
DHCP or Static IPs?

December 14th, 2006 Posted in Network

Currently, all our desktops & laptops use DHCP on our network. I’ve been considering changing them to static for a cleaner network, easier monitoring of our computers and help in detecting rogue clients & other devices (by keeping a DHCP server going, but regulating that IP range).

For laptops it’s a little complicated since they go to other networks, so I’d have to put the IP info on the Alternate Configuration tab on both the LAN and wLAN settings.

What do you do, DHCP or static IPs on your desktops and laptops? Why?

Thanks for your input!

6 Responses to “DHCP or Static IPs?”

  1. Brett Anderson Says:

    DHCP, because it’s basically plug and play for the clients. Of course that’s also the worst thing about it when it comes to security. I’ll be curious to see what you end up doing.


  2. Hank Osborne Says:

    I recommend that you consider DHCP reservations as a middle ground between the static addresses and your current DHCP configuration. There are several reasons for this, but the main reason is for centralized control of changes to DNS, Default Gateways, and Subnet Mask. I would definitely continue to use DHCP for laptops since they are frequently moved between your network and other networks. If you feel that static are the only way for you then you might offer your users the ability to change their own IP settings on the laptops for when they travel. Here are a couple of scripts you can use in two separate BAT files to easily switch between static and DHCP without having to open the TCP/IP settings of their NIC.

    Put the following two lines in a file called office.bat.
    netsh interface ip set address name="Local Area Connection" static 192.168.0.2 255.255.255.0 192.168.0.1 1
    netsh interface ip set dns "Local Area Connection" static 4.2.2.1 primary

    Put these next two lines in a file named away.bat.
    netsh interface ip set address name="Local Area Connection" source=dhcp
    netsh interface ip set dns name="Local Area Connection" source=dhcp

    Note: The “name” variable must match the Name shown for that NIC in the Control Panel/Network Connections. If you are wondering how I ssh from the command line of Windows you should check out my post titled SSH from Windows CMD line.

    Since my job most often requires me to interface with network devices via telnet or ssh I like not having to use the mouse when in a tight network closet. I am often working on IP segments that do not have DHCP configured so I put several of these types of files with short easy to remember names in my system directory. You can use any other folder found in your path statement. That way I can run them from any folder on the command line without having to use the mouse.

    One way to stop the rogue clients is by implementing port security on your switches where you match a port to a specific MAC address. Most IOS versions from Cisco support this as a standard these days. I am not sure about 3Com. This can be difficult to manage in an area where you have a lot of visiting network users. In that case you should consider putting those non-secured drops in a DMZ off your firewall to keep them off of your trusted/inside network IP segment.


  3. Travis Kensil Says:

    Trace,

    I would stay with a DHCP server. If you ever need to change IP addressing/subnets it is much easier to update it in one place than go to every machine and manually change them. If you’re worried about security, look into LAN segmentation and MAC address filtering.

    Our network is segmented into 3 parts (one for staff, one for the “public” and one for wireless). I have MAC address filtering enabled on every staff port, which immediately locks the port if the proper MAC address doesn’t connect. Laptops are not allowed on our staff network unless they are church provided. The public and wlan networks do not have MAC address filtering enabled, as this is not needed. Our wireless access is restricted by a Captive Portal. I use Angry IP Scanner to check the network for rogue addresses; it’s a great little utility. Also many DHCP servers have the ability to only allow leases to certain MAC addresses; that’s another option you may consider. If you got the Sonicwall you should easily be able to segment your network and provide “secured” DHCP services without having to use statics. I know we had statics for a while; but last year we needed to change our IPs, network wide, and it was a pain. This year we are back to DHCP-provided addressing.

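An added example, not written by the post's author or any commenter: a Python script for the check discussed above, comparing the hosts seen on the wire against a table of DHCP reservations so that anything unregistered stands out. The MAC addresses, the `GUEST_POOL` range and the `arp -a` sample are constructed values; `RESERVATIONS`, `GUEST_POOL` and the function names are hypothetical.

```python
import re

# Constructed inventory: MAC -> reserved IP, as a DHCP reservation table
# or a static-IP spreadsheet would hold it (hypothetical values).
RESERVATIONS = {
    "00-1a-2b-3c-4d-01": "192.168.0.2",
    "00-1a-2b-3c-4d-02": "192.168.0.3",
}
# Assumption: the only range the DHCP server leases to unregistered clients.
GUEST_POOL = ("192.168.0.200", "192.168.0.250")

# Constructed sample of Windows `arp -a` output.
ARP_OUTPUT = """\
Interface: 192.168.0.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.2           00-1a-2b-3c-4d-01     dynamic
  192.168.0.7           00-1a-2b-3c-4d-02     dynamic
  192.168.0.3           66-55-44-33-22-11     dynamic
  192.168.0.201         de-ad-be-ef-00-01     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""
ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)",
    re.I | re.M)

def ip_key(ip):
    """Turn a dotted quad into a tuple so ranges compare numerically."""
    return tuple(int(part) for part in ip.split("."))

def parse_arp(text):
    """Return (ip, mac) pairs, skipping broadcast and multicast entries."""
    pairs = []
    for ip, mac, _type in ROW.findall(text):
        mac = mac.lower()
        if int(mac[:2], 16) & 1:   # group bit set: not a single host
            continue
        pairs.append((ip, mac))
    return pairs

def classify(ip, mac):
    if RESERVATIONS.get(mac) == ip:
        return "ok"
    if mac in RESERVATIONS:                # our machine, unexpected address
        return "known-mac-wrong-ip"
    if ip in RESERVATIONS.values():        # someone else holds a reserved IP
        return "reserved-ip-wrong-mac"
    if ip_key(GUEST_POOL[0]) <= ip_key(ip) <= ip_key(GUEST_POOL[1]):
        return "unregistered-in-pool"      # unknown device that took a lease
    return "unregistered-outside-pool"     # unknown device, self-assigned IP

def audit(text=ARP_OUTPUT):
    return {ip: classify(ip, mac) for ip, mac in parse_arp(text)}
```

The ARP cache only lists hosts the machine has talked to recently, so the comparison is most useful right after a sweep of the subnet.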

  4. Tech Land » Blog Archive » DHCP or Static? Says:

    [...] This is a fairly common question in small IT shops. I have faced this question a couple of times in my IT career and I will share some details from my experiences. I posted a lengthy comment on the subject of DHCP vs static IP addresses on my friend Trace’s new blog. Trace started a brand new blog a few weeks ago titled Trace Pupke:another church IT blog. Trace is the IT Director of Seacoast Church. Here is what I had to say on the question of “DHCP or Static IPs?”. I recommend that you consider DHCP reservations as a middle ground between the static addresses and your current DHCP configuration. There are several reasons for this, but the main reason is for centralized control of changes to DNS, Default Gateways, and Subnet Mask. I would definitely continue to use DHCP for laptops since they are frequently moved between your network and other networks. If you feel that static addresses are the only way for you then you might offer your users the ability to change their own IP settings on the laptops for when they travel. Here are a couple of scripts you can use in two separate BAT files to easily switch between static and DHCP without having to open the TCP/IP settings of their NIC. Put the following two lines in a file called office.bat. netsh interface ip set address name="Local Area Connection" static 192.168.0.2 255.255.255.0 192.168.0.1 1 netsh interface ip set dns "Local Area Connection" static 4.2.2.1 primary Put these next two lines in a file named away.bat. netsh interface ip set address name="Local Area Connection" source=dhcp netsh interface ip set dns name="Local Area Connection" source=dhcp Note: The “name” variable must match the Name shown for that NIC in the Control Panel/Network Connections. If you are wondering how I ssh from the command line of Windows you should check out my post titled SSH from Windows CMD line. [...]


  5. Jason Powell Says:

    DHCP with LOOOOONG lease times is what we’re doing.


  6. DHCP Security? Says:

    [...] Trace Pupke wonders about using DHCP or Static IPs on his network, especially in regards to DHCP security. We use DHCP, and I wouldn’t think about trying to manage static IPs, it would be a nightmare. Eventually my plan is to use the new HP ProCurve switches we just got (more coming about those sometime soon) to enforce either MAC-based port security, especially in publicly-accessible network ports, or to go all out and use 802.1x authentication just like I’ve partially implemented already on our wireless network so that only authorized users could connect to the port. Or even better, allow anyone to connect to the public network on a port, and if they authenticated with 802.1x as a staff member, give them staff level access instead. I know the switches we have now will do this, it’s just a bit complex to get set up, and more so to make sure it’s reliable enough for real use, and that all clients are configured properly. [...]

