ISC DHCP - Allow/Deny/Ignore Declarations
Allow, deny, and ignore declarations may be configured globally or within given topological declarations to govern server behavior accordingly. These particular declarations are broken down into those that can be declared within pool scopes and those that apply to scopes of all other types.
Pool-Level Allow/Deny Declarations
These declarations govern the assignment of an address from a given pool based on the client types defined below.
- known-clients – a known client is one that has a host declaration within the configuration file. The allow known-clients declaration allows the assignment of an address within a pool to a client if it has a host declaration; deny known-clients will disallow assignment of an address to a client with a host declaration from the pool.
- unknown-clients – an unknown client does not have a host declaration within the configuration file. The allow unknown-clients declaration allows the assignment of an address within a pool to a client if it does not have a host declaration; deny unknown-clients will disallow assignment of an address to a client that does not have a host declaration from the pool.
- members of “class” – this declaration is used to define whether addresses within this pool can be assigned to members matching the specified class definition (allow) or not (deny).
allow members of “class”;
deny members of “class”;
Where class is the class name of a class declaration defining its members via match statements.
- dynamic bootp clients – this declaration allows or denies address assignment from this pool for BOOTP clients.
allow dynamic bootp clients;
deny dynamic bootp clients;
- all clients – this declaration allow or denies address allocation from this pool for all (any) clients. Denying all clients can be used to define a pool that is not yet turned up in production. Flipping the definition to allow then brings it online in the server.
allow all clients;
deny all clients;
- after time – this declaration with allow or deny keywords enables or disables respectively address allocation from this pool at or after a specified point in time. This declaration is useful for moving clients from one pool to another. The deny after time could be used on the pool from which clients are being moved; the DHCP server will modify the lease time to be the time specified plus the min-lease-time option value.
The allow after time declaration would be defined on the pool to which the clients are being moved, configuring the DHCP server to service clients with leases only after time. The time parameter is formatted as a UTC (coordinated universal time) time string; e.g., 2008-03-17 08:27:32 -0500.
allow after time;
deny after time;
Non-Pool-Level Allow/Deny Declarations
These declaration statements should not be used within pool blocks but may be used globally or within other topological declarations statements unless otherwise specified.
- bootp – use of allow bootp enables the processing of BOOTP clients by the DHCP server, which is the default behavior. Both deny and ignore actions disallow bootp clients in this context, but the use of deny will enable logging of the denial, while ignore will not log the event.
- booting – this declaration type only applies within host declarations and configures the DHCP server to respond to the corresponding host’s request (allow) or to deny the request with logging (deny) or without (ignore).
- duplicates – this declaration enables or disables the assignment of multiple IP addresses to a given host (MAC address). If deny duplicates is configured, when a client requests a lease from a server that has a host declaration matching the client’s MAC address , the server will assign the address but all other leases associated with that MAC address will be discarded. ignore duplicates is not defined.
- declines – this declaration determines whether the DHCP server will honor client DHCPDECLINE messages. When the server receives a DHCPDECLINE message, it may indicate that the offered address was invalid or otherwise in use, so the server marks the address as unavailable. However, a malicious or buggy client could rifle through the entire pool and render its addresses unavailable to legitimate clients. Therefore, the deny declines configures the server to not respond to DHCPDECLINE messages.
- client-updates – this declaration configures the server to honor or deny the client’s intention to update its own A record in DNS. This will be discussed further in the section on dynamic DNS. ignore client-updates is not defined.
- leasequery – when used with the allow keyword, this declaration configures the server to answer DHCP LeaseQuery messages. DHCP LeaseQuery enables an external device to query the DHCP server regarding the lease state for a specified hardware address. The deny keyword configures the DHCP server to not respond to DHCP LeaseQuery messages.