How to restrict Windows XP DHCP clients to a specific subnet?

Sten Carlsen stenc at
Thu Feb 13 19:29:28 UTC 2014

On 13/02/14 18.30, Chris Buxton wrote:
> If you mix allow and deny statements in the same scope, the following rules apply:
> 1. If the client matches any deny statement, it is denied. Otherwise, move to step 2.
> 2. If the client matches any allow statement, it is allowed. Otherwise, move to step 3.
> 3. Denied.
> If only one type of statement (allow or deny) is given, the default for unmatched clients is the opposite of whichever statement type is used.
> If no allow or deny statement is in effect, the client is allowed.
> Obviously, mixing allow and deny is tricky and should only be done when necessary. I have seen a case or two where it is necessary, though.

One more detail:
To me it looks like there are two separate sets of allow/deny - one for
hosts and another for classes.

I used "allow <some class>" and it turned out that this had no effect on
my host statements, so I had to add a "deny unknown hosts" as well to
get the desired result.

> Regards,
> Chris Buxton
> On Feb 13, 2014, at 6:55 AM, Ole Holm Nielsen <Ole.H.Nielsen at> wrote:
>> Simon Hobson dhcp1 at wrote:
>>> Where you use an allow clause, anything not specifically allowed is denied, so you can do :
>>>  pool {
>>>    allow members of "tom";
>>>    allow members of "dick";
>>>    allow members of "harry";
>>>    range ...;
>>>  }
>>> which will allow members of those classes but nothing else.
>>> Do not be tempted to mix allow and deny - it doesn't work as most people would expect, it's been explained just how it does work a few times, but I can't remember. Simplest advice is "just don't" as it's not likely to give the result you expect.
>> I've been testing this now, and unfortunately it seems that you're right! Mixing allow/deny statements within a pool breaks completely any logic which I can see.
>> Where might this strange allow/deny behavior be documented? The DHCP Handbook 2nd ed. discusses on p. 344 various allow and deny statements, but has nothing to say about mixing them.
>> The dhcpd.conf man-page (ISC dhcp 4.1.1 that comes with RHEL 6.5) says quite the opposite from what you have explained:
>>> If both permit and deny lists exist for a pool, then only clients that match the permit list and do not match the deny list will be allowed access.
>> Confusion is apparently abundant!
>> -- 
>> Ole Holm Nielsen
>> Department of Physics, Technical University of Denmark
>> _______________________________________________
>> dhcp-users mailing list
>> dhcp-users at

Best regards

Sten Carlsen

No improvements come from shouting:
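
The three-step rule and the single-type defaults quoted in this message, modelled as an added Python example (not part of the original post and not ISC dhcpd code); the function names and sample clients are constructed for illustration. It also compares the mixed-case result with the dhcpd.conf man-page sentence quoted in the thread.

```python
# Model of the pool allow/deny rules exactly as stated in this thread.
# Added illustration; this is not ISC dhcpd source code.
from itertools import product

def pool_permits(matches_allow, matches_deny, has_allow, has_deny):
    """Decide access per the rules quoted from Chris Buxton's message.

    matches_allow / matches_deny: client matches any allow / deny statement.
    has_allow / has_deny: the pool contains any statement of that type.
    """
    if has_allow and has_deny:       # mixed scope: steps 1-3
        if matches_deny:
            return False             # 1. any deny match -> denied
        if matches_allow:
            return True              # 2. any allow match -> allowed
        return False                 # 3. denied
    if has_allow:                    # allow only: unmatched clients are denied
        return matches_allow
    if has_deny:                     # deny only: unmatched clients are allowed
        return not matches_deny
    return True                      # no statement in effect: allowed

def manpage_mixed(matches_allow, matches_deny):
    """The man-page sentence quoted in the thread, for a pool with both lists."""
    return matches_allow and not matches_deny

def compare_mixed():
    """Return every (allow, deny) match combination where the two readings differ."""
    return [(a, d) for a, d in product([False, True], repeat=2)
            if pool_permits(a, d, True, True) != manpage_mixed(a, d)]

# Constructed clients for a pool mixing an allow-class statement with a deny statement.
CLIENTS = {
    "in class, not denied": (True, False),
    "in class, also denied": (True, True),
    "no class, not denied": (False, False),
}

def evaluate_clients():
    """Apply the mixed-scope rules to each constructed client."""
    return {name: pool_permits(a, d, True, True) for name, (a, d) in CLIENTS.items()}

if __name__ == "__main__":
    for name, ok in evaluate_clients().items():
        print(f"{name:22} -> {'allowed' if ok else 'denied'}")
    print("differences from man-page wording:", compare_mixed())
```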

