
Why NetBox Doesn't Scan IPs

Jeremy Stretch edited this page Jul 26, 2016 · 2 revisions

People often ask why NetBox doesn't scan IP addresses for automatic import. This is an intentional decision relating to the scope of NetBox's functionality. Here are several reasons supporting the decision.

We don't want to re-invent the wheel

There are myriad standalone IP scanning tools available. nmap is arguably the most popular, though many others exist. We could not begin to match the maturity and efficiency of these tools by writing our own from scratch. Users are much better served by using these tools directly and then, after careful review of the results, importing data into NetBox manually.

Scanning an entire network from one location is suboptimal

Let's assume we implemented some form of wrapper around nmap or another tool so that it could be used directly from NetBox. This means that everything you want to scan must be reachable from the server(s) on which NetBox is installed. It's very likely that your security policy does not allow NetBox to talk directly with every node on the network, and a single host that is permitted to reach everything is exactly the kind of pivot point an attacker looks for.

And even if it does, you might not want it to. For example, suppose you have NetBox running in the United States and need to scan a /16 of IPv4 space in China. Rather than transmitting 65,536 probes across the Pacific, it would be much more efficient to scan the network from a bastion host in the same country.

Scanning is unreliable

But suppose your network is entirely constrained to a single geographic region and NetBox can talk to everything. Now you have to deal with the reality that scanning isn't going to be 100% correct. Scanning can't tell you for certain whether an IP is in use; only whether it is responsive at a given moment.

For example, suppose a host is temporarily offline, or has been configured to drop ICMP echo requests (or whatever probe the scanner uses). Neither will show up in your scan, even though both addresses are in use. If you import the scan data directly into NetBox, you've now corrupted your source of truth.

Scanning is non-deterministic

What happens when a previously defined IP stops showing up in a scan? Should we delete it? The host might actually still exist, though. Maybe we should mark it as "previously used" somehow. But then we're still using a database record to track an IP that might not even exist. And should we automatically add new IPs that pop up? What if they're not supposed to be there?

All this boils down to a single concept: NetBox is intended to represent the intended state of the network, as defined by humans, whereas scanning a live network reflects only its actual state at that moment. When you attempt to define the correct state by referencing the actual state with no intermediate process of validation, bad things happen.
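As an added example of the intermediate validation step described above (this is not code from this page or from NetBox itself), the script below parses nmap's grepable (-oG) output, compares the responsive addresses against a documented inventory standing in for NetBox's records, and produces a review list instead of changing anything. The inventory entries, hostnames and scan lines are all constructed for illustration; a documented address that did not answer is flagged rather than deleted, and a responsive address nobody documented is flagged rather than added.

```python
"""Reconcile an nmap scan against a documented (intended-state) inventory.

Added example, not NetBox code. DOCUMENTED stands in for the records a
human maintains in NetBox; SCAN_OUTPUT is constructed to look like
nmap's grepable (-oG) output. Nothing here writes to the source of
truth: the result is a review list for a person to act on.
"""
import ipaddress
import re

# Constructed intended-state records: address -> description.
# In practice these would come from NetBox; the values are made up.
DOCUMENTED = {
    "192.0.2.10": "core-sw1 mgmt",
    "192.0.2.11": "core-sw2 mgmt",
    "192.0.2.20": "dns1",
    "192.0.2.21": "dns2 (rebuild in progress)",
}

# Constructed nmap -sn -oG output for the same /24. dns2 (.21) is
# temporarily offline (nmap only prints Down hosts with -v), and .42 is
# a responsive device that nobody documented.
SCAN_OUTPUT = """\
# Nmap 7.80 scan initiated ... as: nmap -v -sn -oG - 192.0.2.0/24
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.20 ()\tStatus: Up
Host: 192.0.2.21 ()\tStatus: Down
Host: 192.0.2.42 ()\tStatus: Up
# Nmap done at ... -- 256 IP addresses (4 hosts up) scanned
"""

# Grepable host line: "Host: <addr> (<name>)<TAB>Status: <state>"
_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Status:\s+(\w+)")


def parse_grepable(text):
    """Return the set of addresses nmap reported as Up.

    Only 'Status: Up' lines count; Down hosts and comment lines are
    skipped. Each address is validated so a malformed line cannot
    smuggle garbage into the report.
    """
    up = set()
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m or m.group(2) != "Up":
            continue
        up.add(str(ipaddress.ip_address(m.group(1))))
    return up


def reconcile(documented, responsive):
    """Classify the difference between intended and observed state.

    Returns three sets. Neither 'unresponsive' nor 'undocumented' is
    applied to the inventory: a documented host that did not answer may
    simply be offline or dropping probes, and a host that answered may
    be something that should not be on the network at all.
    """
    documented = set(documented)
    return {
        "confirmed": documented & responsive,
        "unresponsive": documented - responsive,   # review, do not delete
        "undocumented": responsive - documented,   # review, do not auto-add
    }


def review_report(documented, responsive):
    """Human-readable list of items that need a decision from a person."""
    r = reconcile(documented, responsive)
    lines = []
    for ip in sorted(r["unresponsive"], key=ipaddress.ip_address):
        lines.append(f"REVIEW: {ip} ({documented[ip]}) is documented but did not respond")
    for ip in sorted(r["undocumented"], key=ipaddress.ip_address):
        lines.append(f"REVIEW: {ip} responded but is not documented")
    lines.append(f"{len(r['confirmed'])} documented addresses confirmed responsive")
    return lines


if __name__ == "__main__":
    for line in review_report(DOCUMENTED, parse_grepable(SCAN_OUTPUT)):
        print(line)
```

Run it as-is to see the two REVIEW lines; to use it against a real scan, replace SCAN_OUTPUT with the contents of an `nmap -sn -oG` file and DOCUMENTED with an export of your own records. The point is that the script's only output is a list for a human to act on, which is the validation step the conclusion above says must not be skipped.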