When NetMRI performs Discovery on devices in the network for the first time, they are organized into Device Groups and Interface Groups, using common-sense networking terms.

Device Groups and Interface Groups are the primary organizational units in NetMRI. You can create device groups in a nested structure, with some device groups subordinate to other device groups. You can apply device group membership criteria in the same ways with nested device groups as for device groups from earlier releases of NetMRI, which used a flat data structure and enforced all device groups as existing on the same peer level. You can now create a hierarchical list of device groups, comprised of top-level groups, with child device groups subordinate to them, and with child device groups further subordinate to their parent groups. 

NetMRI uses device groups to organize device discovery results, generate separate scorecards, filter issues, and manage polling and processing for each device in the network. Device groups also offer control of Switch Port Management processes, including the ability to immediately carry out Switch Port polling in a device group.

Device groups can also be used for suppression of Issue reporting across sets of devices, and to modify the thresholds used by NetMRI for raising chosen issues. The use of Device Group suppression removes the need for manually suppressing undesirable issue instances and allows for instances that have yet to be raised to be suppressed before they are raised.

You can create device groups to organize devices according to business needs. Devices can belong to more than one group, and different sets of groups can be used for different purposes.

For example, you might create a collection of groups named North, South, East, and West that organize devices geographically, while creating another set of groups named Accounting, Sales, and Engineering that organize devices along departmental lines. This allows you to manage devices across different dimensions, using similar mechanisms. With the groups described above, for instance, you can generate separate scorecards for all devices in the West or all devices used by Engineering. You decide on the organization, and NetMRI properly sorts everything.

The Device Shortcut Menu

Anywhere an IP address appears as a hyperlink in the NetMRI appliance, you can right-click that hyperlink to open a useful shortcut menu.

• Device Viewer: Opens the Device Viewer for the selected device associated with the hyperlink.
• Config Explorer: Opens the Config Explorer for the device associated with the hyperlink.
• View Running Config: Queries the chosen device and displays the contents of its currently running configuration file.
• Changes: Displays the device's Network Analysis > Changes page in the Device Viewer.
• Issue List: Displays the chosen device's Network Analysis > Issues page in the Device Viewer. 
• Policy Compliance: Opens the chosen device's Network Analysis > Policy Compliance page in the Device Viewer, which shows the status of any Policies deployed against the chosen device.
• Topology Viewer: Opens the NetMRI Topology Viewer with the selected device as the central device shown in the map.
• Schedule Job: Opens the Job Details window, to set up a job script to run against the chosen device. 
• Execute Command: Similar to Schedule Job, this option opens an Ad Hoc Command function to allow entry of a single command string to the chosen device. The command syntax needs to be compatible with the selected device like JunOS for Juniper, IOS or CatOS for Cisco, and so on.
• Open Telnet Session: Activates the Telnet/SSH proxy to start a new Telnet session with the chosen device.
• Open SSH Session: Activates the Telnet/SSH proxy to start a new SSH session with the chosen device.

Telnet and SSH Proxy Operation

The NetMRI appliance functions as a Telnet and SSH session proxy for users to communicate by command line with devices on the network, including devices that the system sees and can reach, but does not manage. This functionality extends to Telnet or SSH sessions with NetMRI devices themselves.

The Telnet/SSH proxy also provides full VT100 emulation for systems and devices that need it. NetMRI provides a hard limit of ten concurrent SSH or Telnet sessions from any NetMRI instance to other devices. For example, if one user has seven Telnet sessions open on a NetMRI instance, all other users are limited to a total of three additional terminal sessions.

For any Telnet or SSH session, administrative users can define user CLI credentials for other NetMRI user accounts. The location for configuring is Settings icon –> User Admin –> edit User –> CLI Credentials tab. Accounts that can modify CLI credentials for themselves and other users include SysAdmin, UserAdmin and ChangeEngineer High. Without User CLI credentials, other users can still log in to devices using their own device-specific credentials. This is particularly handy for devices that are not directly managed by NetMRI, such as Linux systems, but for which a user has a specific account. Some devices that are detected and/or managed by NetMRI may not provide the same level of Telnet or SSH as NetMRI. This is an advantage of the Telnet/SSH proxy.

Some NetMRI user accounts, such as ChangeEngineer Low, will not be able to start terminal configuration sessions using the Telnet/SSH proxy. System credentials can also be used for Telnet/SSH sessions. For more information, see Creating Admin and User Accounts.

All session activity is logged. 

To open a Telnet or SSH session with a device, perform the following:

1. Right-click on the IP address hyperlink for a device. The shortcut menu appears.
2. From the menu, select Telnet Session or SSH session based on your preferences.

Using CLI Proxy

In addition to using Telnet and SSH sessions as proxies, you can connect to network devices using the CLI proxy. This feature allows users with valid privileges to proxy a connection to network devices through NetMRI. Superusers can grant the following privileges to control user access to the CLI proxy feature:

• Terminal: Open Session: This permits users to connect to network devices.
• Terminal: User System Creds: This permits users to use the credentials stored on NetMRI to access network devices.

To connect to specific devices, users must also have permissions to the corresponding device groups to which the devices belong. Authorized users can use any SSH client to gain proxy connection using their NetMRI credentials, without the need to acquire the credentials for individual devices. With valid privileges, users can use the Connect command to connect to the devices from any SSH client. The CLI proxy feature connects only through the management interface on the NetMRI appliance. This helps eliminate the need to gain access to the user's computer through various networks, VRFs, and VLANs. Note that all connections and commands issued to any network devices through the CLI proxy are audited and logged. 

Using the Connect Command

Use the Connect command to connect to network devices from any SSH client. Users only need a connection to the NetMRI Management interface to connect to any managed devices. Users can connect to devices in groups to which they have valid permissions. You can view the audit logs for all events when the users use the Connect command to access network devices.

Example

Netmriuser > connect {device ip | device name} <Network View>

where <Network View> is the name of the network view.

Connecting to Managed Devices through the CLI Proxy

To connect to a managed device via the CLI proxy, complete the following:

1. Connect to the NetMRI Management IP address using an SSH client of your choice.
2. Log in using the same username and password you would use to log in to the NetMRI Web interface.
3. Connect to a device using the Connect command. Example: connect 10.0.1.24. If there are multi-network deployments, you must specify the name of the network view in the Connect command. Example: Connect 10.0.1.24 "Network 1".

Connecting Automatically to Managed Devices

You can configure an SSH connection to automatically connect to a managed device using SSH environment variables. Using this feature, you can save shortcuts to the devices to which you frequently connect.

You can use the following environment variables to set up the automatic connection:

• CLI_PROXY_HOST: The IP address or hostname of the device you want to automatically connect to after you log in to NetMRI.
• CLI_PROXY_NET: The name of the network view in which the device resides. This is required only for multiple network deployments.

The following example illustrates how to use these environment variables through PuTTy:

1. Start a PuTTy session.
2. In the PuTTy Configuration window, go to the Connection –> Data –> Category section.
3. As illustrated below, perform the following in the Environment variables section: enter CLI_PROXY_HOST 210.20.20.5.
4. Click Open.

Figure 14.1 Configuring Environment Variables in PuTTy Session

User Audit Logs

Audit logs are an important tool for tracking the following event types:

• Configuration collection logging after discovery.
• CLI Credential guessing and CLI sessions through the Telnet/SSH proxy.
• Connections and commands issued to devices through the CLI proxy.

When you display a single audit log entry, a complete screen dump of the entire session is shown in text format. Session audit logs are kept by the appliance for a rolling 30-day time window. Audit logs are available at two levels: system-wide (under Settings), and for individual devices (in the Device Viewer). Error events you see here are normally associated with credential guessing operations by NetMRI and user-initiated SSH/Telnet sessions to individual devices.

For CLI Credential guessing and Telnet/SSH session attempts, you will see messages for the following phenomena:

• Invalid Credentials: In which a connection attempt is made through Telnet/SSH, and the login tuple is used but the distant end rejects it. This occurs after NetMRI successfully communicates with the device, and the initial attempts with username/password combinations fail.
• Connection Closed by Foreign Host: This is usually due to enforced telnet or SSH session timeout on the device.
• Timeout Waiting for Device: NetMRI's discovery polling or data collection timed out due to lack of response from the device.
• *No Route to Host: The device is now not reachable.
• Bad Secrets for Enable Mode: An incorrect Enable password was sent by NetMRI and the device rejects the attempt to enter Enable mode.

For configuration collection logging, you may see messages of the following types:

• Config collection disabled globally: The current instance of NetMRI has disabled all Config Collection features (go to the Settings icon –> Setup –> Collection and Groups –> Config Management side tab to check and enable collection settings).
• Config collection disabled globally for all protocols: The current instance of NetMRI has enabled Config Collection but none of the protocols for gathering data (telnet, SSH, HTTP) are enabled (go to Settings icon –> Setup –> Collection and Groups –> Config Management side tab to check and enable collection settings).
• Not Included by Discovery Settings: The device in question is not part of any IP range, is not specified as a static IP, and does not match any device Hints and is not a seed router. (go to Settings icon –> Setup –> Discovery Settings to check values for each of the four setting types. This message appears only for attempts to get configurations from the device.
• Not Licensed: Device is not licensed under NetMRI. This message appears only for attempts to get configurations from the device.
• Config collection disabled at device group level: NetMRI has disabled Config Collection features for a specific Device Group (go to Settings icon –> Setup –> Collection and Groups –> Groups –> Device Groups side tab to check and enable collection settings for a Device Group).
• History Indicates Config not Changed: No configuration changes have occurred since the previous fetching of configuration data. This message appears only for regular device polling operations on managed devices.
• CLI credentials unknown: All attempts at guessing or logging in to a device after discovery are unsuccessful.

To view a device's user audit log, go to Device Viewer –> Settings & Status –> User Audit Log. The audit log appears as a cumulative list for all Telnet/SSH sessions for the individual network device or end host for the last 30 days.

Using the Device Audit Log

The Device Audit Log (Device Viewer –> Settings & Status –> Device Audit Log) provides a device-specific list of events related to the device's management by NetMRI. You can expect to see messages such as LicenseAdd, indicating when the device was added to NetMRI management into a Device Group for purposes of Switch Port Management or other licensing requirements. You may see DiscoveryDelete in a case where a device with a particular management port IP address was removed from NetMRI management due to another device being managed through the same IP.

A second Device Audit Log, in Settings icon –> Notifications –> Device Audit Log, provides a listing for all Discovery and Licensing messages for all devices managed by NetMRI.

When devices are removed from the license count for NetMRI or ACM, related event messages will appear.

Introducing Device Groups

Device groups are a fundamental organizing tool in NetMRI. You use device groups to gather devices with similar attributes and similar categories together, to perform device management tasks, or because you want to organize a set of devices into a group to perform specific processing tasks, or to prevent processing tasks from being performed.

NetMRI ships with pre-defined device groups. Discovered devices are grouped based on their types and assurance levels. 

All device groups are divided into two types:

• Basic device groups, which provide only basic categorization and processing features to limit processing loads on member devices. They are most useful for large collections of network devices that you know will not be actively managed, such as end-user network segments at the terminating end of Ethernet circuits.
• Extended device groups, which provide the full set of NetMRI device processing features on member devices. They provide network scores for the NetMRI Dashboard and enable management through user Roles and Privileges. Extended device groups also may impose a higher computation load on the appliance.

Default Device Groups

Default device groups serve as good examples of how selection criteria and process settings can be defined to organize your network devices, but you should learn how to create your own device groups to gain all of the benefits of the device groups feature.

The default set of device groups in NetMRI appears as a hierarchical list and includes the following:

• Network Management: Any devices, including NetMRI appliances, that perform network management tasks.
• Security Control: All firewall, VPN concentrator, and security management devices.
• Network w/o SNMP: Devices that are discovered, but also discovered to lack support for SNMP protocols. This device group is required for NetMRI operation and cannot be deleted by the administrator.
• NIOS: Device group that contains Infoblox NIOS appliances supporting the Grid Manager environment for DNS, DHCP, IPAM, and other features, if any are present in the network.
• Routing: L3 routing devices that perform no switching or VLAN support.
• Switch-Routers: L2/L3 switches that support routing protocols and VLANs.
• Switches: L2 switches that do not support VLANs.
• UNKNOWN: Includes devices that are not identified, perhaps because NetMRI does not provide device support for the devices. Newly found devices first appear in the UNKNOWN group, with SNMP collection and port scanning enabled to learn more about them. If more is learned, devices disappear from this group and appear in higher-level groups, where their process settings change accordingly. This device group is required for NetMRI operation and cannot be deleted by the administrator.
• Network Management: All NetMRI appliances and other devices used for network management tasks.
• Network Pending: All devices discovered and in processing by NetMRI, but not yet managed by NetMRI. This device group is required for NetMRI operation and cannot be deleted by the administrator.
• NAME ONLY: All discovered devices for which only their name is determined by NetMRI's discovery feature based on DNS. If more is learned, such as their SNMP community, devices disappear from this group and appear in higher-level groups, where their process settings change accordingly. This device group is required for NetMRI operation and cannot be deleted by the administrator.

Default device groups can be used as-is, edited to suit your needs, or removed completely if you have admin rights to do so.

Using the Device Group Selector

The main Dashboard, Network Analysis, and Network Explorer pages show the Device Group Selector control on the right. Simply click a device group name in the selector to filter the contents of the main display pane. To edit a device group, right-click any device group name and select Edit Device Group, or click the Edit Device Group icon.

All top-level device groups can act as top-level device groups for nested device groups. Nested device groups can only contain devices from the parent device group. You can nest child device groups up to five levels deep in the tree. By default, child device groups automatically appear in the tree but can be hidden by clicking the (-) symbol next to the parent group.

Controlling NetMRI with Device Groups

Basic device groups limit their processing options to a minimum. Basic device groups do not contribute to NetMRI Network Scorecard calculations and significantly reduce back-end processing. You can define group membership criteria. 

Extended device groups provide a substantial collection of settings to determine how an extended device group processes its information. Along with defining group membership criteria, a number of options help determine the level and types of processing performed by an extended device group:

• Include non-network devices: Enables collecting end-host network segments into a basic device group to avoid expanding system processing cycles on network devices that do not require them.
• Rank: For more information, see Ranking Device Groups.
• Polling Frequency: Allows you to modify the default polling frequency for all devices or for specific device groups. 
• Switch Port data collection: Enable this only for device groups with L2/L3 Ethernet switching devices as members. This allows you to enforce custom periodic or scheduled polling settings for specific groups. 
• Collect performance and environmental data: Enable or disable device performance and environmental information. 
• Probe for open ports: Allows NetMRI to probe for open TCP/UDP ports on member devices.
• Identify device using fingerprinting: For more information, see Data Collection Techniques.
• Probe for NetBIOS name: For more information, see Data Collection Techniques.
• Analyze for Issues: For more information, see Evaluating Issues in NetMRI and Inspecting Devices in the Network.
• Test for default credentials: Allows NetMRI to test all devices in the group for the presence of vendor default SNMP credentials, which are a potential element for security breaches, but are also used for assistance in collecting device configurations. Credential default testing is also a compliance measure.
• Collect config files: For more information, see beginning with Configuration Management.
• Regard configurations as 'Locked': Disallows editing of any collection configuration files for members of the device group.
• Allow script execution: Allows the execution of Perl and CCS scripts on group member devices.
• Enable Discovery Blackout: Define time periods when NetMRI will not communicate with devices or networks for discovery.
• Enable Change Blackout: Define blackouts for CLI interaction, scheduled or run-now job executions, Telnet/SSH proxy, and port control UI features for all devices in the group. For more information, see Defining Blackout Periods.

You can convert basic device groups to extended device groups, and also the reverse, at any time.

Some types of network devices warrant more processing by NetMRI, such as the collection of performance and environmental data, open ports probing, NetBIOS name probing, collecting of configuration files, analyzing for issues, and other device processing features. Some device types can be quickly excluded from complex processing tasks by simply assigning them to a basic device group. Many end-host networks may fall into this category.

Device Groups and Switch Port Management

Through device groups, switch port management enables you to monitor and analyze the complement of Ethernet trunks and switch ports in their network. Switch port information gathering, or polling, is the key tool for doing this. Device groups can specify unique switch port management polling settings. Polling settings that are located under Settings icon –> Setup –> Collection and Groups –> Groups tab take precedence over the global settings defined in Settings icon –> Setup –> Collection and Groups –> Global –> Switch Port Management.

To poll a device group or create custom settings for polling, perform the following:

1. In the Device Group Selector, right-click the Switching device group and select Edit Device Group. The Edit Device Group dialog opens. The Switching device group is an extended device group that provides several features designed for Ethernet switching devices management.
2. Open the Switch port data Collection dropdown. Select from the following options:
   • Use Global Settings: Enforces the use of global periodic or scheduled polling settings for the current device group. For more information see Data Collection Techniques.
   • Specify polling Interval: Defines custom regular polling time periods for the group. Choose a polling interval of 1 or more Minutes or Hours, or click Poll Now to poll all devices that are members of the device droup.
   • Specify schedule: Select an existing custom group schedule or click Add New Schedule to create a new custom schedule for recurrent polling of the group. Select a Recurrence Pattern of Once, Hourly, Daily, Weekly, or Monthly. In all cases, you must choose an Execution Time. Click Add when finished defining the new schedule. To delete a schedule from the list, click the trashcan icon in the Actions column.
   • Disable: Disables device switch port data collection for the selected device group. Disabling switch port data collection prevents NetMRI from collecting VLAN and switch forwarding data. This can affect neighbor topology for the switch and any connected devices to the switch possibly resulting in NetMRI not being able to accurately locate devices on the network. Disabling switch port data collection also prevents analysis of any VLAN-related issues for a disabled switch.

3. Click Save & Close or Save & New.

The settings you define here apply only to the chosen device group.

Ranking Device Groups

For device groups, NetMRI uses the Rank setting to determine how and when each device is processed after it is discovered on the network. Also, device groups use Rank as a way of determining the actions to take on a device that is a member of more than one group. If a device is a member of two groups, one that is enabled for config collection, and in another that is not, the group with the highest rank determines if the configs should be collected for that device. Ranking for child device groups in the device group tree is hierarchical. Child groups ranking is always higher than the ranking of its parent. Group Ranking is also used as the default sort order for all group-related tables, with the highest rank shown first.

The default groups organize devices essentially into "network" and "non-network" devices, based on their type and assurance level. Network devices usually have SNMP and Config collection and analysis enabled, while non-network devices do not. This reduces unnecessary data collection and processing loads, allowing the appliance to work more efficiently for devices that matter most.

By selectively enabling and disabling data collection, you can fine-tune NetMRI performance, or ensure that NetMRI processes the most important devices when a Device Limit or Interface Limit, based on licensing, is exceeded. In such cases, the Rank associated with each group is used to determine which devices are within the limits (devices with the highest rank) and which are outside the limits (devices with a lower rank). In this way, the most important devices, as indicated by the group rank, are processed while others are not.

The Group Processing Hierarchy

NetMRI controls processing within device groups by a hierarchical collection of settings in the following order:

• Global settings for network polling and configuration management
• Device group settings
• Device settings
• Interface group settings

If you disable a specific process (such as SNMP collection) at a higher level, then all lower level settings are ignored. This allows administrators to quickly disable all processing of a given type, such as SNMP, without being forced to change individual settings.

Filtering by Device Group

When the Select Device Group panel is available (in the right panel), you can filter the contents of the center panel by device group.

• To filter by device group, within the Select Device Groups panel, click the desired device group.
• To remove device group filtering, within the Select Device Groups panel, click All Devices.
• To edit device groups, click the Edit Device Groups button to the right of the Select Device Group heading.

The Collection and Groups page opens, showing the Groups –> Device Groups tab (also reachable by Settings icon –> Setup –> Collection and Groups –> Groups tab).

Creating Device Groups

To create and manage device groups, click the Settings icon > Setup > Collection and Groups > Groups > Device Groups side tab.

Both Basic and Extended groups can be created as either top-level, sibling, or child groups. NetMRI automatically assigns a parent group ID to the group you create. You can drag and drop a group in the tree for the desired position. 

The table in the Device Groups side tab lists all device groups, with default sorting by Rank. Each row shows group configuration settings. Parent groups appear as folder icons indicating that child device groups exist beneath them in the tree. The device groups table provides a series of columns showing the status of various discovery and monitoring features that are enabled or disabled for each group.

When you hover over an icon or column heading in the table, a tooltip appears. For example, when you hover over an information icon in the MC (Membership criteria) column, it displays the complete text of the membership criteria regular expression. Any feature column that is cleared, without a checkmark, indicates that the given feature is not enabled for the device group.

Individual devices of certain types can override group-level settings. For information about device-level settings, see Interpreting Discovery Table Data.

The complete list of data points provided for every device group at all nested levels includes the following:

Creating a Top-Level or Sibling Device Group

By default, a new top-level device group is inserted at the bottom of the list, denoting a lower ranking. Creating a sibling group allows you to insert a device group into a specific position in the list of device groups, defining different ranking for the new group. You can insert the new sibling group immediately above or below the selected upper-level group.

To create a top-level device group, complete the following:

1. Open the Settings icon > Setup > Collection and Groups > Groups.
2. Do one of the following:
   • To add a top-level device group, click Add in the bottom-right corner of the groups window.
   • To add a sibling group, right-click a top-level group and select Add > Sibling Above or Sibling Below from the shortcut menu.
     The Add Device Group dialog appears.
3. In the Parent ID field, NetMRI automatically sets the ID of the parent group. It is "0" for a top-level or sibling group.
4. Enter a Name for the new group. The group name is shown in all group-related displays and reports, so the group name should be meaningful without being too long.
5. Enter a Membership Criteria regular expression. 
6. For Type, select either Basic or Extended. By default, Basic is selected. 
7. Click Save & Close or Save & New.

Creating a Child Device Group

Child device groups should only contain devices belonging to their parent group. Creating a child device group of the top-level group “Routing” and using a device group criteria regular expression to filter other devices (e.g., firewalls) will result in an empty device group.

The group membership criteria statements built into each device group, respectively:

$Assurance > 75 and $vendor eq "Cisco" and $type in ["Router","Switch-Router"]

$Assurance > 75 and $vendor eq "Juniper" and $type in ["Router","Switch-Router"]

To create a new child device group, complete the following:

1. Click the Settings icon > Setup > Collection and Groups > Groups.
2. Right-click a device group and select Add > Child from the shortcut menu.
   The Add Device Group dialog appears.
3. Select either Basic or Extended. By default, Basic is selected. 
4. In the Parent ID field, NetMRI automatically sets the ID of the parent group.
5. Enter a Name for the new child group. The group name is shown in all group-related displays and reports, so the group name should be meaningful without being too long.
6. Enter a Membership Criteria regular expression. 
7. Click Save & Close or Save & New.

Creating Extended Device Groups

To create an Extended device group, complete the following:

1. Click the Settings icon > Setup > Collection and Groups > Groups.
2. Click Add to create a top-level, sibling, or child extended group.
3. In the Parent ID field, NetMRI automatically sets the ID of the parent group. It is "0" for a top-level or sibling group.
4. Enter a Name for the group. The group name is shown in all group-related displays and reports, so the group name should be meaningful without being too long.

5. Define a Membership Criteria regular expression.

   Note

   Infoblox recommends using regular expressions for refining the membership in device groups. 

6. If you want the device group to include collections of discovered non-network devices, select Include non-network devices. Leaving this setting unselected prevents non-network devices from occupying valuable licensing space.
7. Next to Type, click Extended.
8. Rank: Displays the Ranking value as the default sort order. Ranking value is used as the default sort order for all group-related tables, with the highest rank shown first. Rank is also used to determine the individual device settings controlling processing for each device.

9. Polling Frequency: Allows you to slow down or speed up the device polling frequency.

10. For Switch Port data Collection, choose from the following:

    • Use Global Settings: Select this to enable the device group to inherit global settings for switch port data collections. To find the global settings, click the Settings icon > Setup > Collection and Groups > Global > Switch Port Management.
    • Specify Polling Interval: Overrides the global polling interval with a custom polling interval for the current device group. You can define an interval of 1-60 Minutes or 1-24 Hours in the fields that appear.
    • Specify Schedule: Overrides the global scheduled polling setting with a custom schedule for the current device group. Existing schedules may appear in the list or, click Add New Schedule to create a new polling schedule instance. Choose a Recurrence Pattern of Once, Hourly, Daily, Weekly, or Monthly. In all cases, you must choose an Execution Time and select at least one day of the week check box.
    • Poll Now: Click to execute switch port polling on the device group right after it is created.

    • Disable: Completely disables switch port polling for the device group. The polling frequency modifier described in the previous step does not affect settings for switch port data collection frequency.

11. Activate the processing options for the new extended group:
    • Collect performance and environmental data Enable or disable device performance and environmental information for all member devices in the group. 
    • CLI polling in privileged mode: Enable or disable CLI polling in privileged exec mode for the device group. You can override this setting for individual devices in the Device Viewer.
    • Probe for open ports: If enabled, TCP and UDP ports listed at Settings icon > Setup section > Port List are probed to determine whether they are open.
    • Analyze device using fingerprinting: If enabled, fingerprinting attempts to identify each device based on the response characteristics of the TCP stack being used.
    • Probe for NetBIOS name: Setting to enable NetMRI to collect the NetBIOS names for endpoint device members in the device group. It is globally disabled by default to prevent unexpected scanning of the network by a new Operations Center Collector.
    • Analyze for Issues: NetMRI evaluates over 250 discrete Issues, plus custom Issues defined by the admin user. Issues are discovered and reported by NetMRI based on globally set schedules. Disabling this feature for a device group disallows the group from being selectable in the Device Group Selector panel in the main Network Analysis –> Issues page. 
    • Test for default credentials: Allows NetMRI to test all devices in the group for the presence of vendor default SNMP credentials, which are a potential element for security breaches, but are also used for assistance in collecting device configurations. Credential default testing is also a compliance measure.
    • Collect config files: When enabled, this check box allows NetMRI to collect all present configuration files for devices in the device group. To participate in the Configuration Management feature set, which allows you to view and compare differences between running-config and saved-config configuration files, edit, and manage config files on devices. 
    • Regard configurations as 'Locked': Disallows editing of any collection configuration files for members of the device group.
    • Allow script execution: Allows the execution of Perl and CCS scripts on member devices.
    • Refresh device caches before collecting switch port data: Check box to enable refreshing of ARP caches on switches and switch-routers in the managed network before NetMRI performs polling of switch ports.
      Enabling this feature will not produce an automatic ping sweep of the managed network. The benefit of this feature is that it enables more accurate detection of all endpoint devices on switches. Without ARP refresh, some endpoint devices may not be detected. This feature is globally disabled by default. With this setting globally enabled, individual device groups can also be set to enable or disable this feature.
      For more detailed descriptions of these options, see Global –> Network Polling and Config Management.
12. Select the Enable Discovery Blackout check box and click its Scheduling icon. The scheduling options appear:
    1. In the Recurrence Pattern dropdown, choose how often you want to execute the blackout period. You can select Once, Daily, Weekly, or Monthly.
    2. Based on the duration you select, choose an Execution Time from the drop-down list.
    3. Enter the date of the blackout, in the Day_of_ field.
    4.  Specify the Duration: 10 or more minutes, hours, or days.
    5. Check the check boxes for one or more days from Sunday through Saturday. (If you choose Weekly)
    6. Schedule the day of the month: A discovery blackout can be executed monthly on a specific day, or blackout instances can be executed more than one month apart on a specific day, in the Day of every month(s) field. (If you choose Monthly)

13. If necessary, select the Enable Change Blackout check box and click its Scheduling icon. The scheduling options appear. Follow steps 12a through 12e to define the change blackout schedule.

14. Click Save & Close or Save & New.

Some devices in your network may have a locked Config Change setting (Device Viewer –> Settings & Status –> General Settings), which means that NetMRI will be disallowed from changing configurations on the device. In these cases, a device-level Enable Change Blackout setting is unnecessary. Similarly, each NetMRI device group has a Regard configurations as 'locked' setting. If a device group uses this setting, the Enable Change Blackout setting is unnecessary. If a device group does not enforce a change blackout, but a device in that group enables the Regard configurations as 'locked' setting, the device setting takes precedence.

Setting Polling Frequency for a Device Group

You can set global or individual polling frequency for an extended device group. You do so by specifying a polling frequency modifier. This is a coefficient by which the default NetMRI setting is multiplied. The higher the coefficient, the more frequently devices in the current group are polled.

The default NetMRI polling frequency is located in Settings icon > Setup > Device Collection Status. The global polling frequency modifier is located in Settings icon > General Settings > Advanced Settings – Data Collection > Polling Frequency Modifier.

You can set values between 0.5 and 2 for the global or group-level polling frequency modifier. Interpret the values as follows:

• 0.5: Makes polling twice slower.
• 1: Means same polling frequency as the default setting.
• 2: Makes polling twice faster.

As NetMRI recalculates polling frequency every 10 minutes, the new polling frequency is applied to the group not later than 10 minutes after you specified it.

The polling frequency modifier affects SNMP credentials guessing. For example, by default it happens once a day. With the polling frequency modifier, you can make it happen twice a day or once in two days. This setting does not affect the frequency of CLI credentials guessing or config collection.

To set polling frequency for a device group, complete the following:

1. Click the Settings icon > Setup > Collection and Groups > Groups.
2. Click Add for a new group or open an existing extended device group for editing.
3. In Polling Frequency, select one of the following:
   • Use Global Settings: Select this to enable the device group to inherit the global polling frequency modifier setting.

   • Specify Polling Frequency: Allows you to set individual polling frequency for the current device group. 
     If you select Specify Polling Frequency, the Polling Frequency Modifier field appears.

4. In the Polling Frequency Modifier field, specify the coefficient that modifies the device group polling frequency relative to the default NetMRI setting.
   
   

Additional Device Group Operations

To view a list of device group members (devices that are included in the device group), complete the following:

1.   Right-click the Action icon for the group and choose View Members from the shortcut menu. A new browser popup window appears, displaying the list of member devices. Clicking the IP address for any device brings up the Device Viewer.

To copy a group (to use as the basis for a new group), complete the following:

1. Right-click the Action icon for the group and choose Copy from the shortcut menu. The new group is initially named "Copy x of <original name>".
2. Edit the new group's name and settings.

To delete a group, complete the following:

1. Right-click the Action icon for the group and choose Delete from the shortcut menu.
2. Confirm the deletion.

Use caution when deleting a system group, because deleting such a group can negatively affect the discovery process. When you attempt to delete a system group, a warning is displayed. If you rename a system group, the group is no longer considered as system-created after an upgrade.

Device Groups Action Menu

The Device Groups page provides the complete list of top-level device groups, populated with a series of gear icons. Clicking each icon displays a shortcut Actions menu offering group editing features: for device groups, features include the following:

• Add: This option enables the creation of new device groups at the same level in the group hierarchy as the current group (Sibling Above and Sibling Below) and provides the Child Below option, which allows you to create a nested device group that is subordinate to the group you've currently selected.
• View Members: Lists the devices within the group, displaying the list in a separate window.
• Copy, Edit, and Delete: These perform their respective functions on the selected device group. The Edit feature provides all the standard device group editing capabilities, including changing blackout periods, data collection settings, membership criteria, and Rank settings.

NetMRI ships with pre-defined device group definitions. These groups are based on device types and assurance levels (the probability that from the same has correctly identified a given device) and are primarily used to see what has been discovered on the network. Default device groups can be used as-is, edited to suit your needs, or removed completely (provided you have admin rights to do so.

Use caution when deleting device groups. The Routing, Switching, NIOS, Optimizers, Security, and many other groups are groups built-in with NetMRI and should never be removed without first having developed new groups with the desired functionality to take their place.

Default device groups serve as good examples of how selection criteria and process settings can be defined to organize your network devices, but you should learn how to create your own device groups to gain all of the benefits of the device groups feature.

Understanding Device Group Membership Criteria

Group membership criteria expressions are simple logical expressions used to determine if a given device or interface should be included in a Device Group or Interface Group based on the properties associated with that device or interface. In other NetMRI contexts, such as Security Management, this process is also called filtering. A device group uses its filtering settings, called membership criteria, to determine which devices discovered by NetMRI will belong to that group.

If the device matches more than one group criteria, it is assigned the rank of the highest matching group and all of the settings for that group.

Device Groups also determine how its member devices will be interacted with by NetMRI. For example, if SNMP Collection or Config Collection are disabled for the highest ranking group containing a given device, then no SNMP data collection or Configuration file collection is performed for that device (beyond the initial collection needed to detect its existence). You use the same processes and settings to define Interface Groups. The process for Device Groups is straightforward.

An example of a regular expression comprising the membership criteria for a Device Group:

$Assurance > 75 and $Type in ["Router","Switch-Router"]

This regular expression is used to define the Routing device group. Note the use of Boolean logic and the enclosure of two NetMRI device group types (Router and Switch-Router) in square brackets. Two unique NetMRI variables, $Assurance and $Type, are used as the filtering criteria to define what belongs in the group. Typically, at least two variables must be used to create accurate filtering for a Device Group definition. The $Assurance value is the value attached to every device by NetMRI after it is discovered, to certify the device type is determined correctly. Consider an expression for a custom Device Group definition:

$Assurance > 75 and $vendor eq "Juniper" and $type eq "Firewall" and $Access eq "on"

The more specific the expression, the more effective and specific that membership can be in the Device Group. The values to be matched against must, of course, be recognized by NetMRI.

Group membership criteria are also used to define the Device-Filter and Section-Filter directives in Configuration Policy Definition (CPD) files, and Script-Filter directives in Configuration Command Script (CCS) automation scripts. In these cases, if a device matches, then the CPD file or CCS script is used to analyze that device. You can create custom files or scripts to define new criteria. You do not need to use CPD files or CCS scripts to create new Device Groups or Interface Groups.

For Interface Groups, the processes are similar, with some useful differences in how the regular expressions are defined to filter out interfaces reported in the device configuration.

$Type in ["Switch","Switch-Router"] and $ifType like /ether/ and $ifAdminStatus eq "up"

The Switch Port interface group uses the same variables to filter member ship. The $ifType like /ether/ variable expression indicates how an expression can be interpreted to add Ethernet ports of varying types to the Group. the argument like allows a loose match against any port with the partial phrase ether in its identification. Considering the possibility of separating only 10/100 interfaces into a distinct group, you would use a more-specific expression such as:

$ifType like /FastEthernet/

Device Group Criteria and Device Custom Fields

Device Groups offer the flexibility to specify custom fields data as matching information against custom fields identification values defined on individual devices. You specify custom fields information in device groups through the Device Group Criteria. Doing so, you can craft device groups that match specific types of information, such as Business Units, operational function, and so on. You can create device custom fields (“device” is a specific type of custom field that you can create and use for data matching) that are referenced by specific device groups for collection of devices into logically-named groups in NetMRI for asset manageability.

Supporting custom fields in device groups requires some specific Device Group Criteria syntax. Because a custom field can use the same nomenclature as a standard device attribute (for example, the Custom Fields feature does not prevent you from creating a custom field named “Type,” “Vendor” or “Model”), the device group criteria uses a convention to prevent conflicts. To do so, you prefix every Device Group Criteria reference to a device custom field with a syntax constant:

$custom_

Consider the creation of a device custom field called “business_unit.” For information on how to create custom fields in NetMRI, see Extending Network Device & Data Support. Editing the Device Group Criteria field for a device group called “Consumer Banking Group” to support a device custom field, the typical syntax is as follows:

$Assurance > 65 and $Type in ["Router","Switch-Router",”Switch”,”Firewall”] and $custom_business_unit = "Consumer Banking"

You prepend the constant $custom_ to the value “business_unit” to create the expression $custom_business_unit = “Consumer Banking”. Doing so in the Device Group Criteria ensures that any device that possesses a matching field value will match the “Consumer Banking Group” device group.

Device Group and Interface Group Criteria for Networks

Because devices are managed as part of one or more network views, you can define device groups or interface groups with criteria based on network membership.

• You use the $Network variable in both Device Groups and Interface Groups:
  • If the variable is applied to a device, it returns the name of the network view to which the device's Management IP belongs.
  • If the variable applies to a device's interface, it returns the name of the network view to which the interface IP address belongs.

Example: $Network = "blue"

• The hasnetwork operator returns a value of true if at least one device interface is part of the specified network views list:

  • Syntax example: hasnetwork[”blue”,”red”,”green”]

Device Group/Interface Group Membership and Issue Suppression

To change issue thresholds and suppress issues for device groups, click the Settings icon > Issue Analysis > Issue Group Settings icon > by Device Groups and by Interface Groups side tabs. After selecting a group in the left panel, the Issue Settings for Group table lists all issues for the group and shows the current thresholds (if any) in the Criteria column, and whether any listed issue is suppressed.

Creating Interface Groups

After Discovery, you can organize all interfaces discovered on the network into collections of named groups. Similar to device groups, interface groups can be used to organize interfaces for results analysis, troubleshooting or to manage interface data collection. Interface group membership is determined periodically and stored in the database. Interface Groups have considerably narrower use in NetMRI compared to Device Groups.

NetMRI ships with a set of common-sense default interface groups that automatically organize common interfaces, such as switched Ethernet ports, VLANs and Ethernet trunk interfaces. Interface groups can be modified or copied, pasted and edited to create new ones, or you can create entirely new groups (provided you have admin rights to do so).

Interface Groups Action Menu

The Interface Groups page provides an Actions column, populated with a series of gear icons. Clicking each icon displays a shortcut Actions menu offering group editing features: for interface groups, View Members lists the interfaces within the group. Copy, Edit, and Delete perform their respective functions on the selected group.

Use caution when deleting interface groups; the Admin Down, Trunk Ports, Active Router Interfaces, and Switch Ports groups are built-in groups with NetMRI and should not be removed without first having developed new groups with the desired functionality to take their place.

You create and configure interface groups in the Interface Groups page (settings icon –> Setup –> Collection and Groups –> Groups tab –> Interface Groups side tab). The benefits of using interface groups include the following:

• Collect performance data at specific time intervals for particular port types (trunk ports, VLANs of a specific switch, router interfaces of a specific type, or any other arbitrary designation).
• Use regular expressions to strictly define the interfaces that qualify to be part of the group, ensuring accurate group membership.
• Obtain flow connection information.

The table in the Interface Groups side tab lists all interface groups, with default sorting by Rank. Each row shows group configuration settings, with a green check indicating that the option is enabled, and a red X indicating that the option is disabled.

Rank determines the process settings for individual interfaces that belong to multiple interface groups. An interface is assigned the process setting associated with the highest ranking group that includes the interface as a member.

To create an interface group, perform the following:

1. Go to Settings icon –> Setup –> Collection & Groups –> Interface Groups side tab.
2. Click the Add Group button (below the Interface Groups table). The Add Interface Group dialog appears.
3. Type a Name for the interface group. The group name is shown in all group-related displays and reports, so it should be meaningful without being too long.
4. Enter a Rank for the interface group. 
5. Type a Membership Criteria expression. 
6. Activate the processing options for the group.
   Performance Statistics Collection: If enabled, NetMRI collects performance data for interfaces in the group. If disabled, the appliance gathers minimal data for interfaces in the group. This setting can be overridden for an individual interface in the Interface Viewer –> Settings icon –> General Settings page.
   Frequency: Select the performance statistics collection interval. The default is set as Daily.

7. Click the Save & Close button.

or

Click the Save & New button to save/close the current group definition and start a new group definition.

• • To view a list of group members, click the View Members button for the group.
  • To edit a group, click the Edit button for the group.

To view a list of interface group members, complete the following:

1. Click the Action icon for the group, and choose View Members from the shortcut menu. A new browser popup window appears, displaying the list of member interfaces. Clicking the Device IP for any device brings up the Device Viewer. Each interface listing provides a link for its respective Interface Viewer and its VLAN Viewer, where applicable.

To copy a group (to use as the basis for a new group), complete the following:

1. Click the Action icon for the group, and choose Copy from the shortcut menu. The new group is initially named "Copy x of <original name".
2. Edit the new group's name and settings.

To delete a group, complete the following:

1. Click the Action icon for the group, and choose Delete from the shortcut menu.
2. Confirm the deletion.

Exercise caution when deleting groups, because any associated group settings such as filtering and other attributes will also be deleted. 

Gathering Performance Data from Interface Groups

Performance data consists of utilization rates, error rates and broadcast levels for the interfaces that are gathered into an interface group. You can also view the same performance data for each interface in the interface viewer.

Performance data includes configured speed, throughput, percent utilization, percent errors, percent broadcasts, and percent discards. Additional information can be displayed through selections from the Columns drop-down list available via column header menus.

By default, performance data collection is disabled for most interface groups. NetMRI provides two ways to enable performance data collection:

• To enable performance data collection for an interface group: In the Settings icon –> Setup section –> Collection and Groups page –> Groups tab –> Interface Groups side tab, hover the mouse over the Action icon and choose Edit, and activate the Performance Statistics Collection checkbox.

By default, collection takes place daily. For some interfaces, you may need to collect performance data more frequently. To do so, select a different setting from the Frequency dropdown. Values include Daily (the default), and incremental values from 15 minutes to 2 minutes.

You can use more-frequent data collection only on a select number of interfaces. Up to 10% of the total interfaces up to the Interface Limit in the managed network, based on the NetMRI license.

• To enable performance data collection for a specific interface: Open the interface in the Interface Viewer. In the Settings section –> General Settings page, enable Performance Statistics Collection by selecting Enabled from the dropdown menu and clicking Update. This setting overrides the parent interface group's setting.

Performance data collection uses interface groups to determine the data types to be collected and stored for each monitored interface. Because collection runs continuously, it needs to be informed when interface group definitions have been changed. Notification is done automatically if one or more group definitions have been changed since the last group generation process was performed (either scheduled or manual). If a definition changes while collection is taking place, the changes will not take effect until the next collection run.

At that point, interface data collection resumes collecting limited data for all interfaces to determine which should be further processed, based on the new definitions.

Use interface groups for suppression of certain interface related issues and to modify thresholds for their appearance. Interface group issue suppression removes the need to manually suppress undesirable issue instances and allows for instances that have yet to be raised — and to be suppressed — to be suppressed before they are even raised. You can review interface group issue suppression settings at the Settings icon –> Issue Analysis section –> Issue Group Settings page.

Expressions in Group Definitions

Group membership expressions consist of one or more logical sub-expressions (e.g., equals, like, in), acting on a set of variables (e.g., $Name, $Type) evaluated by boolean operators (e.g., and, or, =>, <=). You can specify any logical membership criteria using sub-expression combinations. Some variables are defined only for certain types of criteria expressions.

Device Variables

NetMRI defines the following device variables that are usable in Device Group, Interface Group, Device-Filter, and Section-Filter criteria expressions:

$ID unique NetMRI ID for device
$IPAddress IP address of the device (e.g., 192.168.1.33)
$Name name of the device (e.g., rtr1.netcodia.com)
$Network name of the Network View for the device's management IP address
$Type type of the device (e.g., Router, Switch, etc.)
$Assurance assurance level for the device type
$Vendor vendor of the device (e.g., Cisco)
$Model model of the device
$Version software version of the device
$Community SNMP community of the device
$sysName SNMP system name (CPD only)
$sysDescr SNMP system description (CPD only)
$sysLocation SNMP system location
$sysName SNMP system name
$sysDescr SNMP system description
$sysContact SNMP system contact

Interface Variables

The following variables are defined for interfaces and supported in Interface Group criteria expressions:

$ifIndex unique SNMP numeric index for the interface
$ifDescr interface description defined by user
$ifName interface name
$ifType interface type defined by SNMP
$ifMtu interface MTU
$ifPhysAddress interface MAC address (if any)
$ifSpeed interface speed
$ifAdminStatus interface administrative status ("up"/"down")
$ifOperStatus interface operational status ("up"/"down")
$ifTrunkStatus interface trunk status ("on"/"off")
$Network returns the name of the network view to which the interface IP address belongs.

Comparison Operators

The following comparison operators are supported in all criteria expressions:

=, ==, !=, <, , <=, =

numeric comparison (The value on either side of the operator should be an integer, float or IP address.)

eq, ne, gt, lt, ge, le

string comparison (The value on either side of the operator should be a string.)

=~, !~, like, not like

regular expression (A non-string value on the left side of operator is converted to a string before comparison.)

in, not in

determines if a given value is contained in a list of values (The values inside of the list should be the same type as the value on the left side of the operator.)

memberOf, not memberOf

determines if the device or interface is a member of one or more other Device Groups and/or Interface Groups.

hasnetwork

determines if the device or interface is a member of a specific Network View.

Examples:

$ID = 30

$Vendor eq "Cisco"

$Version like /^12.1.*/

$Model in ["cat4506", "3725"]

$IPAddress in [10.1.3.56, 10.2.0.0/16]

memberOf ["Router Group", "Switch Group"]

$Vendor eq "Cisco" and ($Model eq "catalyst2912XL" or $Model eq "cat3548XL")

To perform a case-insensitive match, use the regular expression modifier /i.

Example:

$Name like /core/i

The $Model and $IPAddress values work for creating device groups but cannot be used for building Rules with device attributes under Configuration Management –> Policy Design Center –> Rule.

$Model in ["cat4506", "3725"]

$IPAddress in [10.1.3.56, 10.2.0.0/16]

For Rules in the Policy Design Center, simply use a comma-separated format.

Logical Operators

The following logical operators can be used to combine sub-expressions:

and, &, && boolean AND     or, |, || boolean OR          (, ) grouping

Examples:

$Vendor eq "Cisco" and $Type eq "Router"

($Vendor eq "Juniper" and $Type eq "Router")

or ($Vendor eq "Cisco" and $Type in ["Router", "Switch"])

memberOf ["Routing Group”"] and $IPAddress in [10.1.0.0/16, 10.2.3.45]

Regular Expressions Usage

NetMRI uses regular expressions similar to those supported by Cisco, JavaScript and UNIX programming languages. Regular expressions supported for table filtering consist of a sequence of special symbols, modifiers and normal characters. NetMRI interprets the following single characters and expressions as follows:

^ Matches the beginning of the string

$ Matches the end of the string

. Matches any single character

[...] A set of matching characters such as [aeiouA-Z]

[^...] A set of non-matching characters

(...) A sub-pattern to be modified or remembered

(...|...) A set of alternate sub-patterns

\w Matches any word character; same as [a-zA-Z0-9]

\W Matches any non-word character; same as [^a-zA-Z0-9_]

\s Matches any whitespace character; same as [ \t\n\r\f\v]

\S Matches any non-whitespace character; same as [^ \t\n\r\f\v]

\d Matches any digit; same as [0-9]

\D Matches any non-digit; same as [^0-9]

To match any of the special characters above, enter the backslash (\) escape character immediately before them. Avoid spurious or excessive matches. To match all IP addresses starting with an initial octet of 10, use /10\./ as the pattern, not /10./ which matches 10., 100, 101, 102, etc. (remember, dot is a special symbol).

Examples:

$Vendor like /Cis.*/

$Type like /.*Switch.*/

$IPAddress like /10\.*[/]16/

Using Expression Modifiers

With the special symbols above, the following characters are treated as modifiers that can be used to match against a previous sub-pattern zero, one, or more times:

{N} Match the sub-pattern exactly N times

{N,} Match the sub-pattern N or more times

{N,M} Match at least N times and no more than M times

? Match the sub-pattern 0 or 1 times; same as {0,1}

* Match the sub-pattern 0 or more times; same as {0,}

+ Match the sub-pattern 1 or more times; same as {1,}

Modifiers can be used to reduce the size of the expression and to specify optional parts of the expression. They are useful when combined with parentheses to designate sub-patterns.

The pattern

/Se(rial)?\d+/\d+/

matches any serial interface designator, either in the short form (Se0/0) or the long form (Serial12/45).

Examples:

$Vendor like /Cis(co)?/ $

ifType like /Se(rial)?\d+[/]\d+/

You use regular expressions to match values selected from a larger database of values. For economy of effort, it is sometimes easier to specify “just enough” of a pattern to obtain the match. For example, though a valid IPv4 address is formatted as “A.B.C.D” where A, B, C, and D range from 0 to 255, an expression:

/^(\d{1-3}\.){3}254$/

ensures that the first three octets are in fact defined as numbers with dots in between, but is unnecessary to find all addresses ending with “.254” when a simpler expression

/\.254$/

which checks for the desired suffix will succeed.