[Fedora] Re: DHCP with static nodes

Scot L. Harris webid at cfl.rr.com
Mon Jul 25 12:33:16 UTC 2005


On Mon, 2005-07-25 at 01:10, Ashley M. Kirchner wrote:
> Scot L. Harris wrote:
> 
> >The easiest thing to do is to allocate a portion of your address space
> >on the LAN for static addressed devices.
> >
>     That is no longer an option.  Many of our devices in the building 
> were installed and are supported by third party vendors who have, at 
> time of installation, configured their applications to work based on 
> those IPs.  Consequently, we have devices with static IPs that are 
> scattered all over the spectrum.  I can't change them and clump them all 
> together in a range without going through some serious pain, contacting 
> each vendor and having them send a technician to come "fix" the issue.  I 
> need to work with what's currently there.
> 

Too bad.  Sounds like some prior planning would have made this so much
easier to maintain and keep secure.  

> >You can configure DHCP to allocate specific addresses based on the MAC
> >address of the device.  But why bother?  IMHO it just makes more work to
> >use DHCP for devices that really should be statically defined in the
> >first place.
> >

Read Markku Kolkka's message with the details on how to allocate an IP
address to a specific MAC address.  

>     We go through client computers faster than we do our larger 
> equipment.  We have clients who walk in the building wanting to get onto 
> our network.  I'm not there every time, and without me in the building, 
> it's a guessing game for them to figure out what IP they can use to get 
> on.  Let alone having to figure out how to even set a static IP and 
> proper routing on our network.  Most laptops you buy nowadays are, by 
> default, configured for DHCP.  Most routers you buy are configured for 
> DHCP, so most people don't bother with any networking, or to figure out 
> how to actually change their settings.  So, it makes more sense, for us, 
> a service bureau, to convert part of our network to DHCP for our 
> clients.  I just need to figure out how to do it while retaining the 
> static IPs that are required, and converting everything else to DHCP and 
> call it a day.

I was not saying to do away with DHCP entirely.  It just makes more
sense to statically assign IP addresses to infrastructure devices like
printers/servers that don't have a need to get their addresses
dynamically.  IMHO using DHCP for such devices leaves you open to a
variety of problems, the least of which is when the lease expires that
device not getting the same IP.  The worst case is someone plugging into
your network and somehow forcing a takeover of one of your server IP
addresses then sitting there collecting login attempts to get passwords
and other data. Or just passing out invalid data.

If I was in your position I would have a separate firewalled LAN segment
for walk in clients which used DHCP.  The firewall would be used to
monitor activity and limit what services/devices they could access on
the internal LAN used for such devices.  

I would also be using statically assigned IP addresses on the
servers/printers so my monitoring tools could keep track of those
devices.  I would be using something like opennms, nagios, or big
brother as well as mrtg or cacti to monitor all infrastructure devices. 
This would include routers, firewalls, printers, servers, and even some
clients that are always on the network. I would also be using something
like arpwatch or arpsnmp to monitor what devices connected to the LAN.

By doing some planning up front all of this can be so much easier to
maintain and troubleshoot when there are problems.  And setting up a
few tools to automatically monitor most things on your network makes the
job a whole lot easier. 

 
-- 
Scot L. Harris
webid at cfl.rr.com

Blessed is he who expects nothing, for he shall never be disappointed.
		-- Alexander Pope 
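
An added example, not part of the original message: an arpwatch-style check of the kind the message recommends, comparing an ARP table snapshot against an inventory of statically addressed devices. The addresses, the inventory, the finding names and the sample snapshot are all constructed; the snapshot uses the Linux /proc/net/arp layout.

```python
"""Arpwatch-style audit of an ARP table snapshot against a static inventory."""

# Constructed inventory: static infrastructure IPs and the MAC each should use.
STATIC_HOSTS = {
    "192.168.10.5": "00:16:3e:aa:00:05",   # server (constructed)
    "192.168.10.40": "00:16:3e:aa:00:40",  # printer (constructed)
}

# Constructed snapshot in the Linux /proc/net/arp layout.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.10.5     0x1         0x2         00:16:3E:AA:00:05     *        eth0
192.168.10.40    0x1         0x2         02:00:de:ad:be:ef     *        eth0
192.168.10.77    0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.10.131   0x1         0x2         02:00:de:ad:be:ef     *        eth0
"""

ATF_COM = 0x02  # Linux flag bit: entry is complete (MAC resolved)


def parse_arp(text):
    """Yield (ip, mac) for completed entries, skipping the header row."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or truncated line
        if not int(fields[2], 16) & ATF_COM:
            continue  # unresolved entry carries an all-zero MAC
        yield fields[0], fields[3].lower()


def audit(text, static_hosts):
    """Return (finding, ip, mac) tuples for entries that break the inventory."""
    expected = {ip: mac.lower() for ip, mac in static_hosts.items()}
    static_macs = set(expected.values())
    findings = []
    for ip, mac in parse_arp(text):
        if ip in expected:
            if mac != expected[ip]:  # a static IP answered by another MAC
                findings.append(("static-ip-mac-changed", ip, mac))
        elif mac in static_macs:     # inventory device seen on a different IP
            findings.append(("static-mac-on-other-ip", ip, mac))
        else:                        # e.g. a walk-in DHCP client
            findings.append(("non-inventory-device", ip, mac))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ARP, STATIC_HOSTS):
        print(*finding)
```

To audit a live Linux host, pass the contents of /proc/net/arp to `audit()` in place of the sample.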



