
Question about DHCP sync and exclusion

fnielsen
Techie
Posts: 6

Been using Infoblox for a while, but only recently enabled synchronization between the Grid DB and our active Microsoft DNS and DHCP services, came up with two questions:

  • For DHCP servers at a particular location\domain, a few hours after integrating we found all our DHCP scopes had been removed.  We initially had issues with insufficient permissions with the service account used, which were eventually corrected; and we also decided to remove and restructure some of the network definitions within the IPAM database that pertained to the DHCP scopes after we had enabled the sync.  Can either of these actions potentially explain the scopes getting removed on the Microsoft systems?
  • Many of our DHCP scopes include exclusion ranges.  These are being synced along with the other DHCP scope options.  However the IPAM flags the status for the IP addresses within these exclusion ranges as "used".  Seems to me these excluded IP addresses should be "unused" - at least that's what we'd like to see.

Re: Question about DHCP sync and exclusion

Adviser
Posts: 80

Don't know about the Microsoft DHCP server issue. I always start in read-only mode first.

About the second: a reserved address is a 'used' address in IPAM because it's reserved. Maybe this reserved range (exclusion) contains your gateway IP; you don't want that to be used by anything else, right?

Re: Question about DHCP sync and exclusion

fnielsen
Techie
Posts: 6

On exclusions, yes, that's kind of my point: we want to say that for IP addresses in that excluded range, we intend to manually make reserved IP assignments in the IPAM for statically configured hosts - but because they are currently statused as used, this makes 'next available IP' and other functions completely unavailable.  The subnets also show as 100% utilized in the IPAM when in fact there are IP addresses available for static assignment.

I can achieve the behavior we want to see in IPAM by adjusting the start or end of a DHCP scope (rather than using exclusions), but doing it that way means I cannot have a reserved\excluded range in the middle of a scope, or have multiple excluded ranges in a scope.

It just seems to me that IP addresses that are excluded should be unused until otherwise flagged for something else in IPAM.  What am I missing?

Re: Question about DHCP sync and exclusion

TTiscareno
Community Manager
Posts: 340

IPs are marked as used once an object is associated with them in the database, and a reservation/exclusion accomplishes this. The reason why it is considered as used is because NIOS does not know why it was reserved or excluded. It may be that you intended for it to be available for future use, but others may want to block off those addresses because they have been handed to another group to use at their convenience and do not want to update IPAM information or will do so later on.

When administrators will be manually provisioning IPs, they will generally leave a block of addresses available outside of a DHCP range for this purpose. That block of addresses will remain available when using the Get Next Available IP function.

Regards,

Tony

Re: Question about DHCP sync and exclusion

fnielsen
Techie
Posts: 6

I still struggle with the mindset on this.  When you exclude a range from DHCP, it should not show as used by DHCP - which it does today on our 8.2 systems.

If the intention of an exclusion is to reserve this excluded block for something else\future\static\whatever, there are arguably better functions on the IPAM side for doing that.  If the intention of an exclusion is to leave those IPs unused for future assignment, well... too bad, I guess.

And having a requirement to do it at the top or bottom of a scope to let them be unused in IPAM makes the Infoblox approach less flexible.  Leaving one block (or ten) outside of a DHCP scope's assignment range via ranged exclusions is an exceedingly common practice in MSFT-only DHCP environments.
