- OpenVPN IPv6 and IPv4 configuration - Mon, Mar 1 2021
- 4sysops author and member competition 2020 - Fri, Jan 1 2021
- Assign an IPv6 address to an EC2 instance (dual stack) - Tue, Dec 15 2020
Perhaps the fact that IPv4 addresses are sold out will increase the likelihood of IP address conflicts. You know, humans are strange creatures. Whenever there is a shortage of a certain resource, that resource becomes more valuable to everyone, even for those who don't really need it. Maybe some of your users have heard that IP addresses are rare these days and have started collecting them for hard times. Considering that public IP addresses are unique makes them even more valuable for collectors. 😉
Seriously, IP address conflicts are a common problem in every network. There are a few things you can do to avoid IP address conflicts in the first place.
Use DHCP ^
When DHCP was relatively new (BootP in the beginning), many admins argued that this service posed a security threat because it gave hackers a new attack surface. This is certainly true. However, assigning IP addresses manually is not only a maintenance nightmare; it also increases the likelihood of IP address conflicts considerably. Nowadays, most admins agree that the advantages of DHCP far outweigh its disadvantages. If you want to increase security (and if you love maintenance nightmares), you can assign IP addresses to MAC addresses manually at your DHCP server.
Enable IP address conflict detection in your DHCP server ^
By default, the DHCP service assumes that no one else can assign IP addresses in the LAN. Thus if an IP address hasn't been assigned according to its lease database, it shouldn't be in use. This is certainly a somewhat high-handed attitude. To tell your DHCP server to be a bit more careful, you can enable IP address conflict detection. Right-click the IPv4 node in the DHCP management console and select the Advanced tab. Set "Conflict detection attempts" to 1 or 2. This ensures that the DHCP service will ping every IP address to check if it is really available before it is assigned to the client. Note that each additional conflict detection attempt delays the DHCP server response by a second. Hence I wouldn't work with more than two conflict detection attempts. Take note that this feature is not available for IPv6.
Use shorter DHCP lease times ^
Especially if you have a network with high client turnover or with a shortage of IP addresses, you might consider reducing the default lease times. The default lease time is 8 days. However, clients will renew their lease already after 50% (4 days) of the lease time is over. If this fails, the client will try again after 87.5% of elapsed the time. Once the lease time is over and the renewal failed, the client will no longer use the IP address and will try to get a new one. So if you want clients to check every day that the IP address has not been assigned to another PC, you can set the DHCP lease time to 2 days. Of course, this increases the risk that clients are without an IP address if all your DHCP servers are down. You can change the DHCP lease duration in the General tab of the scope options.
Work with multiple DHCP servers ^
Since each DHCP server is assigned a specific scope (block of IP addresses), multiple DHCP servers on a LAN don't cause IP address conflicts. However, this increases the fault tolerance of the DHCP service in your network. So just in case one DHCP server goes down, there are still others that will provide IP addresses to client computers. A computer with no IP address is not much better off than a computer with a duplicate IP address.
Don't allow end users to configure IP addresses ^
By default, members of the users group are not allowed to configure IP addresses. This has a reason. So don't let others do your work and make sure that end users don't mess with your network. This also applies to laptop users. Hotels that require users to configure IP addresses are very rare nowadays. Thus there is no more reason to allow end users to configure network settings.
Work with reserved IP addresses ^
Some computers need permanent IP addresses. It is a common mistake to assign these IP addresses manually. Even if your documentation is perfect, a mistyped IP address can bring down an important server within seconds. It is better to reserve IP addresses for certain MAC addresses in your DHCP server. Some organizations follow this practice also for servers. However, I wouldn't go that far in small networks. Just make sure to ping the IP address before you assign it to a server. Also ensure that you document reserved IP addresses. It is not enough to just rely on the DHCP server's database.
Back up your DHCP server several times a day ^
If the server that runs the DHCP service crashes and you have to install a new DHCP server, it is not unlikely that IP address conflicts occur because the new DHCP server might assign IP addresses to clients that are already in use. Hence, it is essential that you restore the database with the IP address leases of the old DHCP server before the new one goes live.