How to restrict Windows XP DHCP clients to a specific subnet?
Sten Carlsen
stenc at s-carlsen.dk
Fri Feb 14 20:10:49 UTC 2014
On 14/02/14 20.51, Doug Barton wrote:
> On 02/14/2014 07:25 AM, Simon Hobson wrote:
>> Sten Carlsen <stenc at s-carlsen.dk> wrote:
>>
>>> They are, to my knowledge and experience, independent.
>>>
>>> I.e. you make the allow/deny setup for each, both as described.
>>
>> I think the question was more ...
>> If the class allow/deny statements mean that a client should be
>> denied and the host (known host) allow/deny statements mean that it
>> should be allowed (or vice versa), which one takes effect ? One says
>> allow, the other says deny, one has to lose.
>
> I think y'all are making this too complicated. :) In the case of
> wanting to allow only a certain thing (whether class or known hosts)
> it's simple. Anything not allowed is denied. There is no reason to mix
> allow and deny statements there.
>
> If you want to deny some things, but allow everything else, put the
> deny statements in. Everything else will be allowed.
Well, do remember that hosts and classes are independent and both must
be considered.
So the question was really:
Given:
host H1 {hardware 1:xxxxx}
class C1 { match hardware; }
subclass C1{ hardware 1:xxxxx;}
range { 1.2.3.4 1.2.3.8
allow C1;
Deny known-hosts;
}
Forget the syntax mistakes, but a host that matches both H1 and C1 will
be allowed/denied?
With different more complicated matching criteria for the class, this
could easily happen by mistake - so what will the result be?
>
> Or put more simply, if you are mixing allow and deny statements in the
> same stanza you are almost certainly doing it wrong.
>
> hope this helps,
>
> Doug
>
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/dhcp-users/attachments/20140214/c8083cfe/attachment.html>
More information about the dhcp-users
mailing list