The Spot IPAM blog.
Address-space planning, conflict detection, and network-ops notes for infrastructure teams.
- Your SOC 2 asset inventory can't account for half your IP space, and the auditor noticed A security and audit lead presents an asset inventory for SOC 2 and ISO 27001 that ledgers servers and laptops but has no authoritative record of allocated address space, leaving in-scope network assets undocumented. The control around inventory and ownership comes back as an exception.
- The site-to-site VPN to your biggest customer failed because you both use 192.168.0.0/16 A NetOps lead provisions a partner VPN and the tunnel comes up, but no traffic flows because both networks overlap on the same private range. The deal-critical integration stalls on an address collision nobody checked for.
- The shadow VPCs no cloud network engineer knows about, until they overlap your on-prem space A cloud network engineer maintains a clean view of the sanctioned VPCs while teams spin up their own across AWS, Azure, and GCP with default CIDRs that collide with on-prem and each other. The overlap only surfaces when someone tries to connect them.
- You revoked their badge and their VPN. You never reclaimed the IP space they provisioned. A security and audit lead runs a clean offboarding for access and credentials, but the departed engineer's self-service subnet allocations, test VPCs, and reserved blocks stay live and ownerless. They surface a year later as unexplained allocations in an audit.
- The one engineer who understood the IP plan resigned. The map left with them. A platform engineering manager realizes after a key departure that the real address-allocation logic lived in one person's head and a personal spreadsheet, not in any shared system. Every subnet decision now starts with archaeology.
- You never published a ROA, so the day your prefix got hijacked you had no defense A network architect treats RPKI as someone else's problem, leaving the org's prefixes without Route Origin Authorizations. When the address space is hijacked via a bogus BGP announcement, there's no cryptographic record to make filtering routers reject it.
- The IPv4 block you leased came pre-poisoned: blocklisted, hijacked history, and dead on arrival An infrastructure director leases an IPv4 range to expand capacity, then discovers the addresses carry reputation blocklist entries and a hijacking history from the prior holder. Mail bounces and traffic gets dropped from day one.
- You spent six figures leasing IPv4 you already owned but couldn't find A cost-conscious infrastructure director approves an IPv4 block purchase because the team 'needs more space,' when in fact a third of the existing allocation sits idle and unaccounted-for in stale records. At $35-45 per address, the waste is real money.
- Your IPv6 rollout is leaking MAC addresses, and your privacy review missed it A network architect ships an IPv6 deployment using EUI-64 interface identifiers, embedding device MAC addresses into routable addresses and creating a persistent device-tracking vector. A privacy or DPIA review later flags it as a finding.
- The IPv6-only mandate had a date. Your procurement team treated it as optional. An infrastructure director in a federal-adjacent supply chain discovers a contract requires IPv6-only operation, but the network never moved past dual-stack pilots. The 80%-by-FY2025 target in OMB M-21-07 is now a procurement gate the org can't pass.
- Your IPAM spreadsheet was already wrong the morning you opened it An infrastructure director relies on a master IP spreadsheet as the system of record, not realizing it reflects intent from whenever someone last remembered to update it, not reality. Every decision built on it inherits the error.
- You released the cloud IP but left the DNS record. An attacker took the address and your subdomain. A security and audit lead signs off on decommissioning a service, but the A-record stays behind pointing at a now-released elastic IP. The provider hands that IP to someone else, and the dangling record becomes a subdomain takeover.
- DNS said one thing, the IP plan said another, and the migration trusted the wrong one A NetOps lead runs a cutover assuming DNS, DHCP, and the IPAM record all agree, but months of drift mean A-records point at addresses that were reassigned long ago. The migration sends traffic to the wrong hosts.
- The ghost allocation nobody will claim, and why you can't safely reclaim it A network architect finds dozens of live allocations with no owner, no ticket, and no application name, and every attempt to reclaim them stalls because no one will sign off on turning them off. Dead space accumulates while real subnets run dry.
- Kubernetes quietly ate your VPC: how pod-per-IP exhausts the address plan you sized for VMs A platform engineering manager sizes a VPC for a few hundred instances, then the EKS cluster assigns an IP per pod and burns through the /16 in a quarter. The cluster stops scheduling pods because the subnets are dry.
- You discover you're out of address space during the incident, not before it A platform engineering manager scales out under load and the VPC simply can't hand out more IPs, because nobody was watching subnet utilization trend toward zero. The capacity wall shows up as failed instance launches mid-incident.
- The subnet your IPAM marked 'free' was running payroll. You found out when you reassigned it. A cloud network engineer reclaims a block flagged available and reassigns it, but the addresses were live on an unmanaged appliance the spreadsheet never tracked. A duplicate-IP conflict knocks the finance system offline on a Friday.
- Your PCI network diagram is a work of fiction, and the QSA opened your IPAM to prove it A security and audit lead hands the assessor a tidy network diagram, but the QSA cross-checks it against live subnet inventory and finds in-scope CDE hosts on segments the diagram never mentioned. PCI DSS 4.0 requirement 1.2.3 turns a documentation gap into a failed assessment.
- Your two 10.0.0.0/8 networks will collide on day one of the acquisition. Nobody scoped the renumber. An infrastructure director signs off on an M&A integration plan that assumes two private networks will 'just connect,' but both sides built on overlapping RFC 1918 space and now half the combined enterprise needs renumbering. The cost lands after the deal closes, not before.
- The /24 two teams both think they own, until the routing loop hits production A NetOps lead approves a subnet request from a spreadsheet that two engineers edited the same week, and the same 10.20.40.0/24 ends up live in two data centers. The collision surfaces as asymmetric routing and intermittent timeouts that take three days to trace.