
Need for Role Delegation in IP Administration – Part 1

Level 12

In a network, whether small or large, spread over one location or many, there are network administrators, system administrators, or network engineers who frequently access the IP address store. Many organizations still use spreadsheets, database programs, and other manual methods for IP address management, and the same document/software is accessed and updated by multiple people. Network administrators take on the role of assigning IPs in small networks, as well as when they add new network devices or reconfigure existing ones. The system administrator takes care of assigning IPs to new users that join the network and adding new devices like printers, servers, VMs, DHCP & DNS services, etc. Larger networks that are spread over multiple locations sometimes have a dedicated person assigned specifically to manage planning, provisioning and allocation of IP space for the organization. They also take care of research, design and deployment of IPv6 in the network. Delegating IP management tasks to specific groups based on expertise or operations (network & systems team) allows teams to work independently of each other and meet IP requirements faster.

Again, if the central IP address repository is maintained by a single person, then the problem lies in the delay in meeting these IP address requests. Furthermore, this could lead to human errors and to grievances from teams that experience downtime while waiting to complete their tasks.

What Could Go Wrong When Multiple Users Access the Same Spreadsheet?


Spreadsheets are an easily available and less expensive option for maintaining IP address data. But they come with their own downsides when multiple users access the same spreadsheet. Typically, users tend to save a copy to their local drive, and then finding the most recently updated version becomes another task! You end up with multiple worksheets with different data on each of them. There is no way to track who changed what. Ultimately, this leads to no accountability for misassignments or IP changes made.

In short, this method is bound to produce errors and obsolete data, and it lacks security controls. There could be situations when an administrator makes a change in the status of an IP address, but forgets to communicate it to the team/person that handles DHCP or DNS services. In turn, chances are higher that duplicate IP addresses are assigned to a large group of users, causing IP conflicts and downtime.
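To make the divergent-copies problem concrete, here is an added example (not part of the original post) that compares several locally saved copies of an IP spreadsheet and reports every address on which they disagree, along with rows that cannot be trusted. The file names, the `ip,status,hostname` column layout and all addresses are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample data: three local copies of the "same" IP spreadsheet.
COPIES = {
    "netadmin.csv": "ip,status,hostname\n10.0.5.10,used,core-sw1\n"
                    "10.0.5.11,used,printer-2f\n10.0.5.12,free,\n",
    "sysadmin.csv": "ip,status,hostname\n10.0.5.10,used,core-sw1\n"
                    "10.0.5.11,used,vm-build01\n10.0.5.12,used,hr-laptop7\n",
    "dhcp-team.csv": "ip,status,hostname\n10.0.5.10,used,core-sw1\n"
                     "10.0.5.12,free,\n10.0.5.300,used,kiosk-1\n",
}

def load(text):
    """Parse one copy into {ip: (status, hostname)} plus a list of bad rows."""
    rows, problems = {}, []
    # Line 1 is the header, so data rows start at line 2.
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        raw = (row.get("ip") or "").strip()
        try:
            ip = str(ipaddress.ip_address(raw))
        except ValueError:
            problems.append((line_no, "invalid address", raw))
            continue
        if ip in rows:  # same address listed twice in one copy
            problems.append((line_no, "duplicate row", ip))
        rows[ip] = ((row.get("status") or "").strip().lower(),
                    (row.get("hostname") or "").strip().lower())
    return rows, problems

def find_conflicts(copies):
    """Return (conflicts, problems): addresses whose record differs between copies."""
    parsed, problems = {}, {}
    for name, text in copies.items():
        parsed[name], problems[name] = load(text)
    all_ips = set().union(*parsed.values())
    conflicts = {}
    for ip in sorted(all_ips, key=ipaddress.ip_address):
        # None means the address is missing from that copy altogether.
        views = {name: rows.get(ip) for name, rows in parsed.items()}
        if len(set(views.values())) > 1:
            conflicts[ip] = views
    return conflicts, problems

if __name__ == "__main__":
    conflicts, problems = find_conflicts(COPIES)
    for ip, views in conflicts.items():
        print(ip, views)
    print(problems)
```

The script can only show that the copies disagree; it cannot say which one is right or who made the change, which is the accountability gap described above.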

With all that said, the questions that remain are: Can organizations afford the network downtime? And are the dollars saved from not investing in a good IP address management solution more than those lost due to loss in productivity? This post discusses the problems of using manual methods for IP address management. In my next blog we will look at associated issues and the best practices of roles and permissions enabling task delegation across teams.

Do you face similar difficulties with your IP administration? If yes, how are you tackling them?

21 Comments
MVP

The biggest problem with multiple people updating a spreadsheet is that the last one who saves wins. All other changes others have made in the meantime are wiped out. That opens the potential for problems down the road. This builds the case for an IP management DB with record-level locking so multiple people can update what they need to update without stepping on the toes of others.

Level 14

It took some effort, and a lot of talks, but we finally got everyone off the spreadsheets a couple of years ago. Using IPAM, we're handling all of IP address management and everyone seems quite happy. Of course, there are a few things we'd like to see improved in IPAM (i.e. mandatory Custom Properties). But we're hooked and we are not going back. Also, we've set up a pretty good delegation system, granting Read Only rights to most, and Power, Operator or Admin rights to a few. This has worked quite well for us. Thanks, SolarWinds!!!

Level 15

Strange, the more I read the more I thought, Geez, this is my organization to a T. Yes, the last one does win. We at least do not have local copies but rather all access the same share to the file. If someone has left it open, we get the read-only prompt. One of my projects for next fiscal year is to put in an IP management system. Currently, evaluating IPAM solutions from SolarWinds and Microsoft.

MVP

We are still in the spreadsheet zone... We were, at one time, considering buying into the SolarWinds IPAM module, however, all of our DHCP servers are Linux, and I think IPAM was Windows. (or something like that)

It sure would be nice to have a more efficient way to do things. We are constantly running out of IPs and manually tracking/updating them.

Someday... someday...

Level 13

Glad to hear you were successful in getting buy-in on this. The multiple copies issue can be mitigated somewhat by keeping the spreadsheet on a shared resource like SharePoint, but regardless, spreadsheets are a nightmare for this purpose.

Level 15

The manual tracking is probably the most time consuming. You see an IP address suddenly show up in the SIEM and then spend the next hour tracking it down, figuring out why it was assigned that IP address, what project was it for, and who was the engineer who assigned. Then, back to the spreadsheet, find an appropriate address and record it. Then, remember to go update the DNS records appropriately.

Looking for a better way............... 

Level 13

We were once a spreadsheet passing company.  "Who has the most up to date IP address list?" was the norm.  But now we have been using SolarWinds IPAM for over 5 years and the spreadsheets are a distant "bad" memory.  Automate I say.

Level 9

We are using a login-script (VBS) to fix the IP address of the user's PC (the address issued by DHCP-server) in the attributes of MS AD (in the objects of the user account and the computer). So we always have the latest information about the address of the user's PC in MS AD. From MS AD you can always save it in XLS or even customize the view to get all attributes of objects on MSSQL-server.

Level 14

That's quite a novel idea, kudos!!! 

Level 13

That's pretty creative, I like it!

This actually takes me back to my Novell Netware admin days. We had an application that required that each computer have the F: drive mapped to a specific, unique folder which contained its terminal ID information for that application. The terminal ID needed to stay with the computer, not follow the user. For security reasons we didn't want the terminal ID to be stored locally on the computer, and if we did the drive mappings manually at the PC, users would end up manually deleting them. I ended up writing an NDS login script that did the mapping of the F drive based on MAC addresses. It required touching the login script any time we replaced a PC, but we were a relatively small shop so that didn't happen that often.

Level 15

Wow, that takes me back.  Funny how necessity makes for interesting solutions. 

Level 17

Even with an IPAM solution you have to admin, and get technicians to input the requests... if no one uses the tool after an engineer sets up and builds out the structure you're back to square one.

Level 17

Even in analog mode the tickets just get pushed around until dropped.. lol

Level 9

I agree, if the information is not updated, the system itself dies.

Level 14

I also wholeheartedly agree. IPAM has helped us a lot, but there will always be need for someone (or many someones) to key in data about some (or many) of the IP addresses. I think the same can be said of any other solution used.

Level 17

I must concur.

Level 14

We use the great spreadsheet method on a SharePoint server. So only one person at a time gets to update. If they leave it open, we get to wait until they are there to check it back in. We just love it. We are trying to go to IPAM though. Hopefully they will fund it soon.

Level 17

Not even SP 2010/2013 so you can have multiple editors? And no admin - if you have to wait for them to get back to check it back in...Okay, I could see how that could be fun.

Level 13

Word 2016 will support real time collaboration, not sure about Excel. So just be patient spreadsheet folks, there may be light at the end of the tunnel! Or you will crash. At least we know something will happen.

Also, if your networking team will not get onboard with your newly implemented IPAM tool, start running continuous network maps/switch-port map/ network sweeps. After a few hours/days/weeks of complaints regarding network congestion you can explain to them that it could all go away if they do as you ask; you won't have to continue running all of these scans.

Level 14

I think that spreadsheets are fine for static IP addresses.  However, spreadsheets cannot help much w/the dynamic IPs.  That's one of the benefits of having a solution like IPAM, since it will scan the defined subnets.  IPAM can also tell you if specific subnets are about to run out of dynamic IPs.

Look at me?  I almost sound like a SolarWinds salesperson.  So, SW folks...  If I persuade a few folks to buy IPAM, what's my cut? 
