If you’re in charge of IP address management (IPAM) and you’re still using Microsoft DNS or BIND, you’re probably looking for an IPAM solution. That’s because Microsoft DNS and BIND don’t provide a centralized repository to view and manage the allocation of IP space. The most common solution out there (if you can really call it an IPAM solution at all) is a spreadsheet – manually keeping track of which IP addresses are assigned and which blocks are still available.
For complex networks spanning multiple geographical regions, hybrid cloud environments, and business units, manual IPAM is a nightmare.
Using an IP address spreadsheet simply isn’t a viable long-term solution. It doesn’t scale. It practically invites manual errors and overlaps which can bring down the network. Accountability is difficult. Role-based access is impossible. Data aggregation and reporting capabilities? Forget it.
Just IPAM or a full DDI solution?
Once you realize that a fully-fledged IP address management tool is necessary, another question naturally arises: Is there a way to avoid the severe challenges of keeping track of IP address space without a full DDI solution?
We get this question a lot. We’ve also seen customers who have tried IPAM on its own and those who decided to go all-in with DDI.
Here’s what we know and what we’ve learned: As we’ve captured in our eBook “The Cost of Free”, IPAM tools on their own can be helpful as a short-term band-aid. But they do not solve the underlying problems inherent in decentralized network infrastructure systems such as Microsoft DNS and BIND. Attempting to deal with IPAM without touching DNS or DHCP highlights the same problems inherent in so-called “overlay” DDI solutions, where only certain portions of the network infrastructure are truly fixed.
It’s not that IPAM tools are ineffective. It’s that they’re missing the other two-thirds of the equation.
Think of it like what happens when you paint a single room in your house – suddenly all the other rooms look shabby by comparison. When you use IP address management software in isolation, suddenly integration with DNS and DHCP becomes the problem. These three core network functions are inextricably tied together. It only makes sense to tackle them all at the same time.
IPAM tools = half a loaf?
In quite a few network teams, organizational politics are behind the IPAM-only push. DNS, DHCP, and IPAM functions are controlled by separate groups. They compete for resources, prestige, and control over network architectures. Sometimes, their support budgets are separated too – purchasing and implementing a complete DDI solution would require a complicated bureaucratic and financial arrangement which nobody’s willing to broker. In these cases, using just an IPAM product looks like “the best we can do”.
IPAM is usually the first step in a longer journey, whether you realize it up front or not.
We get it: IPAM may be the most glaring problem you face right now. DNS spreadsheets are a terrible way to manage networks. And maybe looping DNS and DHCP into the equation doesn’t seem to make sense right now – for organizational, budgetary, or network architecture reasons.
But trust us, we’ve seen time and time again that customers who deal with IPAM and don’t consider the follow-on effects on DNS and DHCP end up creating more work in the long run. The data from the core DDI elements belong in a single source of truth and should be part of the same workflows, not scattered between different architectures and methodologies.
Tactical and strategic considerations
Dealing with DDI in one motion is partially a matter of tactical efficiency. Maybe tasks like getting rid of the IPAM spreadsheets, managing your IP address usage, and deconflicting your IP address pools are your first priorities. But it makes sense to tackle adjacent best practices such as implementing DNSSEC, creating a system to manage IPv4 and IPv6 addresses, and locking down the security of your DNS servers and DHCP servers at the same time.
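As an added example, not BlueCat's code and not part of the original post, the script below shows two of the checks a spreadsheet cannot enforce on its own: finding duplicated or nested IP blocks (the overlaps that cause outages) and reporting how much of each top-level block is actually allocated to child blocks. The CSV rows and the column names (block, site, owner) are constructed for this example; only the Python standard library is used, and the same logic handles IPv4 and IPv6 entries.

```python
import csv
import io
import ipaddress

# Constructed sample of a spreadsheet-style IP block inventory (hypothetical
# data for this example, not taken from any real network).
SAMPLE_CSV = """block,site,owner
10.0.0.0/16,hq,netops
10.0.8.0/21,hq,devops
10.0.10.0/24,dc1,app-team
10.1.0.0/16,dc1,netops
192.168.1.0/24,branch-a,it
192.168.1.0/24,branch-b,it
2001:db8:1::/48,hq,netops
2001:db8:1:a::/64,hq,app-team
"""


def parse_allocations(text):
    """Parse a CSV export into a list of (network, site, owner) tuples.

    strict=True rejects a block whose host bits are set (e.g. 10.0.0.1/24),
    one of the most common hand-entry mistakes in a spreadsheet.
    """
    allocations = []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            net = ipaddress.ip_network(row["block"].strip(), strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: invalid block {row['block']!r}: {exc}") from exc
        allocations.append((net, row["site"].strip(), row["owner"].strip()))
    return allocations


def _contained(child, parent):
    """True when child is a strict sub-block of parent (same address family)."""
    return child.version == parent.version and child != parent and child.subnet_of(parent)


def find_conflicts(allocations):
    """Return (duplicates, nested).

    Two CIDR blocks of the same family are either disjoint, identical or
    nested, so these two lists cover every possible overlap:
      duplicates: the same prefix recorded on more than one row
      nested:     (parent, child) pairs; fine for a deliberate supernet/subnet
                  hierarchy, but worth review when the owners differ
    """
    duplicates, nested = [], []
    for i, (a, a_site, a_owner) in enumerate(allocations):
        for b, b_site, b_owner in allocations[i + 1:]:
            if a.version != b.version:
                continue  # subnet_of() refuses to compare IPv4 with IPv6
            if a == b:
                duplicates.append((a, (a_site, a_owner), (b_site, b_owner)))
            elif _contained(b, a):
                nested.append((a, b))
            elif _contained(a, b):
                nested.append((b, a))
    return duplicates, nested


def utilization(allocations):
    """Fraction of each top-level block covered by the blocks directly under it.

    Only the largest child blocks are summed, so a /24 carved out of a /21
    that is itself inside the /16 is not double-counted.
    """
    nets = [net for net, _, _ in allocations]
    report = {}
    for parent in nets:
        if any(_contained(parent, other) for other in nets):
            continue  # not a top-level block
        direct = [
            c for c in nets
            if _contained(c, parent)
            and not any(_contained(c, m) and _contained(m, parent) for m in nets)
        ]
        report[parent] = sum(c.num_addresses for c in direct) / parent.num_addresses
    return report


if __name__ == "__main__":
    allocs = parse_allocations(SAMPLE_CSV)
    dups, nested = find_conflicts(allocs)
    for net, first, second in dups:
        print(f"DUPLICATE {net}: {first} and {second}")
    for parent, child in nested:
        print(f"NESTED    {child} inside {parent}")
    for parent, frac in utilization(allocs).items():
        print(f"USAGE     {parent}: {frac:.2%} allocated to child blocks")
```

On the sample data the script reports the 192.168.1.0/24 block claimed by two branches, the three IPv4 and one IPv6 nestings, and that only about 3% of 10.0.0.0/16 is handed out. Running a check like this against an exported spreadsheet is a reasonable stopgap, but note that it only sees what was typed into the sheet: nothing ties it to what DHCP is actually leasing or what DNS resolves, which is the gap the rest of this post is about.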
Housecleaning is best accomplished across the core infrastructure layer rather than piece by piece.
Yet there’s also a strategic aspect to all of this which can’t be addressed with IPAM on its own. What business goals are you looking to drive through your core network infrastructure? What can you use DDI data to accomplish at a strategic level? How can these systems lay the groundwork for tighter security, more efficient networks, and support for initiatives like cloud, automation, virtualization, and more?
If you play your cards right, rationalizing DDI systems and data can be the first step in a much more profitable journey – one in which DDI powers your business initiatives rather than slowing them down. With a single source of truth for DNS, DHCP, and IPAM – where each element is part of a unified system – you can build the powerful capabilities today’s networks require through automation, DNS security, and higher-level functions such as traffic steering. None of this can happen if IPAM is going one direction but DNS and DHCP are still stuck in the dark ages of decentralized architectures and manual processes.
Making the leap
If you’re trying to make the mental leap from dealing with immediate challenges around planning, tracking, and managing IPAM to thinking about the full DDI solution, you’re certainly not alone. That’s why we’re here to walk you through it. BlueCat has been through this journey with countless satisfied customers.
Perhaps just as importantly, we’ve seen a lot of customers who are dissatisfied with the IPAM-only approach.
We’ve seen them go from the high point of getting those immediate business challenges taken care of to the low point of realizing that the rest of their DNS and DHCP management practices now have to catch up.
Whether you’re considering just an IPAM solution and need some additional data points, or have already gone down the IPAM-only road and need some strategic advice on how to widen your approach, we can certainly help. Our DNS experts can provide examples from our large customer base and talk you through the best practices of core infrastructure management.
If it’s your turn to move from internet protocol address space to something bigger, let us suggest a look at our DNS infrastructure best practices guide. There are some great ideas in there which will get you thinking about the trade-offs associated with different architectures and approaches.