Managing Lots of IP Addresses?
haggisbrain asks: "I'm a Systems Administrator and I've recently started work with a new company where I'm now helping to support a much larger number of nodes than I've previously supported. We have just over 1000 nodes to support, but no efficient method to manage the IP addresses and subnets used. Previously, an Excel Spreadsheet has been sufficient enough for my needs, but now I need to find a new way. Can someone recommend a piece of software which can help me? Is there a simple way to list and view the IP addresses used on my network?"
Look@Lan. It's a great little tool once you have it configured. It even will produce those nifty Excel files for you if you wish. But man... I HATE that sonar sound effect. It's worse than the "UH OH!" sound made infamous by ICQ.
What specifically is it about the spreadsheet model which is insufficient? I don't manage large blocks of IP addresses and subnets so I'm not familiar with the information which you'll be compiling or how you'll need to manipulate and mine it.
When other people figure out a complex organizational scheme for a spreadsheet they often turn it into a database. If you have kept a spreadsheet for a similar task, on a smaller scale, then you should be able to identify very quickly which axes you need to expand in order to accommodate the larger task.
DHCP, FTW!!!!
Shouldn't your DHCP server have a list of its leases?
First off, just looking at your router configs should tell you what addresses are where.
Then, make sure you're using dhcp to assign the addresses.
Use nmap to check for weirdness.
Hello 30 seconds on google:
http://iptrack.sourceforge.net/
Imagine using spreadsheets these days.
On top of DHCP, add Dynamic DNS and you're almost all set. Just make sure to use a DHCP and DNS server from the same producer; they're generally not 100% compatible with one another if you don't. They might be 99% but that 1% creates a whole world of trouble.
"Hey, Slashdot, I don't know how to do my job.. please help me. I could PROBABLY google around for 30-40 seconds and find a solution, and earning my paycheck by doing so.. but I figure I'll waste everyone's time."
Not a Twitter sockpuppet... but I wish I was.
What's wrong with DHCP and dynamically updated DNS?
You don't want users connecting their own systems onto the network whenever they feel like it. All PC's in our university have static IP's. And an alarm goes off whenever anyone as much as removes a single computer from the network. Even the cables from the router to the wall sockets are manually connected and disconnected. There are however, Wi-Fi areas for anyone who wishes to connect their laptops to the network, and users are free to use USB memory keys, CD/DVD burners and external drives.
Tech-support still have painful memories of when someone tried and failed to smuggle a PC out through the small bathroom windows in the block.
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
This question has come up once or twice before.
The usual suspects for answers to this question are as follows:
NorthStar, which is quite feature rich. "NorthStar is a system to help track and allocate blocks in an IP Network"
IPplan which is another open source product.
And PHPip
If you want to go commercial VitalQIP Enterprise could suit your needs quite well.
Berny
Curiosity was framed; ignorance killed the cat. -- Author unknown
NAT! Oh wait, never mind :(
My company has been using Ubersmith Datacenter Edition (Uber DE, for those in the know) for a few months now - the IP management stuff they've integrated into the device manager is pretty slick to say the least. We've done the spreadsheet before, as well as North*, but neither of those options mesh well with any external systems. If you've got hardware/network stuff to manage as well (which I assume you do) give the Ubersmith guys a call. I don't think there's an online demo of DE yet (lame) but when we were interested in the system we called up and one of the developers gave us a walkthrough of a live build, explaining what was going on. http://www.ubersmith.com/
It is pretty much what it was designed to do (i.e. manage all your IP addresses to Names). As a result, a good DNS application will manage ALL your subnets, virtual lans, static addresses, and DHCP addresses.
Personally I like Lucent's VitalQIP.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
Sounds like a task for shell scripts to manipulate an ASCII file and grep | cut | sed or maybe awk if the plain ASCII file is formatted correctly. I don't want to be drawn into UUOC.
Sure you could do it in C if you're familiar with the IO and text manipulations in that language--I always wanted to learn C but never devoted enough free time to it. The largest motivator to write the system from scratch in C is if the list becomes long enough that grep and awk can't process it quickly enough to keep up with incoming requests or if requests come through so often that beating up the disk platters is a consideration.
One IP address per line with twenty or thirty well planned fields, comma separated, should be good for the task. How many functions do you suppose you'd need to manipulate it properly? A well thought out system of functions could probably be reduced to ten or twelve basic functions which could be combined to do nearly anything.
The largest motivator that I find for using someone else's software is that someone else usually has more time to dress it up to look nice and neat on the display. I just make it work.
You only need 2 tools for managing your address space.
Nmap - To see which addresses are in use and what the servers are doing.
Traceroute - To see where in your network the IP address is.
Also make sure your reverse DNS is updated when you assign an address to something important.
A decent DHCP server can easily be configured not to hand out addresses to anything. It can be configured to only hand out an address (dynamic or static, take your pick) to only a specific MAC address (or addresses).
>And an alarm goes off whenever anyone as much as removes a single computer from the network.
That'd be quite a bit of overhead, what with pinging every single machine constantly to check its state. No DHCP server I've seen would do that, but with the open source DHCP servers, it wouldn't be too tough to implement.
>Even the cables from the router to the wall sockets are manually connected and disconnected.
That's not at the layer DHCP operates at, so yeah, that's a problem only the switch it's connected to can handle.
>There are however, Wi-Fi areas for anyone who wishes to connect their laptops to the network, and users are free to use USB memory keys, CD/DVD burners and external drives.
Something else, obviously, DHCP is designed for.
Really, it's a great tool. I'd still recommend setting up DHCP to hand out addresses to machines that aren't listed in the MAC address database, but they should be handed out an address on a network that isn't reachable by anything but the DHCP server. Lets you know that the machine is connecting OK, and, if you have the machine configured to allow you to push software on to it (to lock it down / whatever) you'll still be able to do that.
I like Cheops-ng, though I'm not sure if that's exactly what you're looking for. Also, I wouldn't run it during peak business hours -- don't wanna clog those tubes ;)
Maybe you can find some useful info here, this topic came up about a year ago: http://ask.slashdot.org/article.pl?sid=06/04/26/2 51224
sig? uhh, umm, ok
User may just turn the computer off before unplugging it, assign its former IP address and MAC address to their personal computer's network interface, and plug it back into the network. It doesn't matter whether you run DHCP service or not, you are just as vulnerable to attack. (Presumably if you DO run DHCP service on all your systems, you use static assignments, and if the MAC address is not registered and assigned an address, the system does not get an IP.)
Your choice of network protocols CAN'T stop just whoever wants to from unplugging a standard network cable from one computer and plugging it into theirs, without physically blocking their access to the back of the computer, to all switches/switch ports, and not exposing any network line at an insecure spot (someone who truly wanted to, would physically be able to cut the cable, splice a junction, and slip a hub in, at any place where a network wire is exposed).
To make it impossible to plug in an unauthorized machine, you need physical barriers, or the switch needs to authenticate the computer -- using something like EAP/PEAP and a machine key, or require end nodes use VPN software to get anywhere. (You still rely on a perp not being able to gain administrative access over the domain/legitimate network member machine.)
We designed some software that we use to manage our IP network, called Ganymede. It's designed to track data in a transactional object store, then turn around and re-build BIND files, NIS maps, and whatever other directory services data you care to manage with it. It's a bit unconventional, but if you need to be able to have full scripting control over your environment, it's really very powerful.
Drop me an email if you're interested in talking about it.
- jon
Ganymede, a GPL'ed metadirectory for UNIX
>And an alarm goes off whenever anyone as much as removes a single computer from the network.
So, if a computer crashes hard or is turned off, you get paged? That's got to be very annoying when the number of systems is greater than 100.
>Even the cables from the router to the wall sockets are manually connected and disconnected.
I've never seen an automatic cat5 cable connecting/disconnecting machine. Where can I buy one?
Assign fixed addresses based on the MACs. Don't have a free pool.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
For the IP part, postgresql has network operators and functions that can come in very useful: http://www.postgresql.org/docs/current/static/functions-net.html ;).
So in theory you could have a script for "A" and "B" to automatically free up and find blocks.
And a script for "C" to actually allocate a manually decided block and set up the delegation etc.
Doesn't actually seem too hard if you start with a decent database schema, and are using sane DNS software
Of course there are super expensive off the shelf solutions to do all sorts of stuff, but funny thing is you'd probably have to spend about the same amount of time and effort integrating them with your DNS, routers etc.
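Two posts above sketch the same home-grown approach from different angles: the "one address per line, comma separated, a dozen basic functions" flat file that the shell-script post proposes, and the PostgreSQL post's idea of a script that finds free blocks and allocates them automatically. The following is an added example (not code from the thread, nor from IPPlan, PostgreSQL or any other project named here) that puts both into one small Python module, using the standard-library ipaddress module where PostgreSQL would use its inet/cidr operators. The CSV layout and every record in it are constructed for the example; a record whose address field is a CIDR block is a block allocation, a bare address is a host.

```python
"""Flat-file IP inventory with longest-prefix lookup and free-block search.

Added example, not from the thread: a CSV inventory (constructed below) plus
the handful of functions needed to query and extend it. ipaddress stands in
for PostgreSQL's network operators (<< containment, && overlap).
"""
import csv
import io
import ipaddress

# Constructed sample inventory; a CIDR in the address column is a block allocation.
SAMPLE_INVENTORY = """\
address,hostname,mac,role,owner,note
10.0.2.10,www1,00:11:22:33:44:01,server,web-team,
10.0.2.11,www2,00:11:22:33:44:02,server,web-team,
10.0.2.12,,,reserved,web-team,held for www3
10.0.3.5,prn-lobby,00:11:22:33:44:10,printer,facilities,
10.0.4.20,ws-cad01,00:11:22:33:44:20,workstation,engineering,static for licence server
10.0.16.0/22,,,pool,netops,DHCP pool; a block rather than a host
"""
FIELDS = ["address", "hostname", "mac", "role", "owner", "note"]


def load_inventory(text):
    """Parse CSV text into dict records, each with a parsed 'net' helper field.
    A bare address is stored as a /32 so hosts and blocks share one type."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["net"] = ipaddress.ip_network(row["address"], strict=False)
        records.append(row)
    return records


def lookup(inventory, ip):
    """Most specific record covering ip (longest-prefix match), or None."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in inventory if addr in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen) if hits else None


def used_in(inventory, subnet):
    """Host addresses recorded inside subnet, sorted (PostgreSQL's a << b test)."""
    subnet = ipaddress.ip_network(subnet)
    return sorted(r["net"].network_address for r in inventory
                  if r["net"].num_addresses == 1 and r["net"].network_address in subnet)


def free_addresses(inventory, subnet):
    """Usable addresses in subnet that have no host record."""
    subnet = ipaddress.ip_network(subnet)
    used = set(used_in(inventory, subnet))
    return [h for h in subnet.hosts() if h not in used]


def free_blocks(inventory, supernet, prefixlen):
    """Every /prefixlen inside supernet that overlaps no record at all, host or
    block: the question PostgreSQL's && (overlaps) operator answers."""
    supernet = ipaddress.ip_network(supernet)
    return [cand for cand in supernet.subnets(new_prefix=prefixlen)
            if not any(cand.overlaps(r["net"]) for r in inventory)]


def allocate_block(inventory, supernet, prefixlen, owner, note=""):
    """Record the first free /prefixlen in supernet; returns the record or None."""
    free = free_blocks(inventory, supernet, prefixlen)
    if not free:
        return None
    rec = {"address": str(free[0]), "hostname": "", "mac": "", "role": "block",
           "owner": owner, "note": note, "net": free[0]}
    inventory.append(rec)
    return rec


def dump_inventory(inventory):
    """Serialise records back to CSV in address order (the helper field is dropped)."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, extrasaction="ignore")
    writer.writeheader()
    for r in sorted(inventory, key=lambda r: r["net"]):
        writer.writerow(r)
    return out.getvalue()


if __name__ == "__main__":
    inv = load_inventory(SAMPLE_INVENTORY)
    print("10.0.17.200 belongs to:", lookup(inv, "10.0.17.200")["role"])
    print("free in 10.0.2.8/29:", [str(a) for a in free_addresses(inv, "10.0.2.8/29")])
    print("free /24s in 10.0.0.0/20:", len(free_blocks(inv, "10.0.0.0/20", 24)))
    allocate_block(inv, "10.0.0.0/20", 24, "netops", "new lab")
    print(dump_inventory(inv))
```

Because a reserved-but-unused address is still a record, it never shows up as free, which is the property a spreadsheet silently loses once two people edit it; and because block allocations and hosts live in the same file, the overlap test catches a /24 being handed out over the top of a few forgotten static hosts.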
Awesome. By using a spreadsheet, you can "what if?" and see what would happen if you were to change a certain node's address, as the change instantly propagates through various calculations, ultimately altering that final cell either subtly, or drastically. You can even make a pie chart that shows the addresses!
But best of all, since it's not just a spreadsheet -- it's an Excel(TM) spreadsheet! -- you have the advantage of Microsoft's advanced proprietary technology. Pity the fool who has to settle for Lotus 1-2-3 to .. um .. record a list.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Seriously. You have "just over 1000 nodes" to manage. Odds are, the vast majority of those are dynamically assigned (or they should be, so if they aren't, that's your first job). Of the ones that are left, I would venture to guess that the number is much smaller than 1000, and could probably be even smaller than you think given the availability of modern protocols like Zeroconf. After that, you need to consider how often those statically assigned devices are going to change, which is probably not very often at all, if ever.
If you're using DHCP and DDNS like you oughter, the few times you might need to look up one of the dynamically assigned numbers will take a very short period of time.
As an example, one of my clients right now has about 150-200 nodes on the network in two locations, approximately 50% Windows and 50% Mac OS X, with a couple of Linux machines scattered around, mostly for my benefit. Between the two sites, we're using two /16 subnets (because we're in the process of migrating to a completely new AD system and we were running out of easily rememberable addresses in the one /24 we were using). Out of those two /16's, about 18 /24's are actually being used. The "0" subnet in each /16 goes to routers, the "1" subnet goes to manageable switches and other Layer 2 devices, the "2" subnet goes to servers, the "3" subnet goes to printers, the "4" subnet to the few statically assigned workstations, and the "10" through "13" subnets go to two different DHCP server pools, for redundancy.
All the DHCP and DDNS is handled by Windows Server 2003, simply because Windows is happier if it gets its own way for those purposes in an Active Directory environment, and it's a hell of a lot easier than setting up BIND, etc., to do what Windows wants done. Apple's Open Directory doesn't care, as long as the DNS servers are up and properly configured before you configure OD. The second site gets its DHCP from the local router, because the site only supports about eight users with no server. Microsoft's DDNS server doesn't mind.
The DHCP pools can be looked up at will in one Windows application (or through VNC back to my management station from any of the Macs), so they don't need to be tracked. Even the statically assigned devices which report properly to the DDNS can be looked up at will. The routers, switches, and infrastructure servers don't change, and there's few enough of them (eight or so switches and access points, ten or so servers, and this is overkill to a certain extent--the system we've built could easily handle your 1000 nodes) that anyone can remember them all, even with multiple interfaces. The printers will eventually be moved to dynamic addresses as they are replaced with Zeroconf capable units. In fact, even some of the servers could be moved to the DHCP pool if all their services and clients support Zeroconf. The only serious problem we have is keeping track of which ports are in which VLAN as we migrate from one system to the other, but eventually we'll collapse the VLANs, because they're really not needed. Perhaps you might find VLANs more useful in your larger network, but that's another topic... There's a small possibility we may use VLANs at some point to decrease the size of the broadcast domains, but it's not really an issue, yet.
All of this is tracked in spreadsheets, and one of the really neat things about spreadsheets is that they're really easy to convert into databases at some point if that's what you decide to do. It's a simple matter to update them every so often. Sometimes computers aren't the right answer.
Precisely. Suddenly your dhcp server config == your ip list, and you get an audit of all mac addresses on the system for free out of the deal ;)
That same list allows you to firewall out clients who've not yet registered for a "dynamic" ip. It also allows you to actually use dhcp for dynamic assignment of ip's for classes of clients who don't actually need "static" addresses.
Ammon Lauritzen http://simud.org/
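The posts above settle on one model: dhcpd.conf is the IP list, only registered MACs get a lease on the real network, and anything unknown is parked in an isolated quarantine pool. An earlier post points out the gap in that model, namely a box that is simply given a decommissioned machine's static address and MAC, which no DHCP policy can prevent. What a DHCP-as-inventory setup does give you is something to reconcile against. The following is an added example (not code from the thread and not part of ISC dhcpd or any other project named here) that parses ISC-style host and pool declarations and checks an observed ARP table against them, so a fixed address answered by a different MAC, or an address nobody leased, stands out. The dhcpd.conf fragment and the `arp -an` lines are constructed for the example; in use you would feed it the real config and a switch-side or router-side ARP dump.

```python
"""Reconcile an observed ARP table against an ISC dhcpd.conf host database.

Added example, not from the thread or from ISC: registered MACs lease from a
deny-unknown-clients pool or sit on a fixed-address, unknown MACs only reach
the quarantine pool. Config and `arp -an` lines are constructed.
"""
import ipaddress
import re
from collections import namedtuple

Host = namedtuple("Host", "name mac fixed")      # fixed is None for pool-only hosts
Range = namedtuple("Range", "subnet start end unknown_ok")

SAMPLE_DHCPD_CONF = """\
subnet 10.0.10.0 netmask 255.255.255.0 {
  pool {
    deny unknown-clients;     # only MACs with a registered entry lease here
    range 10.0.10.100 10.0.10.200;
  }
}
subnet 10.0.99.0 netmask 255.255.255.0 {
  pool {
    allow unknown-clients;    # quarantine: reachable only from the DHCP server
    range 10.0.99.10 10.0.99.250;
  }
}
host www1     { hardware ethernet 00:11:22:33:44:01; fixed-address 10.0.2.10; }
host ws-cad01 { hardware ethernet 00:11:22:33:44:20; fixed-address 10.0.4.20; }
host ws-cad02 { hardware ethernet 00:11:22:33:44:21; }
"""

SAMPLE_ARP = """\
? (10.0.2.10) at 00:11:22:33:44:01 [ether] on eth0
? (10.0.4.20) at de:ad:be:ef:00:01 [ether] on eth0
? (10.0.10.150) at 00:11:22:33:44:21 [ether] on eth0
? (10.0.10.151) at 00:11:22:33:44:99 [ether] on eth0
? (10.0.99.42) at aa:bb:cc:dd:ee:ff [ether] on eth0
? (10.0.2.50) at 00:11:22:33:44:77 [ether] on eth0
? (10.0.2.99) at <incomplete> on eth0
"""


def parse_dhcpd_conf(text):
    """Return (hosts, ranges). Host blocks do not nest, so a regex does; pools
    nest in subnets, so ranges come from a line scan that tracks the enclosing
    subnet and whether the pool admits unknown clients (ISC's default: allow)."""
    hosts = []
    for name, body in re.findall(r"host\s+(\S+)\s*\{([^}]*)\}", text):
        mac = re.search(r"hardware\s+ethernet\s+([0-9A-Fa-f:]+);", body)
        fixed = re.search(r"fixed-address\s+(\S+);", body)
        hosts.append(Host(name, mac.group(1).lower(),
                          ipaddress.ip_address(fixed.group(1)) if fixed else None))
    groups = []   # one [subnet, unknown_ok, [(start, end), ...]] per subnet or pool
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"subnet\s+(\S+)\s+netmask\s+(\S+)", line)
        if m:
            groups.append([ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), True, []])
        elif line.startswith("pool"):
            groups.append([groups[-1][0], True, []])
        elif line in ("allow unknown-clients;", "deny unknown-clients;"):
            groups[-1][1] = line.startswith("allow")
        else:
            m = re.match(r"range\s+(\S+)\s+(\S+);", line)
            if m:
                groups[-1][2].append((ipaddress.ip_address(m.group(1)),
                                      ipaddress.ip_address(m.group(2))))
    return hosts, [Range(sub, s, e, ok) for sub, ok, pairs in groups for s, e in pairs]


ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f:]+)", re.I)


def parse_arp(text):
    """(ip, mac) pairs from `arp -an` output; incomplete entries have no MAC and are skipped."""
    return [(ipaddress.ip_address(m.group(1)), m.group(2).lower())
            for m in (ARP_LINE.search(line) for line in text.splitlines()) if m]


def reconcile(hosts, ranges, observed):
    """Classify each observed (ip, mac) pair: ok; conflict (fixed address answered
    by another MAC); off-pool (registered MAC outside every pool); quarantine
    (unknown MAC in the unknown-clients pool); rogue-in-pool (unknown MAC inside
    a registered-only pool); rogue-static (unknown MAC outside every pool)."""
    by_mac = {h.mac: h for h in hosts}
    by_fixed = {h.fixed: h for h in hosts if h.fixed is not None}
    report = []
    for ip, mac in observed:
        owner = by_fixed.get(ip)
        rng = next((r for r in ranges if r.start <= ip <= r.end), None)
        if owner is not None:
            code = "ok" if owner.mac == mac else "conflict"
        elif mac in by_mac:
            code = "ok" if rng is not None else "off-pool"
        elif rng is None:
            code = "rogue-static"
        else:
            code = "quarantine" if rng.unknown_ok else "rogue-in-pool"
        report.append((str(ip), mac, code))
    return report


if __name__ == "__main__":
    hosts, ranges = parse_dhcpd_conf(SAMPLE_DHCPD_CONF)
    for ip, mac, code in reconcile(hosts, ranges, parse_arp(SAMPLE_ARP)):
        print(f"{ip:<14} {mac}  {code}")
```

The two verdicts worth an alert are "conflict" and "rogue-in-pool": the first is exactly the unplug-and-reuse case, the second is an address inside a pool the server would never have leased to that MAC, so it was set by hand. "rogue-static" is the day-one report you run once to find everything the spreadsheet forgot.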
I work for a large IT company managing well over 50,000 IP addresses. We looked at several off the shelf products, including VitalIP, but as we have a dynamic mix of DNS, DHCP, and hosts files, we could not reliably manage that many IPs in Access, Excel, or any off the shelf product (that we reviewed at the time; 2003). We already had an in-house developed app doing the job, so we just decided to modify it. Honestly, a few hours of Oracle development to create the tables, a week of VB.NET programming, and we had a fully functional IP management tool complete with business rules for assigning IPs based on a schema. While it was fairly easy as we knew our needs very intimately, it may not be as easy for you. I'd suggest starting a list of requirements and the moment you feel overwhelmed you know you're on to something. Use that to determine whether you need off the shelf or develop (re-develop, or OSS).
... there is nothing that has not already been thought
Exactly, 4*250 = 1000 and 250 < 254, thus you should only have to count each finger 250 times to remember where you left off /sarcasm
2^3 * 31 * 647
That works fine if you only have small systems where every box has one IP. What about the webservers where you are running 20-30 websites on a single box, or application servers with a similar number of unique IPs?
We've been dealing with spreadsheet hell at the company where I work for years now, and it is only getting worse. We've got huge multi-page spreadsheets with hundreds of nonroutable network subnets in them. Worst thing about this is that ultimately, the spreadsheets cannot really be trusted because there is no way to verify that each IP in the sheet is live, or even desired to still be reserved for a specific purpose, because over time, people leave, projects come and go, and networks change through mergers/acquisitions.
You also have the little fiefdoms to worry about where group X has control over a big bunch of IP address space, but because it is managed through MS-AD, it doesn't communicate with anything to help you to manage it, or at least the controlling organizations won't let you manage it from a global perspective.
Of the packages I've looked at in the open source world, IPPlan and Sauron seem to be just about good enough for the task, but neither one seems to be actively developed anymore.
This is an ex-parrot!
Rather than just repeating what I said the last time the subject of IP Address Management came up on Slashdot, I'll just link to it.
The subject is slightly below the charter, but many great links get posted.
http://www.nanog.org/mailinglist.html
There are 1.1... kinds of people.
IPPlan is what we use. It is by far not perfect, and we have basically switched to doing most modifications directly into the (Postgres) database. IPPlan was developed for MySQL, so it doesn't use the IP address features of Postgres. We have added a few stored procedures which keep an extra column in ip4r format, for easier manipulation by other tools.
Why IPPlan? Because the other free alternatives are even worse.
Finally! A year of moderation! Ready for 2019?
I think a good solution would be to make one database with many queries; if you keep updating the main table, the queries will change with it. You can use BETWEEN this number AND that number so that only those IP addresses would show up. If this was me, I'd set it up either by network node or by workstation name.
At Rutgers University, we have a home grown tool called NetDB that we use to manage IP allocations, assignment of networks to individual departments, corresponding DNS, and custom Access Control Lists. It works rather well. Network Operations allocates a network for a department and assigns it to the appropriate Network Contact Group (NCG). From that point, the people who have certain privileges on that NCG have the ability to add/remove DNS for it and create custom access lists. The tool knows what OSPF areas to allocate addresses from based on zones, and all in all is pretty neat. Here is some documentation (including screenshots) for ideas should you decide to ever work on your own tool.
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
I used to work at a certain large business machine company with their own class A. There was an internal website one could go to, "iptools". You entered info on who you were, your dept, type of machine, physical location, etc. and it would assign you an IP. It had tools for when you moved a machine from one subnet to another (like when moving buildings) as well.
There were monitoring machines that could tell when IPs were being used. If you didn't use a machine for a while (months?) you'd get an email from the "IP Police" telling you to re-register or the IP would go back in the pool.
To view and manage the IP addresses/subnets and IP space, I would recommend looking into an IP Address Management solution that would eliminate spreadsheet data entry. Address Commander by Incognito is one solution. It tracks organization-wide IP address space; links all IP addresses with business units and, regional offices, subscribers or other entities; centralizes address allocation policies; and automates the reporting and receipt of IP address space from RIR (ARIN/RIPE). Would that serve your purpose? Are you a Sys-Admin in Cable/DSL service provider or in an Enterprise? Also, another thing to consider, if you wanted to also manage DHCP services on your network, you could also look into Broadband Command Center, which would work together with Address Commander as a complete DHCP and IP Management solution.
I should have added more detail - in the case of our room, we have a medium sized locked cabinet mounted about 12 feet above the floor. Inside there are a couple of Nortel Networks BayStack switches. Whenever a machine is added to or removed from the room, the technicians come in, unlock the cabinet and connect a cable from the switches to the distributor box. We don't have the alarm system in our room, but the public computer rooms do... people get confused between the fire alarm and the 'someone's unplugged a computer from the network' alarm.
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
Geesh... that is nothing. Try more like 100,000 nodes like some of us...
You could manage 1000 on the back of a napkin almost.
---- Booth was a patriot ----
Part of the point is that these days, if the person asking a question like this does absolutely no research via a search engine, then they're really wasting everyone's time, and all they deserve is a link to www.justfuckinggoogleit.com. If you want to ask the question more seriously, then you look around for what you can find, and post a question that indicates that you've done some minimal amount of research before throwing yourself on the mercy of a random group of strangers.
Just a tangential point, if you have 20-30 websites on a single box, you don't need more than 1 IP address unless you're either trying to pretend they're different machines for anyone who investigates, or are hosting for multiple customers and have agreed to give them each their own IP.
You could always try OpenOffice Calc.
Flexible bare-metal recovery for Linux/UNIX