So, both Thwackcamp and TinyElvis got me thinking about IPAM again and how much I want to use it but don't because it just doesn't do what I want.
This product IMHO needs a TON of work. Some parts of it are really nice, but I find it difficult to manage, and maybe that could partially be due to our server team not wanting to integrate it into their DHCP/DNS servers fully. We can read data from it, but not write to them. They tend to be a bit messy for me too, shown by the fact that we have over 1000 empty DHCP scopes.
Of course I would love for IPAM to not be dependent on how the DHCP or DNS servers are managed. I would LOVE for it to replace my IP spreadsheets, but it’s not flexible enough to do that. Why? I think a lot of that has to do with how it handles subnets and supernets and such, it tends to do so with little or no intelligence about the subnets.
My first thing on my wish list is to have different “Views”. Why? Because different people or groups of people might want to view this data differently, so maybe a network engineer wants things broken down in a way that makes sense to them, maybe by supernets, while a manager might want to view things by business unit. So, at the top of the “tree” you might have a number of different views each of which can display data in a different fashion. Right now there is “IP Networks” at the top of the tree and if you add a new group, it gets put under “IP Networks”. Instead I’d like these to be different views, and I’d like the ability to restrict people to see specific views just like we can restrict them to see certain nodes and such. I think this relates to exactly what TinyElvis said the other day in his post.
I’d like the ability to be able to add subnets to a group based on criteria that I specify. Maybe it would be based on the name of the subnet, the description, or some custom field. But if I say that I want all the subnets that have the custom field “Site_Type” set to “Datacenter” to belong to this group, it should do that. Thinking some sort of compound statement where you can have multiple criteria would be good.
Dynamic Supernet Grouping
Right now you can add a supernet and what happens? Nothing. Let’s say you have 100 /24 subnets in the 10.35 range, if you add the supernet 10.35.0.0/16, none of those 100 subnets will automatically be added in to this group, you have to go and manually add them to that supernet. I’d like for them to be “auto-added”. AND, I’d like the ability to “stack” them, which by that I mean if I go and put in a “10.0.0.0/8” supernet and I also have a “10.35.0.0/16” supernet, that it would be smart enough to put the 10.35/16 subnet into the 10.0/8 subnet and then automatically add the 10.35.X subnets into the 10.35/16 subnet. And, in thinking about it, it might be nice for these supernets to either be “local” to a view, or global for all views. So if it was local it would only apply to that one view, but if it was global it would be in every view.
When looking at a given subnet, you should be able to see the different group(s) and view(s) that it belongs to. I don’t think a subnet should be restrained to being a member of a single group or view.
I think this will go a LONG way to making things more useful. One thing I HATE HATE HATE about IPAM is when you’re looking through subnets in “Manage Subnets and IP Addresses” and it says “XXX items reached”. I know you can change this in System Settings under Tree Max Items, but setting this really high can make things run slower. Making it easier on us to group things in a way that we want to view them should make things easier on us!!
First off, there should be a max amount of time that it can spend on scanning any subnet. Not sure if you want a hard limit like 5 minutes, or base it off the size of the subnet, like maybe 3 seconds per IP or something, but I am always finding a bunch of subnets stuck in here that have started hundreds or thousands of minutes ago. Which will result in having thousands of subnets waiting to be scanned too!
The “Scan Job Status” needs some better controls too. Ie: if there are hundreds of devices in the queue, you should be able to find one and promote it to be one of the next ones scanned, so there needs to be a “search” function. Also, instead of being able to “Cancel” or “Edit” one at a time, you should be able to select any number of them, like all on the page or all of the jobs… ie: Better job control!! Similar interface to “Configuration Management” or “Transfer Status” page in NCM maybe?
Would also be nice to have some sort of dynamic subnet scanning. Let’s say a scope is pretty static, if from scan to scan there aren’t any changes, maybe throttle back the scans to 1 or 2x the scan interval, and throttle it back and forth based on whether changes are seen or not. And in the case of the empty DHCP scopes, if the DHCP scope is empty and the subnet scan is pretty empty too, maybe throttle it back even further? Even better yet, if the subnet is not in any routing tables and you don’t get a response, throttle it back quite a bit?
Does the scan pay attention to the ICMP responses at all, or how the subnet is configured in the routing tables? What I’m getting at is if a ping request is sent to a host on a given subnet and an ICMP unreachable comes back for instance, does it keep scanning that subnet? What if the subnet isn’t in any routing tables? Some intelligence might be good here.
Manage Subnets & IP Addresses page
I’d love to be able to control what fields I see in the “IP Address View” and what order I see them in. I hate having to scroll over all the time to see stuff that I want to see. This page in general gets confusing to work with. The search is great to have, but you can't control it. You should be able to use regular expressions for one. I'd like to be able to search for ^10.35 and have it show IP addresses that start with 10.35. Instead I get stuff like 10.2.10.35 showing up!
Maybe if another module (like NTA) sees an IP being active that wasn’t before, maybe IPAM can do a mini scan of that IP alone? Or maybe figure out a way to just mark it as “active” on maybe an hourly schedule or something? I’d probably envision a huge bitmap of sorts where each IP address that is seen just flips a bit, which IPAM could then use to compare against what IPs it considers to be active and produce a list of IPs to be scanned? Just a thought, could allow us to cut back on scanning for some subnets and such.
Anyone else have thoughts?
I'm curious how many people have IPAM and don't use it (much) also because it doesn't work the way you want it to?
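
The "auto-add" and "stacking" behaviour asked for under Dynamic Supernet Grouping, and the prefix search that should not return 10.2.10.35 for 10.35, sketched with Python's standard `ipaddress` module. This is an added example, not part of the original post and not IPAM's own code; the function names `build_tree` and `in_prefix` and the sample networks are constructed for illustration.

```python
import ipaddress
from collections import defaultdict


def build_tree(supernets, subnets):
    """Place every network under the most specific supernet containing it.

    Returns {parent_network_or_None: [child networks]}; None is the top level.
    Supernets are treated like any other network, so they stack by themselves.
    """
    # Longest prefix first, so the first containing supernet is the tightest.
    supers = sorted({ipaddress.ip_network(s) for s in supernets},
                    key=lambda n: n.prefixlen, reverse=True)
    nets = {ipaddress.ip_network(s) for s in subnets} | set(supers)
    tree = defaultdict(list)
    for net in sorted(nets, key=lambda n: (n.version, n)):
        parent = next(
            (s for s in supers
             if s != net and s.version == net.version and net.subnet_of(s)),
            None)
        tree[parent].append(net)
    return dict(tree)


def in_prefix(addresses, cidr):
    """Return the addresses that really fall inside cidr (no substring match)."""
    network = ipaddress.ip_network(cidr)
    return [a for a in addresses if ipaddress.ip_address(a) in network]


if __name__ == "__main__":
    # Constructed sample data: two stacked supernets and a few subnets.
    tree = build_tree(
        ["10.0.0.0/8", "10.35.0.0/16"],
        ["10.35.1.0/24", "10.35.2.0/24", "10.40.1.0/24", "192.168.1.0/24"])

    def show(parent, depth=0):
        for child in tree.get(parent, []):
            print("  " * depth + str(child))
            show(child, depth + 1)

    show(None)
    print(in_prefix(["10.35.4.7", "10.2.10.35", "10.35.200.1"], "10.35.0.0/16"))
```

Because placement is computed from the prefixes alone, adding a new supernet later only means rebuilding the tree; no subnet has to be moved by hand.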