How to restrict Windows XP DHCP clients to a specific subnet?

Glenn Satchell glenn.satchell at
Fri Feb 14 12:01:26 UTC 2014

On Fri, February 14, 2014 7:52 pm, Ole Holm Nielsen wrote:
> Chris Buxton clists at wrote:
>> If you mix allow and deny statements in the same scope, the following
>> rules apply:
>> 1. If the client matches any deny statement, it is denied. Otherwise,
>> move to step 2.
>> 2. If the client matches any allow statement, it is allowed. Otherwise,
>> move to step 3.
>> 3. Denied.
>> If only one type of statement (allow or deny) is given, the default for
>> unmatched clients is the opposite of whichever statement type is used.
>> If no allow or deny statement is in effect, the client is allowed.
> Thank you so much for explaining this logic!  Did you glean this from
> the source code, or from somewhere else?
> Question: Where might this logic be documented properly (the ISC web
> page)?
> But then Sten Carlsen stenc at wrote:
>> To me it looks like there are two separate sets of allow/deny - one for
>> hosts and another for classes.
>> I used "allow <some class>" and it turned out that this had no effect on
>> my host statements, so I had to add a "deny unknown hosts" as well to
>> get the desired result.
> Chris, can you augment the logic which you explained so nicely including
> the simultaneous usage of host statements as well as classes?
> It seems to me that we need this as well: Most clients are defined in
> host statements, but the odd cases (such as soon-to-be-obsoleted Windows
> XP clients) must be treated using classes.

known hosts is a list that matches all hosts defined in host statements;
it doesn't matter if they have a fixed-address or not.

These hosts can also be a member of a class if they pass the match
requirement defined in the class.

known or unknown hosts are completely independent of class membership.

I hope I've made that clear :)
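
The evaluation order quoted above, combined with the point that known/unknown status and class membership are independent properties of a client, can be modelled as follows. This is an added example, not part of the original message and not ISC dhcpd source code; the `Client` type, the function names, the class name "xp" and the sample clients are constructed for illustration, and the target strings assume the dhcpd.conf permit forms `known-clients`, `unknown-clients` and `members of "class"`.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Client:
    known: bool                       # True if a host statement exists (fixed-address or not)
    classes: frozenset = frozenset()  # classes whose match requirement the client passes

def target_matches(target: str, client: Client) -> bool:
    """Evaluate one allow/deny target; 'known' and class tests never influence each other."""
    if target == "known-clients":
        return client.known
    if target == "unknown-clients":
        return not client.known
    if target.startswith("members of "):
        return target[len("members of "):].strip('"') in client.classes
    raise ValueError(f"unsupported target: {target}")

def pool_permits(allow: list, deny: list, client: Client) -> bool:
    """Apply the rules from the thread to the allow/deny statements of one scope."""
    if not allow and not deny:
        return True                   # no allow or deny statement in effect: allowed
    if any(target_matches(t, client) for t in deny):
        return False                  # step 1: any matching deny wins
    if allow:
        # step 2: any matching allow permits; step 3: otherwise denied
        return any(target_matches(t, client) for t in allow)
    return True                       # deny-only scope: unmatched clients are allowed

# Constructed sample clients: known/unknown crossed with membership of class "xp".
SAMPLES = {
    "known+xp":   Client(True,  frozenset({"xp"})),
    "known":      Client(True),
    "unknown+xp": Client(False, frozenset({"xp"})),
    "unknown":    Client(False),
}

def decision_table(allow: list, deny: list) -> dict:
    """Return {sample name: permitted?} for one scope's statements."""
    return {name: pool_permits(allow, deny, c) for name, c in SAMPLES.items()}

if __name__ == "__main__":
    # Restricted scope for the XP class, then a general scope that excludes it.
    print(decision_table(['members of "xp"'], []))
    print(decision_table(["known-clients"], ['members of "xp"']))
```
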


More information about the dhcp-users mailing list