IP Addressing Space Management Applications?

Posted by Cliff on Wed Apr 26, 2006 05:55 PM
from the a-/48-is-a-lot-of-numbers dept.
_RiZ_ asks: "I work for a medium sized company and we are looking for a solution to aid in managing the ever complex IP space in use throughout the growing enterprise. We currently use a full class B of public addresses as well as all RFC 1918 ranges. The idea came up to develop this application internally, however this has proven in the past to be more of a headache, especially if the original developer changes roles or moves on from our company. We have looked at IPplan, but have found this program is more intended for an ISP documenting customer ranges rather than an enterprise IT shop. We would like something which is database driven, intuitive to use, and preferably open source, although a good commercial solution is always a viable option. Does anyone have any suggestions?"
  • Keep it simple (Score:2, Funny)

    by Anonymous Coward on Wednesday April 26 2006, @06:05PM (#15208549)
    3x5 cards.
  • My Opinion (Score:2, Informative)

    by TheRealMindChild (743925) on Wednesday April 26 2006, @06:12PM (#15208587)
    (http://www.mindchild.net/ | Last Journal: Tuesday November 29 2005, @10:16AM)
    If you need software to track it, you're making it too hard.
  • by merreborn (853723) * on Wednesday April 26 2006, @06:21PM (#15208635)
    ...That's insufficient?

    (10/8 = 10.0.0.0 - 10.255.255.255)
  • Lucent VitalQIP (Score:4, Informative)

    by FreeMath (230584) on Wednesday April 26 2006, @06:23PM (#15208646)
    (http://freebytes.org/ | Last Journal: Monday July 28 2003, @02:58AM)
    Proprietary, but Lucent's VitalQIP [lucent.com] provides several nice functions like automated subnetting, DHCP and DNS integration, along with the ability to scale.
  • ipv6 needed maybe (Score:2, Insightful)

    If you have a big enough and recent enough set of clients, you may want to think about doing an IPv6 conversion (the way I understand it, the last 64 bits of the address can be generated using the MAC of the network card, so if you know which NIC is on a desk then ..)
  • DIY (Score:2, Informative)

    by Anonymous Coward on Wednesday April 26 2006, @06:32PM (#15208691)
    http://www.postgresql.org/docs/7.4/interactive/datatype-net-types.html [postgresql.org]

    "PostgreSQL offers data types to store IPv4, IPv6, and MAC addresses, shown in Table 8-17. It is preferable to use these types over plain text types, because these types offer input error checking and several specialized operators and functions."
    • Re:DIY by dougmc (Score:2) Wednesday April 26 2006, @10:29PM
    • Re:DIY by thrills33ker (Score:1) Thursday April 27 2006, @05:02AM
  • Ipplan (Score:1, Informative)

    by Anonymous Coward on Wednesday April 26 2006, @06:35PM (#15208711)
    Ipplan can be customised to just show you the stuff you need to see. We have about the same sized address space and ipplan works great.
  • Do you know how to search freshmeat? (Score:5, Informative)

    by labratuk (204918) on Wednesday April 26 2006, @06:35PM (#15208718)
    Have you looked at phpip [phpip.net] or ipspace [null-ptr.net] yet?
  • IPAM (Score:3, Informative)

    by forq (133285) on Wednesday April 26 2006, @06:39PM (#15208730)
    If you really want to get fancy, and integrate your IP address space management with your DHCP and DNS, take a look at BlueCat Networks [bluecatnetworks.com]. They have a suite of tools, and the one you're looking for is called Proteus [bluecatnetworks.com]. Highly integrated DNS, DHCP, and IP Address Management. It costs money, but it sounds like your shop can afford it. Best of luck.
    • Re:IPAM by AYJA061 (Score:1) Wednesday April 26 2006, @09:28PM
      • Re:IPAM by _RiZ_ (Score:1) Wednesday April 26 2006, @11:02PM
        • Re:IPAM by AYJA061 (Score:1) Wednesday April 26 2006, @11:33PM
  • I don't get what the problem is... (Score:3, Interesting)

    by MoralHazard (447833) on Wednesday April 26 2006, @06:40PM (#15208733)
    Maybe I'm dense, but what, exactly, is the problem the poster is trying to solve?

    Why does this need any application more complex than a text file sitting on a file share, somewhere, for people to review or make changes as needed? That's what I do, and it seems to work OK.

    Plus, what does it mean to use "all" of the RFC1918 IP ranges? Does that mean they're using every IP in every range, or every prefix in every range, or does it just mean that they don't understand subnetting?
  • by Bootle (816136) on Wednesday April 26 2006, @06:44PM (#15208750)
    I too want to know, just when will USPTO/RIAA/MPAA address the problems NASA just can't get a grasp on. Someone must back my lunar trademarks!
  • it all hinges on one word.... (Score:3, Insightful)

    by Malor (3658) on Wednesday April 26 2006, @06:44PM (#15208752)
    (Last Journal: Monday June 05 2006, @05:03PM)
    The problem is that your question is a bit vague. You want help 'managing' the IP space, but you don't indicate what 'managing' means to you. If you can be clearer about exactly what you want it to do, you'll probably get more useful suggestions.
  • by Cybersonic (7113) <ralph@ralph.cx> on Wednesday April 26 2006, @06:53PM (#15208804)
    (http://ralph.cx/)
    I have to say, Infoblox http://www.infoblox.com/ [infoblox.com] is the best solution for this I have seen yet. It is not free, but gives a company with LOTS of IP addresses a nice way to manage them all.

    Most people use either Excel (yuck) or a home grown PHP app they write themselves. (I'm talking some Fortune 500 companies here as well)
  • same boat (Score:5, Informative)

    by aichainz (523314) on Wednesday April 26 2006, @07:01PM (#15208846)
    I've reviewed the following:

    Bluecat Networks Proteus/Adonis http://www.bluecatnetworks.com/ [bluecatnetworks.com]
    Incognito IP/Name/DNS Commander http://www.incognito.com/ [incognito.com]
    INS IPControl http://www.ins.com/ [ins.com]
    Carnegie Mellon's NetReg http://www.net.cmu.edu/netreg [cmu.edu]
    Lucent VitalQIP http://qip.lucent.com/ [lucent.com]
    Solarwinds IPAM Pro http://www.solarwinds.net/ [solarwinds.net]
    Men & Mice http://www.menandmice.com/ [menandmice.com]
    Infoblox http://www.infoblox.com/ [infoblox.com]
    IPPlan http://freshmeat.net/projects/ipplan [freshmeat.net]
    MetaInfo http://www.metainfo.com/ [metainfo.com]

    In hopes of replacing our current in-house developed solution.

    I'll be honest, they are for the most part simply 'ok'. I wasn't super-impressed with any of them, and the bottom half of the list were definitely not ready for ISP/ASP/MSP-level use. I've listed them in descending order of my preference. All the useable ones are super-expensive, on the order of 'ok you can afford to pay a decent php/mysql coder to code you something from the ground up', or you can take this out-of-the-box thing, and shoe-horn it into your existing network. Which will in most cases take some weeks of programming anyway...

    I had some of what I thought were pretty simple requirements...

    - unix/linux based
    - no single point of failure (clustering)
    - handle forward and reverse dns
    - APIs (mostly to allow us to present a customer access to their zones)
    - web-based gui with tiered user-levels
    - pref software-based install rather than appliance, due to the shoe-horn prediction I mentioned above

    Those are the highlights off the top of my head. I was surprised how few actually had all those features.

    After months of doing webcasts, reading white-papers etc we've come to the conclusion that it's going to be developed in-house from the ground up, using bsd/apache/postgres/php/bind and some soap.

    After reviewing these, I'm actually dying to know what large enterprises are using. I'm hoping there's some magic bullet IPAM solution that I missed on google. Please someone tell me about it!

    Anyway, hope this helps you in your quest.
    • Re:same boat by Cybersonic (Score:2) Wednesday April 26 2006, @07:20PM
      • Re:same boat by _RiZ_ (Score:1) Wednesday April 26 2006, @11:08PM
    • Re:same boat by vitroth (Score:1) Thursday April 27 2006, @12:51PM
  • State your mission man ... (Score:4, Informative)

    by zeridon (846747) on Wednesday April 26 2006, @07:06PM (#15208863)
    (http://www.getoto.net/)
    1) Do you need just bookkeeping stuff? - spreadsheet or some homemade app will do it!
    2) DHCP/DNS integration management? - Sauron [sauron.jyu.fi] project is my favourite at the moment
    3) Something more specific ... then go either for something commercial or your developers.
  • I've written one.. (Score:1)

    by sirrmt (971078) on Wednesday April 26 2006, @07:28PM (#15208975)
    (http://spinnesoft.com/)
    When I was working at an Aussie Telco, I wrote an IP Management Database. It was designed to provide an easy-to-manage overview of the IP space, but allow automated allocation. After I left the company, I wrote a new one from scratch based on the original design.. this isn't complete (lacking some features), but it's quite usable. I was going to market it commercially (and still might) but I got distracted with life, and it's been sitting around doing nothing. I'd like to see it used and further developed, so if you're interested, we can reach an arrangement. http://spinnesoft.com/products/ipdatabase/

    You can contact me via jabber at rmt@jabber.freenet.de, or via the email addresses on the website.
  • by ubrkl (310861) on Wednesday April 26 2006, @08:21PM (#15209234)
    I say move to IPv6. That would solve addressing issues, unless I don't understand the problem :)
  • Nodes? (Score:2, Interesting)

    by Ajehals (947354) <andyhalsall.ictsc@com> on Wednesday April 26 2006, @08:38PM (#15209312)
    (http://www.ictsc.com/ | Last Journal: Saturday December 09 2006, @10:15PM)
    Just how many addressed nodes are we talking about? And how many physical networks?

    I would probably start looking at this as a paper project and see if you can't rationalise your network address schemes somewhat, I've used and would recommend IPPlan generally, http://iptrack.sourceforge.net/ [sourceforge.net] but I don't tend to manage networks in any meaningful way, I prefer the networks to manage themselves, getting initial configurations of DHCP and DNS schemas right and then scaling it all up, maintaining documentation of the general topology generally helps too, although actually tracking what IP address is assigned to what isn't generally all that important or at least not for more than about 10% of the addressed nodes (I reserve ranges for static addressing on servers and network devices that require them and issue them sequentially per device, everything else is dynamic).

    However you seem to be talking about more than a few thousand hosts so it will presumably be a bit different, I've never thought about scaling a LAN that I have managed beyond 3000 devices, and when looking at WAN it's never been a problem to have multiple networks with the same address schemes interconnect, it just involved NAT at each gateway

    Just a quick one, if you are using all of the address allocation according to RFC1981 that would mean you have well in excess of 16 Million nodes, or you really need to look at how you have allocated subnets...

    • Re:Nodes? by _RiZ_ (Score:1) Wednesday April 26 2006, @11:17PM
      • Re:Nodes? by Ajehals (Score:1) Thursday April 27 2006, @12:43AM
      • Re:Nodes? by Ajehals (Score:1) Thursday April 27 2006, @01:44AM
  • Maintain from OSU? (Score:2, Informative)

    by Randle_Revar (229304) on Wednesday April 26 2006, @09:22PM (#15209507)
    (http://www.clowersnet.net/~krc/ | Last Journal: Wednesday January 10 2007, @08:40PM)
    I am not sure, but Maintain seems like the kind of thing you are looking for: http://osuosl.org/projects/maintain/ [osuosl.org]

    Although, looking at it, it seems to be specific to dhcpd3 and djbdns...

    Anyway, I thought I would just throw it out here for consideration.
  • by Zapman (2662) on Thursday April 27 2006, @06:45AM (#15211016)
    You state that you're a midsized company, yet you're using a full internet class b, a private class A (10.*), 16 class b's (172.16.*), and a class B (192.168.*).

    That's more IP addresses than a major technical college I know uses. Unless you're a pretty major ISP, that's crazy. MAJOR companies often make do with a decent number of internet routable IPs, and a lot of NAT.

    Lesson one: Learn NAT (aka ipMasquerade)

    NAT lets you have 1 firewall that offers internet access to lots of other computers. Thousands of computers sit comfortably behind a single internet gateway.

    Lesson two: learn subnetting.

    Just because RFC1918 says that 10.x is a class A private range, doesn't mean that you have to route it as a class A... Subnet it. Internally, define 10.1.1.x as a server range. Set up a complex site with several (~5 or so) as 10.0.8.0/29 for example. That would give a site 8 Class C ranges to play with, and it's great for route summarization... which leads me to:

    Lesson three: learn routing.

    After you've subnetted the world, you have to route between it. Cisco makes lots of money selling these devices. You probably should have some (or use Juniper... they do the same thing[1]). Use static routes. Use dynamic routes. But set it up. Which leads me to:

    Lesson four:

    There are reasons that networking geeks are around. Let us deal with these problems. Your world will be much more stable.

    Now, I can imagine some reasons that you are validly using that many IP addresses, and utilizing the concepts/technologies I've mentioned above... but they're a bit of a stretch. Most likely, this whole thing has been set up willy-nilly, and is overdue for an overhaul.

    --Jason

    [1] But you don't have to use true 'routers'... if that term means anything today... If you're routing around a switched environment, most reasonably manageable switches let you configure static and dynamic routing.
  • I work for a large company... (Score:2, Informative)

    by Otis2222222 (581406) on Thursday April 27 2006, @07:34AM (#15211204)
    (http://www.otis.org/)
    I work for a company with about 70,000 employees. We have a lot of address space. Multiple Class Bs of public IP space not to mention 10.0.0.0/8 and the other RFC 1918 space. Far and away the best tool we have ever used to manage IP space is an Excel spreadsheet located on a network drive. As soon as you're done laughing, read on...

    Create a spreadsheet with Column A having the /24s of each block spelled out:
    10.0.0.0
    10.0.1.0
    10.0.2.0
    etc.

    Columns B through Q should be /28s within each /24. Put the network address of each /28 up there, i.e. 0,16,32,48, etc..

    Use the 'Merge Cells' option to block out each subnet that you want to document and then change the background color of that cell to something other than white. White, unmerged cells should always represent available IP space. Put a descriptive text in the cell showing the VLAN, router interface, or firewall that owns that space. If you don't have enough space in the cell, write something very brief and then do an "insert comment" where you can put all the descriptive text you want there.

    I use other colors like pink for "reserved" space, i.e. space that I want to use in an upcoming project but it isn't live yet. Try to keep the number of colors you use to a minimum. Ideally you shouldn't need more than two or three colors.

    Finally, don't put everything onto one worksheet. Use tabs to break things up into different OSPF areas, or however you want. I have a tab for the DMZ environment, one for the Extranet environment, one for the intranet, etc.. Some of the tabs have address space as small as a /19 defined on them. Most of them are /18s or /17s though.

    As long as the file is backed up regularly and all of your network engineers use it religiously, there should be no problems. We have been using this for years now and it has saved our ass on many, many occasions. Only one person can use the file at a time, so conflicts are not an issue.

    Using an off the shelf application is asking for trouble, in my opinion. Keep It Simple, Stupid!
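The spreadsheet layout described in the comment above (one /24 per row, sixteen /28 cells per row, merged cells for allocated subnets, white for free space) maps directly onto Python's `ipaddress` module. This is an added example, not part of the original post or any product named in the thread; the `Sheet` class, the owner labels and the sample ranges are hypothetical.

```python
import ipaddress

class Sheet:
    """One worksheet tab: rows are /24s, columns are the sixteen /28s in each."""

    def __init__(self, block):
        self.block = ipaddress.ip_network(block)
        self.allocs = {}  # ip_network -> (owner, status)

    def allocate(self, subnet, owner, status="live"):
        net = ipaddress.ip_network(subnet)  # strict: rejects host bits set
        if not net.subnet_of(self.block):
            raise ValueError(f"{net} is outside {self.block}")
        if net.prefixlen > 28:
            raise ValueError("the sheet's smallest cell is a /28")
        for other, (who, _) in self.allocs.items():
            if net.overlaps(other):  # the check a merged cell gives you visually
                raise ValueError(f"{net} overlaps {other} ({who})")
        self.allocs[net] = (owner, status)

    def owner_of(self, ip):
        """Answer 'who owns this address?' for an alert or a firewall log line."""
        addr = ipaddress.ip_address(ip)
        return next(((n, i) for n, i in self.allocs.items() if addr in n), None)

    def first_free(self, prefixlen):
        """First unallocated (white) block of the requested size, or None."""
        for cand in self.block.subnets(new_prefix=prefixlen):
            if not any(cand.overlaps(n) for n in self.allocs):
                return cand
        return None

    def row(self, slash24):
        """Render one /24 row: '.' is free, 'L' live, 'R' reserved."""
        cells = []
        for cell in ipaddress.ip_network(slash24).subnets(new_prefix=28):
            hit = next((s for n, (_, s) in self.allocs.items()
                        if cell.overlaps(n)), None)
            cells.append(hit[0].upper() if hit else ".")
        return "".join(cells)

def demo_sheet():
    """Constructed sample data; owners and ranges are hypothetical."""
    sheet = Sheet("10.0.0.0/19")
    sheet.allocate("10.0.0.0/26", "VLAN 10 on core-rtr Gi0/1")
    sheet.allocate("10.0.0.64/28", "fw-dmz inside", status="reserved")
    sheet.allocate("10.0.1.0/24", "VLAN 20 user LAN")
    return sheet

if __name__ == "__main__":
    s = demo_sheet()
    print(s.row("10.0.0.0/24"), s.first_free(28), s.owner_of("10.0.0.70"))
```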
  • Proper Planning (Score:3, Informative)

    by omega9 (138280) on Thursday April 27 2006, @07:52AM (#15211311)
    (http://mkeadle.org/)
    Our organization has ~13 locations on the east coast. Given any internal IP, I can tell you the site and room number that host is in. And in most cases I can do the same with our external IPs. Each location is standardized on IP block->function assignment, so when a new VPN goes up we already know how to build our tunnels.

    Fix the problem, not the symptom. Plan well.
  • Re:What? (Score:1)

    by clydemaxwell (935315) on Thursday April 27 2006, @08:03AM (#15211366)
    (http://mylinuxblog.livejournal.com/)
    Why in God's name would you do that?
    Are you doing IP-based virtual hosts? This is ridiculous.
    • Re:What? by Xaria (Score:1) Sunday May 07 2006, @11:48PM