How to restrict Windows XP DHCP clients to a specific subnet?

Ole Holm Nielsen Ole.H.Nielsen at
Fri Feb 14 08:52:13 UTC 2014

Chris Buxton clists at wrote:
> If you mix allow and deny statements in the same scope, the following rules apply:
> 1. If the client matches any deny statement, it is denied. Otherwise, move to step 2.
> 2. If the client matches any allow statement, it is allowed. Otherwise, move to step 3.
> 3. Denied.
> If only one type of statement (allow or deny) is given, the default for unmatched clients is the opposite of whichever statement type is used.
> If no allow or deny statement is in effect, the client is allowed.

Thank you so much for explaining this logic!  Did you glean this from 
the source code, or from somewhere else?

Question: Where might this logic be documented properly (the ISC web page)?

But then Sten Carlsen stenc at wrote:
> To me it looks like there are two separate sets of allow/deny - one for
> hosts and another for classes.
> I used "allow <some class>" and it turned out that this had no effect on
> my host statements, so I had to add a "deny unknown hosts" as well to
> get the desired result.

Chris, can you augment the logic which you explained so nicely including 
the simultaneous usage of host statements as well as classes?

It seems to me what we need this as well: Most clients are defined in 
host statements, but the odd cases (such as soon-to-be-obsoleted Windows 
XP clients) must be treated using classes.

Thanks a lot,

Ole Holm Nielsen
Department of Physics, Technical University of Denmark

More information about the dhcp-users mailing list