3 Replies Latest reply on Dec 7, 2012 7:01 AM by michal.hrncirik

    Network Sonar Whitepaper / Technical information on how it works

    schnarked

      Hi Guys,

       

      I'm doing the planning for an NPM deployment and after reading the NPM Administrators Guide / Evaluation Guide, I'm just a bit confused as to how the Sonar system works.

       

      If there is a whitepaper I can read, happy to go through that, otherwise, grateful if someone could answer the following questions:

      • What's the difference between discovering for an IP range or a subnet - am I missing something obvious here?
      • If I turn off ICMP discovery, how then does SNMP discovery work within the IP range / subnet - will it do an SNMP equivalent of an ICMP sweep or does it just discover devices that are connected to the Seed router and then work out from there?
      • How does the scheduled discovery work as compared to the initial discovery, is it the same method?
      • If I disable ICMP discovery and instead rely on SNMP, will I still be able to ICMP poll devices for availability data?
      • If I put in a bunch of seed routers for sites and set the hop count to 2, is this how the discovery will occur?
        • The seed router will be polled and the ARP table interrogated
        • The addresses in the arp table will be polled via SNMP (hop 1) and devices that respond to SNMP strings will be added
        • Those addresses will then have their ARP tables interrogated
        • The addresses in the 2nd ARP table will be polled via SNMP (hop 2) and devices that respond to SNMP strings will be added
        • The next time that discovery is scheduled, the same process will then happen for all existing devices in the database?
      • What does this statement mean in the Admin guide "Networks connected through the seed router are NOT automatically selected for discovery"
        • Is it trying to imply that networks (e.g. IP / subnet ranges) that are not defined in the discovery scope will not be automatically added to be scanned - this would seem to make sense
        • What about devices that are within the (already configured) discovery scope, will they still be discovered if the SNMP strings work as long as they're within the configured hop count?
        • What about devices that are within the hop count that are in the ARP table, but are in a different network range - will these still be scanned and added?
      • Once a device is discovered and in the system, if an SNMP discovery happens again, will Solarwinds attempt to connect to the device again with the already known SNMP string or will it try to discover it again with all of the SNMP strings in the configured discovery settings?

       

      Apologies for all of the questions - we're on a network where we don't have access to all of the Windows servers and other devices so we need to make sure that we understand the impact of deploying the system and we minimise the impact of doing a discovery on other IP devices.

       

      Cheers,

       

      Kieran

        • Re: Network Sonar Whitepaper / Technical information on how it works
          michal.hrncirik

          Hi Kieran,

           

          here come answers:

           

          • What's the difference between discovering for an IP range or a subnet - am I missing something obvious here?

          A: Specifying a subnet, which means network address and mask, is just a different way for the user to specify an IP range. NPM generates the IP range for the whole subnet automatically.

          • If I turn off ICMP discovery, how then does SNMP discovery work within the IP range / subnet - will it do an SNMP equivalent of an ICMP sweep or does it just discover devices that are connected to the Seed router and then work out from there?

          A: I assume you are referring to the “Ignore nodes that only respond to ICMP (ping). Nodes must respond to SNMP, WMI.” checkbox. Checking it informs Orion that it should filter all discovered nodes and remove all that have responded to ICMP only. Such nodes won’t make it into the result. NPM always scans all IPs one by one and tries to ping the device using ICMP. In case it gets no response on ICMP, but gets a response on SNMP, it is still able to add the node, but such a node remains in the down state.

           

          • How does the scheduled discovery work as compared to the initial discovery, is it the same method?

          A: The discovery scanning process is the same. The only difference is that a scheduled profile is executed automatically according to the specified scheduling settings. All nodes discovered by scheduled discovery profiles may be found on the Scheduled Discovery Results page. This page allows you to import or ignore nodes found by multiple scheduled discovery profiles at once (no need to select each profile and click on the Import New Results button from the list of profiles). NPM also notifies the user about found nodes each time a scheduled scan finishes.

          • If I disable ICMP discovery and instead rely on SNMP, will I still be able to ICMP poll devices for availability data?

          A: NPM automatically polls for response time and availability statistics if nodes are able to respond to ICMP ping requests. NPM is not able to utilize any communication protocol other than ICMP to collect these stats. Disabling ICMP just removes all nodes which were unable to respond on SNMP or WMI from the discovery result.

           

          • If I put in a bunch of seed routers for sites and set the hop count to 2, is this how the discovery will occur?
            • The seed router will be polled and the ARP table interrogated

          A: NPM polls information about connected subnets from the router’s routing table. It does not use the ARP cache table.

            • The addresses in the arp table will be polled via SNMP (hop 1) and devices that respond to SNMP strings will be added

          A: The list of subnets is collected from discovered seed routers and an IP range is generated for the obtained subnets. In hop 2 NPM performs a scan over all those IP addresses it found in hop 1.

            • Those addresses will then have their ARP tables interrogated

          A: No, those devices will have their routing tables interrogated.

            • The addresses in the 2nd ARP table will be polled via SNMP (hop 2) and devices that respond to SNMP strings will be added
            • The next time that discovery is scheduled, the same process will then happen for all existing devices in the database?

          A: No, next time the process is the same. Discovery always gets the initial set of nodes from the profile definition. It uses all those IPs in hop 1 and if any device is recognized as a router, its list of subnets is collected and the generated IP ranges are used for hop 2 scanning. Discovery does not load the list of previously discovered IPs from the database. Each execution works identically to the first execution. As the network may change, it may return different nodes in the result, but the algorithm is the same (stateless).

           

          • What does this statement mean in the Admin guide "Networks connected through the seed router are NOT automatically selected for discovery"
            • Is it trying to imply that networks (e.g. IP / subnet ranges) that are not defined in the discovery scope will not be automatically added to be scanned - this would seem to make sense

          A: Yes, the list of subnets is collected from the device once, when the profile is being created or edited. The user can choose which subnets should be included. NPM stores the selected subnets in the discovery profile configuration and won’t touch it unless the user decides to manually edit the profile.

            • What about devices that are within the (already configured) discovery scope, will they still be discovered if the SNMP strings work as long as they're within the configured hop count?

          A: YES

            • What about devices that are within the hop count that are in the ARP table, but are in a different network range - will these still be scanned and added?

          A: NPM works with routing tables only.

          • Once a device is discovered and in the system, if an SNMP discovery happens again, will Solarwinds attempt to connect to the device again with the already known SNMP string or will it try to discover it again with all of the SNMP strings in the configured discovery settings?

          A: Discovery always uses the credentials defined in the discovery profile. It does not load or use any information about existing nodes during a network scan. So if you specify two community strings in the profile, those two strings will always be used for scanning.

           

          thanks,

          Michal

            • Re: Network Sonar Whitepaper / Technical information on how it works
              schnarked

              Hi Michal,

               

              Thanks for getting back to me and the detailed answers - it really helps understand how the system works.

               

              A couple of follow-up questions if I may:

              - If I'm running an extremely large network, say 3 distinct class B addresses, does this mean that it's going to hit every single IP address with an ICMP (and then an SNMP request if it responds) as part of the discovery unless I limit it down to exactly the subnets only that I want to poll? Even if I do the latter, it will still hit every IP address in that range with an ICMP then an SNMP request, correct?

              - How do you handle nodes that don't respond to ICMP or SNMP polls, but send SNMP traps such as secure proxy servers?

              - So just to confirm, every discovery, all of the devices that Solarwinds already knows about will be re-discovered again using the SNMP strings in the discovery settings section?

              - Thanks for clarifying that it's using the routing table not the ARP table. I'm assuming it also doesn't use the CDP/LLDP info?

               

              The reasoning behind some of these questions is that for some devices, if you hit them with the wrong SNMP string, they'll send a failed auth SNMP trap which, from experience, can really quickly fill up SNMP trap systems. It also tends to make security teams running IDS systems slightly unhappy as well if they're not aware it's happening...

               

              Cheers,

               

              Kieran

                • Re: Network Sonar Whitepaper / Technical information on how it works
                  michal.hrncirik

                  Hi Kieran,

                   

                  here are responses for your additional questions:

                   

                  1) Yes, we will ping every single IP that falls into the given subnet (with ICMP and SNMP).

                  2) You may add that node and it will act as "down" in NPM, but you will still see traps in the message center if you configure that node properly so that it sends traps to the NPM server.

                  3) Yes, that's correct. NPM takes the subnet (IP range) you defined and polls each node again. NPM tries all available SNMP credentials until the node responds to an SNMP query.

                  4) You are right, there is no support for CDP/LLDP now.

                   

                  For the case you mentioned - the problem with SNMP strings and trap messages - there could be a few possible solutions.

                  - Define multiple discoveries, where each discovery uses just one SNMP credential that corresponds to the given IP range (or group of devices with the same SNMP string).

                  - Unify SNMP credentials so there won't be too many different SNMP strings.

                   

                  feel free to ask for more.

                   

                  thanks,

                  Michal
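
Added example (not part of the thread and not SolarWinds code): a Python planning sketch that estimates, before a discovery is run, how many addresses a set of discovery profiles will probe and how many wrong-community SNMP attempts (each a potential authentication-failure trap) known devices will see, comparing one profile carrying every string with the one-string-per-range split suggested above. The inventory, addresses and community names are constructed, and the assumption that strings are tried in list order until one answers is this example's own.

```python
import ipaddress

def scan_footprint(profiles, inventory):
    """Return (addresses_probed, failed_auth_attempts) for discovery profiles.

    profiles:  list of (subnet_cidr, [community strings, in the order tried])
    inventory: {ip: community string the device actually accepts}
    Assumption (not confirmed in the thread): strings are tried in list
    order and trying stops at the first one the device answers, so every
    string tried before the right one is one failed-auth event on the device.
    """
    probed = 0
    failed = 0
    for cidr, communities in profiles:
        net = ipaddress.ip_network(cidr)
        # Upper bound: every address in the range is swept, device or not.
        probed += net.num_addresses
        for ip, accepted in inventory.items():
            if ipaddress.ip_address(ip) not in net:
                continue
            if accepted in communities:
                failed += communities.index(accepted)  # wrong tries before the hit
            else:
                failed += len(communities)             # every string is rejected
    return probed, failed

# Constructed inventory: three sites, one device whose string we do not hold.
INVENTORY = {
    "10.1.0.1": "site-a", "10.1.0.2": "site-a",
    "10.2.0.1": "site-b", "10.2.0.2": "site-b",
    "10.3.0.1": "site-c", "10.3.0.9": "not-in-any-profile",
}
ALL = ["site-a", "site-b", "site-c"]

# One credential list applied to three whole /16 ranges.
SINGLE = [("10.1.0.0/16", ALL), ("10.2.0.0/16", ALL), ("10.3.0.0/16", ALL)]
# Same ranges, one community string per range.
SPLIT = [("10.1.0.0/16", ["site-a"]), ("10.2.0.0/16", ["site-b"]),
         ("10.3.0.0/16", ["site-c"])]
# Split profiles narrowed to the subnets that actually hold devices.
NARROW = [("10.1.0.0/24", ["site-a"]), ("10.2.0.0/24", ["site-b"]),
          ("10.3.0.0/24", ["site-c"])]

if __name__ == "__main__":
    for name, prof in (("single", SINGLE), ("split", SPLIT), ("narrow", NARROW)):
        print(name, scan_footprint(prof, INVENTORY))
```

Because each discovery run is stateless, these figures repeat on every scheduled execution, which is the number to give the trap-receiver and IDS owners in advance.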