Data Collection

Information about devices that exist on the network can be retrieved from the data collected from the devices that are already discovered.

Network Insight collects data from the following sources:

ARP Table—Discovered from collected ARP data.
ACI—Discovered fabric nodes from configured APIC controller.
Call Server—Discovered IP phone and VoIP devices from call server data.
CDP—Discovered from CDP neighbor data.
HSRP—Discovered from HSRP data.
IP Phone—Discovered call server from IP phone.
LLDP—Discovered from LLDP neighbor data.
Route Table—Discovered as a route next hop or /32 or /128 route destination.
VPN Table—Netscreen nsVPNMonTable and nsAddrStatusTable data.
VRRP—Discovered from VRRP data.
Wireless AP—Wireless forwarding data where IP address information is included.
Wireless Controller—Discovered Wireless AP from wireless controller data.

After Network Insight identifies the address by which the device can be found using the above means, it performs the following steps to collect all required information from the device:

Reachability Check

It indicates the reachability of the discovered device. Typically, devices are reported Passed for Reached Status if they are reachable through SNMP, CLI, a path trace through ICMP, or UDPbased
path tracing for an IPv6 address. If a value of Failed appears, you will likely see a Last Action reading of Reachable: Failed to Reach.

You may see a Reached Status of Passed and still receive an Overall Status of Failed. This often occurs because either the CLI credentials or SNMP credentials provided for discovering the device do not work, or another problem occurs in some part of the discovery process.

You can enable the SNMP or CLI collection in the Infoblox (Grid Discovery Properties) dialog box.

Port Scanning

You can enable port scanning in the Infoblox (Grid Discovery Properties) dialog box.

If enabled, Network Insight probes the TCP and UDP ports on the device to determine if they are open (listed in Grid Discovery Properties > Polling > Advanced).

Note

Advanced SNMP polling settings consist of choosing the TCP Scan Technique along with a number of specialized settings for Ping Sweeps and other operations.

In the TCP Scan Technique menu, choose the TCP technique you want to use for the discovery:

— SYN: Select this to quickly perform scans on thousands of TCP ports per system, never completing connections across any well-known port. SYN packets are sent and the poller waits for a response while continuing to scan other ports. A SYN/ACK response indicates the protocol port is listening while an RST indicates it is not listening. The SYN option presents less impact on the network.

— CONNECT: Select this to scan IPv6 networks. Unlike the SYN option, complete connections are attempted on the scanned system and each successive TCP protocol port being scanned. In the port table, select the checkboxes of the TCP ports you want to discover. You can select all ports by clicking the checkbox in the header. To add a new port to the list, click the Add icon and then enter the port number and the name of the service. In the Port field, enter a number between 1 and 65535. You can also delete a specific TCP port in the list, or select multiple ports for deletion.

Fingerprinting/Profile Device

If enabled, Network Insight attempts to identify each network device based on the response characteristics of its TCP stack. This information is used to determine the device type. In the absence of SNMP access, fingerprinting is usually the only way to identify non-network devices. If disabled, devices accessible via SNMP are identified correctly; all other devices are assigned the Unknown device type.

Credential guessing

Network Insight goes through credentials provided by the user to find the right ones for each device.

Credentials can be overridden at the device level. This option is available when the IP address is converted to a managed object such as a host, record, PTR record, or fixed address.

To override SNMP or CLI credentials, select the corresponding checkboxes.

Collection

Data is collected from devices using SNMP and CLI.

NetBIOS Scanning

Collect the NetBIOS name for endpoint devices in the network.

Clarification on discovery parameters:

ARP Aggregate Limit. Defines the maximum number of ARP records per one MAC address. If there are more, it is considered to be an invalid configuration and all records for this MAC address are discarded.
ARP Cache Refresh. Defines the time period between ARP refreshes by Network Insight across all switch ports. ARP Cache refreshes are used to improve the accuracy of end-device discovery.
Disable discovery for networks not in IPAM. Prevents Network Insight from executing discovery on any infrastructure networks that are not present in the Infoblox IPAM, and prevents it from creating unmanaged networks found in devices.

For information on other discovery settings, see NIOS Documentation.

When multiple IP addresses exist on a device, Network Insight picks one of those IP addresses to be the management IP address of the device. Network Insight only chooses IP addresses that are in defined networks. Network Insight picks the management IP address based on the following priority:

User-specified management IP address (available since 8.3).
IP address matching an IP address of a seed router configured during setup.
IP address of an interface with the “softwareLoopback” port type and with the lowest ifIndex value (it is an interface property collected by SNMP; check SNMP documentation for details). If multiple IPs are on the same ifIndex, the lowest numerical value IP address is chosen.
Any interface named "mgmt" or "management" with the lowest ifIndex value. If multiple IPs are on the same ifIndex, the lowest numerical value IP address is chosen.
IP address of an interface with the “ethernet-csmacd” port type and with the lowest ifIndex value. If multiple IPs are on the same ifIndex, the lowest numerical value IP address is chosen.
Interface with the lowest ifIndex value. If multiple IPs are on the same ifIndex, the lowest numerical value IP address is chosen.

The same device can be discovered from different sources and with different addresses. To ensure there are no multiple records for the same device, the discovery engine performs deduplication. A specific property called snmpEngineID is generated for each device. The snmpEngineID is an MD5 sum of the following SNMP data (check SNMP documentation for details on each item):

sysDescr
sysLocation
sysName
sysObjectID
sysServices
ipForwarding
ifAddrCheckSum—MD5 sum of interface information (interface index, address, and network mask).

If two devices with the same snmpEngineID are discovered, the last one is removed as a duplicate.

If a device is an end host, e.g. a Linux workstation, but with several network adapters, each address is discovered as a separate device. Network Insight does not try to deduplicate end hosts.

The table below presents information collected, frequency, and source.

Information type	Frequency	Available sources
Device chassis information	1 hour	SNMP/CLI
Device environment information: fan speed, temperature, and power supply	1 hour	SNMP
Information of CPU, memory, and disk usage on the device	10 min	SNMP
Information about interfaces, their configuration, addresses, and performance	1.5 hours	SNMP/CLI
Forwarding tables	Configurable in Switch Port Data Collection in Grid Discovery Settings	SNMP/CLI
Switch port information		SNMP
VLAN information		SNMP/CLI
ARP tables		SNMP/CLI
Route table	2 hours	SNMP/CLI
Routing Protocol information	2 hours	SNMP
Routing Counter information	2 hours	SNMP
VRF information	2 hours	CLI only for Juniper, Cisco, Arista SNMP only for Fortinet
Firewall statistics	1 hour	SNMP/CLI
Wireless information	1 hour	SNMP
Cisco ACI fabric information and each data category from this table which applies	1 hour	HTTP (is controlled by the SNMP Collection setting)
Port scan	24 hours	nmap

Note

These are the most common data types with the most common intervals for reference. Devices for some vendors may have a different polling frequency.