How to restrict Windows XP DHCP clients to a specific subnet?

Simon Hobson dhcp1 at thehobsons.co.uk
Fri Jan 31 13:33:02 UTC 2014


Ole Holm Nielsen <Ole.H.Nielsen at fysik.dtu.dk> wrote:

> 1. Define a subnet which *only* permits a certain list of host declarations (i.e., my XP PCs) to get a lease.
> 
> 2. In all other subnets, the XP PCs *must not* get a lease.
> 
> Whatever I've tried, it seems that XP hosts receive leases on every subnet, which they shouldn't.
> 
> Question 1: How do I prevent a group of hosts (the list of XP PCs) from getting a lease on every subnet?
> 
> I've been reading the DHCP Handbook (2nd ed.) without getting any closer to my goal.  Neither groups nor classes appear to solve the problem (I'm not that experienced with DHCP).

You define a class that matches the group of machines - in this case XP clients.

Use "allow members of ..." and "deny members of ..." to control which subnets the machines are allowed to get leases in. I suspect your problem (guessing since "it didn't work" isn't very descriptive of what you've tried) is that you have not denied the class from other subnets. Specifically, just because you have a subnet (or more correctly, a pool in a subnet) that has 'allow members of "foo"', that does not prevent members of "foo" getting leases in other subnets.

You can do the deny in two ways:

subnet a.b.c.d ... {
  pool {
    allow members of "foo";
    range ...;
  }
}

subnet e.f.g.h ... {
  pool {
    deny members of "foo";
    range ...;
  }
}

Or alternatively, if there are other classes, you could do:
subnet e.f.g.h ... {
  pool {
    allow members of "bar";
    range ...;
  }
}


Where you use an allow clause, anything not specifically allowed is denied, so you can do:
  pool {
    allow members of "tom";
    allow members of "dick";
    allow members of "harry";
    range ...;
  }
which will allow members of those classes but nothing else.

Do not be tempted to mix allow and deny - it doesn't work as most people would expect. It's been explained just how it does work a few times, but I can't remember. The simplest advice is "just don't", as it's not likely to give the result you expect.

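The layout described above, written out as one complete dhcpd.conf fragment. This is an added example, not configuration from the original thread: the class and subnet names, the (documentation-range) addresses and the MAC addresses are made up, and the XP PCs are identified by listing their MACs as subclasses rather than by any Windows-specific option.

```conf
# Added example, not from the original post. Names, addresses and MACs are
# assumed; replace them with your own.

# One class for the XP PCs. "match hardware" lets each PC be listed as a
# subclass by MAC address, so the "list of hosts" lives in one place
# instead of in a host {} block per machine.
class "xp-clients" {
  match hardware;
}
# Subclass values are <hardware-type>:<MAC>; hardware type 1 is Ethernet.
subclass "xp-clients" 1:00:11:22:33:44:55;
subclass "xp-clients" 1:00:11:22:33:44:56;

# A second class, used below to show an allow-only pool.
class "lab-hosts" {
  match hardware;
}
subclass "lab-hosts" 1:00:11:22:33:44:57;

# The XP-only subnet. "allow" inside a pool means anything NOT listed is
# refused here, so only XP PCs get a lease from this range. Note that
# allow/deny members of is only valid inside a pool {} block.
subnet 192.0.2.0 netmask 255.255.255.0 {
  option routers 192.0.2.1;
  pool {
    allow members of "xp-clients";
    range 192.0.2.100 192.0.2.199;
  }
}

# Any other subnet: the allow above does NOT keep XP PCs out of here.
# Each pool they must not use needs its own explicit deny.
subnet 198.51.100.0 netmask 255.255.255.0 {
  option routers 198.51.100.1;
  pool {
    deny members of "xp-clients";
    range 198.51.100.100 198.51.100.199;
  }
}

# The alternative for a subnet that already has a known population:
# list the permitted classes and let everything else (XP included) fall
# through. Do not add a "deny" line to this pool as well.
subnet 203.0.113.0 netmask 255.255.255.0 {
  option routers 203.0.113.1;
  pool {
    allow members of "lab-hosts";
    range 203.0.113.100 203.0.113.199;
  }
}
```

Check the file with `dhcpd -t -cf /etc/dhcp/dhcpd.conf` before restarting the server. A client that is denied from (or not allowed in) every pool on its subnet simply gets no offer, and dhcpd logs that it has no free leases for it, which is the expected result for an XP PC plugged into the wrong segment. Since membership here is keyed on the MAC address, this is an addressing policy, not an access control: a host that spoofs a listed MAC joins the class.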



More information about the dhcp-users mailing list