Today's Topics:
1. Re: Reading ARP from Cisco FTD (Michael Butash)
--- Begin Message ---
This is a common nuisance that Cisco has had since they bought PIX: to say that
they do not handle the management interface separation very well is an
understatement. My best solution since PIX/ASA and now FTDs was just not to
use a separate management interface, rather just the active/standby data-plane
interface (whatever faced the management server(s)), and only see each
firewall as one single IP address for both SSH and SNMP methods.
Because they do no route separation for management à la VRF or, ahem, how
PAN does with a proper separate control-plane, it's difficult or impossible
to control routing and management access from various places on multiple
interfaces.
They're also bad enough in this way that, like their crappy SNMP
implementation requiring /32 hosts defined, it's best to use /32 routes back
to any pollers if you must use a /32 interface, and hope your traffic never
otherwise needs to be reachable from that management server through the firewall
on another interface as normal forwarding, again because of no
control-plane separation between management and data-plane traffic
functions.
I have struggled with managing Cisco firewalls with Netdisco and others for
decades now, and mostly solved that by stopping buying, recommending, or
helping sell Cisco firewalls for something more rationally sane like PAN or
Fortinet. If you must, re-read above.
If you had to merge multiple devices and yet still see them separately, it
becomes a parent/child relation like old LWAPP or phones, where you discover
the AP/phone via CDP/LLDP but need to direct SNMP/SSH polling at some
parent node. This is never fun; ND at one time did this at least for APs,
but it fell unsupported eventually, I think. Not easy to accomplish, I would
say.
-mb
On Fri, Mar 17, 2023 at 3:55 AM Nikolaos Milas via netdisco-users <
netdisco-users@lists.sourceforge.net> wrote:
> On 17/3/2023 12:10 a.m., Christian Ramseyer wrote:
>
> ...
> It's unfortunately very hard to help with these modules without having
> access to a device. But you can run the process manually from the terminal
> like so:
>
> netdisco-do arpnip -DISQ -d <ip>
> ...
>
> Hi Christian,
>
> Thanks for your guidance.
>
> I have tried:
>
> $ ~/bin/netdisco-do arpnip -DISQ -d 10.10.10.100
>
> ...
> [17325] 2023-03-17 09:48:52 info arpnip: error - Don't know device:
> 10.10.10.100
>
> I guess this happens because our firewall is in fact an HA pair of two FTD
> 2130 devices, each of which has a dedicated management IP Address
> (10.10.10.100 and 10.10.10.101 respectively), but the management /
> administration is carried out from another IP Address (10.10.10.102) which
> belongs to the FMCv (Firepower Management Center - running as a virtual
> machine on ESXi) and serves as the HA-Pair management address.
>
> The pair behaves as a single Firewall device on the network (with
> 10.10.10.102), but cli (LINA) connection via ssh has to be done to each
> particular device. In this case, 10.10.10.100 is the master (of the HA
> pair).
>
> Consequently, discover / snmpwalk works with the main management IP
> (10.10.10.102) of the pair (the FMCv), but not with the IP Address of each
> separate device.
>
> Yet, we cannot use the cli over the main management IP Address
> (10.10.10.102).
>
> I assume that the same situation would most probably also occur if it was
> a standalone FTD device, with FMCv running as a VM (at another IP Address).
>
> How do we resolve this situation in netdisco configuration?
>
> Cheers,
> Nick
>
>
> _______________________________________________
> Netdisco mailing list
> netdisco-users@lists.sourceforge.net
> https://sourceforge.net/p/netdisco/mailman/netdisco-users/
--- End Message ---