Excluding a class from matches...

David McKen dmlmcken at gmail.com
Tue Aug 4 23:52:28 UTC 2009


I considered that option but unfortunately I have one other constraint
that I forgot to mention. I have 3 classes of devices on this network
with isc dhcp classes set up for each; this setup works fine but I need
one of the classes to support this behavior. Due to this the deny
option won't work well for me. I read on the list that it is not a good
idea to have allow and deny statements within a single pool, so there
would be no way to apply the extra restrictions.

The specific setup is that we have management networks on the same
VLAN as customer browsing networks (this is due to a limitation on the
equipment). Both are handed out via DHCP, we use the MAC prefix to
distinguish between the two. The new requirement is to move customers
over to a special "captive" network when they don't pay their bill.

Most of the data will be stored in a database so being able to have
the dhcp server call some script whose return value is 1 if it's a
match and 0 if it isn't will actually work quite well for me so I
don't have to keep restarting the dhcp service every time one of these
macs needs to get added or removed.

On Tue, Aug 4, 2009 at 7:35 PM, Glenn Satchell <Glenn.Satchell at uniq.com.au> wrote:
>
>>Date: Tue, 4 Aug 2009 18:30:17 -0400
>>Subject: Excluding a class from matches...
>>From: David McKen <dmlmcken at gmail.com>
>>To: dhcp-users at lists.isc.org
>>X-BeenThere: dhcp-users at lists.isc.org
>>
>>Good Day list,
>>
>>I am looking to do the following:
>>1. For all macs whose prefix do not begin with 12:34:56 do not match /
>>give an ip.
>>2. For specific macs (list is coming from a database so can be
>>provided via subclass or group I guess) put them in a specific subnet
>>#1.
>>3. For all other macs matching criteria #1 put them in subnet #2.
>>
>>If I drop requirement #2 I can do this quite easily via classes.
>>class "DeviceType" { match if substring ( hardware, 1, 3 ) = 12:34:56; }
>>
>>and apply the class to the subnet desired.
>>
>>I am a bit lost as to how to do this with requirement #2 in place
>>which is to put certain devices in a special "holding" network until
>>they can be dealt with.
>>
>>Was looking for some line that would allow me to say " if not in
>>'someclass' " as I could use this to prevent the macs from #2 from
>>matching the "global" matches.
>>
>>Came across something called "execute based class matching" from the
>>mailing lists. I am a bit fuzzy as to how this works but it may be
>>what I'm looking for. Can anyone shed some light on how this works?
>>
>>Signed
>>David McKen
>
> Hi David
>
> So you define your class similar to above
>
> class "DeviceType1" { match if substring ( hardware, 1, 3 ) = 12:34:56; }
>
> class "DeviceType2" { match hardware; }
> subclass "DeviceType2"  1:12:34:56:d:e:f;
> subclass "DeviceType2"  1:a:b:c:d:e:f;
> ...
>
> subnet .... {
>        option ... ;
>        pool {
>                # deny devices who are not 12:34:56:
>                deny members of "DeviceType1";
>                # deny our special list
>                deny members of "DeviceType2";
>                range ... ;
>                option ... ;
>        }
>        pool {
>                allow members of "DeviceType2";
>                range ... ;
>                option ... ;
>        }
> }
>
> When you allow a class it denies all other classes in that pool. When
> you deny a class it allows all other classes. The ranges must not
> overlap in the pools. You can also put other options in each pool, eg
> different router, dns servers and so on, and they will apply to devices
> using that pool.
>
> dhcpd.conf man page has examples on subclasses; the leading "1" is the
> hardware type, almost always ethernet these days. dhcp-eval has
> examples of arithmetic and if/else tests, etc.
>
> regards,
> -glenn
> --
> Glenn Satchell     mailto:glenn.satchell at uniq.com.au | I telephoned the
> Uniq Advances Pty Ltd         http://www.uniq.com.au | swine flu info
> PO Box 70 Paddington NSW Australia 2021              | line and all I got
> tel:0409-458-580  tel:02-9380-6360  fax:02-9380-6416 | was crackling.
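An added example, not part of the thread and not ISC's code: a Python sketch that turns database rows into the `subclass` lines used in the quoted layout and models which pool a client is eligible for under the allow/deny rules described there. The function names, the sample rows, and the reading of the first pool as denying clients outside the 12:34:56 prefix are assumptions.

```python
import re

PREFIX = "12:34:56:"  # customer-device MAC prefix from the thread

def normalize(mac):
    """Return a MAC as six zero-padded lowercase octets, or None if malformed."""
    parts = re.split(r"[:-]", mac.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", p) for p in parts):
        return None
    return ":".join(p.zfill(2) for p in parts)

def captive_macs(db_rows):
    """Split database rows into usable captive MACs and rejected rows."""
    accepted, rejected = [], []
    for raw in db_rows:
        mac = normalize(raw)
        # Malformed rows and MACs outside the prefix must never reach a pool.
        if mac is None or not mac.startswith(PREFIX):
            rejected.append(raw)
        elif mac not in accepted:
            accepted.append(mac)
    return accepted, rejected

def render(macs, class_name="DeviceType2"):
    """One subclass statement per MAC; the leading 1 is the Ethernet hardware type."""
    return [f'subclass "{class_name}" 1:{mac};' for mac in macs]

def eligible_pool(mac, captive):
    """Name the pool that may serve this client, or None for no lease."""
    mac = normalize(mac)
    if mac is None or not mac.startswith(PREFIX):
        return None       # denied in pool 1, not allowed in pool 2
    if mac in captive:
        return "captive"  # denied in pool 1, allowed in pool 2
    return "normal"       # no deny matches in pool 1; pool 2 allows only the list

# Constructed sample rows (hypothetical), not data from the thread.
DB_ROWS = ["12:34:56:0D:0E:0F", "12-34-56-0d-0e-0f", "12:34:56:1:2:3",
           "aa:bb:cc:dd:ee:ff", "bogus"]

if __name__ == "__main__":
    macs, rejected = captive_macs(DB_ROWS)
    print("\n".join(render(macs)))
    print("rejected:", rejected)
    for m in ("12:34:56:aa:bb:cc", "12:34:56:1:2:3", "aa:bb:cc:dd:ee:ff"):
        print(m, "->", eligible_pool(m, set(macs)))
```

Rejected rows are worth logging: a database entry outside the prefix or in a malformed format would otherwise silently fail to move a customer to the captive pool.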