How to restrict Windows XP DHCP clients to a specific subnet?

Sten Carlsen stenc at
Fri Feb 14 20:10:49 UTC 2014

On 14/02/14 20.51, Doug Barton wrote:
> On 02/14/2014 07:25 AM, Simon Hobson wrote:
>> Sten Carlsen <stenc at> wrote:
>>> They are, to my knowledge and experience, independent.
>>> I.e. you make the allow/deny setup for each, both as described.
>> I think the question was more ...
>> If the class allow/deny statements mean that a client should be
>> denied and the host (known host) allow/deny statements mean that it
>> should be allowed (or vice versa), which one takes effect ? One says
>> allow, the other says deny, one has to lose.
> I think y'all are making this too complicated. :)  In the case of
> wanting to allow only a certain thing (whether class or known hosts)
> it's simple. Anything not allowed is denied. There is no reason to mix
> allow and deny statements there.
> If you want to deny some things, but allow everything else, put the
> deny statements in. Everything else will be allowed.
Well, do remember that hosts and classes are independent and both must
be considered.

So the question was really:

host H1 {hardware 1:xxxxx}

class C1 { match hardware; }

subclass C1{ hardware 1:xxxxx;}

range {
allow C1;
Deny known-hosts;

Forget the syntax mistakes, but a host that matches both H1 and C1 will
be allowed/denied?

With different more complicated matching criteria for the class, this
could easily happen by mistake - so what will the result be?

> Or put more simply, if you are mixing allow and deny statements in the
> same stanza you are almost certainly doing it wrong.
> hope this helps,
> Doug
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at

Best regards

Sten Carlsen

No improvements come from shouting:


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the dhcp-users mailing list