How to restrict Windows XP DHCP clients to a specific subnet?

W.J.M. Nelis Wim.Nelis at nlr.nl
Fri Jan 31 13:20:09 UTC 2014


Hello,


> We run the ISC DHCP version 4.1.1 server that comes with Red Hat RHEL 6.5
> Linux.  We grant DHCP leases only to known hosts, and we have files with 
> declarations of host names and their MAC addresses to achieve this.
>
> We have a new challenge because we want to restrict all Windows XP PCs 
> (and we know who they are :-) to a specific VLAN subnet, where we want to 
> impose strict firewall rules.  If a user connects his XP PC to any other 
> VLAN subnet, the DHCP server must ignore this client.
>
> I've searched unsuccessfully for a dhcpd.conf configuration example 
> implementing this desired goal:
>
> 1. Define a subnet which *only* permits a certain list of host 
> declarations (i.e., my XP PCs) to get a lease.
>
> 2. In all other subnets, the XP PCs *must not* get a lease.

We are experimenting with an ISC DHCP configuration to achieve the goal you 
describe. Currently the following seems to do the job:

class "Claudus" {
         match hardware ;
         set client-class= "Claudus" ;
}

subclass "Claudus" 1:00:21:70:6f:2f:78 ;
subclass "Claudus" ......

subnet 10.0.0.0       netmask 255.255.255.0   {  # Claudus-net
         option routers                  10.0.0.1 ;
         pool {
                 allow members of "Claudus" ;
                 deny dynamic bootp clients ;
                 range 10.0.0.8      10.0.0.127 ;
         }
}

On *all* other pools define 'deny members of "Claudus"'. The result is that 
if a machine, mentioned in the subclass definition, requests an IP address 
in an allowed (and regulated) VLAN, an IP address is assigned. If this 
machine requests an IP address from any other VLAN, it will not get an IP 
address.


HTH,
   Wim Nelis.
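
The scheme in the reply above only holds while every other pool carries 'deny members of "Claudus"', which is easy to miss when a pool is added later. The following is an added example, not part of the original message and not ISC code: a small Python audit that lists the ranges in a dhcpd.conf from which a class member could still obtain a lease. The sample configuration, the function name audit and the 10.0.1.0/24 and 10.0.2.0/24 subnets are constructed for illustration; the parser assumes that '#', '{', '}' and ';' do not appear inside quoted strings.

```python
import re

CLASS = "Claudus"  # class name used in the post

# Constructed sample configuration (not from the post); 10.0.2.0/24 is misconfigured.
SAMPLE = '''
subnet 10.0.0.0 netmask 255.255.255.0 {   # restricted VLAN
    pool {
        allow members of "Claudus" ;
        range 10.0.0.8 10.0.0.127 ;
    }
}
subnet 10.0.1.0 netmask 255.255.255.0 {
    pool {
        deny members of "Claudus" ;
        range 10.0.1.8 10.0.1.127 ;
    }
}
subnet 10.0.2.0 netmask 255.255.255.0 {
    pool {                                # deny statement forgotten
        range 10.0.2.8 10.0.2.127 ;
    }
    range 10.0.2.200 10.0.2.220 ;         # range outside any pool block
}
'''

def audit(conf, cls=CLASS):
    """Return (ungated, bare): ranges in pools with no allow/deny for cls,
    and ranges declared outside any pool block."""
    gate = re.compile(r'(allow|deny) members of "%s"' % re.escape(cls))
    conf = re.sub(r"#[^\n]*", "", conf)            # strip comments
    stack, pools, bare = [], [], []
    for m in re.finditer(r"([^{};]*)([{};])", conf):
        text, sep = " ".join(m.group(1).split()), m.group(2)
        in_pool = bool(stack) and stack[-1] == "pool"
        if sep == "{":
            stack.append(text)
            if text == "pool":
                pools.append({"ranges": [], "gated": False})
        elif sep == "}":
            if stack:
                stack.pop()
        elif text.startswith("range "):
            (pools[-1]["ranges"] if in_pool else bare).append(text[6:])
        elif in_pool and gate.fullmatch(text):
            pools[-1]["gated"] = True
    ungated = [r for p in pools for r in p["ranges"] if not p["gated"]]
    return ungated, bare

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Both returned lists should be empty before a configuration is deployed; a range declared outside a pool block is reported separately because allow and deny statements belong to pool declarations, so such a range carries no restriction for the class.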






