To further control how the appliance allocates IPv4 or IPv6 addresses to DHCP client requests, you can apply DHCP filters to determine the following:

...

You can apply any DHCP filter to the Class Filter List of a DHCP range or range template. The appliance uses the matching rules of these filters to select the address range from which it assigns a lease. You can define permissions for these filters to instruct the appliance whether to grant or deny a lease to the matching client. When you add a filter with a grant permission, the client must match the filter criteria to receive a lease. When you define a filter with a deny permission, clients that do not match the filter criteria still receive leases. Only the client that matches the filter criteria is denied a lease.
Filters in the Class Filter List correspond to the class statement generated in the dhcpd configuration file, which is a classification of the client packet. All DHCP clients that match the option filter and relay agent filter criteria become members of the same class and are eligible to receive DHCP options for that class, regardless of the networks in which the clients reside. However, a client can only become a member of the MAC or NAC filter class when it is granted a lease from the DHCP range based on the filter criteria. Whether a client receives specific options and option values depends on the hierarchy of the options and how you apply the filters. For information about how the appliance returns DHCP options, see Adding Filters to the Logic Filter List.

Adding Filters to the Logic Filter List

...

Notes

  • The appliance allows you to add an empty IPv4 logic filter at the end of the logic filter list, which means that you can add an IPv4 logic filter without defining DHCP options in it. In addition, you can change the order of the filters in the logic filter list.

  • When a range has multiple class filters assigned to it, if any of the filters deny a lease to a client, then the client will not get a lease even if another class filter allows it. 

The appliance decides which options and values to return to a client based on the following:

...

For more information about how the appliance grants and denies leases to requesting clients and determines which DHCP options to return to the matching clients, see Configuration Example: Using the Class and Logic Filter Lists below.
To apply filters:

  1. Grid: From the Data Management tab -> DHCP tab, select Grid DHCP Properties from the Toolbar.
    Member: From the Data Management tab, select the DHCP tab -> Members tab -> member checkbox -> Edit icon.
    Network: From the Data Management tab, select the DHCP tab -> Networks tab -> Networks -> network checkbox, and then click the Edit icon.
    DHCP Range: From the Data Management tab, select the DHCP tab -> Networks tab -> Networks -> network -> addr_range checkbox, and then click the Edit icon.
    Fixed Address: From the Data Management tab, select the DHCP tab -> Networks tab -> Networks -> network -> fixed_address checkbox, and then click the Edit icon.
    IPv4 Reservation: From the Data Management tab, select the DHCP tab -> Networks tab -> Networks -> network -> reservation checkbox, and then click the Edit icon.
    Host Address: From the Data Management tab, select the DHCP tab -> Networks tab -> Networks -> network -> host_record checkbox, and then click the Edit icon. Select the host IP address, and then click the Edit icon.
    IPv4 Network or Fixed Address Template: From the Data Management tab, select the DHCP tab -> Templates tab -> (IPv4 network or fixed address) template checkbox, and then click the Edit icon.

  2. In the editor, click Toggle Advanced Mode, and then select the Filters tab.

  3. Logic Filter List: You can keep the inherited IPv4 logic filters or override them. To override the value that has been inherited from the upper level, click Override. Click the Add icon to add a filter to match a client based on the match rules defined in the filter. 
    If you have only one configured DHCP filter, the appliance displays the filter in the table. Otherwise, in the DHCP Filter Selector dialog box, click the filter you want to add. Use SHIFT+click and CTRL+click to select multiple filters.

  4. Complete the following to add the Class Filter to a DHCP address range:

    • Click the Add icon to add a filter to identify the class of a matching client, and to grant or deny a lease to a client. For more information, see Adding Filters to the Class Filter List above.

      If you have only one configured DHCP filter, the appliance displays the filter in the table. Otherwise, in the DHCP Filter Selector dialog box, click the filter you want to add. Use SHIFT+click and CTRL+click to select multiple filters.
      For each filter you add, click the Action column and select one of the following from the drop-down list:

    • Grant lease:
      For MAC address filters: Select this to assign an IP address from the address range to a requesting host whose MAC address matches the MAC address in the filter.
      For relay agent filters: Select this to assign an IP address from the address range when one or both of the relay agent identifiers of the requesting host match the filter criteria.
      For option filters: Select this to assign an IP address from the address range to a requesting host whose DHCP options match the DHCP options and match rules defined in the filter.
      For NAC filters: Select this to assign an IP address from the address range to a requesting host based on the authentication results from a RADIUS authentication server group.
      For DHCP fingerprint filters: Select this to grant a lease from the address range to a requesting host whose DHCP fingerprint matches the DHCP fingerprint in the filter.

    • Deny lease:
      For MAC address filters: Select this to deny an address request from a host whose MAC address matches a MAC address in the filter.
      For relay agent filters: Select this to deny an address request when one or both relay agent identifiers match the filter criteria in the filter.
      For option filters: Select this to deny an address request from a host whose DHCP options match the options and match rules in the filter.
      For NAC filters: Select this to deny an address request from a host based on the authentication results from a RADIUS authentication server group.
      For DHCP fingerprint filters: Select this to deny a lease request when the DHCP fingerprint of the requesting host matches the DHCP fingerprint in the filter.
      The appliance uses filters in both the Class Filter and Logic Filter lists to determine the DHCP options and values it returns to the matching clients.

Note

You can only add a filter that does not contain any match rules as the last filter in the Logic Filter List.
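
The grant and deny rules for the Class Filter List described above, modelled as an added example. This is not Infoblox code and not part of the original page; the function names and client dictionaries are hypothetical. The MAC address and the substring match rule are taken from the configuration example on this page, while the `DenyMSFT` deny filter is constructed for the demonstration. It assumes that when several grant filters are present, matching any one of them is enough.

```python
# Model of the Class Filter List lease decision (illustrative, not appliance code).

def mac_rule(*macs):
    """Match rule of a MAC address filter: exact, case-insensitive match."""
    allowed = {m.lower() for m in macs}
    return lambda client: client["mac"].lower() in allowed

def substring_rule(option, offset, length, value):
    """Match rule of an option filter, e.g. (vendor-class-identifier,0,4="MSFT")."""
    def match(client):
        data = client["options"].get(option, "")
        return data[offset:offset + length] == value
    return match

def lease_decision(client, class_filters):
    """class_filters: list of (name, rule, action); action is 'grant' or 'deny'."""
    # A matching deny filter wins, even if a grant filter also matches.
    for name, rule, action in class_filters:
        if action == "deny" and rule(client):
            return (False, f"denied by {name}")
    grants = [(n, r) for n, r, a in class_filters if a == "grant"]
    if grants:
        # With grant filters present, the client must match one of them
        # (assumption: any single matching grant filter is sufficient).
        for name, rule in grants:
            if rule(client):
                return (True, f"granted by {name}")
        return (False, "no grant filter matched")
    # Only deny filters (or none) and none matched: the lease is allowed.
    return (True, "no deny filter matched")

# Filters: MAC1 uses the page's MAC address; DenyMSFT is constructed.
MAC1 = ("MAC1", mac_rule("AB:DE:CC:DD:EE:01"), "grant")
DENY_MSFT = ("DenyMSFT",
             substring_rule("vendor-class-identifier", 0, 4, "MSFT"), "deny")

# Constructed sample clients.
KNOWN = {"mac": "ab:de:cc:dd:ee:01",
         "options": {"vendor-class-identifier": "MSFT 5.0"}}
OTHER = {"mac": "00:11:22:33:44:55",
         "options": {"vendor-class-identifier": "udhcp 1.30"}}

if __name__ == "__main__":
    cases = [("grant MAC1", [MAC1]), ("deny DenyMSFT", [DENY_MSFT]),
             ("grant MAC1 + deny DenyMSFT", [MAC1, DENY_MSFT])]
    for label, filters in cases:
        for client in (KNOWN, OTHER):
            print(label, client["mac"], lease_decision(client, filters))
```

The third case shows the rule from the Notes: the client whose MAC address matches MAC1 is still refused because a deny filter on the same range also matches it.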

...

The following example shows you how to define DHCP filters and apply them to the class and logic filter lists. It also shows you the DHCP configuration file that is generated based on the configuration.
In this example, you first define a MAC filter, two option filters (one without match rules), and a NAC filter, and then apply the MAC filter to the Class Filter List and the other filters to the Logic Filter List of the address range 10.34.34.6 - 10.34.34.55.

  1. Configure and save a MAC filter as follows. For more information, see Defining MAC Address Filters.

    1. From the Data Management tab, select the DHCP tab -> Filters tab, and then expand the Toolbar and click Add -> IPv4 MAC Address Filter.

    2. In the Add IPv4 MAC Filter wizard, complete the following:

      • Name: Enter MAC1.

    3. Click Next and complete the following to define the DHCP options to return to the matching client:

      • Lease Time: Enter 1234 and select seconds from the drop-down list.
        Options to Merge with Object Options: Click the Add icon. Grid Manager adds a new row to the table with the default DHCP option space and option name displayed. Complete the following:

      • Option Name: Click the down arrow and select log-server(7) from the drop-down list.

      • Value: Enter 10.34.34.3 as the value for the log-server option that is sent to the client in the OFFER/ACK message.

    4. Save the configuration.

  2. Add a MAC address filter item as follows. For more information, see Adding MAC Address Filter Items.

    1. From the Data Management tab, select the DHCP tab -> Filters tab, and then expand the Toolbar and click Add -> IPv4 MAC Address Filter Item.

    2. In the Add IPv4 MAC Address Filter Item wizard, complete the following:

      • MAC Address Filter: Click Select Filter. In the DHCP Filter Selector dialog box, click MAC1.

      • MAC Address: Enter AB:DE:CC:DD:EE:01 as the MAC address.

    3. Save the configuration.

  3. Configure and save an option filter with match rules as follows. For more information, see Defining Option Filters.

    1. From the Data Management tab, select the DHCP tab -> Filters tab, and then expand the Toolbar and click Add -> IPv4 / IPv6 Option Filter.

    2. In the Add IPv4 Option Filter wizard, complete the following:

      • Name: Enter Option1.

    3. Click Next and complete the following to add match rules:

      • In the first drop-down list, select vendor-class-identifier.

      • In the second drop-down list, select substring equals, and then enter the following:

        • Offset: Enter 0 to match the value starting at the first character of the option data.

        • Length: Enter 4.

        • Enter MSFT as the matching value.
          Click Preview and the appliance displays the expression: (vendor-class-identifier,0,4="MSFT").

    4. Click Next and complete the following to define the DHCP options to return to the matching client:
      Options to Merge with Object Options: Click the Add icon. Grid Manager adds a new row to the table with the default DHCP option space and option name displayed. Complete the following:

      • Option Name: Click the down arrow and from the drop-down list, select time-server(4).

      • Value: Enter 10.34.34.2 as the value for the time-server option that is sent to the client in the OFFER/ACK message.

    5. Save the configuration.

  4. Configure and save another option filter without match rules as follows:

    1. In the Add IPv4 Option Filter wizard, complete the following:

      • Name: Enter Option2.

    2. Click Next. Do not define any match rules.

    3. Click Next again and complete the following to define the DHCP options to return to the matching client:
      Options to Merge with Object Options: Click the Add icon. Grid Manager adds a new row to the table with the default DHCP option space and option name displayed. Complete the following:

      • Option Name: Click the down arrow and from the drop-down list, select domain-name(6).

      • Value: Enter www.infoblox.com.

    4. Save the configuration.

  5. Configure and save a NAC filter as follows. For more information, see Defining NAC Filters.

    1. From the Data Management tab, select the DHCP tab -> Filters tab, and then expand the Toolbar and click Add -> IPv4 NAC Filter.

    2. In the Add Filter wizard, complete the following and click Next:

      • Name: Enter NAC1.

    3. Create a rule as follows:

      • In the first drop-down list, select Compliance State.

      • In the second drop-down list, select equals.

      • In the third drop-down list, select Compliant.

        Click Preview and the appliance displays the expression: (Sophos.ComplianceState="Compliant").

    4. Click Next and complete the following to define DHCP options:

      • Lease Time: Enter 1000 and select seconds from the drop-down list.

        Options to Merge with Object Options: Click the Add icon. Grid Manager adds a new row to the table with the default DHCP option space and option name displayed. Complete the following:

      • Option Name: Click the down arrow and from the drop-down list, select cookies-servers(8).

      • Value: Enter 10.34.34.5.

    5. Save the configuration.

  6. Apply the filters to the address range as follows.

    1. From the Data Management tab, select the DHCP tab -> Networks tab -> Networks -> 10.34.34.6-10.34.34.55 checkbox, and then click the Edit icon.

    2. In the DHCP Range editor, click Toggle Advanced Mode.

    3. Click the Filters tab and complete the following:
      Class Filter List: Click the Add icon and add MAC1 as a class filter. Click the Action column and select Grant lease from the drop-down list.
      Logic Filter List: Click the Add icon and add Option1, NAC1, and Option2, in that order, as logic filters.

    4. Save the configuration.
      The appliance generates the following information in the DHCP configuration file based on the filter configuration in this example:

# MAC filter "MAC1"

class "MAC1" {

...