Multi-VLAN Deployment
Deploying Scanopy daemons across multiple VLANs and network segments.
Scanopy uses daemons to discover hosts and services. For best results with isolated VLANs, you'll need additional daemons deployed on each network segment.
```
┌─────────────────────────────────────────────────────────────┐
│                       Scanopy Server                        │
│                   (Cloud or Self-Hosted)                    │
└─────────────────────────┬───────────────────────────────────┘
                          │
        ┌─────────────────┼─────────────────┐
        │                 │                 │
        ▼                 ▼                 ▼
┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│    VLAN 1     │ │    VLAN 2     │ │    VLAN 3     │
│  Production   │ │      IoT      │ │     Guest     │
│ 192.168.1.0/24│ │ 192.168.2.0/24│ │ 192.168.3.0/24│
│  [Daemon 1]   │ │  [Daemon 2]   │ │  [Daemon 3]   │
└───────────────┘ └───────────────┘ └───────────────┘
```
Refer to Layer 2 vs Layer 3 for details on what the daemon will be able to discover on a given VLAN based on whether or not it has an interface with the VLAN.
When You Need Multiple Daemons
One Daemon is Enough When:
- All hosts are on the same subnet as the daemon
- You have a management host with routes to all VLANs
- Your firewall allows the daemon to reach all subnets
- You don't need MAC addresses from isolated networks
- You accept that the daemon will not discover every host on a VLAN it scans without having an interface on it
You Need Multiple Daemons When:
- VLANs are isolated by firewall rules
- You need accurate MAC address collection (requires Layer 2 access)
- Different networks have different security requirements
- You want the daemon to discover all hosts on VLANs that it scans
Deployment Strategies
Strategy 1: Daemon Per VLAN (Recommended)
Deploy a lightweight daemon on each VLAN.
Pros: Full Layer 2 access (MAC addresses, ARP), no inter-VLAN firewall rules needed, best discovery accuracy
Cons: More daemons to manage, requires a host on each VLAN
Best for: Production environments, security-conscious deployments
Strategy 2: Central Daemon with Routing
Use a single daemon on a host that can route to all VLANs.
Pros: Single daemon to manage
Cons: No MAC addresses for remote subnets, requires firewall rules, can't discover hosts without open ports
Best for: Small networks, lab environments, quick setup
Strategy 3: Hybrid Approach
Central daemon for routable networks, dedicated daemons for isolated segments.
Step-by-Step Setup
Step 1: Plan Your Deployment
| VLAN | Subnet | Purpose | Daemon Location |
|---|---|---|---|
| 1 | 192.168.1.0/24 | Production | Server host |
| 10 | 192.168.10.0/24 | IoT | IoT management VM |
| 20 | 192.168.20.0/24 | Guest | Guest network AP |
Step 2: Create Daemon in Scanopy UI and Deploy Daemon
Follow the installation instructions in Installing a Daemon.
For Docker container discovery on the daemon host, see Docker Socket Proxy.
Step 3: Observe Discovery Results
The daemon will automatically begin discovery after it successfully registers with the server. Simply let it do its thing and watch the results come in.
- Check Manage > Hosts for discovered devices
- Verify Topology shows hosts from all VLANs
For consolidating hosts that appear on multiple VLANs, see Consolidating Duplicate Hosts.
Network Requirements
Firewall Rules for Pull Mode (Recommended)
Daemon initiates all connections. Minimal firewall changes needed.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Daemon | Server | 60072 | TCP | API communication |
| Daemon | Local subnet | * | TCP | Network scanning |
Firewall Rules for Push Mode
Server initiates scan requests. Daemon must be reachable.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Server | Daemon | 60073 | TCP | Push scan requests |
| Daemon | Server | 60072 | TCP | Report results |
| Daemon | Local subnet | * | TCP | Network scanning |
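The planning criteria under "When You Need Multiple Daemons" and the firewall tables above can be checked against a deployment plan before anything is installed. The script below is an added example, not part of Scanopy: it reports which VLANs have no daemon interface (Layer 3 discovery at best) and builds the per-daemon allow-list for pull or push mode. The daemon names, interface addresses and the `scanopy-server` hostname are constructed placeholders.

```python
import ipaddress

API_PORT, PUSH_PORT = 60072, 60073  # ports from the firewall tables above

# VLAN plan from Step 1; daemon interface addresses are constructed samples.
VLANS = {"Production": "192.168.1.0/24", "IoT": "192.168.10.0/24",
         "Guest": "192.168.20.0/24"}
DAEMONS = {"daemon-prod": ["192.168.1.5/24"],
           "daemon-iot": ["192.168.10.5/24", "192.168.1.6/24"]}

def coverage(vlans, daemons):
    """Return {vlan: [daemons with an interface on that subnet]}."""
    result = {}
    for vlan, cidr in vlans.items():
        net = ipaddress.ip_network(cidr)
        result[vlan] = sorted(
            name for name, ifaces in daemons.items()
            if any(ipaddress.ip_interface(i).ip in net for i in ifaces))
    return result

def layer3_only(vlans, daemons):
    """VLANs no daemon is attached to: no MAC/ARP data, and hosts without
    open ports are missed even if a daemon can route to the subnet."""
    return sorted(v for v, d in coverage(vlans, daemons).items() if not d)

def firewall_rules(server, daemon_ip, local_cidr, mode="pull"):
    """Allow-list for one daemon as (source, destination, port, protocol)."""
    if mode not in ("pull", "push"):
        raise ValueError(f"unknown mode: {mode}")
    rules = [(daemon_ip, server, API_PORT, "tcp"),
             (daemon_ip, local_cidr, "*", "tcp")]
    if mode == "push":
        # Only push mode needs an inbound rule towards the daemon.
        rules.insert(0, (server, daemon_ip, PUSH_PORT, "tcp"))
    return rules

if __name__ == "__main__":
    for vlan, names in coverage(VLANS, DAEMONS).items():
        print(f"{vlan:<12} {', '.join(names) or 'no daemon interface'}")
    for rule in firewall_rules("scanopy-server", "192.168.10.5",
                               VLANS["IoT"], mode="push"):
        print(rule)
```

With the sample plan, Guest is the only VLAN without a daemon interface, so it needs either its own daemon or a routed central daemon with the limits listed under Strategy 2.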