
Overlapping IP addresses


Many devices have the same IP addresses, particularly in virtualized and cloud environments. In earlier releases BMC Discovery treated the IP address space as flat, so duplicate IPs could cause problems such as hosts linked to the wrong subnets, and incorrect communication links.

Scope

BMC Discovery uses an identity scope to distinguish between overlapping address spaces. The scope forms a constraint on an IP address that enables duplicate IP addresses to be distinguished. The scope is a simple string with specific meanings for some values that are used by default. For example:

  • The empty string means the "global" or "default" scope. In the absence of any other scope, addresses are assumed to be in the global scope.
  • The "internet" scope means addresses which are public on the internet, for example, the public IP address of an EC2 instance.
  • For endpoints scanned through Amazon Web Services Systems Manager (SSM), the scope is set as the AWS VPC identifier (vpc-xxxxxxxxxx).
  • For endpoints scanned through the Google Cloud Platform (GCP) Identity Aware Proxy (IAP), the scope is set as the default network.

Scope is used in exactly the same manner for IPv4 and IPv6 addresses.

On upgrade to BMC Discovery from versions before 20.08, all existing discovered devices are considered to be in the default scope. In an upgraded system where you have not previously used scope, you should read this information on scope transition mode.

A scope is assigned to an endpoint at the time of discovery by the BMC Discovery appliance or cluster, or BMC Discovery Outpost used to perform the discovery. When you configure a BMC Discovery appliance with a default scope (Administration > Discovery Configuration), then all endpoints discovered directly from that appliance are assigned the appliance's scope. Setting the scope from any cluster member sets the scope for the cluster.

When you configure a BMC Discovery Outpost with a default scope (Manage > Configuration), then all endpoints discovered directly from that BMC Discovery Outpost are assigned its scope.

In some cases, currently for endpoints scanned through AWS SSM or GCP using IAP, a scope is set by the discovery calls. For AWS this is the AWS VPC identifier, and for GCP this is the default network. The BMC Discovery appliance or BMC Discovery Outpost performing the discovery does not overwrite an existing scope applied to an endpoint.

You only need to set a scope on your BMC Discovery appliance, cluster, or Outposts if you are scanning overlapping IP addresses. However, if you do set a scope on one, then you should set a scope (appropriate to the targets that each is discovering) on all of your BMC Discovery appliances, clusters, or Outposts.

If the only overlapping IP addresses you are scanning are scanned through AWS Systems Manager or GCP Identity Aware Proxy (IAP), then you do not need to set a scope manually, as the scope is set automatically to the AWS VPC identifier or the GCP default network by the discovery calls.

Change of scope of existing scanned endpoint is not supported

Change of scope of an existing host is not supported. Scope distinguishes between endpoints in different address spaces. Once you have scanned an endpoint using a scope (including the global scope), you should not scan the same endpoint using a different scope. Doing so creates a duplicate for that endpoint in the other scope, and does not update the existing host with the new scope.

For example, if you have scanned a host using an incorrect scope, you should delete the resulting host node, and rescan the host using the correct scope.

Deletion of a single duplicate is simple, but scanning using a different scope could create very many duplicate hosts, the removal of which would be a large task.
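
The scope guidance above can be checked before a scan is run. The following Python script is an added example, not BMC code and not a BMC Discovery API: it audits a hand-maintained inventory of appliances and Outposts for scanners left without a scope while others have one, and for scan ranges that overlap within one scope or across scopes. The inventory layout, scanner names, ranges and finding labels are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample: each scanner's default scope ("" = global) and scan ranges.
SCANNERS = [
    {"name": "appliance-hq", "scope": "", "ranges": ["10.0.0.0/16", "2001:db8::/48"]},
    {"name": "outpost-a", "scope": "site-a", "ranges": ["10.0.4.0/22"]},
    {"name": "outpost-b", "scope": "site-a", "ranges": ["10.0.6.0/24", "172.16.0.0/24"]},
]

def overlapping(a, b):
    """Yield (range_a, range_b) string pairs from two scanners that share addresses."""
    for ra in a["ranges"]:
        for rb in b["ranges"]:
            na, nb = ipaddress.ip_network(ra), ipaddress.ip_network(rb)
            # Scope applies the same way to IPv4 and IPv6; compare like with like.
            if na.version == nb.version and na.overlaps(nb):
                yield ra, rb

def audit_scopes(scanners):
    """Return (kind, scanner_names, detail) findings for an operator to review."""
    findings = []
    unscoped = sorted(s["name"] for s in scanners if not s["scope"])
    if unscoped and len(unscoped) < len(scanners):
        # Page guidance: once one scanner has a scope, all of them should.
        findings.append(("mixed-scoping", tuple(unscoped), "no default scope set"))
    for a, b in combinations(scanners, 2):
        for ra, rb in overlapping(a, b):
            if a["scope"] == b["scope"]:
                # Same scope: both ranges are treated as one address space,
                # which is only correct if they really are the same network.
                kind = "same-scope-overlap"
            else:
                # Different scopes: an endpoint reachable from both scanners
                # is recorded once per scope, producing a duplicate host.
                kind = "cross-scope-overlap"
            findings.append((kind, (a["name"], b["name"]), f"{ra} ~ {rb}"))
    return findings

if __name__ == "__main__":
    for finding in audit_scopes(SCANNERS):
        print(finding)
```

Each finding is a prompt for review rather than an error: an overlap is expected when the ranges are genuinely separate networks with different scopes, or the same network with the same scope.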

Illustration

The following diagram shows the flow of information from endpoints to the user for BMC Discovery and BMC Helix Discovery.

[Figure: OverlappingIPsAndScope.png]
