Dhcp help

Simon Hobson dhcp1 at thehobsons.co.uk
Sat Jan 10 08:08:13 UTC 2009


Matt Faggione wrote:

>I am trying to set up a shared network for my set top boxes to pull 
>addresses from. The Occam blade's IP address is 10.22.0.21; it is a 
>member of the 10.22.0.0/24 network and this is where the STB IP 
>request comes from. We want the STB to pull a 10.22.64.x address; 
>because this is a different subnet altogether we need to set up a 
>shared network. Every time we reboot an STB it gets an address from 
>the wrong subnet. The request comes from 10.22.0.21 and it gets 
>10.101.1.101.  10.101.1.3 is the server IP and we have a small range 
>in there for testing; this is not what we want the Occam STBs to 
>pull.



>shared-network Occam
>{
>
>subnet 10.22.0.0 netmask 255.255.255.0
>{
>}
>
>
>
>###############################################################################
># Subnet declarations
># ---------------------------
># The subnet declaration example below will handle all Amino 110 and
># Thomson Copperhead and Viper for a particular subnet.  Note: It is required
># to have a subnet declaration for local subnet even if this dhcp server is not
># serving any addresses on this range
>###############################################################################
>
># This should handle all STBs (Copperhead, Viper and Amino110) on the
># 192.168.5.0 network
>subnet 10.101.1.0 netmask 255.255.255.0
>{
>                 option routers 10.101.1.254;
>                 option broadcast-address 10.101.1.255;
>                 range dynamic-bootp 10.101.1.100 10.101.1.220;
>
>
>}
>###Occam Pine Acres/video###
>
>  subnet 10.22.64.0 netmask 255.255.192.0 {
>
>  option broadcast-address 10.22.127.255;
>  option subnet-mask 255.255.192.0;
>  option routers 10.22.64.1;
>  option domain-name-servers 10.3.3.10,10.3.3.11;
>  option root-path "US/Central";
>  option time-servers 10.3.3.10;
>  option ntp-servers ;
>  pool {
>  range 10.22.64.1 10.22.127.254;
>  allow members of "Occam_Test_Video";
>  }
>}

You've allowed members of the Occam_Test_Video class in the 
10.22.64.0/22 subnet, but you have not barred them from the 
10.101.1.0/24 subnet. The 10.101.1.100 10.101.1.220 does not have any 
allow or deny restrictions, therefore it is available for ANY client 
that matches the shared subnet.

If Occam_Test_Video were your only class, then adding a 'deny members 
of "Occam_Test_Video"' to this pool would suffice. With all the other 
classes, then you may have to be more creative. I'm not sure if you 
can create a class along the lines of "match if not a member of a and 
not a member of b and not ..." which may be what you want. The other 
way is simply to deny all the classes that should get an address from 
that pool - though that gets messy when you've loads of classes.

However, don't mix allow and deny in one access list - it isn't like 
(say) Cisco ACLs where the first one matches. Simplest is to use only 
allow (in which case anything not allowed is implicitly denied), or 
only use deny (in which case anything not denied is implicitly 
allowed).

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
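
The pool restrictions discussed in the reply above, written out as a dhcpd.conf fragment. This is an added example, not configuration from the original thread: the class match expression is a constructed placeholder, the bare range is moved into a pool so that it can carry a permit list, and each pool uses only allow or only deny.

```conf
# Added example. The match expression is a constructed placeholder,
# not the poster's real class definition.
class "Occam_Test_Video" {
  match if option vendor-class-identifier = "EXAMPLE-STB-VENDOR-ID";
}

shared-network Occam {
  # Network the STB requests arrive from (10.22.0.21): declared,
  # but no addresses are served from it.
  subnet 10.22.0.0 netmask 255.255.255.0 {
  }

  subnet 10.101.1.0 netmask 255.255.255.0 {
    option routers 10.101.1.254;
    option broadcast-address 10.101.1.255;
    # allow/deny permit lists belong inside a pool, so the range is
    # wrapped in one. Deny-only list: any client that is not in the
    # class is still implicitly allowed here.
    pool {
      deny members of "Occam_Test_Video";
      range dynamic-bootp 10.101.1.100 10.101.1.220;
    }
  }

  subnet 10.22.64.0 netmask 255.255.192.0 {
    option routers 10.22.64.1;
    option broadcast-address 10.22.127.255;
    option domain-name-servers 10.3.3.10, 10.3.3.11;
    # Allow-only list: any client that is not in the class is
    # implicitly denied from this pool.
    pool {
      allow members of "Occam_Test_Video";
      # Starts at .2 so the router address 10.22.64.1 is never leased
      # (the posted range began at .1).
      range 10.22.64.2 10.22.127.254;
    }
  }
}
```

Running `dhcpd -t -cf` against the file parses it without starting the server, which catches a permit list placed outside a pool before the change goes live.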


