DHCP vs. Static vs. Reserved

Is there any advantage to taking devices from the "DHCP Server" list and using the "DHCP Static Assignment" section of my router, which places them in the "Reserve IP address" section of my Motorola router?
Wouldn't it be less secure if the IP address is always assigned to the same device?
Anyway, I was just curious why I have that option.

OK, another question.
Is there any reason or advantage to taking all devices off the DHCP client list, shutting off DHCP and manually entering them into the client static list? I'm aware (I THINK) it makes the Wi-Fi network more secure, but I don't really feel the need for it.
I do wonder if there is any performance advantage ?

Thanks,
 
No "performance" advantage, but static IPs make it easier from a management perspective. If you want to access a particular device by calling on its IP address, this is much simpler to do if that IP address stays the same. Otherwise, if it doesn't have a static IP assigned, next time you try to access that device you're screwed because it now has a different IP address. Static IP addresses also make it easier from a monitoring perspective - for example, if you want to monitor how much traffic/bandwidth each device on your network generates, having it associated with a static IP address makes it much easier from a trending perspective.

Lastly, if you are running some kind of a server on one of your home machines, you do want it to have a static IP so that you can configure port forwarding on your router correctly. Another use case would be if you have a network printer at home.

I reserve static IPs for all my devices in my LAN, in one part of the IP range. Then I leave another IP range for dynamic IPs. This way, if I see on my router that a dynamic IP was given to some new, previously unrecognized device, I can easily spot it and investigate whether this is one of my "own" or some kind of an intruder or guest.

I don't think static IP per se is any less secure.


Clarification: when I say "static IP" I mean I define IP address reservation/assignment on my router for each MAC address (Static DHCP). I don't hard code a static IP on each network adapter on each device itself.
 
There is no security or performance difference. They are different ways to reach the same objective -- that every machine on the network must have a unique IP address.

The reason to have a reserved or static assignment is so the machine (typically a file server, web server, printer etc) can be known by number. The only time you absolutely need a known number is to route into it from the Internet. Properly configured local DNS and auto-discovery protocols work with dynamically assigned IPs. Accessing a printer or server by name instead of IP number is more user-friendly and will not require users to reconfigure their machine if the IP scheme of the network is changed.

Configuring static IPs within each machine is a big management headache for a network of any size. Nobody does that any more. A lot of institutions do reserve every machine's IP at the DHCP server. The DHCP server is a central point to administer.

Security by obscurity is pointless with IPv4 since there are so few addresses. There are scripts routinely scanning every IPv4 address in the world, since there are only about 4 billion of them.
 
There's no security advantage to using DHCP vs. static. For most home networks DHCP is what you should use. If you use static you need to manually put the IP address in each computer on the network and keep track of what IPs you're using so that you don't have an IP address conflict. DHCP does this for you so you don't need to keep track of them; the computers can just request an address and get an available one. If you have a server on your network you're going to want to give that file/media/whatever server a static IP address so other computers can find it every time. You can get around this by setting up a DNS server, but then the DNS server will require a static IP address. Generally I'll exclude the first 10 IP addresses in the IP address range from the DHCP address pool to use them for any servers or network equipment that will need them.
 
Every device on my network has a static IP, else it would be a nightmare having devices "talk" to each other.

From a security perspective, having my ISP grant me a static IP allows me to permit remote logins (SSH) on my web site servers (hosted at a variety of data centres) from only my IP. I suppose the same measures could be taken at home: allowing only 192.168.* to access a specific service; but not allowing traffic on (some given port) at the router level would mitigate that, too.
 
We use reserved IPs allocated through DHCP for access control, as has been indicated.

If setting up iptables, for example, PCs can be granted SSH access through a range of IPs, so that new people who need SSH access have their MACs registered in the "lower part" of the DHCP range. The obvious drawback is that the PC is granted network access to the device that needs administering, not a particular user (other than the SSH login credentials).

I suspect 1 user 1 PC is common as a security posture in a mixed OS environment.
 
I have my server, 2 HTPCs, Xbox (all for easier management of connections), and doorbell camera (was having connection issues) on reserved IP addresses.
Everything else is handed out by the router.
 
Performance, no. It can make security easier if you want to exclude certain VLANs or IP ranges from things like specific ports or even entire access to the outside internet. For your average home user with a few devices, it's probably not very important for security either, though.

I personally have my home network set up with my personally owned devices all set with a reserved IP in a specific range. Any outside device (like my work laptop) will get an IP address above x.x.x.50, so if I look in my logs or router management I can see what devices have been on my network more easily. I have about 20 reserved IPs for my various equipment, so that still leaves me with 30 available IPs just in case.

And yes, I'm an IT professional so I'm used to doing things this way. Like I said before, for your average home user, what I do is overkill and almost certainly not needed for someone that has a few home devices on wireless.
 
Another benefit of having a reserved/static IP is ability to apply bandwidth limiters to them, in case you don't want certain devices/users (kids) hogging up too much of your internet connection and prioritizing others (work PCs).
 
The reserved network IP address is locked to the hardware's MAC address. Doing this, the device stays on default DHCP, so it is easy/no setup, but the network always assigns the same address. On a home network this could be used as an additional security measure. On a large network we use this to drop-deploy printers without managing the printers' settings beyond basic DHCP. And the addresses can be within the DHCP address pool.
 
Blocking by source IP is some security on the Internet, since it is hard to clone someone else's public IP. There is a risk that if you lose that IP (have to change ISP) you would be locked out.

In a LAN it would be trivial to go to static settings to change a machine's IP to a privileged one.
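The two points above, that a reservation plan lets you spot an unrecognized device landing in the dynamic pool, and that a reservation is not authentication because any host on the LAN can statically claim a "privileged" address, can both be checked from the neighbour (ARP) table, which sees every host that talks regardless of whether it used DHCP. The following is an added example, not code from the thread or from any router vendor. It assumes a 192.168.1.0/24 LAN with reservations in .1-.49 and the DHCP pool in .50-.254 (the split described earlier in the thread), a neighbour table in the format printed by `ip neigh show` on Linux, and constructed sample data for the reservation plan and the table.

```python
"""Audit a LAN neighbour table against a DHCP reservation plan.

Added example; not from the original thread. Assumptions: LAN is
192.168.1.0/24, reserved addresses are .1-.49, the DHCP pool is .50-.254,
and the input is `ip neigh show` output. All MACs, IPs and names below
are constructed sample data.
"""
import ipaddress
import re

RESERVED_RANGE = (ipaddress.ip_address("192.168.1.1"),
                  ipaddress.ip_address("192.168.1.49"))

# Reservation plan as a router would hold it: MAC -> (IP, friendly name). Constructed.
RESERVATIONS = {
    "00:aa:bb:cc:dd:ee": ("192.168.1.1", "router"),
    "aa:bb:cc:00:00:01": ("192.168.1.10", "nas"),
    "aa:bb:cc:00:00:02": ("192.168.1.11", "printer"),
    "aa:bb:cc:00:00:03": ("192.168.1.20", "mac-mini"),
}

# Constructed `ip neigh show` output. Line 3 is a host that set .20 statically
# even though .20 is reserved for the mac-mini; line 4 is the mac-mini itself
# having ended up in the dynamic pool; line 5 is an unknown device in the pool.
SAMPLE_NEIGH = """\
192.168.1.10 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.11 dev eth0 lladdr aa:bb:cc:00:00:02 STALE
192.168.1.20 dev eth0 lladdr de:ad:be:ef:00:99 REACHABLE
192.168.1.57 dev eth0 lladdr aa:bb:cc:00:00:03 REACHABLE
192.168.1.88 dev eth0 lladdr 02:11:22:33:44:55 REACHABLE
192.168.1.1 dev eth0 lladdr 00:aa:bb:cc:dd:ee REACHABLE
192.168.1.200 dev eth0  FAILED
"""

# Entries without a resolved link-layer address (FAILED/INCOMPLETE) carry no MAC
# and are skipped by this pattern.
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17}) (\S+)$", re.I)


def parse_neigh(text):
    """Return [(ip_address, mac, state), ...] for lines that carry a MAC."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue
        ip, _dev, mac, state = m.groups()
        entries.append((ipaddress.ip_address(ip), mac.lower(), state))
    return entries


def audit(entries, reservations=RESERVATIONS, reserved_range=RESERVED_RANGE):
    """Classify each neighbour against the reservation plan.

    Returns [(category, ip, mac), ...]. The interesting categories are the
    ones the DHCP lease list alone would not show you: a reserved address
    answered for by a MAC other than its owner is exactly the "go static and
    take a privileged IP" case.
    """
    by_mac = {mac.lower(): ipaddress.ip_address(ip) for mac, (ip, _) in reservations.items()}
    by_ip = {ip: mac for mac, ip in by_mac.items()}
    lo, hi = reserved_range
    findings = []
    for ip, mac, _state in entries:
        expected_ip = by_mac.get(mac)      # where this MAC is supposed to be
        owner_mac = by_ip.get(ip)          # who is supposed to hold this IP
        if expected_ip == ip:
            cat = "ok"
        elif owner_mac is not None:
            cat = "reserved-ip-claimed-by-other-mac"
        elif expected_ip is not None:
            cat = "known-device-at-unexpected-ip"
        elif lo <= ip <= hi:
            cat = "unknown-mac-in-reserved-range"
        else:
            cat = "unknown-mac-in-dynamic-pool"
        findings.append((cat, str(ip), mac))
    return findings


def categories(text=SAMPLE_NEIGH, reservations=RESERVATIONS):
    """Convenience view: IP -> category, for the sample table by default."""
    return {ip: cat for cat, ip, _mac in audit(parse_neigh(text), reservations)}


if __name__ == "__main__":
    for cat, ip, mac in audit(parse_neigh(SAMPLE_NEIGH)):
        if cat != "ok":
            print(f"{cat:36s} {ip:15s} {mac}")
```

On a real router or Linux gateway, feed it the live table (`ip neigh show` output) and your exported reservation list instead of the constructed strings. Note what the check can and cannot tell you: a MAC is self-reported by the host, so "reserved-ip-claimed-by-other-mac" detects a careless or curious host that set a static address, not an attacker who also cloned the reserved MAC; for that you need port-level controls, which is the point made earlier in the thread about restricting by IP or MAC being convenience rather than authentication.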
 
I think you're confusing a static IP on a LAN with a static IP over the net. The first one is fine and very useful for the reasons mentioned above. The outside world won't see your LAN's individual IPs regardless of what they are. Your gateway, which feeds your network data from the internet, will still have a dynamically DHCP-assigned IP address from your ISP's server, which the world will see. You can't change that unless you call them up, request it, and pay extra.
 
Another benefit of having a reserved/static IP is ability to apply bandwidth limiters to them, in case you don't want certain devices/users (kids) hogging up too much of your internet connection and prioritizing others (work PCs).

Depending on the equipment, you can do that via group policy, which uses MAC addresses. That's how I restrict what my kids do.
 
True. I just looked at the BW Limiter tab in my router - it can be set either by IP or by MAC address.
Both will work. If you only have a few devices then using the MAC address is fine. Where it gets fun is when you have very large subnets or vlans with hundreds of devices. Being able to segregate them via IP becomes a lot more useful then, especially when you have PCs, printers, and other devices all sharing the same subnet/vlan.
 
Both will work. If you only have a few devices then using the MAC address is fine. Where it gets fun is when you have very large subnets or vlans with hundreds of devices. Being able to segregate them via IP becomes a lot more useful then, especially when you have PCs, printers, and other devices all sharing the same subnet/vlan.

True, but I'm usually assigning switchports to specific VLAN's and GP's at that point.

Let's say all printers go on VLAN10: you could BW-restrict VLAN10 with a GP and apply QoS making it low priority. Assign the ports that are going to have printers on them to VLAN10 and, assuming you don't have EUs moving gear around, that's a workable version of that scenario. Phone traffic would be VLAN100, workstations VLAN2, for example. Inter-VLAN routing enabled between 10 and 2. Of course you can use wildcard MACs (if supported) to assign a range of IPs to a given brand of equipment, say HP printers, which somewhat precludes having to carve them out into their own VLAN.

There are quite a few different ways to approach it depending on the gear being used and desired topology. At home, I'm running 3x VLANs, I block VPN traffic (in case my kids try to get around the restrictions) and all DNS traffic from going anywhere but CIRA. Since the pool of devices is reasonably small, just carving out a GP for their devices made the most sense. I don't care what their IPs are; I know what VLAN and subnet they are on, so just shoving them all in a GP based on MAC works. I could have just put them on their own VLAN and assigned that GP to that entire subnet too, though.
 
Wow, great responses, thanks. I think Kawiguy's and Quattro's responses are how I was thinking of using it, and all the other responses added value, as I can surely be reassured that if I reserve IPs on my Motorola router there is no security gain or hit and no performance gain or hit.

Here is why I think I want to make every device a reserved IP.
1. It's super SIMPLE to do on my Motorola 2600. I simply copy and paste on the same page to reserve each device.

2. I can edit/assign names for each device on the reserve list. Many of my devices only have MAC IDs; if I move them to the reserve list I can name them. For example, I copied and pasted my Mac mini desktop, which was already displaying as "myname Mac mini"; my iPhone and my wife's iPhone display as well, but I have roughly 18 constantly connected devices plus another 10 not always connected, of which 85% are not named. If I reserve the IP I can name them and keep track of everything on my network.

3. Keep in mind I do this stuff as a hobby, kind of, so I would like to have names for all my devices associated with the MAC IDs. Also, of course, I would be able to see if anyone was ever on my home network that isn't supposed to be, but that is not a concern of mine. Just a fun thing.

Thanks again,
 
The reserved network IP address is locked to the hardware's MAC address. Doing this, the device stays on default DHCP, so it is easy/no setup, but the network always assigns the same address. On a home network this could be used as an additional security measure. On a large network we use this to drop-deploy printers without managing the printers' settings beyond basic DHCP. And the addresses can be within the DHCP address pool.
I do this too, so if the mobile computer has to connect to another network it doesn't need any settings changes. But when it's home, it can always be found at the same IP.
 