Hi everyone! I'm running Spectrum 22.214.171.124 and I have a question about modelling connections.
When performing Discover Connections on a device, the function models each and every subnet connected to that device and not just the pipes to adjacent devices. This simply complicates the container since, instead of showing me a pipe between each two devices on the connected interfaces, I am flooded with new objects in the container. For example, I have a router which connects to other routers by GRE tunnel. I'd expect Discover Connections to add pipes between these GREs, but that's not the case. If the GRE is on the subnet of 10.0.0.0/32 then I'd see a pipe between the first router and a model of the subnet of 10.0.0.0/32, and then a pipe from the second router to that same model.
Is it possible to map the connections automatically so that the pipes are directly between the devices? I'd imagine that the connections can be inferred by ARP tables and interface addresses.
Thanks in advance!
The answer I received from the support engineer is that since the firewall is using the same MAC for each subinterface, the only way to correctly map the topology would be a discovery protocol such as CDP or LLDP.
Since these protocols aren't secure, that's not much help.
I believe that mapping should be possible based on more than ARP tables and insecure discovery protocols. I think an RFE is in order, to allow the creation of complex connectivity policies.
After all, I can't be the only customer using trunks from firewalls or connecting GRE tunnels to one another.
Yes, you can have connections automatically created between devices. If you're seeing network (LAN) containers or Wide Area Link models appearing, then it sounds like you have these options either enabled on your VNM:
or in the modeling options of your discovery console
The difference between the two is that the VNM settings will control the normal default behavior. If you create a model by IP or otherwise add them to the topology map outside of the Discovery console, the VNM settings are used. In the Discovery console, you can override those settings by the modeling options shown above.
Does that make sense?
Thanks for the quick reply Robert, it does make sense. To accomplish the result I was looking for I should simply uncheck the four checkboxes under the VNM settings? If so I'll give it a shot tomorrow.
Great. Yes, but remember, it depends on how you're doing discovery. If you're using the Discovery Console, you only need to make sure the boxes are unchecked in the modeling options. It doesn't hurt to make sure they're unchecked in both places though.
While it did help to reduce unwanted models such as LANs and WA-Links, for some reason some interfaces aren't recognized as connected. For example, a Check Point firewall is correctly mapped to a router (I suppose it's because the router is an L3 interface), but it isn't correctly mapped to a switch (the port connecting the firewall is a trunk and not L3). I've tried a manual discovery allowing all possible discovery protocols for each subnet, no dice. It's important to note that switches are directly mapped to one another correctly; it's just the combination of a firewall with a switch which doesn't seem to work.
Firewall to router -> Good
Switch to switch -> Good
Firewall to switch -> Bad
Can any Spectrum experts help lilah with this issue?
Connectivity is based on layer 2 and 3 information read from the devices. It would take enabling AutoDiscovery debugging and then an analysis of the debug to determine why Spectrum was not creating the connection between the firewall and the switch. I recommend opening a case with Spectrum Support to work with a Support Engineer on enabling and analyzing the AutoDiscovery debug.