Trying to keep out Non-Phones in a Subnet

Martin McCormick martin at
Thu Jan 15 21:36:32 UTC 2009

	We set up a subnet just for VOIP phones and would like
to disallow devices such as workstations, etc., from using that
network. We already have a class for Cisco telephones which
works fine so what we would like to happen is for any Cisco
telephone to get a dynamic address on this network and anything
else to get nothing but a log entry so we can find out what the
problem is and get them plugged in to the correct network. After
doing some research, I tried the following configuration which
fails for pretty obvious reasons. All non-defined hosts are
unknown hosts. I was hoping that their belonging to a class
might make them known. Bad config follows:

subnet netmask {
    option subnet-mask;
    option routers;
    ddns-updates on;
    option domain-name "voip-test.osu";
    option broadcast-address;
    default-lease-time 3600;
    max-lease-time 3600;
    pool {
        deny dynamic bootp clients;
        failover peer "stw";
        allow members of "cisco-telephone";
        deny unknown-clients;
    } #end pool
} #end network

What we need is something like:

        allow members of "cisco-telephone";
        deny everybody-else;

	What we do not want is to have to keep up a list of
manually-defined hosts.

	On other networks, we will invert this logic and

        deny members of "cisco-telephone";

	Since the default is to allow unknown-clients on most
networks, this inverted logic should work.

	Thanks for any suggestions or links to examples.
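
An added example, not part of the original post and not taken from the ISC DHCP distribution: in dhcpd.conf a pool that carries any "allow" entry serves only clients matching that permit list, so the allow-only and inverted pools described above can be written as below. The class match expression, all addresses (documentation ranges) and the range statements are constructed assumptions; the failover peer "stw" is assumed to be declared elsewhere in the file.

```conf
# Assumed class definition; the post only says that the class already exists.
class "cisco-telephone" {
    match if substring(option vendor-class-identifier, 0, 28)
             = "Cisco Systems, Inc. IP Phone";
}

# VoIP subnet (placeholder addresses from 192.0.2.0/24).
subnet 192.0.2.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option routers 192.0.2.1;
    option broadcast-address 192.0.2.255;
    option domain-name "voip-test.osu";
    ddns-updates on;
    default-lease-time 3600;
    max-lease-time 3600;

    pool {
        failover peer "stw";
        deny dynamic bootp clients;
        # Permit list: once a pool has an "allow" entry, only clients that
        # match it are eligible, so this line alone is "deny everybody-else".
        allow members of "cisco-telephone";
        # No "deny unknown-clients;" here. "Known" means "has a host
        # declaration"; class membership does not make a phone known, so
        # that line would also shut out the phones.
        range 192.0.2.10 192.0.2.200;
    }
}

# Data subnet with the inverted logic (placeholder addresses from
# 198.51.100.0/24): a deny list only, so everything except the phones,
# unknown clients included, stays eligible.
subnet 198.51.100.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option routers 198.51.100.1;

    pool {
        failover peer "stw";
        deny dynamic bootp clients;
        deny members of "cisco-telephone";
        range 198.51.100.10 198.51.100.200;
    }
}
```

No host declarations are needed for either pool. A DISCOVER from a device that the VoIP pool's permit list rejects is recorded by dhcpd as "no free leases" for that network, which supplies the log entry for tracing the misplugged device.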
