How to restrict Windows XP DHCP clients to a specific subnet?

John Wobus jw354 at
Fri Feb 14 21:35:13 UTC 2014

> So the question was really:
> Given:
> host H1 {hardware 1:xxxxx}
> class C1 { match hardware; }
> subclass C1{ hardware 1:xxxxx;}
> range {
> allow C1;
> Deny known-hosts;
> }
> Forget the syntax mistakes, but a host that matches both H1 and C1  
> will be allowed/denied?
> With different more complicated matching criteria for the class,  
> this could easily happen by mistake - so what will the result be?

As far as I know, the man page's rule, which Chris Buxton very nicely
put into alternate words, determines the outcome.

"Deny known-hosts", being a "deny statement", overrides anything else  
so host H1 is denied.
Host H1 has a host statement, which is what makes it fall under 'known- 

The "independence" of 'host' and  'class' statements is that they don't
override each other regarding whether a host is known/unknown
or is/not a member of a particular class.  No effect.
But the deny/allow statement precedence applies equally.

I've managed to avoid mixing allows and denies but I've seen
cases where it looked to me like mixing would be required.  Fortunately,
the man page explains the effect of mixing.

John Wobus
Cornell U IT
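
The precedence discussed in this thread, as an added example that is not part of the original message or of ISC dhcpd: a small Python model of the dhcpd.conf(5) rule that a client matching any deny entry is refused, and that a pool with an allow list additionally requires a match on it. Client, Pool, matches, eligible and decisions are hypothetical names, the sample clients are constructed, and the model uses the dhcpd.conf keyword `known-clients` where the quoted sketch wrote "known-hosts".

```python
# Added illustration (hypothetical names, not ISC code): pool allow/deny rule.
from dataclasses import dataclass, field


@dataclass
class Client:
    name: str
    known: bool  # True when a host declaration matches the client
    classes: set = field(default_factory=set)


@dataclass
class Pool:
    allow: list = field(default_factory=list)  # permit list
    deny: list = field(default_factory=list)   # prohibit list


def matches(client, entry):
    """Evaluate one allow/deny entry against a client."""
    if entry == "known-clients":
        return client.known
    if entry == "unknown-clients":
        return not client.known
    if entry.startswith("members of "):
        return entry[len("members of "):].strip('"') in client.classes
    raise ValueError(f"entry not modelled: {entry}")


def eligible(client, pool):
    """Any deny match excludes; if an allow list exists, one match is required."""
    if any(matches(client, e) for e in pool.deny):
        return False
    return not pool.allow or any(matches(client, e) for e in pool.allow)


# Constructed sample data: H1 has a host statement and is also in class C1.
POOL = Pool(allow=['members of "C1"'], deny=["known-clients"])
CLIENTS = [
    Client("H1", known=True, classes={"C1"}),
    Client("unregistered-in-C1", known=False, classes={"C1"}),
    Client("registered-no-class", known=True),
    Client("stranger", known=False),
]


def decisions(pool=POOL, clients=CLIENTS):
    return {c.name: eligible(c, pool) for c in clients}
```

Only the client that is in C1 and has no host statement is eligible for this pool, so adding a host declaration for an existing class member silently removes it from the pool.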
