],
"subnet": "192.0.8.0/23",
"reservations": [
- { "hw-address": "00:00:00:11:22:33" },
- { "hw-address": "00:00:00:44:55:66" },
- { "hw-address": "00:00:00:77:88:99" },
- { "hw-address": "00:00:00:aa:bb:cc" }
+ // Some host reservations without addresses (so addresses
+ // will be from the know-client only pool).
+ { "hw-address": "00:00:00:11:22:33", "hostname": "h1" },
+ { "hw-address": "00:00:00:44:55:66", "hostname": "h2" },
+ { "hw-address": "00:00:00:77:88:99", "hostname": "h3" },
+ { "hw-address": "00:00:00:aa:bb:cc", "hostname": "h4" }
]
}
]
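Review bot: the added comment above the reservations has a typo, "know-client only pool" should read "known-client only pool". The comment also explains only why the entries carry no address; each entry now gains a "hostname" as well (h1 to h4), so a few words on what the hostname is for would keep the example self-explanatory.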
// everyone is allowed. When a class is specified, only packets belonging
// to that class are allowed for that subnet.
"subnet4": [
+ // This one is for VoIP devices only.
{
-// This one is for VoIP devices only.
"pools": [ { "pool": "192.0.2.1 - 192.0.2.200" } ],
"subnet": "192.0.2.0/24",
"client-class": "VoIP",
"interface": "ethX"
},
-// This one doesn't have any client-class specified, so everyone
-// is allowed in. The normal subnet selection rules still apply,
-// though. There is also a static class reservation for a client
-// using MAC address 1a:1b:1c:1d:1e:1f. This client will always
-// be assigned to this class.
+
+ // This one doesn't have any client-class specified, so everyone
+ // is allowed in. The normal subnet selection rules still apply,
+ // though. There is also a static class reservation for a client
+ // using MAC address 1a:1b:1c:1d:1e:1f. This client will always
+ // be assigned to this class.
{
"pools": [ { "pool": "192.0.3.1 - 192.0.3.200" } ],
"subnet": "192.0.3.0/24",
"interface": "ethX"
},
-// The following list defines a subnet with pools. For some pools
-// we defined a class that is allowed in that pool. If not specified
-// everyone is allowed. When a class is specified, only packets belonging
-// to that class are allowed for that pool.
- {
+ // The following list defines a subnet with pools. For some pools
+ // we defined a class that is allowed in that pool. If not specified
+ // everyone is allowed. When a class is specified, only packets belonging
+ // to that class are allowed for that pool.
+ {
"pools": [
+ // This one is for VoIP devices only.
{
-// This one is for VoIP devices only.
"pool": "192.0.4.1 - 192.0.4.200",
"client-class": "VoIP"
},
-// This one doesn't have any client-class specified, so everyone
-// is allowed in.
+
+ // This one doesn't have any client-class specified,
+ // so everyone is allowed in.
{
"pool": "192.0.5.1 - 192.0.5.200"
} ],
- "subnet": "192.0.4.0/23",
- "interface": "ethY"
- }
+
+ "subnet": "192.0.4.0/23",
+ "interface": "ethY"
+ }
]
},
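Review bot: in the 192.0.4.0/23 subnet, the comment on the second pool ("so everyone is allowed in") should state that "everyone" includes VoIP clients. As written, a reader can take the two pools as a clean split, but the "client-class": "VoIP" guard only keeps other clients out of 192.0.4.1 - 192.0.4.200 and does nothing to keep VoIP clients out of 192.0.5.1 - 192.0.5.200. Separately, the comment that opens with "The following list defines a subnet with pools" now sits directly above a single subnet object, so "The following subnet defines two pools" would read more accurately.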
],
"subnet": "2001:db8:8::/46",
"reservations": [
- { "hw-address": "00:00:00:11:22:33" },
- { "hw-address": "00:00:00:44:55:66" },
- { "hw-address": "00:00:00:77:88:99" },
- { "hw-address": "00:00:00:aa:bb:cc" }
+ // Some host reservations without addresses (so addresses
+ // will be from the know-client only pool).
+ { "duid": "00:11:22:33", "hostname": "h1" },
+ { "duid": "00:44:55:66", "hostname": "h2" },
+ { "duid": "00:77:88:99", "hostname": "h3" },
+ { "duid": "00:aa:bb:cc", "hostname": "h4" }
]
}
]
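Review bot: the reservations here change identifier type as well as gaining hostnames ("hw-address": "00:00:00:11:22:33" becomes "duid": "00:11:22:33"), and the new comment does not mention that. Please say in the comment that these hosts are matched by DUID, and confirm that the shortened four-byte values are intended rather than a leftover from trimming the MAC addresses. The comment also carries the typo "know-client only pool", which should be "known-client only pool".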
"client-class": "cable-modems",
"interface": "ethX"
},
-// The following subnet contains a class reservation for a client using
-// DUID 01:02:03:04:05:0A:0B:0C:0D:0E. This client will always be assigned
-// to this class.
+
+ // The following subnet contains a class reservation for a client using
+ // DUID 01:02:03:04:05:0A:0B:0C:0D:0E. This client will always be assigned
+ // to this class.
{
"pools": [ { "pool": "2001:db8:2::/80" } ],
"subnet": "2001:db8:2::/64",
} ],
"interface": "ethX"
},
-// The following subnet contains a pool with a class constraint: only
-// clients which belong to the class are allowed to use this pool.
+
+ // The following subnet contains a pool with a class constraint: only
+ // clients which belong to the class are allowed to use this pool.
{
"pools": [
{
...
],
...
+}</screen>
+ </para>
+
+ <para>
+ The following example shows restricting access to an address pool.
+ This configuration will restrict use of the addresses 2001:db8:1::1
+ to 2001:db8:1::FFFF to members of the "Client_enterprise" class.
+ <screen>
+"Dhcp6": {
+ "client-classes": [
+ {
+ "name": "Client_enterprise_",
+ "test": "substring(option[1].hex,0,6) == 0x0002AABBCCDD'",
+ "option-data": [
+ {
+ "name": "dns-servers",
+ "code": 23,
+ "space": "dhcp6",
+ "csv-format": true,
+ "data": "2001:db8:0::1, 2001:db8:2::1"
+ }
+ ]
+ },
+ ...
+ ],
+ "subnet6": [
+ {
+ "subnet": "2001:db8:1::/64",
+ <userinput>
+ "pools": [
+ {
+ "pool": "2001:db8:1::-2001:db8:1::ffff",
+ "client-class": "Client_foo"
+ }
+ ]</userinput>
+ },
+ ...
+ ],
+ ...
}</screen>
</para>
</section>
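Review bot: the class name in the new pool example is inconsistent in three places, so the pool guard points at a class the example never defines. The paragraph says "Client_enterprise", the class definition uses "name": "Client_enterprise_" with a trailing underscore, and the pool uses "client-class": "Client_foo". Pick one name and use it in all three. Two smaller points in the same block: the test expression ends with a stray apostrophe before the closing quote (0x0002AABBCCDD'), and the text promises 2001:db8:1::1 to 2001:db8:1::FFFF while the pool is written as "2001:db8:1::-2001:db8:1::ffff", which starts one address earlier.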
</para>
<para>
- When subnets belong to a shared network the classification applies
- to subnet selection but not to pools, e.g., a pool in a subnet
- limited to a particular class can still be used by clients which do not
- belong to the class if the pool they are expected to use is exhausted.
- So the limit access based on class information is also available
- at the pool level, see <xref linkend="classification-pools"/>.
+ Client classification can also be used to restrict access to specific
+ pools within a subnet. This is useful when to segregate clients belonging
+ to the same subnet into different address ranges.
</para>
<para>
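Review bot: the removed paragraph carried a caveat that the replacement drops: for subnets in a shared network, classification applies to subnet selection but not to pools, so a client outside the class can still end up using a class-limited subnet's pool when its expected pool is exhausted. That is the reason pool-level restriction matters, and readers relying on subnet-level classes for access control need to see it. Consider keeping one sentence of that caveat ahead of the new text, and keeping the xref to classification-pools so the new paragraph still links to the worked example.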
</para>
<para>
- When subnets belong to a shared network the classification applies
- to subnet selection but not to pools, e.g., a pool in a subnet
- limited to a particular class can still be used by clients which do not
- belong to the class if the pool they are expected to use is exhausted.
- So the limit access based on class information is also available
- at the address/prefix pool level, see <xref
- linkend="classification-pools"/>.
+ Client classification can also be used to restrict access to specific
+ pools within a subnet. This is useful when to segregate clients belonging
+ to the same subnet into different address ranges.
</para>
<para>
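Review bot: the second added sentence is ungrammatical, "This is useful when to segregate clients" should be "This is useful to segregate clients" or "This is useful when segregating clients". The rewrite also removes the only link in this paragraph, the xref with linkend="classification-pools", and with it the note that the restriction is available at the address/prefix pool level; please keep the xref and say whether prefix pools are covered as well as address pools.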