Using IP Address CMDB Class (cmdb_ci_ip_address) as opposed to the IP Address attribute

Go to solution
Jacques Clement
Kilo Sage
Kilo Sage

‎03-01-2021 06:13 AM

Hi Community,

I keep wondering what an interesting use case is for using the cmdb_ci_ip_address CI Class as opposed to just store the IP address as an attribute of e.g. the Server Class?

I suppose there is a valid story behind this, but just can't think of any by myself.

Any thoughts?

Thanks!

 

Labels:
  • 7,286 Views
1 ACCEPTED SOLUTION

Go to solution
CasperJT
Tera Guru

‎03-10-2021 02:22 AM

Hi Jacques,

The IP address table allows you to reference an IP from a network interface card (NIC), which can then reference a computer.

This is especially relevant when you have multiple NIC's on a machine (which is most often the case).

For eaxmple my PC has had 3 IP addresses recently (one from my VPN and two from my internal NIC). This is of course more static for a server, but for PC's it can allow for deeper analysis in case of a security breach (for example).

find_real_file.png

This data is all automatically populated, I would not recommend populating it manually. Currently I have 135K records in this table (cleaned up regularly to avoid stale records).

Hope this helps.

 

Best regards,

Casper

View solution in original post

Preview file
22 KB
9 REPLIES 9

Go to solution
CasperJT
Tera Guru
In response to Anshu10

‎04-27-2023 02:32 AM

Hi Anshu,

 

Multiple IP's can make sense for a few reasons (probably more than I am listing here).

1. The device in question has multiple network adapters such as WIFI and a VPN, meaning the device will have multiple IP addresses

2. The device does not have a static IP, so whenever it gets a new lease it may update its IP address

3. The device moves from place to place. For example from one site to another or to a home office or something else. In these casess the IP will also change

 

Now, a use case for keeping all these various IP addresses, at least for a period of time, could for example be, if there were a security breach detected for a specific IP address, but for whatever reason there was no device name detected (I have seen this particular example). Now you can go back and look at your IP Address table and find any device that had the affected IP Address around the time of the breach and you can begin mitigation steps.

 

I would however look at cleaning up the data more often than only when a device becomes absent. I also see some Data Privacy considerations in keeping IP Addresses indefinitely, since they could be tied to a location and a PC, which can be tied to a person and now we are able to track their movements, which is not necessarily something we can argue that we have an operational use for.

 

Hope this helps.

 

Best regards,

Casper

0 Helpfuls

Go to solution
Anshu10
Tera Contributor
In response to CasperJT

‎04-27-2023 03:14 AM

Hi @CasperJT,

 

Thanks for responding. 

I understood the reasons to keep the ip address in table but i am also of this opinion to keep this data for a specific amount of time. Since within few years, this number is going to shoot at a good pace and we will end up having irrelevant data in this table.

So how do you suggest the logic should be build to remove this data? I know it could requirement specific.

I would like to clean up this ip address data frequently. But as per this kb article- https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0687602

 

We are using ip address table to discover CIs.

 

I am now stuck on building a good logic to proceed so it doesn't affect discovery and that data could be removed frequently.

Hope it makes sense and i aint sounding confusing. 🙂

 

Regards,

Anshu

0 Helpfuls

Go to solution
CasperJT
Tera Guru
In response to Anshu10

‎04-27-2023 03:35 AM

Hi Anshu,

 

I agree that there is certainly a risk that you will have stale data in the long term.

So depending on how long you want to keep the data you could use a logic where you find

'IP Addresses that have not been updated in the last 30 days (or whatever you deem best) AND whose CI is is retired' OR ' 'IP Addresses that have not been updated in the last 30 days (or whatever you deem best) AND CI is empty'.

 

This way you remove IP's that are not associated with an active CI.

 

I would say the logic also depends on your processes and preferences in terms of how the data should be used.

 

Best regards,

Casper

Go to solution
martinaparicio
Tera Contributor
In response to Anshu10

‎05-25-2023 09:22 AM

I use sys_auto_flush, but be very careful. it's not reversible.

0 Helpfuls

Go to solution
Jacques Clement
Kilo Sage
Kilo Sage
In response to martinaparicio

‎06-26-2023 03:06 PM

You can also use CMDB Data Manager to retire, then archive and finally delete those records. This is a less abrupt method of managing staleness and managing life cycle in general.