Today's Topics:
1. Discovery, ARP and MAC issues after update (DeSantos, Matthew)
2. Re: Discovery, ARP and MAC issues after update (Oliver Gorwits)
--- Begin Message ---
Hello,
I'm pulling my hair out trying to get netdisco to work again. It's been a great
tool for years now, but I recently updated and can't seem to get anything to
work anymore. I always had an overlap with the YAML config meaning our
switches/firewalls use the same mgmt subnet, but I would use host_group to
match the individual firewall IP and a subnet to match the remaining switches.
I tried various configurations but each time I failed.
Can someone please review my device_auth, host_group, and discover_only stanza
and let me know what I'm missing here. I commented out the SNMP stanza to test
SSH/CLI for the firewalls. The debug output returns 'discovery skipped:
10.10.200.220 is not discoverable'.
device_auth:
#  - tag: 'Extreme'
#    version: '3'
#    user: 'redacted'
#    auth:
#      pass: 'redacted'
#      proto: 'SHA'
#    priv:
#      pass: 'redacted'
#      proto: 'AES'  # Changed from DES to AES for compatibility

  - tag: 'Firewalls'
    driver: 'cli'
    platform: 'PaloAlto'
    only:
      - 'group:paloalto-firewalls'
    username: 'redacted'
    password: 'redacted'
    ssh_master_opts:
      - "-o"
      - "StrictHostKeyChecking=no"

# Host groups for access control
host_groups:
  paloalto-firewalls:
    - 'ip:^10\.(1|3|4|5|6|7|8|9|10|24|42|200)\.200\.210$'
    - 'ip:^10\.(1|3|4|5|6|7|8|9|10|24|42|200)\.200\.220$'

# Discovery targets
discover_only:
  - group: 'extreme-switches'
    device_auth: 'Extreme'
    subnet:
      - 10.1.200.0/24
      - 10.3.200.0/24
      - 10.4.200.0/24
      - 10.5.200.0/24
      - 10.6.200.0/24
      - 10.7.200.0/24
      - 10.8.200.0/24
      - 10.9.200.0/24
      - 10.10.200.0/24

  - group: 'paloalto-firewalls'
    device_auth: 'Firewalls'
    hosts:
      - 10.10.200.210
      - 10.10.200.220
--
Thanks,
Matt
--- End Message ---
--- Begin Message ---
Hi Matt, and thanks for using Netdisco!
OK, I see an issue in your config. The discover_only setting doesn't have
any subkeys like device_auth, subnet, or hosts. It's just a plain list in
which IPs or other groups can be contained.
So you possibly want something like this: https://nopaste.net/iKjFX8bBGN
The wiki docs I guess you have seen, but in case not:
https://github.com/netdisco/netdisco/wiki/Configuration#access-control-lists
https://github.com/netdisco/netdisco/wiki/Configuration#host_groups
Finally there's a good way to troubleshoot by asking Netdisco to dump the
config:
~netdisco/bin/netdisco-do dumpconfig -e host_groups
~netdisco/bin/netdisco-do dumpconfig -e device_auth
Hope this helps!
oliver.
On Wed, 5 Nov 2025 at 00:33, DeSantos, Matthew via netdisco-users <
[email protected]> wrote:
> Hello,
>
> I'm pulling my hair out trying to get netdisco to work again. It's been a
> great tool for years now, but I recently updated and can't seem to get
> anything to work anymore. I always had an overlap with the YAML config
> meaning our switches/firewalls use the same mgmt subnet, but I would use
> host_group to match the individual firewall IP and a subnet to match the
> remaining switches. I tried various configurations but each time I failed.
>
> Can someone please review my device_auth, host_group, and discover_only
> stanza and let me know what I'm missing here. I commented out the SNMP
> stanza to test SSH/CLI for the firewalls. The debug output returns
> 'discovery skipped: 10.10.200.220 is not discoverable'.
>
> device_auth:
> #  - tag: 'Extreme'
> #    version: '3'
> #    user: 'redacted'
> #    auth:
> #      pass: 'redacted'
> #      proto: 'SHA'
> #    priv:
> #      pass: 'redacted'
> #      proto: 'AES'  # Changed from DES to AES for compatibility
>
>   - tag: 'Firewalls'
>     driver: 'cli'
>     platform: 'PaloAlto'
>     only:
>       - 'group:paloalto-firewalls'
>     username: 'redacted'
>     password: 'redacted'
>     ssh_master_opts:
>       - "-o"
>       - "StrictHostKeyChecking=no"
>
> # Host groups for access control
> host_groups:
>   paloalto-firewalls:
>     - 'ip:^10\.(1|3|4|5|6|7|8|9|10|24|42|200)\.200\.210$'
>     - 'ip:^10\.(1|3|4|5|6|7|8|9|10|24|42|200)\.200\.220$'
>
> # Discovery targets
> discover_only:
>   - group: 'extreme-switches'
>     device_auth: 'Extreme'
>     subnet:
>       - 10.1.200.0/24
>       - 10.3.200.0/24
>       - 10.4.200.0/24
>       - 10.5.200.0/24
>       - 10.6.200.0/24
>       - 10.7.200.0/24
>       - 10.8.200.0/24
>       - 10.9.200.0/24
>       - 10.10.200.0/24
>
>   - group: 'paloalto-firewalls'
>     device_auth: 'Firewalls'
>     hosts:
>       - 10.10.200.210
>       - 10.10.200.220
>
> --
> Thanks,
> Matt
--- End Message ---
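An added example, not part of either message and not Netdisco's own code: a small Python lint for the shape problem Oliver describes (mappings inside discover_only), plus two related checks on `group:` references and the `StrictHostKeyChecking=no` option visible in the posted config. It assumes the YAML has already been loaded into a dict; `SAMPLE`, `as_list` and `lint` are hypothetical names, and the sample data is constructed from the thread.

```python
# SAMPLE is constructed from the config quoted in this thread
# (credentials omitted, subnet list shortened).
SAMPLE = {
    "device_auth": [{
        "tag": "Firewalls", "driver": "cli", "platform": "PaloAlto",
        "only": ["group:paloalto-firewalls"],
        "ssh_master_opts": ["-o", "StrictHostKeyChecking=no"],
    }],
    "host_groups": {"paloalto-firewalls": [
        r"ip:^10\.(1|3|4|5|6|7|8|9|10|24|42|200)\.200\.210$",
        r"ip:^10\.(1|3|4|5|6|7|8|9|10|24|42|200)\.200\.220$",
    ]},
    "discover_only": [
        {"group": "extreme-switches", "device_auth": "Extreme",
         "subnet": ["10.1.200.0/24", "10.10.200.0/24"]},
        {"group": "paloalto-firewalls", "device_auth": "Firewalls",
         "hosts": ["10.10.200.210", "10.10.200.220"]},
    ],
}


def as_list(value):
    """Normalise a missing value, a single item, or a list to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def lint(cfg):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    groups = cfg.get("host_groups") or {}
    acls = [("discover_only", cfg.get("discover_only"))]
    for stanza in as_list(cfg.get("device_auth")):
        tag = stanza.get("tag")
        acls.append((f"device_auth[{tag}].only", stanza.get("only")))
        opts = [str(o).replace(" ", "").lower() for o in as_list(stanza.get("ssh_master_opts"))]
        if "stricthostkeychecking=no" in opts:
            findings.append(f"device_auth[{tag}]: StrictHostKeyChecking=no "
                            "accepts unknown SSH host keys without verification")
    for name, acl in acls:
        for i, item in enumerate(as_list(acl)):
            if isinstance(item, (dict, list)):
                findings.append(f"{name}[{i}]: nested {type(item).__name__}, expected a plain entry")
            elif str(item).startswith("group:") and str(item)[6:] not in groups:
                findings.append(f"{name}[{i}]: undefined host group '{str(item)[6:]}'")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

The output of `netdisco-do dumpconfig`, once parsed, is a natural input for the same checks.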