
Tech Tip: ADDM 10.1 – Load Balancing & Dark Space

Written by Colin Vozeh, Director of Sales – Enterprise Services, Datatrend Technologies, Inc.

Load Balancer Discovery

Another new feature in ADDM 10.1 is the ability to discover load balancing devices, like virtual IPs. Until now, ADDM has generally had difficulty with these devices, and they often wreaked havoc with the discovery process in general. The load balancing device would send discovery commands to different target hosts each time, which at best would result in a failed discovery, and a false positive at worst. Worse yet, it was often difficult to tell when this was happening – one had to pay close attention to the discovered hosts and the discovery exceptions to notice it. And the only solution was to exclude those IP addresses – either by removing them from the scan range, or by adding them to an exclusion list. Since ADDM exists to tell us as much as possible about our infrastructure, neither solution was ideal.

ADDM can now detect certain load balancing devices via SNMP, and it can see the entire topology of the balanced system. It can see individual load balancing devices, the services they are balancing, the pools to which those load balancers belong, and the hosts connected to those load balancers. This not only solves the above problem of discovery exceptions, but adds a critical piece of information about our applications – where and how they are made more robust. And best of all, it’s a free add-on! Additionally, new visualizations are provided for this information, putting each piece in context for your business services. Last but not least, this information is synchronized directly to Atrium CMDB with a set of included sync patterns.

Here’s another visualization from the webinar, demonstrating the discovery capability for load balancers in ADDM 10.1. It clearly shows how an individual load balancer device provides a specific balanced service to a pool of web servers, and where that balancer resides within a group of similar load balancing devices. Very cool stuff!

[Figure: Load Balancer]

Unfortunately, just like other network devices, ADDM relies upon captured SNMP data to recognize each brand and model, so not all models are discoverable yet. The current TKU has recognition for Cisco, Citrix, and F5 devices, but not A10 – that’s coming in a future TKU package.

Dark Space

Another new feature in ADDM 10.1 is the advanced handling of “dark space” – IP addresses in our scan ranges that never respond to discovery requests. ADDM now includes an adaptive set of logic that learns and remembers where we’ve found hosts in the past, and where we haven’t. This can dramatically improve the performance of discovery runs where the network subnets are sparsely populated.

In the past, it was a good rule of thumb that an individual ADDM appliance could sweep scan about 10,000 target IPs per hour, assuming it did no further discovery. I once had a customer who was a large state agency, with a single class A subnet in scope for discovery – over 16 million IPs – and also a single ADDM appliance. They estimated there were fewer than 10,000 actual target hosts in that environment. We calculated that it would take over two months to do a simple sweep scan. We weren’t even going to try a full discovery; we would just take the results of the sweep scan and feed those IPs into a full discovery at a later date.

To our surprise, the sweep scan completed in about two weeks – much more quickly than expected. But this is still too long to maintain properly updated discovery data for a CMDB. The full scan, once given a list of specific IP addresses, took only a few hours to complete. In the end, we added a second ADDM appliance, which simply ran sweep scans constantly, and we used an SCP job via cron to move that result data to the full-scan appliance, which had another scheduled job to input those results to a tw_scan_control job. It worked, but it was far less than ideal. As an aside, this state agency also amazed me by getting over 90% credential success on their first full scan. I’ve not seen that anywhere else.

Today, if ADDM receives no response to any initial interrogation of a specific IP address, it compares that result to past results with that IP address. If it’s known to be “dark space” – that is, historically there’s been nothing at that IP – it simply skips that IP and moves on. No attempts are made to port scan that IP, greatly improving the speed of the discovery process. Clearly, when there are situations with 10,000 hosts somewhere inside of 16 million IP addresses, discovery time can be cut to a very small fraction of what it was before. Nice job, BMC!
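The skip logic described above can be sketched as a small model. This is an added example, not ADDM or BMC code: the `DarkSpaceTracker` class, the `dark_after` threshold and the probe and port-scan costs are all assumptions made for illustration. It shows that a host appearing on a previously dark address is still found, because the initial interrogation always runs and only the follow-up port scan is skipped.

```python
import ipaddress


class DarkSpaceTracker:
    """Remembers, per IP, how many consecutive sweeps saw no response."""

    def __init__(self, dark_after=2):  # threshold is an assumed value
        self.dark_after = dark_after
        self.misses = {}

    def is_dark(self, ip):
        return self.misses.get(ip, 0) >= self.dark_after

    def record(self, ip, responded):
        if responded:
            self.misses.pop(ip, None)  # any response clears the dark history
        else:
            self.misses[ip] = self.misses.get(ip, 0) + 1


def sweep(targets, live, tracker, probe_cost=1, portscan_cost=20):
    """Return (responding hosts, total cost in constructed time units)."""
    found, cost = [], 0
    for ip in targets:
        cost += probe_cost  # the initial interrogation is always sent
        if ip in live:
            tracker.record(ip, True)
            found.append(ip)
            continue
        if not tracker.is_dark(ip):
            cost += portscan_cost  # no history yet: fall back to a port scan
        tracker.record(ip, False)
    return found, cost


def demo():
    # Constructed sample: a /24 with two live hosts, swept five times.
    targets = [str(h) for h in ipaddress.ip_network("10.0.0.0/24").hosts()]
    live = {"10.0.0.5", "10.0.0.9"}
    tracker = DarkSpaceTracker()
    costs = [sweep(targets, live, tracker)[1] for _ in range(3)]
    live.add("10.0.0.77")  # a new host appears on a dark address
    found, cost = sweep(targets, live, tracker)
    live.discard("10.0.0.77")  # it goes away again; its dark history was reset
    costs += [cost, sweep(targets, live, tracker)[1]]
    return found, costs


if __name__ == "__main__":
    print(demo())
```

In this model, a device that ignores the initial interrogation but has open ports would be skipped once its address is marked dark, so addresses where that can happen are worth checking through another data source.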

For more information on ADDM or other BMC tools, please contact Warner Schlais, President of Technology Services, at