Using IPAM

This page contains information about using IPAM Grid Manager to manage DNS and DHCP configuration.

Introduction

IPAM, which stands for “IP Address Management”, is the integrated platform used by IT professionals to manage DNS and DHCP configuration for their networks and authoritative zones served by campus DNS and DHCP.

The user interface for IPAM is called Grid Manager.

How do I gain access to IPAM?

IT Professionals listed in Contacts Database with the “DNS Requests” permission for one or more network(s) and/or domain(s) may log in to IPAM Grid Manager and make changes to objects and records within those network(s) and domain(s).

The preferred way to obtain Contacts Database permissions for an existing network or domain is to contact the person responsible for that network or domain and ask them to grant you permissions.  If you cannot identify this person, feel free to contact hostmgr@illinois.edu for help.  Please note, however, that bulk permission change requests should be submitted to the Contacts Database team via consult@illinois.edu.

Updated permissions in Contacts Database are automatically read and imported into IPAM nightly.

Note that this nightly job currently takes a long time to run, typically (as of Nov 2021) finishing all its work in IPAM by 11am on the following day, except when interrupted by system patching on the 3rd Wednesday of each calendar month.

Employees with a home campus other than Urbana must have an account in the Urbana UofI Active Directory in order to access IPAM.

About Contacts Database

Contacts are the people (or distribution lists) who should be informed when problems or questions arise regarding this domain:

  • The Primary contact is the technical person who has operational (day-to-day) responsibility for the domain and will be contacted first regarding any questions or problems.
  • The Backup contact will be contacted if the Primary contact is unavailable or does not respond.
  • The Administrative contact is managerial rather than technical (typically a department head or business manager), representing the unit that owns the domain and pays for it.  They will be contacted for help re-establishing Primary and Backup contacts if the ones listed are out of date or not responding.
  • You may list more than one Primary, Backup, or Administrative Contact.  You may also list contacts of type “Other” who are allowed to view the domain in Contacts Database but who will generally not be contacted with questions about the domain.
  • To avoid confusion, don’t use the Service-specific contact types “Service Owner” and “Service Liaison” for Domains and Networks.  (If these are present, we will treat them as type “Other”.)
  • Please list at least two Primary/Backup contacts (i.e. two Primary or one of each) and at least one Administrative contact.
  • Please do NOT list the same person in multiple contact roles.

Permissions identify the Active Directory users (or groups) who are allowed to manage this domain:

  • Change Contacts permission-holders can update the information in Contacts Database (which includes granting and revoking permissions), and are expected to keep this information up to date as people leave the University, change jobs, etc.
  • DNS Requests permission-holders can perform self-service tasks in IPAM Grid Manager and request non-self-service changes from hostmgr@illinois.edu.  Note that requests for certain major irrevocable changes such as deactivating a domain or transferring it to another owner will be reconfirmed with a Primary contact (unless originated by a Primary contact).

Note that Contacts and Permissions are entirely separate concepts; it is common to grant Permissions to the same people who are Contacts, but not required.

Networks in CDB have DNS Requests permission too, but they can also have other types of permission which are used to manage access to other services.  See Contact Types in Contacts Database (CDB) for more information.

How do I log in?

Visit https://ipam.illinois.edu and click the “SSO Login” button (without entering anything in the text boxes) to authenticate using Shibboleth single sign-on.

When the Shibboleth identity provider redirects you back to IPAM, you will be automatically logged in and should see a (fairly sparse) dashboard page.  If you instead end up back at the IPAM login screen, or if you see “Error: ‘Auto Create User’ option disabled, login denied”, this probably means you don’t currently have permissions to access IPAM (see How do I gain access to IPAM? above).

Technical notes:

  • The “SSO Login” button requires your browser to briefly connect to an additional non-standard HTTPS port (8765/tcp) on the Grid Manager server, which may not work if you are behind a firewall that restricts outbound connectivity.

Alternative Login Method

  • Multi-Factor Authentication (MFA) is still required.  IPAM is not able to prompt you interactively for a second authentication factor, but you can append a passcode or factor name to your password as documented in https://guide.duo.com/append-mode.

    If you don’t append anything to your password, you should automatically receive a push notification (if you have a smartphone registered for Duo).

    If you have more than one smartphone registered for Duo, you might need to append e.g. “,push2” to use your second device.

    If your actual password happens to contain any commas (the delimiter character for append mode), we suggest always appending something (e.g. “,push”) so that your authentication can succeed on the first try without requiring an extra round-trip to AD on the back end.

  • For UIC and UIS employees, be sure to enter the userPrincipalName of your Urbana UofI Active Directory account (typically yournetid@illinois.edu), not yournetid@uic.edu or yournetid@uis.edu

Your user profile for the Alternative Login Method will not reflect any customizations you have previously made while using SSO Login, nor vice versa.  See this known issue for details.

How do I log out?

Your Grid Manager session will automatically log out if it is idle for over 4 hours.  To log out manually, click the drop-down control labeled with your username in the upper right-hand corner of the interface, and select “Logout”.

In either case, logging out from IPAM does not end your Shibboleth identity provider session, which means you may still be able to click “SSO Login” and get right back in again.  You can prevent this by additionally visiting https://shibboleth.illinois.edu/idp/profile/Logout or by completely closing your web browser (see also Logging out of individual web applications with Shibboleth).

How soon will my changes take effect?

Many changes made in Grid Manager take effect instantly. Other changes (e.g. creating a DHCP Range) take effect only after a behind-the-scenes service restart, which will automatically occur within 5 minutes of making such a change.

Keep in mind that DNS records are routinely cached in accordance with their TTL (time-to-live) values.  Even though authoritative DNS record changes take effect instantly in IPAM, some clients may continue to see the old record data until it has expired from all caches.

For changes to high-profile DNS records (e.g. migrating a live production service), Technology Services recommends that you temporarily lower the TTL of the record in question (e.g. to 1 minute) at least one hour prior to making the actual change, and then restore the TTL to the campus default (1 hour) after the change is complete and you have confirmed that everything is working properly.

If you don’t want your changes to take effect immediately, see the section on Scheduled Tasks in Advanced Tips and Tricks.

Getting started and navigating the interface

New users should start at Getting Started with IPAM. This page contains basic information about navigating the Grid Manager web interface once you have logged in.

DNS Configuration Tasks

Host Records explains how to create, edit, and delete Host records.

Stand-alone DNS Records explains how to create, edit, and delete all other types of DNS records.

DNS Traffic Control explains how to dynamically adjust DNS query responses based on server health checks.

DHCP Configuration Tasks

DHCP Ranges (Dynamic Pools) explains how to configure a pool of IP addresses that can be assigned interchangeably to any eligible DHCP client.

DHCP Fixed Addresses explains how to configure an individual IP address for use exclusively by a single DHCP client.

Managing DHCP Leases contains information about working with leases, which represent the allocation of a particular IP address to a particular client for a specified period of time.

Advanced Features

Advanced Tips and Tricks contains some additional tips to help you use Grid Manager more efficiently. These tips will be most helpful to users who have already logged in once or twice and have familiarized themselves with the basics. If you’re just getting started with Grid Manager, we recommend you skip this section for now and come back to it later on.

CSV Imports and Exports gives instructions on how to to perform “bulk” updates which create or modify many DNS and/or DHCP objects at once.

Using the IPAM API contains information about using Grid Manager’s application programming interfaces.

Customized Training

If you’d like free, customized training for your particular unit or department about how to manage DNS and DHCP using Grid Manager, contact hostmgr@illinois.edu.

Known Issues

Known Issues contains information about known issues with Grid Manager that may be relevant to campus network administrators.