
IP Addressing Space Management Applications?

Cliff posted more than 8 years ago | from the a-/48-is-a-lot-of-numbers dept.


_RiZ_ asks: "I work for a medium sized company and we are looking for a solution to aid in managing the ever complex IP space in use throughout the growing enterprise. We currently use a full class B of public addresses as well as all RFC 1918 ranges. The idea came up to develop this application internally, however this has proven in the past to be more of a headache, especially if the original developer changes roles or moves on from our company. We have looked at IPplan, but have found this program is more intended for an ISP documenting customer ranges rather than an enterprise IT shop. We would like something which is database driven, intuitive to use, and preferably open source, although a good commercial solution is always a viable option. Does anyone have any suggestions?"


77 comments

Keep it simple (2, Funny)

Anonymous Coward | more than 8 years ago | (#15208549)

3x5 cards.

My Opinion (1, Informative)

TheRealMindChild (743925) | more than 8 years ago | (#15208587)

If you need software to track it, you're making it too hard.

Re:My Opinion (3, Insightful)

TubeSteak (669689) | more than 8 years ago | (#15208636)

You do realize how many addresses are in a Class B space, don't you?

A smidgen over 65,000.

So if he needs software to track it, it might be that it is hard.

Re:My Opinion (1)

TheRealMindChild (743925) | more than 8 years ago | (#15209594)

If the system is laid out well, it will pretty much document itself, minus some scribbles on a napkin.

Re:My Opinion (1)

Sique (173459) | more than 8 years ago | (#15210988)

I have worked in an environment where we had lots of customers, and many of them with private IP space for backends. Often the necessary networks are only /28 or /29, for some transfer networks a /30 might be sufficient. But you have to keep track of the networks, because for managing the servers via VPNs or private IP space you should keep track of which network belongs to which customer, and how much IP space is left. And it might be good to note if the DB Primary has the 10.23.34.5 or 10.23.34.6 in the network though.

I was with the firewall group, and we had to manage about 1200 firewall entities. Here you can't go anymore with "pretty much self-documenting". All the mappings and forwards and address translations have to be kept track of. And if you get some strange private addresses on your core routers in the data center, you want to know which customer to check for misrouting. This won't work without documentation.

Re:My Opinion (1)

GWSuperfan (939629) | more than 8 years ago | (#15210189)

I respectfully disagree. Where I work, we have 2 full class B allocations. I am never more than two hops away from any internal host. If I need to know where somebody is, I can query the routers and find out which port on which switch the device is plugged into, which gets me at least to the room. And that's only if the machine isn't registered in the DHCP system, and hasn't been logged into the Novell network (either of which get me a username, and therefore, a phone number).

Absolute worst-case scenario is someone whose machine is spewing spam because they clicked on a link in an email that slipped through the virus filters, and for some reason they're plugged into an undocumented port, in which case we either turn off the port, or have the network drop traffic for that MAC address, note the MAC and IP in a ticket, and assign it to the HelpDesk so that when this miscreant calls in, 'cause he can't get to his porn sites anymore, we know who he is and where he is.

Need to register a new machine? No problem. Users just submit the info (MAC, userid, building, room #, phone #) online (or if they have a dedicated "tech person" we give that person access to enter directly into DHCP) and an intern takes the two seconds to verify it and clicks a mouse a couple of times to put it in the queue to be entered into DHCP. (Max. wait time is 1hr.)

I realize it's a big initial investment (need to be able to do layer-2 switching and vlans), and it means your network topology needs to be as horizontal (and well documented) as possible, but for the most part, with a good DHCP setup and taking information gathered via other tools, the only thing we need to manage IP addressing is a machine to handle the web interface for DHCP and a spreadsheet of the subnets and where they are (although some even span multiple buildings, and in a couple of cases, across state lines).

Re:My Opinion (1)

meme_police (645420) | more than 8 years ago | (#15217666)

I agree. We have a class A and thousands of internal RFC1918 /28s, and at least on our corner of our network everything is self-documenting. There are 20 other divisions so I don't know how they manage their nets.

10/8 includes 16 million private addresses (3, Insightful)

merreborn (853723) | more than 8 years ago | (#15208635)

...That's insufficient?

(10/8 = 10.0.0.0 - 10.255.255.255)

Re:10/8 includes 16 million private addresses (2, Funny)

/dev/trash (182850) | more than 8 years ago | (#15208781)

they can't mean all of rfc1918, that's 10.x.x.x 192.168.x.x and 172.16.x.x Are they giving their IP addresses, IP addresses?

Re:10/8 includes 16 million private addresses (1)

markild (862998) | more than 8 years ago | (#15211046)

...actually, you forgot 975,375 addresses on the 172.16. one, but I'll let it slide ;)

Re:10/8 includes 16 million private addresses (1)

/dev/trash (182850) | more than 8 years ago | (#15213513)

I did????

Re:10/8 includes 16 million private addresses (1)

markild (862998) | more than 8 years ago | (#15216226)

From the RFC document:

172.16.0.0 - 172.31.255.255 (172.16/12 prefix)

it's in other words (as the document states) 16 complete class B networks

Re:10/8 includes 16 million private addresses (0)

Anonymous Coward | more than 8 years ago | (#15219018)

Let me help:

they can't mean all of rfc1918, that's 10.x.x.x 192.168.x.x and 172.16.x.x Are they giving their IP addresses, IP addresses?

No blink tag, so I can't really make it jump out any more...

Re:10/8 includes 16 million private addresses (1)

slasher999 (513533) | more than 8 years ago | (#15209414)

That's what I first thought. With no comments in the OP regarding how they have everything subnetted, saying they have used all of those addresses is meaningless. My guess? Everything is broken out into /24's or worse.

Lucent VitalQIP (3, Informative)

FreeMath (230584) | more than 8 years ago | (#15208646)

Proprietary, but Lucent's VitalQIP [lucent.com] provides several nice functions like automated subnetting, DHCP and DNS integration, along with the ability to scale.

Re:Lucent VitalQIP (1)

Sandman1971 (516283) | more than 8 years ago | (#15209130)

I have to 2nd this recommendation. We use Lucent's VitalQIP as well for IP tracking/delegation (as well as DNS). Very stable and scalable. You can even plug in homegrown scripts if there's something specific you require it to do that it doesn't do out of the box.

Another vote for QIP... (1)

Fallen Kell (165468) | more than 8 years ago | (#15209188)

It is a great program. We use it for DNS services as well, but it is vital in our setting up new subnets and keeping track of routers/subnets/DHCP blocks/servers... basically everything that goes on the network! We have around 8000 systems/devices across many different subnets. Once you get larger than a class A subnet, you truly need an application like this, otherwise you will start screwing things up by taking someone else's IP or forget that you already had another 10.1.12 subnet in existence (which consequently screws up ALL your spanning trees across all your routers...).

Re:Lucent VitalQIP (1)

Pinehill.net (10499) | more than 8 years ago | (#15209453)

We have almost 100,000 active IP addresses managed in QIP, and we're pretty happy with it.

It doesn't suck, which is about the best endorsement I'm willing to give commercial software.

Re:Lucent VitalQIP (1)

bwalling (195998) | more than 8 years ago | (#15210941)

I used to install and consult for QIP. It's a good program, but you need to be pretty large in order to see its real benefit. A class B would certainly qualify for this, but I just wanted to alert other readers that this was major league DNS/DHCP management, not something for a medium sized company.

Re:Lucent VitalQIP (1)

Otis2222222 (581406) | more than 8 years ago | (#15211258)

We use QIP for DNS, and it does an acceptable job for that. It doesn't have a very good method for telling "at a glance" what IP space is available though. It pretty much insists that you carve out everything up front, so you can divide a /16 into 255 /24s or something if you want. But if you don't know what space you are going to need where, it kind of sucks.

ipv6 needed maybe (2, Insightful)

RobertLTux (260313) | more than 8 years ago | (#15208663)

if you have a big enough and recent enough set of clients you may want to think about doing an ipv6 conversion (the way i understand it the last 64 bits of the address can be generated using the MAC of the network card so if you know which nic is on a desk then ..)

Use a wiki to keep track (0)

Anonymous Coward | more than 8 years ago | (#15208670)

Use a wiki to keep track of IP uses.

STFU!!! (0)

Anonymous Coward | more than 8 years ago | (#15216065)

STFU you wiki whacko! Wikis are not the only solution for everything. In fact, they are not the solution for anything. Wikis are crap! Yes, Wikipedia too!

I would bet that you run Gentoo but, you wouldn't have missed the opportunity to plug it.

DIY (2, Informative)

Anonymous Coward | more than 8 years ago | (#15208691)

http://www.postgresql.org/docs/7.4/interactive/datatype-net-types.html [postgresql.org]

"PostgreSQL offers data types to store IPv4, IPv6, and MAC addresses, shown in Table 8-17. It is preferable to use these types over plain text types, because these types offer input error checking and several specialized operators and functions."

Re:DIY (1)

dougmc (70836) | more than 8 years ago | (#15209796)

It is preferable to use these types over plain text types, because these types offer input error checking and several specialized operators and functions

Excellent! You've just saved the writer of the application 8 minutes of time in writing code that does the error checking itself and saves it in a more common data type. (Of course, he spent two hours setting up PostgreSQL rather than using his existing Oracle or MySQL server, so maybe it wasn't so great after all.)

In case my sarcasm wasn't quite clear, just because your database has data types designed for holding IP addresses specifically, that doesn't mean it makes your application easier to write in any significant way. You're better off just using whatever database you already have and/or are familiar with.

Re:DIY (1)

thrills33ker (740062) | more than 8 years ago | (#15210808)

I wrote an IP assignment script in PHP based on PostgreSQL. I was so pleased with the result, that I wrote an article about it on my blog:

http://blog.wilf.me.uk/articles/2004/11/27/assigning-ip-addresses-with-postgresql-and-php [wilf.me.uk]

The basic principle is that you put your "source" IP block(s) in the database, and the script will then assign blocks from them. And if you delete an allocation, it will find that "gap" the next time you need a block that size.

Full source code is available from the link above. This might not be exactly what the original poster needs, but I hope it helps somebody.

Note this relies on PostgreSQL's ability to do operations on IP subnets using its CIDR datatype.
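A minimal in-memory version of the allocation logic that post describes, written as an added example for this thread (it is not the blog's PHP/PostgreSQL code): source blocks are registered, requests are satisfied first-fit, and a released block becomes a gap that the next request of a fitting size reuses. Parsing through the `ipaddress` module gives the same kind of input checking the PostgreSQL cidr type provides (host bits set, overlapping sources). The BlockAllocator class, its methods and the 192.168.96.0/22 sample block are assumptions of this example.

```python
from __future__ import annotations

import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class BlockAllocator:
    """Hands out sub-blocks of registered source blocks, first-fit, reusing gaps.

    Hypothetical class written for this example; it mirrors the idea of the
    PostgreSQL/PHP script described above but keeps its state in memory.
    """

    def __init__(self, source_blocks: List[str]) -> None:
        # strict=True rejects "networks" with host bits set (e.g. 10.0.0.5/8),
        # the kind of input error a plain text column would silently accept.
        self.sources: List[Network] = [
            ipaddress.ip_network(s, strict=True) for s in source_blocks
        ]
        # Overlapping source blocks would let the same address be handed out twice.
        for i, a in enumerate(self.sources):
            for b in self.sources[i + 1:]:
                if a.overlaps(b):
                    raise ValueError(f"source blocks overlap: {a} and {b}")
        self.allocations: List[Tuple[Network, str]] = []

    def _is_free(self, candidate: Network) -> bool:
        # A candidate is free only if it touches no existing allocation,
        # whether that allocation is smaller, equal or larger than it.
        return not any(candidate.overlaps(used) for used, _ in self.allocations)

    def allocate(self, prefixlen: int, owner: str) -> Optional[Network]:
        """Return the first free block of the requested size, or None if exhausted."""
        for src in self.sources:
            if prefixlen < src.prefixlen or prefixlen > src.max_prefixlen:
                continue  # request is bigger than this source, or not a valid prefix
            # subnets() is lazy, so a large source is walked only as far as needed.
            for candidate in src.subnets(new_prefix=prefixlen):
                if self._is_free(candidate):
                    self.allocations.append((candidate, owner))
                    return candidate
        return None

    def release(self, block: str) -> bool:
        """Free an allocation; the hole it leaves is reused by later allocate() calls."""
        target = ipaddress.ip_network(block, strict=True)
        before = len(self.allocations)
        self.allocations = [(n, o) for n, o in self.allocations if n != target]
        return len(self.allocations) != before

    def utilisation(self) -> Tuple[int, int]:
        """(allocated addresses, total addresses across all source blocks)."""
        used = sum(n.num_addresses for n, _ in self.allocations)
        total = sum(s.num_addresses for s in self.sources)
        return used, total


def demo() -> List[str]:
    """Walk through allocate / release / gap reuse on a constructed sample block."""
    alloc = BlockAllocator(["192.168.96.0/22"])  # constructed sample, 1024 addresses
    log = []
    log.append(str(alloc.allocate(24, "sales")))        # 192.168.96.0/24
    log.append(str(alloc.allocate(24, "engineering")))  # 192.168.97.0/24
    log.append(str(alloc.allocate(26, "printers")))     # 192.168.98.0/26
    alloc.release("192.168.96.0/24")                    # sales gives its block back
    log.append(str(alloc.allocate(25, "vpn")))          # 192.168.96.0/25: the gap is reused
    log.append(str(alloc.allocate(24, "lab")))          # 192.168.99.0/24: first untouched /24
    log.append(str(alloc.allocate(24, "overflow")))     # None: no whole /24 is left
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```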

Ipplan (1, Informative)

Anonymous Coward | more than 8 years ago | (#15208711)

Ipplan can be customised to just show you the stuff you need to see. We have about the same sized address space and ipplan works great.

Do you know how to search freshmeat? (4, Informative)

labratuk (204918) | more than 8 years ago | (#15208718)

Have you looked at phpip [phpip.net] or ipspace [null-ptr.net] yet?

I laughed so hard (1)

anomaly (15035) | more than 8 years ago | (#15209027)

when I read the link in your .sig, I laughed so hard I almost wet myself. I don't have any idea where you could have come up with the kind of time it took to make that crap up.

Thanks for a good belly laugh tonight.

Re:I laughed so hard (1)

pjay_dml (710053) | more than 8 years ago | (#15209388)

Thanks for pointing this out. What a great way to start the day :)

IPAM (3, Informative)

forq (133285) | more than 8 years ago | (#15208730)

If you really want to get fancy, and integrate your IP address space management with your DHCP and DNS, take a look at BlueCat Networks [bluecatnetworks.com] . They have a suite of tools, and the one you're looking for is called Proteus [bluecatnetworks.com] . Highly integrated DNS, DHCP, and IP Address Management. It costs money, but it sounds like your shop can afford it. Best of luck.

Re:IPAM (1)

AYJA061 (971117) | more than 8 years ago | (#15209527)

I am heading up a project to look for a cost-effective IPAM solution to potentially replace my expensive QIP implementation...and I must say the Bluecat Proteus does look very promising. I've talked to their guys and did a demo with them...they know what they're talking about. And they have this "tag" system which is really cool.

The down side is that Proteus can only control their Adonis devices (for now) which means I would have to replace all my windows/bind servers...but even with that, the cost would be less than 1/2 of what we're paying now for QIP renewal/maintenance...which is nuts.

Re:IPAM (1)

_RiZ_ (26333) | more than 8 years ago | (#15209921)

I have found some info on these guys and will check them out this week at interop. We too just recently left the QIP world based on licensing costs. DHCP and DNS are being managed by the AD folks so for us network engineers who only care about the break down of subnets and the first 5 ips in each network, it's very clunky to use the MSC console crap.

Re:IPAM (1)

AYJA061 (971117) | more than 8 years ago | (#15210038)

Well, I haven't left QIP yet...cause as much as I hate paying high maintenance cost, it's still much better than spreadsheet. (yuk)

I suggest you look at all the players. Bluecat, Infoblox, INS seem to be getting the most buzz. Check them all out and judge for yourself.

I don't get what the problem is... (2, Interesting)

MoralHazard (447833) | more than 8 years ago | (#15208733)

Maybe I'm dense, but what, exactly, is the problem the poster is trying to solve?

Why does this need any application more complex than a text file sitting on a file share, somewhere, for people to review or make changes as needed? That's what I do, and it seems to work OK.

Plus, what does it mean to use "all" of the RFC1918 IP ranges? Does that mean they're using every IP in every range, or every prefix in every range, or does it just mean that they don't understand subnetting?

Re:I don't get what the problem is... (2, Informative)

Carnildo (712617) | more than 8 years ago | (#15208844)

You must have a nice, simple setup, then. Where I work, there are seven full-time employees and approximately 22 computers, including three servers. Between the various needs for off-site access, support for earlier mistakes, and stuff that just doesn't work like it should, we have:

One DHCP pool for VPN from Macintosh computers
One DHCP pool for VPN from Windows computers
One DHCP pool for trying to get the VPN support in the Cisco router working
One DHCP pool for office computers
One pool of reserved addresses for the servers
One stray reserved address in the middle of a DHCP pool left over from an accident with the backup software
One (very small) pool of public IP addresses used to provide the public face for the servers
One computer with a single network card and two IP addresses (don't ask)

Re:I don't get what the problem is... (1)

forkazoo (138186) | more than 8 years ago | (#15209558)

One DHCP pool for VPN from Macintosh computers
One DHCP pool for VPN from Windows computers
One DHCP pool for trying to get the VPN support in the Cisco router working
One DHCP pool for office computers
One pool of reserved addresses for the servers
One stray reserved address in the middle of a DHCP pool left over from an accident with the backup software
One (very small) pool of public IP addresses used to provide the public face for the servers
One computer with a single network card and two IP addresses (don't ask)

Well, we have only got a single VPN pool, but this isn't too radically different from what we have. What do you do in the way of "managing?" That's the part I don't really get. We have a half a dozen or so subnets in the 192.168.96.* to 192.168.135.* range. There is a lot of free room in case one of the departments grows radically, so it can get an adjacent block. We don't really need to change very much with any regularity. We have a few dozen devices with static IPs, and that's just because we don't feel like monkeying around with DHCP and DNS so that the printers and whatnot can be accessed by name. Despite having hundreds of machines, we don't have any problems keeping track of our static IPs in a spreadsheet. For what we are doing now, I think we could scale to a few thousand machines, with a somewhat larger spreadsheet.

I'm not trying to say that there isn't anything to do that needs management utilities -- I'm genuinely asking, because quite a few people in this thread seem to understand exactly what the poster is asking for. If there is some goodness that makes things better, I'd like to know about it.

Re:I don't get what the problem is... (1)

harryk (17509) | more than 8 years ago | (#15209773)

Sorry... I couldn't help it.. but I kept waiting for ... "And in the darkness bind them"

I feel jipped... :(

YOU ARE SO FIRED!!! (0)

Anonymous Coward | more than 8 years ago | (#15216205)

Your network is an abomination to nature and you not only created it but continue to nurture it. Your network should be taken outside and shot! You should be taken outside and shot!

You and your network could be completely replaced by any <$100 router with no changes to the default configuration!

22 computers? 7 Employees? And you're bragging on Slashdot?

You're Pathetic!

Re:I don't get what the problem is... (1)

Krandor3 (621755) | more than 8 years ago | (#15208924)

Spreadsheets and text files work to a point. However, once you get quite a few VLANs and servers then those methods become very cumbersome to use. Trying to do things like seeing what IP blocks are available for a new /27 you want to add may not be that easy. Also, Excel and text files can (and have, several times in my case) lead to copy-paste type errors. And if you have servers on multiple VLANs then trying to get a listing of "what are all the IPs of server X" becomes cumbersome as well, and if you have to keep track of NATs and/or OSPF area information as well then that spreadsheet gets very complicated very quickly and information can get spread out (one page for IPs, another for NATs, another for what IP blocks are assigned/not assigned, etc). For some environments, a spreadsheet or text file works fine, but not for all environments.

Re:I don't get what the problem is... (1)

Achromatic1978 (916097) | more than 8 years ago | (#15211117)

Agreed. Some of our major clients are hotels. Providing Digital Video On Demand and Internet Access means 1 VLAN per room (for security and such). Can be fun to do an ifconfig on a Linux server managing this and have it spew forth 600+ VLAN interfaces.

Re:I don't get what the problem is... (1)

Sancho (17056) | more than 8 years ago | (#15208930)

Their network supports 65,534 hosts, not including the RFC1918 addresses. That's a lot for a flat file. Also, a flat file will have no format restrictions (people might not be consistent in their edits) and will not be able to do any error checking (mistype an IP/subnet/whatever and you may not notice for a long time afterward, with potentially cascading effects).

Also, some IP management products integrate with DHCP, DNS, or both, providing automatic updates as they are entered into the management software. Now you only have to make one change which will automatically propagate throughout the system and keep logs of the changes (including which administrator made the change).

Re:I don't get what the problem is... (1)

_RiZ_ (26333) | more than 8 years ago | (#15209903)

It means that in some way or another we use 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/16 as well as our public class B. With sites in 40 countries, internet facing requirements, wireless, wired, vpn, server farms, test, dev, and all the other uses for ip's, we use a whole hell of a lot.

Re:I don't get what the problem is... (1)

drsmithy (35869) | more than 8 years ago | (#15210151)

Why does this need any application more complex than a text file sitting on a file share, somewhere, for people to review or make changes as needed? That's what I do, and it seems to work OK.

How many networks, sites and devices are in your environment ?

Re:I don't get what the problem is... (2, Interesting)

dubl-u (51156) | more than 8 years ago | (#15210305)

Why does this need any application more complex than a text file sitting on a file share, somewhere, for people to review or make changes as needed? That's what I do, and it seems to work OK.

Another reasonable option is a Wiki. Many of them give built-in version control and have full text search. For organizing the data, you can use multiple pages. E.g., one page for the overall breakdown, linked to pages for each regional block, and then pages for each subnet.

If you're reasonably regular with your formatting and naming, Wikis are also easy to use as sources for scripts.

Beware of MediaWiki (1)

Degrees (220395) | more than 8 years ago | (#15215323)

I did an intranet documentation wiki based on MediaWiki, and it was worthless for IP addresses. The basic problem was the MediaWiki used MySQL for searching, and MySQL excludes 'words' that are too short from its indexes - which means no index of IP addresses.

I ended up cobbling together .htdig + MediaWiki - which was a horrible experience.

There was some talk on the MediaWiki list about moving to Lucene for indexing. If that has happened already, MediaWiki might work fine. But before you throw many hours into it, do a simple test first.

Re:I don't get what the problem is... (1)

brewpoo (789171) | more than 8 years ago | (#15211367)

I understand the problem as I am in the same boat. OP is probably using some addresses from each class of 1918 addresses. Using a text file or wiki is not an elegant solution when managing 3000+ hosts where 50% of them are static (for various reasons). I've been using an Access database but I am currently developing a PHP/Postgresql based solution. We have 20+ support staff signing out new addresses every day. The napkin approach sucks and conflicts and mistakes are aplenty...

That's some hard-hitting reporting (1)

Bootle (816136) | more than 8 years ago | (#15208750)

I too want to know, just when will USPTO/RIAA/MPAA address the problems NASA just can't get a grasp on. Someone must back my lunar trademarks!

it all hinges on one word.... (2, Insightful)

Malor (3658) | more than 8 years ago | (#15208752)

The problem is that your question is a bit vague. You want help 'managing' the IP space, but you don't indicate what 'managing' means to you. If you can be clearer about exactly what you want it to do, you'll probably get more useful suggestions.

Re:it all hinges on one word.... (1)

macdaddy (38372) | more than 8 years ago | (#15222386)

His meaning is already quite clear to those of us that manage IP space. Few other people will be able to give him a decent answer on this particular topic.

Re:it all hinges on one word.... (1)

Malor (3658) | more than 8 years ago | (#15223408)

All of us manage IP space, to some degree or another.

Clear description of requirements is always important. He might need something you don't think is important, and you could recommend the wrong package/system. Or, he may not need nearly as much management as you do, and you could recommend a package that's far too expensive or complex.

'Manage', in other words, means different things to different people. Giving advice without a very clear requirement specification is difficult and error-prone.

easy solution (0)

Anonymous Coward | more than 8 years ago | (#15208777)

DHCP

a decent commercial solution (1)

Cybersonic (7113) | more than 8 years ago | (#15208804)

I have to say, Infoblox http://www.infoblox.com/ [infoblox.com] is the best solution for this I have seen yet. It is not free, but gives a company with LOTS of IP addresses a nice way to manage them all.

Most people use either Excel (yuck) or a home grown PHP app they write themselves. (I'm talking some Fortune 500 companies here as well)

Re:a decent commercial solution (1)

slinkyjim (954237) | more than 8 years ago | (#15209431)

I'll second the suggestion of Infoblox.

I manage DNS for an organization with a class B range and a few thousand more private IP ranges. We've used NetID in the past (originally owned by Optivity, now Nortel). It gets the job done with an Oracle database and a java interface/application server and can manage IP, DHCP and DNS - but is quite expensive. Infoblox is slowly replacing its functions.

I'd say that "IP address management" can include allocating DHCP and static IP ranges, recording information about hosts (hostname, responsible party, etc), and probably includes some DNS record management as well.

And no, for a large and complex organization - a large, flat text file is not a good enough management tool. If multiple parties need access to the data, probably with different permission sets and some type of referential integrity is needed, PHP+text files will get a bit cumbersome.

What? (0)

Anonymous Coward | more than 8 years ago | (#15208816)

You have more than sixteen million computers where you work?

Re:What? (0)

Anonymous Coward | more than 8 years ago | (#15209714)

Hey, get this: A device can have.. *gasp*.. MULTIPLE IP addresses assigned to it!

We've got webservers with over 1000 addresses on one machine.

Re:What? (1)

clydemaxwell (935315) | more than 8 years ago | (#15211366)

Why in God's name would you do that?
Are you doing IP-based virtual hosts? This is ridiculous.

Re:What? (1)

Xaria (630117) | more than 8 years ago | (#15283506)

Because SSL certificates require an IP.

same boat (5, Informative)

aichainz (523314) | more than 8 years ago | (#15208846)

I've reviewed the following:

Bluecat Networks Proteus/Adonis http://www.bluecatnetworks.com/ [bluecatnetworks.com]
Incognito IP/Name/DNS Commander http://www.incognito.com/ [incognito.com]
INS IPControl http://www.ins.com/ [ins.com]
Carnegie Mellon's NetReg http://www.net.cmu.edu/netreg [cmu.edu]
Lucent VitalQIP http://qip.lucent.com/ [lucent.com]
Solarwinds IPAM Pro http://www.solarwinds.net/ [solarwinds.net]
Men & Mice http://www.menandmice.com/ [menandmice.com]
Infoblox http://www.infoblox.com/ [infoblox.com]
IPPlan http://freshmeat.net/projects/ipplan [freshmeat.net]
MetaInfo http://www.metainfo.com/ [metainfo.com]

In hopes of replacing our current in-house developed solution.

I'll be honest, they are for the most part simply 'ok'. I wasn't super-impressed with any of them, and the bottom half of the list were definitely not ready for ISP/ASP/MSP-level use. I've listed them in descending order of my preference. All the usable ones are super-expensive, on the order of 'ok you can afford to pay a decent php/mysql coder to code you something from the ground up', or you can take this out-of-the-box thing, and shoe-horn it into your existing network. Which will in most cases take some weeks of programming anyway...

I had some of what I thought were pretty simple requirements...

- unix/linux based
- no single point of failure (clustering)
- handle forward and reverse dns
- api's (mostly to allow us to present a customer access to their zones)
- web-based gui with tiered user-levels
- pref software-based install rather than appliance, due to the shoe-horn prediction i mentioned above

Those are the highlights off the top of my head. I was surprised how few actually had all those features.

After months of doing webcasts, reading white-papers etc we've come to the conclusion that it's going to be developed in-house from the ground up, using bsd/apache/postgres/php/bind and some soap.

After reviewing these, I'm actually dying to know what large enterprises are using. I'm hoping there's some magic bullet IPAM solution that I missed on google. Please someone tell me about it!

Anyway, hope this helps you in your quest.

Re:same boat (1)

Cybersonic (7113) | more than 8 years ago | (#15208944)

Having worked in most Fortune 500's, unfortunately, most of them actually just use Microsoft DHCP/DNS and Excel... I think your list pretty much covers every solution I have seen :)

From what I have seen, the best ones were appliance based.

Re:same boat (1)

_RiZ_ (26333) | more than 8 years ago | (#15209944)

That is where we are currently. MS AD for DNS and DHCP with Excel for documentation of all the networks worldwide. The Excel file has been a pain for quite some time. There have been some attempts to import this into Notes to make it more usable, but they have all been just too clunky and have been put together with very little thought.

Re:same boat (1)

vitroth (554381) | more than 8 years ago | (#15214180)

Hey, somebody mentioned NetReg before I could... NetReg is probably way more than the OP wants, but it certainly does do IPAM fairly well. The screenshot on our site of the subnet map [cmu.edu] is a bit out of date, the current version looks slightly different, but you can see the idea.

The rest of this post I grabbed from my own comment on an Ask Slashdot story a few weeks ago about DNS management systems:

Carnegie Mellon's NetReg [cmu.edu] (*) is a DNS & DHCP management system (and much more) that we wrote in house to replace our previous database. We manage DNS & DHCP for 50K machines, and NetReg does it all. It is available under an OSS license and is in use at several other locations. NetReg provides a self service web interface with flexible permissions, privilege delegation, IP address space management, DNS record validation, and more.

As the current primary developer of the system I'm a bit biased, but I think it's a great system. It has a steep learning curve, and the documentation leaves something to be desired (like a tech writer...), but once you hit a certain scale the benefits outweigh the cost. On the site linked above you'll find a working demo with some base data you can experiment with, but obviously the full power of the system isn't utilized until you have lots of data and can see the resulting zones & config files.

There is an active mailing list [cmu.edu] . Feel free to join it and ask questions.

*: Not to be confused with Southwestern University's NetReg, which is a completely different system developed in parallel around the same time. The two systems have some similar features, but SW NetReg doesn't do everything that CMU NetReg does.

State your mission man ... (4, Informative)

zeridon (846747) | more than 8 years ago | (#15208863)

1) Do you need just bookkeeping stuff? - a spreadsheet or some homemade app will do it!
2) DHCP/DNS integration management? - the Sauron [sauron.jyu.fi] project is my favourite at the moment
3) Something more specific... then go either for something commercial or your developers.

I've written one.. (1)

sirrmt (971078) | more than 8 years ago | (#15208975)

When I was working at an Aussie Telco, I wrote an IP Management Database. It was designed to provide an easy-to-manage overview of the IP space, but allow automated allocation. After I left the company, I wrote a new one from scratch based on the original design. This isn't complete (lacking some features), but it's quite usable. I was going to market it commercially (and still might) but I got distracted with life, and it's been sitting around doing nothing. I'd like to see it used and further developed, so if you're interested, we can reach an arrangement. http://spinnesoft.com/products/ipdatabase/

You can contact me via jabber at rmt@jabber.freenet.de, or via the email addresses on the website.

Existing solution ... (1)

ubrkl (310861) | more than 8 years ago | (#15209234)

I say move to IPv6. That would solve addressing issues, unless I don't understand the problem :)

Nodes? (2, Interesting)

Ajehals (947354) | more than 8 years ago | (#15209312)

Just how many addressed nodes are we talking about? And how many physical networks?

I would probably start looking at this as a paper project and see if you can't rationalise your network address schemes somewhat. I've used and would recommend IPPlan generally, http://iptrack.sourceforge.net/ [sourceforge.net], but I don't tend to manage networks in any meaningful way; I prefer the networks to manage themselves. Getting initial configurations of DHCP and DNS schemas right and then scaling it all up, and maintaining documentation of the general topology, generally helps too, although actually tracking what IP address is assigned to what isn't generally all that important, or at least not for more than about 10% of the addressed nodes (I reserve ranges for static addressing on servers and network devices that require them and issue them sequentially per device; everything else is dynamic).

However, you seem to be talking about more than a few thousand hosts, so it will presumably be a bit different. I've never thought about scaling a LAN that I have managed beyond 3000 devices, and when looking at WAN it's never been a problem to have multiple networks with the same address schemes interconnect; it just involved NAT at each gateway.

Just a quick one: if you are using all of the address allocation according to RFC1981, that would mean you have well in excess of 16 million nodes, or you really need to look at how you have allocated subnets...

Re:Nodes? (1)

_RiZ_ (26333) | more than 8 years ago | (#15209978)

We are not actually using every IP in 1918 space; more like, we have many networks defined across the globe for use by the 40 branch offices for all of their needs. We have broken 1918 space down by major region (Americas, Europe, and Asia Pac). Each region is then broken down by country, followed by the city in that country. This makes it quite easy to know by any IP where it is originating. The problem lies when you have multiple network engineers creating and modifying networks across the planet and only have a silly Excel file to document what is what. Being able to define the networks, provide FQDNs for the interesting IPs (in our case, it's usually only the first 5 IPs - HSRP virtual, HSRP primary, HSRP secondary, and 2 for other network devices), and the ability to export these entries so that the guys who manage the DNS servers can import them would be quite beneficial. I would say we have 6000+ active ports at headquarters and another 6000+ in all the other branch offices combined. Sounds like a lot, but we have many folks with multiple machines. We have an entire building of engineers who get 4 LAN ports on their desks for their labs and what not. I do not think the question lies in how we have addressed our networks, but more like what is a good application to provide some of the features I have just described.
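The scheme _RiZ_ describes (RFC 1918 space carved by region, then country, then city; FQDNs for the first five addresses of each network; an export the DNS team can import) as an added example in Python. This is not code from the thread or from any tool mentioned in it, and everything specific is an assumption chosen for illustration: the carve widths (/12 regions, /16 countries, /20 cities, /24 sites), the place names, the five host-role names and the corp.example domain.

```python
import ipaddress

# Added example, not the poster's data. Hypothetical plan: 10.0.0.0/8 is carved into
# /12 regions, /16 countries inside each region and /20 cities inside each country;
# every city then hands out /24 site networks. Dict/list order decides each slot.
ROOT = ipaddress.ip_network("10.0.0.0/8")
PLAN = {
    "americas": {"us": ["nyc", "chi"], "ca": ["yyz"]},
    "europe": {"de": ["fra"], "uk": ["lon"]},
    "asiapac": {"jp": ["tyo"]},
}
# Roles for the first five host addresses of each site network (assumed names for the
# HSRP virtual, HSRP primary, HSRP secondary and two other network devices).
ROLES = ["gw", "rtr1", "rtr2", "sw1", "sw2"]


def build_plan(plan=PLAN, root=ROOT):
    """Return {city_network: (region, country, city)} by carving root deterministically."""
    cities = {}
    region_nets = list(root.subnets(new_prefix=12))
    for r_idx, (region, countries) in enumerate(plan.items()):
        country_nets = list(region_nets[r_idx].subnets(new_prefix=16))
        for c_idx, (country, city_list) in enumerate(countries.items()):
            city_nets = list(country_nets[c_idx].subnets(new_prefix=20))
            for t_idx, city in enumerate(city_list):
                cities[city_nets[t_idx]] = (region, country, city)
    return cities


def locate(ip, cities):
    """Read the hierarchy back from any address: (region, country, city), or None."""
    addr = ipaddress.ip_address(ip)
    for net, where in cities.items():
        if addr in net:
            return where
    return None


def site_network(cities, region, country, city, site_index):
    """The site_index-th /24 (0..15) inside the given city's /20."""
    for net, where in cities.items():
        if where == (region, country, city):
            return list(net.subnets(new_prefix=24))[site_index]
    raise KeyError((region, country, city))


def site_records(net, site_name, domain="corp.example"):
    """Forward (A) and reverse (PTR) zone-file lines for the first five hosts of a
    site network, in a shape a DNS team can paste into BIND-style zones."""
    hosts = list(net.hosts())[: len(ROLES)]
    a_records, ptr_records = [], []
    for role, addr in zip(ROLES, hosts):
        fqdn = f"{role}.{site_name}.{domain}."
        a_records.append(f"{fqdn:<40} IN A   {addr}")
        ptr_records.append(f"{addr.reverse_pointer}.  IN PTR {fqdn}")
    return a_records, ptr_records


if __name__ == "__main__":
    cities = build_plan()
    print(locate("10.17.5.9", cities))                    # ('europe', 'uk', 'lon')
    net = site_network(cities, "europe", "de", "fra", 3)  # 10.16.3.0/24
    a_lines, ptr_lines = site_records(net, "fra3")
    for line in a_lines + ptr_lines:
        print(line)
```

Because each level is a fixed-width carve of the level above, `locate()` can recover the site from any address with no lookup table beyond the plan itself, and `site_records()` emits the forward and reverse records together, so the DNS team imports one generated file instead of retyping entries from a spreadsheet.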

Re:Nodes? (1)

Ajehals (947354) | more than 8 years ago | (#15210268)

To be blunt, you don't need IP management software, you just need a decent DNS structure and DOCUMENTATION. Everyone doing their own thing is fine as long as you haven't got to get anything to work together. If your networks are not interconnected it gets a bit interesting, but if you are using interconnected networks just use DNS as normal and propagate down to the various networks: effectively set up a root server for each network's DNS servers to query. You retain control of the root server, allowing you to add global resources, and get your net admins in each region to manage theirs. Put a policy together to say what you and they can and can't do naming- and allocation-wise and you should be sorted. You still need some communications tool, but that could be as simple as a web page that allows you to a) run a DNS query and b) request an IP address for inclusion on the root server...

What DNS server system are you currently using? If your networks are not interconnected then you are going to have to produce whatever cfg is required to simply drop a load of DNS entries into a zone; you can probably get away with a CSV and then format it depending on requirement. This can easily be done with a little PHP (and MySQL if you need it to be slick).

Don't look for a technical problem for a management issue and don't try to micromanage; if your documentation, policy, planning and topology is a mess sort that out first, there is no silver bullet. After all, Preparation and Planning Prevents Piss Poor Performance.

Or is that too simplistic and am I missing something? (Sorry, it's 0600 here in the UK and I'm still working on something I started yesterday morning, so excuse any spelling / grammar / structural and logical errors...) - (On that note, if anyone can tell me why a W3C compliant page that looks great in Firefox, Opera and Netscape can generate an "errors on this page prevent it from loading" error in IE I'd be grateful; if not I'll just bitch about it on any forums I find in the next 24 hours and then give up, who uses IE anyway...)

Re:Nodes? (1)

Ajehals (947354) | more than 8 years ago | (#15210437)

I've got a stack of custom scripts and documentation and policy I could dig up if it's appropriate and if it's useful, too much to post here sadly. I've spent a good 25% of my working life (well, before I became self employed anyway) dealing with network implementations; sadly it's 90% Win2k Server (DNS + DHCP + AD), 5% BIND and 5% general theory. Get in touch if you're interested (that goes for anyone else as well...) slash[removethisbit]dot[at]ictsc[dot]co[dot[uk] and I'll get it to you if it applies.

Maintain from OSU? (2, Informative)

Randle_Revar (229304) | more than 8 years ago | (#15209507)

I am not sure, but Maintain seems like the kind of thing you are looking for: http://osuosl.org/projects/maintain/ [osuosl.org]

Although, looking at it, it seems to be specific to dhcpd3 and djbdns...

Anyway, I thought I would just throw it out here for consideration.

Re:Maintain from OSU? (1)

Grizzletooth (245582) | more than 8 years ago | (#15209974)

Very impressive effort. Looks nice for delegated responsibility. Clean interface.

Even if you don't want to use DJBDNS for all of your services, you can slave BIND 9 servers to the DJBDNS root. But DJBDNS works well too. YMMV.

Rearchitect your IP space. (1)

Zapman (2662) | more than 8 years ago | (#15211016)

You state that you're a midsized company, yet you're using a full internet class B, a private class A (10.*), 16 class Bs (172.16.*), and a class B (192.168.*).

That's more IP addresses than a major technical college I know uses. Unless you're a pretty major ISP, that's crazy. MAJOR companies often make do with a decent number of internet routeable IPs, and a lot of NAT.

Lesson one: Learn NAT (aka IP masquerade)

NAT lets you have 1 firewall that offers internet access to lots of other computers. Thousands of computers sit comfortably behind a single internet gateway.

Lesson two: learn subnetting.

Just because RFC1918 says that 10.x is a class A private range doesn't mean that you have to route it as a class A... Subnet it. Internally, define 10.1.1.x as a server range. Set up a complex site with several (~5 or so) as 10.0.8.0/29 for example. That would give a site 8 Class C ranges to play with, and it's great for route summarization... which leads me to:

Lesson three: learn routing.

After you've subnetted the world, you have to route between it. Cisco makes lots of money selling these devices. You probably should have some (or use Juniper... they do the same thing[1]). Use static routes. Use dynamic routes. But set it up. Which leads me to:

Lesson four:

There are reasons that networking geeks are around. Let us deal with these problems. Your world will be much more stable.

Now, I can imagine some reasons that you are validly using that many IP addresses, and utilizing the concepts/technologies I've mentioned above... but they're a bit of a stretch. Most likely, this whole thing has been set up willy-nilly, and is overdue for an overhaul.

--Jason

[1] But you don't have to use true 'routers'... if that term means anything today... If you're routing around a switched environment, most reasonably manageable switches let you configure static and dynamic routing.

Re:Rearchitect your IP space. (1)

Pii (1955) | more than 8 years ago | (#15212836)

Lesson two: learn subnetting.

Danger ahead...

[snip] Set up a complex site with several (~5 or so) as 10.0.8.0/29 for example. That would give a site 8 Class C ranges to play with, and it's great for route summarization...

Oh dear...

By my math, 10.0.8.0/29 would yield a subnet with a mere 8 addresses (10.0.8.0 - 10.0.8.7, with 6 usable for hosts). A /21 would give the result you were trying to achieve. Your bit-shifting was correct, but you started in the wrong octet. Back to "Lesson Two" with you...

(Yes, you probably know how to subnet, but if you're going to play the haughty networking expert, you'd better have it right before hitting 'submit'.)

Re:Rearchitect your IP space. (1)

Zapman (2662) | more than 8 years ago | (#15220745)

You're right... As you state, that should have been /21.

That's what I get for posting pre-coffee.
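The arithmetic behind Pii's correction, as an added example in Python using the standard-library ipaddress module (not code from the thread): a /29 holds eight addresses, eight /24s need a /21, and a block only summarizes into a single route when it starts on its own boundary. The prefixes are the ones from the two posts; the function names are mine.

```python
import ipaddress


def prefix_facts(cidr):
    """Size of a prefix the way a router sees it: first/last address, total and
    usable host count (network and broadcast reserved for /30 and shorter)."""
    net = ipaddress.ip_network(cidr)  # strict by default: host bits set -> ValueError
    usable = net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses
    return {
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "total": net.num_addresses,
        "usable": usable,
    }


def count_subnets(cidr, new_prefix):
    """How many new_prefix networks fit inside cidr, e.g. /24s in a /21."""
    net = ipaddress.ip_network(cidr)
    if new_prefix < net.prefixlen:
        raise ValueError(f"/{new_prefix} is larger than {net}")
    return 2 ** (new_prefix - net.prefixlen)


def prefix_for(base, wanted, block_prefix=24):
    """Smallest block starting at base that holds `wanted` networks of block_prefix
    length: the step the post got wrong (eight /24s need a /21, not a /29).
    Raises ValueError when base is not aligned to the resulting boundary, which is
    exactly the case where the block would not summarize into one route."""
    if wanted < 1:
        raise ValueError("need at least one block")
    bits = (wanted - 1).bit_length()  # 8 blocks -> 3 bits; 5 blocks also -> 3 bits
    return ipaddress.ip_network(f"{base}/{block_prefix - bits}")  # strict check


def summarize(cidrs):
    """Route summarization: collapse adjacent and contained prefixes into the fewest
    covering prefixes, the same answer a router's summary-address would need."""
    nets = (ipaddress.ip_network(c) for c in cidrs)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    print(prefix_facts("10.0.8.0/29"))   # 8 addresses, 6 usable: one small LAN, not a site
    print(count_subnets("10.0.8.0/21", 24))  # 8
    print(prefix_for("10.0.8.0", 8))     # 10.0.8.0/21
    print(summarize(f"10.0.{i}.0/24" for i in range(8, 16)))  # ['10.0.8.0/21']
```

The alignment check matters in practice: 10.0.8.0/21 is valid because 8 is a multiple of 8, but asking for eight /24s starting at 10.0.9.0 raises, and a site built that way would need two or more summary routes instead of one.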

I work for a large company... (2, Informative)

Otis2222222 (581406) | more than 8 years ago | (#15211204)

I work for a company with about 70,000 employees. We have a lot of address space. Multiple Class Bs of public IP space not to mention 10.0.0.0/8 and the other RFC 1918 space. Far and away the best tool we have ever used to manage IP space is an Excel spreadsheet located on a network drive. As soon as you're done laughing, read on...

Create a spreadsheet with Column A having the /24s of each block spelled out:
10.0.0.0
10.0.1.0
10.0.2.0
etc.

Columns B through Q should be /28s within each /24. Put the network address of each /28 up there, i.e. 0, 16, 32, 48, etc.

Use the 'Merge Cells' option to block out each subnet that you want to document and then change the background color of that cell to something other than white. White, unmerged cells should always represent available IP space. Put a descriptive text in the cell showing the VLAN, router interface, or firewall that owns that space. If you don't have enough space in the cell, write something very brief and then do an "insert comment" where you can put all the descriptive text you want there.

I use other colors like pink for "reserved" space, i.e. space that I want to use in an upcoming project but it isn't live yet. Try to keep the number of colors you use to a minimum. Ideally you shouldn't need more than two or three colors.

Finally, don't put everything onto one worksheet. Use tabs to break things up into different OSPF areas, or however you want. I have a tab for the DMZ environment, one for the Extranet environment, one for the intranet, etc.. Some of the tabs have address space as small as a /19 defined on them. Most of them are /18s or /17s though.

As long as the file is backed up regularly and all of your network engineers use it religiously, there should be no problems. We have been using this for years now and it has saved our ass on many, many occasions. Only one person can use the file at a time, so conflicts are not an issue.

Using an off the shelf application is asking for trouble, in my opinion. Keep It Simple, Stupid!
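The spreadsheet layout above expressed as data, an added Python example (not the poster's file or code): rows are /24s, columns are /28s, a free cell stays blank and a cell claimed by two allocations is flagged. The allocations and owner labels are constructed for illustration, and the 10.0.0.144/28 entry deliberately lands inside the /27 above it. The overlap check and the free-space calculation are the two things a shared Excel file does not do for you when several engineers edit it.

```python
import ipaddress

# Added example with constructed allocations (hypothetical, not the poster's data).
# Each entry is what an engineer would block out in the spreadsheet: (prefix, owner).
# The /28 at 10.0.0.144 deliberately sits inside the printers /27 to show a clash.
ALLOCATIONS = [
    ("10.0.0.0/25", "vlan10 user LAN"),
    ("10.0.0.128/27", "vlan11 printers"),
    ("10.0.0.144/28", "lab ports"),
    ("10.0.0.240/28", "fw transit"),
    ("10.0.1.0/24", "vlan20 servers"),
]


def grid(block, allocs, row_prefix=24, cell_prefix=28):
    """The spreadsheet as data: {row /24: [16 cells]}, each cell the owner of that
    /28, "" when free (the white cell) or "CONFLICT: a | b" when two allocations
    claim it. Anything smaller than a cell shows as filling the whole cell; that is
    the granularity limit of a /28-column layout."""
    nets = [(ipaddress.ip_network(c), owner) for c, owner in allocs]
    rows = {}
    for row in ipaddress.ip_network(block).subnets(new_prefix=row_prefix):
        cells = []
        for cell in row.subnets(new_prefix=cell_prefix):
            owners = [owner for net, owner in nets if net.overlaps(cell)]
            if not owners:
                cells.append("")
            elif len(owners) == 1:
                cells.append(owners[0])
            else:
                cells.append("CONFLICT: " + " | ".join(owners))
        rows[str(row)] = cells
    return rows


def find_overlaps(allocs):
    """Every pair of allocations that overlap: the check the spreadsheet never runs."""
    nets = [ipaddress.ip_network(c) for c, _ in allocs]
    return [
        (str(nets[i]), str(nets[j]))
        for i in range(len(nets))
        for j in range(i + 1, len(nets))
        if nets[i].overlaps(nets[j])
    ]


def free_space(block, allocs):
    """Unallocated space in block as the fewest CIDR prefixes ('what can I hand out')."""
    remaining = [ipaddress.ip_network(block)]
    for cidr, _ in allocs:
        alloc = ipaddress.ip_network(cidr)
        kept = []
        for net in remaining:
            if not net.overlaps(alloc):
                kept.append(net)
            elif alloc.subnet_of(net):
                kept.extend(net.address_exclude(alloc))  # carve the hole out of net
            # else: net sits entirely inside alloc and is consumed
        remaining = kept
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def render(rows):
    """Plain-text view of grid(): one line per /24, one character per /28
    ('.' free, '#' allocated, 'X' conflict)."""
    lines = []
    for row, cells in rows.items():
        marks = ["." if c == "" else ("X" if c.startswith("CONFLICT") else "#") for c in cells]
        lines.append(f"{row:<16} {''.join(marks)}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = grid("10.0.0.0/23", ALLOCATIONS)
    print(render(rows))
    print("overlaps:", find_overlaps(ALLOCATIONS))
    print("free:", free_space("10.0.0.0/23", ALLOCATIONS))
```

Run it over one tab's worth of space at a time (a /17 is 128 rows); the conflict list is the thing to check before saving, since a merged cell painted over another merged cell is exactly how two engineers end up routing the same /27 in two cities.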

Re:I work for a large company... (1)

flyingmike33 (971278) | more than 8 years ago | (#15213175)

Sounds interesting. Would you be willing to share an example of your spreadsheet? If so please send to mikenipp@gmail.com

Proper Planning (2, Informative)

omega9 (138280) | more than 8 years ago | (#15211311)

Our organization has ~13 locations on the east coast. Given any internal IP, I can tell you the site and room number that host is in. And in most cases I can do the same with our external IPs. Each location is standardized on IP block->function assignment, so when a new VPN goes up we already know how to build our tunnels.

Fix the problem, not the symptom. Plan well.