Permit/Deny MAC Addresses per subnet
Randall C Grimshaw
rgrimsha at syr.edu
Fri Jul 31 20:56:05 UTC 2009
We do something like you suggest. We have a list of MAC addresses that can be offered an address from different pools dynamically, where normal systems can only 'use' one.
class "CLSR" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}
subclass "CLSR" 1:00:11:22:23:44:55;
subclass "CLSR" 1:00:11:22:23:44:56;
....
class "QUARANTINE" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}
subclass "QUARANTINE" 1:00:11:22:33:44:57;
subclass "QUARANTINE" 1:00:11:22:33:44:58;
....
Then wrap your different subnet definitions as shared networks and permit the classes above as memberships.
shared-network buildingname {
    # 123.456.x.x addresses in this config are obfuscated placeholders, not valid IPv4
    subnet 172.20.36.0 netmask 255.255.255.0 {
        pool {
            failover peer "dhcp";
            range 172.20.36.5 172.20.36.5;
            range 172.20.36.9 172.20.36.9;
            allow unknown clients;
            deny members of "LWAPP";
            deny dynamic bootp clients;
        }
        option routers 172.20.36.1;
        option subnet-mask 255.255.255.0;   # must match the netmask declared for this subnet
        option broadcast-address 172.20.36.255;
        option domain-name-servers 123.456.21.20;
        default-lease-time 600;
        max-lease-time 700;
    }
    subnet 172.21.36.0 netmask 255.255.255.0 {
        pool {
            failover peer "dhcp";
            range 172.21.36.136 172.21.36.140;
            allow members of "QUARANTINE";
            deny dynamic bootp clients;
        }
        option routers 172.21.36.1;
        option subnet-mask 255.255.255.0;   # must match the netmask declared for this subnet
        option broadcast-address 172.21.36.255;
        option domain-name-servers 172.17.21.20;
        default-lease-time 600;
        max-lease-time 700;
    }
    subnet 123.456.36.0 netmask 255.255.255.0 {
        pool {
            failover peer "dhcp";
            range 123.456.36.136 123.456.36.140;
            deny unknown clients;
            deny members of "QUARANTINE";
            deny members of "LWAPP";
            deny members of "RAS";
            deny members of "NOACCESS";
            deny dynamic bootp clients;
        }
        pool {
            failover peer "dhcp";
            range 123.456.36.80 123.456.36.81;
            allow members of "CLSR";
            deny dynamic bootp clients;
        }
        option routers 123.456.36.1;
        option subnet-mask 255.255.255.0;
        option broadcast-address 123.456.36.255;
        option domain-name-servers 123.456.1.49, 123.456.12.5;
        default-lease-time 7200;
        max-lease-time 14400;
    }
}
group { # you can even group the host entries to override the values above but beware that info requests will not
    option domain-name-servers 123.456.789.2,123.456.789.3;
    host STA001122334455 {
        hardware ethernet 00:11:22:33:44:55;
        fixed-address 123.456.185.19;
    }
    host DYN001122334455 {
        hardware ethernet 00:11:22:33:44:55;
    }
    host STA001122334456 {
        hardware ethernet 00:11:22:33:44:56;
        fixed-address 123.456.185.19;
    }
    host DYN001122334456 {
        hardware ethernet 00:11:22:33:44:56;
    }
}
Good luck!!
Randy
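Added example, not from Randy's or Ryan's posts: a small Python generator that turns a per-group MAC list plus a per-subnet table of which groups may draw from the tech pool into the class/subclass and pool blocks shown in the reply above, which is one way to produce the per-subnet $INCLUDE files Ryan had in mind for a few hundred subnets. The group names, MAC addresses and 192.0.2.0/24-style networks are constructed sample input; the site-specific `failover peer` line is left out of the generated pools. The generator normalises the common MAC notations into the `1:aa:bb:cc:dd:ee:ff` key a subclass needs (dhcpd's `hardware` expression is the hardware-type byte, 1 for ethernet, followed by the address, and a client sending a type-1 client identifier presents the same bytes, so `pick-first-value` matches either way), keeps the pool range inside the declared subnet, and flags a pool that allows a class with no members, which would otherwise never hand out a lease without any error from `dhcpd -t`. Since both the MAC and the client identifier are client-supplied, this organises who gets which pool; where the per-subnet restriction has to hold against a changed address, pair it with switch port security or 802.1X.

```python
"""Generate ISC dhcpd class/subclass and per-subnet pool blocks from a MAC allowlist."""
import ipaddress
import re

# Constructed sample input (not from the original post): tech groups and the
# subnets in which each group may draw a dynamic address from the tech pool.
GROUPS = {
    "TECH_NORTH": ["00:11:22:33:44:57", "00-11-22-33-44-58", "00:11:22:33:44:57"],
    "TECH_SOUTH": ["0011.2233.4459"],
    "UNUSED": [],  # defined but empty: a pool allowing it can never lease
}
SUBNETS = [
    # (network, router, (pool start, pool end), groups allowed in that pool)
    ("192.0.2.0/24", "192.0.2.1", ("192.0.2.240", "192.0.2.247"), ["TECH_NORTH"]),
    ("198.51.100.0/24", "198.51.100.1", ("198.51.100.240", "198.51.100.247"),
     ["TECH_NORTH", "TECH_SOUTH"]),
    ("203.0.113.0/24", "203.0.113.1", ("203.0.113.240", "203.0.113.247"),
     ["UNUSED", "NOSUCH"]),  # exercises the lint: empty class and undefined class
]


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def hardware_literal(mac: str) -> str:
    """Subclass key for `match pick-first-value (option dhcp-client-identifier, hardware)`:
    the `hardware` expression is htype (1 = ethernet) followed by the address."""
    return "1:" + normalize_mac(mac)


def render_classes(groups: dict) -> str:
    """One class per group plus a deduplicated, sorted subclass line per MAC."""
    out = []
    for name, macs in groups.items():
        out.append(f'class "{name}" {{')
        out.append("    match pick-first-value (option dhcp-client-identifier, hardware);")
        out.append("}")
        for literal in sorted({hardware_literal(m) for m in macs}):
            out.append(f'subclass "{name}" {literal};')
        out.append("")
    return "\n".join(out)


def render_subnet(network: str, router: str, pool_range: tuple, allowed: list) -> str:
    """A subnet whose only dynamic pool is restricted to the listed classes."""
    net = ipaddress.ip_network(network)
    lo, hi = (ipaddress.ip_address(a) for a in pool_range)
    if lo not in net or hi not in net or lo > hi:
        raise ValueError(f"pool {pool_range} is not a valid range inside {network}")
    out = [f"subnet {net.network_address} netmask {net.netmask} {{", "    pool {"]
    out.append(f"        range {lo} {hi};")
    for group in allowed:
        out.append(f'        allow members of "{group}";')
    out.append("        deny dynamic bootp clients;")
    out.append("    }")
    out.append(f"    option routers {router};")
    out.append(f"    option subnet-mask {net.netmask};")  # derived from the declaration, so it cannot drift
    out.append(f"    option broadcast-address {net.broadcast_address};")
    out.append("}")
    return "\n".join(out)


def lint(groups: dict, subnets: list) -> list:
    """Warnings dhcpd -t will not give: pools that allow an undefined or empty class."""
    warnings = []
    for network, _, _, allowed in subnets:
        for group in allowed:
            if group not in groups:
                warnings.append(f"{network}: class {group!r} is allowed but never defined")
            elif not groups[group]:
                warnings.append(f"{network}: class {group!r} has no subclasses, pool can never lease")
    return warnings


def render_config(groups: dict, subnets: list) -> str:
    """Full fragment: lint findings as leading comments, then classes, then subnets."""
    parts = [f"# WARNING: {w}" for w in lint(groups, subnets)]
    parts.append(render_classes(groups))
    parts.extend(render_subnet(*s) for s in subnets)
    return "\n".join(parts)


if __name__ == "__main__":
    print(render_config(GROUPS, SUBNETS))
```

Run it and redirect the output into a file that the main dhcpd.conf pulls in with `include`, then `dhcpd -t -cf` the result; the `# WARNING:` lines at the top are the checks dhcpd itself will not make for you.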
-----Original Message-----
From: dhcp-users-bounces at lists.isc.org [mailto:dhcp-users-bounces at lists.isc.org] On Behalf Of Ryan Harden
Sent: Friday, July 31, 2009 4:21 PM
To: dhcp-users at lists.isc.org
Subject: Permit/Deny MAC Addresses per subnet
Hello,
I have an interesting problem that I'd like suggestions on how to resolve.
I need to build a DHCP server that will serve a few hundred subnets.
There are specific security requirements for each of these subnets.
There are a handful of techs that have permission to work on each or
some of these subnets. I need each tech to be able to DHCP from a small
pool within each subnet. So I need some MAC addresses to be allowed on
certain subnets, but not others.
I had originally planned on creating separate files for each group of
allowed MAC addresses and $INCLUDE-ing these files within the subnets
for which the groups are allowed. Having done so, I'm reminded by the
'dhcpd -t' command that a "host" statement is allowed exactly once and
is global regardless of context within the dhcpd.conf file.
So I actually have two problems:
1) A MAC address can only show up once within dhcpd.conf.
2) All "host" entries are global, which leads me to believe that if a
client matches a "host" entry anywhere in the file, it will be able to
request an address for any "subnet" configured therein.
I run several ISC-DHCPD servers now but am unable to come up with a
solution to my problem given my current knowledge of dhcpd.conf.
Are my assumptions correct? Suggestions??
/Ryan
--
Ryan M. Harden, BS, KC9IHX Office: 217-265-5192
CITES - Network Engineering Cell: 630-363-0365
2130 Digital Computer Lab Fax: 217-244-7089
1304 W. Springfield email: hardenrm at illinois.edu
Urbana, IL 61801
University of Illinois - Urbana/Champaign
University of Illinois - ICCN
_______________________________________________
dhcp-users mailing list
dhcp-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/dhcp-users