Excluding a class from matches...

Glenn Satchell Glenn.Satchell at uniq.com.au
Wed Aug 5 02:38:36 UTC 2009

ok, what if you reverse the logic in your class, then you can allow
that class, the allow implies deny everything else? eg:

class "DeviceType1" { match if not substring ( hardware, 1, 3 ) = 12:34:56; }

subnet .... {
       option ... ;
       pool {
               # deny devices who are not 12:34:56:
               allow members of "DeviceType1";
               range ... ;
               option ... ;
       pool {
               allow members of "DeviceType2";
               range ... ;
               option ... ;


PS Please reply to the list only, I don't need to get the posting twice.

>Date: Tue, 4 Aug 2009 19:52:28 -0400
>Subject: Re: Excluding a class from matches...
>From: David McKen <dmlmcken at gmail.com>
>I considered that option but unfortunately I have one other constraint
>that I forgot to mention. I have 3 classes of devices on this network
>with isc dhcp classes setup for each, this setup works fine but I need
>one of the classes to support this behavior. Due to this the deny
>option won't work well for me. I read on the list that is not a good
>idea to have allow and deny statements within a single pool. so there
>would be no way to apply the extra restrictions.
>The specific setup is that we have management networks on the same
>VLAN as customer browsing networks (this is due to a limitation on the
>equipment). Both are handed out via DHCP, we use the MAC prefix to
>distinguish between the two. The new requirement is to move customers
>over to a special "captive" network when they don't pay their bill.
>Most of the data will be stored in a database so being able to have
>the dhcp server call some script who's return value is 1 if its a
>match and 0 if it isn't will actually work quite well for me so I
>don't have to keep restarting the dhcp service every time one of these
>macs needs to get added or removed.
>On Tue, Aug 4, 2009 at 7:35 PM, Glenn
>Satchell<Glenn.Satchell at uniq.com.au> wrote:
>>>Date: Tue, 4 Aug 2009 18:30:17 -0400
>>>Subject: Excluding a class from matches...
>>>From: David McKen <dmlmcken at gmail.com>
>>>To: dhcp-users at lists.isc.org
>>>X-BeenThere: dhcp-users at lists.isc.org
>>>Good Day list,
>>>I am looking to do the following:
>>>1. For all macs whose prefix do not begin with 12:34:56 do not match /
>>>give an ip.
>>>2. For specific macs (list is coming from a database so can be
>>>provided via subclass or group I guess) put them in a specific subnet
>>>3. For all other macs matching criteria #1 put them in subnet #2.
>>>If I drop requirement #2 I can do this quite easily via classes.
>>>class "DeviceType" { match if substring ( hardware, 1, 3 ) = 12:34:56; }
>>>and apply the class to the subnet desired.
>>>I am a bit lost as to how to do this with requirement #2 in place
>>>which is to put certain devices in a special "holding" network until
>>>they can be dealt with.
>>>Was looking for some line that would allow me to say " if not in
>>>'someclass' " as I could use this to prevent the macs from #2 from
>>>matching the "global" matches.
>>>Came across something called "execute based class matching" from the
>>>mailing lists. I am a bit fuzzy as to how this works but it may be
>>>what I'm looking for. Can anyone shed some light on how this works?
>>>David McKen
>> Hi David
>> So you define your class similar to above
>> class "DeviceType1" { match if substring ( hardware, 1, 3 ) = 12:34:56; }
>> class "DeviceType2" { match hardware }
>> subclass "DeviceType2"  1:12:34:56:d:e:f;
>> subclass "DeviceType2"  1:a:b:c:d:e:f;
>> ...
>> subnet .... {
>>        option ... ;
>>        pool {
>>                # deny devices who are not 12:34:56:
>>                deny members of "DeviceType1";
>>                # deny our special list
>>                deny members of "DeviceType2";
>>                range ... ;
>>                option ... ;
>>        }
>>        pool {
>>                allow members of "DeviceType2";
>>                range ... ;
>>                option ... ;
>>        }
>> }
>> When you allow a class it denies all other classes in that pool. When
>> you deny a class it allows all other classes. The ranges must not
>> overlap in the pools. You can also put other options in each pool, eg
>> different router, dns servers and so on, and they will apply to devices
>> using that pool.
>> dhcpd.conf man page has examples on subclasses,the leading "1" is the
>> hardware type, almost always ethernet these days. dhcp-eval has
>> examples of arithmetic and if/else tests, etc.
>> regards,
>> -glenn
>> --
>> Glenn Satchell     mailto:glenn.satchell at uniq.com.au | I telephoned the
>> Uniq Advances Pty Ltd         http://www.uniq.com.au | swine flu info
>> PO Box 70 Paddington NSW Australia 2021              | line and all I got
>> tel:0409-458-580  tel:02-9380-6360  fax:02-9380-6416 | was crackling.
>> _______________________________________________
>> dhcp-users mailing list
>> dhcp-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/dhcp-users
>dhcp-users mailing list
>dhcp-users at lists.isc.org

More information about the dhcp-users mailing list