How to deny classless clients instead of unknown-clients.

Simon Hobson dhcp1 at thehobsons.co.uk
Tue Feb 18 18:19:59 UTC 2020


Marcio Merlone <marcio.merlone at a1.ind.br> wrote:

> I am running isc-dhcp-server 4.3.5-3ubuntu7.1 and want to deny classless clients. I have tried "deny unknown-clients", but if I do not have a host declaration then the host is unknown even if it has a subclass declaration.
> 
> To illustrate:
> 
> class "clsFoo" {
>     match pick-first-value (option dhcp-client-identifier, hardware);
> }
> subnet 192.168.0.0 netmask 255.255.255.0 {
>     pool {
>         deny unknown-clients;
>         allow members of "clsFoo";
>         range 192.168.0.30 192.168.0.200;
>     }
> }
> 
> subclass "clsFoo" 1:xx:xx:xx:12:34:56;
> 
> In such a config, clsFoo above gets denied. Is there a way to have a non-declared subclass considered an unknown host? Any workaround or other way to do it besides duplicating all subclasses as host declarations?

So to be clear, you want members of clsFoo to get a lease, and other clients to be denied?

The first thing to say is DO NOT MIX ALLOW AND DENY in one pool. It can be done, but the way it is processed is non-intuitive (and TBH I can't remember how it works) so is best avoided. Where there is an allow statement, anything not allowed by allow statement(s) in the pool will be denied - and similarly with deny statements and anything not denied is allowed.

So:
pool {
   allow members of "clsFoo";
   range 192.168.0.30 192.168.0.200;
}
should be sufficient. Members of clsFoo will be allowed, anything else will be denied.

It gets trickier when you have more than one class and want to have a pool for "anything else". In that case you would need:

pool {
  deny members of "a";
  deny members of "b";
  ...
  range ...
}

Simon
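The two layouts Simon describes (an allow-only pool per class, and a deny-only "anything else" pool) put together as a complete dhcpd.conf fragment. This is an added example, not configuration from the original thread; the class names, subnet, address ranges and MAC values are constructed placeholders.

```conf
# Added example dhcpd.conf fragment (not from the original thread).
# Class names, subnet, ranges and MAC values are constructed placeholders.

default-lease-time 600;
max-lease-time 7200;
authoritative;

# Both classes use the poster's match expression. The subclass value must
# have the same form as whatever that expression evaluates to: if the client
# sends a dhcp-client-identifier, that identifier is the key; otherwise
# "hardware" yields the hardware type octet (1 = Ethernet) followed by
# the MAC address, which is why the values below start with "1:".
class "clsFoo" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}
class "clsBar" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}

# Membership lists: one subclass line per device, no host declarations needed.
subclass "clsFoo" 1:00:11:22:33:44:55;   # constructed MAC
subclass "clsFoo" 1:00:11:22:33:44:66;   # constructed MAC
subclass "clsBar" 1:00:aa:bb:cc:dd:ee;   # constructed MAC

subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    option subnet-mask 255.255.255.0;

    # Single-class case: an allow-only pool. Anything that is not a member
    # of clsFoo is refused by this pool, so no "deny unknown-clients" and
    # no mixing of allow and deny is needed.
    pool {
        allow members of "clsFoo";
        range 192.168.0.30 192.168.0.99;
    }

    # A second class gets its own allow-only pool.
    pool {
        allow members of "clsBar";
        range 192.168.0.100 192.168.0.149;
    }

    # "Anything else" pool: deny-only, listing every class that already has
    # a pool above. Clients in none of those classes land here; remove this
    # pool entirely if unknown devices should get no lease at all.
    pool {
        deny members of "clsFoo";
        deny members of "clsBar";
        range 192.168.0.150 192.168.0.200;
    }
}
```

Running `dhcpd -t -cf /path/to/dhcpd.conf` checks the syntax without starting the server. Because the match expression prefers the client identifier, a device that sends one will not be matched by a subclass line written from its MAC; check the server log for which key a misbehaving client actually presents before adding its subclass entry.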
