Configuring Auto-Discovery Based on SNMP Polling
The Auto-Discovery based on SNMP Polling feature in NetFlow Optimizer (NFO) simplifies the process of adding new devices for SNMP polling by automating the device discovery process. With auto-discovery, administrators can effortlessly identify and onboard SNMP-enabled devices, enhancing network monitoring and management efficiency.
Auto-discovery allows users to define a range of IP addresses or subnets to scan for SNMP-enabled devices. Discovered devices are automatically identified and added to the monitoring system, eliminating the need for manual configuration.
To configure auto-discovery, select SNMP Management on the left navigation bar, then click Auto-discovery.
EDFN Agent Configurations
You will be presented with the following configuration screen.
Settings tab
On this screen you can configure the following parameters:
Cron Schedule
Set this parameter to define when to run auto-discovery.
IPv4 devices URL
For IPv4 devices, this optional parameter points to a CSV file containing a list that will be merged with auto-discovered devices. Entries in this list take precedence over any conflicting auto-discovered devices.
For example: file:/opt/flowintegrator/snmp/snmp_devices.csv
Contains:
"### Exporter IPv4","### SNMP Management IPv4","### SNMP Port","### SNMP Credentials ID","### Group","### Comment"
10.1.1.5,10.1.1.5,161,v2c-public,Juniper,"From CSV file"
10.1.1.6,10.1.1.6,161,v2c-public,Cisco,"From CSV file"
IPv6 devices URL
This optional parameter is for IPv6 devices with the same functionality as the IPv4 device list.
Discovery type
This setting determines how devices are discovered:
- Full Scan: This method checks every IP address within the defined networks (subnets/ranges) using the provided SNMP credentials. LLDP/CDP seed network configurations are disregarded, and the watch list is populated based on successful SNMP responses.
- LLDP/CDP: This method begins by checking IP addresses within the designated LLDP/CDP seed networks. By leveraging the LLDP and CDP MIBs, it identifies neighboring network devices, whose IP addresses are then also checked for SNMP availability.
For example, if the following networks are defined (duplicates and intersections are allowed):
The agent follows these steps:
- It begins by scanning 10.0.1.0/24, discovering all devices and their LLDP/CDP neighbors.
- If a neighbor's IP address is within the 10.0.2.0/24 network (for which "v3-core-switches" credentials are defined), the agent will attempt to poll the device using the "v3-core-switches" and then "v2c-public" credentials. The most secure credentials are tried first (v2c < v3 noAuthNoPriv < v3 authNoPriv < v3 authPriv).
- If a neighbor's IP address is within the 10.0.3.0/24 network, the agent polls the device using only “v2c-public” credentials.
- The agent then proceeds to discover neighbors of the devices at 10.0.2.x (using "v3-core-switches" and "v2c-public") and 10.0.3.y (using "v2c-public"), continuing the traversal.
- This process continues until all nodes in the network graph are traversed.
- If a neighbor’s IP address falls outside the 10.0.0.0/8 subnet, the agent skips polling it.
The LLDP/CDP discovery method might fail if any intermediate devices within the network path do not support the necessary LLDP and CDP MIBs. This method requires all devices in the network path to support LLDP/CDP, with the exception of terminal devices, which may lack support without hindering the discovery of other connected devices.
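The traversal steps above, simulated as an added example (not NFO code). The network table, the security level assumed for each credentials ID, the topology and the function names are all constructed here to be consistent with those steps.

```python
import ipaddress
from collections import deque

# Ordering stated on the page: v2c < v3 noAuthNoPriv < v3 authNoPriv < v3 authPriv
STRENGTH = {"v2c": 0, "noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}

# Constructed network table: (network, credentials ID, security level, LLDP/CDP seed).
# The security level of each credentials ID is an assumption for this example.
NETWORKS = [
    ("10.0.1.0/24", "v2c-public", "v2c", True),
    ("10.0.2.0/24", "v3-core-switches", "authPriv", False),
    ("10.0.3.0/24", "v2c-public", "v2c", False),
    ("10.0.0.0/8", "v2c-public", "v2c", False),
]

def credentials_for(ip):
    """Credentials of every defined network containing ip, strongest first."""
    addr = ipaddress.ip_address(ip)
    hits = {cred: STRENGTH[level] for net, cred, level, _ in NETWORKS
            if addr in ipaddress.ip_network(net)}
    return sorted(hits, key=hits.get, reverse=True)

def discover(neighbors, accepts):
    """Walk LLDP/CDP neighbors from the seed networks.
    Returns ({ip: credential that worked}, [neighbor IPs skipped as out of scope])."""
    seeds = [ipaddress.ip_network(n) for n, _, _, seed in NETWORKS if seed]
    queue = deque(ip for ip in accepts
                  if any(ipaddress.ip_address(ip) in s for s in seeds))
    polled, skipped, seen = {}, [], set(queue)
    while queue:
        ip = queue.popleft()
        creds = credentials_for(ip)
        if not creds:
            skipped.append(ip)       # outside every defined network: never polled
            continue
        used = next((c for c in creds if c in accepts.get(ip, ())), None)
        if used is None:
            continue                 # in scope, but no configured credential worked
        polled[ip] = used
        for peer in neighbors.get(ip, []):
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return polled, skipped

# Constructed topology: what each device reports and which credentials it accepts
NEIGHBORS = {"10.0.1.1": ["10.0.2.1", "10.0.3.1"], "10.0.2.1": ["10.0.2.2", "192.168.50.1"]}
ACCEPTS = {"10.0.1.1": {"v2c-public"}, "10.0.2.1": {"v3-core-switches", "v2c-public"},
           "10.0.2.2": {"v2c-public"}, "10.0.3.1": {"v2c-public"}}
```

With this data, `discover(NEIGHBORS, ACCEPTS)` polls 10.0.2.2 with v2c-public even though v3-core-switches is tried first, which is the kind of fallback worth reviewing after a dry run, and it never polls 192.168.50.1.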
Regardless of the chosen discovery type, device and device connection information (displayed in the "Devices" and "Device connections" tabs) are always built using LLDP, CDP, BRIDGE, and IP-FORWARDING information (MIBs).
Scan concurrency
Number of devices to scan simultaneously.
SNMP GET retries
Number of times to retry an SNMP GET request in case of initial failure. Setting a higher value might improve success rates, but can slow down discovery.
SNMP GET timeout, msec
Maximum waiting time (milliseconds) for a response to an SNMP GET request. Adjust based on network latency and expected device response times.
Ignore duplicate SNMP agents
Enable/disable deduplication of discovered SNMP agents. This prevents duplicate entries if multiple SNMP versions/communities identify the same device, or if an SNMP agent is accessible through multiple interfaces.
Force include all devices (SNMP troubleshooting)
This option is intended for troubleshooting SNMP credential or configuration issues. Enabling it forces the inclusion of all discovered devices in the list, even if they fail to respond with essential information (sysName, sysObjectID, sysLocation) due to potential SNMP errors. This can help identify devices with invalid credentials or missing OIDs.
Auto-discovery networks tab
On this screen you can configure the following parameters:
Subnet or IP ranges
Enter the subnets or IP address ranges you want to scan for SNMP devices. You can separate them using commas:
- Subnets: Use CIDR notation (e.g., 10.0.0.0/24).
- IP Ranges: Specify a range using a hyphen (e.g., 192.168.1.100 - 192.168.1.200).
- Individual IPs: List individual IP addresses separated by commas.
Port
Define the port number used for SNMP polling (defaults to 161).
Credentials
From the drop-down, select the name of a credential configured in SNMP Services.
Group (Optional)
Assigning devices to groups enables efficient management and optimized polling. By grouping devices based on specific criteria, you can apply tailored OID sets, reducing unnecessary polling requests and improving system performance.
You can assign a device group here for the entire IP range, or leave it blank and assign the device group on the Group mapping tab (see below).
Notes
This field is for your reference only and will not be used during processing. Use it for any additional comments or observations.
LLDP/CDP seed
If checked, the EDFN agent will initiate a scan of the network. It is designed to utilize LLDP and CDP MIBs to traverse and identify neighboring devices within specified networks.
Disable
You can suspend auto-discovery on specific subnets or IP ranges by selecting the Disable checkbox.
Group mapping tab
By default, groups are assigned to devices based on their IANA Organization mapping for the associated Private Enterprise Number (PEN) (https://www.iana.org/assignments/enterprise-numbers/). This tab allows you to override these default assignments for specific PENs. You can define arbitrary expressions to match groups and devices, like pen=11 or sysObjectID = "1.3.6.1.4.1.9.1.1326".
Additionally, by selecting the Skip checkbox, you can exclude devices matching this expression from auto-discovery results.
Group Mapping Expressions
Group mapping functionality supports arbitrary expressions. Expressions are checked in the order they appear in the configuration list. When the first match is found, its group is assigned.
Expressions may check the following fields:
- PEN: Private Enterprise Number, for example, pen = 9
- sysDescr: OID 1.3.6.1.2.1.1.1 value. A textual description of the entity. This value should include the full name and version identification of the system's hardware type, software operating-system, and networking software. Usage: sysDescr matches "ASA"
- sysObjectID: OID 1.3.6.1.2.1.1.2 value, the vendor's authoritative identification of the network management subsystem contained in the entity. Usage: sysObjectID = "1.3.6.1.4.1.9.1.1407"
- sysName: OID 1.3.6.1.2.1.1.5 value. An administratively-assigned name for this managed node. By convention, this is the node's fully-qualified domain name. Usage: sysName = "TEST" or sysName matches "^TEST"
- sysLocation: OID 1.3.6.1.2.1.1.6 value. The physical location of this node. Usage: sysLocation = "office-1" or sysLocation matches "office-\d+"
- capabilities: OID 1.0.8802.1.1.2.1.3.6. Possible values: other, repeater, bridge, wlanAccessPoint, router, telephone, docsisCableDevice, stationOnly. These values represent distinct device capabilities. Each value is case-sensitive and must match the exact spelling provided. If a device supports multiple capabilities, they are listed in a comma-separated format with a fixed order. Usage: capabilities matches "repeater,.*telephone"
- credentials: credentials name which is used for device polling
- snmpVersion: 1 (v2c) or 3 (v3). For example, snmpVersion = 3
- securityLevel: 0 (undefined), 1 (noAuthNoPriv), 2 (authNoPriv), 3 (authPriv). For example, securityLevel = 1
- port: port number. For example, port = 161
Expressions are defined using the following operators:
- Test operators: "=", "!=" (alternative "<>"), "MATCHES", where the left-hand side is always a field name, and the right-hand side is a string or a number
- Logical operators: AND (alternative "&"), OR ("|"), NOT ("!")
- Group: expressions may be grouped using parentheses, for example, (pen = 9 and sysLocation = "public") or (sysDescr matches "ASA")
String values must be double quoted. If a string value already contains double quotes, use the backslash ("\") as an escape character. For instance, "\"My quoted string\"".
The right-hand side of MATCHES must be a double-quoted regular expression. For details, see: https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/regex/Pattern.html.
During the matching process, the EDFN agent tries to find any sub-string matching the regular expression. If full-string matching is required, use the boundary matchers "^" or "\A", and "$" or "\z", like "^prefix.*suffix$".
Examples:
Expression | Description |
---|---|
pen = 9 | Assign the specified group if PEN value is 9 (Cisco devices) |
sysObjectID = "1.3.6.1.4.1.9.1.1407" | Assign the group by sysObjectID |
snmpVersion != 3 | Check if SNMP version is not v3 |
snmpVersion = 2 | Check if SNMP version is v2c |
capabilities matches "router" | Check if SNMP device has the "router" capability |
capabilities matches "bridge,.*router" | SNMP device has bridge and router capabilities |
sysDescr matches "^Cisco" | sysDescr starts with "Cisco" |
sysDescr matches "suffix$" | sysDescr ends with "suffix" |
sysDescr matches "^prefix.*suffix$" | sysDescr starts with "prefix" and ends with "suffix" |
pen = 11 or sysDescr matches "^HP.*$" | Check if PEN value is 11 or sysDescr starts with "HP" |
(empty) | Empty expression - match all. |
Summary of regular expressions:
Construct | Matches |
---|---|
x | The character x |
. | Any character, except line terminators. To enable line terminators matching, use (?s) flag. |
\\ | The backslash character |
[abc] | One character from the options between the brackets |
[^abc] | One character NOT between the brackets |
[a-zA-Z] | a through z or A through Z |
\d | A digit character, [0-9] |
\D | A non-digit character, [^0-9] |
\s | A whitespace character |
\S | A not-whitespace character |
^ | The beginning of a line. By default it matches the beginning of the entire input, unless "multiline" mode is enabled. To enable "multiline" mode, use flag (?m) |
$ | The end of a line. By default it matches the end of the entire input, unless "multiline" mode is enabled. |
\A | The beginning of the input |
\z | The end of the input |
x? | x, one or not at all |
x* | x, zero or more times |
x+ | x, one or more times |
x{n} | x, exactly n times |
x{n,m} | x, at least n times but not more than m times |
| | Logical OR, like A|B |
(A) | Capturing group |
(?:A) | Non-capturing group |
(?i) | Enables case-insensitive matching. It may be applied to the entire input or to a particular group: (?i:A). |
Language description (BNF notation):
EXPRESSION ::= EXPRESSION <OR> EXPRESSION
| EXPRESSION <AND> EXPRESSION
| '(' EXPRESSION ')'
| <NOT> EXPRESSION
| IDENTIFIER_TEST
IDENTIFIER_TEST ::= <IDENTIFIER> (<EQ> | <NEQ>) <LITERAL>
| <IDENTIFIER> <MATCHES> <STRING_LITERAL>
<IDENTIFIER> ::= 'PEN' | 'sysName' | 'sysDescr' | 'sysLocation'
| 'sysObjectID' | 'capabilities' | 'credentials'
| 'snmpVersion' | 'securityLevel' | 'port'
<LITERAL> ::= <DECIMAL_LITERAL> | <STRING_LITERAL>
<DECIMAL_LITERAL> ::= (['0'-'9'])+
<STRING_LITERAL> ::= <QUOTE> (~['"'] | '\"')* <QUOTE>
<AND> ::= 'AND' | '&'
<OR> ::= 'OR' | '|'
<NOT> ::= 'NOT' | '!'
<MATCHES> ::= 'matches'
<EQ> ::= '='
<NEQ> ::= '!=' | '<>'
<QUOTE> ::= '"'
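An added sketch of how an ordered rule list in this language can be evaluated, written in Python for illustration (not the EDFN agent's code). Assumptions: NOT binds tighter than AND, which binds tighter than OR; keywords and field names are case-insensitive; Python's `re` stands in for Java's `Pattern`, so a few regex constructs differ.

```python
import re

# Lexer for the page's BNF: number, "string" (\" escapes a quote), operator, word.
TOKEN = re.compile(r'(\d+)|"((?:[^"\\]|\\.)*)"|(<>|!=|=|\(|\)|&|\||!)|(\w+)|(\S)')
ALIAS = {"&": "and", "|": "or", "!": "not", "<>": "!="}
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "matches": lambda a, b: re.search(b, str(a)) is not None}  # substring search

def tokenize(text):
    out = []
    for num, string, op, word, bad in (m.groups() for m in TOKEN.finditer(text)):
        if bad:
            raise ValueError(f"unexpected character {bad!r}")
        out.append(int(num) if num is not None
                   else ("str", string.replace('\\"', '"')) if string is not None
                   else ALIAS.get(op, op) if op else word.lower())
    return out

def evaluate(expr, device):
    toks, fields = tokenize(expr), {k.lower(): v for k, v in device.items()}
    def term():                          # NOT, parentheses, or one field test
        tok = toks.pop(0)
        if tok == "not":
            return not term()
        if tok == "(":
            value = binary()
            if toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return value
        op, rhs = toks.pop(0), toks.pop(0)
        return OPS[op](fields.get(tok, ""), rhs[1] if isinstance(rhs, tuple) else rhs)
    def binary(ops=("or", "and")):       # assumed precedence: NOT > AND > OR
        operand = (lambda: binary(ops[1:])) if len(ops) > 1 else term
        value = operand()
        while toks and toks[0] == ops[0]:
            toks.pop(0)
            value = (operand() or value) if ops[0] == "or" else (operand() and value)
        return value
    result = binary() if toks else True  # empty expression matches all
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return result

def assign_group(rules, device):         # rules: ordered (expression, group, skip)
    for expression, group, skip in rules:
        if evaluate(expression, device):
            return None if skip else group   # first match decides; skip excludes

RULES = [('snmpVersion != 3', "", True),     # constructed sample rule list
         ('pen = 9 and sysLocation matches "office-\\d+"', "Cisco-office", False)]
```

With the constructed `RULES`, a device that answered over anything other than SNMPv3 is excluded by the first row before any group is considered, and a device matching no row gets no group (`None`).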
Preview sysObjectIDs tab
Click the Dry run button to execute auto-discovery and view the sysObjectIDs, vendors, and Private Enterprise Numbers (PENs) of the discovered devices. This information can then be used to create expressions for automatic group assignments within the Group mapping tab.
Preview devices tab
This tab shows the devices discovered during the SNMP auto-discovery process. The table displays key information such as IP address, SNMP credentials used, status, vendor details (PEN), device identification (sysObjectID, sysDescr), hostname (sysName), location (sysLocation), and reported network capabilities. Review this information and, if some groups are assigned incorrectly, modify the group mapping expressions and press Dry run again. Most columns in this table (port, credentials, sysDescr, PEN, sysObjectID, sysName, sysLocation, capabilities) may be used to assign groups more accurately.
Exporter IP override tab
This tab allows you to manually override the exporter IP address for specific devices. By default, the exporter IP is automatically determined based on the device's management IP.
Fields:
- Exporter IP address: Specify the desired exporter IP address for the device.
- SNMP Management IP address: Enter the device's SNMP management IP address.
- Notes: Add any additional notes or explanations for the override.
This override is only necessary if the exporter IP address differs from the device's management IP. If both IPs are the same, the default automatic assignment will suffice.
Verifying Configuration
Once you've completed configuration, go to the Settings tab and press the green Run now button.
You should see the device list and timestamp updated. This indicates successful configuration. The updated list will show newly discovered devices, and the timestamp will reflect the latest discovery run:
If the device list needs to be updated regularly, enable "Auto-discovery" by pressing the button. Without this, watchlists will only be updated manually by pressing the "Run now" button. To set a different update schedule, adjust the cron expression (default is every 12 hours). Additionally, ensure that agents linked to watchlists are enabled. Check the icon to the left of the agent name: a green calendar icon indicates auto-update is enabled, while a grey calendar icon indicates auto-update is disabled.
Devices list
Click on the Devices list. The pop-up screen contains the discovered devices with additional information, such as IP address, Group (Vendor), sysName, and sysLocation as shown below:
You can download this CSV file by clicking Download in the upper left corner.
Device connections list
Select the Device connections list. It contains device connections based on LLDP/CDP/BRIDGE/IP_FORWARDING data obtained from the corresponding MIBs.
You can download this CSV file by clicking Download in the upper left corner.
Device list for SNMP polling
The device list for SNMP polling is a combined list consisting of auto-discovered devices and devices manually configured in the CSV file.
Click on IPv4 device list to view the list. This list is going to be used for SNMP polling. You can download the list by clicking the Download link in the upper right corner:
Reporting Auto-discovery Topology
To send auto-discovery results as events via NFO outputs, click on the Configure auto-discovery reporting button.
This will open the Auto-discovery Reporter Module configuration page. Default reporting time interval is 1 hour (3600 secs). Make sure the Module is enabled.