
Configuring Option Filters

You can use option filters to classify DHCP clients and decide which DHCP options each group of clients receives. By default, regardless of the networks in which the DHCP clients reside and whether an option filter is applied to a DHCP range or range template, all DHCP clients that match the filter criteria receive the DHCP options and values you define in the filter. You can change this behavior (by clearing Apply this filter as a global DHCP class) so that the appliance does not use the filter to classify DHCP clients. For information about how to configure this, see Defining Option Filters.
You can add DHCP options and the Hardware Operator option to an option filter. (For information about the Hardware Operator option, see DHCP Hardware Operator.) Depending on whether the options you add to the filter are also defined at the Grid, member, network, and DHCP range levels, and whether you add the filter to the Class Filter List or Logic Filter List, the appliance either appends them to the existing options or overwrites the option values before returning them to the matching clients. For more information about how the appliance returns DHCP options, see Adding Filters to the Logic Filter List.
The appliance can filter an address request by the options (such as root-server-ip-address or user-class) of the requesting host. Depending on how you apply an option filter, the appliance can grant or deny an address request if the requesting host matches the filter criteria. You can also create complex match rules that use the AND and OR logic to further define the filter criteria. When you select match rules in Grid Manager, you can preview the rules before committing them to the filter. Grid Manager provides an expression builder that automatically builds the rules after you define them. For information, see Defining Option Filters.
To define an option filter and apply it to an address range:

  1. Define an option filter based on either the predefined or custom DHCP options. For information, see Defining Option Filters.
  2. Apply the filter to a DHCP address range or range template in the Class Filter List or Logic Filter List. For information, see Applying Filters to DHCP Objects.

After you define an option space and add options to it, you can set up option filters and define option values. For example, to handle two different client classes, you can define two option filters (vendor-class_1 and vendor-class_2) and send different option values to different clients based on the vendor-class-identifier options that you obtain from the clients.

DHCP Hardware Operator

You can define the Hardware Operator option and add it as a match rule to an option filter. This option enables the appliance to match the hardware type and MAC address of the DHCP client, which it derives from the htype (hardware type), hlen (hardware address length) and chaddr (client hardware address) fields of the client's DHCP Discover and Renew packets.
To add Hardware Operator to an option filter, fill in the fields as follows:

  • In the first drop-down list, select Hardware Operator. Note that because it is not a DHCP Option, it does not have an actual option number.
  • In the second drop-down list, select one of the following operators: equals, does not equal, substring equals and substring does not equal.
    If the operator is substring equals or substring does not equal, specify the offset and length.
  • In the text field, enter the string that represents the hardware type and MAC address to match. For example, the htype value is 1 for the Ethernet hardware type. The hardware types (hrd) are defined at http://www.iana.org/assignments/arp-parameters/arp-parameters.xml.

This filter rule assumes that the values exist in the DHCP packets.
The following table provides examples of rules that include the Hardware Operator option. The entry in the first drop-down list for all rules is Hardware Operator.
Table 31.1 Hardware Operator Sample Rules

Rule Description | Second Drop-Down List (operator) | Text Field (string) | Offset | Length
Match a hardware type and MAC address. | equals | 01:00:C0:B0:AA:BB:CC | (not used) | (not used)
Match hardware type only. | substring equals | 01 | 0 | 1
Match the vendor MAC prefix (first three bytes of MAC address). | substring equals | 00:C0:B0 | 1 | 3

The offset and length count bytes of the string formed by the hardware type byte followed by the MAC address, so offset 0 with length 1 selects the hardware type and offset 1 with length 3 skips the hardware type byte and selects the vendor prefix (OUI).
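The following is an added example, not Infoblox code, that shows where the Hardware Operator value comes from and how the three rules in Table 31.1 are evaluated against it. It assumes (as the table's offsets imply, and as dhcpd's `hardware` expression is laid out) that the matched value is the htype byte followed by the first hlen bytes of chaddr, and that offset and length count bytes of that value; the DHCPDISCOVER header and MAC address are constructed sample data.

```python
import struct

OPERATORS = ("equals", "does not equal", "substring equals", "substring does not equal")


def build_discover(htype: int, hlen: int, mac: bytes) -> bytes:
    """Constructed DHCPDISCOVER: the 28-byte fixed header plus the 16-byte chaddr field.

    Fields in order: op=1 (BOOTREQUEST), htype, hlen, hops, xid, secs, flags,
    ciaddr, yiaddr, siaddr, giaddr, chaddr. Options are omitted because the
    Hardware Operator only reads the fixed header. Sample data only.
    """
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, htype, hlen, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    return header + mac.ljust(16, b"\0")


def hardware_string(packet: bytes) -> bytes:
    """Value the Hardware Operator matches: htype byte + first hlen bytes of chaddr.

    Assumption: same layout as dhcpd's `hardware` expression, which is what the
    table's offsets (0 for the type, 1 for the OUI) imply.
    """
    htype, hlen = packet[1], min(packet[2], 16)   # chaddr is 16 bytes; clamp a bogus hlen
    return bytes([htype]) + packet[28:28 + hlen]


def parse_text_field(text: str) -> bytes:
    """Text-field value such as '01:00:C0:B0:AA:BB:CC' or '01' -> bytes."""
    return bytes.fromhex(text.replace(":", ""))


def hardware_rule_matches(packet: bytes, operator: str, text: str,
                          offset: int = 0, length: int = 0) -> bool:
    """Evaluate one Hardware Operator rule as entered in the three wizard fields."""
    if operator not in OPERATORS:
        raise ValueError(f"unknown operator {operator!r}")
    hw = hardware_string(packet)
    want = parse_text_field(text)
    if operator.startswith("substring"):
        # Offset/length count bytes of the hardware string. A substring that runs
        # past the end is simply shorter and therefore never equals a longer value.
        got = hw[offset:offset + length]
    else:
        got = hw
    equal = got == want
    return not equal if "not" in operator else equal


if __name__ == "__main__":
    pkt = build_discover(htype=1, hlen=6, mac=bytes.fromhex("00C0B0AABBCC"))
    print(hardware_string(pkt).hex(":"))
    for rule in (("equals", "01:00:C0:B0:AA:BB:CC", 0, 0),   # table row 1
                 ("substring equals", "01", 0, 1),            # row 2: hardware type only
                 ("substring equals", "00:C0:B0", 1, 3)):     # row 3: vendor OUI
        print(rule, hardware_rule_matches(pkt, *rule))
```

Both htype and chaddr are supplied by the client and are trivially spoofed, so a Hardware Operator rule is a classification aid (for example, steering one vendor's devices to a pool), not an access control; enforcement of which MAC may talk on a port belongs to the switch (DHCP snooping, port security).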

Defining Option Filters

To define an option filter:

  1. From the Data Management tab, select the DHCP tab -> IPv4 Filters tab, and then expand the Toolbar and click Add -> IPv4 Option Filter.
     or
     From any panel in the DHCP tab, expand the Toolbar and click Add -> IPv4 Option Filter.
  2. In the Add IPv4 Option Filter wizard, complete the following:
    • Name: Enter a meaningful name for the option filter. For example, you can enter Linux if you plan to use this option filter to screen Linux systems. The name must be unique within a specific network. If you want to specify option settings in the filter, the filter name must be unique among all option filters.
    • Comment: Enter useful information about the filter.
    • Apply this filter as a global DHCP class: This check box is selected by default. When you select this check box, the appliance defines a global class statement in the dhcpd configuration file for members that have DHCP enabled, regardless of whether the filter is applied to a DHCP range or range template. All DHCP clients that belong to this class receive the DHCP options and values you define in the filter. When you clear this check box, you cannot apply this filter to the Class Filter List of a range or range template. You cannot clear this check box if the filter is currently applied to a range or range template. The appliance displays an error message when you try to save this configuration.

3. Click Next and complete the following to add match rules:

    • In the first drop-down list, select a DHCP option. For example, select user-class(77) for a specific user class, such as mobile users.
    • In the second drop-down list, select an operator.
      If you select equals or does not equal, enter the value of the selected option you want the filter to match in the field.
      If you select substring equals or substring does not equal, enter the match value and then the offset and length of the substring, defined as follows:
      • Offset: The 0-based position in the option data at which the match value starts. Enter 0 to start at the beginning of the option data, 1 for the second position, and so on. For example, with an offset of 2 and a match value of MSFT, the appliance compares MSFT with the option data starting at the third character.
      • Length: The length of the match value. For example, if the match value is MSFT, the length is 4.

You can do the following and repeat the filter selection steps to add another rule:

    • Click + to add another rule at the same level.
    • Click |<- to add an all (logical AND) or any (logical OR) operator line and a parenthetical rule that is indented one level and above the first rule.
    • Click ->| to add an all (logical AND) or any (logical OR) operator line and a parenthetical rule that is indented one level.

After you add all the match rules, you can click Preview to view the rules that are written to the dhcpd configuration file or click Reset to remove the previously configured rules and start again. For information about how to use match rules, see Using Match Rules in Option Filters.

4. Click Next and complete the following to define which DHCP options to return to the matching client:

    • Option Space: Select an option space from the drop-down list. This field is not displayed if you do not have custom option spaces. The appliance uses the DHCP option space as the default.
    • Lease Time: Enter the value of the lease time in the field and select the time unit from the drop-down list. The lease time applies to hosts that meet the filter criteria.

Options to Merge with Object Options
Click the Add icon. Grid Manager adds a new row to the table with the default DHCP option space and option name displayed. Complete the following:

    • Option Space: Click the down arrow and select an option space from the drop-down list. The selected option space determines which DHCP options you can return.
    • Option Name: Click the down arrow and from the drop-down list, select the DHCP option you want to return to matching clients.
    • Value: Enter the value the appliance returns for the selected option to clients that match the filter. To add more options, click the Add icon and repeat the steps.

5. Click Next to define extensible attributes. For information, see Using Extensible Attributes.

6. Save the configuration and click Restart if it appears at the top of the screen.

Using Match Rules in Option Filters

Each match rule you define in an option filter further defines the filter criteria of a matching client. You can add multiple match rules to an option filter. The appliance writes these rules to the dhcpd configuration file. You can also create complex match rules that use the AND and OR logic to further define the filter criteria. After you define the match rules, you can preview the rules before committing them to the filters.
For example, you can define the following rules in an option filter:

DHCP option = vendor-class-identifier

Substring offset = 0 (the match value starts at the beginning of the option data received from the client)

Substring length = 4 (the length of the match value MSFT)

Match value = MSFT

The appliance generates the following rules in the dhcpd configuration file:
 


You can also define more complex rules using the AND and OR logic as follows:

DHCP option = vendor-class-identifier

Match value = infoblox2000a

OR

DHCP option = vendor-encapsulated-options

Substring offset = 0 (the match value starts at the first character of the option data received from the client)

Substring length = 8 (the length of the match value infoblox)

Match value = infoblox

AND

DHCP option = vendor-encapsulated-options

Substring offset = 10 (the match value starts at the eleventh character of the option data received from the client; offset 0 is the first character)

Substring length = 5 (the length of the match value 2000a)

Match value = 2000a

The appliance generates the following rules in the dhcpd configuration file:

class "infoblox" {
  match if (option vendor-class-identifier = "infoblox2000a") or
    ((substring(option vendor-encapsulated-options, 0, 8) = "infoblox") and
     (substring(option vendor-encapsulated-options, 10, 5) = "2000a"));
  vendor-option-space DHCP;
}
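The following is an added example, not Infoblox or NIOS code, that implements the match-rule model described in Defining Option Filters and Using Match Rules in Option Filters: option rules with equals, does not equal, substring equals and substring does not equal (offset and length for the substring forms), combined with all (logical AND) and any (logical OR) lines. It evaluates the two rule sets from this section against constructed client option data and renders each rule set in the dhcpd `class ... match if` form shown above. The rendered text for the first (MSFT) example is this renderer's output, since the page does not show what the appliance writes for it; the client names and option data are constructed sample input.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Union

OPERATORS = ("equals", "does not equal", "substring equals", "substring does not equal")


@dataclass
class OptionRule:
    """One match rule: a DHCP option, an operator and a value (offset/length for substrings)."""
    option: str          # dhcpd option name, e.g. "vendor-class-identifier" (option 60)
    operator: str
    value: str
    offset: int = 0      # 0-based byte position in the option data
    length: int = 0      # length of the match value

    def matches(self, options: Dict[str, bytes]) -> bool:
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator {self.operator!r}")
        data = options.get(self.option)
        if data is None:        # client did not send the option: the rule cannot match
            return False
        if self.operator.startswith("substring"):
            data = data[self.offset:self.offset + self.length]
        equal = data == self.value.encode()
        return not equal if "not" in self.operator else equal

    def render(self) -> str:
        """The dhcpd expression for this rule, in the form the page's example shows."""
        lhs = (f"substring(option {self.option},{self.offset},{self.length})"
               if self.operator.startswith("substring") else f"option {self.option}")
        op = "!=" if "not" in self.operator else "="
        return f'({lhs}{op}"{self.value}")'


@dataclass
class Group:
    """An all (logical AND) or any (logical OR) line with its indented child rules."""
    mode: str
    rules: List[Union[OptionRule, "Group"]] = field(default_factory=list)

    def matches(self, options: Dict[str, bytes]) -> bool:
        combine = all if self.mode == "all" else any
        return combine(r.matches(options) for r in self.rules)

    def render(self) -> str:
        joiner = " and " if self.mode == "all" else " or "
        return "(" + joiner.join(r.render() for r in self.rules) + ")"


def render_class(name: str, rule) -> str:
    """dhcpd class statement; the outer parentheses of a top-level group are dropped."""
    body = rule.render()
    if isinstance(rule, Group):
        body = body[1:-1]
    return f'class "{name}" {{\n  match if {body};\n}}'


# First example on the page: vendor-class-identifier, substring offset 0, length 4, value MSFT.
MSFT_RULE = OptionRule("vendor-class-identifier", "substring equals", "MSFT", 0, 4)

# Second example: VCI = infoblox2000a OR (VEO[0:8] = infoblox AND VEO[10:15] = 2000a).
INFOBLOX_RULE = Group("any", [
    OptionRule("vendor-class-identifier", "equals", "infoblox2000a"),
    Group("all", [
        OptionRule("vendor-encapsulated-options", "substring equals", "infoblox", 0, 8),
        OptionRule("vendor-encapsulated-options", "substring equals", "2000a", 10, 5),
    ]),
])

# Constructed sample clients: name -> {option name: raw option data as sent by the client}
CLIENTS = {
    "ib-by-vci":       {"vendor-class-identifier": b"infoblox2000a"},
    "ib-by-veo":       {"vendor-encapsulated-options": b"infoblox--2000a"},
    "ib-wrong-offset": {"vendor-encapsulated-options": b"infoblox-2000a"},  # 2000a starts at 9
    "windows":         {"vendor-class-identifier": b"MSFT 5.0"},
}


def classify(rule, clients: Dict[str, Dict[str, bytes]]) -> Dict[str, bool]:
    """Apply one rule (or group) to every client and report which ones match."""
    return {name: rule.matches(opts) for name, opts in clients.items()}


if __name__ == "__main__":
    print(render_class("msft", MSFT_RULE))
    print(render_class("infoblox", INFOBLOX_RULE))
    print(classify(INFOBLOX_RULE, CLIENTS))
    print(classify(MSFT_RULE, CLIENTS))
```

Two points worth checking against your own filters: a client that does not send the option at all matches neither equals nor does not equal (dhcpd treats a comparison against a missing option as null, which is false in a match if), and the offset and length are counted in bytes of the option data, so an off-by-one offset (the ib-wrong-offset client above) silently fails to match rather than producing an error.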

Configuring User Class Filters

The NIOS appliance can filter DHCP address requests by user class filters. A user class indicates a category of user, application, or device of which the DHCP client is a member. User class identifiers are configured on DHCP clients and are sent during a DHCP address request operation. The client includes the user class identifier in DHCP option 77 when sending DHCPDISCOVER and DHCPREQUEST messages.
By using user class identifiers, a DHCP server can screen address requests and assign addresses from select address ranges based on the different user class identifiers it receives. For example, if you assign a user class filter named mobile to a range of addresses from 10.1.1.31–10.1.1.80, the appliance selects an address from that range if it receives an address request that includes the user class name mobile and there are still addresses available in that range. You might want mobile users to receive these addresses because you have given them shorter lease times than other, more stationary DHCP clients. See Figure 31.6.
Figure 31.6 Applying User Class Filtering


If the NIOS appliance receives address requests with the user class mobile and there are no available addresses in address range 2 but there are available addresses in ranges 1 and 3, the appliance begins assigning addresses from address range 3 (because its addresses are higher than those in range 1). Then, if all addresses in range 3 are in use, the appliance begins assigning addresses from address range 1. A user class filter that permits a class on one range does not by itself exclude that class from the other ranges. If you want the appliance to assign addresses to mobile users (that is, those identified with the user class mobile) exclusively from address range 2, you must also apply user class filters for "mobile" to address ranges 1 and 3 that deny lease requests matching that user class.

Configuration Example: Using Option Filters

The following example shows you how to create an option space, add custom options to it, and create an option filter with a match rule, so that the NIOS appliance can filter an address request by the vendor options of the requesting hosts. The appliance can then grant or deny an address request if the requesting host matches the filter.

  1. Add an option space called MSFT, and then add the following options to it. For information, see Applying DHCP Options.

Option name | Code | Type
root-mount-options | 1 | Text
root-server-ip-address | 2 | IP address
root-server-host-name | 3 | Text
root-server-path-name | 4 | Text
swap-server-ip-address | 5 | IP address
swap-file-path-name | 6 | Text
boot-file-path-name | 7 | Text
posix-timezone-string | 8 | String
boot-read-size | 9 | 16-bit unsigned integer

2. From the Data Management tab, select the DHCP tab -> IPv4 Filters tab and click the Add icon.

3. In the Add IPv4 Filter wizard, enter the filter name i86pc, and then select Options as the filter type.

4. Select MSFT as the option space, select an option, specify a value for it, and then add it to the i86pc option filter. You can select multiple options. Add the following options to the i86pc option filter:

Option name | Code | Type
root-server-ip-address | 2 | IP address
root-server-host-name | 3 | Text
root-server-path-name | 4 | Text
boot-file-path-name | 7 | Text

5. From the Data Management tab, select the DHCP tab -> IPv4 Filters tab -> filter_name, and then click the Add icon.

6. In the Add IPv4 Match Rule wizard, select i86pc as the option filter, select vendor-class-identifier(60) as the matching option, and then enter MSFT as the matching value.

7. Add a DHCP range to the network. For information, see Configuring IPv4 Address Ranges.

8. Apply the i86pc option filter to the DHCP address range. For information, see Applying Filters to DHCP Objects.

9. Click Restart to restart services.
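The following is an added example, not Infoblox code, showing what the four options the i86pc filter returns look like on the wire and how to read them back from a capture. It assumes that options from a custom option space such as MSFT are delivered to a matching client as sub-options (code, length, data) inside DHCP option 43, vendor-encapsulated-options, as ISC dhcpd does for a class's vendor-option-space per RFC 2132; the option values (10.1.1.5, boot1, the path names) are constructed sample data, and the type encodings follow the Type column of the tables in steps 1 and 4.

```python
import ipaddress
import struct

# The custom MSFT option space from step 1: sub-option code -> (name, type)
MSFT_SPACE = {
    1: ("root-mount-options", "text"),
    2: ("root-server-ip-address", "ip-address"),
    3: ("root-server-host-name", "text"),
    4: ("root-server-path-name", "text"),
    5: ("swap-server-ip-address", "ip-address"),
    6: ("swap-file-path-name", "text"),
    7: ("boot-file-path-name", "text"),
    8: ("posix-timezone-string", "string"),
    9: ("boot-read-size", "uint16"),        # 16-bit unsigned integer
}
CODE_BY_NAME = {name: code for code, (name, _) in MSFT_SPACE.items()}


def encode_value(kind: str, value) -> bytes:
    """Encode one option value according to its type in the MSFT space."""
    if kind == "ip-address":
        return ipaddress.IPv4Address(value).packed          # 4 bytes, network order
    if kind in ("text", "string"):
        return value.encode("ascii") if isinstance(value, str) else bytes(value)
    if kind == "uint16":
        return struct.pack("!H", value)
    raise ValueError(f"unsupported type {kind!r}")


def decode_value(kind: str, data: bytes):
    """Inverse of encode_value; rejects data whose length does not fit the type."""
    if kind == "ip-address":
        if len(data) != 4:
            raise ValueError("ip-address sub-option must be 4 bytes")
        return str(ipaddress.IPv4Address(data))
    if kind in ("text", "string"):
        return data.decode("ascii", errors="replace")
    if kind == "uint16":
        if len(data) != 2:
            raise ValueError("uint16 sub-option must be 2 bytes")
        return struct.unpack("!H", data)[0]
    raise ValueError(f"unsupported type {kind!r}")


def encode_option43(values: dict) -> bytes:
    """Pack {option name: value} into option 43 sub-options: code, length, data."""
    out = bytearray()
    for name, value in values.items():
        code = CODE_BY_NAME[name]
        data = encode_value(MSFT_SPACE[code][1], value)
        if len(data) > 255:
            raise ValueError(f"{name}: sub-option data exceeds 255 bytes")
        out += bytes([code, len(data)]) + data
    if len(out) > 255:
        raise ValueError("option 43 payload exceeds 255 bytes; RFC 3396 splitting needed")
    return bytes(out)


def decode_option43(blob: bytes) -> dict:
    """Parse option 43 sub-options back into {name: value}, rejecting truncated data."""
    result, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:                  # end marker
            break
        if code == 0:                    # pad
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("sub-option length byte missing")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"sub-option {code} truncated")
        name, kind = MSFT_SPACE.get(code, (f"code-{code}", "string"))
        result[name] = decode_value(kind, data)
        i += 2 + length
    return result


# Constructed values for the four options the i86pc filter returns (step 4).
I86PC_OPTIONS = {
    "root-server-ip-address": "10.1.1.5",
    "root-server-host-name": "boot1",
    "root-server-path-name": "/export/root/i86pc",
    "boot-file-path-name": "/export/boot/i86pc/inetboot",
}

if __name__ == "__main__":
    blob = encode_option43(I86PC_OPTIONS)
    print(blob.hex(":"))
    print(decode_option43(blob))
```

Because the client-side match is on option 60 (a string any client can send), every host that claims MSFT will receive these boot-server and boot-file values; treat them as untrusted-client-reachable configuration and keep the boot server itself locked down. The decoder's length checks matter for the same reason when you apply it to captures: a truncated or malformed option 43 from either side should fail loudly rather than yield a partial result.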