Creating and editing IP reconciliation policies - BlueCat Integrity - 9.4.0

Address Manager Administration Guide

Locale: English
Product name: BlueCat Integrity
Version: 9.4.0

Create IP reconciliation policies at the configuration (IPv4 only), block, or network level.

Note: BlueCat strongly recommends using SNMP for all discovery operations.
Note: Currently, running Snmp plus Pingsweep won't discover MAC addresses of inactive hosts on the same subnet as Address Manager.

To add or edit an IPv4 reconciliation policy:

  1. Choose where to add the IP reconciliation policy:
    • To set the IP reconciliation policy at the configuration level (IPv4 only), navigate to the configuration’s Details tab. In the IP Reconciliation Policies section, click New > IPv4 Reconciliation Policy.
    • To set the IP reconciliation policy at the block level, navigate to an IP block’s Details tab. In the IP Reconciliation Policy section, click the IPv4/IPv6 Reconciliation Policy link.
    • To set the IP reconciliation policy at the network level, navigate to an IP network’s Details tab. In the IP Reconciliation Policy section, click the IPv4/IPv6 Reconciliation Policy link.
  2. Under Discovery Engine, choose one of the following Discovery Methods.
    • Snmp
    • No discovery
    • Pingsweep only (IPv4 only)
    • SNMP Pingsweep (IPv4 only)

    The options available depend on the type of discovery method that you choose.

  3. Under Network Discovery Criteria, set the following parameters:
    Note: This section is only populated when selecting SNMP and SNMP plus Pingsweep (IPv4) methods.
    • Seed IP Address—enter the IP address of the router or layer 3 switch from which the network discovery operation is to start.
    • Multi-Seed IP Addresses—enter the IP addresses of the routers or layer 3 switches from which you want the network discovery operation to start. In the text field, enter an IP address and click Add Another. The IP address appears in a list beneath the text field. To remove an IP address from the list, click Remove beside it. This option appears only when selecting the Snmp method. Seeding discovery from several devices close to the networks being discovered spreads the SNMP load and reduces traffic across the network.
    • Default Gateway Address—select this option to use the Address Manager’s default gateway address as the starting point for the network discovery.
    • Version—select the SNMP version running on the router or layer 3 switch. Refer to the device’s documentation to determine which SNMP version it's running.
    • Port Number—enter a value to indicate the SNMP port Address Manager uses to communicate with the router or switch. The default port is 161.
    • Community String—type the SNMP Community String used for authentication and click Add. The Community String appears in the list. You can add up to 100 Community Strings to the list. Strings are tried in the order presented in the list. To remove a string, select it from the list and click Remove. To change the order of items in the list, select an item in the list and click Move up or Move down. In SNMPv1 and SNMPv2c the community string is sent in cleartext and gives read access to the device's interface, routing and ARP tables, so treat it as a credential: use a read-only string dedicated to discovery, and restrict on the devices which source addresses may present it.
  4. IPv4 only. Under Network Boundaries, define the range or ranges that you want to search for networks and addresses. In the text field, enter a range in CIDR notation and click Add Another. The range appears in a list beneath the text field. To remove a range from the list, click Remove beside a range. BlueCat strongly recommends not defining a single large boundary in order to avoid a lengthy delay in reconciling discovered addresses. You should strategically define multiple IP reconciliation policies based on your network infrastructure and set the boundary of each policy.
    When creating a policy at the configuration level, you can also add multiple boundaries based on your existing network structure to minimize traffic and impact on the network. For example, if you were using 192.0.2.0/24 for switch/routers and 192.0.3.0/24 for desktops, then you should define two separate network boundaries when creating a policy.
    Note:
    • The Network Boundaries section appears only when creating an IPv4 reconciliation policy at the configuration level.
    • When creating an IPv4 reconciliation policy at the block or network level, the Network Boundaries section appears with the predefined network range under Network Discovery Criteria.
  5. Under Ping Sweep, define the range(s) of IP addresses in CIDR notation to which ping sweep sends ICMP echo requests.
    Note: This section is only populated when selecting Pingsweep only method.
    • Network gaps (cidr)—select this option to define the specific range(s) of IP addresses to which ping sweep sends ICMP echo requests. In the text field, enter an IPv4 network range in CIDR notation and click Add Another. The IPv4 network range appears in a list beneath the text field. To remove a network range from the list, click Remove beside it.
    • Whole network—select this option to send ICMP echo request to the whole network defined in the Network Boundaries section.
      Note: The Whole Network option is available only in IPv4 reconciliation policies with the following defined IPv4 blocks/networks:
      • IPv4 Network must be /22 or smaller
      • IPv4 Block must be /22 or smaller and CIDR aligned*

      *CIDR aligned means the block is defined in CIDR notation <NetworkAddress>/<RoutingPrefix>, not as an arbitrarily ranged segment such as StartAddress—EndAddress.

    If you don't define a range, ping sweep won't perform the network discovery.

  6. Under Advanced Parameters, set the following parameters:
    • Skip FQDN/Reverse DNS Resolution—select to skip FQDN and DNS reverse lookups. If this option is selected, the Address Manager discovery engine does not perform FQDN or DNS reverse lookups against any DNS resolver, and the FQDN column in the IPv4/IPv6 Reconciliation table is empty.
    • DNS Server—enter a DNS server IP address that the discovery engine will use to perform FQDN and DNS reverse lookups.
      Note:
      • Setting a DNS server in an IP reconciliation policy will override the DNS server setting added in the Reconciliation Settings page at the configuration level.
      • IPv4 only. If you don't set a DNS server either at the global configuration level or specific IP reconciliation policies, the IP reconciliation and discovery engine will use the name server configured from the Address Manager administration console.
    • Black Hole Vlan—enter a VLAN ID for the black hole VLAN. This will be used as a default VLAN for all unused ports. The default value is 1. BlueCat recommends configuring all idle ports of a switch to a different VLAN other than VLAN 1.
    • Trunk Default Vlan—enter an unused VLAN ID to be assigned to a trunk as a native/default VLAN to protect controlled traffic from being spoofed. The default value is 1. BlueCat recommends changing the value to something other than VLAN 1.
  7. Under Scheduled Time, set the time and frequency for the policy:
    • Start Time—enter the start time in these fields and select AM or PM.
    • Start Date—enter a date in the format DD MMM YYYY (for example, type 10 JAN 2012 for January 10 2012), or click the calendar button to select a date.
      Attention: If your preferred browser locale does not match the configured Address Manager system language locale, you may experience issues with the date component within Address Manager. If you cannot configure the date component, you must update the browser locale to match the configured Address Manager system language locale. By default, the Address Manager system language locale is configured to English [en-US].

      For more information on supported Address Manager system languages and configuring the Address Manager locale, refer to Setting system language.

      Note: When viewing IP reconciliation policy details, the Start Time and Start Date indicate the original time and date specified in the reconciliation policy. They don't indicate when the policy was last run.
    • Frequency—to run the policy just once at the specified time and date, select Once. To run the policy at a regular interval, select Every, type a value in the text field, and select a time interval from the drop-down list.
  8. Under Status, select Active to make the policy active. When selected, the policy runs at its scheduled time. You can also run the policy using the Run Now link. When not selected, the policy doesn't run at its scheduled time, but you can run it using the Run Now link.
  9. IPv4 only. Under Acceptance Criteria, select Enable Automated Acceptance to enable the automatic reconciliation process, which places any IP addresses found by the discovery process into the Address Manager database automatically.
    Set the following parameters to reconcile or notify you of IP addresses older than your selected time:
    • Reclaim, Unknown, and Mismatch IP addresses older than—for each of the three categories, enter a value in the text field, select a time interval from the drop-down list, and then select Reconcile to perform reconciliation, or No Action to receive an email containing reconciliation details of the reclaimable, unknown, or mismatched IP addresses.
      Note:
      • Reclaimable—(IPv4 only) an address that exists in Address Manager, but isn't found on the physical network. This may represent a device that was turned off at the time of the discovery, or the address may no longer exist on the network.
      • Unknown—an address that exists on the physical network, but that's not in Address Manager. This likely represents an address that has been added to the network after the last discovery.
      • Mismatch—an address that exists in both Address Manager and on the network, but where the MAC address, DNS host name information, VLAN information or connected switch port doesn't match.
    • View for Reconciliation—select the DNS Views against which the reconciliation process is performed, or select Ignore DNS Space to have Address Manager reconcile IP addresses against all DNS Views.
      Note: The drop-down menu lists the DNS Views available in Address Manager.

      Automatic reconciliation starts immediately after the discovery process returns all discovered IP addresses. If Reconcile is selected for the type of IP address, and the IP address is older than the time interval selected, the IP address is reconciled. If No Action is selected, an email is sent and the IP address isn't reconciled.

  10. IPv4 only. Under IPv4 Reconciliation Overrides List, specify addresses and ranges that the policy should ignore. Enter a single IP address, a CIDR block (nnn.nnn.nnn.nnn/mm), or an IP address range (nnn.nnn.nnn.nnn-nnn.nnn.nnn.nnn) into the field and click Add Another. Repeat this step to add more addresses to the override list. To remove an address, CIDR block, or IP address range, click Remove.
  11. Under Change Control, add comments, if required.
  12. Click Add.
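The three decisions the policy makes on the data side, as an added example that is not BlueCat code and does not use the Address Manager API: whether a block or network qualifies for the Whole network ping sweep option (step 5), whether an address is covered by the IPv4 Reconciliation Overrides List (step 10), and which of the reclaimable, unknown or mismatch categories an address falls into (step 9). The hosts, MACs, names and override entries are constructed sample data; the Host record and the mismatch comparison (MAC and FQDN only) are this example's own simplification of what the discovery engine records.

```python
# Added example (not BlueCat code): a small model of three checks the procedure
# above describes. Hostnames, MACs and addresses below are constructed sample data.
import ipaddress
from dataclasses import dataclass

MAX_WHOLE_NETWORK_PREFIX = 22  # "/22 or smaller": prefix length must be >= 22


def whole_network_allowed(start, end=None):
    """True if a block/network qualifies for the 'Whole network' ping sweep
    option: CIDR aligned and no larger than a /22 (at most 1024 addresses).

    start may be CIDR text ("192.0.2.0/24"); a start/end pair models a block
    defined as an arbitrary range, which qualifies only if it is exactly one
    CIDR-aligned network."""
    try:
        if end is None:
            # strict=True rejects host bits set below the mask (not CIDR aligned)
            net = ipaddress.ip_network(start, strict=True)
            return net.prefixlen >= MAX_WHOLE_NETWORK_PREFIX
        nets = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    except ValueError:
        return False
    return len(nets) == 1 and nets[0].prefixlen >= MAX_WHOLE_NETWORK_PREFIX


def parse_override(entry):
    """Expand one override-list entry (single IP, CIDR block, or
    start-end range) into the networks it covers."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(entry, strict=False)]  # a single IP becomes a /32


def is_overridden(ip, overrides):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for entry in overrides for net in parse_override(entry))


@dataclass
class Host:
    ip: str
    mac: str = ""   # empty = not learned
    fqdn: str = ""  # empty = reverse lookup skipped or no PTR record


def classify(records, discovered, overrides=()):
    """Sort addresses into the three reconciliation categories.

    records: what Address Manager holds; discovered: what the discovery engine
    found. Addresses covered by the override list are skipped. Mismatch here
    compares MAC and FQDN only; VLAN and switch port would be compared the same
    way. FQDN is compared only when discovery returned one, so a policy with
    Skip FQDN/Reverse DNS Resolution does not flag every address as a mismatch."""
    rec = {h.ip: h for h in records}
    disc = {h.ip: h for h in discovered}
    out = {"reclaimable": [], "unknown": [], "mismatch": []}
    for ip in sorted(set(rec) | set(disc), key=ipaddress.ip_address):
        if is_overridden(ip, overrides):
            continue
        if ip not in disc:
            out["reclaimable"].append(ip)   # in Address Manager, not seen on the wire
        elif ip not in rec:
            out["unknown"].append(ip)       # on the wire, not in Address Manager
        else:
            r, d = rec[ip], disc[ip]
            mac_differs = r.mac.lower() != d.mac.lower()
            fqdn_differs = bool(d.fqdn) and r.fqdn.lower() != d.fqdn.lower()
            if mac_differs or fqdn_differs:
                out["mismatch"].append(ip)
    return out


# Constructed sample data: four Address Manager records, four discovered hosts.
RECORDS = [
    Host("192.0.2.10", "00:11:22:33:44:55", "printer.example.com"),
    Host("192.0.2.11", "aa:bb:cc:dd:ee:01", "ws1.example.com"),
    Host("192.0.2.12", "aa:bb:cc:dd:ee:02", "old.example.com"),
    Host("192.0.2.200", "aa:bb:cc:dd:ee:c8", "mgmt.example.com"),
]
DISCOVERED = [
    Host("192.0.2.10", "00:11:22:33:44:55", "printer.example.com"),  # matches
    Host("192.0.2.11", "aa:bb:cc:dd:ee:99", "ws1.example.com"),      # MAC changed
    Host("192.0.2.20", "aa:bb:cc:dd:ee:14"),                         # new on the wire
    Host("192.0.2.200", "ff:ff:ff:ff:ff:ff"),                        # covered by override
]
OVERRIDES = ["192.0.2.200", "192.0.2.240-192.0.2.255"]

if __name__ == "__main__":
    print(whole_network_allowed("192.0.2.0/24"))              # True
    print(whole_network_allowed("192.0.2.0", "192.0.4.255"))  # False: spans two CIDR blocks
    print(classify(RECORDS, DISCOVERED, OVERRIDES))
```

Running the block classifies 192.0.2.12 as reclaimable, 192.0.2.20 as unknown and 192.0.2.11 as a mismatch, while 192.0.2.200 is skipped because the override list names it. The age thresholds and the Reconcile/No Action choice from step 9 would be applied on top of these lists.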