In my last post I put forward some hypothetical arguments against using an IP Address Management solution. The comments and feedback were really great, so thank you! I loved hearing so many viewpoints, and hearing what is important to each of you when it comes to IP management. I promised that in this post I'd give you a few of my own thoughts, but I'm going to include some of yours too.
"IPAM" is Misleading
When I talk about IP Address Management solutions I'm not just referring to the SolarWinds IPAM product but to the wider field of IPAM tools. The one thing most of these products have in common is that they typically do much more than just manage your IP address space. So what might a typical IPAM product do for you?
- IP Address Management - track your available and assigned subnets and IPs
- DNS Management - control DNS records and servers (and map the assigned IPs to DNS entries)
- DHCP Management - control DHCP scopes and servers
These three things make up what is known as DDI (DNS, DHCP and IPAM), and this is perhaps a much better name for most of the products out there. To just call them IPAM solutions severely undersells what they are capable of doing for you. They may also have other handy features:
- Automatic IP discovery and validation
- Utilization reporting (per subnet, of overall space, of DHCP scopes)
How Do You Use IPAM?
In the responses to my last post, the common theme across many comments was that you love the automated discovery of IP addresses in use - configure a subnet, then let the IPAM tool poll that range so you can see what's out there and track utilization. This to me is more like monitoring than management, but it's useful, without question. For me though, this barely scratches the surface of the benefits of a comprehensive IPAM (well, DDI) solution.
In my eyes, managing IP addresses should be a proactive task. You have IP supernets available; you assign subnets as they are required (preferably maintaining a nice summarizable allocation scheme); you use the IPAM system to define DHCP scopes within those subnets; you manage host naming so that you can then maintain DNS records too. And then yes, you run validation to make sure things are as you expect them to be, and to keep an eye on utilization.
The One True Source
The point of all this is that I believe IPAM should be the one, and only, source for your IP information. The best way to ensure that an active DHCP scope matches what is allocated is to have the allocating system itself manage the DHCP scope. Similarly, the best way to ensure that the hostname in your IPAM matches the hostname in DNS is to let the IPAM system manage your DNS. Immediately you remove the opportunity for discrepancies between IPAM, DNS and DHCP. Any time you run parallel systems that can hold the same information, you increase the chances that at some point (undoubtedly due to process failure and/or human error) you will end up with two systems saying different things.
A unified system also has a side benefit, which is that you can now have a single team managing IP, DNS and DHCP, and there's one interface to learn, not three. Imagine you want to set up a manual DHCP entry (a static mapping of MAC to IP). In a DDI system, you go in and add the mapping and give it a hostname. Once done, the DNS server knows about the new host (and the reverse zone is updated too), the DHCP server is configured with the new manual entry, and the IP is flagged in your IPAM as reserved. Without DDI, you may have three different teams needing to make changes to achieve the same thing.
The trick for any IPAM solution is to make that process as simple as possible. If I configure an IP address with a hostname, I want to be able to select a domain name and check a box to add it to DNS. Another checkbox should confirm if I want to add it to a reverse zone as well. Make it easy, and people will use it!
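To make the "one true source" idea concrete, here is an added example (not code from the original post or from any DDI product) that derives the forward A record, the reverse PTR record and an ISC dhcpd-style static mapping from a single IPAM record, and then runs the validation step the post mentions: comparing what IPAM says against what DNS and DHCP actually serve and reporting any drift. The record format, zone views and sample hosts are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Reservation:
    """One IPAM record: the single source from which DNS and DHCP are derived."""
    hostname: str
    domain: str
    ip: str
    mac: str

def fqdn(r: Reservation) -> str:
    return f"{r.hostname}.{r.domain}."

def dns_records(r: Reservation) -> list[str]:
    """Forward A record plus reverse PTR record, both derived from the same IPAM record."""
    addr = ipaddress.ip_address(r.ip)
    return [f"{fqdn(r)} IN A {addr}", f"{addr.reverse_pointer}. IN PTR {fqdn(r)}"]

def dhcp_host_stanza(r: Reservation) -> str:
    """ISC dhcpd-style static MAC-to-IP mapping (stanza layout assumed for illustration)."""
    return (f"host {r.hostname} {{ hardware ethernet {r.mac}; "
            f"fixed-address {r.ip}; }}")

def find_drift(ipam: list[Reservation], dns_a: dict[str, str], dhcp_fixed: dict[str, str]) -> list[str]:
    """Validation: compare IPAM against the live views of DNS and DHCP.
    dns_a maps FQDN -> IP from the forward zone; dhcp_fixed maps MAC -> fixed address."""
    problems = []
    for r in ipam:
        name, mac = fqdn(r), r.mac.lower()
        if dns_a.get(name) != r.ip:
            problems.append(f"DNS: {name} is {dns_a.get(name, 'missing')}, IPAM says {r.ip}")
        if dhcp_fixed.get(mac) != r.ip:
            problems.append(f"DHCP: {mac} fixed to {dhcp_fixed.get(mac, 'nothing')}, IPAM says {r.ip}")
    return problems

# Constructed sample data: one host is consistent everywhere, one has drifted in both DNS and DHCP
IPAM = [Reservation("printer01", "corp.example", "10.20.30.40", "00:11:22:33:44:55"),
        Reservation("badge-ctl", "corp.example", "10.20.30.41", "00:11:22:33:44:66")]
DNS_A = {"printer01.corp.example.": "10.20.30.40", "badge-ctl.corp.example.": "10.20.30.99"}
DHCP_FIXED = {"00:11:22:33:44:55": "10.20.30.40"}

if __name__ == "__main__":
    for r in IPAM:
        print(*dns_records(r), dhcp_host_stanza(r), sep="\n")
    for p in find_drift(IPAM, DNS_A, DHCP_FIXED):
        print("DRIFT:", p)
```

When DNS and DHCP are generated from the IPAM record as above, the drift check should never find anything; it only earns its keep when someone edits one of the three systems by hand.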
Integration
One more hurdle that DDI solutions face is integration. The IPAM solution itself typically doesn't act as a DNS or DHCP server; rather, it needs to be able to configure your existing DNS or DHCP servers, for example Microsoft DNS/DHCP or ISC BIND/DHCP. Typically, DDI systems support configuration of their own DNS/DHCP appliances and some other common platforms (Microsoft and ISC services are the usual ones). Integration beyond that can be quite limited, and can be a barrier to adoption. The thing is, if you skip integrating DHCP, say, because you don't have compatible DHCP servers, you're not really getting the full ROI out of your DDI solution.
TMTOWTUI
Ultimately, you can use IPAM any way you like. You've heard how I think it should be used; am I wrong? Based on how you manage your IP, DNS and DHCP now, can you go further to integrate and automate that process? Did you know that IPAM could do all that for you? Or perhaps you already manage DNS, DHCP and IPAM in one place; if so, are you gaining the benefits you thought you would?
John.