Host declarations in different ranges within the same subnet

Sten Carlsen stenc at s-carlsen.dk
Wed Jun 13 17:11:42 UTC 2012



On 13/06/12 18:44, Marcio Merlone wrote:
> Em 13-06-2012 12:40, Simon Hobson escreveu:
>> By doing it with classes, you don't need to bother with
>> known/unknown. Just use an 'allow members of "foo"' in each pool
>> where you want members of the class "foo" to be able to get an
>> address and it'll do it for you. Members of the class will be given
>> access, anything that's not a member will not.
>>
>> Whenever you use an allow (or deny), there is an implicit deny (or
>> allow). So once you've allowed members of a class, then everything
>> else is implicitly denied. Don't mix allow and deny - they don't work
>> as most people expect, and I can't remember how it works even though
>> it's been explained several times over the years !
>>
>> If you want a separate pool for all clients not in any of the
>> classes, then you do it like this :
>>
>> pool {
>>   range ...
>>   deny members of "foo";
>>   deny members of "bar";
>> }
>> You need to list all the classes you've allowed elsewhere in the deny
>> list. Any not denied will be implicitly allowed.
>
> Things are getting nicely clear now. In fact, I don't need two
> classes, I just need to protect one range to some few selected hosts
> (subclass). The remaining hosts should go to the other range.
> Everything put in place, this should do:
>
> class "classFirewallFullAccess" {
>     match pick-first-value (option dhcp-client-identifier, hardware);
> }
> subclass "classFirewallFullAccess" 1:00:00:00:00:00:01;
> subclass "classFirewallFullAccess" 1:00:00:00:00:00:02;
>
> host closedFw3 {
>     hardware ethernet 00:00:00:00:00:03;
> }
> host closedFw4 {
>     hardware ethernet 00:00:00:00:00:04;
> }
>
> shared-network foo {
>
>      subnet 10.0.0.0 netmask 255.255.255.0 {
>          # GODS: Those have 'permit' on firewall
>          pool {
>              allow members of "classFirewallFullAccess";
>              option routers 10.0.0.100;
>              option blah;
>              range 10.0.0.1 10.0.0.10;
>          }
>          # Mortals: should use the proxy
>          pool {
>              deny unknown-clients;
Here you probably also want to deny "classFirewallFullAccess". Or you
may wish to say: allow known-clients, that will exclude both your class
and the unknown clients.
>              option routers 10.0.0.200;
>              option argh;
>              range 10.0.0.11 10.0.0.20;
>          }
>     }
>
>     # This goes for external sales people, customers, visitors, whatever
>     subnet 10.1.1.0 netmask 255.255.255.0 {
>         ....
>         allow unknown-clients;
>         ....
>     }
> }
>
> I know, I know, this is not a safe/good way to restrict normal people
> on the firewall, someone can manually setup an IP address within the
> GODs range, but this is another issue. ;)
>
> Thanks and best regards.
>
> -- 
> *Marcio Merlone*

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!" 

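For reference, here is Marcio's shared-network with Sten's correction applied to the second pool, written out as an added example (it is not the configuration of either poster, and the 10.1.1.x range and the dropped placeholder options are constructed for the example). The first pool's single "allow" makes everyone who is not a class member implicitly denied there, so the "Mortals" pool must in turn keep the class members out, either by listing the class in its deny list or by using Sten's alternative of a single "allow known-clients", which excludes both the subclass entries (they have no host declaration, so they are unknown clients) and everyone else who is unknown:

```conf
# Added example, not Marcio's or Sten's own dhcpd.conf. Class, subclass and
# host names and the 10.0.0.x addresses are the placeholder values from the
# thread; the 10.1.1.x range is constructed here.

class "classFirewallFullAccess" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}
subclass "classFirewallFullAccess" 1:00:00:00:00:00:01;
subclass "classFirewallFullAccess" 1:00:00:00:00:00:02;

# Known hosts that must never land in the full-access range.
host closedFw3 { hardware ethernet 00:00:00:00:00:03; }
host closedFw4 { hardware ethernet 00:00:00:00:00:04; }

shared-network foo {
    subnet 10.0.0.0 netmask 255.255.255.0 {
        # Full access: class members only. The allow statement makes every
        # non-member implicitly denied in this pool.
        pool {
            allow members of "classFirewallFullAccess";
            range 10.0.0.1 10.0.0.10;
            option routers 10.0.0.100;
        }

        # Proxy users: known hosts that are not class members.
        # Variant A: deny-only list. Every class allowed in another pool of
        # this subnet must be named here, otherwise its members are also
        # eligible for this range.
        pool {
            deny unknown-clients;
            deny members of "classFirewallFullAccess";
            range 10.0.0.11 10.0.0.20;
            option routers 10.0.0.200;
        }

        # Variant B (Sten's alternative, use instead of Variant A, not in
        # addition to it): one allow statement. The implicit deny it creates
        # excludes the subclass entries (no host declaration, so "unknown")
        # and every other unknown client without naming the class.
        # pool {
        #     allow known-clients;
        #     range 10.0.0.11 10.0.0.20;
        #     option routers 10.0.0.200;
        # }
    }

    # External sales people, customers, visitors: unknown clients only.
    subnet 10.1.1.0 netmask 255.255.255.0 {
        pool {
            allow unknown-clients;
            range 10.1.1.100 10.1.1.200;
            option routers 10.1.1.1;
        }
    }
}
```

Whichever variant is used, a quick check after editing is to let a class member, a declared host such as closedFw3 and an unregistered client each request a lease and confirm in the dhcpd log which range each one was served from; with only "deny unknown-clients" in the second pool, as in the original draft, the class members would show up as eligible for both 10.0.0.x ranges.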