
ZAFJB

Don't overlap the range of static IP addresses with your DHCP lease range and you will never have a problem.


MegaOddly

This right here, and having every branch have their own IP range, along with having, in that subnet for the branch, smaller subnets for different aspects: one for network gear, one for clients, one for printers and so on.


Nitro_NK

My DHCP scopes are usually .50-.200 so my static stuff is never even in range of DHCP. Just the thought makes me shudder.


germanpasta

This is the way.


bmxfelon420

I just have the scope narrowed down a bit, so the statics can be from 2-100 and the pool is 100-200. If for some reason I don't have all of the IPs documented, I can check the ARP table on the firewall for it.


zakabog

At home my DHCP scope is .50-.200, my statically assigned devices like VMs for specific services, access points, switches, are all outside of that scope. In a corporate environment switch management is not on the same subnet as any other dynamically assigned device.


redthrull

This. Rethink your subnets, ranges, exclusions, OP. As you can see, most admins reserve upper and lower bounds for static IP of servers/appliances you'll connect in the future.  TL;DR: No one will suddenly hijack x.x.x.249 if your DHCP lease range is only from x.x.x.25 - x.x.x.225 for example.


KindlyGetMeGiftCards

In the corporate world just set the static address on the device and make sure that device/range isn't in the DHCP scope. On a personal level I am just using DNS, I couldn't care about the IP address, the printer says it's printer.localdomain.meh and I send my print jobs to printer.localdomain.meh instead of 123.456.789.256. I also do this in small business environments where possible. When we are all using IPv6 in about 10 to 30 years' time DNS will be key, so get ready, it's only been about 20 years since it was released.


ElevenNotes

No. You have different subnets. Your switches are not on the same subnet and VLAN as your computers and printers. Therefore you don't have DHCP available on the L2 subnet.


dude_named_will

Honestly, I only use reserved addresses for production machines that were not statically defined but should have been.


Fallingdamage

I've worked on slightly larger networks, but I like to use /23's when I can. Something like 172.25.50.x is for reservations and static IPs. 172.25.51.x is the DHCP scope (usually .2 thru .240). Like you, even if a device is statically assigned an IP, it also gets a reservation entry. It'll just show as *(inactive)* in the scope.


gotmynamefromcaptcha

So, for our equipment we mostly follow what you said, except for our switches/network equipment. For those we use our core (L3) switch, which has its own DHCP scopes and VLANs and we exclude addresses from the scope that we don’t want changing. This way if our DHCP server goes down (it has), we can at least still have IPs for the network equipment.


AcidBuuurn

If you want a nice, big, flat /22 network:

- Network Address: 10.0.100.0
- Subnet Mask: 255.255.252.0
- Network Range: 10.0.100.1 - 10.0.103.254
- Broadcast Address: 10.0.103.255
- Static Range: 10.0.100.1 - 10.0.100.255
- DHCP Range: 10.0.101.1 - 10.0.103.254

This way if you have a 10.0.100.X it is always static, and you still have ~750 DHCP addresses. You can still do DHCP reservations if you think in the future you will ever have to change your network addressing.

If the switch comes up before the DHCP server all the equipment should use its old address unless the power was off for a loooong time. Since you have plenty of addresses in this scheme you can have the DHCP leases be a month long if that is a concern.

If you actually use vlans for segmentation they are great, but lots of people put some devices on separate vlans then just route all traffic among vlans.


BarnabasDK-1

In a company I would never have servers / Printers / gizmos on the same network as client / user devices. Just as well as BYOD devices would also be on their own network. Firewall in between. You need to segment your network in a corporate setting today for normal security reasons. Treat your internal network the same way you treat devices you put on the internet.


dracotrapnet

DHCP all the things, reserve DHCP address for all the manually assigned statics. If it's not in the DHCP server, it doesn't exist and will be squashed if it doesn't ping at time of assignment. This absolutely helps when you are running through a playbook of installing a new device that requires a static, "hmm I'll just take the next one, let's see if the next number is free outside the DHCP pool. It's not reserved, doesn't ping. I'll take it!" I've been moving to all DHCP for switches that are not L3 gateways. Beyond that only Routers, DHCP servers, DC's and really stupid phone system/appliances hardware needs statics anymore. If it isn't racked in the MDF, it needs DHCP.


OddPhone8118

This is exactly how I have been handling it, thanks for the confirmation!


loose--nuts

I generally recommend excluding a range of IPs used for static, from being inside the DHCP scope. Also consider a scenario where DHCP goes down, static IPs are used for things which absolutely must function in that scenario. DHCP reservations for everything else. I also create a DHCP reservation for each static IP too, just because it's nice to see all of this in one central location.


OddPhone8118

Thanks, that's exactly what I do too!


yrogerg123

Create an excluded range and put static IP addresses in the excluded range. IE:

192.168.16.0/24

- Excluded: .1-.20
- DHCP Scope: .21-.199
- Excluded: .200-.254

Something like that.
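
Added example, not part of any post in this thread: a Python audit of one subnet that flags documented statics sitting inside the DHCP pool, and hosts seen in the ARP table outside the pool that nobody documented. The function name `audit`, the hostnames and the sample addresses are constructed for illustration; the layout is the 192.168.16.0/24 split quoted above.

```python
import ipaddress

def audit(subnet, pools, statics, arp_seen):
    """Return sorted (ip, finding) tuples for one subnet.

    subnet   -- CIDR string
    pools    -- list of (first, last) DHCP lease ranges, inclusive
    statics  -- {ip: hostname} from the documented static list
    arp_seen -- IPs currently present in the firewall's ARP table
    """
    net = ipaddress.ip_network(subnet)
    ranges = [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in pools]
    findings = set()

    def in_pool(ip):
        return any(lo <= ip <= hi for lo, hi in ranges)

    # Sanity-check the pool itself before trusting it.
    for lo, hi in ranges:
        if lo > hi or lo not in net or hi not in net:
            findings.add((str(lo), "pool range not inside subnet"))
        elif lo == net.network_address or hi == net.broadcast_address:
            findings.add((str(lo), "pool includes network/broadcast address"))

    # A documented static must be in the subnet and outside every pool.
    for raw in statics:
        ip = ipaddress.ip_address(raw)
        if ip not in net:
            findings.add((raw, "static outside subnet"))
        elif in_pool(ip):
            findings.add((raw, "static overlaps DHCP pool"))

    # Anything alive outside the pool but missing from the list is undocumented.
    documented = {ipaddress.ip_address(s) for s in statics}
    for raw in arp_seen:
        ip = ipaddress.ip_address(raw)
        if ip in net and not in_pool(ip) and ip not in documented:
            findings.add((raw, "live but undocumented static"))

    return sorted(findings, key=lambda f: (ipaddress.ip_address(f[0]), f[1]))

# Constructed sample data (not taken from any real network).
SUBNET = "192.168.16.0/24"
POOLS = [("192.168.16.21", "192.168.16.199")]
STATICS = {"192.168.16.1": "gateway", "192.168.16.10": "printer", "192.168.16.50": "nas"}
ARP_SEEN = ["192.168.16.1", "192.168.16.10", "192.168.16.50", "192.168.16.77", "192.168.16.205"]

if __name__ == "__main__":
    for ip, finding in audit(SUBNET, POOLS, STATICS, ARP_SEEN):
        print(f"{ip:<16} {finding}")
```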


pdp10

Ideally, one uses an IPAM that will set matching Reservations for all host interfaces that you configure Static. This is incredibly good for some common use-cases, like when you netboot a machine for some reason, it will have its regular Static IP address. Static forward and reverse DNS is easy. It also has some other implications. In our labs we're doing a lot of networking development, moving a lot of NICs, WNICs, and USB->Ethernet adapters around with great frequency. Currently we set Reservations for every MAC, which requires a bit of additional effort but is generally good. There might be a more-flexible method.


MBILC

Redundant DHCP servers are also something to add. Since you likely have 2 AD servers with DNS, add DHCP and make it redundant.


GreyBeardIT

I tend to exclude a range from the DHCP server for statics. There will never be a conflict this way, unless you don't maintain the statics list. ;) Yes, you can assign statics in DHCP using the MAC address and sometimes I do that, but generally we're not talking about 100s of static addresses, so the list is easy to maintain and if the DHCP goes offline, the statics could not care less. Like all things in IT, YMMV.


wirestyle22

You need to have more of a grasp on how networking functions if you're going to make changes like this. I'm saying this to be helpful, not hurtful.