How to deny classless clients instead of unknown-clients.
Marcio Merlone
marcio.merlone at a1.ind.br
Tue Feb 18 19:57:33 UTC 2020
On 18/02/2020 15:19, Simon Hobson wrote:
> Marcio Merlone <marcio.merlone at a1.ind.br> wrote:
>> I am running isc-dhcp-server 4.3.5-3ubuntu7.1 and want to deny classless clients. I have tried "deny unknown-clients", but if I do not have a host declaration then the host is unknown even if it has a subclass declaration.
>>
>> To illustrate:
>>
>> class "clsFoo" {
>> match pick-first-value (option dhcp-client-identifier, hardware);
>> }
>> subnet 192.168.0.0 netmask 255.255.255.0 {
>>
>> pool {
>> deny unknown-clients;
>> allow members of "clsFoo";
>> range 192.168.0.30 192.168.0.200;
>> }
>> }
>>
>> subclass "clsFoo" 1:xx:xx:xx:12:34:56;
>>
>> In such a config, clsFoo above gets denied. Is there a way to treat a non-declared subclass as an unknown host? Any workaround or other way to do it besides duplicating all subclasses as host declarations?
> So to be clear, you want members of clsFoo to get a lease, and other clients to be denied ?
Yes, kind of, I plan on having another pool for unknown-clients, like this:
subnet ...{
pool {
allow members of "clsFoo";
range 192.168.0.30 192.168.0.200;
}
}
subnet ...{
pool {
allow unknown-clients;
range 10.0.0.30 10.0.0.200;
}
}
> The first thing to say is DO NOT MIX ALLOW AND DENY in one pool. It can be done, but the way it is processed is non-intuitive (and TBH I can't remember how it works) so is best avoided.
Tks for the tip. But I usually have to add an explicit deny clause to
avoid unwanted clients by experience.
> Where there is an allow statement, anything not allowed by allow statement(s) in the pool will be denied - and similarly with deny statements and anything not denied is allowed.
Not true in my experience, see below.
> So :
> pool {
> allow members of "clsFoo";
> range 192.168.0.30 192.168.0.200;
> }
> should be sufficient. Members of clsFoo will be allowed, anything else will be denied.
I commented out all deny lines, keeping just allow for all pools. Yet,
an unknown-client just got an IP from the clsFoo pool.
I cannot invert this logic, none of my clients are "known", but classy.
Shouldn't a subclass definition make that a known host? Itching to open
a feature request.
> It gets trickier when you have more than one class, and want to have a pool for "anything else". In that case you would need :
>
> pool {
> deny members of "a";
> deny members of "b";
> ...
> range ...
> }
That's the case, I have 4 classes, one pool for each, plus another pool
for unknown-clients. But no luck yet.
--
*Marcio Merlone*
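For reference, here is a complete dhcpd.conf layout built along the lines Simon describes: one allow-only pool per class, and a deny-only catch-all pool that lists every class. This is an added example, not a config from the thread or from ISC; the class names, address ranges, the shared-network wrapper (assumed so that both subnets serve the same segment, as the two "subnet ..." blocks above suggest) and the subclass keys are all placeholders.

```dhcpd
# Added example, not from the thread. Names, ranges and MACs are placeholders.
# Each pool carries only allow statements or only deny statements, never both.

class "clsFoo" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}
class "clsBar" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}

# One subclass per device. The "1:" prefix is the hardware-type byte that
# the "hardware" operand in the match expression produces.
subclass "clsFoo" 1:00:11:22:33:44:55;   # placeholder MAC
subclass "clsBar" 1:00:11:22:33:44:66;   # placeholder MAC

# Assumed: both subnets are on the same wire, so they are grouped in a
# shared-network and the class/deny permits decide which pool answers.
shared-network lan0 {

    # Pools for classified clients: allow only.
    subnet 192.168.0.0 netmask 255.255.255.0 {
        pool {
            allow members of "clsFoo";
            range 192.168.0.30 192.168.0.100;
        }
        pool {
            allow members of "clsBar";
            range 192.168.0.101 192.168.0.200;
        }
    }

    # Catch-all pool for everything not in a class: deny only.
    # "allow unknown-clients" would not isolate these, because "known" in
    # dhcpd means "has a host declaration", which subclass members also lack.
    subnet 10.0.0.0 netmask 255.255.255.0 {
        pool {
            deny members of "clsFoo";
            deny members of "clsBar";
            range 10.0.0.30 10.0.0.200;
        }
    }
}
```

Run `dhcpd -t -cf /etc/dhcp/dhcpd.conf` to syntax-check the file before restarting the server; with more classes, add one `deny members of` line per class to the catch-all pool so that a new class never silently falls through into the unclassified range.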