Excluding a class from matches...

David McKen dmlmcken at gmail.com
Wed Aug 5 16:39:42 UTC 2009


Sometimes that works, sometimes it doesn't. The specific macs I am
attempting to exclude will match the prefix 12:34:56. From going
through the list the problem is the order in which classes are
evaluated is not deterministic, nor is it most specific match.

The scenario is there is a pool where customers normally receive ips
from which gives them ips where they can browse. The mac for this
interface begins with 12:34:56. When customers don't pay their bill I
want them to be moved to a different network where all they can see is
a page saying "pay your bill".

The solution I hoped would work was:

class "PayYourBill" { match hardware; }
subclass "PayYourBill" 1:12:34:56:XX:YY:ZZ;

class "Browsing" { match if substring ( hardware,  1, 3 ) = 12:34:56; }

Where XX:YY:ZZ is specific to the customer.

As a side note is there any way to specify to the "Browsing" class do
not match anything that matches the "PayYourBill" class?

BTW, I am using version 3.1.2_p1 (latest of the 3.1 series). Thus far
I am unaware of any enhancements that would be useful to me from the
4.X series.

On Tue, Aug 4, 2009 at 10:38 PM, Glenn
Satchell<Glenn.Satchell at uniq.com.au> wrote:
> ok, what if you reverse the logic in your class, then you can allow
> that class, the allow implies deny everything else? eg:
>
> class "DeviceType1" { match if not substring ( hardware, 1, 3 ) = 12:34:56; }
>
> subnet .... {
>        option ... ;
>        pool {
>                # deny devices who are not 12:34:56:
>                allow members of "DeviceType1";
>                range ... ;
>                option ... ;
>        }
>        pool {
>                allow members of "DeviceType2";
>                range ... ;
>                option ... ;
>        }
> }
>
> regards,
> -glenn
>
> PS Please reply to the list only, I don't need to get the posting twice.
>
>>Date: Tue, 4 Aug 2009 19:52:28 -0400
>>Subject: Re: Excluding a class from matches...
>>From: David McKen <dmlmcken at gmail.com>
>>
>>I considered that option but unfortunately I have one other constraint
>>that I forgot to mention. I have 3 classes of devices on this network
>>with isc dhcp classes setup for each, this setup works fine but I need
>>one of the classes to support this behavior. Due to this the deny
>>option won't work well for me. I read on the list that it is not a good
>>idea to have allow and deny statements within a single pool, so there
>>would be no way to apply the extra restrictions.
>>
>>The specific setup is that we have management networks on the same
>>VLAN as customer browsing networks (this is due to a limitation on the
>>equipment). Both are handed out via DHCP, we use the MAC prefix to
>>distinguish between the two. The new requirement is to move customers
>>over to a special "captive" network when they don't pay their bill.
>>
>>Most of the data will be stored in a database so being able to have
>>the dhcp server call some script whose return value is 1 if it's a
>>match and 0 if it isn't will actually work quite well for me so I
>>don't have to keep restarting the dhcp service every time one of these
>>macs needs to get added or removed.
>>
>>On Tue, Aug 4, 2009 at 7:35 PM, Glenn
>>Satchell<Glenn.Satchell at uniq.com.au> wrote:
>>>
>>>>Date: Tue, 4 Aug 2009 18:30:17 -0400
>>>>Subject: Excluding a class from matches...
>>>>From: David McKen <dmlmcken at gmail.com>
>>>>To: dhcp-users at lists.isc.org
>>>>X-BeenThere: dhcp-users at lists.isc.org
>>>>
>>>>Good Day list,
>>>>
>>>>I am looking to do the following:
>>>>1. For all macs whose prefix does not begin with 12:34:56 do not match /
>>>>give an ip.
>>>>2. For specific macs (list is coming from a database so can be
>>>>provided via subclass or group I guess) put them in a specific subnet
>>>>#1.
>>>>3. For all other macs matching criteria #1 put them in subnet #2.
>>>>
>>>>If I drop requirement #2 I can do this quite easily via classes.
>>>>class "DeviceType" { match if substring ( hardware, 1, 3 ) = 12:34:56; }
>>>>
>>>>and apply the class to the subnet desired.
>>>>
>>>>I am a bit lost as to how to do this with requirement #2 in place
>>>>which is to put certain devices in a special "holding" network until
>>>>they can be dealt with.
>>>>
>>>>Was looking for some line that would allow me to say " if not in
>>>>'someclass' " as I could use this to prevent the macs from #2 from
>>>>matching the "global" matches.
>>>>
>>>>Came across something called "execute based class matching" from the
>>>>mailing lists. I am a bit fuzzy as to how this works but it may be
>>>>what I'm looking for. Can anyone shed some light on how this works?
>>>>
>>>>Signed
>>>>David McKen
>>>
>>> Hi David
>>>
>>> So you define your class similar to above
>>>
>>> class "DeviceType1" { match if substring ( hardware, 1, 3 ) = 12:34:56; }
>>>
>>> class "DeviceType2" { match hardware; }
>>> subclass "DeviceType2"  1:12:34:56:d:e:f;
>>> subclass "DeviceType2"  1:a:b:c:d:e:f;
>>> ...
>>>
>>> subnet .... {
>>>        option ... ;
>>>        pool {
>>>                # deny devices who are not 12:34:56:
>>>                deny members of "DeviceType1";
>>>                # deny our special list
>>>                deny members of "DeviceType2";
>>>                range ... ;
>>>                option ... ;
>>>        }
>>>        pool {
>>>                allow members of "DeviceType2";
>>>                range ... ;
>>>                option ... ;
>>>        }
>>> }
>>>
>>> When you allow a class it denies all other classes in that pool. When
>>> you deny a class it allows all other classes. The ranges must not
>>> overlap in the pools. You can also put other options in each pool, eg
>>> different router, dns servers and so on, and they will apply to devices
>>> using that pool.
>>>
>>> dhcpd.conf man page has examples on subclasses; the leading "1" is the
>>> hardware type, almost always ethernet these days. dhcp-eval has
>>> examples of arithmetic and if/else tests, etc.
>>>
>>> regards,
>>> -glenn
>>> --
>>> Glenn Satchell     mailto:glenn.satchell at uniq.com.au | I telephoned the
>>> Uniq Advances Pty Ltd         http://www.uniq.com.au | swine flu info
>>> PO Box 70 Paddington NSW Australia 2021              | line and all I got
>>> tel:0409-458-580  tel:02-9380-6360  fax:02-9380-6416 | was crackling.
>>>
>>> _______________________________________________
>>> dhcp-users mailing list
>>> dhcp-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/dhcp-users
>>>
>
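
Added example, not part of the original post or of the ISC distribution: one way to get the "Browsing, but not PayYourBill" behaviour asked about above. It relies on the dhcpd.conf(5) rule that when a pool has both an allow list and a deny list, a client must match the allow list and must not match the deny list. The shared-network name, subnets, ranges and the subclass MAC are constructed placeholders, and the use of a shared-network for the two subnets is an assumption.

```conf
# Added example (not from the thread). Addresses use documentation ranges;
# the shared-network name and the sample MAC are constructed.

# All customer devices. Byte 0 of "hardware" is the hardware type
# (1 = Ethernet), so the OUI is the 3 bytes starting at offset 1.
class "Browsing" {
    match if substring (hardware, 1, 3) = 12:34:56;
}

# Customers moved to the captive network: one subclass line per MAC,
# generated from the billing database.
class "PayYourBill" {
    match hardware;
}
subclass "PayYourBill" 1:12:34:56:aa:bb:cc;   # constructed sample MAC

shared-network customers {
    subnet 192.0.2.0 netmask 255.255.255.0 {
        option routers 192.0.2.1;
        pool {
            # A listed MAC is a member of BOTH classes, whatever order the
            # classes are evaluated in. The deny line keeps it out of here.
            allow members of "Browsing";
            deny members of "PayYourBill";
            range 192.0.2.10 192.0.2.200;
        }
    }

    subnet 198.51.100.0 netmask 255.255.255.0 {
        option routers 198.51.100.1;
        pool {
            # Captive network: only listed MACs are eligible.
            allow members of "PayYourBill";
            range 198.51.100.10 198.51.100.200;
        }
    }
}
```

Class membership here is keyed on the client-supplied MAC address, so the "pay your bill" restriction itself has to be enforced by the router or firewall serving the captive subnet, not by dhcpd alone.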


