speculating that it was IPAM doing subnet scans from the remote poller out there.

       

      I immediately went into IPAM and disabled automatic scanning on each subnet I have created for that data center and the VLANs associated with it.

       

      My question is... is there a way to simply disable all IPAM scanning from an individual poller? I would have liked to just shut the IPAM scanning off on that poller itself to verify it was the culprit.

      As the alerts continued, I went in and just shut down all of the SW services on that poller, and then even shut the server completely down. Instead of using a scalpel here, I was using a chainsaw.

       

      I would have loved to be able to be confident that all IPAM scanning from that individual poller was disabled with some specific service to shut down or something.

       

      Can anyone direct me to a poller's IPAM easy button?

        • Re: IPAM polling specific subnets
          CourtesyIT

          I take it the Engineer did not like you scanning his subnets? Were the scans too frequent? What is the policy concerning scans?

           

          I would ask more questions before revving up the chainsaw. I am sure there is always a way to get to "Yes".

           

          Thanks,

          CourtesyIT

            • Re: IPAM polling specific subnets
              bmallon

              Well, there were actually lots of questions. The ASA at that site and Lancope were both seeing the traffic at exactly the same time, so they lined up perfectly, but the source IPs were different on each. The ASA at that site showed the source IP as my SW poller. Soooo... he was making assumptions that IPAM on my poller was attempting to scan subnets.

              Now, we have since gotten to the culprit, and it wasn't my poller, but I would have liked to be able to just shut down IPAM scanning specifically from that remote poller for a few minutes to clear its name. Eventually I shut all the services down, and even turned the box off to get my SW server out of the hot seat.

            • Re: IPAM polling specific subnets
              maryan.dmytriv

              The only way for now is to disable ICMP and SNMP scanning for all pollers in Admin -> IPAM Settings -> Subnet Scan Settings