DHCP "static" assignments
Glenn Satchell
glenn.satchell at uniq.com.au
Thu Aug 8 15:21:14 UTC 2013
Hi Greg
My responses are inline below. It's ok to be puzzled, dhcpd has a rich
configuration language, and to borrow from Perl TMTOWTDI. That doesn't
mean that just because it works means it's the "right" way or Best
Practise.
On Thu, August 8, 2013 11:47 pm, Gregory Sloop wrote:
> I'm puzzled.
>
> I decided to read the docs [again] *very* carefully, since I'd gone
> over them before fairly carefully and was a bit surprised at the
> responses I got yesterday saying that I shouldn't include the IP
> address in the host dec. in the pool at all. [And that bad things
> would happen if I *did* have it in a pool, even with the "deny
> unknown-clients" clause/directive.]
>
> It *appears* that the recommendation given yesterday will work, given
> everyone's experience. [I have not tried it yet, and I am and have
> been running it my way for years.]
>
> But it appears the way I am doing it most closely matches the
> documentation.
>
>
> From the dhcp.conf man page...
> ---
> ALLOW DENY AND IGNORE IN SCOPE
> The following usages of allow and deny will work in any scope,
> although it is not recommended that they be used in pool
> declarations.
>
> The unknown-clients keyword
>
> allow unknown-clients;
> deny unknown-clients;
> ignore unknown-clients;
>
> The unknown-clients flag is used to tell dhcpd whether or
> not to dynamically assign addresses to unknown clients.
> Dynamic address assignment to unknown clients is allowed by
> default. An unknown client is simply a client that has no
> host declaration.
>
> The use of this option is now deprecated. If you are trying to
> restrict access on your network to known clients, you
> should use deny unknown-clients; inside of your address pool, as
> described under the heading ALLOW AND DENY WITHIN POOL
> DECLARATIONS.
> --- AND ---
> ALLOW AND DENY WITHIN POOL DECLARATIONS.
> ...
> known-clients;
>
> If specified, this statement either allows or prevents allocation
> from this pool to any client that has a host declaration
> (i.e., is known). A client is known if it has a host
> declaration in any scope, not just the current scope.
>
> unknown-clients;
>
> If specified, this statement either allows or prevents allocation
> from this pool to any client that has no host declaration
> (i.e., is not known).
> ---
>
> So, not to complain about the help you all have given, but it appears
> to me that this says that having a host declaration makes it a "known
> client" and that if you use the "deny unknown-client" directive in the
> pool, NO unknown clients will get that address, and the host
> declaration should ensure that no OTHER client should get that address...
True, except for the last bit about the host declaration. The host
statement does not block other clients from getting that address if they
match the allow/deny requirements for the pool. In your example any other
known clients that do not have a fixed-address statement are potentially
able to get that address. The way to ensure no other clients can get the
address is to not include it in the range.
> So, in what cases are you all claiming that having it declared in the
> pool, but with a host definition *and* a "deny unknown-clients" would
> result in the IP defined in the host declaration [and in the pool,
> with a "deny unknown-clients" clause] getting assigned to anyone else?
You can have a host declaration without a fixed-address statement. That
makes it a known client that still wants to get an address from a dynamic
range.
Examples have already been given of how you can get devices with duplicate
ip addresses so I won't repeat them here. There is a section titled IP
ADDRESS CONFLICT PREVENTION in the dhcpd.conf man page.
> Next, while it may work, not having the address in any pool, doesn't
> match the docs, at least in intent. [Again, my reading of the docs.]
See also the dhcpd man page:
Subnets
dhcpd needs to know the subnet numbers and netmasks of all
subnets for which it will be providing service. In addition,
in order to dynamically allocate addresses, it must be
assigned one or more ranges of addresses on each subnet
which it can in turn assign to client hosts as they boot.
Thus, a very simple configuration providing DHCP support
might look like this:
subnet 239.252.197.0 netmask 255.255.255.0 {
range 239.252.197.10 239.252.197.250;
}
Multiple address ranges may be specified like this:
subnet 239.252.197.0 netmask 255.255.255.0 {
range 239.252.197.10 239.252.197.107;
range 239.252.197.113 239.252.197.250;
}
If a subnet will only be provided with BOOTP service and no
dynamic address assignment, the range clause can be left out
entirely, but the subnet statement must appear.
> It looks to me as if the docs INTEND for you to have the address in a
> pool, and restrict the assignment via the "deny unknown-clients"
> clause inside the pool.
Now looking at dhcpd.conf, in the section DYNAMIC ADDRESS ALLOCATION.
There may be a host declaration matching the client's identification.
If that host declaration contains a fixed-address
declaration that lists an IP address that is valid
for the network segment to which the client is connected.
In this case, the DHCP server will never do dynamic address
allocation. In this case, the client is required to take
the address specified in the host declaration.
Not doing dynamic allocation means that it does not make use of any range
statements.
And further down in the same man page.
The host statement
host hostname {
[ parameters ]
[ declarations ]
}
The host declaration provides a scope in which to provide
configuration information about a specific client, and also
provides a way to assign a client a fixed address.
If you look at the rest of that section there is no mention of the
requirement to have a corresponding entry in a range statement.
> I really don't want to start a war here - I'm just trying to make
> sense of what appear to be deviations from the docs. Perhaps I
> misunderstand the docs, or perhaps the explanations given do. I just
> want to make sure I really grok what's intended, as well as how it
> might practically work - even if the docs don't describe it that way.
That's fair enough. The man pages are quite long, and have evolved over
many years, so sometimes they do not always have perfect continuity or
entirely logical layout.
This reply is intended to be in the spirit of your question, and I hope it
comes across that way.
> [I'm running 4.1-R4, BTW - the standard Ubuntu package.]
The version shouldn't make any difference; this behaviour has been around
since the very first versions.
A few years ago there was a book The DHCP Handbook (2nd Ed) which you can
still get on Amazon
http://www.amazon.com/The-DHCP-Handbook-2nd-Edition/dp/0672323273 This is
considered the definitive reference guide for configuring ISC DHCPD. Ralph
Droms is the chair of the IETF working group for DHCP and editor of the
dhcp RFCs. Ted Lemon is the original author of ISC dhcpd. So I think these
guys know what they are talking about :)
regards,
-glenn
> TIA
> -Greg
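As an added example, not from Glenn's reply or from the ISC dhcpd distribution: a small Python check that reads a constructed dhcpd.conf fragment and flags the two cases discussed in the thread, a fixed-address that falls inside a range (the duplicate-address risk) and a host declaration with no fixed-address (a "known" client that will still take a lease from the range). It assumes a single subnet and the simplified one-line host syntax used in the sample.

```python
import ipaddress
import re

# Constructed sample dhcpd.conf (not from the thread): the printer's fixed-address
# sits inside the pool's range, and "laptop" is a host declaration with no
# fixed-address, so it is a "known" client that still draws from the range.
SAMPLE_CONF = """
subnet 192.0.2.0 netmask 255.255.255.0 {
    pool {
        deny unknown-clients;
        range 192.0.2.10 192.0.2.50;
    }
}
host printer { hardware ethernet 00:00:5e:00:53:01; fixed-address 192.0.2.20; }
host laptop  { hardware ethernet 00:00:5e:00:53:02; }
host nas     { hardware ethernet 00:00:5e:00:53:03; fixed-address 192.0.2.200; }
"""

RANGE_RE = re.compile(r"range\s+(\S+)\s+(\S+)\s*;")
HOST_RE = re.compile(r"host\s+(\S+)\s*\{([^}]*)\}", re.S)
FIXED_RE = re.compile(r"fixed-address\s+([^;]+);")

def parse_ranges(conf):
    """Return every dynamic range as a (first, last) IPv4Address pair."""
    return [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b))
            for a, b in RANGE_RE.findall(conf)]

def parse_hosts(conf):
    """Return {hostname: fixed-address or None} for every host declaration."""
    hosts = {}
    for name, body in HOST_RE.findall(conf):
        m = FIXED_RE.search(body)
        hosts[name] = ipaddress.IPv4Address(m.group(1).strip()) if m else None
    return hosts

def audit(conf):
    """Return (hosts whose fixed-address overlaps a range,
               hosts with no fixed-address, i.e. known clients using the range)."""
    ranges = parse_ranges(conf)
    hosts = parse_hosts(conf)
    overlapping = sorted(name for name, ip in hosts.items()
                         if ip is not None and any(lo <= ip <= hi for lo, hi in ranges))
    dynamic_known = sorted(name for name, ip in hosts.items() if ip is None)
    return overlapping, dynamic_known

if __name__ == "__main__":
    bad, dyn = audit(SAMPLE_CONF)
    print("fixed-address inside a range:", bad)
    print("known clients that take a dynamic lease:", dyn)
```

With the sample above it reports "printer" as overlapping the range and "laptop" as a known client that will still be served from the pool; moving 192.0.2.20 outside the range (as Glenn suggests) clears the first finding.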