members allow/deny question
Douglas Armstrong
doug at ovationdata.com
Wed Nov 29 21:04:58 UTC 2006
Duane Cox wrote:
> Here is a snip from my configuration.
>
> My question is, is the specific "deny" needed?
> What would happen if the "allow" pool was full, but another pool was
> available because there was no deny, assuming I deleted the "deny"
> statement?
>
> shared-network LMC1A-WEST-CH5 {
> subnet 10.11.5.0 netmask 255.255.255.0 {
> }
>
> subnet 10.252.235.128 netmask 255.255.255.224 {
> }
>
> pool {
> failover peer "dhcp";
> deny known-clients;
> deny dynamic bootp clients;
> range 10.11.5.100 10.11.5.250;
> option routers 10.11.5.254;
> allow members of "IPTV";
> }
>
> pool {
> failover peer "dhcp";
> deny known-clients;
> deny dynamic bootp clients;
> range 10.252.235.130 10.252.235.158;
> option routers 10.252.235.129;
> deny members of "IPTV";
> }
> }
>
> which aren’t.
Be very careful using allow and deny together, as the opposite is in
effect. If you deny known clients then there is no need to allow unknown
clients, as by default that is what you have done. Per the man page:
Each entry in a pool’s permit list is introduced with the allow or deny
keyword. If a pool has a permit list, then only those clients that match
specific entries on the permit list will be eligible to be assigned
addresses from the pool. If a pool has a deny list, then only those
clients that do not match any entries on the deny list will be eligible.
*If both permit and deny lists exist for a pool, then only clients that
match the permit list and do not match the deny list will be allowed
access.*
Doug Armstrong
www.ovationdata.com
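To make the quoted man-page rules concrete, here is an added example (written for this page, not code from the thread or from ISC) that models pool eligibility exactly as the three quoted sentences describe it and applies it to the two pools in Duane's snippet, once as posted and once with `deny members of "IPTV"` removed from the second pool. The `Client` and `Pool` types, the pool names and the sample clients are constructed for the illustration; the model covers only the permit-list eligibility check, not failover, lease ordering or how dhcpd chooses between several eligible pools.

```python
# Added example: a small model of the allow/deny permit-list rules quoted
# from dhcpd.conf(5), applied to the two pools in the quoted configuration.
# Not ISC code; pool names and sample clients are constructed.
from dataclasses import dataclass, field

@dataclass
class Client:
    known: bool                      # has a host declaration ("known client")
    bootp: bool                      # dynamic BOOTP request
    classes: frozenset = frozenset() # class memberships, e.g. {"IPTV"}

@dataclass
class Pool:
    name: str
    allow: list = field(default_factory=list)  # permit list entries
    deny: list = field(default_factory=list)   # deny list entries

def matches(entry, client):
    """Evaluate one allow/deny entry (the subset used in the snippet)."""
    if entry == "known-clients":
        return client.known
    if entry == "unknown-clients":
        return not client.known
    if entry == "dynamic bootp clients":
        return client.bootp
    if entry.startswith("members of "):
        return entry[len("members of "):].strip('"') in client.classes
    raise ValueError(f"unsupported permit entry: {entry!r}")

def eligible(pool, client):
    """Man-page rule: with a permit list the client must match some allow
    entry; with a deny list it must match no deny entry; if both lists exist
    both conditions apply."""
    if pool.allow and not any(matches(e, client) for e in pool.allow):
        return False
    if pool.deny and any(matches(e, client) for e in pool.deny):
        return False
    return True

def eligible_pools(pools, client):
    """Names of the pools this client may be assigned an address from."""
    return [p.name for p in pools if eligible(p, client)]

# The two pools from the quoted configuration (names are constructed).
COMMON_DENY = ["known-clients", "dynamic bootp clients"]
AS_POSTED = [
    Pool("iptv-pool", allow=['members of "IPTV"'], deny=COMMON_DENY),
    Pool("general-pool", deny=COMMON_DENY + ['members of "IPTV"']),
]
# The variant Duane asks about: the second pool's IPTV deny removed.
WITHOUT_DENY = [
    Pool("iptv-pool", allow=['members of "IPTV"'], deny=COMMON_DENY),
    Pool("general-pool", deny=COMMON_DENY),
]

# Constructed sample clients.
IPTV_BOX = Client(known=False, bootp=False, classes=frozenset({"IPTV"}))
OTHER_HOST = Client(known=False, bootp=False)
KNOWN_HOST = Client(known=True, bootp=False, classes=frozenset({"IPTV"}))

if __name__ == "__main__":
    for label, pools in (("as posted", AS_POSTED), ("without deny", WITHOUT_DENY)):
        for cname, c in (("IPTV box", IPTV_BOX), ("other host", OTHER_HOST),
                         ("known host", KNOWN_HOST)):
            print(f"{label:13} {cname:11} -> {eligible_pools(pools, c)}")
```

Run as a script it prints, for each configuration, which pools each sample client is eligible for: with the configuration as posted an IPTV class member is eligible only for the first pool, while with the deny removed it becomes eligible for both, which is the situation the question describes once the allow pool is full. A known client (one with a host declaration) is eligible for neither pool in either configuration, because both pools deny known clients.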