Trying to keep out Non-Phones in a Subnet

Martin McCormick martin at dc.cis.okstate.edu
Thu Jan 15 21:36:32 UTC 2009


	We set up a subnet just for VOIP phones and would like
to disallow devices such as workstations, etc., from using that
network. We already have a class for Cisco telephones which
works fine, so what we would like to happen is for any Cisco
telephone to get a dynamic address on this network and anything
else to get nothing but a log entry, so we can find out what the
problem is and get them plugged into the correct network. After
doing some research, I tried the following configuration, which
fails for pretty obvious reasons. All non-defined hosts are
unknown hosts. I was hoping that their belonging to a class
might make them known. Bad config follows:

subnet 10.194.8.0 netmask 255.255.248.0 {
    option subnet-mask 255.255.248.0;
    option routers 10.194.15.254;
    ddns-updates on;
    option domain-name "voip-test.osu";
    option broadcast-address 10.194.15.255;
    default-lease-time 3600;
    max-lease-time 3600;
    pool {
        deny dynamic bootp clients;
        failover peer "stw";
        range 10.194.12.0 10.194.15.249;
        allow members of "cisco-telephone";
        deny unknown-clients;
    }
} #end network 10.194.8.0

What we need is something like
    allow members of "cisco-telephone";
    deny everybody-else;

	What we do not want is to have to keep up a list of
manually-defined hosts.

	On other networks, we will invert this logic and
    deny members of "cisco-telephone";

	Since the default is to allow unknown-clients on most
networks, this inverted logic should work.

	Thanks for any suggestions or links to examples.
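A corrected version of the two pools, added here as an example for this thread and not taken from the original post. It relies on the allow/deny rule documented in dhcpd.conf(5): once a pool carries an allow statement, a client that matches none of the pool's allow statements is refused that pool, so the `deny unknown-clients;` line is the part that breaks things (a phone with no host declaration is an unknown client too). It assumes the class "cisco-telephone" is already declared elsewhere, as the post says; the data-network subnet addresses are illustrative values.

```conf
# Added example (not from the original post). Assumes class "cisco-telephone"
# is declared elsewhere in dhcpd.conf, as the post states.

# Voice subnet: only members of the class may take a dynamic lease.
subnet 10.194.8.0 netmask 255.255.248.0 {
    option subnet-mask 255.255.248.0;
    option routers 10.194.15.254;
    option broadcast-address 10.194.15.255;
    option domain-name "voip-test.osu";
    ddns-updates on;
    default-lease-time 3600;
    max-lease-time 3600;
    pool {
        failover peer "stw";
        range 10.194.12.0 10.194.15.249;
        deny dynamic bootp clients;
        # The allow statement alone restricts this pool: when a pool has
        # allow statements, a client matching none of them is refused.
        # There is deliberately no "deny unknown-clients" here; that line
        # also refused the phones, since none of them has a host declaration.
        allow members of "cisco-telephone";
    }
}
# A workstation plugged into the voice VLAN matches no pool, so dhcpd leaves
# it unanswered and logs a "network 10.194.8.0/21: no free leases" entry,
# which gives the audit trail the post asks for without any host list.

# Data subnet (addresses are illustrative): the inverse rule. Phones are
# refused here and every other client is served as usual, because a pool
# with only deny statements accepts whatever the deny does not match.
subnet 192.0.2.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option routers 192.0.2.1;
    pool {
        failover peer "stw";
        range 192.0.2.100 192.0.2.200;
        deny members of "cisco-telephone";
    }
}
```

Check the result with `dhcpd -t -cf /path/to/dhcpd.conf` before restarting the server, then watch syslog for the "no free leases" lines to find the misplugged hosts.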



More information about the dhcp-users mailing list