What are the benefits of Static IP addresses?

[KevWCFE]

Hi all,

From previous help you have given me I see that some people start off by saying "if you have static IP addresses on all the PCs in the computer labs then....". I was just wondering what the advantages to having static IP addresses are and are there any drawbacks to setting the PCs to have the same IP address all the time.

Being a self taught server maintenance guy I only have experience of Group Policy when I've needed to do something specific rather than having trained in it and knowing it in a general sense but I would imagine it would make things easier in relation to GP? Am I right in that assumption?

I had the MAC addresses for 90% of the PCs in the college from another project last year so I set about creating reservations in the DHCP management console. I have done this for 180 of the 240 PCs so far and I've tested a couple of labs and they all take the IP address I set up for them.

The VP here in the college wants me to set up VPNs which I have no experience of but will research over the coming months. Would static IP addresses be beneficial here too?

Basically, what are the pros and cons of Static IP addresses through DHCP reservations?

Thanks for any insight.

K

[plexer]

TBH I would never suggest static ip's on lab computers only servers, routers, printers , waps and even then I use DHCP reservations for most of those.

Ben

[ZeroHour]

I personally dont see the point of static ip's for most client/desktop scenarios. If you use a good machine name policy its easy to use and GP has nothing to do with IP so being static or dynamic should make no difference.
Servers should be static obviously but thats all unless the client has a specific need that machine name doesnt meet.

[chazzy2501]

I use only static IPs for specific devices, Servers and Switches really. This is so most things run smoothly if there is a DHCP / networking anomaly.

In a lab I usually don't have a DHCP server setup so have to manually assign addresses.

Thats all.

[SimpleSi]

Static helps fault finding - you know what the IP is supposed to be - if its not pinging - its bust or disconnected or switched off - doesn't rely on anything else working.

I don't think anyone would recommend reserving IPs for normal client computers - I use them for servers,Access Points (I only usually have about 8 at most) and printers - I give the printer a static ip (See above as too why) and I also reserve it in case the printer forgets its static IP - so its a backup ploy

The APs can then be simply accessed on their web admin pages via their known static IP - no reliance on local DNS lookups.

Si

[ZeroHour]

Static helps fault finding - you know what the IP is supposed to be - if its not pinging - its bust or disconnected or switched off - doesn't rely on anything else working.

In a smaller none AD scenario yes but if DNS is not working to resolve client names to IP's then nothing is working really anyway with AD

I give the printer a static ip (See above as too why) and I also reserve it in case the printer forgets its static IP - so its a backup ploy

HP had several models that forgot their static ip settings and reverted, doing that saved lots of hassle.

[GrumbleDook]

Static for key infrastructure devices ... DCs, core servers, core and essential switches ... For all other devices I recommend DHCP reservations.

Not only is this a good thing for fault finding but also essential when completing audits of activity. Depending on your setup, your ISP might identify an IP which needs investigating ... and then you try to track this down to the locally assigned IP. Some systems in place might log the authenticated user but other systems might not ... especially if you have a rogue / dirty device on your network which is not part of your domain.

By having an assigned IP it makes this a heap easier to deal with.

Looking at worst case scenario, if a legal investigation is required (i.e. police or other authority come in) then they might be looking back at logs from months earlier ... and with DHCP release set at 8 days ... that is useless.

[ZeroHour]

Not only is this a good thing for fault finding but also essential when completing audits of activity. Depending on your setup, your ISP might identify an IP which needs investigating ... and then you try to track this down to the locally assigned IP. Some systems in place might log the authenticated user but other systems might not ... especially if you have a rogue / dirty device on your network which is not part of your domain.

By having an assigned IP it makes this a heap easier to deal with.

Looking at worst case scenario, if a legal investigation is required (i.e. police or other authority come in) then they might be looking back at logs from months earlier ... and with DHCP release set at 8 days ... that is useless.

From a client perspective thats basically the same as saying if you give any device direct access to the net without authentication (or logging the user) then you would have to fall back on static ip's which dont prove the user just the device?
From a legal perspective I would be surprised they could hold anyone but the school to task for not logging appropriately as a device != person even if it is their own. Also this precludes the fact that the machine name/device name may not have changed and before we get to spoofing mac addresses which all throws out the whole ip = person. I am not sure how *essential* static ip is, authentication logging is and should be account based, anything else makes the case to link the traffic to the user much much harder without account logging.
For guest access devices (aka visiting person) ip/devices logs could be enough if you can say you saw the device in the possession of the person when the offence happened.

[Michael]

Hi all,

From previous help you have given me I see that some people start off by saying "if you have static IP addresses on all the PCs in the computer labs then....". I was just wondering what the advantages to having static IP addresses are and are there any drawbacks to setting the PCs to have the same IP address all the time.

Being a self taught server maintenance guy I only have experience of Group Policy when I've needed to do something specific rather than having trained in it and knowing it in a general sense but I would imagine it would make things easier in relation to GP? Am I right in that assumption?

I had the MAC addresses for 90% of the PCs in the college from another project last year so I set about creating reservations in the DHCP management console. I have done this for 180 of the 240 PCs so far and I've tested a couple of labs and they all take the IP address I set up for them.

The VP here in the college wants me to set up VPNs which I have no experience of but will research over the coming months. Would static IP addresses be beneficial here too?

Basically, what are the pros and cons of Static IP addresses through DHCP reservations?

Thanks for any insight.

K

There are no real advantages to setting up all PCs with a static IP. I only set static IPs when necessary, such as servers, printers and WAPs. I suppose the disadvantages are that it's incredibly time consuming and it's something that DHCP Server just takes care of (when setup correctly).

Servers need a static IP as this typically where DNS, DHCP and other services are hosted. Printers and WAPs can be used on a static or dynamic IP, but for ease of management, static IPs are the way forward.

The advantages of DHCP Server is that it's comparatively quick to setup and there are a whole array of DHCP options you can figure, such as a time server. Keeping everything in sync time wise is very important.

You could also argue (for example) if you change your IP scope from a Class C to a Class A or IPv6, or changed your DNS/Gateway it would simply be a case of updating DHCP Server (a 5 minute job) instead of going round manually updating each device.

Setting up a static IP on a notebook, tablet or phone isn't really an option. If the user is expected to use their notebook, tablet or phone at home or on the move, the odds are that their IP range is totally different. The router at home or in public (typically a DHCP Server) would dish out IPs here too. The point is it's all dynamic and the only people that care are us guys (so long as it's working).

[MatthewL]

Static's should only be used on servers I think. If you DNS works printers do not need them is my view. Client PC's if you use them it causes a nightmare, only use if you have to.

[mac_shinobi]

When any of you are stating 'you use a dhcp reservation' does that mean

1. You set the dhcp reservation in DHCP via the mac address of said device and then on the actual device you

A - Still program or manually set the ip address info ( ip address, subnet mask, default gateway, dns servers ) statically
B - Leave said device to DHCP as it will pick up the dhcp reservation anyway

2. When Switches, Servers or other devices that need Static IP Addresses I presume you just manually and statically assign them the said network address info ( so IP Address, subnet mask and any other relevant info that you need to assign them )

[SimpleSi]

For all other devices I recommend DHCP reservations. ... but also essential when completing audits of activity.

I'm with ZH on not being essential at all
Si

[SimpleSi]

When any of you are stating 'you use a dhcp reservation' does that mean

1. You set the dhcp reservation in DHCP via the mac address of said device and then on the actual device you

A - Still program or manually set the ip address info ( ip address, subnet mask, default gateway, dns servers ) statically
B - Leave said device to DHCP as it will pick up the dhcp reservation anyway

A (and then B when A fails) - its a defensive HP Printer strategy - they can forget their static settings so its a backup strategy for when that happens

2. When Switches, Servers or other devices that need Static IP Addresses I presume you just manually and statically assign them the said network address info ( so IP Address, subnet mask and any other relevant info that you need to assign them )

yep
Si

[SimpleSi]

In a smaller none AD scenario yes but if DNS is not working to resolve client names to IP's then nothing is working really anyway with AD

Another reason to not use AD
Si
HOME - One workgroup to rule them all

[ZeroHour]

Another reason to not use AD
Si
HOME - One workgroup to rule them all

Dont you mean WORKGROUP

RE: Tony's points, actually a really really good policy could make ip logs enforceable along with the requirement to prevent unauthorised access to the device with a non shared password (aka getting around account logged)