[Kea-users] Limiting pools to a subset of MAC address

Christopher Causer ml-kea-users at chyc.co.uk
Wed Apr 21 12:36:53 UTC 2021


Hello Kea-users!

My employer has been using ISC DHCP via DHCP relay for many decades, and we are thinking about making the move to Kea. One feature currently used is the limiting of pools to a subset of MAC addresses. This is currently done with class/subclass statements in our dhcpd.conf, shown below (I've changed MAC addresses and class names from the actual text in our config but otherwise I think it's a reasonable representation of what we have).

```
class "department1" {match hardware; }
  subclass "department1" 01:NN:NN:NN:NN:00;
  subclass "department1" 01:NN:NN:NN:NN:01;
  .....

class "department2" {match hardware;}
  subclass "department2" 01:NN:NN:NN:NN:NN:02;
  subclass "department2" 01:NN:NN:NN:NN:NN:01;

subnet 10.0.0.0 netmask 255.255.255.0 {
  pool {
     ......
     allow members of "department1";
     range 10.0.0.1 10.0.0.100;
   }
}
```

I ran a subset of our config through keama[1] (a subset because it seemed to choke on our 30,000 reservations, 200 classes and 30,000 subclasses). It returned a separate class with test for each MAC:

```
"client-classes": [
      {
        "name": "department1"
      },
      {
        "name": "sub#department1#1",
        "test": "concat(substring(pkt4.htype,-1,all), pkt4.mac) == 0x01NNNNNNNNNN00"
      },
      {
        "name": "sub#department1#2",
        "test": "concat(substring(pkt4.htype,-1,all), pkt4.mac) == 0x01NNNNNNNNNN01"
      },
........
```

And in the subnet pools section:

```
"pools": [
  { "pool": "10.0.0.1 - 10.0.0.100", "client-class": "department1"}
 ]
```

I have a few questions:

1. I cannot see this subclassing syntax described in the Kea documentation, where "sub#department1#X" implicitly becomes a member of parent class "department1", but cannot see the subclasses explicitly linked within our generated configuration either. Which is it?

2. Is there a better way to limit a subnet to a particular subset of MAC addresses? Could I just have reservations without an IP address within a subnet4 subnet, and then have a requirement for member('KNOWN') within the pool?

3. If option 2 is possible, whenever I just have `{ "hw-address": "NN:NN:NN:NN:NN:NN" }` within the reservations, Kea refuses to start with "specified reservation for DUID: hwtype=1 NN:NN:NN:NN:NN:NN must include at least one resource,  i.e. hostname, IPv4 address, IPv6 address/prefix, options". I can get around it by adding spurious `"option-data"` within the reservation but that to me feels like a workaround rather than a solution. Am I missing something here?

Any help gratefully received, and thanks for Kea!


Christopher

Running kea-dhcp4-server 1.6.3-0ubuntu1


[1] https://cloudsmith.io/~isc/repos/keama/packages/detail/deb/isc-dhcp-keama/4.4.2/
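
An added example, not part of the original post and not keama's own code: a Python check that can be run over the `subclass` statements before migrating. It flags match values that are not 7 bytes (hardware type plus 6-byte MAC) or that appear under two classes, and emits entries in the same shape as the keama output quoted above. The sample config and its MAC values are constructed, and `convert` is a hypothetical helper name.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the post's dhcpd.conf style: htype 01 + 6-byte MAC.
SAMPLE = '''
class "department1" { match hardware; }
  subclass "department1" 01:02:00:00:00:00:01;
  subclass "department1" 01:02:00:00:00:00:02;
  subclass "department1" 01:02:00:00:00:03;
class "department2" { match hardware; }
  subclass "department2" 01:02:00:00:00:00:02;
'''

SUBCLASS = re.compile(
    r'subclass\s+"([^"]+)"\s+([0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2})*)\s*;')
# Test expression copied from the keama output shown in the post.
TEST = "concat(substring(pkt4.htype,-1,all), pkt4.mac) == 0x{}"


def convert(conf_text):
    """Return (client_classes, problems) for every subclass statement."""
    classes, problems = [], []
    seen = defaultdict(set)      # match value -> parent classes using it
    counters = defaultdict(int)  # parent class -> running subclass index
    for parent, value in SUBCLASS.findall(conf_text):
        octets = [o.zfill(2).upper() for o in value.split(":")]
        # "match hardware" compares htype + address: 7 bytes for Ethernet.
        if len(octets) != 7 or octets[0] != "01":
            problems.append(f"{parent}: {value} is not htype 01 + 6-byte MAC")
            continue
        hexval = "".join(octets)
        if counters[parent] == 0:
            classes.append({"name": parent})  # parent entry, as keama emits
        counters[parent] += 1
        for other in sorted(seen[hexval] - {parent}):
            problems.append(f"{value} is in both {other} and {parent}")
        seen[hexval].add(parent)
        classes.append({"name": f"sub#{parent}#{counters[parent]}",
                        "test": TEST.format(hexval)})
    return classes, problems


if __name__ == "__main__":
    client_classes, issues = convert(SAMPLE)
    print(json.dumps({"client-classes": client_classes}, indent=2))
    for issue in issues:
        print("WARN:", issue)
```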