Create IP reconciliation policies at the configuration (IPv4 only), block, or network level.
To add an IPv4 reconciliation policy:
- Choose where to add the IP reconciliation policy:
- IPv4 only: To set up an IPv4 reconciliation policy at the configuration level, navigate to the IPv4 reconciliation management page (IPAM > IPv4 reconciliation). Select New.
- To set up an IPv4/IPv6 reconciliation policy at the block/network level, navigate to the parent block of the IPv4/IPv6 block or network. Select the row actions button (⋮) for the block or network, then select Define reconciliation policy. The Network boundaries portion of the Create IPv4 reconciliation policy form will be automatically populated with the boundary of the IPv4/IPv6 block or network.
- Under General, select a Discovery method from the following options:
- SNMP
- SNMP plus pingsweep (IPv4 only)
- Pingsweep (IPv4 only)
- No discovery
The options available depend on the type of discovery method that you choose.
- On the Discovery scope tab, set the following parameters:
- Select a Seed router option:
- Default gateway address—select this option to use the Address Manager’s default gateway address as the starting point for the network discovery.
- Seed IP addresses—enter the IP address of one or more routers or layer 3 switches from which the network discovery operation is to start. To minimize heavy traffic and impact on the network, you can add multiple IP addresses.
- SNMP version (SNMP only)—select the SNMP version running on the router or layer 3 switch. Refer to the device’s documentation to determine which SNMP version it's running.
- Port (SNMP only)—enter a value to indicate the SNMP port Address Manager uses to communicate with the router or switch. The default port is 161.
- Community strings (SNMP only)—enter one or more SNMP community strings used for authentication. You can add up to 100 community strings to the list. Strings are used in the order presented in the list.
- Network boundaries—define the range or ranges that you want to search for networks and addresses. If setting up an IPv4/IPv6 reconciliation policy at the block/network level, the field will be automatically populated with the boundary of the IPv4/IPv6 block or network. When creating an IPv4 policy at the configuration level, you can add multiple boundaries based on your existing network structure to minimize traffic and impact on the network. For configuration level IPv4 reconciliation policies, enter a range in CIDR notation and select the add (+) button to add the range to the network boundary list. BlueCat strongly recommends not defining a single large boundary in order to avoid a lengthy delay in reconciling discovered addresses. You should strategically define multiple IP reconciliation policies based on your network infrastructure and set the boundary of each policy. For example, if you were using 192.0.2.0/24 for switch/routers and 192.0.3.0/24 for desktops, then you should define two separate network boundaries when creating a policy.
- Ping sweep network gaps (Ping sweep only)—enter the specific range(s) of IP addresses to which ping sweep sends ICMP echo requests.
- On the Optimization parameters tab (SNMP and ping sweep only), set the following parameters:
- Skip FQDN lookup and reverse DNS resolution—select to skip FQDN and DNS reverse lookups. If this option is selected, the Address Manager discovery engine will not perform FQDN and DNS reverse lookups against any DNS resolver, and the FQDN column in the IPv4/IPv6 Reconciliation table will be empty.
- DNS servers—enter one or more DNS server IP addresses that the discovery engine will use to perform FQDN and DNS reverse lookups.
Note:
- Setting a DNS server in an IP reconciliation policy will override the DNS server setting added in the Reconciliation Settings page at the configuration level.
- IPv4 only: If you don't set a DNS server at the reconciliation policy level, the IP reconciliation and discovery engine will use the name server configured from the Address Manager Administration Console.
- Black-hole VLAN (SNMP only)—enter a VLAN ID for the black hole VLAN. This will be used as a default VLAN for all unused ports. The default value is 1. BlueCat recommends configuring all idle ports of a switch to a VLAN other than VLAN 1.
- Trunk default VLAN (SNMP only)—enter an unused VLAN ID to be assigned to a trunk as a native/default VLAN to protect controlled traffic from being spoofed. The default value is 1. BlueCat recommends changing the value to something other than VLAN 1.
- On the Scheduled time tab, set the time and frequency for the policy:
- Start time—enter a start time and date in the format MMM DD, YYYY HH:MM:SS AM/PM (for example Jan 1, 2025 12:00:00 AM), or select the calendar button to choose a start time in the calendar widget.
Note: When viewing IP reconciliation policy details, the Start time indicates the original time and date specified in the reconciliation policy. It doesn't indicate when the policy was last run.
- Frequency—to run the policy just once at the specified time and date, select Once. To run the policy at a regular interval, select Recurring, and enter a time Interval period and Unit.
- Active—select the checkbox to activate the policy. When selected, the policy runs at its scheduled time.
- On the Acceptance criteria tab (IPv4 only), select Enable automated acceptance to enable the automatic reconciliation process, which places any IP addresses found by the discovery process into the Address Manager database automatically.
Set the following parameters to reconcile or notify you of IP addresses older than your selected time:
Note:
- Reclaimable—(IPv4 only) an address that exists in Address Manager, but isn't found on the physical network. This may represent a device that was turned off at the time of the discovery, or the address may no longer exist on the network.
- Unknown—an address that exists on the physical network, but that's not in Address Manager. This likely represents an address that has been added to the network after the last discovery.
- Mismatch—an address that exists in both Address Manager and on the network, but where the MAC address, DNS host name information, VLAN information or connected switch port doesn't match.
- Reconcile reclaimable addresses—select this checkbox and enter a time interval to reconcile reclaimable IP addresses older than the designated time.
- Reconcile unknown addresses—select this checkbox and enter a time interval to reconcile unknown IP addresses older than the designated time.
- Reconcile mismatched addresses—select this checkbox and enter a time interval to reconcile mismatched IP addresses older than the designated time.
- View for reconciliation—select a DNS view against which the reconciliation process will be performed, or leave this field empty for Address Manager to reconcile IP addresses against all DNS views.
Note: Available DNS views in Address Manager will be populated in the drop-down menu.
Automatic reconciliation starts immediately after the discovery process returns all discovered IP addresses. If Reconcile is selected for the type of IP address, and the IP address is older than the time interval selected, the IP address is reconciled. If Reconcile options are not selected, the IP address isn't reconciled.
- On the Override list tab, specify addresses and ranges that the policy should ignore. Enter a single IP address, CIDR block (nnn.nnn.nnn.nnn/mm), or IP address range (nnn.nnn.nnn.nnn-nnn.nnn.nnn.nnn) into the field and select the add (+) button to add the item to the overrides list.
- In the Change control section, add comments if required.
- Select Create or Create and add another.
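The acceptance criteria and override list described above can be modelled offline to preview which addresses a policy would reconcile automatically. This is an added illustration, not BlueCat code or an Address Manager API; the record layout, the function names, and the reading of "older than" as time since the address was first seen in its current state are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

FIELDS = ("mac", "host", "vlan", "port")  # attributes compared for a mismatch

def overridden(ip, overrides):
    """True if ip matches an override entry: single address, CIDR, or a-b range."""
    addr = ipaddress.ip_address(ip)
    for entry in overrides:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo.version == addr.version and lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def classify(ipam, discovered, overrides=()):
    """Return {ip: state} for addresses that differ between IPAM and discovery."""
    states = {}
    for ip in set(ipam) | set(discovered):
        if overridden(ip, overrides):
            continue                     # the policy ignores override-list entries
        if ip not in discovered:
            states[ip] = "reclaimable"   # in IPAM, not found on the network
        elif ip not in ipam:
            states[ip] = "unknown"       # on the network, not in IPAM
        elif any(ipam[ip].get(f) != discovered[ip].get(f) for f in FIELDS):
            states[ip] = "mismatch"      # in both, attributes differ
    return states

def auto_accept(states, first_seen, now, intervals):
    """Addresses whose state has a Reconcile interval and whose assumed age exceeds it."""
    return sorted(ip for ip, s in states.items()
                  if s in intervals and now - first_seen[ip] > intervals[s])

# Constructed sample data (documentation address space, not real inventory).
IPAM = {"192.0.2.10": {"mac": "00:00:5e:00:53:0a", "vlan": 10},
        "192.0.2.11": {"mac": "00:00:5e:00:53:0b", "vlan": 10},
        "192.0.2.12": {"mac": "00:00:5e:00:53:0c", "vlan": 10}}
DISCOVERED = {"192.0.2.10": {"mac": "00:00:5e:00:53:0a", "vlan": 10},
              "192.0.2.12": {"mac": "00:00:5e:00:53:0c", "vlan": 1},
              "192.0.2.50": {"mac": "00:00:5e:00:53:32", "vlan": 10},
              "192.0.2.201": {"mac": "00:00:5e:00:53:c9", "vlan": 20}}
OVERRIDES = ["192.0.2.200-192.0.2.210"]
NOW = datetime(2025, 1, 8)
FIRST_SEEN = {"192.0.2.11": NOW - timedelta(days=10), "192.0.2.12": NOW - timedelta(days=1),
              "192.0.2.50": NOW - timedelta(days=3)}
INTERVALS = {"reclaimable": timedelta(days=7), "mismatch": timedelta(days=2)}  # unknown off
print(auto_accept(classify(IPAM, DISCOVERED, OVERRIDES), FIRST_SEEN, NOW, INTERVALS))
```

With the Reconcile option left off for unknown addresses, 192.0.2.50 stays in the unknown state for manual review, however old it is.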