Permit/Deny MAC Addresses per subnet

Randall C Grimshaw rgrimsha at syr.edu
Fri Jul 31 20:56:05 UTC 2009


We do something like you suggest. We have a list of MAC addresses that can be offered an address from different pools dynamically, where normal systems can only 'use' one.

class "CLSR" {
  match pick-first-value (option dhcp-client-identifier, hardware);
}
subclass "CLSR" 1:00:11:22:23:44:55;
subclass "CLSR" 1:00:11:22:23:44:56;
....

class "QUARANTINE" {
  match pick-first-value (option dhcp-client-identifier, hardware);
}
subclass "QUARANTINE" 1:00:11:22:33:44:57;
subclass "QUARANTINE" 1:00:11:22:33:44:58;
....

Then wrap your different subnet definitions as shared networks and permit the classes above as memberships.

shared-network buildingname {
  subnet 172.20.36.0 netmask 255.255.255.0 {
    pool {
      failover peer "dhcp";
      range 172.20.36.5 172.20.36.5;
      range 172.20.36.9 172.20.36.9;
      allow unknown clients;
      deny members of "LWAPP";
      deny dynamic bootp clients;
    }
    option routers 172.20.36.1;
    option subnet-mask 255.255.255.252;
    option broadcast-address 172.20.36.255;
    option domain-name-servers 123.456.21.20;
    default-lease-time 600;
    max-lease-time 700;
  }
  subnet 172.21.36.0 netmask 255.255.255.0 {
    pool {
      failover peer "dhcp";
      range 172.21.36.136 172.21.36.140;
      allow members of "QUARANTINE";
      deny dynamic bootp clients;
    }
    option routers 172.21.36.1;
    option subnet-mask 255.255.255.252;
    option broadcast-address 172.21.36.255;
    option domain-name-servers 172.17.21.20;
    default-lease-time 600;
    max-lease-time 700;
  }
  subnet 123.456.36.0 netmask 255.255.255.0 {
    pool {
      failover peer "dhcp";
      range 123.456.36.136 123.456.36.140;
      deny unknown clients;
      deny members of "QUARANTINE";
      deny members of "LWAPP";
      deny members of "RAS";
      deny members of "NOACCESS";
      deny dynamic bootp clients;
    }
    pool {
      failover peer "dhcp";
      range 123.456.36.80 123.456.36.81;
      allow members of "CLSR";
      deny dynamic bootp clients;
    }
    option routers 123.456.36.1;
    option subnet-mask 255.255.255.0;
    option broadcast-address 123.456.36.255;
    option domain-name-servers 123.456.1.49, 123.456.12.5;
    default-lease-time 7200;
    max-lease-time 14400;
  }
}

group { # you can even group the host entries to override the values above but beware that info requests will not
option domain-name-servers 123.456.789.2,123.456.789.3;
host STA001122334455 {
   hardware ethernet 00:11:22:33:44:55;
   fixed-address 123.456.185.19;
}
host DYN001122334455 {
   hardware ethernet 00:11:22:33:44:55;
}
host STA001122334456 {
   hardware ethernet 00:11:22:33:44:56;
   fixed-address 123.456.185.19;
}
host DYN001122334456 {
   hardware ethernet 00:11:22:33:44:56;
}
}

Good luck!!

Randy
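Added example for this thread (not code from Randy's post or from ISC): a small Python generator that emits the class/subclass and pool stanzas of the kind shown above from a per-role MAC list, plus a permitted() check that applies the pool allow/deny rules as dhcpd.conf(5) documents them, so the intended per-subnet policy can be tested before running dhcpd -t. The role names, MACs and address ranges in it are constructed. Two points it makes explicit: the subclass key is the hardware-type byte (1 for Ethernet) in front of the MAC, and because the match expression uses pick-first-value the client-supplied dhcp-client-identifier is consulted before the hardware address, so class membership is asserted by the client. These classes restrict which pool a device draws an address from; they do not authenticate it.

```python
"""Emit dhcpd class/subclass and pool stanzas and check pool permit logic.

Added example for the dhcp-users thread, not code from the post or from ISC.
All MACs, class names and address ranges below are constructed sample values.
"""
import re
from ipaddress import IPv4Address

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form; reject anything that is not six octets."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def subclass_key(mac: str) -> str:
    """Subclass key for a class whose match expression falls back to 'hardware':
    the hardware-type byte (1 = Ethernet) followed by the six address octets,
    which is also how dhcpd renders a standard type-1 client identifier."""
    return "1:" + normalize_mac(mac)


def render_class(name: str, macs) -> str:
    """class "NAME" { match ... } followed by one subclass line per distinct MAC."""
    lines = [
        f'class "{name}" {{',
        "  match pick-first-value (option dhcp-client-identifier, hardware);",
        "}",
    ]
    # de-duplicate so each MAC yields exactly one subclass line
    keys = sorted({subclass_key(m) for m in macs})
    lines += [f'subclass "{name}" {k};' for k in keys]
    return "\n".join(lines)


def render_pool(first: str, last: str, allow=(), deny=()) -> str:
    """pool { range ...; allow ...; deny ...; } with the addresses validated first."""
    IPv4Address(first), IPv4Address(last)  # raises on a mistyped address
    body = [f"  range {first} {last};"]
    body += [f"  allow {a};" for a in allow]
    body += [f"  deny {d};" for d in deny]
    return "pool {\n" + "\n".join(body) + "\n}"


def permitted(allow, deny, client) -> bool:
    """Pool permit logic as dhcpd.conf(5) describes it: any matching deny
    rejects; when allow statements exist the client must match one of them;
    a pool carrying only deny statements admits every other client."""
    def matches(rule: str) -> bool:
        if rule == "unknown clients":
            return not client["known"]
        if rule == "known clients":
            return client["known"]
        if rule == "dynamic bootp clients":
            return client["bootp"]
        m = re.fullmatch(r'members of "([^"]+)"', rule)
        if m:
            return m.group(1) in client["classes"]
        raise ValueError(f"unsupported permit rule: {rule!r}")

    if any(matches(d) for d in deny):
        return False
    if allow:
        return any(matches(a) for a in allow)
    return True


# constructed sample data: role -> MACs of the techs holding that role
ROLE_MACS = {
    "CLSR": ["00:11:22:23:44:55", "00-11-22-23-44-56"],
    "QUARANTINE": ["00:11:22:33:44:57"],
}


def client_view(mac: str, known: bool = False, bootp: bool = False) -> dict:
    """What the permit check sees for one client: the classes whose subclass
    lists contain its key, and whether a host statement makes it 'known'."""
    key = subclass_key(mac)
    classes = {role for role, macs in ROLE_MACS.items()
               if key in {subclass_key(m) for m in macs}}
    return {"classes": classes, "known": known, "bootp": bootp}


if __name__ == "__main__":
    for role, macs in ROLE_MACS.items():
        print(render_class(role, macs), end="\n\n")
    print(render_pool("172.20.36.80", "172.20.36.81",
                      allow=['members of "CLSR"'], deny=["dynamic bootp clients"]))
```

Running it prints the two class blocks and a tech-only pool; feeding permitted() the same allow/deny lists used in a subnet's pools shows which clients each pool would serve, which is the check worth doing before a configuration with a few hundred subnets goes live.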


-----Original Message-----
From: dhcp-users-bounces at lists.isc.org [mailto:dhcp-users-bounces at lists.isc.org] On Behalf Of Ryan Harden
Sent: Friday, July 31, 2009 4:21 PM
To: dhcp-users at lists.isc.org
Subject: Permit/Deny MAC Addresses per subnet

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I have an interesting problem that I'd like suggestions on how to resolve.

I need to build a DHCP server that will serve a few hundred subnets.
There are specific security requirements for each of these subnets.
There are a handful of techs that have permission to work on each or
some of these subnets. I need each tech to be able to DHCP from a small
pool within each subnet. So I need some MAC addresses to be allowed on
certain subnets, but not others.

I had originally planned on creating separate files for each group of
allowed MAC addresses and $INCLUDE-ing these files within the subnets
for which the groups are allowed. Having done so, I'm reminded by the
'dhcpd -t' command that a "host" statement is allowed exactly once and
is global regardless of context within the dhcpd.conf file.

So I actually have two problems:
1) A MAC address can only show up once within dhcpd.conf.
2) All "host" entries are global, which leads me to believe that if a
client matches a "host" entry anywhere in the file, it will be able to
request an address for any "subnet" configured therein.

I run several ISC-DHCPD servers now but am unable to come up with a
solution to my problem given my current knowledge of dhcpd.conf.

Are my assumptions correct? Suggestions??

/Ryan
- --
Ryan M. Harden, BS, KC9IHX		Office: 217-265-5192
CITES - Network Engineering		Cell:  	630-363-0365
2130 Digital Computer Lab		Fax:    217-244-7089
1304 W. Springfield	 		email:  hardenrm at illinois.edu
Urbana, IL  61801 			

	 University of Illinois - Urbana/Champaign
               University of Illinois - ICCN
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD4DBQFKc1JCtuPckBBbXboRAv0FAJ4+l062yjor2U9V3q/XsIB8cext7QCXc6my
px68zz7yeyNyOsYGKv6a/w==
=MC/s
-----END PGP SIGNATURE-----
_______________________________________________
dhcp-users mailing list
dhcp-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/dhcp-users