I am running a DHCP server on Debian Wheezy, with isc-dhcp-server. Because people were connecting unauthorized machines, my DHCP leases were running thin, and eventually, authorized machines could not connect to our network. So, I asked about blocking certain MAC addresses from even picking up an address via DHCP, and that helped.
I decided that I want to sort out the IP addresses here. We have 5 servers, 8 access points, 12 managed switches, between 20 and 30 printers, plus all the authorized clients. My goal is to leave the servers at their IPs (between .0.1 and .0.5, inclusive), then put the printers in the next range, then the other network equipment, leaving a subnet just for these static reservations.
I would like to then separate the IPs of different departments based on their names. I have a subnet for one pool, just as a test, set up to go to 192.168.6.x, which is still inside the original subnet (192.168.0.0/19). I put the following into my /etc/dhcp/dhcpd.conf file:
class "dlc" {
  match if substring (option host-name, 0, 3) = "dlc";
}
class "DLC" {
  match if substring (option host-name, 0, 3) = "DLC";
}
subnet 192.168.0.0 netmask 255.255.224.0 {
  pool {
    deny members of "blacklist";
    allow members of "dlc";
    allow members of "DLC";
    range 192.168.6.1 192.168.6.50;
    # Other options not important
  }
  # general pool follows here (described below)
}
The blacklist class relates to the previous question, blocking based on MACs. The machines in this test group all start with either DLC or dlc. I have one machine that is able to get an address in this range. I also changed the lease times to a much lower value than before:
default-lease-time 7200;
#default-lease-time 28800;
#max-lease-time 36000;
max-lease-time 14400;
My general pool is listed after this pool; it allows all clients except those in the blacklist group, all within the same subnet range of 192.168.0.0/19. Eventually, every department will have its own group.
So, I looked for ways of expiring leases. I tried the approach from this answer of stopping the DHCP server, deleting the leases file, then restarting it, but the machines are still claiming the same addresses. I do not mind if I need to go to the machines to run a script, as I can push programs or scripts out to client machines quite easily. All clients are either Windows 7 or 8.1.
What can I do to force machines that otherwise have a valid IP address to get a new one in my specific range? This is more for my own organization of the network, and to more easily recognize when rogue devices get connected.
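A way to see where the dlc/DLC machines have actually landed, as an added example that is not part of the original question or any answer: it reads the server's dhcpd.leases, keeps only the latest declaration for each address (dhcpd appends a new one on every change), and applies the same case-sensitive three-character host-name test as the two classes. The prefixes and the 192.168.6.1-50 range come from the post; the leases text inside the script is constructed sample data, and the script is assumed to run on the Debian server, where isc-dhcp-server keeps the file at /var/lib/dhcp/dhcpd.leases.

```python
"""Audit an ISC dhcpd.leases file against the department-pool policy.

Added example, not code from the question or the answers. It lists active
leases that violate the rule "host-name starting with dlc/DLC lives in
192.168.6.1-192.168.6.50". Pass a real leases file as the first argument;
with no argument it audits the constructed sample below.
"""
import ipaddress
import re
import sys

# Constructed sample in dhcpd.leases(5) syntax. The LAST declaration for an
# address is the current one: 192.168.3.17 is first held by DLC-PC01 and is
# later released (binding state free), so it must not be reported.
SAMPLE_LEASES = """\
lease 192.168.3.17 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "DLC-PC01";
}
lease 192.168.6.4 {
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "dlc-laptop";
}
lease 192.168.6.9 {
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
  client-hostname "ACC-PC03";
}
lease 192.168.3.17 {
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.4.20 {
  binding state active;
  hardware ethernet 00:11:22:33:44:88;
  client-hostname "dlc-pc02";
}
"""

# Same test as the two classes in the question: a case-sensitive prefix check
# on the client-supplied host-name option, recorded by dhcpd as client-hostname.
DEPARTMENT_PREFIXES = ("dlc", "DLC")
DEPARTMENT_RANGE = (ipaddress.ip_address("192.168.6.1"),
                    ipaddress.ip_address("192.168.6.50"))

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_leases(text):
    """Return {ip: {"state", "mac", "hostname"}} with the last declaration winning."""
    leases = {}
    for match in LEASE_RE.finditer(text):
        ip, body = match.group(1), match.group(2)
        entry = {"state": None, "mac": None, "hostname": None}
        for raw in body.splitlines():
            line = raw.strip().rstrip(";")
            if line.startswith("binding state "):          # not "next binding state"
                entry["state"] = line.split()[-1]
            elif line.startswith("hardware ethernet "):
                entry["mac"] = line.split()[-1]
            elif line.startswith("client-hostname "):
                entry["hostname"] = line.split(" ", 1)[1].strip().strip('"')
        leases[ip] = entry
    return leases


def is_department_host(hostname):
    return hostname is not None and hostname.startswith(DEPARTMENT_PREFIXES)


def in_department_range(ip):
    return DEPARTMENT_RANGE[0] <= ipaddress.ip_address(ip) <= DEPARTMENT_RANGE[1]


def audit(text):
    """Return (strays, intruders), each a list of (ip, hostname, mac).

    strays:    department hosts holding an active lease outside their range
    intruders: other hosts holding an active lease inside the department range
    """
    strays, intruders = [], []
    for ip, entry in parse_leases(text).items():
        if entry["state"] != "active":
            continue
        dept, inside = is_department_host(entry["hostname"]), in_department_range(ip)
        if dept and not inside:
            strays.append((ip, entry["hostname"], entry["mac"]))
        elif inside and not dept:
            intruders.append((ip, entry["hostname"], entry["mac"]))
    return strays, intruders


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LEASES
    strays, intruders = audit(text)
    for ip, host, mac in strays:
        print(f"stray:    {host} ({mac}) still holds {ip}, outside the department pool")
    for ip, host, mac in intruders:
        print(f"intruder: {host} ({mac}) holds {ip}, inside the department pool")
```

On the sample it reports dlc-pc02 as a stray on 192.168.4.20 and ACC-PC03 as an intruder on 192.168.6.9; DLC-PC01 is not listed because its later "free" declaration supersedes the active one. The strays are exactly the machines that keep renewing an old address instead of moving into the new pool.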
I have never used pool membership to filter which clients use which pools, but my quick suggestion is simply to make sure the clients you want on a specific pool are prevented from using the other pools, so that there is no possibility of those clients getting an address from a pool other than the one you want.
So deny 'dlc' from using your main pool.
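A complete dhcpd.conf layout that does what this answer suggests, written as an added example rather than the answerer's or the poster's own file. The two classes and the 192.168.6.x pool are taken from the question; the general pool's range, the blacklist entry and the `authoritative` line are assumptions. The fix is in the second pool: a host whose name starts with dlc or DLC is denied there, so the server will not confirm its old general-pool address on a DHCPREQUEST and the client falls back to DHCPDISCOVER and takes an address from 192.168.6.x. Two caveats: dhcpd only answers a request it will not honour with DHCPNAK when it is declared `authoritative` for the subnet (without that line the client simply keeps what it has), and host-name is whatever the client chooses to send, so these classes sort cooperative machines; they are not an access control against rogue devices.

```conf
# Department classes keyed on the client-supplied host-name option, as in the
# question. Two classes because the substring comparison is case-sensitive.
class "dlc" {
  match if substring (option host-name, 0, 3) = "dlc";
}
class "DLC" {
  match if substring (option host-name, 0, 3) = "DLC";
}

# Rogue MACs from the earlier question, in the match/subclass form documented
# in dhcpd.conf(5). The address below is a placeholder, not a real entry.
class "blacklist" {
  match hardware;
}
subclass "blacklist" 1:00:11:22:33:44:99;

# Required for DHCPNAK: without it dhcpd stays silent on requests it will not
# honour and clients keep their old addresses.
authoritative;

default-lease-time 7200;
max-lease-time 14400;

subnet 192.168.0.0 netmask 255.255.224.0 {
  # routers, DNS and other options as in the original file (omitted here)

  # Department pool: only dlc/DLC hosts may take an address here.
  pool {
    deny members of "blacklist";
    allow members of "dlc";
    allow members of "DLC";
    range 192.168.6.1 192.168.6.50;
  }

  # General pool for everyone else. The two deny lines are the answer's fix:
  # without them a dlc host is also permitted here, so a request to keep its
  # old address in this range is simply acknowledged.
  pool {
    deny members of "blacklist";
    deny members of "dlc";
    deny members of "DLC";
    range 192.168.16.1 192.168.23.254;   # assumed range, not from the question
  }
}
```

Check the syntax with `dhcpd -t -cf /etc/dhcp/dhcpd.conf` before restarting isc-dhcp-server. On the Windows 7/8.1 clients, `ipconfig /release` followed by `ipconfig /renew` (which the poster can push out as a script) forces the reallocation immediately instead of waiting for the shortened lease to expire.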