Trying to keep out Non-Phones in a Subnet
Martin McCormick
martin at dc.cis.okstate.edu
Thu Jan 15 21:36:32 UTC 2009
We set up a subnet just for VOIP phones and would like
to disallow devices such as work stations, etc, from using that
network. We already have a class for Cisco telephones which
works fine so what we would like to happen is for any Cisco
telephone to get a dynamic address on this network and anything
else to get nothing but a log entry so we can find out what the
problem is and get them plugged in to the correct network. After
doing some research, I tried the following configuration which
fails for pretty obvious reasons. All non-defined hosts are
unknown hosts. I was hoping that their belonging to a class
might make them known. Bad config follows:

    subnet 10.194.8.0 netmask 255.255.248.0 {
        option subnet-mask 255.255.248.0;
        option routers 10.194.15.254;
        ddns-updates on;
        option domain-name "voip-test.osu";
        option broadcast-address 10.194.15.255;
        default-lease-time 3600;
        max-lease-time 3600;
        pool {
            deny dynamic bootp clients;
            failover peer "stw";
            range 10.194.12.0 10.194.15.249;
            allow members of "cisco-telephone";
            deny unknown-clients;
        }
    } #end network 10.194.8.0

What we need is something like

    allow members of "cisco-telephone";
    deny everybody-else;

What we do not want is to have to keep up a list of
manually-defined hosts.
On other networks, we will invert this logic and

    deny members of "cisco-telephone";

Since the default is to allow unknown-clients on most
networks, this inverted logic should work.
Thanks for any suggestions or links to examples.
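
Added example, not part of the original message: a dhcpd.conf fragment that relies on the ISC dhcpd rule that a pool with an allow list serves only clients matching that list, and that allow and deny lists in one pool are both enforced. The class body and the 192.0.2.0/24 subnet are assumptions made for illustration; the post shows neither.

```conf
# Added example, not from the original post.
# Assumed class definition: the post says a "cisco-telephone" class already
# exists but does not show it; this vendor-class match is a stand-in.
class "cisco-telephone" {
    match if substring(option vendor-class-identifier, 0, 28)
             = "Cisco Systems, Inc. IP Phone";
}

# VoIP subnet from the post.
subnet 10.194.8.0 netmask 255.255.248.0 {
    option subnet-mask 255.255.248.0;
    option routers 10.194.15.254;
    option broadcast-address 10.194.15.255;
    option domain-name "voip-test.osu";
    ddns-updates on;
    default-lease-time 3600;
    max-lease-time 3600;

    pool {
        failover peer "stw";          # the site's existing failover declaration
        deny dynamic bootp clients;
        range 10.194.12.0 10.194.15.249;

        # A pool with an allow list serves only clients that match it, so
        # this single line already acts as "deny everybody else".
        allow members of "cisco-telephone";

        # No "deny unknown-clients" here: allow and deny are both applied,
        # and a phone without a host declaration is an unknown client, so
        # that line shuts out the phones as well.
    }
}

# Inverted logic for a non-VoIP network. 192.0.2.0/24 is a constructed
# placeholder subnet, not one of the site's networks.
subnet 192.0.2.0 netmask 255.255.255.0 {
    option routers 192.0.2.254;
    pool {
        range 192.0.2.10 192.0.2.200;
        # Only a deny list: every client except class members is eligible.
        deny members of "cisco-telephone";
    }
}
```

A client that no pool admits receives no offer, and dhcpd records its DHCPDISCOVER with a "no free leases" message, which supplies the log entry for finding devices plugged into the wrong network.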