<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFCC" text="#000000">
<br>
<div class="moz-cite-prefix">On 14/02/14 23.50, Chris Buxton wrote:<br>
</div>
<blockquote
cite="mid:DB37DB0F-CDE6-4A54-9375-27A4E3D0958D@buxtonfamily.us"
type="cite">
<pre wrap="">On Feb 14, 2014, at 4:01 AM, Glenn Satchell <a class="moz-txt-link-rfc2396E" href="mailto:glenn.satchell@uniq.com.au"><glenn.satchell@uniq.com.au></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Fri, February 14, 2014 7:52 pm, Ole Holm Nielsen wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Chris, can you augment the logic which you explained so nicely including
the simultaneous usage of host statements as well as classes?
It seems to me what we need this as well: Most clients are defined in
host statements, but the odd cases (such as soon-to-be-obsoleted Windows
XP clients) must be treated using classes.
</pre>
</blockquote>
<pre wrap="">
known hosts is a list that matches all hosts defined in host statements,
doesn't matter if they have a fixed-address or not.
</pre>
</blockquote>
<pre wrap="">
That’s not the entire story. I’m not sure of the particulars, but my company’s developers have figured out an OMAPI command that makes a MAC address get treated as a known host, without adding a host statement.
Don’t think of allow and deny for hosts and classes as two separate things. If the client is denied by “deny known-hosts”, then it is denied. Period. No amount of allowing members of some other class is going to override that.</pre>
</blockquote>
I did check what I did when I set my present system up; it still
does not make sense to me if your explanations are correct. (I
don't say they are wrong, but I don't see the connection.)<br>
<br>
I have 2 classes with match hardware and a number of subclass
statements to go with them. I also have a number of host statements
with hardware addresses and a fixed address.<br>
<br>
I have 3 ranges, one for each class and one for unknown hosts. So I
thought the following should be fine:<br>
<br>
range-1 allow members of class-1<br>
range-2 allow members of class-2<br>
range-3 allow unknown-hosts<br>
<br>
I expected that everything not allowed would be denied, so members
of class-1 were not allowed in range-3.<br>
<br>
What I found was that my members of the classes would get IPs in
range-3. To make it work as expected, I had to use deny statements
for members of class-1, class-2 and known-hosts in range-3.<br>
<br>
This contradicts the common understanding that allowing one thing
means everything else is denied?<br>
<blockquote
cite="mid:DB37DB0F-CDE6-4A54-9375-27A4E3D0958D@buxtonfamily.us"
type="cite">
<pre wrap="">
In one case where we do require use of both allow and deny together, a client is a known host but is also classed into a blacklist class. (The blacklist class matches on hardware address, and the client’s hardware address is a subclass of that.) We end up allowing known-hosts but also denying the blacklist class in order to achieve the effect we want, because members of that blacklist class can be known hosts. The deny statement on the class overrides the allow statement covering known hosts, for clients that have been blacklisted.
Regards,
Chris Buxton
_______________________________________________
dhcp-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:dhcp-users@lists.isc.org">dhcp-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/dhcp-users">https://lists.isc.org/mailman/listinfo/dhcp-users</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
</pre>
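<br>
The layout described in the message above, written out as an ISC dhcpd.conf fragment. This is an added illustration, not configuration posted by anyone in the thread; the class names, MAC addresses, host names and the 192.0.2.0/24 addresses are made up for the example. The third pool carries the explicit deny lines the author found necessary; the comments state the pool permit/deny semantics from the dhcpd.conf manual, where "known" means the client has a host declaration, independent of any class it may be in.<br>
<br>
```conf
# Constructed example: two hardware-matched classes, each populated via
# subclass statements (the "1:" prefix marks an Ethernet hardware type).
class "class-1" {
    match hardware;
}
subclass "class-1" 1:00:11:22:33:44:55;
subclass "class-1" 1:00:11:22:33:44:56;

class "class-2" {
    match hardware;
}
subclass "class-2" 1:00:11:22:33:44:77;

# Host statements make a client "known". A client with a fixed-address
# never draws from a dynamic pool at all.
host printer-1 {
    hardware ethernet 00:11:22:33:44:66;
    fixed-address 192.0.2.66;
}

subnet 192.0.2.0 netmask 255.255.255.0 {
    option routers 192.0.2.1;

    # range-1: permit list only. A pool with a permit list hands out
    # addresses only to clients matching at least one allow entry.
    pool {
        range 192.0.2.10 192.0.2.49;
        allow members of "class-1";
    }

    # range-2: same pattern for the second class.
    pool {
        range 192.0.2.50 192.0.2.89;
        allow members of "class-2";
    }

    # range-3: the catch-all for clients without a host statement.
    # Class membership does not make a client "known", so a class-1 or
    # class-2 client that has no host statement still matches
    # "allow unknown-clients" here. The deny list is evaluated as well:
    # a client must match the permit list AND match no deny entry, which
    # is what keeps class members out of this pool.
    pool {
        range 192.0.2.100 192.0.2.199;
        allow unknown-clients;
        deny members of "class-1";
        deny members of "class-2";
        deny known-clients;
    }
}
```
<br>
The order of pools does not express priority; each pool is filtered independently by its own permit and deny lists. The last deny line is redundant with "allow unknown-clients" (a known client cannot match that permit entry) and is kept only because the message lists it.<br>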
</body>
</html>