How to restrict Windows XP DHCP clients to a specific subnet?

[Chris Buxton]

On Feb 14, 2014, at 4:01 AM, Glenn Satchell <glenn.satchell at uniq.com.au> wrote:
> On Fri, February 14, 2014 7:52 pm, Ole Holm Nielsen wrote:
>> Chris, can you augment the logic which you explained so nicely including
>> the simultaneous usage of host statements as well as classes?
>> 
>> It seems to me what we need this as well: Most clients are defined in
>> host statements, but the odd cases (such as soon-to-be-obsoleted Windows
>> XP clients) must be treated using classes.
> 
> known hosts is a list that matches all hosts defined in host statements,
> doesn't matter if they have a fixed-address or not.

That’s not the entire story. I’m not sure of the particulars, but my company’s developers have figured out an OMAPI command that makes a MAC address get treated as a known host, without adding a host statement.

Don’t think of allow and deny for hosts and classes as two separate things. If the client is denied by “deny known-hosts”, then it is denied. Period. No amount of allowing members of some other class is going to override that.

In one case where we do require use of both allow and deny together, a client is a known host but is also classed into a blacklist class. (The blacklist class matches on hardware address, and the client’s hardware address is a subclass of that.) We end up allowing known-hosts but also denying the blacklist class in order to achieve the effect we want, because members of that blacklist class can be known hosts. The deny statement on the class overrides the allow statement covering known hosts, for clients that have been blacklisted.

Regards,
Chris Buxton