Host declarations in different ranges within the same subnet

Marcio Merlone marcio.merlone at a1.ind.br
Wed Jun 13 16:44:21 UTC 2012


Em 13-06-2012 12:40, Simon Hobson escreveu:
> By doing it with classes, you don't need to bother with known/unknown. 
> Just use an 'allow members of "foo"' in each pool where you want 
> members of the class "foo" to be able to get an address and it'll do 
> it for you. Members of the class will be given access, anything that's 
> not a member will not.
>
> Whenever you use an allow (or deny), there is an implicit deny (or 
> allow). So once you've allowed members of a class, then everything 
> else is implicitly denied. Don't mix allow and deny - they don't work 
> as most people expect, and I can't remember how it works even though 
> it's been explained several times over the years!
>
> If you want a separate pool for all clients not in any of the classes, 
> then you do it like this:
>
> pool {
>   range ...
>   deny members of "foo";
>   deny members of "bar";
> }
> You need to list all the classes you've allowed elsewhere in the deny 
> list. Any not denied will be implicitly allowed.

Things are getting nicely clear now. In fact, I don't need two classes, 
I just need to protect one range for a few selected hosts (subclass). 
The remaining hosts should go to the other range. With everything in 
place, this should do:

class "classFirewallFullAccess" {
     match pick-first-value (option dhcp-client-identifier, hardware);
}
subclass "classFirewallFullAccess" 1:00:00:00:00:00:01;
subclass "classFirewallFullAccess" 1:00:00:00:00:00:02;

host closedFw3 {
     hardware ethernet 00:00:00:00:00:03;
}
host closedFw4 {
     hardware ethernet 00:00:00:00:00:04;
}

shared-network foo {

    subnet 10.0.0.0 netmask 255.255.255.0 {
        # GODS: Those have 'permit' on firewall
        pool {
            allow members of "classFirewallFullAccess";
            option routers 10.0.0.100;
            option blah;
            range 10.0.0.1 10.0.0.10;
        }
        # Mortals: should use the proxy
        pool {
            deny unknown-clients;
            option routers 10.0.0.200;
            option argh;
            range 10.0.0.11 10.0.0.20;
        }
    }

    # This goes for external sales people, customers, visitors, whatever
    subnet 10.1.1.0 netmask 255.255.255.0 {
        ....
        allow unknown-clients;
        ....
    }
}


I know, I know, this is not a safe/good way to restrict normal people on 
the firewall, someone can manually set up an IP address within the GODs 
range, but this is another issue. ;)

Thanks and best regards.

-- 
*Marcio Merlone*
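Added example, not part of the thread: a small Python model of how dhcpd picks a pool for a client, loaded with the 10.0.0.0/24 part of the configuration above, so the allow/deny semantics Simon describes can be checked against concrete clients. It assumes the dhcpd.conf(5) rules that a client is "known" only when it has a host declaration (subclass membership does not make it known), that an allow list implicitly denies non-matches and a deny list implicitly allows them, and that pools are tried in file order; the `Client`, `matches`, `permitted` and `select_pool` names are mine.

```python
from dataclasses import dataclass
from typing import Optional

ETHERNET = 1  # hardware type that dhcpd prefixes to a MAC ("1:" + MAC)

@dataclass
class Client:
    mac: str                           # hardware ethernet address
    client_id: Optional[str] = None    # option dhcp-client-identifier, if sent

    def key(self) -> str:
        # pick-first-value (option dhcp-client-identifier, hardware)
        return self.client_id or f"{ETHERNET}:{self.mac}"

# The 10.0.0.0/24 part of the posted configuration, as data (assumed model).
SUBCLASSES = {"classFirewallFullAccess": {"1:00:00:00:00:00:01",
                                          "1:00:00:00:00:00:02"}}
HOSTS = {"00:00:00:00:00:03": "closedFw3", "00:00:00:00:00:04": "closedFw4"}
POOLS = [  # (name, allow entries, deny entries), in file order
    ("GODS", [("members of", "classFirewallFullAccess")], []),
    ("Mortals", [], [("unknown-clients", None)]),
]

def matches(client: Client, entry) -> bool:
    kind, arg = entry
    if kind == "members of":
        return client.key() in SUBCLASSES.get(arg, set())
    if kind == "known-clients":      # "known" = has a host declaration
        return client.mac in HOSTS
    if kind == "unknown-clients":
        return client.mac not in HOSTS
    raise ValueError(f"unsupported permit entry: {kind}")

def permitted(client: Client, allow, deny) -> bool:
    # An allow list implicitly denies everything it does not list; a deny
    # list implicitly allows everything it does not list.
    if allow and not any(matches(client, e) for e in allow):
        return False
    if deny and any(matches(client, e) for e in deny):
        return False
    return True

def select_pool(client: Client) -> Optional[str]:
    """Name of the first pool that permits the client, or None (no lease)."""
    for name, allow, deny in POOLS:
        if permitted(client, allow, deny):
            return name
    return None
```

Running it shows that a subclass member is still an "unknown client", so a visitor plugged into this subnet, or a firewall host that sends a client identifier other than 01:MAC, matches neither pool and gets no lease at all. That is worth knowing before relying on the class for access control, since the failure is silent on the client side.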