How to restrict Windows XP DHCP clients to a specific subnet?

Ole Holm Nielsen Ole.H.Nielsen at
Thu Feb 13 14:55:16 UTC 2014

Simon Hobson dhcp1 at wrote:
> Where you use an allow clause, anything not specifically allowed is denied, so you can do :
>   pool {
>     allow members of "tom";
>     allow members of "dick";
>     allow members of "harry";
>     range ...;
>   }
> which will allow members of those classes but nothing else.
> Do not be tempted to mix allow and deny - it doesn't work as most people would expect, it's been explained just how it does work a few times, but I can't remember. Simplest advice is "just don't" as it's not likely to give the result you expect.

I've been testing this now, and unfortunately it seems that you're 
right!  Mixing allow/deny statements within a pool breaks completely any 
logic which I can see.

Where might this strange allow/deny behavior be documented?  The DHCP 
Handbook 2nd ed. discusses on p. 344 various allow and deny statements, 
but has nothing to say about mixing them.

The dhcpd.conf man-page (ISC dhcp 4.1.1 that comes with RHEL 6.5) says 
quite the opposite from what you have explained:
> If both permit and deny lists exist for a pool, then only clients that match the permit list and do not match the  deny list will be allowed access.

Confusion is apparently abundant!

Ole Holm Nielsen
Department of Physics, Technical University of Denmark

More information about the dhcp-users mailing list