96 Replies. Latest reply: Feb 1, 2014 5:18 AM by mraky

    I Don't See the Point of IPAM

    jgherbert

      "So I get that IPAM is a cool idea, but really what's the point of putting all my data into some tool that doesn't do anything more than I already have?

       

       

      I have six spreadsheets right now that represent our IP address space; one of them has all our public IPs in it, then there's one for each of four data centers (each team looks after their own IP space), and the last one is used by the internal IT team for their addressing needs. It works pretty well - each team gets to manage the spreadsheet in the way they like. For a few years we stored the data center addressing sheets in a network file share, and had a few problems with various people overwriting the spreadsheets but we probably only find 1 or 2 duplicate assignments each month now, so we just reassign as required.

       

      For a while we tried tracking individual host assignments in the spreadsheets too, but the files started getting big; so now we - or at least two of the data center teams - just track which subnets are in use, and we check the BIND zone file when we need to give an IP address out - if the IP we want is free in the appropriate file, we tell the requester the IP we're giving them, then send an email over to the DNS team to update the files.

       

      So really, why would I bother spending money on something that's just a fancy spreadsheet?"

       

      Ok, let's be clear - that's not me speaking. But I'll bet that either you know somebody who has made some of those arguments, or perhaps you feel that way too?

       

      So let's take a straw poll: Be honest, do you (or your company) manage your IPs in a spreadsheet? If so, how is that working out for you? Do you know why you choose spreadsheets rather than an IPAM solution?

       

      I'm looking forward to hearing your opinions. In my next post I'll share some of mine!

      John.

        • Re: I Don't See the Point of IPAM
          jeffreyc


          We used to use spreadsheets; now we use IPAM. To me the value of IPAM is that it dynamically updates and also integrates with UDT.

            • Re: I Don't See the Point of IPAM
              jgherbert

              Hi @jeffreyc. Integration with UDT is definitely a bonus. I spoke to somebody once about IPAM and they insisted that by having a spreadsheet where they tracked their IP addresses, they were "doing IP Address Management". I guess on one level they were, but they really were missing the bigger picture.

            • Re: I Don't See the Point of IPAM
              dcal

              Just like @jeffreyc said it dynamically and most importantly automatically updates.  You don't have to think about managing a spreadsheet, it does it for you.

                • Re: I Don't See the Point of IPAM
                  jgherbert

                  Hi @dcal. Agreed about the dynamic nature of IPAM; it's a tool just like a spreadsheet though, so it still needs managing (in some sense of the word) and has to be treated seriously as part of the business processes. IPAM isn't, sadly, fully automatic!

                  • Re: I Don't See the Point of IPAM
                    ElevenB2003

                    It also removes the "Did you update the spreadsheet with the new IP info?" or "Who is going to update all of the spreadsheets with the new IP info?" or "Wow, I didn't realize that DHCP scope was almost out of addresses!" - I could go on

                      • Re: I Don't See the Point of IPAM
                        jgherbert

                        *grins* Well, @Jon Scheler, I'd argue that it moves the problem from the spreadsheet to the IPAM system. It's a bit like getting a dishwasher - yes, it's all automatic and you don't have to wear rubber gloves any more, but it doesn't remove the requirement that somebody actually fills the dishwasher, puts detergent in, and presses the start button!

                         

                        You're definitely right about scope utilization monitoring. Thanks!

                          • Re: I Don't See the Point of IPAM
                            ElevenB2003

                            As long as the subnets are pre-configured, scanning of the subnets will automatically find and populate any new devices added with static addresses.  So I guess, the only "manual" intervention from an admin or engineer would be to add any new subnets into IPAM.  I would guess that happens a lot less often than spinning up new VM's or assigning static addresses to devices.  Way easier than a dishwasher!

                              • Re: I Don't See the Point of IPAM
                                jgherbert

                                *nod* I think it just depends how much you manage directly versus simply observing what's out there. e.g. It's one thing to see how busy a dynamic DHCP pool is, but when you start making manual DHCP entries or other static assignments within a subnet, the involvement grows, and the same risk exists as with spreadsheets, that somebody won't get round to updating it.

                                 

                                Perhaps it's like a semi-automatic dishwasher?

                                  • Re: I Don't See the Point of IPAM
                                    ElevenB2003

                                    I agree!! Something like this! Panasonic IRT dishwasher - YouTube

                                    • Re: I Don't See the Point of IPAM
                                      dcal

                                      jgherbert, what are you manually updating?  Once the subnets are entered in, and everything is set up to be auto scanned, I guess I am missing what needs to be manually updated.  Ratatouille "Highly Suspect!" - YouTube

                                        • Re: I Don't See the Point of IPAM
                                          jeffreyc

                                          I concur, dcal. It seems pretty simple to me!

                                          • Re: I Don't See the Point of IPAM
                                            jgherbert

                                            dcal - the answer to that depends somewhat on your environment's needs, which IPAM product you are using (there's more than one, right? ;-) and somewhat on how you choose to use your IPAM product.

                                             

                                            If one uses IPAM simply to track IP addresses, then automatic scanning is good at finding utilized IP addresses, especially where DHCP scopes are involved. However, many companies integrate IPAM into their DNS and DHCP systems too, using manual DHCP entries (e.g. static DHCP mappings) to fix DHCP IP address assignments for key devices, and manually allocating IP addresses and DNS hostnames on request. At that point, you are assigning IPs, assigning hostnames / domain names, and so on - all of which typically takes place in the IPAM system. You may also be managing virtual assignments - e.g. mapping external IP to service addresses (e.g. www.yourcompany.com) where you don't necessarily want an attempted automatic hostname->IP mapping to take place.

                                             

                                            That isn't to say that's how you /have/ to use IPAM, but I'll argue in a future post (in so many words) that to only use the "I" in "DDI" (DNS/DHCP/IPAM), is to miss out.

                                              • Re: I Don't See the Point of IPAM
                                                dcal

                                                So jgherbert, you are talking about using IPAM to actually make your DNS and DHCP assignments?  If so then you aren't JUST replacing your spreadsheets, you are also replacing your DNS and DHCP management tool.  In that case it isn't an apples to apples comparison because we don't use a spreadsheet to control our DNS or DHCP and I would assume others don't have the DNS and DHCP plugins for Excel

                                                  • Re: I Don't See the Point of IPAM
                                                    jgherbert

                                                    Absolutely agreed - there's no comparison between what you can do in a spreadsheet and what you can do in a competent IPAM tool precisely because most IPAM products do way more than just track your IP addresses. And yet, I still see companies where both the hostname and IP address management are tracked in a spreadsheet, then requests are sent to whoever manages DNS or DHCP to make the necessary changes to those systems; but it's all off the back of the spreadsheet. The DNS folks can make changes to existing hostnames, but could never add a new host/IP assignment without it going through the spreadsheet to get the IP assigned in the first place. The question is, then, why run three separate systems with all the risk of inconsistencies, when you can run a single system that does more?

                                                     

                                                    In that respect, most "IPAM" tools totally undersell themselves by calling themselves "IPAM" when in fact they are DDI solutions.

                                                • Re: I Don't See the Point of IPAM
                                                  mvann

                                                  When IPAM scans does it scan via ICMP or is it checking ARP tables, or some combination of both to improve accuracy?

                                      • Re: I Don't See the Point of IPAM
                                        ElevenB2003

                                        I agree on both sides! It's extremely easy and automated but even "automated" systems require maintenance and management.

                                        • Re: I Don't See the Point of IPAM
                                          fitzy141

                                          I wish my IPAM had better adoption here... it's a terrific tool, but like any tool it needs to be used and have process around it.

                                            • Re: I Don't See the Point of IPAM
                                              ElevenB2003

                                              Fitzy141, I've found in the past that you really have to advocate the product or solution to your colleagues and management to help with its adoption.  Many times people just don't know how great a product or solution is and don't have the time to go out of their way to dig into it deeper and so they brush it aside and say "Well, we've always been using this or doing it this way and it works fine.".  You can help your cause by offering to do training or user sessions with them if they are available or even leverage the Solarwinds youtube channel and they can watch some quick 5-10 minute demos of the products in action.  The first step is always to get everyone on board and passionate about the new product or solution.

                                                • Re: I Don't See the Point of IPAM
                                                  fitzy141

                                                  100% agree with you Jon,

                                                   

                                                  When I started here it was a fire-drill atmosphere with no process or standards for anything, from adding a device to monitoring or even an across-the-board solution for monitoring, no best practices for managing DHCP or DNS - from spreadsheets to home grown tools was a cluster.

                                                   

                                                  I got NPM, NTA and IPAM up and running in short time and now a small SAM footprint (hoping to expand that) - We still have IPAM and I am trying to get the network team and systems team to fall in love with it. I fault myself for the lack of adoption and not having my managers above help with that process... lesson learned

                                                    • Re: I Don't See the Point of IPAM
                                                      jgherbert

                                                      Great discussion, fitzy141 and ElevenB2003!  Solid process is key to a successful IPAM implementation - I'll be covering that in an upcoming post too. Especially where DHCP and DNS get involved, it's critical to have the right process hooks in place.

                                                       

                                                      And while there's no such thing as an easy sell, usually the business benefit of a DDI solution is strong - the time saved by having a single product that can automate DNS/DHCP changes (and reduce errors) can be significant in many cases.

                                                • Re: I Don't See the Point of IPAM
                                                  foonly

                                                  It really depends on how disciplined your IT staff is, how much turnover in staff you have, how well you bring new staff up to speed, and how well your DHCP devices register with DNS. If you've had a long history of good management, and have well behaved devices, you could live without a product. I haven't seen many sites that had all of that, though.

                                                   

                                                  Plus, a lot depends on security policies, and whether your IT staff is segmented into separate security teams, who may have their own appliances scanning for rogues. Such appliances themselves do not function as IPAM, though they do keep lists of addresses. IPAM also gives an interface for reserving space, naming, describing, and easy querying to see if a segment is being exhausted. A spreadsheet or scripts with flat files can do all that, too. But the spreadsheet doesn't discover anything.

                                                    • Re: I Don't See the Point of IPAM
                                                      jgherbert

                                                      Good points, foonly. I agree that in an environment that doesn't change much (other than DHCP hosts coming and going), it's certainly possible to manage without a tool in place. Your comments about staffing - both for training and discipline - are very relevant, as whatever system you have in place has to be used consistently or it's going to fail. This relates to the 'process' comments a little earlier on. Thanks for your reply!

                                                    • Re: I Don't See the Point of IPAM
                                                      pandom_

                                                      Nice post John. I like the comments your post has generated. It is something for a while a spreadsheet worked for but with virtualization, the explosive nature of IP address consumption has made it hard.

                                                      • Re: I Don't See the Point of IPAM
                                                        byrona

                                                        To me using IPAM in place of a spreadsheet is all about automation and integration; make the systems do the work to free up people resources and improve accuracy.

                                                        • Re: I Don't See the Point of IPAM
                                                          William Vitalec

                                                          I was able to pull a listing of external DNS entries which I used to query each one on port 443 to grab any configured certs.  This was much better than trying to hunt down this information individually or even in AD.  IPAM gives all information in a single location.  Seems pretty obvious to me.

                                                          • Re: I Don't See the Point of IPAM
                                                            rfletcher

                                                            We still use spreadsheets currently, but in the past year, with the virtualization of our workplace, the idea of IPAM for dynamically updating is something that we are currently budgeting for, and personally I can't wait.

                                                              • Re: I Don't See the Point of IPAM
                                                                jgherbert

                                                                rfletcher you make an interesting point, which is that there is probably a crossover point somewhere between spreadsheets and IPAM. If you have a sufficiently unchanging environment or you have relatively few subnets to manage, IPAM may be overkill. As you scale, there's going to be a point at which IPAM really makes sense.

                                                              • Re: I Don't See the Point of IPAM
                                                                wluther

                                                                jgherbert we still use spreadsheets.  Mainly because it has been there for many years, and has little to no cost to upgrade/use.  If it were a feature of NPM the guys here might use it, but sometimes it is hard to get people to change something that works... Even if it is a better way to do things.

                                                                  • Re: I Don't See the Point of IPAM
                                                                    jgherbert

                                                                    Thanks for sharing, wluther. I've used spreadsheets too, by the way - and they are indeed low cost if nothing else. The problem I found was that we had to implement controls to limit concurrent access (in that case we used SharePoint with version control to enforce checkout/checkin of the sheet). Prior to that, there were multiple problems with updates being overwritten by users, and data thus being lost. And then there were the corruptions that Excel threw at us occasionally - that's where the versioning came in, because we could back up the changes to the last known good; and with a checkin comment explaining what allocations were made (or referencing the work ticket number) for the corrupted versions, we could recreate the changes. It still sucked a bit though, and left us open to problems that you'd think shouldn't exist - like making a series of allocations that blew past the end of a subnet, or otherwise allocating overlapping subnets because of errors in mask calculations :-/ You can probably see why I lean towards IPAM!
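
Added example, not part of the thread and not any IPAM product's code: a Python audit of spreadsheet exports for the failure modes mentioned above and in the opening post (duplicate assignments, overlapping subnets from mask errors, allocations past the end of a subnet). The CSV column names and all sample rows are constructed for illustration, and IPv4 is assumed.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from itertools import combinations

# Constructed sample data standing in for CSV exports of the teams' spreadsheets.
SUBNETS_CSV = """\
subnet,owner
10.20.0.0/24,dc1
10.20.1.0/25,dc1
10.20.1.64/26,dc2
10.20.2.0/28,it
"""

HOSTS_CSV = """\
ip,hostname,sheet
10.20.0.10,web01,dc1.xlsx
10.20.0.10,db07,dc1.xlsx
10.20.1.70,app02,dc2.xlsx
10.20.2.14,print01,it.xlsx
10.20.2.15,print02,it.xlsx
10.20.2.16,print03,it.xlsx
"""


def load_subnets(text):
    """Parse subnet rows; strict=True raises ValueError on a mask error
    such as 10.20.1.64/25, where host bits are set for the given prefix."""
    rows = csv.DictReader(io.StringIO(text))
    return [(ipaddress.ip_network(r["subnet"], strict=True), r["owner"])
            for r in rows]


def load_hosts(text):
    rows = csv.DictReader(io.StringIO(text))
    return [(ipaddress.ip_address(r["ip"]), r["hostname"], r["sheet"])
            for r in rows]


def overlapping_subnets(subnets):
    """Return every pair of documented subnets that share address space."""
    return [(str(a), owner_a, str(b), owner_b)
            for (a, owner_a), (b, owner_b) in combinations(subnets, 2)
            if a.overlaps(b)]


def duplicate_assignments(hosts):
    """Return IPs recorded more than once, with who claims them and where."""
    seen = defaultdict(list)
    for ip, name, sheet in hosts:
        seen[ip].append((name, sheet))
    return {str(ip): who for ip, who in seen.items() if len(who) > 1}


def misplaced_hosts(hosts, subnets):
    """Flag host IPs that fall outside every documented subnet, or that sit
    on the network/broadcast address of the most specific subnet they are in."""
    problems = []
    for ip, name, _sheet in hosts:
        homes = [net for net, _owner in subnets if ip in net]
        if not homes:
            problems.append((str(ip), name, "outside every documented subnet"))
            continue
        net = max(homes, key=lambda n: n.prefixlen)  # most specific match
        # /31 and /32 have no reserved network/broadcast addresses
        reserved = (net.network_address, net.broadcast_address)
        if net.prefixlen < net.max_prefixlen - 1 and ip in reserved:
            problems.append((str(ip), name,
                             f"network/broadcast address of {net}"))
    return problems


if __name__ == "__main__":
    subnets = load_subnets(SUBNETS_CSV)
    hosts = load_hosts(HOSTS_CSV)
    for finding in overlapping_subnets(subnets):
        print("OVERLAP  ", finding)
    for ip, who in duplicate_assignments(hosts).items():
        print("DUPLICATE", ip, who)
    for finding in misplaced_hosts(hosts, subnets):
        print("MISPLACED", finding)
```
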

                                                                  • Re: I Don't See the Point of IPAM
                                                                    RandyBrown

                                                                    Central repository and dynamically updated.  That's where the value comes in for us.  All too often someone would forget to update the spreadsheet and people would rely solely on the spreadsheet and not ping first to see if the address is already in use.

                                                                     

                                                                    Beyond that ... management of and integration with DNS and DHCP is also very nice!

                                                                    • Re: I Don't See the Point of IPAM
                                                                      superfly99

                                                                      We're in the process of moving to IPAM from spreadsheets. I've been using IPAM for years but getting everyone else around the country to do the same is not easy. Most of the issues are around the layout of IPAM folders. I've set up a folder with our few /16 ranges and under that I have /24 so that every single IP address in the /16 is checked. This is the same way the spreadsheets were set up (a tab for each /24).

                                                                       

                                                                      But the issue is that some only want to see what they're responsible for, whether it's a /23, /24, /28 etc. And currently there are some IPAM folders with this kind of info in it for them but management of this is painful. So hopefully everything bar the /16's I set up will be deleted so that everyone is using the same view.

                                                                       

                                                                      I like IPAM cause it populates itself but even so I still do a ping check before using an IP address just in case.

                                                                        • Re: I Don't See the Point of IPAM
                                                                          jgherbert

                                                                          You raise some good points, superfly99 - administrative views and control can be very important not just because people only want to see their own subnets, but also because you often want to make sure that a regional admin, say, can only edit their own region's entries and cannot interfere elsewhere (granular access control).

                                                                        • Re: I Don't See the Point of IPAM
                                                                          Aforsythe

                                                                          Too many subnets, not enough people. Some of the spreadsheets are not being maintained consistently or even by the right people and that's led to numerous problems. I've had a chance to play around with IPAM and it's something we're considering.

                                                                          • Re: I Don't See the Point of IPAM
                                                                            Kurt H

                                                                            We had a bunch of spreadsheets trying to track IP addresses. This became a nightmare, because it was all about human error not updating the spreadsheet like it should have been. Now we are using IPAM which is all automated. It makes life so much simpler. I wish Solarwinds would come out with some kind of inventory tracking tool, or similar database. Where we can not only automate the inventory aspect of equipment on the network, but manually add additional equipment that is in stock also. I know NPM gives you an inventory of equipment, but there is nothing for items that are in stock as pre-deployment equipment.

                                                                              • Re: I Don't See the Point of IPAM
                                                                                jgherbert

                                                                                Using spreadsheets can work, but you have to be very careful about ensuring only one person can update at a time, and that you have some kind of version control in place because inevitably, at some point, somebody deletes something by mistake (in one case I can recall, multiple tabs of data!) or the spreadsheet gets corrupted. Being able to roll back to a previous version may be critical. A good IPAM system is so much nicer to work with though!

                                                                              • Re: I Don't See the Point of IPAM
                                                                                wbrown

                                                                                For us IPAM has been helpful to see which subnets are really in use and which aren't.

                                                                                We use InfoBlox for our DHCP services.  This product has an IPAM function built in but it doesn't automatically scan subnets and it only knows about addressing that it handed out.  My initial belief was this was the correct place to implement and use IPAM functionality as that's where the addressing services are located.

                                                                                 

                                                                                Orion IPAM has converted me because of its automated scanning.

                                                                                First, I can get a view of how many clients are really in each subnet whether the DHCP server knows of them or not.

                                                                                Second, not all subnets are DHCP assigned.  Due to various reasons (political mostly) not all my subnets are centrally assigned by DHCP.  IPAM gives me the visibility that the lack of DHCP would otherwise take away.

                                                                                Another benefit has been with address migration.  I can occasionally look through the views under "Manage Subnets" and see when all clients have been migrated away from subnets I'm trying to decom.

                                                                                 

                                                                                As for spreadsheets, we only use a spreadsheet for a handful of /24 subnets assigned to firewalls as scanning products wouldn't be able to discover those.  These subnets are not dynamic so the administrative workload is minimal.

                                                                                Our internal network is way too large to even think of tracking in spreadsheets.  Some of our facilities require an entire /13 address space while others simply need a /16.

                                                                                  • Re: I Don't See the Point of IPAM
                                                                                    ajurado

                                                                                    I used Infoblox as well, but IPAM doesn't have integration to read Infoblox DHCP scope. This is very frustrating to keep track on description or documentation on both places; therefore, I agree with the original posting. Very little value on this product.

                                                                                      • Re: I Don't See the Point of IPAM
                                                                                        wbrown

                                                                                        I agree the lack of integration between products is a pain and for the most part we don't bother putting descriptions into IPAM.  However I still get value from having a product give me visibility into what is really out there.

                                                                                        • Re: I Don't See the Point of IPAM
                                                                                          michal.hrncirik

                                                                                          Just curious, what is the primary reason to use Infoblox without IPAM (DHCP, DNS)? Why not use BIND & ISC on dedicated HW, where you may get the same performance?

                                                                                          thanks,

                                                                                          Michal

                                                                                            • Re: I Don't See the Point of IPAM
                                                                                              wbrown

                                                                                              I can't speak to the reason InfoBlox was put in this environment, nor can I speak to the management of DHCP and DNS on current versions of Windows as I stopped doing Windows admin years ago.

                                                                                              We use InfoBlox for Internet-facing DNS and internal DHCP.  Having the single admin interface for these services is more convenient than having to manually modify a zone file correctly (i.e. w/o typos, remember to update serial num, ..), or to manually split DHCP scopes between servers or globally update scope options.

                                                                                               

                                                                                              A dedicated appliance for these functions streamlines the support of the service.  We contact Data Center Services to get the appliance physically installed, cabled, and powered up.  We have responsibility for the box and everything it does from that point forward.  Loading another application, such as BIND or ISC, on top of a general server would require adding the server admin team for the relevant OS, Storage team for storage, and more time for troubleshooting and fault isolation.  Appliance solutions streamline support down to a single phone call if the application stops working as expected.

                                                                                          • Re: I Don't See the Point of IPAM
                                                                                            jgherbert

                                                                                            wbrown I'll keep this fairly short as I'm almost done with my lunch break! This may simply be a case of using the products' capabilities appropriately. I don't want to get bogged down arguing for one product over another, but Infoblox is one of a number of DDI (DNS/DHCP/IPAM) solutions out there. If I read your comment correctly, your complaint is that you are using Infoblox only for DHCP, but you're not really using it for DNS or IPAM. You like Orion IPAM because of the scanning, and are frustrated that Orion and Infoblox don't integrate - but honestly, why would Infoblox integrate a competitor's product when they have an IPAM solution themselves? By the way, Infoblox NetMRI can do automated discovery / scanning for you I believe.

                                                                                             

                                                                                            Subnets don't need to be DHCP assigned to justify being in IP Address Management solution either; whether you are assigning DMZ subnets or non-DHCP subnets, if you have an IPAM solution I believe there's benefit in using it. Start using it to drive your DNS as well, and the benefits are even greater.

                                                                                             

                                                                                            I agree with you that scanning is very useful though - it really is helpful to have validation of what's out there compared to what's in the system.

                                                                                              • Re: I Don't See the Point of IPAM
                                                                                                wbrown

                                                                                                John -

                                                                                                I completely agree that IPAM is helpful for non-DHCP subnets.

                                                                                                Whether to use IPAM or a spreadsheet for non-scannable DMZ subnets I don't really see a compelling argument for one versus the other, other than to be consistent as to where the data is being stored.

                                                                                                 

                                                                                                Using InfoBlox/NetMRI is a possibility but that's another product that would have to be purchased in order to get that full functionality.  Orion IPAM is already in the door while NetMRI is not. 

                                                                                                The functionality I would like to see is for Orion IPAM to be able to query the InfoBlox appliances, just as it can for Microsoft or Cisco DHCP servers, for retrieval of the info contained therein.  This would allow our numerous Orion logins, which are validated via AD, to retrieve various info. Our InfoBlox logins are not authenticated via AD and we have no desire to do so nor do we wish to grant login to as wide an audience.

                                                                                                • Re: I Don't See the Point of IPAM
                                                                                                  ajurado

                                                                                                  Jgherbert,

                                                                                                   

                                                                                                  I agree with your point, but each one of us who made the investment had individual criteria as to why we chose Solarwinds IPAM. For most of us, we did not only purchase Solarwinds IPAM; in my case I have NPM, NCM, APM, NAT and IPAM. What we were trying to solve was to have different teams in the I.T. department be able to have their own view (read-only) of the IP addresses, and the information needed to be updated twice a week for a certain team (subnet). IPAM solved our main problem. Yet we also had a need for auto notification on subnets that were about to be full (we have a guest network that at times was running out of IP addresses and we didn't know).

                                                                                                   

                                                                                                  • The problem with this investment is the lack of integration. We don't expect Infoblox to provide the integration; Solarwinds should do it. Solarwinds provides integration with MS, why not Infoblox?
                                                                                                  • IPAM doesn't integrate with their other modules. I should be able to add a node to NPM and automatically have the same data in IPAM, but that is not the case.
                                                                                                  • We bought Infoblox DNS and DHCP (grid) and we could have bought IPAM from Infoblox, but we had already made the investment in Solarwinds IPAM and we had the knowledge and the maintenance support, and it was hard to justify buying another IPAM solution.

                                                                                                   

                                                                                                  There are many more disappointments that at the end of the day the price we paid is too much for what we got.

                                                                                                    • Re: I Don't See the Point of IPAM
                                                                                                      jgherbert

                                                                                                      Hi ajurado. I'm not criticizing you for any decisions you made. The case with pretty much every DDI solution is that they are compatible with their own family of products and with a couple of standard offerings (e.g. MS DHCP/DNS and ISC BIND/DHCP). Beyond that, integration can be pretty limited, or will require manual (scripted) effort to make integration work. I don't know if Solarwinds should develop a module for Infoblox DHCP - Infoblox and Solarwinds are competitors in the IPAM space after all - but I'd certainly be curious to hear the response if you requested it! I suspect that you would get a lot more out of Infoblox if you were able to run it as a single integrated system (in your case, a full DDI solution) rather than two parallel solutions, but I do understand the cost implications. The question becomes whether or not you can make a cost justification based on benefits of integration, and that will be a very individual decision for your business.

                                                                                                       

                                                                                                      As a side note on integration, Solarwinds just added BIND 8.x/9.x support in IPAM v4.0 in May this year, and the product does not yet support ISC DHCP. My guess (and hope) is that ISC DHCP is next on the roadmap for DHCP integration!

                                                                                                      • Re: I Don't See the Point of IPAM
                                                                                                        michal.hrncirik

                                                                                                        I will try to respond to your question - why we did MS & Cisco integration but not Infoblox so far. The primary reason for this was that I've heard from many people that they don't want to pay for expensive DHCP & DNS appliances, as in the case of BlueCat or Infoblox, and they would rather use existing infrastructure and utilize MS or Cisco DHCP instead (and ISC/BIND too). The truth is that I hear about integration with Infoblox from time to time, but it looks like in this case people would like to convert the rest of the Infoblox API/functionality into SolarWinds IPAM (like backup/restore for IP subnets/DHCP scopes and DNS zones). What about you: what would you be willing to pay for in case you've invested (and are investing) in an Infoblox solution, are not happy with their IPAM and want to buy a 3rd party one?

                                                                                                      • Re: I Don't See the Point of IPAM
                                                                                                        foonly

                                                                                                        I wonder how scanning will work after IPv6 is deployed with huge address spaces. It is impossible to scan a /64 space - it would take years even if you scanned 1000 addresses per second.

                                                                                                         

                                                                                                        I wonder if either InfoBlox or SolarWinds can take advantage of MAC Address change traps to capture updates in near real time to partially address this.

                                                                                                         

                                                                                                        I find that DHCP is not nearly as much of a problem as ad-hoc "temporary" static addresses, and resurrection of old systems that have been powered off for a long time. Even if you have an IPAM solution, you still need SOPs to handle network connection, disconnection, and decommission of devices.

                                                                                                         

                                                                                                        Virtual servers make this even more of a problem, because you can so easily create new "temporary" or test servers that can live in a state of suspended animation on disk for long periods before booting. Using DHCP helps this. But I've seen massive split DHCP problems on our WAN with major datacenter power outages. One must have an SOP to make sure that DHCP is up before any devices that depend on it boot.

                                                                                                         

                                                                                                        It's always the manual stuff that will bite you.

                                                                                                          • Re: I Don't See the Point of IPAM
                                                                                                            matt.matheus

                                                                                                            I'm certainly hoping that companies don't deploy /64 subnets.  There is simply no reason for such a large subnet.  No, just because you can deploy /64 sized subnets doesn't mean you should.  I think if you size your networks appropriately, there shouldn't ever be an issue with scanning.

                                                                                                      • Re: I Don't See the Point of IPAM
                                                                                                        matt.matheus

                                                                                                        For me, the benefit of IPAM is the automated scanning and updating of IP use documentation.  Long gone are the days where it was appropriate to simply pick an address out of a hat after using ping to find something that wasn't in use.  Manual updating of tedious things like IP documentation leads to mistakes and sadly, people who just 'forget' to do it.  The monetary investment in something like Solarwinds IPAM is recouped fairly quickly in time saved working out IP address conflicts. 

                                                                                                        • Re: I Don't See the Point of IPAM
                                                                                                          jspanitz

                                                                                                          We (mostly) ditched the spreadsheets and use IPAM.  It has made life a bit easier.  We have not taken the DNS / DHCP integration plunge yet though.  The only reason we keep the spreadsheets around is for historical purposes.

                                                                                                          • Re: I Don't See the Point of IPAM
                                                                                                            Radioteacher

                                                                                                            We are also an IPAM shop.

                                                                                                             

                                                                                                            Is there a way in IPAM to keep up with Static IP NATs as a "set"?

                                                                                                              So if we looked at IP 10.10.10.10 in IPAM it would state it was NAT or PAT to IP 192.168.1.1?

                                                                                                             

                                                                                                            If I could do that I could kill my last IP spreadsheet.

                                                                                                             

                                                                                                            We do not have Firewall Security Manager yet....

                                                                                                            • Re: I Don't See the Point of IPAM
                                                                                                              zackm

                                                                                                              We use our CMDB for all of our IP addresses. To be quite honest, it is inefficient at best.

                                                                                                              • Re: I Don't See the Point of IPAM
                                                                                                                mraky

                                                                                                                Excel...  the main reason is, we work together with many vendors. Excel is the de facto standard for data structure... so you can create templates... it's powerful, and simple...    But IPAM is also useful... but more for monitoring/verification.

                                                                                                                • Re: I Don't See the Point of IPAM
                                                                                                                  michal.hrncirik

                                                                                                                  How important for you is, for example, automatic IP address provisioning/workflow for IP address assignment? That's still part of the IPAM area. It's also related to VM provisioning; what if IPAM did this kind of IP address "automation/provisioning"?

                                                                                                                  Also, isn't IPAM just a secondary tool for your primary problem, which is DHCP and DNS management? If you were looking for DNS and DHCP solutions, is IPAM just something that you automatically expect to come with them, or do you look for IPAM regardless of DNS and DHCP?

                                                                                                                   

                                                                                                                  What if IPAM provided you with "one-click" backup & restore of your DHCP or DNS configurations, would you perceive this software as something more than just a "spreadsheet replacement"?

                                                                                                                  • Re: I Don't See the Point of IPAM
                                                                                                                    RichardLetts

                                                                                                                    We manage close on half a million IP addresses using text files and some spreadsheets; we're migrating slowly to a database, and SWO IPAM.

                                                                                                                     

                                                                                                                    We have over fourteen thousand subnets, and thousands of domains [the UW is significantly larger than most people realize]; our scale is such that anything that relies on polling is going to be wildly inefficient, and we have a strong aversion to anything that requires root, telnet, or other similarly insecure technologies. About 18 months ago I did an extensive evaluation of IPAM software and found their features very immature, especially in helping us migrate into them... if we had started with them they might have been functional, but not from where we were coming from. Following from that review we realized that our data was poor for integrating into commercial products -- difficulties in loading it were because of things like out-of-zone records, invalid domain names, and other record-keeping data we had embedded in comments in the files. We're taking on IPv6 in a large way, and dealing with IPv6 addresses is a challenge.

                                                                                                                     

                                                                                                                    Step 1 was to clean up the data and to that end we are slowly moving our text files into a database. This database will reflect 'how things should be'.

                                                                                                                    Step 2 is to use that to populate SWO and then use the integration with UDT to determine 'how things are'.

                                                                                                                      • Re: I Don't See the Point of IPAM
                                                                                                                        michal.hrncirik

                                                                                                                        Thanks for the feedback, Richard. We are trying to offer people the easiest way to migrate from their spreadsheets. But it's true, we rely on some best practices and standards in IP address management, so we can't automatically fix or convert some of the scenarios above. But let me ask you: would you rather see IPAM saying "clean up this data" and pointing to specific parts, or just let IPAM clean that up automatically (in this case, it would just use some set of rules for how to do that, so I assume some situations would not be covered)?

                                                                                                                          • Re: I Don't See the Point of IPAM
                                                                                                                            RichardLetts

                                                                                                                            I have ideas on this and will create them in the ideation area.

                                                                                                                             

                                                                                                                            IPAM should pull the data using AXFR and use that to populate the database; trying to parse configuration files is a vendor-specific solution, prone to errors, and generally a terrible idea. i.e. 'neither' is my answer  to your question: the AXFR data should be clean, and does not need your software to clean it up. It side-steps many of the issues.

                                                                                                                        • Re: I Don't See the Point of IPAM
                                                                                                                          sonic boom

                                                                                                                          If you are using IPAM as a high-level tool for subnets, it's great.  But should you ever need to run a report for management or someone just wanting to know which IPs are being used, well then IPAM just falls flat on its face.  It will generate one Excel spreadsheet for each subnet.  1200 subnets = 1200 spreadsheets....

                                                                                                                            • Re: I Don't See the Point of IPAM
                                                                                                                              RandyBrown

                                                                                                                              Maybe I’m misunderstanding you …

                                                                                                                               

                                                                                                                              I just ran a ‘canned’, out-of-the-box report for IPAM called “IPAM - All used IP Addresses” and it gave me a report that shows all in-use IP addresses.  One report, all subnets included.  I can even schedule it to be emailed weekly to management if I have the inclination to do so.

                                                                                                                                • Re: I Don't See the Point of IPAM
                                                                                                                                  sonic boom

                                                                                                                                  You are correct, I should have specified: from within IPAM and not Solarwinds reporting, an option to export an entire folder worth of subnets to one spreadsheet.  I have subnets broken down by Division, then by office.  So if a manager asks for Used IP addresses for a specific division, I need to create a custom report each time until I have all options eventually built.  An option to select a folder within IPAM and select report would be nice.

                                                                                                                              • Re: I Don't See the Point of IPAM
                                                                                                                                newkidd2

                                                                                                                                Our network engineers resisted IPAM, and had decided to stick to their spreadsheets...but now use IPAM a lot.  I think the reason for their reluctance had a lot to do with the way the IPAM tree was designed before I took over.  It was very confusing and also hard for users to know where each subnet was in the tree.  When I took over, we did the following:

                                                                                                                                 

                                                                                                                                1. Checked out the IPAM tree on the SolarWinds demo site (http://oriondemo.solarwinds.com/Orion/IPAM/subnets.aspx), which we liked quite a bit. 
                                                                                                                                2. Re-designed the IPAM tree based on the one from the SolarWinds demo site, with customizations applicable to our firm.
                                                                                                                                3. Made some presentations to our users and showed off the new IPAM tree. 


                                                                                                                                From then on, the spreadsheets are pretty much all gone.  So, I would recommend that you consider re-designing your tree so it works best for you and the IPAM users. Best wishes.

                                                                                                                                • Re: I Don't See the Point of IPAM
                                                                                                                                  pyro13g

                                                                                                                                  We used spreadsheets in the past and they were problematic.  Lots of errors, poor clean up of retired addresses, etc.  We don't use Solarwinds IPAM but we do use Infoblox Trinzic appliances.  We just finished a hardware refresh on them.  We are so confident in the solution that we let appropriate end users do what they need all by themselves.  Get their own IPs, add, delete, change DNS records, reserve DHCP addresses, etc.  I can't remember the last time a duplicate IP was accidentally assigned.  The solution we use can also do an active discovery on network segments to try and expose machines not responding to ICMP and that do not have any other records within the services running on the Infoblox.  Very similar to nmap. 

                                                                                                                                  • Re: I Don't See the Point of IPAM
                                                                                                                                    jreagan

                                                                                                                                    We currently use spreadsheets and like everyone else they are an issue because not everyone works on keeping them up to date and current. We have begun trying to clean this up but it's a time consuming process going by the ARP table in our router.
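An added example, not part of jreagan's post: the check described above, comparing the address sheet with the router's ARP table, scripted in Python. The CSV columns, the sample rows and the Cisco-style ARP text are constructed assumptions; an address missing from ARP is only a cleanup candidate, since a powered-off host leaves no entry.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed sample: an address sheet exported to CSV (column names assumed).
RECORDS_CSV = """ip,hostname,mac,status
10.20.30.1,gw-vlan30,00:11:22:33:44:01,used
10.20.30.10,app01,00:11:22:33:44:10,used
10.20.30.11,app02,00:11:22:33:44:11,used
10.20.30.12,db01,00:11:22:33:44:12,used
10.20.30.12,test-vm,00:11:22:33:44:99,used
10.20.30.13,,,free
"""

# Constructed sample: ARP table text in the layout Cisco IOS prints.
ARP_TABLE = """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.30.1              -   0011.2233.4401  ARPA   Vlan30
Internet  10.20.30.10            12   0011.2233.4410  ARPA   Vlan30
Internet  10.20.30.11             3   0011.2233.44ab  ARPA   Vlan30
Internet  10.20.30.13             0   0011.2233.4413  ARPA   Vlan30
Internet  10.20.30.14             0   Incomplete      ARPA
Internet  10.20.30.50             7   0011.2233.4450  ARPA   Vlan30
"""

ARP_ROW = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+(\S+)\s+ARPA")


def norm_mac(text):
    """Reduce any common MAC notation to 12 lowercase hex digits, else None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text or "").lower()
    return digits if len(digits) == 12 else None


def parse_records(csv_text):
    """Map each IP to every row that claims it, so duplicate rows stay visible."""
    records = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = ipaddress.ip_address(row["ip"].strip())
        records[ip].append({
            "hostname": row["hostname"].strip(),
            "mac": norm_mac(row["mac"]),
            "status": row["status"].strip().lower(),
        })
    return records


def parse_arp(text):
    """Map IP -> MAC for resolved entries; 'Incomplete' rows are skipped."""
    seen = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if not m:
            continue
        mac = norm_mac(m.group(3))
        if mac is not None:
            seen[ipaddress.ip_address(m.group(1))] = mac
    return seen


def reconcile(records, seen):
    """Compare 'how things should be' (records) with 'how things are' (ARP)."""
    findings = {"duplicate_record": [], "mac_mismatch": [],
                "undocumented": [], "stale": []}
    all_ips = sorted(set(records) | set(seen), key=lambda a: (a.version, int(a)))
    for ip in all_ips:
        used = [r for r in records.get(ip, []) if r["status"] == "used"]
        mac = seen.get(ip)
        if len(used) > 1:
            # Two rows hand out the same address: a conflict waiting to happen.
            findings["duplicate_record"].append(str(ip))
        if mac is None:
            if used:
                # Recorded as in use but silent: verify before reclaiming.
                findings["stale"].append(str(ip))
        elif not used:
            # Live on the wire with no record, or with a record marked free.
            findings["undocumented"].append(str(ip))
        elif all(r["mac"] and r["mac"] != mac for r in used):
            # Every row records a MAC and none matches the one observed.
            findings["mac_mismatch"].append(str(ip))
    return findings


if __name__ == "__main__":
    result = reconcile(parse_records(RECORDS_CSV), parse_arp(ARP_TABLE))
    for kind, ips in result.items():
        print(f"{kind:17} {', '.join(ips) or '-'}")
```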

                                                                                                                                      • Re: I Don't See the Point of IPAM
                                                                                                                                        andrethegiant

                                                                                                                                        Spreadsheets are useful for a small environment...

                                                                                                                                        For medium/large environment an IPAM could be useful... but maybe better could be an assets inventory and management system.

                                                                                                                                          • Re: I Don't See the Point of IPAM
                                                                                                                                            RichardLetts

                                                                                                                                            See my post above; we manage a large amount of IPv4 and IPv6 space using spreadsheets, text files, wiki pages, and a small amount of database (pretty much one table, making it no more complex than a spreadsheet).

                                                                                                                                            IPAM's sweet-spot for products appears to be:

                                                                                                                                            - medium sized environments (anything with a /16 or smaller of public IPv4 space) [see ARIN definitions for size: ARIN Fee Schedule]

                                                                                                                                            - standardized environments (think an organization with many retail stores, each with very identical network configurations)

                                                                                                                                            - service provider (where you don't track more finely than subnets)

                                                                                                                                             

                                                                                                                                            My first task with our IPAM environment is to normalize our data into one database, and the user-interface on products is not helping with this.

                                                                                                                                        • Re: I Don't See the Point of IPAM
                                                                                                                                          cahunt

                                                                                                                                          Integration with UDT is great, and once you get the grand experience of managing anything massive with a simple spreadsheet you begin to demand a tool to assist with the concurrency and even proper backup. IP duplication may be a minor issue in some cases, but when you duplicate an important IP and everything goes awry it is good to have a tool to easily reference and know that it is updated properly. Having the experience of seeing inventory managed by spreadsheet and the disasters that can happen with that, it just makes sense to manage your IP inventory with something that is a little more than fully static. IPAM can also assist in some inventory management. Most tools allow for some additions or customizations so you can get more out of it, rather than just a glorified spreadsheet of your network space allocation.

                                                                                                                                          • Re: I Don't See the Point of IPAM
                                                                                                                                            foonly

                                                                                                                                            Our ActiveDirectory team recently advised that Windows 2012 has IPAM now. It does, but it's pretty weak. It only tracks devices that register with Windows DHCP. It cannot handle statics automatically like SolarWinds can. It cannot handle BIND or Cisco DHCP like SolarWinds can.

                                                                                                                                             

                                                                                                                                            Finally, I really wish IPAM would get its address info from ARP tables, and possibly based on MAC address change traps.

                                                                                                                                             

                                                                                                                                            =seymour=

                                                                                                                                             

                                                                                                                                              • Re: I Don't See the Point of IPAM
                                                                                                                                                RichardLetts

                                                                                                                                                This is what Neighbour polling does in IPAM (grab the ARP table from the router supporting the subnet).

                                                                                                                                                • Re: I Don't See the Point of IPAM
                                                                                                                                                  bradreyes83
                                                                                                                                                  I never got Windows 2012 working correctly. We have some crazy group policies that prevent IPAM from auto-provisioning. On a side note, I hate spreadsheets. Only one person can work in Excel at a time without the risk of overwriting someone else's changes. In addition, I like to know historical data for an IP address. It helps us figure out why we might have had certain rules in our ACLs.
                                                                                                                                                    • Re: I Don't See the Point of IPAM
                                                                                                                                                      cahunt

                                                                                                                                                      The new SharePoint 2013 allows for dual editing... and I am sure there are better solutions for sharing/editing network documents.

                                                                                                                                                        But IPAM gives you that central repository to hold that data; just export it to the network drive or SP for others to view and utilize.

                                                                                                                                                        Update weekly or monthly depending on your size so this is not something you are exporting daily.

                                                                                                                                                  • Re: I Don't See the Point of IPAM
                                                                                                                                                    michal.hrncirik

                                                                                                                                                    Inspired by this great thread, we prepared 10 questions in this short IP Address Management Survey. I would love to see the summary of your votes and thoughts.

                                                                                                                                                    • Re: I Don't See the Point of IPAM
                                                                                                                                                      Mark Doering

                                                                                                                                                      We presently use the IPAM tool in the Engineer's Toolset and have it set to publish all subnets automatically to the web with a directory in the SolarWinds web root. We then have a link in our menu bar that points to the index. This works... but only as long as we have someone logged in with the application open. I've been trying to get buy-in to purchase the web version for easier consumption/updating without having a user logged in. With the number of systems and admins we have, IPAM is almost a requirement.

                                                                                                                                                      • Re: I Don't See the Point of IPAM
                                                                                                                                                        mraky

                                                                                                                                                        Hi everybody,

                                                                                                                                                        So I just added IPAM to the SolarWinds server/Orion.

                                                                                                                                                         

                                                                                                                                                        From what I can see, I really like the idea, but one basic feature is missing, and I believe it is not so hard to do. IPAM is not fully integrated into SolarWinds NPM at this moment. What do I mean? I mean there is no simple poller/way to update the IPAM database from the existing network (we do not use DNS/DHCP, just a mesh of routers and hundred-thousands of subnets). I had to export all data from SolarWinds, then prepare a nice XLS sheet and import it. Then I had to ask support to help me with how to add all addresses for all imported subnets. It is solved, but it's nothing simple to do. Moreover, keeping it updated will be a nightmare.

                                                                                                                                                         

                                                                                                                                                         

                                                                                                                                                         

                                                                                                                                                        I sent a new feature request - please support me if you agree with it (I hope there is no similar request).

                                                                                                                                                        http://thwack.solarwinds.com/ideas/3337

                                                                                                                                                         

                                                                                                                                                         

                                                                                                                                                        br,

                                                                                                                                                        m