How to deny classless clients instead of unknown-clients.

Marcio Merlone marcio.merlone at a1.ind.br
Tue Feb 18 19:57:33 UTC 2020


On 18/02/2020 15:19, Simon Hobson wrote:
> Marcio Merlone <marcio.merlone at a1.ind.br> wrote:
>> I am running isc-dhcp-server 4.3.5-3ubuntu7.1 and want to deny classless clients. I have tried "deny unknown-clients", but if I do not have a host declaration then the host is unknown even if it has a subclass declaration.
>>
>> To illustrate:
>>
>> class "clsFoo" {
>>      match pick-first-value (option dhcp-client-identifier, hardware);
>> }
>> subnet 192.168.0.0 netmask 255.255.255.0 {
>>
>> pool {
>>     deny unknown-clients;
>>     allow members of "clsFoo";
>>     range 192.168.0.30 192.168.0.200;
>> }
>> }
>>
>> subclass "clsFoo" 1:xx:xx:xx:12:34:56;
>>
>> In such a config, clsFoo above gets denied. Is there a way to consider a non-declared subclass an unknown host? Any workaround or other way to do it besides duplicating all subclasses as host declarations?
> So to be clear, you want members of clsFoo to get a lease, and other clients to be denied?

Yes, kind of, I plan on having another pool for unknown-clients, like this:

subnet ...{
pool {
    allow members of "clsFoo";
    range 192.168.0.30 192.168.0.200;
}
}

subnet ...{
pool {
    allow unknown-clients;
    range 10.0.0.30 10.0.0.200;
}
}


> The first thing to say is DO NOT MIX ALLOW AND DENY in one pool. It can be done, but the way it is processed is non-intuitive (and TBH I can't remember how it works) so is best avoided.

Thanks for the tip. But from experience I usually have to add an explicit 
deny clause to avoid unwanted clients.


> Where there is an allow statement, anything not allowed by the allow statement(s) in the pool will be denied, and similarly with deny statements: anything not denied is allowed.

Not true in my experience, see below.


> So :
> pool {
>     allow members of "clsFoo";
>     range 192.168.0.30 192.168.0.200;
> }
> should be sufficient. Members of clsFoo will be allowed, anything else will be denied.

I commented out all deny lines, keeping just the allow lines for all pools. Yet, 
an unknown client just got an IP from the clsFoo pool.

I cannot invert this logic: none of my clients are "known", but they are classy. 
Shouldn't a subclass definition make that a known host? I'm itching to open 
a feature request.


> It gets trickier when you have more than one class, and want to have a pool for "anything else". In that case you would need :
>
> pool {
>    deny members of "a";
>    deny members of "b";
>    ...
>    range ...
> }

That's the case, I have 4 classes, one pool for each, plus another pool 
for unknown-clients. But no luck yet.


-- 
*Marcio Merlone*
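As an added example (not configuration from either poster), here is the layout Simon describes written out as a complete dhcpd.conf fragment: one allow-only pool per class and a deny-only "anything else" pool, so allow and deny are never mixed in one pool. It assumes both ranges sit on the same segment and so are wrapped in a shared-network; the class name clsBar, the subnet options and the subclass identifiers are placeholders.

```conf
# Added example, not from the thread. Class clsFoo and the two ranges come
# from the thread; clsBar, the routers and the MAC values are constructed.
class "clsFoo" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}
class "clsBar" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}

# Constructed subclass entries: leading "1:" is the Ethernet hardware type.
subclass "clsFoo" 1:00:11:22:33:44:55;
subclass "clsBar" 1:00:11:22:33:44:66;

# Assumption: both subnets are on one wire, so they share a network.
shared-network lan {
    subnet 192.168.0.0 netmask 255.255.255.0 {
        option routers 192.168.0.1;
        pool {
            # allow only: clients that are not clsFoo members get nothing here
            allow members of "clsFoo";
            range 192.168.0.30 192.168.0.100;
        }
        pool {
            allow members of "clsBar";
            range 192.168.0.101 192.168.0.200;
        }
    }

    subnet 10.0.0.0 netmask 255.255.255.0 {
        option routers 10.0.0.1;
        pool {
            # "anything else": deny only, one line per class. This pool does
            # not use unknown-clients, because that keyword refers to clients
            # without a host declaration and would also match class members.
            deny members of "clsFoo";
            deny members of "clsBar";
            range 10.0.0.30 10.0.0.200;
        }
    }
}
```

Run `dhcpd -t -cf dhcpd.conf` to syntax-check before reloading; a client whose identifier matches no subclass should then only ever appear in the 10.0.0.0/24 leases.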

