Hi,
I'm just wondering what's best to use: fixed IP addresses for the school client PCs, or dynamic addresses.
I'm using Norton Ghost and Webmarshal (like censornet).
Just after opinions.
Well what I've started to do, is use the reservations in the DHCP system.
Of course, this does mean having to get all the MAC addresses (various tools for that) and then adding them to DHCP.
In case you don't know, this means you can still leave the client PCs set to automatically obtain their IP address, but then the DHCP server gives them the same IP address each time.
It seems to me a good way to organise things but the snag is freeing them all up to do this and having 98 PCs causes me a few probs with this lol
(nothing major, it's just a bit o' manual processing)
In my mind, it's better than fixed IP addresses and exclusions in the DHCP range(s) and you can even do it with Print Servers - the ones that support DHCP o' course lol. Haven't changed them yet but I will. Of course this will rely on the DHCP server a bit more but I've found it not to trip up at all yet.
Cheers,
N
I have the server dishing out via DHCP for when I ghost, then, when the machine is a happy bunny, I assign it a static IP. I find static much easier, because at a glance I know which room a computer is in.
Funny I'm doing EXACTLY the same thing Nath!!! The aim is to eventually completely lock down the network so that nothing can get on without me setting it up first.
That's the issue for me with DHCP - security.
I've got it dishing out DHCP, on a slightly different range (i.e. I don't point it to the switch or the server), so any new device can't access the server, and if you don't know the proxy address (only I do) then you can't even access the internet.
This is the same principle as what I mean, Stewart:
"I have the server dishing out via DHCP for when I ghost, then, when the machine is a happy bunny, I assign it a static IP. I find static much easier, because at a glance I know which room a computer is in."
I didn't think ninjabeaver was referring to ghost primarily (were you? lol doh!) but now I guess, when I use ghostcasting (or whenever/whatever requests an IP from a client) due to the reservations, it will always assign the right IP address to the right computer.
Handy when doing anythin' I wud have thought
I wouldn't rely on this fact btw lol:
"if you don't know the proxy address (only I do) then you can't even access the internet"
Proxy addys can be found out lol
Cheers
Nath
I've always found static IPs to be a nightmare to manage. If I was at all worried about network access I'd use 802.1X or IPsec. If you're thinking about this you might want to read the whitepapers on the Microsoft W2K3 Server site about network access protection.
http://www.microsoft.com/windowsserv...p/default.mspx
Agreed Geoff (and ta for the link)
I used to have to manually set up clients on the admin network with specific manual IPs - a nightmare indeed (wasn't in control of the DHCP either, if you're wondering why).
But DHCP reservations are easy and useful too
I shall not rant further on this....
...well....
N.
Just use hostnames according to location to determine where they are, i.e.:
IT30-1, IT30-2, LIB-10, Tech-23 etc.
My log in script also uses these names to determine which printers to add. Easy.

I use DHCP for all clients (with sensible names as Chris mentioned, so that printers can be added easily).
Print servers, WiFi APs, etc. are then given reservations so that I know 'where' they are.
I also use authentication on my proxy and I tend to err on the side of paranoia with permissions.
I use static for classrooms, e.g. 192.168.12.x would be a classroom 2 in building #1.
We use dynamic for staff laptops and random single machines. It's fortunate we didn't roll out DHCP for classrooms like we wanted to, since ISA 2004 needs static to be able to control the internet properly. With over 500 machines it would be a big job to convert to MAC reservations.
Naming PCs with sensible room/location conventions works well, I then use IPSCAN to grab a list of all PCs on sub-net to show IP/name/MAC/User. DHCP provides all my student PC IPs... and most importantly... with scopes set up correctly a ton of administration is removed.
Static IPs are fine when you want to lock down, but like most things they are prone to finger trouble... it only takes a moment in a busy environment to err, and then lots of time to diagnose and track.
So, it's up to you to decide when the situation demands a specific solution and then how to distribute that to potentially many disparate systems!
...ok I shall rant a "tad" more...
Just to expand a bit further, I use both reserved IPs and naming the computers with "some" order too.
The reason for the reserved IPs is not mainly for organisation - as you say, why bother when you can use a decent hostname strategy.
The reason is primarily if I install XP from a custom unattended CD quickly (for those odd machines that are dotted around the place), install a few apps, but then forget to change the hostname, at least I'll know what and where it is as the IP addy will be the same as it was before the "wipe" of the machine.
Also, if a user "does" manage to be able to attempt a change of IP, tho I haven't tried it - I would have thought it won't work and then it'll only conflict with the IP they change it to (the one that already exists) which I'll know what and where it is (probably too tired to properly make sense there lol)
I'd imagine that once I've locked down and reserved the lot - I should be able to deny any people trying to "add their machine" to the network also, i.e. won't assign them an IP. I imagine there is some sort of option for this somewhere: "only allow MAC reservations" - like WAPs have
Cheers,
N.
Has anyone experienced 'Bad Address' issues with DHCP reservations?
Two tricks I've used -
Reserve a block of IP addresses in DHCP, and then exclude the lot of 'em.
Then only the MACs with reservations get in.
The alternative I've also done is to exclude all but one or two IP's from DHCP, and then monitor them for activity. It gives me a "generic" address to bring the new machine up online before I enter a reservation for it - especially true with a laptop/notebook with a dock that has both a wired and a wireless connection.
It also allows an exec to "play" with a "new toy" and get onto the intranet but not the internet. They're happier that way, and then I go over and tell them "you're supposed to bring new toys to us first..." and ipsec blocks against anything important for the "generic" address.
But troubleshooting if you need to go to a sniffer (wireshark) is a lot easier if you have addresses in zones like classrooms or buildings. It also makes it easier to manage restrictions - IP blocks assigned to student areas, IP blocks assigned to teacher/professors, which may be in an office attached to a classroom, and IP blocks assigned to administration, even if the total-network topology is "flat."
Of course, IP by userid (802.1x) works well for that, too.
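An added example, not code from any poster in the thread: a sketch of the monitoring the last post describes, comparing what is actually on the wire against the reservation list, the "generic" onboarding addresses and the per-zone address blocks. Every address, MAC, zone name and function name here is a constructed assumption.

```python
import ipaddress

# Constructed sample data; zones follow the thread's 192.168.12.x classroom idea.
ZONES = {"classroom-2": ipaddress.ip_network("192.168.12.0/24"),
         "staff": ipaddress.ip_network("192.168.20.0/24")}
GENERIC_POOL = {"192.168.99.10", "192.168.99.11"}  # the few unexcluded addresses
RESERVATIONS = {  # MAC -> reserved IP
    "00:11:22:33:44:01": "192.168.12.21",
    "00:11:22:33:44:02": "192.168.12.22",
    "00:11:22:33:44:10": "192.168.20.5",
}
SAMPLE = [  # (ip, mac) pairs as a lease export or subnet scan would list them
    ("192.168.12.21", "00-11-22-33-44-01"),  # known device on its reservation
    ("192.168.12.50", "00:11:22:33:44:02"),  # known device, hand-set address
    ("192.168.99.10", "AA:BB:CC:00:00:01"),  # new device on the generic address
    ("192.168.20.5", "aa:bb:cc:00:00:02"),   # stranger on a reserved address
    ("192.168.12.77", "aa:bb:cc:00:00:03"),  # stranger with a manual address
]

def norm_mac(mac):  # accepts 00-11-22-.., 0011.22aa.bbcc and 00:11:22:.. forms
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def zone_of(ip):
    return next((n for n, net in ZONES.items() if ipaddress.ip_address(ip) in net), None)

def audit(observed, reservations=RESERVATIONS):
    """Return (ip, mac, reason) for every observed host that breaks the plan."""
    owner = {ip: mac for mac, ip in reservations.items()}
    findings = []
    for ip, raw_mac in observed:
        mac = norm_mac(raw_mac)
        reserved_ip = reservations.get(mac)
        if reserved_ip == ip:
            continue  # known device on its own address
        if reserved_ip is not None:
            findings.append((ip, mac, f"reserved device off its address (expected {reserved_ip})"))
        elif ip in GENERIC_POOL:
            findings.append((ip, mac, "new device on generic address: needs a reservation"))
        elif ip in owner:
            findings.append((ip, mac, f"unknown MAC using address reserved for {owner[ip]}"))
        else:
            findings.append((ip, mac, f"unknown MAC with manual address in zone {zone_of(ip)}"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A MAC address is whatever the client reports, so this is an inventory check rather than authentication; the 802.1X mentioned in the thread is what covers that.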