DHCP vs Static IP
I'm questioning one of our basic policies here at our school division: static IP.
(I looked at this post http://www.edugeek.net/forums/networ...tatic-ips.html but didn't really get the answer I was looking for)
We have 4 separate sites and over 2000 PCs, many APs, switches, networked printers, etc., all manually assigned IPs by the tech staff. I feel DHCP would be a better choice for time management, if nothing else, but I face arguments for static:
1. Security - to prevent "anyone" from bringing in a PC and plugging it in, we have static IPs. (Nothing saying you can't just unplug a PC from the network and use its IP, but hey)
2. We need to know, if a student violates policy on the network, the location (name, IP) of the PC so that we can have documentation of the incident, and are worried DHCP will not give solid enough answers.
I'm looking for others' arguments to refute those above. =) Any thoughts would be appreciated.
I do realize that one way or another, printers, network hardware, etc., would need static in some form or another, whether it would be manually entered or set in DHCP (if I'm understanding that correctly, DHCP can assign by MAC address).
As an aside, we have mainly winXP clients and run a Novell network.
Thanks as always.
There are Network Access Control solutions that can solve these problems and allow you to use DHCP. Obvious ones are 802.1X or PacketFence. Most commercial 'security' vendors have some sort of NAC solution you can look at too.
Originally Posted by LCPSWolf
I would say DHCP all the way, static is far too old school :p IMHO static IPs are no more secure than DHCP at all, and with Server 2008 you can set up NAC for free like Geoff says, helping with security.
There are bound to be logs either in the event viewer or DHCP server about who has what IP, I'm sure (not that I have looked). At the end of the day doing everything static is a nightmare and you can save yourself a lot of time using DHCP.
Point 1 is very much in the "security through obscurity" camp and, as such, just doesn't work. It relies on people not knowing what range of IPs you use - once they know that, they can just make up an IP in the range or just use one that's already in use. That might not let them on the network; it might just mess up the machine that was using the IP but it certainly isn't giving a good outcome.
Not sure that point 2 helps that much either. I presume you're tracking activity by IP address (e.g. access to the internet), but how do you know who was using which IP at which time? I'm not familiar with NetWare; does it give you a log which says "user X logged onto IP 184.108.40.206", or is it giving "user X logged onto machine ABCDEF" and then you use the knowledge that machine ABCDEF has IP 220.127.116.11 to link user to IP? If it's the former, then DHCP makes no difference; if it's the latter, then with the lease time set at 8 days you've pretty much got static IP addresses (machines always try to keep the same address; provided you have enough in the pool they will hardly ever change). You could also add something to your login script to just record the username, IP, machine name, date and time to a log.
In my opinion, any benefits of static IPs are massively outweighed by DHCP once you go over about half a dozen machines!
Can't you run DHCP so it only gives IPs to MAC addresses it knows about?
Originally Posted by LCPSWolf
Plus how about MAC filtering?
It's dead easy to run a utility to pick up all the MAC addresses of your equipment and only let those get an IP from the DHCP server. Anyone bringing in equipment won't get an IP.
EDIT: Ah Steve beat me to it.
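An added example (not from any poster in this thread) showing the two things discussed above: answering "which machine held this IP at this time?" from the DHCP server's own lease events instead of a static address list, and listing leases handed to MACs outside the inventory, which is exactly what a MAC allow-list on the scope would refuse. The log lines, hostnames and MACs are constructed; the format is modelled loosely on the Windows DHCP server audit log (event 10 = new lease, 11 = renew, 12 = release) but is an assumption here, not a parser for any real product.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
# Constructed sample, shaped loosely like the Windows DHCP server audit log
# (ID 10 = new lease, 11 = renew, 12 = release). Not real data.
SAMPLE_LOG = """\
10,05/12/09,08:01:12,Assign,10.20.1.51,LAB1-PC07,00155D0A1B07
10,05/12/09,08:03:40,Assign,10.20.1.52,LAB1-PC08,00155D0A1B08
12,05/12/09,12:15:02,Release,10.20.1.51,LAB1-PC07,00155D0A1B07
10,05/12/09,12:20:45,Assign,10.20.1.51,UNKNOWN-LAPTOP,001D7D99AA01
11,05/12/09,16:00:00,Renew,10.20.1.52,LAB1-PC08,00155D0A1B08
"""
# MACs the tech staff have inventoried (constructed).
KNOWN_MACS = {"00155D0A1B07", "00155D0A1B08"}
TS_FORMAT = "%m/%d/%y %H:%M:%S"

@dataclass
class Lease:
    start: datetime
    end: datetime | None   # None = still held at the end of the log
    ip: str
    host: str
    mac: str

def parse_leases(log: str) -> list[Lease]:
    """Fold assign/renew/release events into one interval per holder of each IP."""
    held: dict[str, Lease] = {}
    done: list[Lease] = []
    for line in log.splitlines():
        event, date, time, _desc, ip, host, mac = line.split(",")
        ts = datetime.strptime(f"{date} {time}", TS_FORMAT)
        if event == "10":                   # new lease: previous holder of this IP ends here
            if ip in held:
                prev = held.pop(ip); prev.end = ts; done.append(prev)
            held[ip] = Lease(ts, None, ip, host, mac.upper())
        elif event == "12" and ip in held:  # release: the interval closes
            cur = held.pop(ip); cur.end = ts; done.append(cur)
        # event "11" (renew) keeps the same holder, so nothing changes
    return done + list(held.values())

def holder_at(leases: list[Lease], ip: str, when: str) -> Lease | None:
    """Which host/MAC held this IP at the time in the incident report (same timestamp format)?"""
    t = datetime.strptime(when, TS_FORMAT)
    for l in leases:
        if l.ip == ip and l.start <= t and (l.end is None or t < l.end):
            return l
    return None

def unknown_mac_leases(leases: list[Lease], known: set[str]) -> list[Lease]:
    # Leases given to MACs outside the inventory: what a MAC allow-list would have refused.
    return [l for l in leases if l.mac not in known]
```

Note that a lease gap (between a release and the next assignment) correctly yields no holder rather than the previous machine, which is the detail an incident write-up based on "machine ABCDEF always has this IP" would get wrong.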
angryip scanner to find free IP addresses?
Can't believe people are still using static IPs on the network and 2000+ done manually!!! WTF :eek:. I have to extend our range over here over the summer, and if I had to assign the IPs manually... :eek: That's all I would be doing this summer.
As with what the others have said, technically you have no security on the network as you currently don't have a way to detect who's set themselves up on the network, so you could have people on your network now and you wouldn't even know.
Thanks - this was exactly the sort of response I was looking for. I tend to agree that the considerable issues outweigh the supposed benefits of static IP.
I'm also pretty new to NetWare, but will check into it. Your point about it either way makes sense.
The only thing I use static IPs for are servers, printers, access points and admin workstations requiring remote support. Everything else is DHCP.
I also agree that with access points, MAC filtering should be enabled. This is much more secure than giving every machine a static IP. Anyone with a bit of knowledge could work out what the IP information of a network is.
For laptops, it wouldn't work either, because if staff took them home (more than likely) you'll be using a completely different IP range at home.
We have some workstations with static IP numbers (mainly admin ones) so we can use remote desktop on them, and obviously printers, wireless APs and other devices need a static IP so you can manage them; we assign these manually and the first set of addresses in our range are reserved for this purpose. For normal run of the mill workstations, DHCP all the way.
The other machines I might consider using a static IP number on is Wireless Laptops, as some wireless systems seem to struggle with DHCP for some reason, and it saves a lot of hassle with them sometimes, as it picks up the network faster when/if the wireless signal drops.
The only other argument I can think of, is eventually we'll all be using IPv6. I wouldn't like the job of updating each workstation. I'd go mad!
Sorry to go off topic a bit, but why can't you connect by hostname?
Originally Posted by maniac
To be honest, DHCP can be enabled with no change to the network. You set your scope and everything functions as it has always done.
Manually assigned IP machines can be gradually brought into DHCP via GP, and this will not create any extra work for the IT staff. IPs freed up can be added to the scope to eventually bring over the whole network gradually and with minimal fuss.
If ever the DC goes down or you have DNS server troubles, it can be much easier to setup a backup DNS server or promote a DC and then you only need to adjust the DHCP settings to make everything work again.
I think once it has been trialled in a few suites, and the staff see the benefits, they will soon come round to the idea. It makes having a Ghost server a breeze to image and makes maintenance quicker and easier.
It has to be worth it just for the staff with laptops and the routine "can't see the network or access the internet" on a Monday morning.
DHCP all the way. Even when it's for printers or workstations that need a constant IP address so the LA can remote in for MIS support, I just use DHCP with reservations based on the MAC address. This means that when the device connects to the DHCP server they always get the same address, and no other device gets it as they don't have the same MAC (unless they are cloning). The only time I might consider static is for the DHCP server (i.e. so it has its IP address before the DHCP service starts) or for key switches (or for wireless access points), which I want to get the correct IP if the server is not available.