DonMario73
Engaged Sweeper III

Hi, we have a customer that has dozens of VLANs. It won't be practical to install a scanning server in each one. Has anybody implemented an additional scanning server that will be used to capture the traffic from other VLANs using RSPAN or ERSPAN mirror ports?

Thanks for your comments

1 ACCEPTED SOLUTION
Gilian
Product Team

@DonMario73 yes, using port spanning will help you to gather info from other VLANs without having to install a scanning server in them.

Asset radar mainly uses ARP, DHCP, UDP and UDPv6 packets for recognition, so you could focus on forwarding only those to a network interface where asset radar is active.

If available, ERSPAN is recommended: SPAN is, however, limited to one switch; RSPAN is able to send traffic between switches, but this traffic can't be routed. ERSPAN (Encapsulated Remote Switched Port Analyzer) solves this issue! It uses GRE encapsulation, which allows us to route SPAN traffic from a source to a destination.
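
As an added illustration of the GRE encapsulation and the ARP/DHCP packets mentioned in the reply above (not part of the original post and not Lansweeper code), this Python example strips the GRE and ERSPAN headers from a mirrored packet and extracts the MAC/IP pair from the inner frame. It assumes ERSPAN Type II and input that begins at the GRE header (outer IP header already removed); the function names and the sample packet are constructed for the example.

```python
import struct

ERSPAN_II = 0x88BE  # GRE protocol type that carries ERSPAN Type II

def decap_erspan(gre: bytes):
    """Return (vlan, session_id, inner_frame), or None if not ERSPAN Type II."""
    if len(gre) < 4:
        return None
    flags, proto = struct.unpack_from("!HH", gre, 0)
    if proto != ERSPAN_II or flags & 0x0007:  # low 3 bits = GRE version, must be 0
        return None
    # Optional GRE fields (checksum, key, sequence number) add 4 bytes each.
    off = 4 + 4 * sum(bool(flags & b) for b in (0x8000, 0x2000, 0x1000))
    if len(gre) < off + 8:
        return None
    ver_vlan, cos_sess = struct.unpack_from("!HH", gre, off)
    if ver_vlan >> 12 != 1:  # ERSPAN Type II carries version 1
        return None
    return ver_vlan & 0x0FFF, cos_sess & 0x03FF, gre[off + 8:]

def sighting(frame: bytes):
    """Return (kind, mac, ip) for a mirrored ARP or DHCP frame, else None."""
    if len(frame) < 14:
        return None
    etype = struct.unpack_from("!H", frame, 12)[0]
    mac = lambda b: b.hex(":")
    ip = lambda b: ".".join(map(str, b))
    if etype == 0x0806 and len(frame) >= 42:  # ARP sender MAC at 22, sender IP at 28
        return "arp", mac(frame[22:28]), ip(frame[28:32])
    if etype == 0x0800 and len(frame) >= 34 and frame[23] == 17:  # IPv4 + UDP
        bootp = 14 + (frame[14] & 0x0F) * 4 + 8
        if len(frame) < bootp + 34:
            return None
        if set(struct.unpack_from("!HH", frame, bootp - 8)) <= {67, 68}:
            # chaddr at BOOTP offset 28; ciaddr (offset 12) is 0.0.0.0 before a lease
            return "dhcp", mac(frame[bootp + 28:bootp + 34]), ip(frame[bootp + 12:bootp + 16])
    return None

def radar_entry(gre: bytes):
    """Decapsulate one mirrored packet and return (vlan, kind, mac, ip) or None."""
    decap = decap_erspan(gre)
    seen = decap and sighting(decap[2])
    return seen and (decap[0],) + seen

# Constructed sample: GRE with sequence bit, ERSPAN II (VLAN 120, session 5), ARP request.
ARP = bytes.fromhex("ffffffffffff020000aabb010806" "0001080006040001"
                    "020000aabb01" "0a14780f" "000000000000" "0a147801")
SAMPLE = struct.pack("!HHI", 0x1000, ERSPAN_II, 1) + struct.pack("!HHI", 0x1000 | 120, 5, 0) + ARP
```

`radar_entry(SAMPLE)` yields the source VLAN together with the sender MAC and IP, the pairing a passive capture can record even when the sender sits in a different subnet from the capturing interface.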

4 REPLIES 4
DonMario73
Engaged Sweeper III

Hi Gilian, I found the following reply in the forum that explains some details about asset radar logs, and it seems like the use of SPAN, RSPAN and ERSPAN will work only for asset radar visibility, not for appending additional asset details like Vendor, Model and Operating System, unless there is a scanning server in each subnet:

 

Packets (IP/MAC combinations) captured via Asset Radar don't always necessarily generate new assets or link to existing assets. The asset radar packet capturing isn't fully integrated into asset scanning. When asset radar is enabled (not set to logging only), IP addresses found by capturing packets are sent to the scanning queue, and this IP then runs through the regular IP scanning logic. 

It's important to note that only the IP address is sent to the queue, the scanning queue currently cannot handle IP/MAC address combinations. This may result in the IP scan not finding a MAC address, while asset radar did. The asset radar logs are joined on asset tables based on the MAC address. If no asset with the same MAC address is found, a question mark will be shown, as no asset was found that with a high degree of certainty is related to that specific log entry.

Lansweeper can retrieve MAC addresses from assets through regular scanning in the following ways:

  1. By authenticating successfully via a protocol that will return a MAC address, e.g. WMI (Windows), SNMP, SSH (Linux/Mac), etc.
  2. By performing an ARP lookup (locally on the scanning server). This will only return a MAC address for assets in the same subnet as your scanning server.

If you're capturing packets from outside of the subnet of your scanning server, you may end up with a situation where your asset radar log entry for a specific IP address is more detailed than the asset that was generated for the same IP address, most notably the log having a MAC address while the asset does not. In this case, a link cannot be made.

Lansweeper uses the network interface that's highest in the binding order for IP scans, which may not be the interface that is in the same subnet as the captured packet. To ensure that the resulting assets from captured packets always have a MAC address, you'd need to use multiple scanning servers and limit yourself to an interface per server.

Kindly request your help to clarify this.

Regards

Hi Gilian, can you pls clarify the previous post?

Thks!

Hi @DonMario73 ,

That's right, thanks to any SPAN method, you'll get an entry inside the asset radar logs for new MAC and/or IP addresses found for assets which aren't located inside of the subnet where the scan server (with asset radar) is located.

Once these are picked up, they get sent to the IP queue of that scan server where the scanner will try to ping the device and depending on a successful connection get more details from the asset.

In the background it uses "Save pinged IP" as mentioned here: "if checked, asset pages will be generated for all IP addresses that respond to a ping request, even if no data can be pulled from any of the following protocols"

So if you want assets to be created for them as well, you could configure your network access to allow ping requests from your scan server in its subnet to all other devices in the other subnets. In this way, assets will be created/updated for the asset radar log entries.