Help with class match understanding.

Tom Greaser tgreaser at hsc.wvu.edu
Fri Dec 14 18:55:18 UTC 2007


Thanks.. 
To recap .. since it's a class it's applied because
it's more specific than my group scope inside.  
Thus it takes the boot unknown true; options from that 
group scope voip and uses those options instead of what's in group inside ..

If I move the class match statement outside the group voip
and put it at the top where the global options are set.. will
it not use group voip options ?


And since I'm new to classes.. can I put multiple classes
per pool ??
ie.
subnet 10.1.2.0 netmask 255.255.255.0 {
        pool {
                option routers 10.1.2.1;
                range 10.1.2.4 10.1.2.254;
                allow members of "user-pcs";
                deny members of "voip-phones";
                allow members of "servers";
                deny members of "bad-people";
                allow members of "ME";
        } #ends pool
}


 
>>> Glenn Satchell <Glenn.Satchell at uniq.com.au> 12/14/07 7:31 AM >>> 

>Date: Thu, 13 Dec 2007 14:57:54 -0500
>From: "Tom Greaser" <tgreaser at hsc.wvu.edu>
>To: <dhcp-users at isc.org>
>Subject: Re: Help with class match understanding.
>
>>>> Simon Hobson <dhcp1 at thehobsons.co.uk> 12/13/07 2:09 PM >>> 
>> Again, can't really comment as we can't read the config file. However 
>> (and this came up earlier this week), class statements are global in 
>> scope.
>
>you caught me being lazy.. I should have done that in the first place since I
>knew I didn't have something right / don't understand classes as well as I
>thought I did.. I've even tried putting the boot unknown false in group 1..
>still shows phones getting IP.
>
>
>
>
>
>server-identifier server;
>option domain-name "domain";
>default-lease-time 43200; # 12 hours
>max-lease-time 43220; # 12 hours 2min
>boot-unknown-clients false;
>use-host-decl-names true;
>option ieee802-3-encapsulation false;
>option router-discovery false;
>ddns-update-style interim;
>ddns-updates on;
>ddns-ttl 600;
>log-facility local1;
>option option-150 code 150 = array of ip-address;
>option ip-forwarding false;
>ddns-domainname "domain";
># ddns-rev-domainname "in-addr.arpa";
>ignore client-updates;
>update-optimization false;
>set vendor-id = option vendor-class-identifier;
>
>group { 
>
>## inside data
>option domain-name-servers ; 
>option netbios-name-servers ; 
>authoritative;
>option ntp-servers  ;
>option log-servers ;
>option nds-tree-name ; 
>option nds-servers  ;
>option slp-directory-agent true ; 
>
>
>
>subnet 10.3.20.0 netmask 255.255.255.0 {
>        option routers 10.3.20.1;
>        range 10.3.20.4 10.3.20.254;
>}
>
>
>
>if exists agent.circuit-id
>{
>        log ( info, concat( "Lease for ", binary-to-ascii (10, 8, ".", leased-address),
>        " connected to interface ",
>        binary-to-ascii (10, 8, "/", suffix ( option agent.circuit-id, 2)),
>        " (3750s subtract 2or4!), VLAN ",
>        binary-to-ascii (10, 16, "", substring( option agent.circuit-id, 2, 2)),
>        " Hardware ",
>        binary-to-ascii(16, 8, ":", hardware)));
>
>}
>
>} # end inside group
>
>group {  
>
>## phones
>
>option domain-name-servers  ;
>authoritative;
>option ntp-servers  ;
>option log-servers  ;
>option option-150  ;
>option tftp-server-name "";
>boot-unknown-clients true;
>option dhcp-renewal-time 86400; ## 1day
>default-lease-time 2592000;  ##1 month
>max-lease-time 2592000;   #1 month
>ddns-updates off;
>
>### even though boot unknown is true the allow statement
>## in the subnet pool will only allow devices that match vendor id to get an ip
>class "voip-phones" {
>	match if substring (option vendor-class-identifier, 0, 28) = "Cisco Systems, Inc. IP Phone"
>	or
>	substring (option vendor-class-identifier, 0, 10) = "ATA188-H17";
>} ## ends class
>
>
>subnet 10.183.50.0 netmask 255.255.255.0 {
>	pool {
>		option routers 10.183.50.1;
>		range 10.183.50.4 10.183.50.254;
>		allow members of "voip-phones"; ## explicitly denies non voip
>	} #ends pool
>}
> 
>} #ends phone group
>
>
>group { 
>
>### servers group
>option domain-name-servers ;
>option netbios-name-servers ;
>authoritative;
>default-lease-time 1209600; # 2 weeks  
>max-lease-time 1209620; # 2weeks  2min
>option ntp-servers ;
>option log-servers ;
>
>
>### hsc-at vlan 29 ###
>subnet 10.4.0.0 netmask 255.255.255.0 {
>        option routers 10.4.0.1;
>#        range 10.4.0.10 10.4.0.254;
>}
>} ## ends server group
>
>
>### group outside
>group {
>server-identifier  ;
>option domain-name-servers  ;
>option netbios-name-servers  ;
>authoritative;
>option log-servers public.200;
>next-server ;
>filename "pxelinux.0";
>
>### (outside firewall) ###
>subnet 10.10.10.0 netmask 255.255.255.0 {
>        option routers 10.10.10.1;
>        option domain-name-servers public.70,public.71;
>}
>
>} # end outside group

Classes exist in the global scope, so their definition exists in the
other groups, subnets and pools. You must put

  deny members of "voip-phones";

in all your other pools where you don't want that behaviour.

regards,
-glenn
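The effect Glenn describes can be checked without a running server. The following Python model is an added example, not code from this thread or from ISC dhcpd: it encodes the class match expression from the posted config and the pool rules as documented for dhcpd (`allow members of` / `deny members of` are valid only inside a `pool { }`, so a bare `range` in a subnet, like the inside subnet above, carries no restriction; a pool first rejects any client matching a deny list and then, if it has any allow statements, admits only clients matching one of them). The vendor-class-identifier strings and pool names are constructed for the example.

```python
"""Model of how a global dhcpd class feeds per-pool allow/deny lists.

Constructed example (not code from the dhcp-users thread): the rules below
are the documented dhcpd semantics as understood by the author of this
example, so the configuration under discussion can be reasoned about offline.
"""
from dataclasses import dataclass, field


def match_voip_phone(vendor_class_identifier: str) -> bool:
    """Mirror of the thread's class "voip-phones" match expression."""
    v = vendor_class_identifier
    # substring(option vendor-class-identifier, 0, 28) / (0, 10) comparisons
    return (v[0:28] == "Cisco Systems, Inc. IP Phone"
            or v[0:10] == "ATA188-H17")


@dataclass
class Pool:
    name: str
    allow: list = field(default_factory=list)  # 'allow members of "X"'
    deny: list = field(default_factory=list)   # 'deny members of "X"'


# Classes are global in dhcpd regardless of which group{} block declares them,
# so one table serves every pool.
CLASSES = {"voip-phones": match_voip_phone}


def permitted(pool: Pool, vci: str) -> bool:
    """True if a client with this vendor-class-identifier may use the pool."""
    # Deny lists are checked first: any match rejects the client outright.
    for cls in pool.deny:
        if CLASSES[cls](vci):
            return False
    # A pool with no allow statements accepts anything not denied.
    if not pool.allow:
        return True
    # Otherwise the client must match at least one allowed class.
    return any(CLASSES[cls](vci) for cls in pool.allow)


def pools_open_to(vci: str, pools) -> list:
    """Names of the pools that would hand this client a lease."""
    return [p.name for p in pools if permitted(p, vci)]


# Layout from the thread: the phone pool allows only "voip-phones"; the inside
# subnet's range has no allow/deny at all, so phones can lease from it too.
AS_POSTED = [
    Pool("inside 10.3.20.0/24"),
    Pool("phones 10.183.50.0/24", allow=["voip-phones"]),
]

# Glenn's fix: move the inside range into a pool and deny the class there.
WITH_DENY = [
    Pool("inside 10.3.20.0/24", deny=["voip-phones"]),
    Pool("phones 10.183.50.0/24", allow=["voip-phones"]),
]

# Constructed vendor-class-identifier strings, not captured traffic.
PHONE = "Cisco Systems, Inc. IP Phone 7960"
ATA = "ATA188-H17-sample"
PC = "MSFT 5.0"

if __name__ == "__main__":
    for label, pools in (("as posted", AS_POSTED), ("with deny", WITH_DENY)):
        for vci in (PHONE, ATA, PC):
            print(f"{label:10} {vci!r:40} -> {pools_open_to(vci, pools)}")
```

Run as posted, both phone identifiers are accepted by the inside pool as well as the phone pool, which is the symptom in the thread; with the deny in place each client type lands in exactly one pool. Note that the model only covers the allow/deny decision: which subnet a client is considered for at all still depends on the interface or relay address it arrived on.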