
Freedom from IP address overload

Lucent's QIP Enterprise is the best tool for ending your IP addressing nightmare.


Not so long ago, network managers would assign and manage IP addresses by manually updating tab-delimited HOSTS text files of static addresses and then distribute the resulting files throughout the company. Network administrators would put copies of the files in the appropriate directories for each server and each client. Many of these same companies added to the paperwork hell by mandating the manual assignment of a locally administered address for each network adapter, which overrode the burned-in network adapter ID. The resulting workload was a millstone around network administrators' necks. Major hiring efforts and acquisitions of other companies crushed the administrators, whose lives became a horror show overnight (and over weekends).



Because no one could think of a good reason for using them, most companies have abandoned the assignment of locally administered network adapter addresses. The advent of BOOTP alleviated some of the IP address management burden. However, requests for comment for Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) hold the most promise for network administrators who want their lives back. Tools that automatically assign IP addresses and offer easy administration of TCP/IP protocol stack configurations are readily available and mature. Not only do they save network administrators time and effort, but these products also eliminate duplicate IP addresses on networks and frugally dole out IP addresses from dynamic ranges. Typically costing less than $5 per node, the tools are not very expensive.

To help you find the best DNS/DHCP tool, we invited six vendors to submit their IP address management products. Cisco declined our invitation to test its Network Registrar product because it is between product versions. We asked that the tools support the DNS and DHCP specifications, be able to assign IP addresses across multiple routed subnet domains, track and report on address assignments, and work in a heterogeneous platform environment (see "How we did it").

We received and tested five products: Lucent's QIP Enterprise 5.0 (Service Pack 2 with Registration Manager, Provisioning Manager, Services Manager and Audit Manager optional components); two Network TeleSystems' Shadow IPserver S50 network appliances (one primary, one secondary) and Shadow IPserver software (IPmanager, IPcentral and IPserver Console); Process Software's IP AddressWorks 2.0; Nortel Networks' NetID 4.1.5; and Check Point Software's Meta IP 4.1 (Service Pack 3). We also compared these products to Novell's NetWare 5.1 network operating system (10-user version) and Microsoft's Windows 2000 Server operating system, which offer DNS and DHCP services as part of the operating system.

Blue Ribbon winner
Lucent's QIP Enterprise 5.0
Our Blue Ribbon Award goes to Lucent's QIP Enterprise, which proved to be a serious and productive network utility, especially for enterprise-size networks. Its scalability, excellent performance and useful features make it the best DHCP and DNS tool.

We found the user-to-address mapping of Check Point's Meta IP worth mentioning as a great time saver. Network TeleSystems' Shadow IPserver and Meta IP offered the best-designed user interfaces, and the built-in DHCP and DNS functions of NetWare and Win 2000 are useful for small and midsize businesses that already use Novell Directory Services (NDS) or Microsoft's Active Directory to keep track of network resources.

Name that node

QIP Enterprise impressed us with its ability to handle large volumes of IP addresses and assign them rapidly. It let us easily spread the workload across multiple QIP Enterprise servers, and Lucent's software interoperated well with other vendors' DHCP and DNS implementations. QIP Enterprise's DNS server supports the Internet Software Consortium's (ISC) Berkeley Internet Name Domain (BIND) Versions 4.9 and 8, with extensions. Its DHCP server functioned perfectly, as either primary or secondary, when we ran it alongside the other products' DHCP servers.

QIP Enterprise's multithreaded design, which contributes to its fast performance, was apparent when we inspected it via NT Server's Performance Monitor. In our reliability tests, QIP Enterprise ensured that IP address leases weren't orphaned or reassigned. It sent lease information updates to other primary or secondary DNS servers and recorded the address assignments in its central relational database for audit, reporting and recovery purposes.

QIP Enterprise's approach to incremental zone transfers is unique and highly effective. Eschewing RFC 1995's documented process as cumbersome and unreliable, Lucent's programmers designed a proprietary BIND extension that uses Dynamic DNS to accomplish the zone transfer, and keep master and slave servers synchronized. QIP Enterprise periodically performs full zone transfers as a backup mechanism.

In our lab, the two Shadow IPserver S50 network devices acted in tandem to provide highly reliable redundant primary and secondary DNS and DHCP services. Shadow IPserver was nearly as quick as QIP Enterprise in doling out IP addresses, and its rich feature set is evidence that network administrators helped design the product. Shadow IPserver's IPcentral component let us define policies for network configuration and access, automatically reconciled and handled legacy static address assignments within our DHCP environment and made quick work of discovering the elements of our existing IP network.

Not as fast as QIP Enterprise and Shadow IPserver but with plenty of features, Nortel's NetID was highly fault-tolerant in our tests. When we tested its reliability by disconnecting WAN links and stopping its database, NetID's individual primary and secondary components continued to function independently. The servers also emitted alarms that we viewed through the NetID Management Console. The Windows NT version of NetID we tested supports BIND 8.1.1, and Nortel says its Unix version supports BIND 8.1.2. Like QIP Enterprise, NetID distributed DHCP address assignments to other NetID DNS servers as well as the NetID relational database (Sybase or Oracle).

From a central management platform, NetID manages static and dynamic addresses. It also contains special support for companies that want to migrate from static to dynamic addressing. By allowing dynamic address ranges to overlap static addresses, NetID helps administrators transition to DHCP on a subnet-by-subnet basis.

Despite its name, Check Point's Meta IP isn't yet ready to assume the IP address management chores of a large organization. Although Meta IP's DNS is a direct port of BIND 8.2.2 (the ISC's reference implementation of DNS), address assignment performance fell far short of QIP Enterprise, Shadow IPserver and NetID. However, Meta IP did integrate openly and seamlessly with the other products' DNS/DHCP servers in the lab, and Check Point extended the BIND reference code to replicate all lease information between primary and secondary DHCP servers.

Check Point markets two configurations of Meta IP: Meta IP Standard and Meta IP Enterprise. The Standard edition can manage only up to 1,000 dynamically assigned addresses, while the Enterprise edition has no self-imposed limits. Both editions offer what Check Point terms user-to-address mapping, a highly useful function that detects logons and equates logon account IDs with assigned IP addresses. Both also integrate with Check Point's FireWall-1 product to enforce security as they assign IP addresses and track names in a firewalled environment.

Process Software's IP AddressWorks, like Meta IP, is a highly standards-compliant implementation of DNS and DHCP. IP AddressWorks was quicker in our tests at assigning addresses than Meta IP, but still slower than QIP Enterprise, Shadow IPserver and NetID. Its DHCP Safe Failover feature did a superior job of handling server failures. IP AddressWorks didn't skip a beat when we disconnected DHCP servers from different subnets in the lab. However, it lacks the ability to define and group clients in as many ways as QIP Enterprise and NetID.

NetWare's DHCP and DNS functions are NetWare Loadable Modules (NLM) that use NDS to store and retrieve IP address information. If you already have a working live NDS tree, you'll find Novell's DHCP and DNS a natural extension to your directory. However, you wouldn't want to introduce NetWare into your company just to manage your IP addresses.

Because we used NetWare in its usual role as file server at the same time we forced it to assign IP addresses, NetWare was slower than all except Win 2000 at responding to DHCP-DISCOVER messages. As a result of some programming bugs (invalid pointers) we encountered, the DHCP/DNS NLMs also caused a few protection faults. These faults crashed our NetWare servers. If you decide to use NetWare's DNS/DHCP feature and you have multiple NetWare machines, we recommend putting the NLMs on your least critical and least busy NetWare servers.

Just as NetWare's DHCP and DNS rely on Novell's NDS technology, Win 2000 address management services rely on Microsoft's Active Directory technology. If you're at a small to midsize organization that decided to use Active Directory as the central inventory tool for network resources, Win 2000's DHCP and DNS functions may be right for you. We were delighted that Active Directory uses a multimaster replication engine, which meant we didn't have to maintain separate replication network pathways for DNS. We also liked Win 2000's multicast address allocation feature. However, on a Win 2000 server that we kept busy as a file server and Web server, the Active Directory-based DHCP and DNS in Win 2000 performed much slower than all other products reviewed. Moreover, Active Directory is new technology from Microsoft, and the company is still adding features.

User administration

Whether it's a Class A, B or C address, an IP address should be relevant to the computer or network device to which it's assigned. A DHCP server that randomly assigns addresses is only slightly better than distributing a manually updated HOSTS file. Fortunately, these DNS/DHCP products offered many ways to associate an IP address with specific users, devices and subnets. For example, Meta IP's creative use of logon account information made it the most productive tool for classifying users, while Lucent's QIP Enterprise puts the onus on each user to create correct IP address relationships. That scheme saves time for network administrators but opens up the possibility of confusion and error.

Network TeleSystems' Shadow IPserver takes a policy-based approach to classifying users for IP address assignment. Using rules and criteria set up by a network administrator, Shadow IPserver groups users by DHCP User Class (such as marketing, engineering and accounting), media access control (MAC) address and the rarely used DHCP Vendor Class. Unfortunately, in contrast to QIP Enterprise's and Meta IP's approaches, Shadow IPserver makes the hapless network administrator assign each user to a User Class (one by one), take note of the user's MAC address or find a TCP/IP protocol stack that supports DHCP Vendor Class. Only its excellent user interface saved Shadow IPserver from a lower score for administration in our scorecard.

Meta IP's user-to-address mapping technology made our jobs as IP address administrators a snap. In contrast to specifying users' MAC addresses or subnet IDs, user-to-address mapping is clearly a superior method of identifying IP clients. Using Meta IP, we mapped dynamically-assigned IP addresses to clients based on logon account ID, logon time and MAC address. By automatically correlating file server logons with dynamic IP address leases, Meta IP let us painlessly track address assignments by user rather than by machine address. Meta IP stored the result in its database for reporting purposes and monitoring network usage.

With its complementary Registration Manager option, QIP Enterprise can distinguish requests for IP addresses by MAC address (for example, DHCP Client ID) as well as DHCP Vendor Class. By default, QIP Enterprise allots addresses from a general address pool. When the client then visits Registration Manager's intranet Web site to identify himself or herself in a manner designated by the network administrator, QIP Enterprise associates the assigned IP address with that client's MAC address. QIP Enterprise responds to subsequent DHCP-DISCOVER requests from that MAC address with the registered IP address. A network administrator can change QIP Enterprise's registration for that client to allocate an address based on group membership in an alternate or preferred subnet. QIP Enterprise clients can belong to a single group or multiple groups. Of course, replacing the user's network adapter or entire desktop computer when hardware problems occur forces that user back through the registration process.

The Subnet Organizer component within QIP Enterprise handles true Variable-Length Subnet Masking (VLSM). This let us easily join or split subnets with other noncontiguous subnets. The component also provides a customizable management interface for delegating an IP address space to specific administrators or groups of administrators across domains, networks and subnets. QIP Enterprise transparently and quickly passed the appropriate DHCP and DNS inheritances to the newly configured subnets we created.

Nortel's NetID also supports VLSM IP address architectures. Partitioning or joining subnets with NetID was even easier than QIP Enterprise, and we liked how NetID automatically calculated the subnet mask values. However, NetID needs a better approach to identifying users for IP address assignment, one that saves network administrators from the tedious chore of manually placing each user in a group or logical subnet.

Process Software's IP AddressWorks can import user ID and address assignment information from a variety of sources, including spreadsheets, Address Resolution Protocol caches and other DNS servers. Because it's slow and doesn't offer the sophisticated client categorization capability of products such as QIP Enterprise and NetID, we suggest IP AddressWorks is only appropriate for small networks whose IP address population undergoes few changes.

If you're a NetWare 5.1 customer with an existing NDS tree, the additional work of classifying users for IP address assignment is trivial. Your NDS tree already contains user IDs, MAC addresses, user groups and other criteria. Similarly, if you've installed and set up Active Directory on a Win 2000 server, setting up address classification schemes for users is simply a drag-and-drop affair.

Storing addresses

One of the key factors that determines the scalability of these products is how they store address pools and user classification data. Quick, nimble storage mechanisms with several customizable reporting options and greater capacity for large client populations can handle a wider range of IP address assignment situations.

Lucent bundles a run-time version of the Sybase Adaptive Server relational database with QIP Enterprise, and it also supports the use of Oracle 7.X or 8.X. We used both databases in the lab and found the Sybase Relational Database Management System (RDBMS) slightly faster. QIP Enterprise integrates via Lightweight Directory Access Protocol (LDAP) with directory servers, but its primary storage medium is the RDBMS. QIP Enterprise worked well with Netscape's directory product in our tests.

Nortel's NetID works with the Sybase or Oracle relational databases but comes with neither. As with QIP Enterprise, the Sybase option (we used Adaptive Server 11.5 vs. Oracle8i) was faster. Like Lucent's product, NetID integrates with directory servers, such as Netscape's, via LDAP.

QIP Enterprise and NetID offer a greater number of report formats than the other DNS/DHCP tools, and the ability to query each product's relational database with ad hoc reporting tools is icing on the cake.

Check Point's Meta IP and Process Software's IP AddressWorks store IP address information in LDAP-accessible data stores. Network TeleSystems' Shadow IPserver internally uses a proprietary data storage mechanism, and it doesn't support LDAP or relational databases. The Meta IP, IP AddressWorks and Shadow IPserver reporting tools are barely adequate for small and midsize companies. For the requirements of an enterprise, these tools simply don't offer a sufficient variety of management views.

NetWare stores IP address information in the NDS tree as new NDS objects. Examples of these new objects include DNS/DHCP Locator, DNS Zone, DNS Resource Record Set, Subnet, Address Range and Subnet Pool. You'll need to buy a third-party report generator if you want to query the NDS tree for IP address information.

Win 2000 stores its DNS and DHCP information in the Active Directory infrastructure, for which Microsoft or a third party desperately needs to create query and reporting tools.

Managing the tools

QIP Enterprise, NetID, Meta IP and Shadow IPserver offer a Web browser-based interface. QIP Enterprise, NetID and Meta IP supply Windows (or Motif, for the Unix version) management consoles, while Shadow IPserver also provides a command-line interface. We found Shadow IPserver's and Meta IP's Web browser interfaces especially easy to use.

IP AddressWorks' user interface is a Win32 program that presented an uncluttered view of IP address resources and offered drag-and-drop movement of users among groups. We liked its clean, simple design.

The NetWare and Win 2000 management interfaces are Win32 programs that display expandable and collapsible tree views of IP address information along with other NDS tree or Active Directory data.

All the products' interfaces, whether Web- or Windows-based, showed DNS and DHCP servers, zones, subnets, current leases and subpools. Furthermore, QIP Enterprise, NetID and Meta IP excelled at letting a network administrator delegate tasks to assistants.

Protocols, installation and documentation

All the products conformed adequately to the existing DNS and DHCP RFCs, interoperating successfully when we used them in various combinations of primary and secondary servers. They were all easy to install. In fact, Network TeleSystems' Shadow IPserver came preloaded on its network appliance hardware -- no installation needed. However, we would've liked Shadow IPserver, NetWare and Win 2000 better if they supported LDAP and Open Database Connectivity for storage purposes.

QIP Enterprise, the Shadow IPserver software, IP AddressWorks, NetID and Meta IP came with printed documentation that's easy to follow and adequate. Novell and Microsoft don't send printed DHCP and DNS setup instructions with NetWare and Win 2000. We had to browse the online documentation, which at times we found unclear. Alternatively, you can get a good third-party NetWare or Win 2000 book at your bookstore.

If you're still editing and distributing a departmentwide or companywide HOSTS file of static IP address assignments you maintain manually, we suggest you take a close look at Lucent's QIP Enterprise.

Speed Test
To test the programs' performance, we ran six instances, one on each subnet, of a C++ program that requested a total of 50,000 IP addresses via DHCP. The NetWare and Windows 2000 servers also worked as file and Web servers during the test. We also configured the QIP and NetID products to use Oracle's database.

Product               Elapsed seconds   Leases per sec.*
QIP Enterprise        131               382
Shadow IPserver       144               347
NetID                 146               342
IP AddressWorks       157               318
Meta IP               161               311
NetWare               205               244
Windows 2000 Server   212               236

*50,000 requests divided by elapsed seconds

How we did it

Our test environment consisted of six routed Fast Ethernet subnet domains and a T-1 connection to our ISP. The Internet link let us perform massive zone transfers and other large-scale IP address operations, but most of our testing occurred just on our network's intranet. Throughout the subnet domains, we ran several concurrent instances of a C++ program we wrote that issued DHCP-DISCOVER messages. Some of these messages were valid requests for IP address information, but we also deliberately created many invalid requests. Our invalid situations included duplicate requests, missing DHCP-REQUEST messages and lease renewal requests at other than the usual lease half-life interval. To cause address reassignment, we forced clients to frequently join and leave the network. To test performance, we used a stopwatch to measure how quickly each Dynamic Host Configuration Protocol (DHCP) server could assign 50,000 IP addresses.
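The invalid situations listed above can also be spotted from the server side by auditing a message log. The following Python sketch is an added example, not the reviewers' C++ test program; the log tuple layout, the 5 percent tolerance around the half-life and the sample MAC addresses are assumptions made for illustration.

```python
"""Audit a DHCP message log for duplicate requests, missing DHCP-REQUEST
messages and renewals that do not fall at the lease half-life."""
from collections import defaultdict

# Constructed sample log: (seconds, client MAC, message type, lease seconds or None)
SAMPLE_LOG = [
    (0,    "02:00:00:00:00:01", "DISCOVER", None),
    (1,    "02:00:00:00:00:01", "OFFER",    None),
    (2,    "02:00:00:00:00:01", "REQUEST",  None),
    (3,    "02:00:00:00:00:01", "ACK",      3600),
    (1803, "02:00:00:00:00:01", "REQUEST",  None),   # renewal at half the lease
    (1804, "02:00:00:00:00:01", "ACK",      3600),
    (0,    "02:00:00:00:00:02", "DISCOVER", None),
    (1,    "02:00:00:00:00:02", "DISCOVER", None),   # duplicate request
    (2,    "02:00:00:00:00:02", "OFFER",    None),   # client never sends REQUEST
    (0,    "02:00:00:00:00:03", "DISCOVER", None),
    (1,    "02:00:00:00:00:03", "OFFER",    None),
    (2,    "02:00:00:00:00:03", "REQUEST",  None),
    (3,    "02:00:00:00:00:03", "ACK",      3600),
    (300,  "02:00:00:00:00:03", "REQUEST",  None),   # renewal far too early
    (301,  "02:00:00:00:00:03", "ACK",      3600),
]


def audit(events, tolerance=0.05):
    """Return a list of (mac, issue) findings for a log of DHCP events.

    tolerance is the allowed drift around the half-life, as a fraction of
    the lease time (an assumed value, not taken from the article).
    """
    state = defaultdict(lambda: {"phase": "INIT", "bound_at": None, "lease": None})
    findings = []
    for t, mac, msg, lease in sorted(events, key=lambda e: e[0]):
        c = state[mac]
        phase = c["phase"]
        if msg == "DISCOVER":
            if phase in ("SELECTING", "OFFERED"):
                findings.append((mac, "duplicate DISCOVER"))
            c["phase"] = "SELECTING"
        elif msg == "OFFER":
            if phase != "SELECTING":
                findings.append((mac, "OFFER without DISCOVER"))
            c["phase"] = "OFFERED"
        elif msg == "REQUEST":
            if phase in ("REQUESTING", "RENEWING"):
                findings.append((mac, "duplicate REQUEST"))
            elif phase == "BOUND":
                # A bound client renews at T1, which defaults to half the lease.
                t1 = c["bound_at"] + c["lease"] / 2
                if abs(t - t1) > tolerance * c["lease"]:
                    findings.append((mac, "renewal off half-life"))
                c["phase"] = "RENEWING"
            else:
                c["phase"] = "REQUESTING"
        elif msg == "ACK":
            if phase not in ("REQUESTING", "RENEWING"):
                findings.append((mac, "ACK without REQUEST"))
            c.update(phase="BOUND", bound_at=t, lease=lease)
    # An offer that was never taken up is the "missing DHCP-REQUEST" case.
    for mac, c in state.items():
        if c["phase"] == "OFFERED":
            findings.append((mac, "OFFER never followed by REQUEST"))
    return findings


if __name__ == "__main__":
    for mac, issue in audit(SAMPLE_LOG):
        print(mac, issue)
```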

We also tested the products' handling of implied source subnet qualifier overrides to verify selection of the correct address for a particular logical network. This test helps us assess how a product behaves when you need to migrate multiple subnets on a single broadcast segment to a flat, switched network topology.

We moved clients from one subnet to another, gave unique values to the DHCP client ID field and assigned different values to the user class ID and vendor class ID DHCP parameters to see how the DHCP servers would respond. We looked at how each vendor's DHCP server handled sequences of valid and invalid DHCP-DISCOVER, DHCP-OFFER, DHCP-REQUEST and DHCP-ACK messages. We tested each DHCP server's ability to respond to a variety of different client platforms' TCP/IP protocol stacks with DHCP configuration options appropriate to those platforms. The 25 client computers on our network were a mix of Windows 2000 Professional, NT Workstation 4.0, Windows 98, OS/2 Warp 4.0 and Macintosh System 8 platforms.
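To show where the client ID, user class ID and vendor class ID sit in a DHCP-DISCOVER, the Python sketch below builds one and parses its options back, rejecting malformed option data the way a server must. It is an added example, not the reviewers' test program; the MAC address, transaction ID and class strings are constructed sample values, and the user class is encoded as a single length-prefixed item per RFC 3004.

```python
"""Build a DHCP-DISCOVER with client ID, user class and vendor class options,
then parse the options with bounds checks."""
import struct

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header
MAGIC_COOKIE = b"\x63\x82\x53\x63"         # marks the start of DHCP options
OPT_PAD, OPT_MSG_TYPE, OPT_VENDOR_CLASS = 0, 53, 60
OPT_CLIENT_ID, OPT_USER_CLASS, OPT_END = 61, 77, 255
DHCPDISCOVER = 1

# Constructed sample values (assumptions for illustration only)
SAMPLE_MAC = bytes.fromhex("020000000001")
SAMPLE_XID = 0x1234ABCD


def build_discover(mac, xid, user_class, vendor_class):
    """Return the bytes of a broadcast DHCP-DISCOVER from an Ethernet client."""
    zero = b"\x00" * 4
    header = struct.pack(BOOTP_FMT,
                         1, 1, 6, 0,        # op=BOOTREQUEST, htype=Ethernet, hlen, hops
                         xid, 0, 0x8000,    # xid, secs, flags (broadcast bit set)
                         zero, zero, zero, zero,   # ciaddr, yiaddr, siaddr, giaddr
                         mac, b"", b"")     # chaddr, sname, file (zero padded)
    options = [
        (OPT_MSG_TYPE, bytes([DHCPDISCOVER])),
        (OPT_CLIENT_ID, b"\x01" + mac),     # type 1 = Ethernet, then the MAC
        (OPT_USER_CLASS, bytes([len(user_class)]) + user_class),
        (OPT_VENDOR_CLASS, vendor_class),
    ]
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_options(packet):
    """Return {option code: value bytes}; raise ValueError on malformed input."""
    start = struct.calcsize(BOOTP_FMT)
    if packet[start:start + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: missing magic cookie")
    opts, i = {}, start + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:                 # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("option %d has no length byte" % code)
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:            # declared length runs past the packet
            raise ValueError("option %d overruns the packet" % code)
        opts[code] = value
        i += 2 + length
    raise ValueError("options not terminated by END (255)")


if __name__ == "__main__":
    pkt = build_discover(SAMPLE_MAC, SAMPLE_XID, b"engineering", b"MSFT 5.0")
    for code, value in parse_options(pkt).items():
        print(code, value)
```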

We also evaluated each product's dynamic Domain Name System functions as well as its ability to efficiently update its DNS database with names and addresses from the ISP's DNS server. We even combined these products in various ways to determine their interoperability.

We factored in the ease with which we could administer the products, centrally or remotely, paying particular attention to each vendor's address pool maintenance and network monitoring tools. We looked at each product's support for BIND 8 and DHCP Version 6; determined each product's level of security; and took into consideration what each vendor offers by way of scalability and fault tolerance.

Except for Network TeleSystems' Shadow IPserver, which is a combination hardware and software product consisting of two network appliances preloaded with the IP address management software, we ran the address management software products on three Gateway NS-8000 computers with 333-MHz Pentium II dual processors, 512M bytes of RAM and three 9G-byte RAID drives. In each case, the operating system platform was Windows NT Server 4.0 with Service Pack 5.

For reporting and querying tools, we used either the database that shipped with the product or one recommended by the vendor to store the IP address data.

Network Associates' Sniffer protocol analyzer software, running on a Dolch PAC63 computer, decoded and displayed network traffic.

Nance, a software developer and consultant for 29 years, is the author of Introduction to Networking, 4th Edition and Client/Server LAN Programming. His e-mail address is barryn@erols.com.

Copyright, 1994-2006 Network World, Inc. All rights reserved.