6

I'm looking to better understand this piece of advice in relation to setting up devices on internal networks with static IP addresses, and why that is considered a bad idea.

On the surface of it, setting up static IP addresses for devices on an internal network that act as servers doesn't seem like a particularly bad idea when those servers need to communicate with each other regularly. If server A needs to request a web page or an FTP connection or whatever from server B, the task is made much simpler by making sure that server B can always be found at a specific address instead of searching through the network for server B each time.

The only immediate issue that I can think of when setting a static IP address is that the IP address is defined from the server's side and not by the router (e.g. the server says to the router, "I want to be connected to your network at IP address 192.168.0.42"). This is fine in most simple cases, but if there's a collision (two different devices are both asking/demanding to be 192.168.0.42), the setup is bound to fail somehow.

Beyond that one case though, why is setting up servers on an internal network with static IP addresses such a bad idea?

Ron Maupin

4 Answers

6

It's not true that static IP addresses are always a bad idea. For small networks, with a handful of devices, it may make perfect sense. Static addresses are simple to understand and configure -- and not as complex as setting up a DHCP and DNS server. For small networks to which you might hook up a Raspberry Pi -- as mentioned in the question you linked to -- I think static addresses are fine. The blanket, "Telecommunications engineers never do this" is not accurate.

Most of the regular users on this forum work with much larger networks -- hundreds, thousands, or tens of thousands of devices. At that scale, manually keeping track of individual device addresses is nearly impossible. When networks are that large, things are changing constantly (that's why we have jobs). PCs move, servers get replaced, new applications get created, and old ones are retired. Networks expand and contract, adding new sites or reconfiguring old ones.

If everything had a static address, any change would become an impossible task. Imagine moving a server from one data center to another. The IP address would have to change. Every application that communicates with that server would have to be modified. Software would break, systems would fail, and IT would look very different than it does today. Facebook and Google could not do what they do managing all their servers' IP addresses in a spreadsheet.

Ron Trunk
  • Yes and no. When you're dealing with a "farm" (group of identical services), and don't care which actual server you access, dynamic server addressing is ok. When you have one subnet with multiple services in it, you need to know where each lives. I don't trust dynamic DNS for this. – Ricky Jan 20 '18 at 05:05
  • And yes, I do maintain a /21 in a spreadsheet. (and in the past a total of around /12) – Ricky Jan 20 '18 at 05:08
  • @RickyBeam Of course no matter what one recommends here, *someone* will be successfully doing the opposite. ;-p – Ron Trunk Jan 20 '18 at 17:14
2

Statically configuring addresses doesn't scale, and can be a problem when moving devices in a network. That is the reason for DNS. With DNS, you can refer to a host by name, and the DNS will take care of resolving the name to the currently assigned IP address.

Statically configuring addresses may make sense on small networks, but even on medium sized networks it can become a burden.

Ron Maupin
  • This presumes DNS is usable, which on some corporate networks is not the case for the odd VPN solution. Changing an IP address for a major server may distress users on another network using "hosts" details or hard coded scripts. Some (most) cloud providers still can't use hostnames in their network security groups. DNS is not universal. – mckenzm Jan 17 '19 at 04:31
1

Two reasons to not use static IP addresses, and utilize DHCP reservations instead:

  1. You avoid IP conflicts
  2. IP reservations are centrally managed

An anecdotal story of why static IP addresses are a bad idea: Years ago, as a network administrator for a Credit Union with several branch offices, we had a branch go down. We researched endlessly for days. The router was up, and we could even ping it, but it would not route traffic to the remote branch. Days later I suddenly had a bright idea to ping the router IP and then unplug the router. Lo and behold, the pings still replied. Why? Long story short, I figured out that a Linksys router had been configured many years earlier with a local static IP address. At some point we needed a 4-port switch somewhere, but had to wait a week or more to get one. So a tech plugged in this router as a switch, which is normally fine. It had the same IP address statically configured as the branch router. Neither device could warn us of an IP conflict, so we had no idea. Resetting the Linksys router to defaults wiped the static IP and suddenly the branch came back up.

Static IP addresses mean the network configuration is fragmented and not centrally managed. I don't care how good you are at spreadsheets and updating them when setting a static IP address. Nothing is as good as having a DHCP server manage everything. If you need a static IP, connect the device, let it get an IP, then reserve that IP in DHCP. Since it's tied to the MAC, it'll always get that same address, and no other device can ever get that IP. IP conflicts don't occur unless someone sets a static IP address.

The top answer here says "It's not true that static IP addresses are always a bad idea", and that static IPs are "not as complex as setting up a DHCP" server. If you're setting more than one device with a static IP, then you've already done more work than setting up a DHCP server. A DHCP server is configured once, and adding a reservation is usually as simple as checking a box to reserve a lease. Sure, configuring a Windows DHCP server scope can take some time, but most routers are far simpler. All it takes is one IP conflict to cause a huge headache.

Ricky
  • *If you're setting more than one device with a static IP, then you've already done more work than setting up a DHCP server.* Consider the work involved in setting up a server (BTW, how does it get its address??), configuring the server security, administrative accesses, software upgrades, patches, *etc.*. Plus, you have to buy a server and license the software. Do you really think that's easier than two or a handful of static devices? – Ron Trunk Dec 05 '22 at 20:55
  • *Static IP addresses mean the network configuration is fragmented and not centrally managed* Incorrect. You're *assuming* just because the address was set on a device, it wasn't (isn't, and never is) recorded somewhere -- like, even DNS! I've done this for many decades. There are MANY ways to track address assignments. You also significantly discount the work necessary to setup a server, and the DHCP service on it. If someone else has already done most of the work, it can be as simple as "Deploy VM". (been there too.) – Ricky Dec 06 '22 at 01:47
  • I haven't managed a DHCP server spanning the whole site, but I agree that with static addresses it can cause some serious issues when someone sets up a gateway address as a server address. It happens. – saba Dec 06 '22 at 08:47
  • @RonTrunk Licenses? I've never heard of a licensed DHCP server. That stuff is free literally everywhere, and numerous open source versions of it are available in an incredibly large number of projects. Most of which are already configured out of the box. Server security? That stuff is typically already built in. DHCP is rarely some sort of standalone service, and security is as simple as setting a password. Updates? DHCP server updates are incredibly rare, and not an actual concern. – Ricky Dec 06 '22 at 14:54
  • @Ricky Central management is different from central records. DNS isn't an example of central management because DNS doesn't manage the IP address assignment itself. What happens when two devices are registering themselves to a DNS server with the same IP address? Each time the A record is overwritten unless the record is static. Something like a spreadsheet is also not an example of central management. A DHCP server can be set up in less than a minute, unless, again, we're talking about a more complex DHCP server like on Windows Server – Ricky Dec 06 '22 at 15:02
  • @Ricky What you're describing is fine for a home network, but in many organizations you can't just set up a server "out of the box," and just "setting a password" is insufficient security and management. Larger organizations have many more constraints than what you imagine. But I see we're not going to agree on this. – Ron Trunk Dec 06 '22 at 15:29
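The third answer above makes two practical points: a static address can silently collide with another device (the Linksys story), and an address that is hand-configured inside the DHCP pool will eventually be leased to someone else. Below is a small added example, not code from the thread or from any of its posters, that audits an address plan for exactly those two problems. The subnet, pool bounds, reservations, MACs and hostnames are all constructed sample data.

```python
"""Audit a subnet's address plan for the conflicts discussed in the thread.

Added example (not code from the thread). The scope, reservations and
static hosts below are constructed sample data; all MACs and hostnames
are hypothetical. The check flags:
  - duplicate_ip:   two different MACs claim one address (the Linksys case)
  - static_in_pool: a hand-configured host sits inside the dynamic pool,
                    so the DHCP server may lease that address to another device
  - outside_subnet: an assignment that is not even in the scope's subnet
"""
import ipaddress
from collections import defaultdict

SUBNET = ipaddress.ip_network("192.168.0.0/24")
# Dynamic pool the DHCP server hands leases out of (inclusive bounds).
POOL = (ipaddress.ip_address("192.168.0.100"), ipaddress.ip_address("192.168.0.200"))

# MAC-bound reservations, as the DHCP server would hold them (constructed).
RESERVATIONS = {
    "00:11:22:33:44:01": "192.168.0.10",   # file server
    "00:11:22:33:44:02": "192.168.0.11",   # print server
    "00:11:22:33:44:03": "192.168.0.250",  # branch router
}

# Devices someone configured by hand: (hostname, MAC, address) (constructed).
STATIC_HOSTS = [
    ("branch-rtr", "00:11:22:33:44:03", "192.168.0.250"),   # same MAC as its reservation: fine
    ("old-linksys", "00:11:22:33:44:99", "192.168.0.250"),  # a second MAC on the router's address
    ("lab-pi", "00:11:22:33:44:50", "192.168.0.150"),       # inside the dynamic pool
    ("mgmt-sw", "00:11:22:33:44:60", "192.168.0.20"),       # unique and outside the pool: fine
]


def in_pool(addr, pool=POOL):
    """True if addr falls inside the dynamic lease range."""
    return pool[0] <= addr <= pool[1]


def audit(reservations, static_hosts, subnet=SUBNET, pool=POOL):
    """Return a sorted list of (kind, subject, detail) findings."""
    findings = []
    claimants = defaultdict(set)  # address -> set of MACs that claim it

    for mac, ip in reservations.items():
        addr = ipaddress.ip_address(ip)
        claimants[addr].add(mac.lower())
        if addr not in subnet:
            findings.append(("outside_subnet", mac, str(addr)))

    for name, mac, ip in static_hosts:
        addr = ipaddress.ip_address(ip)
        claimants[addr].add(mac.lower())
        if addr not in subnet:
            findings.append(("outside_subnet", name, str(addr)))
        elif in_pool(addr, pool):
            findings.append(("static_in_pool", name, str(addr)))

    # An address claimed by more than one MAC is a conflict, whether the
    # claims come from reservations, static configs, or a mix of both.
    for addr, macs in claimants.items():
        if len(macs) > 1:
            findings.append(("duplicate_ip", str(addr), ",".join(sorted(macs))))

    return sorted(findings)


if __name__ == "__main__":
    for kind, subject, detail in audit(RESERVATIONS, STATIC_HOSTS):
        print(f"{kind:15} {subject:16} {detail}")
```

Run against the sample data it reports the Linksys-style duplicate on 192.168.0.250 and the lab-pi host sitting inside the pool; the branch router is not flagged because the MAC in its static config matches its reservation. In practice the reservation table would be exported from the DHCP server and the static list from whatever inventory (spreadsheet, CMDB or DNS zone) the site keeps; the point of the check is that the two sources are compared, which neither the DHCP server nor a spreadsheet does on its own.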
-2

Static IPs are more hackable. A threat actor has more possible chances to reach a target IP compared to a dynamic IP, because the IP is assigned permanently to the NIC card. Dynamic IP addresses change with each session on the network as per the DHCP scope time-frame configuration on the DHCP pools, and a dynamic IP makes it more challenging and difficult for a threat actor to compromise data security. As static IP addresses never change, they can become a security risk as it is easier to track the computer they are linked to. In case a single desktop is compromised in the network, a hacker can easily reach the servers and from there the database. By using the DHCP protocol we can reduce attacks on the organization's IT infrastructure because the IP will continuously change and the hacker can't trace the targeted IP, because it will change randomly and frequently with respect to the lease and renewal time period configured on the DHCP scope.

Sagar Uragonda