How to restrict Windows XP DHCP clients to a specific subnet?

Glenn Satchell glenn.satchell at
Sat Feb 15 10:12:18 UTC 2014

On Sat, February 15, 2014 12:21 pm, Sten Carlsen wrote:
> On 14/02/14 23.50, Chris Buxton wrote:
>> On Feb 14, 2014, at 4:01 AM, Glenn Satchell <glenn.satchell at>
>> wrote:
>>> On Fri, February 14, 2014 7:52 pm, Ole Holm Nielsen wrote:
>>>> Chris, can you augment the logic which you explained so nicely
>>>> including
>>>> the simultaneous usage of host statements as well as classes?
>>>> It seems to me what we need this as well: Most clients are defined in
>>>> host statements, but the odd cases (such as soon-to-be-obsoleted
>>>> Windows
>>>> XP clients) must be treated using classes.
>>> known hosts is a list that matches all hosts defined in host
>>> statements,
>>> doesn't matter if they have a fixed-address or not.
>> That’s not the entire story. I’m not sure of the particulars, but my
>> company’s developers have figured out an OMAPI command that makes a MAC
>> address get treated as a known host, without adding a host statement.
>> Don’t think of allow and deny for hosts and classes as two separate
>> things. If the client is denied by “deny known-hosts”, then it is
>> denied. Period. No amount of allowing members of some other class is
>> going to override that.
> I did check what I did when I set my present system up, it still does
> not make sense to me if your explanations are correct. ( I don't say
> they are wrong, but I don't see the connection)
> I have 2 classes with match hardware and a number of subclass statements
> to go with them. I also have a number of host statements with hardware
> addresses and a fixed address.
> I have 3 ranges, one for each class and one for unknown hosts. So I
> thought the following should be fine:
> range-1  allow members of class-1
> range-2  allow members of class-2
> range-3  allow unknown-hosts
> I expected that everything not allowed would be denied, so members of
> class-1 were not allowed in range-3.
> What I found was that my members of the classes would get IPs in
> range-3. To make it work as expected, I had to use deny statements for
> members of class-1, class-2 and known-hosts in range-3.
> This contradicts the common understanding that allowing one thing means
> everything else is denied?

A single client can be a member of many classes. In this case it is
possible to be a member of class-1 and also be an unknown-host. Then it
would be allowed to get an IP from either pool. Which one that might be is
not clearly defined.


More information about the dhcp-users mailing list