Are there any good FOSS tools to do an audit of reserved IPs used in a Linux/UNIX ISC DHCPd environment? I'm trying to ensure that we do not have stale IP addresses reserved when old MAC addresses are pulled.
Are there any good FOSS tools to do an audit of reserved IPs used in a Linux/UNIX ISC DHCPd environment? I'm trying to ensure that we do not have stale IP addresses reserved when old MAC addresses are pulled.
Per your comments to David's answer, it sounds like you need something to regularly poll the ARP tables on your default gateway and/or servers.
Some relatively simple Perl scripting of their SNMP tables should allow you to probe that, and build a long-term database of MAC -> IP mappings. See e.g. http://docstore.mik.ua/orelly/perl/sysadmin/ch10_03.htm
The original question asked for FOSS tools for this purpose, but I'm not aware of any that do it just right.
I have had to perform this exercise in the past, so I can explain why some other suggestions here may not be enough. I'd ask what kind of routers you're using on your network.
Scanning the network at a particular time is not sufficient; it ignores the temporal aspect of use, among other things. Simply, a host may not be online while you did the scan. Another problem is that a host may have a firewall enabled to block the scan.
A human process... well, they're such squishy things, why would you want a human to do this?
Comparing DHCP conf to vended leases may be insufficient as well. The leases database would again have to be tracked over time. But the real problem is that you may have created an entry in your configuration which is being used statically, rather than via DHCP. Someone may have requested an address, found they could not configure DHCP properly, and hard-coded the address assigned to the machine.
The solution I used was to collect ARP records from (Cisco) routers. The minimal information you need to capture is IP address, MAC address and some temporal data (first seen, last seen) over some period of time. This could then be compared against your DHCP configuration to see which registrations are NOT being used and may be reclaimed. ARP logs reveal other information of use, such as
Registered MAC with registered IP address but no DHCP lease record -- host is hard-coded to their registration, not using DHCP.
Registered MAC not using registered IP address -- if on the same network, likely hard-coding to the wrong address; if on another network, host may have relocated.
Unregistered MAC with registered or unregistered IP address -- perhaps a new NIC, perhaps a rogue hard-coder.
You also need to create (and publish for users) a policy so the script that compares DHCP records with ARP information will nominate addresses to be reclaimed after some time N of non-usage. We used six months, though we did end up reclaiming an address of a staff member who went on sabbatical. Adjust as reasonable.
Hope this helps!
I've no idea if or how well this works but it appears to collect some of the data you require so it could be a start.
If you mean dynamic allocation of leases, you don't have to do anything. The ISC dhcpd tries to hold on to previously assigned leases as long as possible until the lease pool is empty. It will then scavenge from expired (and therefore currently unused) leases.
If you mean static reservations, the answer is: human process.
You are cleaning up your DNS (and, if applicable, NIS) when old computers are decommissioned, right? So add a note to that process to clean up DHCP reservations at the same time.
In our case, we have a perl script that reads a specially formatted source file and generates NIS, DNS (forward AND backward), and DHCP tables automatically, distributes them, and notifies the serving daemons. This means we have one stop to clean up after ourselves and/or add something new.
I think you could put together a pretty simple perl script that would compare /etc/dhcpd.conf and /var/lib/dhcp/dhcpd.leases
I'd look at http://search.cpan.org/~jhthorsen/Net-ISC-DHCPd/lib/Net/ISC/DHCPd.pm which seems to have modules for reading both of those types of files.
Another thought would be to capture and parse the output of a command like: nmap -sP -oG output.txt 10.0.0.0/8
If the command was run at Noon, or some other time when "everyone" should be on line it would likely capture the phantom laptop most of the time.
In places like schools and universities they register users based on their mac address, Tools like arpwatch have a database of static ARP entries. It is best to audit your network space prior to building an MAC address database. This is run on the NAT/DHCP gateway.
DHCP should not be depended on for network user management. What happens if someone picks a static IP?
Good luck, Ash