Wrong gateway when using class in a subnet

Simon Hobson dhcp1 at thehobsons.co.uk
Fri Jun 1 12:58:33 UTC 2012


Nuno Marques wrote:

>subnet 10.99.112.0 netmask 255.255.255.0{
>                 option routers 10.99.112.1;
>
>         class "Cisco-AP-c1140" {
>         match if option vendor-class-identifier = "Cisco AP c1140";
>         option vendor-class-identifier "Cisco AP c1140";
>         vendor-option-space Cisco_LWAPP_AP;
>         option Cisco_LWAPP_AP.server-address 10.99.4.221; }
>
>....
>}
>
>subnet 10.99.113.0 netmask 255.255.255.0{
>                 option routers 10.99.113.1;
>
>         class "Cisco-AP-c1140" {
>         match if option vendor-class-identifier = "Cisco AP c1140";
>         option vendor-class-identifier "Cisco AP c1140";
>         vendor-option-space Cisco_LWAPP_AP;
>         option Cisco_LWAPP_AP.server-address 10.99.4.221; }
>
>....
>}
>
>The problem is, an AP on the second subnet will receive the gateway 
>from the first (10.99.112.1).
>My guess is DHCP is giving the first 'option router' that matches the class.

You've hit (I think) a known inheritance "gotcha" - it also applies 
to host declarations which is why standard advice is to put host 
statements in the global scope.

Even though you have declared it within a subnet, the class statement 
is global - hence anything that matches it may match it whatever 
subnet they are in. If the client is in a different subnet, then they 
will be given (by rules of inheritance) options from the subnet where 
the class is defined.

I don't think we've come across a situation where this inheritance is 
desired! It's simple to avoid, just don't put your class (or host) 
declarations within a subnet.

>If I put the class declaration on the top of the configuration and 
>remove it from every subnet it works as expected, but I got several 
>subnets that shouldn't have this configuration, so I want to keep it 
>out of the general configuration.

The class declaration is global anyway, so putting it inside a subnet 
doesn't limit its scope.

As Jason Gerfen says, you need to use allow/deny statements in the 
subnets to control access.

-- 
Simon Hobson
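
Added example, not part of the original post or of ISC dhcpd: a small check that flags class/host declarations nested inside subnet blocks, run against the layout quoted above and against the layout the reply recommends (class at global scope, allow/deny in pools). The function name, the simplified tokenizer, subnet 10.99.120.0 and all address ranges are assumptions made for illustration.

```python
import re

# Comments match the first alternative and come back as '' (dropped by filter below).
TOKEN = re.compile(r'#.*|("[^"]*"|[{};]|[^\s{};"#]+)')

def nested_global_decls(conf_text):
    """Return (line, kind, name, subnet) for each class/host opened inside a subnet block."""
    findings, stack, stmt, start = [], [], [], 0
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        for tok in filter(None, TOKEN.findall(line)):
            if tok == "{":  # stmt now holds the block header, e.g. ['class', '"x"']
                subnets = [h for h in stack if h[:1] == ["subnet"]]
                if stmt[:1] in (["class"], ["host"]) and subnets:
                    name = " ".join(stmt[1:2]).strip('"')
                    findings.append((start, stmt[0], name, " ".join(subnets[-1][1:2])))
                stack.append(stmt)
                stmt = []
            elif tok in ("}", ";"):
                if tok == "}" and stack:
                    stack.pop()
                stmt = []
            else:
                start = start if stmt else line_no  # remember where the statement began
                stmt.append(tok)
    return findings

# Constructed sample: the layout from the quoted config, class bodies abbreviated.
BROKEN = """
subnet 10.99.112.0 netmask 255.255.255.0 {
    option routers 10.99.112.1;
    class "Cisco-AP-c1140" { match if option vendor-class-identifier = "Cisco AP c1140"; }
}
subnet 10.99.113.0 netmask 255.255.255.0 {
    option routers 10.99.113.1;
    class "Cisco-AP-c1140" { match if option vendor-class-identifier = "Cisco AP c1140"; }
}
"""
# Constructed sample of the advised layout; 10.99.120.0 and all ranges are made up.
FIXED = """
class "Cisco-AP-c1140" { match if option vendor-class-identifier = "Cisco AP c1140"; }
subnet 10.99.112.0 netmask 255.255.255.0 {
    option routers 10.99.112.1;
    pool { allow members of "Cisco-AP-c1140"; range 10.99.112.50 10.99.112.99; }
}
subnet 10.99.120.0 netmask 255.255.255.0 {
    option routers 10.99.120.1;
    pool { deny members of "Cisco-AP-c1140"; range 10.99.120.50 10.99.120.99; }
}
"""
```

Each finding names the subnet whose options a matching client would inherit regardless of where it actually sits; the advised layout yields no findings.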
