static IPs, nested logic
Andrei Filimonov
af at baltmax.com
Wed Jun 21 12:40:40 UTC 2006
Hi,
Could anybody please help me find an efficient solution?
I have 2 questions.
1) How do I manage static IP addresses if the only way to identify the
client is by his option agent.remote-id number?
The easy way would be creating a separate class for each IP address, like:
class "aaa-bbb-ccc-ddd" {
    match if option agent.remote-id = 00:00:ff:aa:d2:19;
}
then simply place this class in a pool with one IP address:
pool {
    ...
    deny members of "aaa-bbb-ccc-ddd";
    range aaa.bbb.ccc.1 aaa.bbb.ccc.253;
}
pool {
    allow members of "aaa-bbb-ccc-ddd";
    range aaa.bbb.ccc.254 aaa.bbb.ccc.254;
}
...
But this is very inconvenient because the number of pools and static IP
addresses is starting to grow.
Soon there will be like 500 classes for static users, and 500 such
1-address subpools, which is very difficult to manage.
What could be the solution?
2) The only way to identify the subnet (subnet from which the
particular user should receive an IP address) is by the option
agent.circuit-id number.
So I create a class for each subnet, like:
class "subnet1" {
    match if option agent.circuit-id = 00:00:00:01;
}
and then I place that class in an adequate subnet, like:
subnet aaa.bbb.ccc.0 netmask 255.255.255.0 {
    option routers blah blah
    ..
    pool {
        allow members of "subnet1";
        ..
    }
}
It works OK.
But what if I want to add an additional pool to the subnet, for the
users with restricted rights, for example?
So I want the server to select the right subnet for the user and only
then filter them by other classes which are irrelevant to the subnet
the user chooses to be in.
pool {
    allow members of "subnet1";
    deny members of "restrictedusers";
    ..
}
pool {
    allow members of "subnet1";
    allow members of "restrictedusers";
    ...
}
Something like that won't work because allows/denies have OR logic, if I'm
not mistaken.
So how do I make nested criteria?
Something like:
..{
    allow members of "subnet1";
    pool {
        deny members of "group1";
        ...
    }
    pool {
        allow members of "group1";
        ...
    }
}
Thank you.
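
Added example (not part of the original post): a small Python model of the pool permit-list rule documented in dhcpd.conf(5), applied to the two pools from question 2. It models only allow/deny evaluation, not subnet selection; the class names come from the post, while the pool labels and the three sample clients are constructed for illustration.

```python
# Added illustration, not from the original post. Models the permit-list
# rule in dhcpd.conf(5): with an allow list, matching ANY entry is enough;
# matching ANY deny entry rejects the client.

def eligible(pool, client_classes):
    """Return True if a client with these class memberships may use the pool."""
    allow, deny = pool["allow"], pool["deny"]
    if allow and not (client_classes & allow):
        return False          # allow list present, no entry matched
    if client_classes & deny:
        return False          # at least one deny entry matched
    return True

def eligible_pools(pools, client_classes):
    """Names of all pools the client would be permitted to draw from."""
    return [name for name, pool in pools.items() if eligible(pool, client_classes)]

# The two pools from the post (pool names are constructed labels).
POOLS = {
    "normal-pool": {"allow": {"subnet1"}, "deny": {"restrictedusers"}},
    "restricted-pool": {"allow": {"subnet1", "restrictedusers"}, "deny": set()},
}

# Constructed sample clients: class memberships only.
CLIENTS = {
    "subnet1 user, unrestricted": {"subnet1"},
    "subnet1 user, restricted": {"subnet1", "restrictedusers"},
    "restricted user on another circuit": {"restrictedusers"},
}

def report():
    """Map each sample client to the pools that would accept it."""
    return {who: eligible_pools(POOLS, classes) for who, classes in CLIENTS.items()}

if __name__ == "__main__":
    for who, pools in report().items():
        print(f"{who:36} -> {pools}")
```

The unrestricted subnet1 client and the restricted client from another circuit both qualify for the second pool, because either allow entry on its own is sufficient.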