The Discovery function scans the devices and hosts in your network and populates the Cisco APIC-EM database with the information that it retrieves. To do this, you need to provide the controller with information about your network so that the Discovery function can reach as many of the devices in your network as possible and gather as much information as it can.
The Discovery function uses the following protocols and methods to retrieve network information, such as host IP addresses, MAC addresses, and network attachment points:
Cisco Discovery Protocol (CDP)
Community-based Simple Network Management Protocol Version 2 (SNMPv2c)
Simple Network Management Protocol Version 3 (SNMPv3)
Link Layer Discovery Protocol (LLDP)
IP Device Tracking (IPDT) (For Discovery to collect host information, you must manually enable IPDT on devices. After IPDT is enabled, Discovery collects host information on a best-effort basis, because in addition to IPDT, Discovery relies on ARP entries for host information.)
LLDP Media Endpoint Discovery (LLDP-MED) (IP phones and some servers are discovered using LLDP-MED).
For information about the required protocol configuration for your devices, see Required Device Configuration.
The process of finding network devices and hosts is known as discovery. You populate the Cisco APIC-EM database by discovering the devices and hosts in your network. To discover network devices, you need to provide the Cisco APIC-EM with discovery credentials for the devices in your network in the form of SNMP settings and CLI credentials. When you perform a discovery, the Cisco APIC-EM scans the network and attempts to log in to newly found devices by presenting these credentials.
The Cisco APIC-EM uses the CDP, LLDP and wireless controller databases on the network devices to discover hosts, such as wireless laptops, handheld devices, printers, and IP phones. To discover wired laptops, the Cisco APIC-EM uses the IP Device Tracking database, which needs to be enabled on some switches. (This feature is enabled by default on some switches.)
Wireless LAN Controllers (WLCs) have additional setup requirements in order to be discovered. For more information, see Wireless LAN Controller Configuration.
Discovery credentials (global and discovery request-specific) operate under rules as described in the bullet list and table below.
Discovery request-specific credentials rules:
These credentials can be provided when creating a new network discovery, but only a single set of these credentials is allowed per network discovery.
These credentials take precedence over any configured global credentials.
If the discovery request-specific credentials cause an authentication failure, then discovery is attempted a second time with the configured global credentials (if explicitly selected in the Discovery window). If discovery fails with the global credentials, then the device discovery status will result in an authentication failure.
If the discovery request-specific credentials (both CLI and SNMP) are not provided as part of network discovery, then the global credentials (both CLI and SNMP) are used to authenticate devices.
Global credentials rules:
Global Credentials | Discovery Request-Specific Credentials | Result |
---|---|---|
Not configured | Not configured | The default SNMP read community string (public) is used for the discovery scan, but the device discovery will fail since both CLI and SNMP credentials must be configured for a successful device discovery. |
Not configured | Configured | The specified discovery request-specific credentials will be used for discovery. |
Configured | Not configured | All the configured global credentials will be used. |
Configured but not selected | Configured | Only the request-specific credentials will be used. |
Configured and selected | Not configured | Only the selected global credential will be used. |
Configured and selected | Configured | Both specified credentials (global and discovery request-specific) will be used for discovery. |
Configured, but wrong global credential IDs are mentioned in the discovery POST REST API. | Correct request-specific credentials configured | Discovery fails. |
Configured, but wrong global credential IDs are mentioned in the discovery POST REST API. | Not configured | Discovery fails. |
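The precedence and fallback rules in the list and table above, modelled as an added example (not Cisco code and not an APIC-EM API). The names `Cred`, `attempt_order` and `discover`, the status labels, and all sample values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Cred:
    """One credential set (constructed model, not an APIC-EM object)."""
    source: str                      # label such as "request" or "global:g1"
    cli_user: Optional[str]
    cli_password: Optional[str]
    snmp_community: Optional[str]

    def secrets(self):
        return (self.cli_user, self.cli_password, self.snmp_community)

def attempt_order(global_store: Dict[str, Cred], selected_ids: List[str],
                  request_cred: Optional[Cred]) -> List[Cred]:
    """Credential sets in the order they are presented to a device."""
    unknown = [i for i in selected_ids if i not in global_store]
    if unknown:
        # Wrong global IDs fail the discovery even with good request credentials.
        raise LookupError(f"unknown global credential IDs: {unknown}")
    chosen = [global_store[i] for i in selected_ids]
    if request_cred is not None:
        return [request_cred] + chosen      # request-specific first, then fallback
    if chosen:
        return chosen                       # only the selected globals
    if global_store:
        return list(global_store.values())  # all configured globals
    # Nothing configured: only the default read community is tried.
    return [Cred("default", None, None, "public")]

def discover(device: Cred, global_store: Dict[str, Cred],
             selected_ids: List[str], request_cred: Optional[Cred]) -> str:
    """Return the label of the set that authenticated, or a failure label."""
    try:
        order = attempt_order(global_store, selected_ids, request_cred)
    except LookupError:
        return "DISCOVERY_FAILED"
    for cred in order:
        # Both CLI and SNMP values must be present and must match the device.
        if None not in cred.secrets() and cred.secrets() == device.secrets():
            return cred.source
    return "AUTH_FAILURE"

# Constructed sample data: one device, one saved global set, one stale request set.
DEVICE = Cred("device", "netops", "S3cret!", "ro-comm")
GLOBALS = {"g1": Cred("global:g1", "netops", "S3cret!", "ro-comm")}
STALE = Cred("request", "netops", "old-pass", "ro-comm")
```

Calling `attempt_order` on its own lists every credential set a discovery job would present to newly found devices, which is the list to review before widening a scan range.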
The following are caveats for the Cisco APIC-EM discovery credentials:
If a device credential changes in a network device or devices after Cisco APIC-EM discovery is completed for that device or devices, any subsequent polling cycles for that device or devices will fail. To correct this situation, an administrator has the following options:
If the ongoing discovery fails due to a device authentication failure (for example, the provided discovery credential is not valid for the devices discovered by the current discovery), then the administrator has the following options:
Stop or delete the current discovery. Create one or more new network discovery jobs (either a CDP or Range discovery type) with a discovery request-specific credential that matches the device credential.
Create a new global credential or modify one of the global credentials, and execute a new discovery selecting the correct global credential.
Deleting a global credential does not affect already discovered devices. These already discovered devices will not report an authentication failure.
The Cisco APIC-EM provides a REST API which allows the retrieval of the list of managed network devices in the Cisco APIC-EM inventory, including certain administrative credentials (SNMP community strings and CLI usernames). The purpose of this API is to allow an external application to synchronize its own managed device inventory with the devices that have been discovered by the Cisco APIC-EM. For example, for Cisco IWAN scenarios, Prime Infrastructure makes use of this API in order to populate its inventory with the IWAN devices contained in the Cisco APIC-EM inventory in order to provide monitoring of the IWAN solution. Any user account with a ROLE_ADMIN has access to this API.
Note | Only the username is provided in clear text. SNMP community strings and passwords are not provided in cleartext for security reasons. |
To access the Discovery function, from the Navigation pane, click Discovery. The Discovery window opens.
Name | Description |
---|---|
Discoveries pane | Lists the names of the discovery scans that have been created, along with the method and IP addresses used for discovery. The list is divided between active and inactive discoveries. A successful scan (one with discovered and authenticated devices) has the number of discovered devices indicated in a box to the right of the discovery name. An unsuccessful scan shows no box or number of devices discovered. From the Discoveries pane, clicking on a discovery name displays the information in the Discovery Details and Device Details panes. |
Discovery Details pane | Provides detailed information about the discovery parameters that were used to perform the discovery, the state of the discovery, and the number of devices that were discovered. The buttons on this pane allow you to Start, Stop, and Delete discoveries. |
In-tool guide | Provides guidance about how to configure discovery. |
You can discover devices and hosts using CDP.
You must have administrator (ROLE_ADMIN) permissions to perform this procedure.
CDP must be enabled on the devices in order for them to be discovered.
Your devices must have the required device configurations, as described in Required Device Configuration.
Note | While a discovery job is in progress, you can perform any of the following actions: |
Step 1 | From the Navigation pane, click Discovery. The Discovery window appears. |
Step 2 | If the Discovery Details pane does not appear, click Add New. |
Step 3 | In the Discovery Name field, enter a unique name for this discovery. |
Step 4 | In the IP Ranges area, do the following: |
Step 5 | In the SNMP area, choose one of the previously configured SNMP settings from the Saved SNMP drop-down list. If the settings that you need are not available in the list, you can configure SNMP settings for the current discovery. Use the following guidelines to help you enter the correct values in the fields: |
Step 6 | In the CLI Credentials area, enter the username, password, and enable password in the fields for the devices that you want the Cisco APIC-EM to discover. Both the password and enable password are encrypted for security reasons and cannot be seen when viewing the configuration. Discovery credentials are preexisting device credentials used by the Cisco APIC-EM to authenticate and discover the Cisco devices in your network. For host discovery, credentials are not required as hosts are discovered through the devices. |
Step 7 | (Optional) In the Advanced area, configure the protocols that the Cisco APIC-EM uses to connect to devices. Valid protocols are SSH (default) and Telnet. To remove a protocol from the scan, click the protocol name. The checkmark next to the protocol disappears and the protocol fades from the display. To customize the order that protocols are used to connect to devices, drag and drop a selected protocol to the desired location in the list. |
Step 8 | Click Start Discovery. The Discoveries window displays the results of your scan. The Discovery Details pane shows the status (active or inactive) and the discovery configuration. The Discovery Devices pane displays the host names, IP addresses, and status of the discovered devices for the selected discovery. |
You can copy a discovery job and retain all of the information defined for the job, except the SNMP and CLI credentials. The SNMP and CLI credentials are included in the copy only if you used global credentials (saved in Settings) for the original job. If you defined specific (one-time only) SNMP and CLI credentials for the original job, the credentials are not copied.
You have created at least one discovery scan.
Step 1 | From the Navigation pane, click Discovery. |
Step 2 | From the Discoveries pane, select the discovery job. |
Step 3 | From the Discovery Details pane, click Copy.
The discovery job is copied, and the new job is named Copy of Discovery_Job. |
Step 4 | (Optional) Change the name of the discovery job. |
Step 5 | Define or update the SNMP and CLI credentials and any other parameters for the discovery job. |
You must have administrator (ROLE_ADMIN) permissions to perform this procedure.
The Discovery window provides information about the selected scan. To access the Discovery window, from the Navigation pane, click Discovery. The Discovery Results window has three main panes.
Note | You must have created at least one discovery scan for the Discovery Results window to display. |
Name | Description |
---|---|
Discoveries pane | Lists the names of the discovery scans that have been created, along with the method and IP addresses used for discovery. The list is divided between active and inactive discoveries. A successful scan (one with discovered and authenticated devices) has the number of discovered devices indicated in a box to the right of the discovery name. An unsuccessful scan shows no box or number of devices discovered. From the Discoveries pane, clicking on a discovery name displays the information in the Discovery Details and Device Details panes. |
Discovery Details pane | Provides detailed information about the discovery parameters that were used to perform the discovery, the state of the discovery, and the number of devices that were discovered. The buttons on this pane allow you to Start, Stop, and Delete discoveries. |
Devices pane | Displays the host name, IP address, and status of the devices found during the scan. Discovery displays devices as discarded if the IP address belongs to an access point (associated with a wireless controller) or the device was filtered based on input given in the Subnet Filter field. |