Overlapping IP addresses

Many devices have the same IP addresses, particularly in virtualized and cloud environments. In earlier releases, BMC Helix Discovery treated the IP address space as flat, so duplicate IPs could cause problems such as hosts linked to the wrong subnets and incorrect communication links.

Scope

BMC Helix Discovery uses an identity scope to distinguish between overlapping address spaces. The scope forms a constraint on an IP address that enables duplicate IP addresses to be distinguished. The scope is a simple string with specific meanings for some values that are used by default. For example:

  • The empty string means the "global" or "default" scope. In the absence of any other scope, addresses are assumed to be in the global scope.
  • The "internet" scope means addresses which are public on the internet, for example, the public IP address of an EC2 instance.
  • For endpoints scanned through Amazon Web Services Systems Manager (SSM), the scope is set as the AWS VPC identifier (vpc-xxxxxxxxxx).
  • For endpoints scanned through the Google Cloud Platform (GCP) Identity Aware Proxy (IAP), the scope is set as the default network.

Scope is used in exactly the same manner for IPv4 and IPv6 addresses.

Scope not supported with BMC Helix Operations Management

Where your instance of BMC Helix Discovery is integrated with BMC Helix Operations Management, the scope feature is not supported and should not be used. 

A scope is applied to an endpoint at the time of discovery by the BMC Discovery Outpost used to perform the discovery. When you configure a BMC Discovery Outpost with a default scope (Manage > Configuration), then all endpoints discovered directly from that BMC Discovery Outpost are assigned its scope.

In some cases, currently for endpoints scanned through AWS SSM or GCP using IAP, a scope is set by the discovery calls. For AWS this is the AWS VPC identifier, and for GCP this is the default network. The BMC Discovery Outpost performing the discovery does not overwrite an existing scope applied to an endpoint.

You only need to set a scope on your BMC Discovery Outpost if you are scanning overlapping IP addresses. However, if you do set a scope on one BMC Discovery Outpost, then you should set a scope (appropriate to the targets that each BMC Discovery Outpost is discovering) on all of your other BMC Discovery Outposts.

If the only overlapping IP addresses you are scanning are scanned through AWS Systems Manager or GCP Identity Aware Proxy (IAP), then you do not need to set a scope manually, as the scope is set automatically to the AWS VPC identifier or the GCP default network by the discovery calls.
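
A pre-scan check for the guidance above, as an added example (not BMC code and not a BMC Helix Discovery API): it takes a constructed scan plan of hypothetical Outposts, scope strings and ranges, and flags overlapping ranges that share a scope as well as Outposts left without a scope while others have one. Endpoints whose scope is set by the AWS SSM or GCP IAP discovery calls are outside what it models.

```python
import ipaddress
from itertools import combinations

# Constructed sample scan plan. Outpost names, scope strings and ranges are
# invented for illustration; "" is the global (default) scope.
SAMPLE_PLAN = [
    {"outpost": "dc-london", "scope": "london", "ranges": ["10.0.0.0/16"]},
    {"outpost": "dc-tokyo", "scope": "tokyo",
     "ranges": ["10.0.0.0/16", "172.16.0.0/24"]},
    {"outpost": "dc-lab", "scope": "", "ranges": ["192.168.10.0/24"]},
    {"outpost": "dc-lab2", "scope": "london", "ranges": ["10.0.128.0/20"]},
]


def audit_scan_plan(plan):
    """Flag scope layouts that cannot keep overlapping addresses apart."""
    findings = []
    nets = [(o["outpost"], o["scope"], ipaddress.ip_network(r))
            for o in plan for r in o["ranges"]]
    for (a, sa, na), (b, sb, nb) in combinations(nets, 2):
        # Two different Outposts overlap inside the SAME scope: addresses in
        # the overlap are treated as one IP, so both Outposts must genuinely
        # reach the same address space. Different scopes keep them distinct.
        if a != b and sa == sb and na.version == nb.version and na.overlaps(nb):
            findings.append(("same-scope-overlap", a, b, sa or "(global)"))
    # Page guidance: once any Outpost has a scope, every Outpost should have one.
    if any(o["scope"] for o in plan):
        findings += [("unscoped-outpost", o["outpost"])
                     for o in plan if not o["scope"]]
    return findings


if __name__ == "__main__":
    for finding in audit_scan_plan(SAMPLE_PLAN):
        print(finding)
```

The 10.0.0.0/16 overlap between dc-london and dc-tokyo is not reported because their scopes differ; the overlap between dc-london and dc-lab2 is, because both use the same scope.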

Change of scope of existing scanned endpoint is not supported

Change of scope of an existing host is not supported. Scope distinguishes between endpoints in different address spaces. Once you have scanned an endpoint using a scope (including the global scope), you should not scan the same endpoint using a different scope. Doing so creates a duplicate for that endpoint in the other scope, and does not update the existing host with the new scope.

For example, if you have scanned a host using an incorrect scope, you should delete the resulting host node, and rescan the host using the correct scope.

Deletion of a single duplicate is simple, but scanning using a different scope could create very many duplicate hosts, the removal of which would be a large task.

Illustration

The following diagram shows the flow of information from endpoints to the user for BMC Discovery and BMC Helix Discovery.

OverlappingIPsAndScope



Comments

  1. Brandon Dias

    So, this feature will only work where a customer is scanning AWS?

    For example, if I have a customer with a worldwide network, and they have the possibility of duplicate IP addresses between some of their Datacentres, this feature will work or not?

    Sep 25, 2020 09:32
    1. Duncan Tweed

      No. Scope is not tied to AWS scanning. If you have duplicate IPs and scan them using different scopes (configured on each Outpost and selected for each scan), they will be treated as different IP addresses.

      AWS SSM is mentioned because we set the scope to be the AWS VPC identifier.

      Oct 02, 2020 02:56