On Mon, 2005-07-25 at 01:10, Ashley M. Kirchner wrote:
> Scot L. Harris wrote:
>
> >The easiest thing to do is to allocate a portion of your address space
> >on the LAN for static addressed devices.
>
> That is no longer an option. Many of our devices in the building
> were installed and are supported by third-party vendors who have, at
> time of installation, configured their applications to work based on
> those IPs. Consequently, we have devices with static IPs that are
> scattered all over the spectrum. I can't change them and clump them all
> together in a range without going through some serious pain, contacting
> each vendor and having them send a technician to come "fix" the issue. I
> need to work with what's currently there.

Too bad. Sounds like some prior planning would have made this so much
easier to maintain and keep secure.

> >You can configure DHCP to allocate specific addresses based on the MAC
> >address of the device. But why bother? IMHO it just makes more work to
> >use DHCP for devices that really should be statically defined in the
> >first place.
>

Read Markku Kolkka's message with the details on how to allocate an IP
address to a specific MAC address.

> We go through client computers faster than we do our larger
> equipment. We have clients who walk in the building wanting to get onto
> our network. I'm not there every time, and without me in the building,
> it's a guessing game for them to figure out what IP they can use to get
> on. Let alone having to figure out how to even set a static IP and
> proper routing on our network. Most laptops you buy nowadays are, by
> default, configured for DHCP. Most routers you buy are configured for
> DHCP, so most people don't bother with any networking, or to figure out
> how to actually change their settings. So, it makes more sense, for us,
> a service bureau, to convert part of our network to DHCP for our
> clients. I just need to figure out how to do it while retaining the
> static IPs that are required, and converting everything else to DHCP and
> call it a day.

I was not saying to do away with DHCP entirely. It just makes more sense
to statically assign IP addresses to infrastructure devices like
printers/servers that don't have a need to get their addresses
dynamically. IMHO using DHCP for such devices leaves you open to a
variety of problems, the least of which is when the lease expires that
device not getting the same IP. The worst case is someone plugging into
your network and somehow forcing a takeover of one of your server IP
addresses, then sitting there collecting login attempts to get passwords
and other data. Or just passing out invalid data.

If I was in your position I would have a separate firewalled LAN segment
for walk-in clients which used DHCP. The firewall would be used to
monitor activity and limit what services/devices they could access on
the internal LAN used for such devices.

I would also be using statically assigned IP addresses on the
servers/printers so my monitoring tools could keep track of those
devices. I would be using something like opennms, nagios, or big brother
as well as mrtg or cacti to monitor all infrastructure devices. This
would include routers, firewalls, printers, servers, and even some
clients that are always on the network. I would also be using something
like arpwatch or arpsnmp to monitor what devices connected to the LAN.

By doing some planning up front all of this can be so much easier to
maintain and troubleshoot when there are problems. And setting up a few
tools to automatically monitor most things on your network makes the job
a whole lot easier.

-- 
Scot L. Harris
webid@xxxxxxxxxx

Blessed is he who expects nothing, for he shall never be disappointed.
-- Alexander Pope
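The practical problem in this exchange is keeping DHCP pools clear of static addresses that are scattered across the block, while still pinning each known device to its MAC. The script below is an added example written for this page; it is not code from the thread or from either poster, and the network, MACs and device list are constructed sample values. It computes the contiguous gaps between the static addresses, turns them into ISC dhcpd-style `range` statements, and emits a `host` reservation per static device so the address stays tied to that MAC even if the device is later switched to DHCP. The `min_pool_size` argument drops gaps too small to be worth a pool.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample (hypothetical): a /24 in which vendor-installed devices
# hold static addresses at arbitrary points, keyed by IP -> MAC.
NETWORK = "192.168.10.0/24"
ROUTER = "192.168.10.1"
STATIC_DEVICES: Dict[str, str] = {
    "192.168.10.1": "00:00:5e:00:53:01",    # router
    "192.168.10.9": "00:00:5e:00:53:09",    # print server
    "192.168.10.10": "00:00:5e:00:53:0a",   # file server
    "192.168.10.77": "00:00:5e:00:53:4d",   # vendor-managed plotter
    "192.168.10.200": "00:00:5e:00:53:c8",  # vendor-managed press controller
}


def free_ranges(network: str, reserved: Iterable[str],
                min_pool_size: int = 1) -> List[Tuple[str, str]]:
    """Return (low, high) host ranges inside `network` that contain no
    reserved address. Ranges shorter than `min_pool_size` are dropped.
    Raises ValueError if a reserved address lies outside the network."""
    net = ipaddress.ip_network(network, strict=True)
    taken = set()
    for addr in reserved:
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            raise ValueError(f"{addr} is not inside {network}")
        taken.add(ip)

    ranges: List[Tuple[str, str]] = []
    start = prev = None

    def flush() -> None:
        # Emit the open range if it is large enough to be a useful pool.
        if start is not None and int(prev) - int(start) + 1 >= min_pool_size:
            ranges.append((str(start), str(prev)))

    for host in net.hosts():  # skips network and broadcast addresses
        if host in taken:
            flush()
            start = None
            continue
        if start is None:
            start = host
        prev = host
    flush()
    return ranges


def address_in_pools(addr: str, pools: List[Tuple[str, str]]) -> bool:
    """True if `addr` would be handed out dynamically from any pool."""
    ip = ipaddress.ip_address(addr)
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in pools)


def dhcpd_config(network: str, router: str, statics: Dict[str, str],
                 min_pool_size: int = 1, lease_seconds: int = 3600) -> str:
    """Render an ISC dhcpd-style subnet block whose pools avoid every static
    address, followed by one host reservation per static device."""
    net = ipaddress.ip_network(network, strict=True)
    lines = [
        f"subnet {net.network_address} netmask {net.netmask} {{",
        f"  option routers {router};",
        f"  default-lease-time {lease_seconds};",
        f"  max-lease-time {lease_seconds * 2};",
    ]
    for lo, hi in free_ranges(network, statics, min_pool_size):
        # dhcpd accepts a single-address form when the gap is one host wide.
        lines.append(f"  range {lo} {hi};" if lo != hi else f"  range {lo};")
    lines.append("}")

    # Reservation per static device: if it is ever reconfigured for DHCP it
    # still receives the address the vendor's application expects.
    by_ip = sorted(statics.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    for ip, mac in by_ip:
        name = "dev-" + ip.replace(".", "-")
        lines += [f"host {name} {{",
                  f"  hardware ethernet {mac};",
                  f"  fixed-address {ip};",
                  "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(dhcpd_config(NETWORK, ROUTER, STATIC_DEVICES, min_pool_size=8))
```

Keeping the static addresses out of the `range` statements, rather than relying on the reservations alone, is the safer choice: a reservation only protects an address when the server knows the device's MAC, whereas a gap in the pool protects it unconditionally. The `address_in_pools` check is the quick audit to run after editing the device list by hand.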