Layer 2 Discovery

Discovery can detect the physical connections, known as Layer 2, between network devices and between network devices and other components, such a servers.

Discovery uses multiple probes to gather information about network adapters and their Layer 2 connections. For example, if Discovery finds a switch in a network, it triggers the SNMP - Switch - Vlan probe and the SNMP - Network - ARPTable probe. For every Vlan Discovery finds, it triggers the switch probes. If the switch has routing capabilities, Discovery triggers the SNMP - Routing probe to collect network adapter information. If Discovery finds a server, it triggers the appropriate Address Resolution Protocol (ARP) probe for that operating system.

During the discovery of a network device, the system creates records in the Router Interface [discovery_router_interface] table containing adapter information for that device. For SNMP-enabled devices, the information is gathered from a routing probe during the exploration phase. The Layer 2 protocol cache probe runs next to collect neighbor data from the device.

As Discovery gathers network information from the probes on a device, it populates the Device Neighbors [discovery_device_neighbors] table. In some cases, the neighbors of this device might not yet be known to the instance. The neighbor's interface cannot be resolved to a record until Discovery eventually finds the neighbor's side of the relationship. When Discovery runs on the neighboring device, Discovery completes the information for the neighbor's interface for the original reporting device.

Discovery can retrieve neighbor data from these caches on a network device:
  • Cisco Discovery Protocol (CDP) : Cache on Cisco devices that contains device neighbor information in the form of a protocol specific neighbor ID.
  • Link Layer Discovery Protocol (LLDP): Generic cache that contains device neighbor information in the form of a protocol specific neighbor ID.
  • Address Resolution Protocol (ARP): Cache that contains the IP and MAC addresses of all connecting devices and servers.
Note: Discovery collects Layer 2 data, but does not currently consume that data itself.

Address Resolution Protocol in Layer 2 Discovery

The Discovery probes for Address Resolution Protocol (ARP) map the IP address of a computer or network device to a MAC address.

Devices that support SNMP, such as Linux computers and network devices, cache two types of address information in the Network ARP Table [discovery_net_arp_table] table:
  • Static: Manually added address resolutions.
  • Dynamic: Hardware name and IP address pairs added to the cache by previous, successful ARP resolutions.
When the ARP table Discovery completes, the system collects all static and dynamic table entries from devices via SNMP. If a new ARP entry is available, it is added to the ARP table in the CMDB. If any previously discovered ARP entries are no longer cached in the device’s ARP table, the system removes the corresponding records from the CMDB using the reconciliation process.
Note: If new ARP entries are created after Discovery runs, they are not discovered until the next Discovery schedule. If ARP entries are removed from the device after Discovery runs, the CMDB ARP table is not updated until Discovery runs again.

ARP probes

Discovery uses probes for the Address Resolution Protocol (ARP) that retrieve the IP address and MAC address for a configuration item (CI) from the Network Infrastructure Item [discovery_net_base ] table and store the results in the Network ARP Table [discovery_net_arp_table].

Discovery provides these probes for extracting IP and MAC address resolution information:
Probe ECC queue topic Command Description
Linux - Network ARP Tables SSHCommand arp -n SSH command probe that retrieves the network information from the ARP table on a Linux server.
Solaris - Network ARP Tables SSHCommand arp -an SNMP probe that collects information from the ARP table on a switch or router.
Windows - Network ARP Table Powershell arp -a SSH command probe that retrieves the network information from the ARP table on a Solaris server.
SNMP - Network - ArpTable SNMP Table

The SNMP probe uses this OID first: ipNetToMediaPhysAddress,ipNetToMediaNetAddress.

If the probe fails to return results, it uses this OID: ipNetToPhysicalNetAddress,ipNetToPhysicalPhysAddress.

Powershell probe that retrieves the network information from the ARP table on a Windows server.

SNMP switch probes

These probes return bridging information from VLANs connected across network switches, including port selection, forwarding tables, and the use of the spanning tree protocol.

SNMP - Switch - BridgePortTable
This probe returns all the ports from a switch that are used to create a bridge between network segments.
Table 1. Bridging data returned
Table Switch Bridge Port Table [discovery_switch_bridge_port_table]
OID dot1dBasePort,dot1dBasePortIfIndex
Fields populated
  • cmdb_ci
  • port
  • interface_index
SNMP - Switch - SpanningTreeTable
This probe returns the active path between any two network nodes bridged by a switch.
Table 2. Spanning tree data returned
Table Switch Spanning Tree Table [discovery_switch_spanning_tree_table]
OID dot1dStpPort,dot1dStpPortState,dot1dStpPortEnable,dot1dStpPortDesignatedRoot,dot1dStpPortDesignatedBridge
Fields populated
  • cmdb_ci
  • port
  • port_state
  • port_enable
  • designated_root
  • designated_bridge_mac
SNMP - Switch - ForwardingTable

This probe returns information from a switch's forwarding table.

Table 3. Forwarding table data returned
Table Switch Forwarding Table [discovery_switch_fwd_table]
OIDs These OIDs are built as needed by the DiscoveryVlanSwitchProcessor script include.
  • Non-Cisco:
    • Q-BRIDGE MIB: oid_spec_list = 'table dot1qTpFdbAddress.' + vlanIndex + ',dot1qTpFdbPort.' + vlanIndex + ',dot1qTpFdbStatus.' + vlanIndex;
    • BRIDGE MIB: oid_spec_list = 'table dot1dTpFdbAddress,dot1dTpFdbPort,dot1dTpFdbStatus’;
  • Cisco BRIDGE MIB: oid_spec_list = 'table dot1dTpFdbAddress,dot1dTpFdbPort,dot1dTpFdbStatus’;
Additional probe called Switch - MAC Table called by DiscoveryVlanSwitchProcessor script include, if needed.

show mac address-table

Fields populated
  • cmdb_ci
  • vlan_id
  • port
  • status
  • mac_address (from the cmdb_ci field in the Network Infrastructure Item [discovery_net_base] table)
SNMP - Switch - Vlan
This probe returns VLAN IDs from a network switch.
Table 4. VLAN data returned
  • vtpVlanState
  • vmMembershipSummaryVlanIndex,vmMembershipSummaryMemberPorts,vmMembershipSummaryMember2kPorts
  • jnxExVlanTag

Other switch types are not supported.