shared-network

Glenn Satchell glenn.satchell at uniq.com.au
Sun Nov 14 14:24:41 UTC 2010


On 15/11/10 01:20 AM, Glenn Satchell wrote:
> On 15/11/10 12:42 AM, Laszlo Fekete wrote:
>>
>>
>> On 11/12/2010 12:23 PM, Niall O'Reilly wrote:
>>> On 11 Nov 2010, at 18:07, Laszlo Fekete wrote:
>>>
>>>> Just another question: I have some clients without a fixed address, and
>>>> they get an IP dynamically from 192.168.5.0/24, so this is stored in
>>>> dhcpd.leases. But later I give them a fixed address from 160.1.2.0/26. Is it
>>>> possible, if the client doesn't send DHCPDISCOVER, just DHCPREQUEST with
>>>> the dynamic IP, that the DHCP server gives an IP from the static pool even
>>>> if there is a lease in the leases file, or deletes the lease whose MAC
>>>> address has a fixed address in dhcpd.conf at dhcpd reload/restart?
>>> You'll probably need complementary 'deny' statements in the
>>> corresponding pools. Here's what we do.
>>>
>>> shared-network some-name {
>>>
>>> subnet 137.43.162.0 netmask 255.255.255.0 {
>>> option subnet-mask 255.255.255.0;
>>> option routers 137.43.162.1;
>>> pool {
>>> range 137.43.162.129 137.43.162.190;
>>> deny unknown clients;
>>> max-lease-time 7200;
>>> }
>>> }
>>>
>>> subnet 10.137.162.0 netmask 255.255.255.0 {
>>> option subnet-mask 255.255.255.0;
>>> option routers 10.137.162.1;
>>> pool {
>>> range 10.137.162.65 10.137.162.94;
>>> deny known clients;
>>> max-lease-time 600;
>>> }
>>> }
>>> }
>> This isn't working. Dhcpd doesn't care about the fixed address if there is a
>> dynamic lease in the leases file.
>> Is there an option that first checks fixed addresses, or deletes a lease
>> which has a MAC address with a fixed address?
>>
>
> If the client requests an IP address that is on a valid subnet for the
> client, then dhcpd will renew it. I believe this is in the relevant RFC
> (rfc2131?) as part of the strategy of allowing a client to keep an IP
> address as long as possible.
>
> So if a given client currently has a valid dynamic address, and you want
> it to switch then you need to temporarily deny that IP, so that it will
> be forced to go back to DHCPDISCOVER. Then it will see the fixed-address
> settings. eg:
>
> If you're using IPv6 the length of the substring should be
> appropriately longer :)
>
> The match string consists of 3 bytes of IP address (c0:a8:5 = 192.168.5)
> followed by the hardware address, which is 1 followed by the mac
> address. Yes, it's evil.
>
> # must be authoritative to send DHCPNAK
> authoritative;
>
> class "blocked-ips" {
> match concat(substring(leased-address, 0, 3), hardware);
> deny booting;
> }

Oops, that should be subclass without a dash!

subclass "blocked-ips" c0:a8:5:1:aa:bb:cc:dd:ee:ff;
subclass "blocked-ips" c0:a8:5:1:01:02:03:04:05:06;
# repeat as required ...

-- 
regards,
-glenn
--
Glenn Satchell                            |  Miss 9: What do you
Uniq Advances Pty Ltd, Sydney Australia   |  do at work Dad?
mailto:glenn.satchell at uniq.com.au         |  Miss 6: He just
http://www.uniq.com.au tel:0409-458-580   |  types random stuff.
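
An added example, not part of the original message: one way to generate the subclass lines described above from a leases file, for every MAC that has a fixed-address host entry and also holds a lease in the dynamic range. The sample leases, the MAC list, the simplified lease parsing and all function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample data (not from the thread).
SAMPLE_LEASES = """\
lease 192.168.5.20 {
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:ff;
}
lease 192.168.5.21 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.0.0.5 {
  binding state active;
  hardware ethernet 01:02:03:04:05:06;
}
"""
# MACs that have a host declaration with fixed-address (assumed list).
FIXED_MACS = {"AA:BB:CC:DD:EE:FF", "01:02:03:04:05:06"}

# Simplified parse: each lease block is assumed to end with "}" on its own line.
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\n\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]+);")


def subclass_key(ip, mac):
    """First 3 octets of the leased address, then hardware type 1, then the MAC."""
    prefix = ipaddress.IPv4Address(ip).packed[:3]
    hw = bytes([1]) + bytes.fromhex(mac.replace(":", ""))
    return ":".join(f"{b:02x}" for b in prefix + hw)


def blocked_subclasses(leases_text, fixed_macs, dynamic_net):
    """Return subclass lines for fixed-address MACs seen leasing in dynamic_net."""
    net = ipaddress.ip_network(dynamic_net)
    fixed = {m.lower() for m in fixed_macs}
    keys = set()  # the leases file is an append log, so de-duplicate
    for ip, body in LEASE_RE.findall(leases_text):
        mac = MAC_RE.search(body)
        if mac is None or ipaddress.ip_address(ip) not in net:
            continue
        if mac.group(1).lower() in fixed:
            keys.add(subclass_key(ip, mac.group(1)))
    return [f'subclass "blocked-ips" {key};' for key in sorted(keys)]


if __name__ == "__main__":
    print("\n".join(blocked_subclasses(SAMPLE_LEASES, FIXED_MACS, "192.168.5.0/24")))
```

The generated keys are zero-padded (c0:a8:05:01:...), which is the same byte string as the c0:a8:5:1:... form used in the message.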