How to restrict Windows XP DHCP clients to a specific subnet?

Sten Carlsen stenc at s-carlsen.dk
Sat Feb 15 01:21:51 UTC 2014 

On 14/02/14 23.50, Chris Buxton wrote:
> On Feb 14, 2014, at 4:01 AM, Glenn Satchell <glenn.satchell at uniq.com.au> wrote:
>> On Fri, February 14, 2014 7:52 pm, Ole Holm Nielsen wrote:
>>> Chris, can you augment the logic which you explained so nicely including
>>> the simultaneous usage of host statements as well as classes?
>>>
>>> It seems to me what we need this as well: Most clients are defined in
>>> host statements, but the odd cases (such as soon-to-be-obsoleted Windows
>>> XP clients) must be treated using classes.
>> known hosts is a list that matches all hosts defined in host statements,
>> doesn't matter if they have a fixed-address or not.
> That’s not the entire story. I’m not sure of the particulars, but my company’s developers have figured out an OMAPI command that makes a MAC address get treated as a known host, without adding a host statement.
>
> Don’t think of allow and deny for hosts and classes as two separate things. If the client is denied by “deny known-hosts”, then it is denied. Period. No amount of allowing members of some other class is going to override that.
I did check what I did when I set my present system up, it still does
not make sense to me if your explanations are correct. ( I don't say
they are wrong, but I don't see the connection)

I have 2 classes with match hardware and a number of subclass statements
to go with them. I also have a number of host statements with hardware
addresses and a fixed address.

I have 3 ranges, one for each class and one for unknown hosts. So I
thought the following should be fine:

range-1  allow members of class-1
range-2  allow members of class-2
range-3  allow unknown-hosts

I expected that everything not allowed would be denied, so members of
class-1 were not allowed in range-3.

What I found was that my members of the classes would get IPs in
range-3. To make it work as expected, I had to use deny statements for
members of class-1, class-2 and known-hosts in range-3.

This contradicts the common understanding that allowing one thing means
everything else is denied?
>
> In one case where we do require use of both allow and deny together, a client is a known host but is also classed into a blacklist class. (The blacklist class matches on hardware address, and the client’s hardware address is a subclass of that.) We end up allowing known-hosts but also denying the blacklist class in order to achieve the effect we want, because members of that blacklist class can be known hosts. The deny statement on the class overrides the allow statement covering known hosts, for clients that have been blacklisted.
>
> Regards,
> Chris Buxton
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!" 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/dhcp-users/attachments/20140215/59d5dfaa/attachment.html>

More information about the dhcp-users mailing list