dhcpd.conf - one class per customer

Philippe Maechler plcmaechler at gmail.com
Tue Jun 19 14:31:39 UTC 2012


Hi Randall,

Thanks for your fast reply!

On 18 June 2012 16:30, Randall C Grimshaw <rgrimsha at syr.edu> wrote:
> At first glance there is also the possibility of using a group statement to enclose the host definition which is already being managed.
There is one group with the vendor-specific-options and all Modems
(host entries) belong to that group.

> you can allow or deny access to a pool based on that membership.
How is this possible? I haven't found anything like a named group
which I can refer to in the allow/deny statement.

> You may have already discovered that your environment is one of the exceptions where it is helpful to include both allow and deny statements in the pool access list.
I read so much about problems when mixing allow and deny within the
same pool, that I haven't looked into this topic. Where exactly can
this help me/reduce the complexity?

Philippe Maechler

> ________________________________________
> From: dhcp-users-bounces+rgrimsha=syr.edu at lists.isc.org [dhcp-users-bounces+rgrimsha=syr.edu at lists.isc.org] on behalf of Philippe Maechler [plcmaechler at gmail.com]
> Sent: Monday, June 18, 2012 10:18 AM
> To: dhcp-users at lists.isc.org
> Subject: dhcpd.conf - one class per customer
>
> Hi all,
>
> I'm trying to find a "healthy" way to configure a dhcp (dhcp-4.2.1) on
> a FreeBSD server for an access network and could use some help.
> I wrote to this address on Friday but haven't seen my posting in a
> mailbox or an archive. So if the first message appeared somewhere...
> sorry for double posting :)
>
>
> The modem in use asks for a temporary IP address and receives some
> vendor-specific options. It then reboots and asks for a mgmt IP
> address in a predefined VLAN.
> After that there will be requests for a voice and a public IP
> address. All requests arrive over a different relay agent.
>
>
> Each access port has its own class. If the port is active I add the
> MAC address to the subclass. Inside the temp. IP pool I add an allow
> statement for each port:
> class "000085_Port" {
>       match if ( substring ( option agent.circuit-id, 0, 14 ) = "hostname01 1/1" );
>       match hardware;
> }
> subclass "000085_Port"     1:00:11:22:33:44:56;
>
>
> Each modem gets a host entry inside a group and a voice class:
> group {
>       option vendor-encapsulated-options = "something";
>       host 000085_NT { hardware ethernet 0:11:22:33:44:56; }
> }
> class "000085_Voice" {
>       match if ( substring ( option agent.circuit-id, 0, 19 ) = "hostname01 1/1:0200" );
>       match hardware;
> }
> subclass "000085_Voice"     1:00:11:22:33:44:56;
>
> Inside the mgmt IP pool I have: deny unknown clients;
> and inside the voice IP pool we have:
> allow member of "000085_Voice";
>
>
> The public requests are handled like the temp requests but without a
> subclass match (I do not know that MAC address).
> class "000085_DHCP" { match if ( substring ( option agent.circuit-id, 0, 19 ) = "hostname01 1/1:0300" ); }
>
> So for one connection I have to create 3 classes, 2 subclasses and 1
> host entry. I think this is a bit complicated...
>
>
> Q: Can such a setup, with all the classes and match-if patterns, work
> for bigger installations, let's say 1'000 or 5'000, and what about 20'000?
> The lease time is 1h for the temp and public pool. The other pools
> have a longer lease time, ~4h - 6h.
> All pools contain 500-1000 IP addresses, and if one pool gets full I'll
> create another one.
>
> Q: The vendor options inside the group are global, right? So these
> options will be sent to the client regardless of the subnet the
> request comes in on, as long as the MAC address is correct?
>
> Q: Is there an easier way to do it?
> One idea is to use 2 classes per customer: one for temp, mgmt and
> voice, where we use the subclass, and one class for the CPE where we
> do not know the MAC address. But I don't know if this gives me the
> same control over the pool assignments.
>
> Q: All the match-ifs try to match a substring of agent.circuit-id or
> agent.remote-id. Can I substring once or twice, save the result and
> use that instead of another substring call?
> Something like:
> set access.hostname = substring(agent.circuit-id, 0, 10);
> set access.vlan = substring(agent.circuit-id, 11, 4);
>
> and later:
> match if (access.hostname = "hostname01");
>
>
> Q: At the beginning I had all the "allow members of" in a separate file
> and included it after the "range" statement. The error I got was
> something like "allow/deny expected". When I copied & pasted the content
> from the file, the server started up. Can I use include "filename.txt"
> everywhere?
>
>
> Thanks,
>
> Philippe
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
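An added example, not from the thread or from ISC dhcpd, that renders the per-connection class/subclass/host blocks the post describes and evaluates the `substring()` prefix tests exactly as the match-if expressions spell them. The `Customer`, `render` and `matching_classes` names are hypothetical; only the match-if string comparison is modelled, not the `match hardware` subclass lookup, and the `:0200`/`:0300` VLAN suffixes are taken from the post while the port-1/10 neighbour is constructed.

```python
# Added example (not from the thread or ISC dhcpd): render the per-customer
# dhcpd.conf fragments the post describes, and evaluate the substring()
# prefix tests the way the match-if expressions spell them out.
from dataclasses import dataclass

@dataclass
class Customer:
    cid: str    # customer id used in class names, e.g. "000085"
    host: str   # access switch hostname as it appears in agent.circuit-id
    port: str   # access port, e.g. "1/1"
    mac: str    # modem MAC as dhcpd writes it, e.g. "00:11:22:33:44:56"

    def prefixes(self) -> dict:
        """match-if prefix per class; VLAN suffixes 0200/0300 are from the post."""
        p = f"{self.host} {self.port}"
        return {f"{self.cid}_Port": p,
                f"{self.cid}_Voice": f"{p}:0200",
                f"{self.cid}_DHCP": f"{p}:0300"}

def render(c: Customer) -> str:
    """Emit the fragments for one connection (3 classes, 2 subclasses, 1 host)."""
    out = []
    for name, pfx in c.prefixes().items():
        out += [f'class "{name}" {{',
                f'    match if ( substring ( option agent.circuit-id, 0, {len(pfx)} ) = "{pfx}" );']
        if name.endswith("_DHCP"):            # public class: MAC unknown, no hardware match
            out += ['}']
        else:
            out += ['    match hardware;', '}', f'subclass "{name}" 1:{c.mac};']
    out += ['group {', '    option vendor-encapsulated-options = "something";',
            f'    host {c.cid}_NT {{ hardware ethernet {c.mac}; }}', '}']
    return "\n".join(out)

def substring(s: str, offset: int, length: int) -> str:
    """dhcpd substring(): bytes [offset, offset+length), shorter if s runs out."""
    return s[offset:offset + length]

def matching_classes(customers, circuit_id: str) -> list:
    """Class names whose match-if expression is true for this circuit-id
    (the 'match hardware' subclass check is deliberately not modelled)."""
    return sorted(name for c in customers for name, pfx in c.prefixes().items()
                  if substring(circuit_id, 0, len(pfx)) == pfx)

# Constructed sample: the post's customer plus a neighbour on port 1/10.
CUSTOMERS = [Customer("000085", "hostname01", "1/1", "00:11:22:33:44:56"),
             Customer("000086", "hostname01", "1/10", "00:11:22:33:44:57")]

if __name__ == "__main__":
    print(render(CUSTOMERS[0]))
    for cid in ("hostname01 1/1:0200", "hostname01 1/10:0300"):
        print(cid, "->", matching_classes(CUSTOMERS, cid))
```

Running it shows that the 14-byte `_Port` prefix for port 1/1 is also a prefix of port 1/10's circuit-id, so the simulation reports both customers' classes for that request; prefix lengths are worth checking like this before pool access is made to depend on them.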

