IP Address Management
Originally ADR-0035 IP_Address_Management (v5), source on Confluence.
Status: Accepted
Deciders: ryan.cullison@droneup.com, sybil.melton@droneup.com, eric.brookman@droneup.com, blake.jones@droneup.com
Date: May 4, 2023
Technical Story
Document decision for IP Address Management (IPAM) solution
Context and Problem Statement
- Currently a Google Sheet is the source of truth. There are concerns that some networks are not documented and that overlap could cause problems in the future.
- IPAM can be a blueprint of the IP infrastructure and a single source of truth not only for the IP plan but, just as importantly, for all the related metadata that enriches IP addresses and network subnets, such as location: where a piece of equipment, a server, a printer or a camera is located (e.g. site name, room, or latitude and longitude).
- IPAM solutions do not provide: network monitoring, DNS server, RADIUS server, configuration management, facilities management.
- DDI solutions provide DNS, DHCP, and IPAM.
Decision Drivers
- Properly document IP infrastructure in a central location
- Prevent IP network overlap
- Facilitate orchestration and automation
  - Perform secure provisioning of the next available prefix/IP via API
- Simplify management tasks
- RBAC
- Provide auditable data history and summarized reports
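Two of the drivers above, catching overlap in the existing spreadsheet and handing out the next free prefix, can be checked offline before any IPAM is in place. The following is an added example (not part of the ADR or of Netbox); the CSV is a constructed stand-in for the Google Sheet export, and the "status" column is an assumed convention borrowed from NetBox's prefix statuses.

```python
import csv
import io
import ipaddress
from itertools import combinations

# Constructed stand-in for the spreadsheet export; columns and values are assumptions
# for illustration. "status" follows NetBox's convention: "container" for aggregates,
# "active" for assigned subnets.
SHEET_CSV = """prefix,status,site,description
10.10.0.0/16,container,HQ,campus aggregate
10.10.0.0/24,active,HQ,servers
10.10.1.0/24,active,HQ,printers
10.20.0.0/24,active,Site-A,office
10.20.0.128/25,active,Site-A,cameras
192.168.1.0/24,container,Lab,lab aggregate
192.168.1.0/25,active,Lab,test bench
192.168.1.128/25,active,Lab,jump hosts
"""

def load_prefixes(csv_text):
    """Parse the export into (network, status) pairs. strict=True rejects entries
    with host bits set (e.g. 10.10.5.1/24) instead of silently rounding them."""
    return [(ipaddress.ip_network(row["prefix"].strip(), strict=True), row["status"])
            for row in csv.DictReader(io.StringIO(csv_text))]

def find_overlaps(csv_text):
    """Return sorted pairs of assigned prefixes that overlap. A container holding its
    children is the intended hierarchy, so only assigned-vs-assigned overlap is a conflict."""
    assigned = [n for n, status in load_prefixes(csv_text) if status != "container"]
    return sorted((str(a), str(b)) for a, b in combinations(assigned, 2)
                  if a.version == b.version and a.overlaps(b))

def next_available_prefix(csv_text, parent, new_prefixlen):
    """Return the first free /new_prefixlen inside parent, or None when it is full.
    Same rule as the next-available-prefix provisioning named in the decision drivers,
    evaluated offline against the sheet instead of through an IPAM API."""
    parent = ipaddress.ip_network(parent, strict=True)
    if new_prefixlen <= parent.prefixlen:
        raise ValueError("new prefix must be longer than the parent")
    used = [n for n, _ in load_prefixes(csv_text)
            if n.version == parent.version and n != parent and n.subnet_of(parent)]
    for candidate in parent.subnets(new_prefix=new_prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None
```

Running this over the real sheet export before the Netbox import surfaces the Site-A style conflict (an office /24 and a camera /25 both marked assigned) that a spreadsheet never flags.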
Considered Options
| Product Name | Product Type | Deployment Type | License |
|---|---|---|---|
| Netbox Community | IPAM DCIM | software on VM or container | open source |
| Netbox Cloud | IPAM DCIM | SaaS | commercial |
| Nautobot Cloud | IPAM DCIM | SaaS (available in future); software on VM or container | commercial (open source available) |
| EfficientIP Solidserver | DDI | virtual or hardware appliances | commercial |
| Infoblox BloxOne DDI | DDI | cloud managed virtual/hardware appliances or containers | commercial |
Decision Outcome
Netbox Community
- Good, because Ansible, Terraform and Python SDK integrations are available
- Good, because Okta single sign-on is available
- Good, because it tracks the complete desired state of the device inventory in the network and provides a unified view as a single source of truth, so the current state of the inventory can be verified at any time and any deviations reviewed within the same portal
- Good, because it is a single converged database for viewing IP networks and addresses, VRFs, VLANs, equipment racks, different types of devices and where they are installed, network/console/power connections, virtual machines, and more
- Good, because its data model caters specifically to the needs of network engineers and operators
- Good, because it is customizable and extensible through community plugins
- Good, because REST and GraphQL APIs are available
- Good, because it includes Prometheus metrics
- Good, because no purchase is required
- Bad, because the infrastructure will need to be built and maintained by ITOps
- Bad, because cloud provider IPAM sync will need to be custom built
Pros and Cons of the Options
Netbox Cloud
NS1’s cloud-managed version of Netbox, the popular open source tool.
Subscription paid annually.
- Intro: 48-hour email support; dedicated single instance; $5500/yr
- Standard: Intro + 24-hour email support, dual instances for HA and increased performance, performance autoscaling; $20,000/yr. Enterprise features available as an add-on
- Enterprise: Standard + test environments, cross-region failover, custom domains and more; contact vendor for pricing
- Good, because SaaS offering with vendor-managed upgrades
- Good, because Okta single sign-on is included in all tiers
- Good, because easy extensibility and API-driven automation
- Good, because Ansible, Terraform and Python SDK integrations are available
- Good, because it tracks the complete desired state of the device inventory in the network and provides a unified view as a single source of truth, so the current state of the inventory can be verified at any time and any deviations reviewed within the same portal
- Good, because it is a single converged database for viewing IP networks and addresses, VRFs, VLANs, equipment racks, different types of devices and where they are installed, network/console/power connections, virtual machines, and more
- Good, because its data model caters specifically to the needs of network engineers and operators
- Good, because it is customizable and extensible through plugins
- Good, because REST and GraphQL APIs are available
- Bad, because additional subscription cost and vendor
- Bad, because cloud provider IPAM sync will need to be custom built
Nautobot Cloud
Nautobot is a Source of Truth platform with an extensible plugin system that enables it to serve as a network automation platform. Built on top of a fork of NetBox v2.10.4, it has the same type of features. Commercial and open source versions are available. Nautobot Cloud is launching in early 2023.
- Good, because proprietary apps are available:
  - ChatOps integration (Slack), including Ansible, Grafana, etc.
  - Capacity metrics
  - Data validation
  - Device lifecycle management
  - Sandbox environments
  - Batfish: automated ACL and security policy verification
- Good, because it has the same benefits as Netbox
- Bad, because the vendor must be contacted for Cloud version availability
- Bad, because infrastructure will need to be built and maintained if the non-cloud version is used
- Bad, because additional licensing cost and vendor
EfficientIP Solidserver
The SOLIDserver™ DDI suite is designed to deliver highly scalable, secure and robust virtual and hardware appliances for critical DNS-DHCP-IPAM services. EfficientIP DDI appliances intelligently simplify and automate IPv4 and IPv6 address management and VLANs/VXLANs with multi-vendor DNS and DHCP services (Microsoft®, ISC BIND DNS and DHCP, AWS Route 53, Azure DNS, and Google Cloud Platform). Through a policy-driven approach, EfficientIP simplifies delegation to non-expert administrators with resource templates, workflows and an easy-to-use interface. The “one-click” upgrade technology and global patching management allow for lower administration costs with a modern DDI infrastructure.
- Good, because of built-in IPAM sync with Google Cloud
- Good, because IPAM data can be collected and manipulated through the API for real-time integration with any third-party IT system, to simplify deployment, improve compliance control and audit trails, and deliver advanced automation across platforms
- Good, because automation with Terraform, Ansible, Python and Ruby is available
- Good, because it is a dynamic and centralized repository of all network-related resources, the “IP Golden Records” (DDI, VLAN/VXLAN/VRF, apps, devices)
- Bad, because there is no SaaS offering; it is an appliance-based solution (hardware or VM)
- Bad, because additional licensing cost and vendor
Infoblox BloxOne DDI
BloxOne DDI provides a cloud-managed interface for automated DNS, DHCP and IP address management, and policy control across multiple locations. BloxOne DDI is available as a virtual machine (VM) on VMware and as a container on Docker. A hardware appliance is optionally available for purchase from Infoblox.
- Good, because of built-in GCP discovery
- Good, because ZTP automates and vastly simplifies the deployment of BloxOne DDI at scale. BloxOne DDI appliances “phone home” to authenticate, download and deploy configurations globally across all remote sites
- Good, because a full complement of APIs is also available for secure, programmatic access to supported features throughout the solution
- Bad, because there is no SaaS offering; it is a cloud-managed, appliance-based solution (hardware, VM, Docker)
- Bad, because BloxOne DDI for internal services is licensed by the number of active IP addresses and the number of instances deployed. It is unknown how this licensing would apply to IPAM-only use if DHCP/DNS are not used
- Bad, because additional licensing cost and vendor