Configuration

nick n edited this page Sep 5, 2018 · 55 revisions

Introduction

The configuration files for Netdisco come with all options set to sensible default values, and just a few that you must initially set yourself.

There are two configuration files: config.yml (which lives inside Netdisco) and deployment.yml (which usually lives in ${HOME}/environments).

The config.yml file includes defaults for every setting, and should be left alone. Any time you want to set an option, use only the deployment.yml file. The two are merged when Netdisco starts, with your settings in deployment.yml overriding the defaults from config.yml.

YAML Guidance

The configuration file format for Netdisco is YAML. This is easy for humans to edit, but you should take care with whitespace and avoid TAB characters. YAML supports several data types:

  • Boolean - True/False value, using 1 and 0 or true and false respectively, e.g.:

check_userlog: true
  • List - Set of things using [a, b, c] on one line or - on separate lines, e.g.:

community: ['public', 'another']

discover_no:
  - 192.0.2.0/24
  - '2001:db8::/32'
  • Dictionary - Key/Value pairs (like Perl Hash) using {key1: val1, key2: val2} on one line or key: value on separate lines, e.g.:

port_control_reasons:
  address:   'Address Allocation Abuse'
  copyright: 'Copyright Violation'
  • String - Optionally quoted, just like in Perl (quotes required if the item contains a colon character). For example:

log: 'debug'
expire_devices: 15

Access Control Lists

Access Control Lists (ACLs) appear in many places in the configuration file, used to select or exclude devices or hosts for certain settings. ACLs are a single item or YAML list of items, which can contain:

  • Hostname, IP address, IP prefix (i.e. subnet), such as:

    - hostname.example.com
    - 192.0.2.1
    - '2001:db8::/32'
  • IP address range, using a hyphen on the last octet/hextet, and no whitespace:

    - 192.0.2.1-10
  • Regular expression in YAML format (no enforced anchors) which will match the device DNS name (using a fresh DNS lookup, so works on new discovery), e.g.:

    - !!perl/regexp ^sep0.*$
  • property:regexp” to match against any device property, such as model or vendor. Devices not yet discovered have only the ip field available, otherwise any field in the database’s device table may be used. For example:

    - 'vendor:cisco'

    Regular expressions must match the complete value (begin/end anchors are enforced and do not need to be included). When matching a device’s interface, “port:regexp” is also an option (see device_identity).

  • group:groupname” to reference the “groupname” group from the host_groups setting. This is a way to either include ACLs in other ACLs, or re-use ACLs.

  • op:and” to require all items to match (or not match) the provided IP or device. Note that this includes IP address version mismatches (v4-v6).

To negate any item in an ACL (except YAML regexp), prefix with “!”, for example “!192.0.2.0/29”. In that case the test will be that the ACL entry does not match the device or IP being assessed. Note, however, that the first match in an ACL wins (because the default mode is "OR"), so take care with the order of items or include “op:and” in the ACL if appropriate.

To match any device, use “any”. To match no devices use “!any”. To match only IPv4 addresses use “0.0.0.0/0”, and for IPv6 addresses “::/0”.

Configuration settings in Netdisco that take an Access Control List (most of the “*_no” and “*_only” settings, and “only” settings) can accept either a YAML list of the above items, or merely a single item. This is useful if you create a host_groups entry and wish to reference that as the ACL:

devices_no: 'group:router_loopbacks'

Supported Settings

Essential Settings

If you followed the installation instructions, then you should have set the database connection parameters to match those of your local system. That is, the database name, host, user and pass.

General Settings

log

Value: debug|warning|error. Default: warning.

The log level used by Netdisco. It’s useful to see warning messages from the backend poller, as this can highlight broken topology.


logger_format

Value: Format String. Default: '[%P] %U %L %m'.

Structure of the log messages. See Dancer::Logger::Abstract for details.


include_paths

Value: List. Default: Empty List.

Additional library paths for the application (both web frontend and backend poller daemons). You can also use a colon-separated list in the “NETDISCO_INC” environment variable which makes code available even earlier in the app startup sequence.


template_paths

Value: List. Default: Empty List.

Additional paths for Template::Toolkit templates. Files in these paths will be loaded before (and hence override) any templates built in to Netdisco.

If you want to copy and override a built in web template, then create the directories necessary (such as "ajax" or "sidebar") in this path. Note that templates may need to have a further “views” subdirectory created.


site_local_files

Value: Boolean. Default: false.

A shortcut for using include_paths and template_paths. Setting this to true will push $ENV{NETDISCO_HOME}/nd-site-local/{lib,share/views} into those settings, respectively. You can then put Perl code in /lib and templates in /share/views within the nd-site-local directory.


external_databases

Value: List of Database Configuration dictionaries. Default: None.

The Plugins and User Reports features of Netdisco can gather data from external databases. You need to install the Perl database driver for the target database platform, and configure this setting appropriately. For example:

external_databases:
  - tag: externaldb
    dsn: 'dbi:Pg:dbname=myexternaldb;host=192.0.2.1'
    user: oliver
    password: letmein
    options:
      pg_enable_utf8: true

Note that tag is required and maps to the database key if you use the Generic Reports feature (see "[reports]", below), or becomes the Dancer database schema name if you program the Plugin directly.

Web Frontend

domain_suffix

Value: String. Default: None.

Set this to your local site’s domain name. This is usually removed from node names in the web interface to make things more readable. Make sure to include the leading dot character.


no_auth

Value: Boolean. Default: false.

Enable this to disable login authentication in the web frontend. The username will be set to guest so if you want to allow extended permissions (admin or port_control), create a dummy user with the appropriate flag in the database:

netdisco=> insert into users (username) values ('guest');
netdisco=> update users set port_control = true where username = 'guest';
netdisco=> update users set admin = true where username = 'guest';

navbar_autocomplete

Value: Boolean. Default: true.

Set this to false to disable the device autocomplete in the main navbar.


suggest_guest

Value: Boolean. Default: false.

Enable this to display a banner suggesting to log in with a guest account. The username and password of this account must both be "guest".


trust_remote_user

Value: Boolean. Default: false.

Enable this if Netdisco is running within another web server such as Apache, and you want that server to handle user authentication. Normally the authenticated username will automatically be set in the REMOTE_USER environment variable. See Dancer::Deployment for further details.


trust_x_remote_user

Value: Boolean. Default: false.

Enable this if you proxy requests to Netdisco via another web server such as Apache, and you want that server to handle user authentication. You need to configure the authorized username to be passed from the frontend environment to Netdisco in the X-REMOTE_USER HTTP Header. For example with Apache:

RequestHeader unset X-REMOTE_USER
RequestHeader set X-REMOTE_USER "%{REMOTE_USER}e" env=REMOTE_USER

When running securely (https), replace "%{REMOTE_USER}e" with "%{REMOTE_USER}s".


validate_remote_user

Value: Boolean. Default: false.

Enable this to check that remote users (usernames that come from a frontend proxy server) also exist in the Netdisco Users database. No password check is made.

This can be useful when you have web login or single sign-on on the frontend web server, but also want to limit to a set of known users in Netdisco. You can still load those users into the database in Netdisco and enable this setting to check any proxied access can be mapped to a known user.


ldap

Value: Settings Tree. Default: None.

If set, and a user has the ldap flag also set on their account, then LDAP authentication will be used for their login.

ldap:
  servers:
    - 'ad.example.com'
  user_string: 'MYDOMAIN\%USER%'
  opts:
    debug: 0

There are several options within this setting:

servers

This must be a list of one or more LDAP servers. If using Active Directory these would be your Domain Controllers.

user_string

String to construct the user portion of the DN. %USER% is a variable which will be replaced at runtime with the logon name entered on the logon page of the application.

Active Directory users may simply use MYDOMAIN\%USER% and skip all other options except servers, as this notation eliminates the need to construct the full distinguished name.

Examples: cn=%USER% or uid=%USER%.

base

Indicates where in the hierarchy to begin searches. If a proxy user is not defined and anonymous binds are not enabled this value will be appended to the user_string to construct the distinguished name for authentication.

proxy_user

User to bind with to perform searches. If defined as anonymous, then anonymous binds will be performed and proxy_pass will be ignored. For organizations with users in multiple OUs this option can be used to search for the user and construct the DN based upon the result.

proxy_pass

Proxy user password. Ignored if proxy user defined as anonymous.

opts

Dictionary of options to add to the connect string. Normally only needed if server does not support LDAPv3, or to enable debugging as in the example above.

tls_opts

A hash which, when defined, causes the connection tol use Transport Layer Security (TLS) which provides an encrypted connection. TLS is the preferred method of encryption, ldaps (port 636) is not supported.

This is only possible if using LDAPv3 and the server supports it. These are the options for the TLS connection. See the Net::LDAP documentation under start_tls for options, but the defaults should work in most cases.


path

Value: String. Default: None.

Mount point for the Netdisco web frontend. This is usually the root of the web server. Set this to the path under which all pages live, e.g. /netdisco2. As an alternative you can use the --path option to netdisco-web.


web_plugins

Value: List of Modules. Default: List of bundled plugin names.

Netdisco’s plugin system allows you to alter, add, or remove, components of the web user interface. Plugins can be distributed independently from Netdisco and are an alternative to source code patches. This setting is the list of Plugins which are used in the default Netdisco distribution.

:bulb:
See the Web Plugins documentation for how to write and install web UI components.

If you only want to add to the default list then use the extra_web_plugins setting, below, which allows the Netdisco developers to update default web_plugins in a future release.

Any change should go into your local deployment.yml configuration file. If you want to view the default settings, see the share/config.yml file in the App::Netdisco distribution.

Entries in the list will by default omit the leading App::Netdisco::Web::Plugin:: from the name. To override this for one entry, prefix it with a + sign. You can also prefix with X:: to signify the alternate App::NetdiscoX::Web::Plugin:: namepsace.


extra_web_plugins

Value: List of Modules. Default: Empty List.

This setting is used if you want to add new plugins but not change the set enabled by default. If you wish to change the built-in default plugins set, then create a version of web_plugins instead.

:bulb:
See the Web Plugins documentation for how to write and install web UI components.

The order of the entries is significant. Unsurprisingly, the modules are loaded in order. Therefore Navigation Bar items appear in the order listed, and Tabs appear on the Search and Device pages in the order listed, and so on.

Netdisco will prepend App::Netdisco::Web::Plugin:: to any entry in the list. For example, "Inventory" will load the App::Netdisco::Web::Plugin::Inventory module. Netdisco uses the standard Perl @INC path searching mechanism to load plugin modules. See the include_paths and site_local_files settings in order to modify @INC for loading local plugins.

If an entry in the list starts with a “+” (plus) sign then Netdisco attemps to load the module as-is, without prepending anything to the name. This allows you to have App::Netdiso web UI plugins in other namespaces.

For your own plugins, use the "Netdisco extension" namespace App::NetdiscoX. You can prefix module names with "X::", and Netdisco will prepend App::NetdiscoX::Web::Plugin:: to the entry. For example, X::Observium will load the App::NetdiscoX::Web::Plugin::Observium module.


reports

Value: List of Reports dictionaries. Default: None.

Use this configuration to add reports to Netdisco without writing any Perl code or HTML templates. For example:

reports:
  - tag: power_inventory
    label: 'Power Supply Inventory'
    category: Device
    columns:
      - {name: 'Name'}
      - {ps1_type: 'PS1 Type'}
      - {ps1_status: 'PS1 Status'}
    query: |
      SELECT d.name, d.ps1_type, d.ps1_status
        FROM device d
      ORDER BY name

The tag of each item in the reports configuration is an alias for the report, and becomes part of the web path.

You can munge the data retrieved from the database by placing a Perl script with the same name as the reports key into the “site_plugins” directory of Netdisco’s home area. The script can access $config for its configuration and @data for the retrieved data. It should return a list of munged data.

Within the tree you can provide each of the keys below:

tag

Alias for the Report, which must be usable in a web path.

label

Title for the Report.

columns

List of single-key dictionaries which map database column (field) name to table heading.

query

SQL which returns the data. Make sure that the columns are named the same as the keys of the columns or query_columns configuration. Note the way the SQL is specified in the example above, using the pipe symbol and then indenting the query text.

category (optional)

Section of the Reports menu where this report will appear. See Writing Web Plugins for the full list. If not supplied, reports appear in a "My Reports" category.

hidden (optional)

Set to true to skip inclusion of this report from the Reports menu.

database (optional)

The database "tag" used in external_databases so that you can query another database (even in another database server) and display the results in a Netdisco report.

query_columns (optional)

If supplying code to munge the data, the columns returned from your database query may not be the same as those in the web report. Set this to a list of the columns in query. The columns setting will then be used for the web report.

bind_params (optional)

You can use placeholders in the SQL query (that is, “?”) to bind user-supplied parameters. This setting should be a list of the parameters to pick out of the URL query string and match to the placeholders in the same order. For example:

query: |
  SELECT ... FROM ... WHERE device = ? AND port = ?
bind-params: ['device', 'port']
# then
http://localhost:5000/report/my_special_report?device=192.0.2.1&port=Vlan142

system_reports

Value: List of Reports dictionaries. Default: Built-in reports.

This is an internal setting containing Netdisco’s built-in reports. Do not touch.


jobqueue_refresh

Value: Integer Number. Default: 10.

Number of seconds between reloads of the Job Queue panel in the web interface.


safe_password_store

Value: Boolean. Default: true.

Set to “false” if you MUST maintain backwards compatibility with the Netdisco 1.x web interface. Strongly recommended that you leave this set to “true”.


table_pagesize

Value: Number. Default: 10.

The default number of rows in a table page.


table_showrecordsmenu

Value: Number. Default:

table_showrecordsmenu:
  - [10, 25, 50, 100, '-1']
  - [10, 25, 50, 100, 'All']

The choices available to users for selecting the number of rows per page. The format is two lists: one of the values and one of the labels in the web interface. You can see in the default that a value of “-1” means Show All Records.


vlanctl

Value: Boolean. Default: true.

Set to false to prevent users from changing the default VLAN on an interface. This setting has no effect when portctl_nameonly below is set to true.


portctl_nameonly

Value: Boolean. Default: false.

Set to true to limit port control action to only changing the interface name (description).


portctl_nophones

Value: Boolean. Default: false.

Set to true to make sure an IP Phone port never can be turned off/on.


portctl_vlans

Value: Boolean. Default: false.

Set to true to allow Netdisco to be able to disable VLAN trunk interfaces.

:fire:
Turning off a VLAN trunk link could take out most of your network.

Value: Boolean. Default: false.

Set to true to allow Netdisco to be able to disable Uplinks. (Router Interfaces too)

:fire:
Turning off uplinks will take out chunks of your network.

port_control_reasons

Value: Dictionary of Strings. Default:

port_control_reasons:
  address:     'Address Allocation Abuse'
  copyright:   'Copyright Violation'
  dos:         'Denial of Service'
  bandwidth:   'Excessive Bandwidth'
  polling:     'Excessive Polling of DNS/DHCP/SNMP'
  noserv:      'Not In Service'
  exploit:     'Remote Exploit Possible'
  compromised: 'System Compromised'
  other:       'Other'
  resolved:    'Issue Resolved'

When a user has Port Control rights and shuts down a port, they are asked for a reason. This configuration lists those reasons, and can be overridden to add or remove any entries.


check_userlog

Value: Boolean. Default: true.

Set to false to disable the periodic AJAX check for completed entries in the job queue for this user. Mainly useful for development to suppress noisy web frontend activity.


devport_vlan_limit

Value: Number. Default: 150.

When showing Device Ports, Netdisco calculates first an average number of VLANs across all device ports. If this is above this configurable threshold, the VLAN Membership is not shown (regardless of Display Columns setting.


login_logo

Value: String. Default: none.

Set to the URL of an image file which will be displayed alongside the Log In form.

Netdisco Core

host_groups

Value: Dictionary of Access Control Lists. Default: None.

Several configuration settings in Netdisco make use of Access Control Lists to identify lists of devices or hosts. Examples are the *_no settings such as discover_no, the *_only settings such as macsuck_no, and some “only” settings which appear in device_auth and dns configuration.

The host_groups setting allows for naming of groups which are then referenced in settings or even within other groups, to include the values. Each item in the dictionary has the name of the group for the key, and the ACL for its value. Note that ACLs may be single items, or lists. For example:

host_groups:
  problem_switches: badhost.example.com
  friendly_devices:
    - 192.0.2.0/24
    - 'group:problem_switches'

macsuck_no: 'group:problem_switches'
discover_only:
  - 'group:friendly_devices'
  - '2001:db8::/32'

As you can see, a host group is referenced by prefixing its name with “group:” and enclosing in quotes (because the colon character is part of YAML syntax too). Host groups may be used in any setting that mentions support for Access Control Lists.


host_group_displaynames

Value: Dictionary of host group to alias name mappings. Default: None.

Some web frontend features of Netdisco can make use of predefined host groups that are configured with the host_groups setting (above). Use this setting to assign the groups friendly names which will be used in the web interface.

The dictionary maps from host group name to friendly alias. For example:

host_group_displaynames:
  backbone_switches: 'Backbone Core'
  backbone_distribution: 'Backbone Edge Routers'
  cpe_devices: 'Customer Premises'

A useful side effect of this configuration setting is that not all host groups configured in the host_groups setting are used by the web frontend. Only those given aliases in host_group_displaynames will be offered to the user.


device_identity

Value: Dictionary of Access Control List mappings. Default: None.

This setting allows you to control the canonical name or identity of devices in Netdisco. For example if Netdisco discovers devices and uses the "wrong" interface to identify them (thereby confusing users) you can correct that here.

The device_identity setting is a dictionary where each key is an Access Control List matching a device and the corresponding value is another Access Control List matching one of the device’s interfaces to use as the device canonical identity. The format of Access Control Lists is described in Access Control Lists.

In general, because the key of a dictionary must be a simple text string, you can use hostname, IP prefix, device properties, and group references to match devices. Regular expressions and combinations of device attributes should be placed in a host_groups entry and referenced by name. For example:

host_groups:
  backbone_devices:
    - 'op:and'
    - 'vendor:arista'
    - 'model:.*(?i:DCS7508).*'

device_identity:
  'group:backbone_devices':
    - !!perl/regexp ^.*\.backbone\.example\.com$
    - '172.16.20.0/24'
  'vendor:cisco': '192.0.2.0/24'

During "discover" jobs, Netdisco will find all entries in device_identity where the key matches the device in some way. For those entries, the device’s interface IPs are put in ascending order, and then tested in turn against the entry’s value. If any interface matches, then the device is renumbered to use that interface as its new identity and the process stops.

When using an Access Control List for the value (interface selection), as well as the options described in Access Control Lists you can use “port:regexp” to match an interface’s port name. For example to renumber any device to the IP and host name of its Mgmt1 interface (if it has one), you could use:

device_identity:
  'any': 'port:(?i)mgmt1'

Once a device is renumbered, its new identity is "sticky". That is, you could remove the device_identity configuration and the next "discover" job will not revert any device’s identity.

Remember that all Access Control Lists have an implicit "OR" condition - any of their entries matching will cause the whole list to match. If you need very specific matching on devices, use a host group of several properties together with the “op:and” modifier to require that all items in the list match the device (as in the example above).

Note also that whatever interface you select as canonical for the device must be reachable by SNMP. Interfaces where an SNMP connection fails are ignored.

The order in which Netdisco evaluates clauses in device_identity is not specified. If you need to control the sequence, pass a list of single-key dictionaries instead of one multi-key dictionary. The above example could then become:

device_identity:
  - 'group:backbone_devices':
      - !!perl/regexp ^.*\.backbone\.example\.com$
      - '172.16.20.0/24'
  - 'vendor:cisco': '192.0.2.0/24'

mibhome

Value: Directory. Default: ${HOME}/netdisco-mibs.

Base directory in which to find mibdirs. This is where netdisco-deploy will drop MIB files.


mibdirs

Value: List of Directories. Default: All subdirectories of mibhome.

A list of subdirectories of mibhome from which to load MIB files. You should always include rfc. For example:

mibdirs:
  - rfc
  - cisco
  - foundry

community

Value: List of Strings. Default: public.

A list of read-only SNMP community strings to try on each device. This is the simplest way to configure your SNMPv1 or SNMPv2 community strings. For example:

community:
  - public
  - anotherstring
  - mycommunity

Each is tried in turn when polling the device, and then the working community string will be cached in the database.

For fine-grained control over which communities are tried for which devices, or to set SNMPv3 authentication, see device_auth, below.


community_rw

Value: List of Strings. Default: private.

A list of read-write SNMP community strings to try on each device. The working community will be cached in the database.

This is the simplest way to configure SNMPv1 or SNMPv2 community strings. Each is tried in turn when writing to the device, and then the working community string will be cached in the database.

For fine-grained control over which communities are tried for which devices, or to set SNMPv3 authentication, see device_auth, below.


device_auth

Value: List of Settings Trees. Default: Empty List.

This setting configures authenticaiton for all polling, and provides an alternative fine-grained control for SNMPv1 and SNMPv2 community strings. You provide a list of authentication "stanza", and Netdisco will try each in turn, then cache the one which works for a device.

Each stanza can be restricted for use only on specific devices, and also limited to read (get) and/or write (set) operations. By default, a stanza is enabled for all device IPs, for read access only. The "tag" of a stanza is simply a friendly name used by Netdisco when referring to the configuration.

device_auth:
  - community: public
  - community: publictwo
  - community: mycommunity
    write: true
  - community: mycommunity2
    read: false
    write: true
  - tag: v3example
    user: netdisco
    auth:
      pass: netdiscokey
      proto: MD5
    priv:
      pass: netdiscokey2
      proto: DES
  - tag: aclexample
    community: s3kr1t
    read: false
    write: true
    only:
      - 192.0.2.0/30
      - 172.20.10.0/24
    no: '172.20.10.1'

For SNMPv1 and SNMPv2, only the community key is required. Unlike the global community/community_rw setting, this is not a list but a single item. Therefore, to configure multiple community strings, have one stanza per community, as in the examples above and below.

For any sanza you can add read and/or write booleans to control whether it is used for get and/or set operations, and IP restrictions using only and no (see Access Control Lists for what you can use here).

For SNMPv3 the tag and user keys are required. Providing an auth section enables the authentication security level, providing a priv section enables the message encryption security level. When configuring multiple SNMPv3 stanza please use only and/or no ACLs for each, otherwise only the first stanza is ever used (this is a limitation in the underlying SNMP library).

The default SNMPv3 authentication security method is MD5, and the default encryption protocol is DES, with AES or AES256 being common alternatives. Note that you cannot have priv without auth.

On some device platforms SNMPv3 contexts are used to macsuck each VLAN. For this you usually configure a common context "prefix", with Netdisco’s default being “vlan-” (i.e. vlan-1, vlan-2, etc). Add the context_prefix key to a stanza to override this default.

For other authentication mechanisms (HTTP, SSH, etc), tag is also required. Each transport will have different settings, but usually a username and password are required, and optionally some other settings. See the transport or driver documentation pages for further details. For example:

device_auth:
  - tag: ye_olde_snmp
    community: public
  - tag: sshcollector
    only: 'group:sshcollectordevices'
    driver: cli
    action: 'arpnip::nodes'
    username: foo
    password: bar
  - tag: netconf_devices
    only: 'vendor:juniper'
    driver: netconf
    username: oliver
    password: letmein

The driver key shown above is used to associate some authentication credentials with certain authentication mechanisms. The action key allows you to restrict credentials to certain actions or even stages of actions on the remote device, such as ARP table gathering in the above example.

Netdisco caches both the successful SNMPv2 read and write community strings, as well as the tag names if available. This allows for faster operations once a connection has previously been made to a device. Tags are recommended.

If you have SNMP connect failures, or notice that devices are not appearing in Netdisco, take a look at the "SNMP Connect Failures" Admin Report, and also the max_deferrals setting, below.

Finally, a reminder that multiple SNMPv2 community strings need to be in separate named stanza, as below. However for simple v2 configurations you can revert to the “community” setting, instead:

device_auth:
  - tag: 'default_v2_readonly1'
    community: 'read1'
  - tag: 'default_v2_readonly2'
    community: 'read2'

# or...
community: ['read1', 'read2']

get_community

Value: String. Default none.

An external program to run to get the community string for a given device. This is useful if, for example, you have you devices already configured in another NMS and you want to use that information instead of configuring device_auth.

The strings “%IP%” and “%HOST%” are replaced by the IP address and the hostname (or IP address if no hostname is known) of the system being contacted. For example:

get_community: '/path/to/my/program %IP%'

The command must return output in the following form:

community=<comma-separated list of readonly-communities>
setCommunity=<comma-separated list of write-communities>

If the community string is not known for the given system, the command should return no output and the community strings configured in device_auth, community, and community_rw will be used instead.


bulkwalk_off

Value: Boolean. Default false.

Set to true to use GETNEXT instead of the standard BULKWALK for every device. This will slow things down, but might be necessary for problem devices. For more fine-grained control see the bulkwalk_no setting.


bulkwalk_no

Value: Single item or list of Network Identifiers or Device Properties. Default: Empty List.

IP addresses in the list will use GETNEXT (and not BULKWALK). See Access Control Lists for what you can use here.


bulkwalk_repeaters

Value: Number. Default: 20.

Sets the Net-SNMP MaxRepeaters value, which is used on BULKWALK operations. See SNMP for more info.


nonincreasing

Value: Boolean. Default: false.

Setting this to true prevents bulkwalk of device tables with non-increasing OIDs throwing an error OID not increasing when encountered. The default is to allow non-increasing OIDs during bulkwalk (which may, in very badly performing SNMP agents, result in a never-ending loop). Requires Net-SNMP 5.3 or higher.


snmpver

Value: 1|2|3. Default: 3.

Highest version of the SNMP protocol used when connecting to devices. Use this setting to disable SNMP v3 globally. Usually you don’t need to configure this.


snmpforce_v1

Value: List of Network Identifiers or Device Properties. Default: Empty List.

Forces matching devices to use SNMPv1.


snmpforce_v2

Value: List of Network Identifiers or Device Properties. Default: Empty List.

Forces matching devices to use SNMPv2c.


snmpforce_v3

Value: List of Network Identifiers or Device Properties. Default: Empty List.

Forces matching devices to use SNMPv3.


snmptimeout

Value: Number. Default: 3000000.

Micro-seconds before connection retry in SNMP::Session. 1000000 micro-seconds = 1 second.


snmpretries

Value: Number. Default: 2.

Number of times to retry connecting to a device before giving up.


snmp_remoteport

Value: Map of UDP port number to list of Device Identifiers. Default: Empty Map.

Use this setting to override the UDP port used for SNMP connections to devices. The key is the port number, and the value is an Access Control Lists entry. For example:

snmp_remoteport:
  1161: 'any'

devices_no

Value: Single item or list of Network Identifiers or Device Properties. Default: Empty List.

The value will be copied into discover_no, macsuck_no, arpnip_no, and nbtstat_no, so is a shorthand way to restrict backend workers to avoid these device targets. See Access Control Lists for what you can use here.


devices_only

Value: Single item or list of Network Identifiers or Device Properties. Default: Empty List.

The value will be copied into discover_only, macsuck_only, arpnip_only, and nbtstat_only, so is a shorthand way to restrict backend workers to only specified device targets. See Access Control Lists for what you can use here.


<actionname>_timeout

Value: number of seconds.

The named action will be aborted if it takes longer than this time. There is no default, meaning that the timeout setting (default 10 minutes) takes prescedence. Set to zero to disable timeout for an action (job type).


discover_no

Value: Single item or list of Network Identifiers or Device Properties. Default: Empty List.

IP addresses in the list will not be visited during device discovery. See Access Control Lists for what you can use here.


discover_only

Value: Single item or list of Network Identifiers or Device Properties. Default: Empty List.

If present, device discovery will be limited to IP addresses matching entries in this list. See Access Control Lists for what you can use here.


discover_no_type

Value: List of Strings. Default: None.

Place regular expression patterns here to exclude the discovery of certain devices based on the CDP/LLDP device type information. Good for excluding a whole device class like lightweight access points or IP phones that have CDP but don’t talk SNMP. For example:

discover_no_type:
  - 'cisco\s+AIR-LAP'
  - '(?i)Cisco\s+IP\s+Phone'

discover_min_age

Value: Number. Default: 0.

Sets the minimum amount of time in seconds which must elapse between any two discover jobs for a device.


macsuck_no

Value: List of Network Identifiers or Device Properties. Default: Empty List.

IP addresses in the list will not be visited for macsuck. See Access Control Lists for what you can use here.


macsuck_only

Value: Single item or list of Network Identifiers or Device Properties. Default: Empty List.

If present, macsuck will be limited to IP addresses matching entries in this list. See Access Control Lists for what you can use here.


macsuck_all_vlans

Value: Boolean. Default: false.

Set to macsuck all VLANs, not just the ones that are being used on ports. This is a debug option. Set this if you think that the option of not macsucking VLANs that aren’t in use on device ports is some how interfering.


macsuck_no_unnamed

Value: Boolean. Default: false.

Set to true to skip macsuck-ing on VLANs which have no name set. This option may be useful on Cisco Catalyst family devices where ports are a member of a VLAN which is not defined in the VLAN database.


macsuck_no_vlan

Value: List of VLAN names or numbers. Default: fddi-default, token-ring-default,fddinet-default,trnet-default.

On some devices, per-VLAN macsuck will timeout with specific VLAN numbers. You can put those numbers (or their names) into this list to have them skipped.


macsuck_no_devicevlan

Value: List of "IP:vlan-number" or "IP:vlan-name". Default: Empty List.

Similar to macsuck_no_vlan, but allows specifying the device root (canonical) IP, in order to restrict VLAN skipping only to some devices.


macsuck_unsupported

Value: Single item or list of Network Identifiers or Device Properties. Default: Empty List.

Similar to macsuck_no, but instead of skipping nodes on this device, they are allowed to gather on the upstream device port. Useful for devices which can be discovered by Netdisco but do not provide a MAC address table via SNMP. See Access Control Lists for what you can use here.


macsuck_unsupported_type

Value: List of Strings. Default: None.

Place regular expression patterns here to skip macsuck of certain devices based on the CDP/LLDP device type information they advertise. MAC addresses will be allowed to gather on the upstream device port, as in the macscuk_unsupported setting. For example:

macsuck_unsupported_type:
  - 'cisco\s+AIR-LAP'
  - '(?i)Cisco\s+IP\s+Phone'

macsuck_bleed

Value: Boolean. Default: false.

Set to true will let nodes accumulate on uplink ports without topology information. This is a debug option to help you figure out your topology and generally should not be set.


macsuck_min_age

Value: Number. Default: 0.

Sets the minimum amount of time in seconds which must elapse between any two macsuck jobs for a device.


arpnip_no

Value: List of Network Identifiers or Device Properties. Default: Empty List.

IP addresses in the list will not be visited for arpnip. See Access Control Lists for what you can use here.


arpnip_only

Value: Single item or list of Network Identifiers or Device Properties. Default: Empty List.

If present, arpnip will be limited to IP addresses matching entries in this list. See Access Control Lists for what you can use here.


arpnip_min_age

Value: Number. Default: 0.

Sets the minimum amount of time in seconds which must elapse between any two arpnip jobs for a device.


nbtstat_no

Value: List of Network Identifiers. Default: Empty List.

IP addresses in the list will not be visited for nbtstat. See Access Control Lists for what you can use here.


nbtstat_only

Value: Single item or list of Network Identifiers. Default: Empty List.

If present, nbtstat will be limited to IP addresses matching entries in this list. See Access Control Lists for what you can use here.


nbtstat_max_age

Value: Number. Default: 7.

The maximum age of a node in days for it to be checked for NetBIOS information.


nbtstat_interval

Value: Number. Default: 0.02.

Interval between nbtstat requests in each poller. Defaults to 0.02 seconds, equating to 50 requests per second per poller.


nbtstat_response_timeout

Value: Number. Default: 1.

Seconds nbtstat will wait for a response before time out. Accepts fractional seconds as well as integers.


node_freshness

Value: Number of Minutes. Default: 0

Controls the behaviour of Netdisco when a node (workstation, printer, etc) has disappeared from the network (device MAC address tables).

If set to 0, the default, nodes will remain on the last-seen switch port until “expire_nodes” days have passed (when they’ll be deleted if you run the Expire job). This is the same behaviour as Netdisco 1.

Set to a number of minutes to enforce some kind of ageing on this data. For example you could set to 60 to match the default macsuck schedule, meaning nodes are archived if they’re not in the device tables at the time of polling.


expire_devices

Value: Number of Days. Default: 60

Devices that have not been refreshed in this number of days will be removed. All nodes connected to this device will be removed as well.


expire_nodes

Value: Number of Days. Default: 90

Nodes that have not been refreshed in this number of days will be removed from the database. Archived and non-archived nodes are removed. This includes SwitchPort/MAC and MAC/IP mappings.


expire_nodes_archive

Value: Number of Days. Default: 60

Archived data for switch-port/MAC and MAC/IP mappings older than this number of days will be removed.


expire_nodeip_freshness

Value: Number of Days. Default: same as expire_nodes or expire_nodes_archive.

Controls the behaviour of Netdisco when expiring IP-MAC entries (from the node_ip table). The default behaviour, as in Netdisco 1, is to remove these entries (when older than expire_nodes or expire_nodes_archive), even if the IP relates to a Node that is not going to be expired.

Alternatively, assign a number of days to this setting and these still-linked IP entries will be kept for that long. Set to zero to keep them indefinitely (that is, for as long as a Node remains which shares the MAC address).

Note that in situations where a Node cycles through many IP addresses in a short time, such as with wireless roaming or IPv6 Privacy Addressing, then setting to zero can massively inflate your Netdisco database.


expire_jobs

Value: Number of Days. Default: 14

Jobs which entered the job queue more than this many days ago will be removed from the queue during the scheduled expiry process (regardless of whether they were ever run).


dns

Value: Settings Tree. Default:

dns:
  max_outstanding: 50
  hosts_file: '/etc/hosts'
  no: ['fe80::/64','169.254.0.0/16']

Controls the asynchronous DNS resolver used to resolve IP addresses to names during arpnip and discovery of device aliases.

max_outstanding sets the maximum number of outstanding requests for asynchronous DNS resolution. This setting overrides the PERL_ANYEVENT_MAX_OUTSTANDING_DNS environment value and the AnyEvent library default of 10.

Similarly, the location of the Hosts file can be overridden in this config, or using the PERL_ANYEVENT_HOSTS environment variable.

no is a single item or list of IP addresses or CIDR ranges to excluded from DNS resolution (see Access Control Lists). Link local addresses are excluded as in the defaults shown above.


store_wireless_clients

Value: Boolean. Default: true.

Set to false to skip the wireless client information gathering. This is captured at macsuck time, so if you aren’t using the information you can skip it.


store_modules

Value: Boolean. Default: true.

Set to false to skip the module inventory on device discovery. On some platforms this can double the discovery time.


ignore_interfaces

Value: List of Strings. Default:

ignore_interfaces:
  - 'EOBC'
  - 'unrouted VLAN(?: \d+)?'
  - 'StackPort'
  - 'Control Plane Interface'
  - 'SPAN (S|R)P Interface'
  - 'StackSub-.*'
  - 'StackPort\d+'
  - 'netflow'
  - 'Vlan\d+-mpls layer'
  - 'BRI\S+-Bearer Channel'
  - 'BRI\S+-Physical'
  - 'BRI\S+-Signalling'
  - 'Embedded-Service-Engine\d+\/\d+'
  - 'Virtual-Template\d+'
  - 'Virtual-Access\d+'
  - '(E|T)\d \d\/\d\/\d'
  - 'InLoopback0'
  - 'NULL\d'
  - 'Register-Tunnel\d'
  - 'Blade-Aggregation\d'
  - 'M-GigabitEthernet\d/\d/\d'

If present, device ports whose names match fully any of the items in this list will be ignored by the discovery process.

Note this may have side effects - connected devices and nodes on those ports will in turn also not be discovered.


ignore_private_nets

Value: Boolean. Default: false.

Set to true to ignore device interfaces that are part of private nets (RFC 1918).


reverse_sysname

Value: Boolean. Default: false.

Turn this on to have Netdisco do a reverse lookup of the device sysName.0 field to use as the management IP address for a device.


phone_capabilities

Value: List of Strings. Default:

phone_capabilities:
  - '(?i:phone)'

Regular expressions to match the Capability field received within neighbor discovery protocols such as CDP/FDP/LLDP. Netdisco uses this to display a "phone" icon alongside devices or nodes in the Device Ports table.

To find the received Capabilities on an upstream device, run this command:

~netdisco/bin/netdisco-do show -d <IP-of-device> -e c_cap

phone_platforms

Value: List of Strings. Default:

phone_platforms:
  - '(?i:mitel.5\d{3})'

Regular expressions to match the Platform field received within neighbor discovery protocols such as CDP/FDP/LLDP. Netdisco uses this to display a "phone" icon alongside devices or nodes in the Device Ports table.

To find the received Platforms on an upstream device, run this command:

~netdisco/bin/netdisco-do show -d <IP-of-device> -e c_platform

wap_capabilities

Value: List of Strings. Default:

wap_capabilities:
  - 'wlanAccessPoint'

Regular expressions to match the Capability field received within neighbor discovery protocols such as CDP/FDP/LLDP. Netdisco uses this to display a "wireless signal" icon alongside devices or nodes in the Device Ports table.

To find the received Capabilities on an upstream device, run this command:

~netdisco/bin/netdisco-do show -d <IP-of-device> -e c_cap

wap_platforms

Value: List of Strings. Default:

wap_platforms:
  - '(?i:\bw?ap\b)'
  - 'cisco\s+AIR-[L|C]?AP'
  - '-K9W8-'

Regular expressions to match the Platform field received within neighbor discovery protocols such as CDP/FDP/LLDP. Netdisco uses this to display a "wireless signal" icon alongside devices or nodes in the Device Ports table.

To find the received Platforms on an upstream device, run this command:

~netdisco/bin/netdisco-do show -d <IP-of-device> -e c_platform

Backend Daemon

workers

Value: Settings Tree. Default:

workers:
  tasks: 'AUTO * 2'
  timeout: 600
  sleep_time: 1
  min_runtime: 0
  max_deferrals: 10
  retry_after: '7 days'

Control the activity of the backend daemon with this configuration setting.

tasks sets how many worker processes are started for interactive jobs (port control) and polling jobs (discover, macsuck, arpnip) on this node. Other nodes can have different settings.

AUTO” is the number of CPU cores. Set tasks to “0” to disable all workers (which allows you to have a scheduler-only node).

timeout is the maximum runtime of any action (job), after which it will be aborted (so the default is 10 minutes). Set to zero to disable such management. You can override the setting per action-type using the “<actionname>_timeout” setting, described above.

sleep_time is the number of seconds between polling the database to find new jobs. This is a balance between responsiveness and database load.

min_runtime allows you to set a time that each worker will sleep before recycling and starting another job. Some users report this needs to be set to avoid a 'runaway worker' bug. It can take a fractional number of seconds.

max_deferrals is the number of times an SNMP connect failure can occur before the device is no longer polled. The setting and counters are local to each poller backend. To disable this feature configure the setting with a value of zero. Restarting the backend poller or making a job request via the web or CLI will cause any job to be tried once again.

retry_after is the time when each job is retried once, even when permanently deferred. The default is each job retried once per week. To disable this feature (that is, never periodically retry) configure the setting with a value of zero.


jobs_stale_after

Value: Integer number of seconds. Default: 3000 (50 minutes).

This is the time after which jobs started will be considered stale by the backend manager process. It allows duplicate jobs to start to run, by assuming that the worker running the job crashed and for some reason the job was not cleaned up correctly.


schedule

Value: Settings Tree. Default:

schedule:
  discoverall:
    when: '5 7 * * *'
  arpwalk:
    when:
      min: 20
  macwalk:
    when:
      min: 50
  nbtwalk:
    when: '0 8,13,21 * * *'
  expire:
    when: '30 23 * * *'

This is the schedule for jobs in the backend daemon when it is running. The keys are any valid action name (see netdisco-do) and the values are an Algorithm::Cron specification. This means if you add your own actions through Backend Plugins, they can also be scheduled for periodic execution.

You can run more than one scheduler for redundancy (on different servers), but make sure they all have good NTP. You can also run scheduler-only nodes (by having tasks: 0 within the workers setting), or worker-only nodes (by unsetting this configuration with schedule: null).

Work can be scheduled using cron style notation (as shown above), or a set of weekday and hour fields (which accept same types as cron notation). For example:

macwalk:
  when:
    min: 50
    hour: '*/2'
    wday: 'mon-fri'

Note that unpecified “when” fields default to "all" (i.e. “*”). See Algorithm::Cron for further details.

The netdisco-do parameters of device, port, and extra may be added to any scheduled action. You can schedule the same action several times by using a different title, and adding the action key. This also allows selection of specific action stages. For example:

schedule:
  # standard schedule
  macsuck:
    when: 20 * * * *
  # duplicate that action for increased frequency for a specific device
  macsuck_specific:
    action: macsuck
    when: 15,45 * * * *
    device: 192.0.2.1
  # run a specific stage of an action
  refresh_neighbors:
    action: 'discover::neighbors'
    when: 20 8,11,14,17 * * *
  # provide additional arguments
  psql:
    when: '5 7 * * *'
    extra: 'COPY (SELECT COUNT (*) FROM user_log) TO STDOUT WITH CSV HEADER'

worker_plugins

Value: List of Modules. Default: List of bundled plugin names.

Netdisco’s worker plugin system allows you to alter, add to, remove, or override, stages of the backend daemon’s activity. Plugins can be distributed independently from Netdisco and are an alternative to source code patches. This setting is the list of Plugins which are used in the default Netdisco distribution.

:bulb:
See the Backend Plugins documentation for how to write and manage backend worker actions.

If you only want to add to the default list then use the extra_worker_plugins setting, below, which allows the Netdisco developers to update default worker_plugins in a future release.

Any change should go into your local deployment.yml configuration file. If you want to view the default settings, see the share/config.yml file in the App::Netdisco distribution.

Entries in the list will by default omit the leading App::Netdisco::Worker::Plugin:: from the name. To override this for one entry, prefix it with a + sign. You can also prefix with X:: to signify the alternate App::NetdiscoX::Worker::Plugin:: namepsace.


extra_worker_plugins

Value: List of Modules. Default: Empty List.

This setting is used if you want to add new plugins but not change the set enabled by default. If you wish to change the built-in default plugins set, then create a version of worker_plugins instead. The order of the entries is not significant.

:bulb:
See the Backend Plugins documentation for how to write and manage backend worker actions.

Netdisco will prepend App::Netdisco::Worker::Plugin:: to any entry in the list. For example, Expire will load the App::Netdisco::Worker::Plugin::Expire module. Netdisco uses the standard Perl @INC path searching mechanism to load plugin modules. See the include_paths and site_local_files settings in order to modify @INC for loading local plugins.

If an entry in the list starts with a “+” (plus) sign then Netdisco attemps to load the module as-is, without prepending anything to the name. This allows you to have App::Netdiso worker plugins in other namespaces.

For your own plugins, use the "Netdisco extension" namespace App::NetdiscoX. You can prefix module names with X::, and Netdisco will prepend App::NetdiscoX::Worker::Plugin:: to the entry. For example, X::ConfigBackup will load the App::NetdiscoX::Worker::Plugin::ConfigBackup module.

driver_priority

Value: Dictionary of driver names and priorities. Default:

restconf: 500
netconf:  400
eapi:     300
cli:      200
snmp:     100

The mapping of driver names to worker priority. When assigning a worker priority yourself, you can choose to make it relative to one of these values. See the Worker Cookbook for further details.

Dancer Internal

charset

Value: String. Default: UTF-8.


warnings

Value: Boolean. Default: false.

Should warnings be considered as critical errors?


show_errors

Value: Boolean. Default: false.

Whether to show a stack trace when an error is caught in the web frontend.


logger

Value: console|file. Default: console.

Destination for log messages. Should usually be console, which does the right thing when running foreground apps, and is also captured to ${HOME}/logs when running daemonized. Only change this if you know what you’re doing.


engines

Value: Settings Tree.

Useful for overriding the Template Toolkit settings, if you want.


layout

Value: String. Default: main.

Don’t touch this.


plugins

Value: Settings Tree.

Useful for overriding the Database configuration, but only if you know what you’re doing.


session

Value: String. Default: cookie.

How to handle web sessions. Default is to store in an encrypted cookie using a key stored in the database by netdisco-deploy.


template

Value: String. Default: template_toolkit.

Which engine to use for templating in the web frontend. Don’t touch this.


route_cache

Value: Boolean. Default: true.

Whether to build a route cache for web requests, for better performance.


appname

Value: String. Default: Netdisco.

Don’t touch this.


behind_proxy

Value: Boolean. Default: false.

There’s no need to touch this. See deployment documentation for how to proxy.

Unsupported

These settings are from Netdisco 1.x but are yet to be supported in Netdisco 2. They are deemed unecessary, although feel free to contact the developer team if you disagree!

  • phone_ouis

  • wap_ouis

  • col_xxx_show

  • port_info

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.