Trying to keep out Non-Phones in a Subnet

Simon Hobson dhcp1 at
Thu Jan 15 21:51:21 UTC 2009

Martin McCormick wrote:
>	We set up a subnet just for VOIP phones and would like
>to disallow devices such as work stations, etc, from using that
>network. We already have a class for Cisco telephones which
>works fine so what we would like to happen is for any Cisco
>telephone to get a dynamic address on this network and anything
>else to get nothing but a log entry so we can find out what the
>problem is and get them plugged in to the correct network. After
>doing some research, I tried the following configuration which
>fails for pretty obvious reasons. All non-defined hosts are
>unknown hosts. I was hoping that their belonging to a class
>might make them known. Bad config follows:
>subnet netmask {
>option subnet-mask;
>option routers;
>ddns-updates on;
>option domain-name "voip-test.osu";
>option broadcast-address;
>default-lease-time 3600;
>max-lease-time 3600;
>  pool {
>deny dynamic bootp clients;
>failover peer "stw";
>allow members of "cisco-telephone";
>         deny unknown-clients;

'allow members of "cisco-telephone";' is sufficient to prevent other 
devices from accessing that pool - so just delete the 'deny 
unknown-clients;' line. Whenever you use an allow, anything not 
allowed is implicitly denied (and the reverse if you use a deny, 
anything not denied is allowed).

Simon Hobson

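Added example, not part of the original thread and not ISC dhcpd code: a small Python model of the pool permit-list rule documented in dhcpd.conf(5), where a client must match the allow list (if one exists) and must not match any deny entry. It shows why the quoted pool rejects phones that have no host declaration and why removing the deny line still keeps workstations out. The `Client`/`Pool` types, the entry strings and the MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Client:
    mac: str
    classes: set = field(default_factory=set)  # classes the request matched
    known: bool = False    # True only if a host declaration exists
    bootp: bool = False    # True for a dynamic BOOTP request

@dataclass
class Pool:
    allow: list = field(default_factory=list)  # "allow ...;" entries
    deny: list = field(default_factory=list)   # "deny ...;" entries

def matches(entry, client):
    """Does one permit/deny entry apply to this client?"""
    kind, _, arg = entry.partition(":")
    if kind == "members":
        return arg in client.classes
    if kind == "unknown-clients":
        return not client.known
    if kind == "known-clients":
        return client.known
    if kind == "dynamic-bootp":
        return client.bootp
    raise ValueError(f"unsupported entry: {entry}")

def eligible(pool, client):
    """Return (ok, reason); the reason is what you would want in a log line."""
    # An allow list makes everything not listed implicitly denied.
    if pool.allow and not any(matches(e, client) for e in pool.allow):
        return False, "not on permit list"
    # Deny entries still apply to clients that passed the allow list.
    for e in pool.deny:
        if matches(e, client):
            return False, f"matched deny entry {e}"
    return True, "eligible"

# Constructed sample clients: neither has a host declaration.
phone = Client("00:00:5e:00:53:01", classes={"cisco-telephone"})
workstation = Client("00:00:5e:00:53:02")

# Pool as quoted in the thread, then with 'deny unknown-clients;' removed.
bad_pool = Pool(allow=["members:cisco-telephone"],
                deny=["dynamic-bootp", "unknown-clients"])
fixed_pool = Pool(allow=["members:cisco-telephone"], deny=["dynamic-bootp"])

if __name__ == "__main__":
    for name, pool in (("bad", bad_pool), ("fixed", fixed_pool)):
        for c in (phone, workstation):
            print(name, c.mac, *eligible(pool, c))
```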

More information about the dhcp-users mailing list