members allow/deny question
Simon Hobson
dhcp1 at thehobsons.co.uk
Wed Nov 29 21:41:32 UTC 2006
Duane Cox wrote:
>My question is, is the specific "deny" needed?
>What would happen if the "allow" pool was full, but another pool was
>available because there was no deny, assuming I deleted the "deny"
>statement?
>
>shared-network LMC1A-WEST-CH5 {
>    subnet 10.11.5.0 netmask 255.255.255.0 {
>    }
>
>    subnet 10.252.235.128 netmask 255.255.255.224 {
>    }
>
>    pool {
>        failover peer "dhcp";
>        deny known-clients;
>        deny dynamic bootp clients;
>        range 10.11.5.100 10.11.5.250;
>        option routers 10.11.5.254;
>        allow members of "IPTV";
>    }
>
>    pool {
>        failover peer "dhcp";
>        deny known-clients;
>        deny dynamic bootp clients;
>        range 10.252.235.130 10.252.235.158;
>        option routers 10.252.235.129;
>        deny members of "IPTV";
>    }
>}
Allow and Deny is a non-trivial area! Generally the suggestion is
that if you use an allow, then anything not allowed is denied, and
vice-versa. Not sure if that applies to allow/deny dynamic bootp
clients and known-clients - I think these are handled separately.
Leaving these two out for the moment, yes, you must deny your IPTV
clients from a pool if you do not want them to get an address from
it; this may be an explicit deny, or an implicit deny.
For example, if you had 2 different groups you could do:
pool {
    ...
    allow members of "a";
}
pool {
    ...
    allow members of "b";
}
pool {
    ...
    deny members of "a";
    deny members of "b";
}
In the first pool, b is implicitly denied. In the second pool, a is
implicitly denied. In the third pool, we must explicitly deny both a
and b.
If you leave out the deny statements in pool three, then members of a
can use pool1 or pool3, and members of b can use pool2 or pool3.
Simon
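An added illustration (not part of the original post) that models the pool permit rules described above: a client is refused by any "deny members of" it matches, and a pool that carries "allow members of" statements only admits clients matching one of them. The pool names and class names below are constructed to mirror Duane's two-pool shared network and Simon's three-pool example; this is a simplified model, not dhcpd's own code.

```python
"""Model of ISC dhcpd pool allow/deny evaluation for class membership.

Assumed (simplified) rule set, following the thread:
  * a client matching any "deny members of" class is refused;
  * if a pool has any "allow members of" statements, the client must
    match at least one of them, otherwise it is implicitly denied;
  * a pool with neither statement admits everyone.
Known-clients / dynamic bootp permits are deliberately not modelled.
"""
from dataclasses import dataclass, field


@dataclass
class Pool:
    name: str
    allow: set = field(default_factory=set)  # classes in "allow members of"
    deny: set = field(default_factory=set)   # classes in "deny members of"

    def permits(self, client_classes):
        """Return True if a client in the given classes may use this pool."""
        if self.deny & client_classes:          # explicit deny wins
            return False
        if self.allow and not (self.allow & client_classes):
            return False                        # implicit deny via allow
        return True


def eligible_pools(pools, client_classes):
    """Names of the pools a client in client_classes may draw from."""
    return [p.name for p in pools if p.permits(set(client_classes))]


# Constructed: Duane's configuration as posted, with the explicit deny.
WITH_DENY = [Pool("10.11.5.0/24", allow={"IPTV"}),
             Pool("10.252.235.128/27", deny={"IPTV"})]

# Constructed: the same network with the "deny members of IPTV" removed.
WITHOUT_DENY = [Pool("10.11.5.0/24", allow={"IPTV"}),
                Pool("10.252.235.128/27")]

# Constructed: Simon's three-pool example with groups "a" and "b".
THREE_POOLS = [Pool("pool1", allow={"a"}),
               Pool("pool2", allow={"b"}),
               Pool("pool3", deny={"a", "b"})]

if __name__ == "__main__":
    for label, pools in (("with deny", WITH_DENY), ("without deny", WITHOUT_DENY)):
        print(label, "IPTV ->", eligible_pools(pools, {"IPTV"}),
              "| other ->", eligible_pools(pools, set()))
```

With the deny removed, an IPTV client is eligible for both pools, which is exactly the fallback Duane asks about.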
More information about the dhcp-users mailing list