
I am running a DHCP server on Debian Wheezy, with isc-dhcp-server. Because people were connecting unauthorized machines, my DHCP leases were running thin, and eventually, authorized machines could not connect to our network. So, I asked about blocking certain MAC addresses from even picking up an address via DHCP, and that helped.

I decided that I want to sort out the IP addresses here. We have 5 servers, 8 access points, 12 managed switches, between 20 and 30 printers, plus all the authorized clients. My goal is to leave the servers at their IPs (between .0.1 and .0.5, inclusive), then put the printers in the next range, then the other network equipment, leaving a subnet just for these static reservations.

I would like to then separate the IPs of different departments, based on their names. I have a subnet for one pool, just as a test, set up to go to 192.168.6.x, which is still inside the original subnet (192.168.0.0/19). I put the following into my /etc/dhcp/dhcpd.conf file:

class "dlc" {
        match if substring (option host-name,0,3) = "dlc";
}
class "DLC" {
        match if substring (option host-name,0,3) = "DLC";
}

subnet 192.168.0.0 netmask 255.255.224.0 {
        pool {
                deny members of "blacklist";
                allow members of "dlc";
                allow members of "DLC";
                range 192.168.6.1 192.168.6.50;
                # Other options not important
        }
}

The blacklist class relates to the previous question, blocking based on MACs. The machines in this test group all start with either DLC or dlc. I have one machine that is able to get an address into this range. I also changed the Lease Times to a much lower value than before:

default-lease-time 7200;
#default-lease-time 28800;
#max-lease-time 36000;
max-lease-time 14400;

My general pool is listed after this pool, which allows all clients, except those in the blacklist group. All within the same subnet range of 192.168.0.0/19. Eventually, every department will have its own group.

So, I looked for ways of expiring leases. I tried this answer of stopping the DHCP server, blowing away the leases file, then restarting it, but the machines are still claiming the same addresses. I do not mind if I need to go to the machines to run a script, as I can push programs or scripts out to client machines quite easily. All clients are either Windows 7 or 8.1.

What can I do to force machines that otherwise have a valid IP address to get a new one in my specific range? This is more for my own organization of the network, and to more easily recognize when rogue devices get connected.

Canadian Luke
  • It sure would be nice if this question were asked and answered in the Network Engineering site, but I realize you might likely just get a tumbleweed badge over there. – Paul Nov 26 '14 at 19:36
  • @Paul I'll flag for migration if I don't hear anything within the next few weeks. It's not a critical thing, just something that would make my life much easier. – Canadian Luke Nov 26 '14 at 19:38
  • Unplugging the network cable typically triggers a new DHCP request. Power cycling the switch should have a similar effect. – HBruijn Nov 26 '14 at 19:44
  • @HBruijn I'll give that a try tonight, and report back. I know that just unplugging and plugging the cable in does not work for our network, but I'll try resetting the switches. – Canadian Luke Nov 26 '14 at 19:49
  • Can you create a script to execute an ipconfig /release and ipconfig /renew, or alternatively, ask the DHCP client service to restart? – JasonAzze Nov 26 '14 at 20:23
  • I'd probably try the `ipconfig /release *` and `ipconfig /renew *`, since just restarting the DHCP Client service won't have it ask for a new address. – Canadian Luke Nov 26 '14 at 20:40
  • @Zoredache Not yet, but I'll try that and report back. That shouldn't kill the computers' connections during the work day, though :) – Canadian Luke Nov 26 '14 at 20:54
  • @Zoredache Want to make that an answer? It seems to have been solved now :) – Canadian Luke Nov 26 '14 at 22:51
  • I have added an answer, but feel free to add your own or edit mine with more details. I really don't use ISC-DHCP hardly at all. I was just making an educated guess about what might work. – Zoredache Nov 26 '14 at 22:56

1 Answer

I have never used pool members to filter which clients use which pools, but my quick suggestion is to simply make sure the clients you want to use a specific pool are prevented from using other pools, so that there should be no possibility of the clients getting an address from a pool other than the one you want.

So deny 'dlc' from using your main pool.

Zoredache
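What the question's pool and the answer's "deny 'dlc' from the main pool" look like together, as an added example rather than either poster's own file. It reuses the subnet, ranges and class names from the question; the "blacklist" subclass entry and the general pool's range are assumed placeholders, and because `option host-name` is sent by the client itself, the name-based classes only organise addressing while the MAC-based blacklist stays the control that keeps rogue devices out.

```conf
# Added example, not the poster's configuration. Lease times as in the question.
default-lease-time 7200;
max-lease-time 14400;

# MAC-based blacklist from the earlier question; the subclass entry below is a
# placeholder (hardware type 1 = Ethernet, followed by the MAC address).
class "blacklist" {
        match hardware;
}
subclass "blacklist" 1:00:11:22:33:44:55;

# option host-name is chosen by the client, so these classes are a
# convenience for address organisation, not an access control.
class "dlc" {
        match if substring (option host-name, 0, 3) = "dlc";
}
class "DLC" {
        match if substring (option host-name, 0, 3) = "DLC";
}

subnet 192.168.0.0 netmask 255.255.224.0 {
        # Department pool: only DLC/dlc hosts, and never a blacklisted MAC.
        # With allow statements present, only listed classes may use the pool.
        pool {
                deny members of "blacklist";
                allow members of "dlc";
                allow members of "DLC";
                range 192.168.6.1 192.168.6.50;
        }

        # General pool: everyone else. Denying the department classes here is
        # the answer's point: a DLC/dlc host can no longer be handed an address
        # from this pool, so a release/renew lands it in 192.168.6.x.
        pool {
                deny members of "blacklist";
                deny members of "dlc";
                deny members of "DLC";
                range 192.168.8.1 192.168.15.254;   # assumed general range
        }
}
```

Check the file with `dhcpd -t -cf /etc/dhcp/dhcpd.conf` before restarting the service; a client that still holds a general-pool lease keeps it until that lease is released or expires, which is why the `ipconfig /release` and `/renew` step from the comments is still needed.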