
Applying Filters to DHCP Objects

To further control how the appliance allocates IPv4 or IPv6 addresses to DHCP client requests, you can apply DHCP filters to determine the following:

  • The class statements

  • The address ranges from which it assigns leases

  • When to grant or deny leases to the matching clients

  • Which DHCP options to return to the matching clients

You can apply IPv4 or IPv6 logic filters at the Grid DHCP or Member DHCP. You can choose to keep the inherited properties or override them when you edit the IPv4 / IPv6 networks, IPv4 / IPv6 network containers, IPv4 / IPv6 network templates, IPv4 / IPv6 shared networks, IPv4 / IPv6 DHCP ranges, IPv4 / IPv6 DHCP range templates, IPv4 / IPv6 fixed addresses, IPv4 / IPv6 reservations, IPv4 / IPv6 fixed address templates, IPv4 / IPv6 reservation templates, or IPv4 / IPv6 host addresses.

Adding Filters to the Class Filter List

You can apply any DHCP filter to the Class Filter List of a DHCP range or range template. The appliance uses the matching rules of these filters to select the address range from which it assigns a lease. You can define permissions for these filters to instruct the appliance whether to grant or deny a lease to the matching client. When you add a filter with a grant permission, the client must match the filter criteria to receive a lease. When you define a filter with a deny permission, clients that do not match the filter criteria still receive leases. Only the client that matches the filter criteria is denied a lease.
Filters in the Class Filter List correspond to the class statement generated in the dhcpd configuration file, which is a classification of the client packet. All DHCP clients that match the option filter and relay agent filter criteria become members of the same class and are eligible to receive DHCP options for that class, regardless of the networks in which the clients reside. However, a client can only become a member of the MAC or NAC filter class when it is granted a lease from the DHCP range based on the filter criteria. Whether a client receives specific options and option values depends on the hierarchy of the options and how you apply the filters. For information about how the appliance returns DHCP options, see Adding Filters to the Logic Filter List.

Adding Filters to the Logic Filter List

The filters you add to the Logic Filter List correspond to the match rules that are written to the dhcpd configuration file. The appliance uses these filters to identify DHCP options and values to return to the matching clients. You can apply option, MAC, and NAC filters to the Logic Filter List. Note that a DHCP client is eligible to receive DHCP options defined in a filter if it matches the filter criteria. Whether the client receives specific options and their corresponding values depends on the hierarchy of the options and the list of options requested by the client through DHCP option 55. You can configure the appliance to ignore the option list requested by a matching client and return all the options that the client is eligible to receive. For information about how to ignore the option list requested by a client, see Configuring General IPv4 DHCP Properties.

Notes

  • The appliance allows you to add an empty IPv4 logic filter at the end of the logic filter list, which means that you can add an IPv4 logic filter without defining DHCP options in it. In addition, you can change the order of the filters in the logic filter list.

  • When a range has multiple class filters assigned to it, if any of the filters deny a lease to a client, then the client will not get a lease even if another class filter allows it.

The appliance decides which options and values to return to a client based on the following:

  • If you have different DHCP options defined in a range and any DHCP filters in the Class Filter and Logic Filter lists, and these options do not overlap, the appliance merges and returns all options to the matching client. For example, a DHCP client obtains a lease from a DHCP address range (R) through an option filter in the Class Filter List (CF), which contains an option statement (O1) with a value of (S1). The appliance then matches a filter in the Logic Filter List (LF) that contains an option statement (O2) with a value of (S2). In this case, option statements O1 and O2 and their values S1 and S2 are merged and returned to the matching client.

  • If there are overlapping DHCP options in a range and any DHCP filters in the Class Filter and Logic Filter lists, the values defined in the Class Filter List filters take precedence over those defined in the range and filters in the Logic Filter List. The appliance returns the option value defined in the class filters to the matching client. For example, a DHCP client obtains a lease from a DHCP address range (R) through an option filter in the Class Filter List (CF), which contains an option statement (O1) with a value of (S1). The appliance then matches a filter in the Logic Filter List (LF) that contains the same option statement (O1) with a value of (S2). In this case, the option value S1 defined in the option filter in the Class Filter List takes precedence and is returned to the DHCP client.

  • When you apply option, MAC, and NAC filters to the Logic Filter List, the appliance translates their match rules into a DHCP if/elseif/else statement using the match rules of the first filter on the list as the "if" expression in the statement. Match rules in subsequent filters are translated into the "elseif" statements, and the last filter that does not contain any match rules is translated into the "else" statement. Note that a filter without any match rules can only be added as the last filter in the Logic Filter List.

For more information about how the appliance grants and denies leases to requesting clients and determines which DHCP options to return to the matching clients, see Configuration Example: Using the Class and Logic Filter Lists below.
To apply filters:

  1. Grid: From the Data Management tab -> DHCP tab, select Grid DHCP Properties from the Toolbar.
    Member: From the Data Management tab, select the DHCP tab -> Members tab -> member checkbox -> Edit icon.
    Network: From the Data Management tab, select the DHCP tab -> Networks tab -> Networks -> network checkbox, and then click the Edit icon.
    DHCP Range: From the Data Management tab, select the DHCP tab -> Networks tab -> Networks -> network -> addr_range checkbox, and then click the Edit icon.
    Fixed Address: From the Data Management tab, select the DHCP tab -> Networks tab -> Networks -> network -> fixed_address checkbox, and then click the Edit icon.
    IPv4 Reservation: From the Data Management tab, select the DHCP tab -> Networks tab -> Networks -> network -> reservation checkbox, and then click the Edit icon.
    Host Address: From the Data Management tab, select the DHCP tab -> Networks tab -> Networks -> network -> host_record checkbox, and then click the Edit icon. Select the host IP address, and then click the Edit icon.
    IPv4 Network or Fixed Address Template: From the Data Management tab, select the DHCP tab -> Templates tab -> (IPv4 network or fixed address) template checkbox, and then click the Edit icon.

  2. In the editor, click Toggle Advanced Mode, and then select the Filters tab.

  3. Logic Filter List: You can keep the inherited IPv4 logic filters or override them. To override the value that has been inherited from the upper level, click Override. Click the Add icon to add a filter to match a client based on the match rules defined in the filter.
    If you have only one configured DHCP filter, the appliance displays the filter in the table. Otherwise, in the DHCP Filter Selector dialog box, click the filter you want to add. Use SHIFT+click and CTRL+click to select multiple filters.

  4. Complete the following to add the Class Filter to a DHCP address range:

    • Click the Add icon to add a filter to identify the class of a matching client, and to grant or deny a lease to a client. For more information, see Adding Filters to the Class Filter List above.

      If you have only one configured DHCP filter, the appliance displays the filter in the table. Otherwise, in the DHCP Filter Selector dialog box, click the filter you want to add. Use SHIFT+click and CTRL+click to select multiple filters.
      For each filter you add, click the Action column and select one of the following from the drop-down list:

    • Grant lease:
      For MAC address filters: Select this to assign an IP address from the address range to a requesting host whose MAC address matches the MAC address in the filter.
      For relay agent filters: Select this to assign an IP address from the address range when one or both of the relay agent identifiers of the requesting host match the filter criteria.
      For option filters: Select this to assign an IP address from the address range to a requesting host whose DHCP options match the DHCP options and match rules defined in the filter.
      For NAC filters: Select this to assign an IP address from the address range to a requesting host based on the authentication results from a RADIUS authentication server group.
      For DHCP fingerprint filters: Select this to grant a lease from the address range to a requesting host whose DHCP fingerprint matches the DHCP fingerprint in the filter.

    • Deny lease:
      For MAC address filters: Select this to deny an address request from a host whose MAC address matches a MAC address in the filter.
      For relay agent filters: Select this to deny an address request when one or both relay agent identifiers match the filter criteria in the filter.
      For option filters: Select this to deny an address request from a host whose DHCP options match the options and match rules in the filter.
      For NAC filters: Select this to deny an address request from a host based on the authentication results from a RADIUS authentication server group.
      For DHCP fingerprint filters: Select this to deny a lease request when the DHCP fingerprint of the requesting host matches the DHCP fingerprint in the filter.
      The appliance uses filters in both the Class Filter and Logic Filter lists to determine the DHCP options and values it returns to the matching clients.

Note

You can only add a filter that does not contain any match rules as the last filter in the Logic Filter List.

  5. Save the configuration and click Restart if it appears at the top of the screen.

Configuration Example: Using the Class and Logic Filter Lists

The following example shows you how to define DHCP filters and apply them to the class and logic filter lists. It also shows you the DHCP configuration file that is generated based on the configuration.
In this example, you first define a MAC filter, two option filters (one without match rules), and a NAC filter, and then apply the MAC filter to the Class Filter List and the other filters to the Logic Filter List of the address range 10.34.34.6 - 10.34.34.55.

  1. Configure and save a MAC filter as follows. For more information, see Defining MAC Address Filters.

    1. From the Data Management tab, select the DHCP tab -> Filters tab, and then expand the Toolbar and click Add -> IPv4 MAC Address Filter.

    2. In the Add IPv4 MAC Filter wizard, complete the following:

      • Name: Enter MAC1.

    3. Click Next and complete the following to define the DHCP options to return to the matching client:

      • Lease Time: Enter 1234 and select seconds from the drop-down list.
        Options to Merge with Object Options: Click the Add icon. Grid Manager adds a new row to the table with the default DHCP option space and option name displayed. Complete the following:

      • Option Name: Click the down arrow and select log-server(7) from the drop-down list.

      • Value: Enter 10.34.34.3 as the value for the log-server option that is sent to the client in the OFFER/ACK message.

    4. Save the configuration.

  2. Add a MAC address filter item as follows. For more information, see Adding MAC Address Filter Items.

    1. From the Data Management tab, select the DHCP tab -> Filters tab, and then expand the Toolbar and click Add -> IPv4 MAC Address Filter Item.

    2. In the Add IPv4 MAC Address Filter Item wizard, complete the following:

      • MAC Address Filter: Click Select Filter. In the DHCP Filter Selector dialog box, click MAC1.

      • MAC Address: Enter AB:DE:CC:DD:EE:01 as the MAC address.

    3. Save the configuration.

  3. Configure and save an option filter with match rules as follows. For more information, see Defining Option Filters.

    1. From the Data Management tab, select the DHCP tab -> Filters tab, and then expand the Toolbar and click Add -> IPv4 / IPv6 Option Filter.

    2. In the Add IPv4 Option Filter wizard, complete the following:

      • Name: Enter Option1.

    3. Click Next and complete the following to add match rules:

      • In the first drop-down list, select vendor-class-identifier.

      • In the second drop-down list, select substring equals, and then enter the following:

        • Offset: Enter 0 to match the value starting at the first character of the option data.

        • Length: Enter 4.

        • Enter MSFT as the matching value.
          Click Preview and the appliance displays the expression: (vendor-class-identifier,0,4="MSFT").

    4. Click Next and complete the following to define the DHCP options to return to the matching client:
      Options to Merge with Object Options: Click the Add icon. Grid Manager adds a new row to the table with the default DHCP option space and option name displayed. Complete the following:

      • Option Name: Click the down arrow and from the drop-down list, select time-server(4).

      • Value: Enter 10.34.34.2 as the value for the time-server option that is sent to the client in the OFFER/ACK message.

    5. Save the configuration.

  4. Configure and save another option filter without match rules as follows:

    1. In the Add IPv4 Option Filter wizard, complete the following:

      • Name: Enter Option2.

    2. Click Next. Do not define any match rules.

    3. Click Next again and complete the following to define the DHCP options to return to the matching client:
      Options to Merge with Object Options: Click the Add icon. Grid Manager adds a new row to the table with the default DHCP option space and option name displayed. Complete the following:

      • Option Name: Click the down arrow and from the drop-down list, select domain-name(6).

      • Value: Enter www.infoblox.com.

    4. Save the configuration.

  5. Configure and save a NAC filter as follows. For more information, see Defining NAC Filters.

    1. From the Data Management tab, select the DHCP tab -> Filters tab, and then expand the Toolbar and click Add -> IPv4 NAC Filter.

    2. In the Add Filter wizard, complete the following and click Next:

      • Name: Enter NAC1.

    3. Create a rule as follows:

      • In the first drop-down list, select Compliance State.

      • In the second drop-down list, select equals.

      • In the third drop-down list, select Compliant.

        Click Preview and the appliance displays the expression: (Sophos.ComplianceState="Compliant").

    4. Click Next and complete the following to define DHCP options:

      • Lease Time: Enter 1000 and select seconds from the drop-down list.

        Options to Merge with Object Options: Click the Add icon. Grid Manager adds a new row to the table with the default DHCP option space and option name displayed. Complete the following:

      • Option Name: Click the down arrow and from the drop-down list, select cookies-servers(8).

      • Value: Enter 10.34.34.5.

    5. Save the configuration.

  6. Apply the filters to the address range as follows.

    1. From the Data Management tab, select the DHCP tab -> Networks tab -> Networks -> 10.34.34.6-10.34.34.55 checkbox, and then click the Edit icon.

    2. In the DHCP Range editor, click Toggle Advanced Mode.

    3. Click the Filters tab and complete the following:
      Class Filter List: Click the Add icon and add MAC1 as a class filter. Click the Action column and select Grant lease from the drop-down list.
      Logic Filter List: Click the Add icon and add Option1, NAC1, and Option2 respectively as logic filters.

    4. Save the configuration.
      The appliance generates the following information in the DHCP configuration file based on the filter configuration in this example:

  # MAC filter "MAC1"
  class "MAC1" {
    default-lease-time 1234;
    min-lease-time 1234;
    max-lease-time 1234;
    option log-servers 10.34.34.3;
  }

  # NAC filter "NAC1"
  { option Sophos.ComplianceState="Compliant" }

  subnet 10.34.34.0 netmask 255.255.255.0 {
    pool {
      infoblox-range 10.34.34.6 10.34.34.55;
      range 10.34.34.6 10.34.34.55;
      option routers 10.34.34.1;
      # INFOBLOXMACFILTERDEBUGINFO: allow members of "MAC1";
      if (substring(option vendor-class-identifier,0,4)="MSFT") {
        # Option filter "Option1"
        option time-servers 10.34.34.2;
      }
      elsif (option Sophos.ComplianceState="Compliant") {
        # NAC filter "NAC1"
        default-lease-time 1000;
        min-lease-time 1000;
        max-lease-time 1000;
        option cookie-servers 10.34.34.5;
      }
      else {
        # Option filter "Option2"
        default-lease-time 2500;
        min-lease-time 2500;
        max-lease-time 2500;
        option domain-name "www.infoblox.com";
      }
    }
  }

Depending on client requests and the matching criteria, the following scenarios can happen in this example:

If the requesting client matches the MAC1 and Option1 filters, the appliance returns the following:

  • Lease time = 1234 seconds (from the MAC filter)

  • Returned options:

    • Router(3) with a value of 10.34.34.1 (from the address range)

    • Log-server(7) with a value of 10.34.34.3 (from the MAC filter MAC1)

    • Time-server(4) with a value of 10.34.34.2 (from the option filter Option1)

If the requesting client matches the MAC1 and NAC1 filters, the appliance returns the following:

  • Lease time = 1234 seconds (from the MAC filter MAC1)

  • Returned options:

    • Router(3) with a value of 10.34.34.1 (from the address range)

    • Log-server(7) with a value of 10.34.34.3 (from the MAC filter MAC1)

    • Cookie-server(8) with a value of 10.34.34.5 (from the NAC filter NAC1)

If the client matches the MAC1 filter, but not the Option1 or NAC1 filters, the appliance returns the following:

  • Lease time = 1234 seconds (from the MAC filter)

  • Returned options:

    • Router(3) with a value of 10.34.34.1 (from the address range)

    • Log-server(7) with a value of 10.34.34.3 (from the MAC filter MAC1)

    • Domain-name(6) with a value of www.infoblox.com (from the option filter Option2)

If the requesting client does not match the MAC1 filter, no lease is granted.
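To make the precedence rules (class filters decide the lease and win on overlapping options; the Logic Filter List is a first-match if/elsif/else chain) and the three scenarios above concrete, here is a small Python model, added as an example and not Infoblox code. It uses the filter names and option values from the configuration example; the client request is a plain dict with constructed field names (mac, vendor-class-identifier, Sophos.ComplianceState), and the 2500-second lease in the else branch is attached to Option2 as it appears in the generated configuration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class DHCPFilter:
    name: str
    match: Optional[Callable[[dict], bool]]      # None = no match rules (the "else" filter)
    options: dict = field(default_factory=dict)  # option name -> value to return
    lease_time: Optional[int] = None             # seconds, if the filter sets one

@dataclass
class DHCPRange:
    options: dict                 # options defined on the range itself
    class_filters: list           # [(DHCPFilter, "grant" | "deny"), ...]
    logic_filters: list           # ordered; a rule-less filter may only be last

def evaluate(rng, client):
    """Return (granted, lease_time, options) for one client request dict."""
    # Class Filter List: a matching deny wins over any grant; otherwise the client
    # must match at least one grant filter to get a lease from this range.
    granted_by = []
    for flt, action in rng.class_filters:
        if flt.match(client):
            if action == "deny":
                return False, None, {}
            granted_by.append(flt)
    if not granted_by:
        return False, None, {}
    # Logic Filter List is an if/elsif/else chain: the first matching filter wins,
    # and a filter without rules is the "else" branch, so it must be last.
    logic_hit = None
    for i, flt in enumerate(rng.logic_filters):
        if flt.match is None and i != len(rng.logic_filters) - 1:
            raise ValueError(f"{flt.name}: a filter without match rules must be last")
        if flt.match is None or flt.match(client):
            logic_hit = flt
            break
    # Merge: range and logic filter options are combined; on overlap (lease time
    # included) the Class Filter List value takes precedence, so it is applied last.
    options, lease = dict(rng.options), None
    for flt in ([logic_hit] if logic_hit else []) + granted_by:
        options.update(flt.options)
        lease = flt.lease_time or lease
    return True, lease, options

# Filters and range from the configuration example above (values as on the page);
# the client field names used by the lambdas are constructed for this model.
MAC1 = DHCPFilter("MAC1", lambda c: c.get("mac", "").upper() == "AB:DE:CC:DD:EE:01",
                  {"log-servers": "10.34.34.3"}, lease_time=1234)
OPTION1 = DHCPFilter("Option1", lambda c: c.get("vendor-class-identifier", "")[0:4] == "MSFT",
                     {"time-servers": "10.34.34.2"})
NAC1 = DHCPFilter("NAC1", lambda c: c.get("Sophos.ComplianceState") == "Compliant",
                  {"cookie-servers": "10.34.34.5"}, lease_time=1000)
OPTION2 = DHCPFilter("Option2", None, {"domain-name": "www.infoblox.com"}, lease_time=2500)
RANGE = DHCPRange({"routers": "10.34.34.1"}, [(MAC1, "grant")], [OPTION1, NAC1, OPTION2])
```

Calling evaluate(RANGE, request) with a request that carries the MAC1 address and a vendor class starting with MSFT reproduces the first scenario: lease 1234 with routers, log-servers and time-servers, and the NAC1 lease time never overrides the class filter's.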