IOS DHCP Best Practices

Similar Messages

• IOS Template - Best Practices

  Hello,
  Does anyone have a standard template that they apply to all ios switches/routers/waps? I'm looking for some best practices for ios configs. For example, which services do you disable on all devices, what snmp settings, etc..
  Thanks!

  Hi,
  See the below link :
  http://www.cymru.com/Documents/secure-ios-template.html
  Regards,
  Mehrdad

• IOS Update Best Practices for Business Devices

  We're trying to figure out some best practices for doing iOS software updates to business devices.  Our devices are scattered across 24 hospitals and parts of two states. Going forward there might be hundreds of iOS devices at each facility.  Apple has tools for doing this in a smaller setting with a limited network, but to my knowledge, nothing (yet) for a larger implementation.  I know configurator can be used to do iOS updates.  I found this online:
  https://www.youtube.com/watch?v=6QPbZG3e-Uc
  I'm thinking the approach to take for the time being would be to have a mobile sync station setup with configurator for use at each facility.  The station would be moved throughout the facility to perform updates to the various devices.  Thought I'd see if anyone has tried this approach, or has any other ideas for dealing with device software updates.  Thanks in advance. 

  Hi Bonesaw1962,
  We've had our staff and students run iOS updates OTA via Settings -> Software Update. In the past, we put a DNS block on Apple's update servers to prevent users from updating iOS (like last fall when iOS 7 was first released). By blocking mesu.apple com, the iPads weren't able to check for or install any iOS software updates. We waited until iOS 7.0.3 was released before we removed the block to mesu.apple.com at which point we told users if they wanted to update to iOS 7 they could do so OTA. We used our MDM to run reports periodically to see how many people updated to iOS 7 and how many stayed on iOS 6. As time went on, just about everyone updated on their own.
  If you go this route (depending on the number of devices you have), you may want to take a look at Caching Server 2 to help with the network load https://www.apple.com/osx/server/features/#caching-server . From Apple's website, "When a user on your network downloads new software from Apple, a copy is automatically stored on your server. So the next time other users on your network update or download that same software, they actually access it from inside the network."
  I wish there was a way for MDMs to manage iOS updates, but unfortunately Apple hasn't made this feature available to MDM providers. I've given this feedback to our Apple SE, but haven't heard if it is being considered or not. Keeping fingers crossed.
  Hope this helps. Let us know what you decide on and keep us posted on the progress. Good luck!!
  ~Joe

• DHCP Best Practices

  Want to confirm best practices for DHCP for wireless users...
  Client would rather use WLC internal DHCP server to manage 4 scopes - APs, employees, wireless device, and guests. I typically use the wireless controller's internal server for guests, but for the others I usually recommend using the existing deployed server. This provides several advantages, but I'm looking more for the cons against using the internal server.
  Any input would be appreciated.
  -k

  I have used the wlc internal dhcp for guest use for a long time. Also in big installs where there are a few hundred guest users. Yes the WLC internal dhcp is not a "TRUE" dhcp, but if everything is configured correctly, you should not have any issues. Monitor the amount of dhcp address that are handed out, because that might be where it becomes a pain. Guest users will need an ip address to hit the webauth page..... So really take a look, since most of the time you will have the ssid broadcasted, is that wireless device utility might associate to your ssid not on purpose, just because how they have their device configured.... this will take up one of your dhcp address.

• Best practice for DHCP Server 2008 utilization of IP Addresses

  I am currently using 85% of addresses on my DHCP server running windows 2008 Server. Does microsoft recommend a particular percentage (%) of its utilization before building another scope? Or what is the industry's best practice or microsoft's
  recommendation to build another scope?

  Hi,
  As far as I know, there is no standard for the
  usage of DHCP scope. Just make sure that the IP address pool isn’t exhausted.
  For the best practices of DHCP, please refer to the article below,
  DHCP Best Practices
  http://technet.microsoft.com/en-us/library/cc780311(v=WS.10).aspx
  Recommended tasks for the DHCP server role
  http://technet.microsoft.com/en-us/library/cc731392.aspx
  Hope this helps.
  Steven Lee
  TechNet Community Support

• Best Practices For Household IOS's/Apple IDs

  Greetings:
  I've been searching support for best practices for sharing primarily apps, music and video among multple iOS's/Apple IDs.  If there is a specific article please point me to it.
  Here is my situation: 
  We currently have 3 iPads (2-kids, 1-dad) in the household and one iTunes account on a win computer.  I previously had all iPads on single Apple ID/credit card and controlled the kids' downloads thru the Apple ID password that I kept secret.  As the kids have grown older, I found myself constantly entering my password as the kids increased there interest in music/apps/video.  I like this approach because all content was shared...I dislike because I was constantly asked to input password for all downloads.
  So, I recently set up an individual account for them with the allowance feature at iTunes that allows them to download content on their own (I set restrictions on their iPads).  Now I have 3 Apple IDs under one household.
  My questions:
  With the 3 Apple IDs, what is the best way to share apps,music, videos among myself and the kids?  Is it multiple accounts on the computer and some sort of sharing? 
  Thanks in advance...

  Hi Bonesaw1962,
  We've had our staff and students run iOS updates OTA via Settings -> Software Update. In the past, we put a DNS block on Apple's update servers to prevent users from updating iOS (like last fall when iOS 7 was first released). By blocking mesu.apple com, the iPads weren't able to check for or install any iOS software updates. We waited until iOS 7.0.3 was released before we removed the block to mesu.apple.com at which point we told users if they wanted to update to iOS 7 they could do so OTA. We used our MDM to run reports periodically to see how many people updated to iOS 7 and how many stayed on iOS 6. As time went on, just about everyone updated on their own.
  If you go this route (depending on the number of devices you have), you may want to take a look at Caching Server 2 to help with the network load https://www.apple.com/osx/server/features/#caching-server . From Apple's website, "When a user on your network downloads new software from Apple, a copy is automatically stored on your server. So the next time other users on your network update or download that same software, they actually access it from inside the network."
  I wish there was a way for MDMs to manage iOS updates, but unfortunately Apple hasn't made this feature available to MDM providers. I've given this feedback to our Apple SE, but haven't heard if it is being considered or not. Keeping fingers crossed.
  Hope this helps. Let us know what you decide on and keep us posted on the progress. Good luck!!
  ~Joe

• Best practice configure DHCP server NAC

  hi all,
  any idea how the best practice deploy dhcp on cas? i tired follow user guide configure dhcp on cas but still cannot running smoothly user just only grep ip authenticate.
  - CCA agent very slow appear when user get ip dhcp on authenticate.any idea ?
  - how to integrated profiler with nac appliance .?

  Hi ahmed,
  You have configured your CAS to be your DHCP server, Thats well and good because you are using Real IP mode, Which Supports the CAS to be a DHCP server.
  Remember
  This Setting is only For your Authentication VLAN that your client gets an ip While Authentication ok.
  When your Client switches to Access VLAN , your client trafiic no longer flows through the CAS so CAS is now not responsible for DHCP.
  You'll have to configure another DHCP on the Trusted Side which can Lease IPs to the Acess VLAN Members.
  As you have configured OOB then your client is in Acess VLAN and does not come in contact with the CAS so you need the Trusted side DHCP to give the Client an IP address.
  Here in your Scenario your ACCESS VLANS are 2022,2044
  Hope this helps, Do reply after Testing.
  Thank You
  Regards
  Edward

• Airport Extreme best practice configuration for Sleep Proxy, DHCP/NAT and PPPOE

  Hi
  I have recently bought a Airport Extreme and it is working well.  One of the reasons I bought is to take advantage of the Bonjour Sleep Proxy on it so I can wake my MAC up remotely from my iPad using the REMOTE app to stream things like iTunes etc...  I followed the set up instructions and basically let it configure itself.  I have an ISP router / modem which currently is providing DHCP services, NAT and PPPOE.
  The Airport detected all of this and set itself up as bridge only.  The speed of the network outo to the internet is fine (more or less what it was before).  However, in doing a bit of research, I have found out that if I want the Airport to act as a sleep proxy, I need it to "host" the network.  I am not an expert in networking but from what I understand I need the Airport to be moved from "Bridge Only" to at least be providing DHCP to my internal network clients.
  This has prompted me to ask what is "Best practice" when it comes to configuring the Airport given I want to have Sleep Proxy enabled.  I think the two options I have are as follows but would really welcome feedback on which is the best option to go for or if there are other options I should be thinking of
  (1)  Have the Airport perform DHCP for my internal clients and leave the ISP router/modem doing NAT
  (2)  Have the Airport perform DHCP and NAT.  I think to do this I need to turn the ISP router / modem into Bridge mode only.  (I've looked and I seem to have this option on the device.  It's an Irish ISP branded device but I think it is a Zyxel)
  I have no reason to believe the ISP router / model is doing a bad job but given I understand the Airport Extreme is a reasonably high-end device (I think?) I am wondering if option 2 is the way to go.
  In addition, during my research, I have also discovered that many people seem to have their Airport Extreme also handle PPPOE.  This is currently being done by my ISP router/modem.  I am  inclined to leave it this way (following the mantra if it isn't broken, don't fix it) but if there was a good reason to have the Aiport do this, perhaps I should make the switch?  Having said this, I have seen on this forum and others, some posts about problems with Internet connection drops when the Airport is handling PPPOE.
  So, a bit of a long post, but if anyone has any information or perspective on this, I'd very much appreciate it. 
  Thanks
  Dave

  I forgot to thank you, John Galt. Yap, it solve my problem by restoring back the original firmware to 7.6.1. My unit is Airport Extreme 2012. I am still using double NAT because I cannot figure it out on how to set DHCP only in the Network tab.
  My goal it to use the airport extreme to the internet and to share the internet to all my devices in the house. Just like my previous Accesspoints. Before I use AP+router Linksy$ WRT54G and D-l!nk DIR-655 without activating the NAT to share my internet connection and they work.
  My problem is that when I set it to DHCP in the internet tab and DHCP in the Network tab in Airport Utility inorder to solve the double NAT situation, only one of all my devices (wired or wireless) can connect to the internet. Each time I connect the other device(s) to the internet my subscriber will verify my subscription (web browser based verification) in which I have to manually enter my account number, etc to validate my subscription.
  So I stick to double NAT so that I can share the internet
  Our broadband provider uses DHCP to link us to the internet. If I change the settings to Static in the Internet Tab, my broadband provider will not let me connect to the internet. In the Airport Utility if I set to static in the Internet Tab inorder to set it to solve the double NAT, a message box appear informing me that I have invalid beginning IP address in the DCHP range in the Network Tab when it appears that only the last 3 digits of the DHCP range is editable.
  Is there any way of configuring the Airport Utility's Internet TAB to DHCP and Network TAB to DHCP to connect to the internet with all my devices without the double NAT and without the aid of another device such as AP or router or switch connected to the Airport or vice versa?

• Flash Alternative Content ~ Best Practice ~ Safari on iOS Devices ~ iPad iPhone iPod Touch

  Hi Folks,
  Is there a documented best practice for providing alternate content for Flash in Safari on iOS devices?
  I am getting white space where my Flash animation would normally appear, and management is displeased. I need to display alternative content in this space. I'm hopeful that Adobe has published a best practice for how to accomplish this.
  tyvm
  Keith

  Not sure about Adobe official stance but they have started using swfobject Flash detection to place Flash <objects> on the Web page. The problem I see with the Adobe implementation is that about the only alternate content they recommend is "Click here to download the latest version of Flash player".
  That is about the lamest alternate content you could possibly imagine! Just because you recommend that your viewers download the new version.... doesn't mean they will... so they still go without REAL alternate content.
  A MUCH BETTER use of swfobject is to actually provide alternate content! For your review::
  If you think that Flash is somehow bad for SEO, it's time to dispell that MYTH!
  If fact, in some circumstances I'll use Flash INSTEAD of just HTML because then I'll have better SEO than with just HTML alone.
  http://www.worldbarefootcenter.com/
  The link to World Barefoot Center in the above post is just one example. View the source code and you see a couple paragraphs of text along with regular HTML links.... but what displays is the Flash version of the image and Flash links.
  The client provided the artwork for the page... and that's what they wanted to use a .jpg image. Well yes, that could be done in HTML but it would be virtually invisible to Google. So Instead I converted the image into a Flash .swf and used swfobject to display the Flash. swfobject allows you to create alternate content inside the <div> which also holds the Flash .swf, then when the page is loaded it detects if the browser has the Flash pluggin. If it does, it displays just the Flash content, if not, it displays the alternate content. Since almost everyone has the Flash pluggin, for most people the Flash version of the <div> will display.
  The alternate content for that <div> can be any regular HTML text, images, media player, links, etc., anything that you would use if you were not using the Flash. Now the best part is that the alternate content can be "over the top" as far as optimizing for SEO, since it will not be seen by most viewers.
  Here's another example of SEO with Flash.. again, the page is just a single image provided by the client:
  http://www.ksowetsuits.com/
  View the source code. The alt content is paragraph after paragraph of information about the site, including lists and links. If it was just the HTML, it might be kind of a boring Home page. But for SEO I can go "over the top" in promoting the site, since most viewers will never see that part... but it's all indexed by search engines. The end result is BETTER SEO using Flash than just HTML.
  On another Web site, a Flash video is displayed, the alt content is the complete text narration of the video. Now how many people would take the time to read that if they could just watch the video instead?? again, better SEO with Flash than without. In fact in one case we had first page search result from that video narration within 4 hours of posting the page.
  On still another site with a Flash video, the alt content is another video, but a .mov version, which will, in effect play Flash video on the iPhone (not possible you say??). Well since the iPhone does not have Flash pluggin, it simply displays the .mov version of the video, while everyione else sees the Flash version.
  So anyway, if Flash is a part of your Web development, you should look into using swfobject and alternate content.
  http://code.google.com/p/swfobject/
  Best wishes,
  Eye for Video
  www.cidigitalmedia.com
  So it is and has been for a number of years now, very easy to provide alternate content for non Flash devices... and that includes text, images, and video.
  Best wishes,
  Adninjastrator

• Looking for best practices when creating DNS reverse zones for DHCP

  Hello,
  We are migrating from ISC DHCP to Microsoft DHCP. We would like the DHCP server to automatically update DNS A and PTR records for computers when they get an IP. The question is, what is the best practice for creating the reverse look up zones in DNS? Here
  is an example:
  10.0.1.0/23
  This would give out IPs from 10.0.1.1-10.0.2.254. So with this in mind, do we then create the following reverse DNS zones?:
  1.0.10.in-addr.arpa AND 2.0.10.in-addr.arpa
  OR do we only create:
  0.10.in-addr.arpa And both 10.0.1 and 10.0.2 addresses will get stuffed into those zones.
  Or is there an even better way that I haven't thought about? Thanks in advance.

  Hi,
  Base on your description, creating two reverse DNS zones 1.0.10.in-addr.arpa and 2.0.10.in-addr.arpa, or creating one reverse DNS zone 0.10.in-addr.arpa, both methods are all right.
  Best Regards,
  Tina

• IOS Software Upg(s) - Best Practices?

  Hello, I have several 2960 switches that are all running 12.2(35)SE5.
  I know that 12.2(50)SE1 is out there, and I am curious when it is best to upgrade the software version?
  If my switch is still PRE-production, am I better off to always upgrade to the current software on a switch if it still has not yet been deployed?
  I saw in the release notes for (50)that there were some VLAN authentication updates, and we are in the midst of designing a VLAN deployment using some L3 switches.
  Without KNOWING if I need a specific feature udpate, are there any best practices that may help guide me?
  As mentioned, because this switch is not yet in production, I'm thinking that the time is right if I'm going to upgrade the IOS.

  Best practice is NOT jumping into a new IOS code unless you need a feature provided by the new IOS or your current IOS has a critical bug that is corrected with the new IOS.
  With that said, it seems the new feature is worth having in your environment so 50SE1 may fit the bill. It's your call if you want to be exposed to new bugs.
  HTH,
  Edison.

• IOS FW/IPS on a 2651XM best practices

  I have a 2651XM with 128MB and I'm trying to figure out what the best practices are as far as IPS is concerned. I downloaded the latest SDF and I'm trying to load all the threats (excluding the disabled ones) via SDM but for some reason the number that's actually gets applied is always lower than the original number listed when I first select them. I can see that the router runs out of memory while loading the definitions but I'd guess that that's normal. This happens even if I just try to load the ones with High severity. Am I doing something wrong? What's a good number of definitions given the the specs of my router. Also, can I automatically block all packets matched against IPS. Are the built-in definitions a waste of time or should I be using those?
  Also, how would I go about creating my own SDF - I can see that hey come in XML format.
  Thanks in advance!

  you can use this link for a bereinformaiom.
  http://www.snort.org/pub-bin/sigs.cgi?sid=469

• Best practice on sqlite for games?

  Hi Everyone, I'm new to building games/apps, so I apologize if this question is redundant...
  I am developing a couple games for Android/iOS, and was initially using a regular (un-encrypted) sqlite database. I need to populate the database with a lot of info for the games, such as levels, store items, etc. Originally, I was creating the database with SQL Manager (Firefox) and then when I install a game on a device, it would copy that pre-populated database to the device. However, if someone was able to access that app's database, they could feasibly add unlimited coins to their account, unlock every level, etc.
  So I have a few questions:
  First, can someone access that data in an APK/IPA app once downloaded from the app store, or is the method I've been using above secure and good practice?
  Second, is the best solution to go with an encrypted database? I know Adobe Air has the built-in support for that, and I have the perfect article on how to create it (Ten tips for building better Adobe AIR applications | Adobe Developer Connection) but I would like the expert community opinion on this.
  Now, if the answer is to go with encrypted, that's great - but, in doing so, is it possible to still use the copy function at the beginning or do I need to include all of the script to create the database tables and then populate them with everything? That will be quite a bit of script to handle the initial setup, and if the user was to abandon the app halfway through that population, it might mess things up.
  Any thoughts / best practice / recommendations are very appreciated. Thank you!

  I'll just post my own reply to this.
  What I ended up doing, was creating the script that self-creates the database and then populates the tables (as unencrypted... the encryption portion is commented out until store publishing). It's a tremendous amount of code, completely repetitive with the exception of the values I'm entering, but you can't do an insert loop or multi-line insert statement in AIR's SQLite so the best move is to create everything line by line.
  This creates the database, and since it's not encrypted, it can be tested using Firefox's SQLite manager or some other database program. Once you're ready for deployment to the app stores, you simply modify the above set to use encryption instead of the unencrypted method used for testing.
  So far this has worked best for me. If anyone needs some example code, let me know and I can post it.

• Best practice for integrating a 3 point metro-e in to our network.

  Hello,
  We have just started to integrate a new 3 point metro-e wan connection to our main school office. We are moving from point to point T-1?s to 10 MB metro-e. At the main office we have a 50 MB going out to 3 other sites at 10 MB each. For two of the remote sites we have purchase new routers ? which should be straight up configurations. We are having an issue connecting the main office with the 3rd site.
  At the main office we have a Catalyst 4006 and at the 3rd site we are trying to connect to a catalyst 4503.
  I have attached configurations from both the main office and 3rd remote site as well as a basic diagram of how everything physically connects. These configurations are not working ? we feel that it is a gateway type problem ? but have reached no great solutions. We have tried posting to a different forum ? but so far unable to find the a solution that helps.
  The problem I am having is on the remote side. I can reach the remote catalyst from the main site, but I cannot reach the devices on the other side of the remote catalyst however the remote catalyst can see devices on it's side as well as devices at the main site.
  We have also tried trunking the ports on both sides and using encapsulation dot10q ? but when we do this the 3rd site is able to pick up a DHCP address from the main office ? and we do not feel that is correct. But it works ? is this not causing a large broad cast domain?
  If you have any questions or need further configuration data please let me know.
  The previous connection was a T1 connection through a 2620 but this is not compatible with metro-e so we are trying to connect directly through the catalysts.
  The other two connection points will be connecting through cisco routers that are compatible with metro-e so i don't think I'll have problems with those sites.
  Any and all help is greatly welcome ? as this is our 1st metro e project and want to make sure we are following best practices for this type of integration.
  Thank you in advance for your help.
  Jeff

  Jeff, form your config it seems you main site and remote site are not adjacent in eigrp.
  Try adding a network statement for the 171.0 link and form a neighbourship between main and remote site for the L3 routing to work.
  Upon this you should be able to reach the remote site hosts.
  HTH-Cheers,
  Swaroop

• Best Practices when replacing 2003 server R2 with a new domainname and server 2012 r2 on same lan network

  I have a small office (10 computers with five users) that have a Windows 2003 server that has a corrupted AD. Their 2003 server R2 is essentially a file server and provides authentication.  They purchased a new Dell 2012 R2 server.  
  It seems easier to me to just create a new domain (using their public domain name).  
  But I need as little office downtime. as possible . Therefore I would like to promote this server to its new domain on the same lan as the current domain server.  I plan to manually replicate the users and folder permissions.  Once done, I plan to
  remove the old server from the network and join the office computers to the new domain.  
  They also they are also running a legacy application that will require some tweaking by another tech. I have been hoping to prep the new domain prior to new legacy tech arriving.  That is why I would like both domain to co-exist temporarily. I have read
  that the major issues involved in this kind of temporary configuration will then be related to setting up dns.  They are using the firewall to provide dhcp.
  Are there any best practices documents for this situation?
  Or is there a better or simpler strategy?
  Gary Metz

  I followed below two links. I think it should be the same even though the links are 2008 R2 migration steps.
  http://kpytko.pl/active-directory-domain-services/adding-first-windows-server-2008-r2-domain-controller-within-windows-2003-network/
  http://blog.zwiegnet.com/windows-server/migrate-server-2003-to-2008r2-active-directory-and-fsmo-roles/
  Hope this help!