Freedom from IP Address Overload

FRAMINGHAM (05/01/2000) - Not so long ago, network managers would assign and manage IP addresses by manually updating tab-delimited HOSTS text files of static addresses and then distribute the resulting files throughout the company. Network administrators would put copies of the files in the appropriate directories for each server and each client. Many of these same companies added to the paperwork hell by mandating the manual assignment of a locally administered address for each network adapter, which overrode the burned-in network adapter ID. The resulting workload was a millstone around network administrators' necks. Major hiring efforts and acquisitions of other companies crushed the administrators, whose lives became a horror show overnight (and over weekends).

Because no one could think of a good reason for using them, most companies have abandoned the assignment of locally administered network adapter addresses. The advent of BOOTP alleviated some of the IP address management burden. However, the RFCs for the Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) hold the most promise for network administrators who want their lives back. Tools that automatically assign IP addresses and offer easy administration of TCP/IP protocol stack configurations are readily available and mature. Not only do they save network administrators time and effort, but they also eliminate duplicate IP addresses on networks and frugally dole out addresses from dynamic ranges. Typically costing less than $5 per node, the tools are not very expensive.

To help you find the best DNS/DHCP tool, we invited six vendors to submit their IP address management products. Cisco Systems Inc. declined our invitation to test its Network Registrar product because it is between product versions. We asked that the tools support the DNS and DHCP specifications, be able to assign IP addresses across multiple routed subnet domains, track and report on address assignments, and work in a heterogeneous platform environment.

We received and tested five products: Lucent Technologies Inc.'s QIP Enterprise 5.0 (Service Pack 2 with Registration Manager, Provisioning Manager, Services Manager and Audit Manager optional components); two of Network TeleSystems Inc.'s Shadow IPserver S50 network appliances (one primary, one secondary) and Shadow IPserver software (IPmanager, IPcentral and IPserver Console); Process Software's IP AddressWorks 2.0; Nortel Network Corp.'s NetID 4.1.5; and Check Point Software Technologies Ltd.'s Meta IP 4.1 (Service Pack 3). We also compared these products to Novell Inc.'s NetWare 5.1 network operating system (10-user version) and Microsoft Corp.'s Windows 2000 Server operating system, which offer DNS and DHCP services as part of the operating system.

Our Blue Ribbon Award goes to Lucent's QIP Enterprise, which proved to be a serious and productive network utility, especially for enterprise-size networks. Its scalability, excellent performance and useful features make it the best DHCP and DNS tool.

We found the user-to-address mapping of Check Point's Meta IP worth mentioning as a great time saver. Network TeleSystems' Shadow IPserver and Meta IP offered the best-designed user interfaces, and the built-in DHCP and DNS functions of NetWare and Win 2000 are useful for small and midsize businesses that already use Novell Directory Services (NDS) or Microsoft's Active Directory to keep track of network resources.

Name that node

QIP Enterprise impressed us with its ability to handle large volumes of IP addresses and assign them rapidly. It let us easily spread the workload across multiple QIP Enterprise servers, and Lucent's software interoperated well with other vendors' DHCP and DNS implementations. QIP Enterprise's DNS server supports the Internet Software Consortium's (ISC) Berkeley Internet Name Domain (BIND) Versions 4.9 and 8, with extensions. Its DHCP server functioned perfectly, as either primary or secondary, when we ran it alongside the other products' DHCP servers.

QIP Enterprise's multithreaded design, which contributes to its fast performance, was apparent when we inspected it via NT Server's Performance Monitor. In our reliability tests, QIP Enterprise ensured that IP address leases weren't orphaned or reassigned. It sent lease information updates to other primary or secondary DNS servers and recorded the address assignments in its central relational database for audit, reporting and recovery purposes.

QIP Enterprise's approach to incremental zone transfers is unique and highly effective. Eschewing the process documented in RFC 1995 (IXFR) as cumbersome and unreliable, Lucent's programmers designed a proprietary BIND extension that uses Dynamic DNS updates to propagate changes and keep master and slave servers synchronized. QIP Enterprise periodically performs full zone transfers as a backup mechanism. Because the scheme rides on dynamic update, the master must accept updates only from its designated peers (by source address or, better, by signed updates); a server that accepts updates from any host lets any host rewrite the zone.

In our lab, the two Shadow IPserver S50 network devices acted in tandem to provide highly reliable, redundant primary and secondary DNS and DHCP services.

Shadow IPserver was nearly as quick as QIP Enterprise in doling out IP addresses, and its rich feature set is evidence that network administrators helped design the product. Shadow IPserver's IPcentral component let us define policies for network configuration and access, automatically reconciled and handled legacy static address assignments within our DHCP environment and made quick work of discovering the elements of our existing IP network.

Not as fast as QIP Enterprise and Shadow IPserver but with plenty of features, Nortel's NetID was highly fault-tolerant in our tests. When we tested its reliability by disconnecting WAN links and stopping its database, NetID's individual primary and secondary components continued to function independently. The servers also emitted alarms that we viewed through the NetID Management Console. The Windows NT version of NetID we tested supports BIND 8.1.1, and Nortel says its Unix version supports BIND 8.1.2. Like QIP Enterprise, NetID distributed DHCP address assignments to other NetID DNS servers as well as the NetID relational database (Sybase or Oracle).

From a central management platform, NetID manages static and dynamic addresses.

It also contains special support for companies that want to migrate from static to dynamic addressing. By allowing dynamic address ranges to overlap static addresses, NetID helps administrators transition to DHCP on a subnet-by-subnet basis.

Despite its name, Check Point's Meta IP isn't yet ready to assume the IP address management chores of a large organization. Although Meta IP's DNS is a direct port of BIND 8.2.2 (the ISC's reference implementation of DNS), address assignment performance fell far short of QIP Enterprise, Shadow IPserver and NetID. However, Meta IP did integrate openly and seamlessly with the other products' DNS/DHCP servers in the lab, and Check Point extended the ISC reference code so that all lease information is replicated between primary and secondary DHCP servers.

Check Point markets two configurations of Meta IP: Meta IP Standard and Meta IP Enterprise. The Standard edition can manage only up to 1,000 dynamically assigned addresses, while the Enterprise edition has no self-imposed limits.

Both editions offer what Check Point terms user-to-address mapping, a highly useful function that detects logons and equates logon account IDs with assigned IP addresses. Both also integrate with Check Point's FireWall-1 product to enforce security as they assign IP addresses and track names in a firewalled environment.

Process Software's IP AddressWorks, like Meta IP, is a highly standards-compliant implementation of DNS and DHCP. IP AddressWorks was quicker in our tests at assigning addresses than Meta IP, but still slower than QIP Enterprise, Shadow IPserver and NetID. Its DHCP Safe Failover feature did a superior job of handling server failures. IP AddressWorks didn't skip a beat when we disconnected DHCP servers from different subnets in the lab. However, it lacks the ability to define and group clients in as many ways as QIP Enterprise and NetID.

NetWare's DHCP and DNS functions are NetWare Loadable Modules (NLM) that use NDS to store and retrieve IP address information. If you already have a working live NDS tree, you'll find Novell's DHCP and DNS a natural extension to your directory. However, you wouldn't want to introduce NetWare into your company just to manage your IP addresses.

Because we used NetWare in its usual role as file server at the same time we forced it to assign IP addresses, NetWare was slower than all except Win 2000 at responding to DHCPDISCOVER messages. As a result of some programming bugs (invalid pointers) we encountered, the DHCP/DNS NLMs also caused a few protection faults. These faults crashed our NetWare servers. If you decide to use NetWare's DNS/DHCP feature and you have multiple NetWare machines, we recommend putting the NLMs on your least critical and least busy NetWare servers, so that a fault in the NLMs does not take down a server you depend on for anything else.

Just as NetWare 's DHCP and DNS rely on Novell 's NDS technology, Win 2000 address management services rely on Microsoft 's Active Directory technology.

If you're at a small to midsize organization that decided to use Active Directory as the central inventory tool for network resources, Win 2000's DHCP and DNS functions may be right for you. We were delighted that Active Directory uses a multimaster replication engine, which meant we didn't have to maintain separate replication network pathways for DNS. We also liked Win 2000's multicast address allocation feature. However, on a Win 2000 server that we kept busy as a file server and Web server, the Active Directory-based DHCP and DNS in Win 2000 performed much slower than all other products reviewed.

Moreover, Active Directory is new technology from Microsoft, and the company is still adding features.

User administration

Whether it's a Class A, B or C address, an IP address should be relevant to the computer or network device to which it's assigned. A DHCP server that randomly assigns addresses is only slightly better than distributing a manually updated HOSTS file. Fortunately, these DNS/DHCP products offered many ways to associate an IP address with specific users, devices and subnets. For example, Meta IP's creative use of logon account information made it the most productive tool for classifying users, while Lucent's QIP Enterprise puts the onus on each user to create correct IP address relationships. That scheme saves time for network administrators but opens up the possibility of confusion and error.

Network TeleSystems' Shadow IPserver takes a policy-based approach to classifying users for IP address assignment. Using rules and criteria set up by a network administrator, Shadow IPserver groups users by DHCP User Class (such as marketing, engineering and accounting), media access control (MAC) address and the rarely used DHCP Vendor Class. Unfortunately, in contrast to QIP Enterprise's and Meta IP's approaches, Shadow IPserver makes the hapless network administrator assign each user to a User Class (one by one), take note of the user's MAC address or find a TCP/IP protocol stack that supports DHCP Vendor Class. Keep in mind, too, that User Class, Vendor Class and MAC address are all supplied by the requesting client, so classifying by them steers which pool a client draws from but cannot by itself serve as access control. Only its excellent user interface saved Shadow IPserver from a lower score for administration in our scorecard.

Meta IP's user-to-address mapping technology made our jobs as IP address administrators a snap. In contrast to specifying users' MAC addresses or subnet IDs, user-to-address mapping is clearly a superior method of identifying IP clients. Using Meta IP, we mapped dynamically assigned IP addresses to clients based on logon account ID, logon time and MAC address. By automatically correlating file server logons with dynamic IP address leases, Meta IP let us painlessly track address assignments by user rather than by machine address, which is also what you need when a log entry records only a source address and a time.

Meta IP stored the result in its database for reporting purposes and monitoring network usage.
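To show concretely what a user-to-address mapping has to do, here is an added example that is not Meta IP's code or any vendor's. It joins DHCP lease records with file server logon events and answers "which user held this address at this time?". The addresses, MACs, users and timestamps are all constructed for illustration. The point the example makes is the one the mapping exists for: the same address belongs to a different machine an hour later, so the lookup only counts logons that fall inside the lease that was active at the instant asked about, and it refuses to guess when that lease has seen no logon yet.

```python
"""Added example: answer "which user held address X at time T?" by joining
DHCP lease records with logon events. All records below are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    start: datetime
    end: datetime        # expiry or release; the address may be reissued after this


@dataclass(frozen=True)
class Logon:
    user: str
    ip: str              # address the logon came from, as the file server saw it
    at: datetime


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data (invented addresses, MACs and users).
# 10.1.5.20 is leased to one machine in the morning and to a different one after noon.
LEASES: List[Lease] = [
    Lease("10.1.5.20", "00:10:a4:9b:12:34", _t("2000-04-03T08:00:00"), _t("2000-04-03T12:00:00")),
    Lease("10.1.5.20", "00:50:04:7c:aa:01", _t("2000-04-03T12:30:00"), _t("2000-04-03T20:00:00")),
    Lease("10.1.5.21", "00:10:a4:9b:12:34", _t("2000-04-03T12:15:00"), _t("2000-04-03T20:00:00")),
]
LOGONS: List[Logon] = [
    Logon("alice", "10.1.5.20", _t("2000-04-03T08:05:00")),
    Logon("bob",   "10.1.5.20", _t("2000-04-03T12:40:00")),
    Logon("alice", "10.1.5.21", _t("2000-04-03T12:20:00")),
]


def lease_at(ip: str, when: str, leases=LEASES) -> Optional[Lease]:
    """The lease that covered `ip` at `when` (ISO 8601 timestamp), if any."""
    t = _t(when)
    for lease in leases:
        if lease.ip == ip and lease.start <= t < lease.end:
            return lease
    return None


def mac_at(ip: str, when: str, leases=LEASES) -> Optional[str]:
    """Machine-level answer: the hardware address holding the lease."""
    lease = lease_at(ip, when, leases)
    return lease.mac if lease else None


def user_at(ip: str, when: str, leases=LEASES, logons=LOGONS) -> Optional[str]:
    """User-level answer: the most recent logon from `ip` inside the lease that
    was active at `when`. Logons from an earlier lease of the same address are
    ignored, so a reissued address is not misattributed to its previous holder."""
    lease = lease_at(ip, when, leases)
    if lease is None:
        return None
    t = _t(when)
    hits = [g for g in logons if g.ip == ip and lease.start <= g.at <= t]
    if not hits:
        return None
    return max(hits, key=lambda g: g.at).user
```

Asking for 10.1.5.20 at 09:00 yields alice and at 13:00 yields bob; at 12:10 there is no lease at all, and at 12:35 bob's lease exists but he has not logged on yet, so both return nothing rather than a wrong name. The lease end is treated as exclusive because a released address can be reissued immediately.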

With its complementary Registration Manager option, QIP Enterprise can distinguish requests for IP addresses by MAC address (or the DHCP client identifier option) as well as DHCP Vendor Class. By default, QIP Enterprise allots addresses from a general address pool. When the client then visits Registration Manager's intranet Web site and identifies himself or herself in whatever manner the network administrator has designated, QIP Enterprise associates the assigned IP address with that client's MAC address. QIP Enterprise responds to subsequent DHCPDISCOVER requests from that MAC address with the registered IP address. A network administrator can change QIP Enterprise's registration for that client to allocate an address based on group membership in an alternate or preferred subnet. QIP Enterprise clients can belong to a single group or multiple groups.

Of course, replacing the user's network adapter or entire desktop computer when hardware problems occur forces that user back through the registration process.
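The classification scheme described for Shadow IPserver (User Class, Vendor Class, MAC address) and the registration scheme described for QIP Enterprise (a registered MAC answered with a fixed address) both start from the same few fields of the client's DHCPDISCOVER. The following added example, which is not any vendor's code, builds a constructed DHCPDISCOVER with the RFC 2131 layout, parses its option field, and applies a hypothetical policy table: a registered hardware address gets its reserved address, a recognized User Class (option 77) or Vendor Class (option 60) gets its pool, and everything else falls to the general pool. The registration table, pool ranges and class names are invented. The last case in the usage note is the caveat from the text: every one of these fields, the hardware address included, is written by the client.

```python
"""Added example: classify a DHCPDISCOVER by the fields these products key on
(hardware address / client identifier, User Class, Vendor Class).
Packet layout follows RFC 2131; the policy tables are invented for illustration."""
import struct

MAGIC = b"\x63\x82\x53\x63"            # DHCP option-field magic cookie

# --- constructed policy (hypothetical; not any vendor's configuration) ---
REGISTRATIONS = {"00:10:a4:9b:12:34": "10.1.5.50"}   # registered MAC -> fixed address
USER_CLASS_POOLS = {b"engineering": "10.1.20.0/24", b"accounting": "10.1.30.0/24"}
VENDOR_CLASS_POOLS = {b"PXEClient": "10.1.99.0/24"}  # matched as a prefix of option 60
GENERAL_POOL = "10.1.5.0/24"


def build_discover(mac: bytes, options: dict) -> bytes:
    """Build a minimal broadcast DHCPDISCOVER (constructed test input only)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, len(mac), 0,      # op=BOOTREQUEST, htype=Ethernet, hlen, hops
                         0x3903F326, 0, 0x8000,  # xid, secs, flags (broadcast bit set)
                         b"", b"", b"", b"",     # ciaddr, yiaddr, siaddr, giaddr (zero)
                         mac, b"", b"")          # chaddr, sname, file (struct zero-pads)
    body = MAGIC + bytes([53, 1, 1])             # option 53: message type 1 = DHCPDISCOVER
    for code, value in options.items():
        body += bytes([code, len(value)]) + value
    return header + body + b"\xff"               # option 255: end


def parse_options(pkt: bytes) -> dict:
    """Decode the TLV option field. A code that appears twice is concatenated
    (RFC 3396); pad and end options are honoured; truncation is an error."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:                            # pad
            i += 1
            continue
        if code == 255:                          # end
            break
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def client_key(pkt: bytes, opts: dict) -> str:
    """Identity the server keys on: option 61 (client identifier) when it carries
    an Ethernet address, otherwise the chaddr field at offset 28 of the header."""
    ident = opts.get(61)
    if ident and ident[0] == 1 and len(ident) == 7:
        return ":".join(f"{b:02x}" for b in ident[1:])
    hlen = pkt[2]
    return ":".join(f"{b:02x}" for b in pkt[28:28 + hlen])


def user_classes(raw: bytes) -> list:
    """Option 77 per RFC 3004 is a list of length-prefixed classes; many
    pre-RFC clients send one bare string, which the fallback accepts."""
    classes, i = [], 0
    while i < len(raw):
        n = raw[i]
        if n == 0 or i + 1 + n > len(raw):
            return [raw]
        classes.append(raw[i + 1:i + 1 + n])
        i += 1 + n
    return classes


def classify(pkt: bytes) -> tuple:
    """Return (rule that matched, address or pool to allocate from).
    Every input examined here is asserted by the client: this steers
    allocation, it does not authenticate anyone."""
    opts = parse_options(pkt)
    if opts.get(53) != b"\x01":
        raise ValueError("not a DHCPDISCOVER")
    key = client_key(pkt, opts)
    if key in REGISTRATIONS:
        return ("registered", REGISTRATIONS[key])
    for cls in user_classes(opts.get(77, b"")):
        if cls in USER_CLASS_POOLS:
            return ("user-class", USER_CLASS_POOLS[cls])
    vendor = opts.get(60, b"")
    for prefix, pool in VENDOR_CLASS_POOLS.items():
        if vendor.startswith(prefix):
            return ("vendor-class", pool)
    return ("general", GENERAL_POOL)
```

A discover from the registered MAC yields the reserved 10.1.5.50; one carrying a User Class of "engineering" (in either the RFC 3004 length-prefixed form or the bare-string form) yields the engineering pool; a PXE vendor class yields the PXE pool. A discover from an unregistered adapter that simply presents the registered MAC in its client identifier option is also answered with 10.1.5.50, which is why a MAC-keyed registration is a convenience for address management and not an authentication of the machine.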

The Subnet Organizer component within QIP Enterprise handles true Variable-Length Subnet Masking (VLSM). This let us easily split subnets or join them with other, even noncontiguous, subnets. The component also provides a customizable management interface for delegating an IP address space to specific administrators or groups of administrators across domains, networks and subnets. QIP Enterprise transparently and quickly passed the appropriate DHCP and DNS inheritances to the newly configured subnets we created.

Nortel's NetID also supports VLSM IP address architectures. Partitioning or joining subnets with NetID was even easier than with QIP Enterprise, and we liked how NetID automatically calculated the subnet mask values. However, NetID needs a better approach to identifying users for IP address assignment, one that saves network administrators from the tedious chore of manually placing each user in a group or logical subnet.
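The VLSM splitting, joining and mask calculation that QIP Enterprise's Subnet Organizer and NetID perform reduce to a short algorithm, shown here as an added example that is not either product's code. Given a parent block and the number of hosts each subnet needs, it sizes each subnet to the smallest power of two that fits (hosts plus network and broadcast addresses), carves them off largest first so they pack without gaps, reports the free space left over, merges subnets back together where they are adjacent and aligned, and checks a finished plan for overlaps. The parent block and the department names are invented.

```python
"""Added example: VLSM allocation, join and overlap check with the standard
library's ipaddress module. Inputs below are constructed for illustration."""
import ipaddress
from typing import Dict, Iterable, List, Tuple


def prefix_for_hosts(hosts: int) -> int:
    """Smallest subnet (longest prefix) with room for `hosts` plus the
    network and broadcast addresses."""
    need = hosts + 2
    return max(0, 32 - (need - 1).bit_length())


def mask_for_hosts(hosts: int) -> str:
    """Dotted subnet mask for that subnet size, e.g. 50 hosts -> 255.255.255.192."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_for_hosts(hosts)}").netmask)


def vlsm_allocate(parent: str, requirements: Dict[str, int]) -> Tuple[Dict[str, str], List[str]]:
    """Carve `parent` into one subnet per requirement (name -> hosts needed).
    Returns (allocations, free blocks left). Largest requests are placed
    first so smaller ones fill the remaining space without fragmentation."""
    free = [ipaddress.ip_network(parent)]
    alloc: Dict[str, str] = {}
    for name, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(hosts)
        # Smallest free block that still fits; lowest address on ties.
        free.sort(key=lambda n: (-n.prefixlen, n.network_address))
        for i, blk in enumerate(free):
            if blk.prefixlen <= prefix:
                chosen = free.pop(i)
                break
        else:
            raise ValueError(f"no room in {parent} for {name} (/{prefix})")
        # Halve the block until it is exactly the size wanted, keeping the
        # upper halves as free space.
        while chosen.prefixlen < prefix:
            lower, upper = chosen.subnets(prefixlen_diff=1)
            free.append(upper)
            chosen = lower
        alloc[name] = str(chosen)
    return alloc, [str(n) for n in free]


def join_subnets(nets: Iterable[str]) -> List[str]:
    """Merge subnets into the fewest covering networks. Adjacent, aligned
    halves become their supernet; noncontiguous pieces stay separate."""
    return [str(n) for n in ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in nets)]


def check_plan(parent: str, nets: Iterable[str]) -> bool:
    """True if every subnet lies inside `parent` and no two overlap."""
    p = ipaddress.ip_network(parent)
    ns = [ipaddress.ip_network(n) for n in nets]
    for i, a in enumerate(ns):
        if not a.subnet_of(p):
            return False
        for b in ns[i + 1:]:
            if a.overlaps(b):
                return False
    return True
```

Asking for sales (100 hosts), engineering (50), a lab (10) and a point-to-point link (2) out of 10.1.0.0/24 yields 10.1.0.0/25, 10.1.0.128/26, 10.1.0.192/28 and 10.1.0.208/30, with 10.1.0.224/27, 10.1.0.216/29 and 10.1.0.212/30 left free; a request that cannot fit raises rather than silently overlapping an earlier allocation.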

Process Software's IP AddressWorks can import user ID and address assignment information from a variety of sources, including spreadsheets, Address Resolution Protocol caches and other DNS servers. Because it's slow and doesn't offer the sophisticated client categorization capability of products such as QIP Enterprise and NetID, we suggest IP AddressWorks is only appropriate for small networks whose IP address population undergoes few changes.

If you're a NetWare 5.1 customer with an existing NDS tree, the additional work of classifying users for IP address assignment is trivial. Your NDS tree already contains user IDs, MAC addresses, user groups and other criteria.

Similarly, if you've installed and set up Active Directory on a Win 2000 server, setting up address classification schemes for users is simply a drag-and-drop affair.

Storing addresses

One of the key factors that determines the scalability of these products is how they store address pools and user classification data. Quick, nimble storage mechanisms with several customizable reporting options and greater capacity for large client populations can handle a wider range of IP address assignment situations.

Lucent bundles a run-time version of the Sybase Adaptive Server relational database with QIP Enterprise, and it also supports the use of Oracle 7.X or 8.X. We used both databases in the lab and found the Sybase Relational Database Management System (RDBMS) slightly faster. QIP Enterprise integrates via Lightweight Directory Access Protocol (LDAP) with directory servers, but its primary storage medium is the RDBMS. QIP Enterprise worked well with Netscape's directory product in our tests.

Nortel's NetID works with the Sybase or Oracle relational databases but comes with neither. As with QIP Enterprise, the Sybase option (we used Adaptive Server 11.5 vs. Oracle8i) was faster. Like Lucent's product, NetID integrates with directory servers, such as Netscape's, via LDAP.

QIP Enterprise and NetID offer a greater number of report formats than the other DNS/DHCP tools, and the ability to query each product's relational database with ad hoc reporting tools is icing on the cake.

Check Point's Meta IP and Process Software's IP AddressWorks store IP address information in LDAP-accessible data stores. Network TeleSystems' Shadow IPserver internally uses a proprietary data storage mechanism, and it doesn't support LDAP or relational databases. The Meta IP, IP AddressWorks and Shadow IPserver reporting tools are barely adequate for small and midsize companies.

For the requirements of an enterprise, these tools simply don 't offer a sufficient variety of management views.

NetWare stores IP address information in the NDS tree as new NDS objects.

Examples of these new objects include DNS/DHCP Locator, DNS Zone, DNS Resource Record Set, Subnet, Address Range and Subnet Pool. You'll need to buy a third-party report generator if you want to query the NDS tree for IP address information.

Win 2000 stores its DNS and DHCP information in the Active Directory infrastructure, for which Microsoft or a third party desperately needs to create query and reporting tools.

Managing the tools

QIP Enterprise, NetID, Meta IP and Shadow IPserver offer a Web browser-based interface. QIP Enterprise, NetID and Meta IP supply Windows (or Motif, for the Unix version) management consoles, while Shadow IPserver also provides a command-line interface. We found Shadow IPserver's and Meta IP's Web browser interfaces especially easy to use.

IP AddressWorks' user interface is a Win32 program that presented an uncluttered view of IP address resources and offered drag-and-drop movement of users among groups. We liked its clean, simple design.

The NetWare and Win 2000 management interfaces are Win32 programs that display expandable and collapsible tree views of IP address information along with other NDS tree or Active Directory data.

All the products' interfaces, whether Web- or Windows-based, showed DNS and DHCP servers, zones, subnets, current leases and subpools. Furthermore, QIP Enterprise, NetID and Meta IP excelled at letting a network administrator delegate tasks to assistants.

Protocols, installation and documentation

All the products conformed adequately to the existing DNS and DHCP RFCs, interoperating successfully when we used them in various combinations of primary and secondary servers. They were all easy to install. In fact, Network TeleSystems' Shadow IPserver came preloaded on its network appliance hardware; no installation needed. However, we would've liked Shadow IPserver, NetWare and Win 2000 better if they supported LDAP and Open Database Connectivity for storage purposes.

QIP Enterprise, the Shadow IPserver software, IP AddressWorks, NetID and Meta IP came with printed documentation that's easy to follow and adequate. Novell and Microsoft don't send printed DHCP and DNS setup instructions with NetWare and Win 2000. We had to browse the online documentation, which at times we found unclear. Alternatively, you can get a good third-party NetWare or Win 2000 book at your bookstore.

If you're still editing and distributing a departmentwide or companywide HOSTS file of static IP address assignments you maintain manually, we suggest you take a close look at Lucent's QIP Enterprise.

Nance, a software developer and consultant for 29 years, is the author of Introduction to Networking, 4th Edition and Client/Server LAN Programming. His e-mail address is barryn@erols.com.
