# $Id: common.conf 1384 2010-10-19 01:04:54Z jhealy $ # # Common DHCP server configuration file. Should be included by both # failover peers for proper operation. # #----------------------------------------------------------------------- # Overview #----------------------------------------------------------------------- # File created by Jason Healy (jhealy@suffieldacademy.org) # This configuration is for the entire Suffield Academy network. In # accordance with DHCP config rules, all connected subnets are mentioned # in this file, even if they do not have DHCP service on them. Thus, this # file represents an accurate map of the entire Suffield Network. # In general, on the subnets where DHCP is enabled, we follow this pattern: # # 1) A chunk of address space at the beginning of each subnet is not touched # by DHCP. This allows for the addition of static hosts later without # having to worry about address conflicts. # 2) The next chunk of address space is reserved for "registered" DHCP # leases. These are leases where the MAC address is known to the server. # 3) Finally, a chunk of address space is allocated for regular DHCP # that any client may use. These are the "rogue" addresses. # The DHCP server is configured to automagically update the DNS records of # the leases it has. Thus, the only information that needs to go in DNS are # records for non-DHCP addresses (e.g., servers). All other machines, # including the "static" leases above, are automatically handled by the DHCP # server. This provides both forward- and reverse-lookup capability for all # hosts automatically. The hostnames used are either those specified by the # client (for users that have given their machine a hostname), those specified # by the "static" leases (in our config files), or an automatically generated # dynamic name if no other name can be found. # Dynamic DNS updates are performed using a shared-secret implementation. The # key files are generated and stored on disk. Because both the DNS and DHCP # server reside on the same machine, they simply include the same on-disk key # files. Should the services ever be split up on different machines, the # key files will need to be copied to both machines. # (End of introduction -- configuration options begin below) # Global options include "/etc/dhcp.d/global-options.inc"; # DDNS options include "/etc/dhcp.d/ddns-options.inc"; #----------------------------------------------------------------------- # Client Groupings #----------------------------------------------------------------------- # Net group { ddns-updates true; ddns-domainname "net.suffieldacademy.org"; use-host-decl-names on; include "/etc/dhcp.d/clients_net.inc"; # identify Aruba APs and send them special options subclass "vendor-class" "ArubaAP" { option vendor-class-identifier "ArubaAP"; option serverip 172.19.32.3; } # include separate file of AP host declarations include "/etc/dhcp.d/clients_net_aruba.inc"; } # Gear group { ddns-updates true; ddns-domainname "gear.suffieldacademy.org"; use-host-decl-names on; include "/etc/dhcp.d/clients_gear.inc"; # autogenerated print file include "/etc/dhcp.d/clients_gear_printers.inc"; } # Faculty group { ddns-updates true; ddns-domainname "faculty.suffieldacademy.org"; use-host-decl-names on; include "/etc/dhcp.d/clients_faculty.inc"; } # Students group { ddns-updates true; ddns-domainname "students.suffieldacademy.org"; use-host-decl-names on; include "/etc/dhcp.d/clients_students.inc"; } #----------------------------------------------------------------------- # Subnet Declarations #----------------------------------------------------------------------- # Template subnet: # (Note that all pools have "deny dynamic bootp clients". This is a # a requirement for failover.) # subnet 172...0 netmask 255.240.0.0 { # option routers 172...1; # option subnet-mask 255.255.240.0; # option broadcast-address 172...255; # # Registered Clients # pool { # range 172...0 172...255; # deny unknown clients; # failover peer "suffield"; # deny dynamic bootp clients; # } # # Rogue Clients # pool { # range 172...0 172...254; # allow unknown clients; # failover peer "suffield"; # deny dynamic bootp clients; # } # } # Private internal subnet: Failover subnet 172.31.254.0 netmask 255.255.255.0 { # no automated service on this subnet } # Equipment-Default subnet 172.31.0.0 netmask 255.255.128.0 { option routers 172.31.0.1; option subnet-mask 255.255.128.0; option broadcast-address 172.31.31.255; # Registered Clients pool { range 172.31.31.0 172.31.31.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients # do not allow rogues onto this network } # DMZ-Default subnet 172.30.0.0 netmask 255.255.0.0 { option routers 172.30.0.1; option subnet-mask 255.255.0.0; option broadcast-address 172.30.255.255; # VPN Range is 172.30.127.0 - 172.30.127.255 # Registered Clients pool { range 172.30.128.0 172.30.253.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.30.254.0 172.30.255.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Trusted-Default subnet 172.28.0.0 netmask 255.255.224.0 { option routers 172.28.0.1; option subnet-mask 255.255.224.0; option broadcast-address 172.28.31.255; # Registered Clients pool { range 172.28.2.0 172.28.27.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.28.28.0 172.28.31.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Trusted-Netadmin subnet 172.28.32.0 netmask 255.255.240.0 { option routers 172.28.32.1; option subnet-mask 255.255.240.0; option broadcast-address 172.28.47.255; # Registered Clients pool { range 172.28.34.0 172.28.43.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.28.44.0 172.28.47.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Trusted-FacultyApartments subnet 172.28.48.0 netmask 255.255.240.0 { option routers 172.28.48.1; option subnet-mask 255.255.240.0; option broadcast-address 172.28.63.255; # Registered Clients pool { range 172.28.50.0 172.28.59.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.28.60.0 172.28.63.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Trusted-Wireless subnet 172.28.64.0 netmask 255.255.240.0 { option routers 172.28.64.1; option subnet-mask 255.255.240.0; option broadcast-address 172.28.79.255; # Registered Clients pool { range 172.28.66.0 172.28.75.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.28.76.0 172.28.79.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Public-Wireless subnet 172.24.0.0 netmask 255.255.224.0 { option routers 172.24.0.1; option subnet-mask 255.255.224.0; option broadcast-address 172.24.31.255; # Registered Clients pool { range 172.24.2.0 172.24.27.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.24.28.0 172.24.31.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Public-Default subnet 172.24.32.0 netmask 255.255.240.0 { option routers 172.24.32.1; option subnet-mask 255.255.240.0; option broadcast-address 172.24.47.255; # Registered Clients pool { range 172.24.34.0 172.24.43.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.24.44.0 172.24.47.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Public-Labs subnet 172.24.48.0 netmask 255.255.240.0 { option routers 172.24.48.1; option subnet-mask 255.255.240.0; option broadcast-address 172.24.63.255; # Registered Clients pool { range 172.24.50.0 172.24.59.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.24.60.0 172.24.63.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Public-Library subnet 172.24.64.0 netmask 255.255.240.0 { option routers 172.24.64.1; option subnet-mask 255.255.240.0; option broadcast-address 172.24.79.255; # Registered Clients pool { range 172.24.66.0 172.24.75.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.24.76.0 172.24.79.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Public-StudentUnion subnet 172.24.80.0 netmask 255.255.240.0 { option routers 172.24.80.1; option subnet-mask 255.255.240.0; option broadcast-address 172.24.95.255; # Registered Clients pool { range 172.24.82.0 172.24.91.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.24.92.0 172.24.95.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Student-Dorm-Academy subnet 172.22.0.0 netmask 255.255.240.0 { option routers 172.22.0.1; option subnet-mask 255.255.240.0; option broadcast-address 172.22.15.255; # Registered Clients pool { range 172.22.2.0 172.22.11.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.22.12.0 172.22.15.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Student-Dorm-Barnes subnet 172.22.16.0 netmask 255.255.240.0 { option routers 172.22.16.1; option subnet-mask 255.255.240.0; option broadcast-address 172.22.31.255; # Registered Clients pool { range 172.22.18.0 172.22.27.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.22.28.0 172.22.31.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Student-Dorm-Brewster subnet 172.22.32.0 netmask 255.255.240.0 { option routers 172.22.32.1; option subnet-mask 255.255.240.0; option broadcast-address 172.22.47.255; # Registered Clients pool { range 172.22.34.0 172.22.43.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.22.44.0 172.22.47.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Student-Dorm-Fuller subnet 172.22.48.0 netmask 255.255.240.0 { option routers 172.22.48.1; option subnet-mask 255.255.240.0; option broadcast-address 172.22.63.255; # Registered Clients pool { range 172.22.50.0 172.22.59.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.22.60.0 172.22.63.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Student-Dorm-Hornick subnet 172.22.64.0 netmask 255.255.240.0 { option routers 172.22.64.1; option subnet-mask 255.255.240.0; option broadcast-address 172.22.79.255; # Registered Clients pool { range 172.22.66.0 172.22.75.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.22.76.0 172.22.79.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Student-Dorm-Kotchen subnet 172.22.80.0 netmask 255.255.240.0 { option routers 172.22.80.1; option subnet-mask 255.255.240.0; option broadcast-address 172.22.95.255; # Registered Clients pool { range 172.22.82.0 172.22.91.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.22.92.0 172.22.95.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Student-Dorm-Montgomery subnet 172.22.96.0 netmask 255.255.240.0 { option routers 172.22.96.1; option subnet-mask 255.255.240.0; option broadcast-address 172.22.111.255; # Registered Clients pool { range 172.22.98.0 172.22.107.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.22.108.0 172.22.111.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Student-Dorm-Nathena subnet 172.22.112.0 netmask 255.255.240.0 { option routers 172.22.112.1; option subnet-mask 255.255.240.0; option broadcast-address 172.22.127.255; # Registered Clients pool { range 172.22.114.0 172.22.123.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.22.124.0 172.22.127.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Student-Dorm-Spencer subnet 172.22.128.0 netmask 255.255.240.0 { option routers 172.22.128.1; option subnet-mask 255.255.240.0; option broadcast-address 172.22.143.255; # Registered Clients pool { range 172.22.130.0 172.22.139.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.22.140.0 172.22.143.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Student-Dorm-Samii subnet 172.22.144.0 netmask 255.255.240.0 { option routers 172.22.144.1; option subnet-mask 255.255.240.0; option broadcast-address 172.22.159.255; # Registered Clients pool { range 172.22.146.0 172.22.155.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.22.156.0 172.22.159.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Student-Dorm-Tompkins subnet 172.22.160.0 netmask 255.255.240.0 { option routers 172.22.160.1; option subnet-mask 255.255.240.0; option broadcast-address 172.22.175.255; # Registered Clients pool { range 172.22.162.0 172.22.171.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.22.172.0 172.22.175.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # Student-Dorm-New4 subnet 172.22.176.0 netmask 255.255.240.0 { option routers 172.22.176.1; option subnet-mask 255.255.240.0; option broadcast-address 172.22.191.255; # Registered Clients pool { range 172.22.178.0 172.22.187.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.22.188.0 172.22.191.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 11: Guest-Authed subnet 172.16.0.0 netmask 255.255.224.0 { option routers 172.16.0.1; option subnet-mask 255.255.224.0; option broadcast-address 172.16.31.255; # Registered Clients pool { range 172.16.2.0 172.16.27.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.16.28.0 172.16.31.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 12: Guest-MAC subnet 172.16.32.0 netmask 255.255.224.0 { option routers 172.16.32.1; option subnet-mask 255.255.224.0; option broadcast-address 172.16.63.255; # Registered Clients pool { range 172.16.34.0 172.16.59.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.16.60.0 172.16.63.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 13: Guest-Static subnet 172.16.64.0 netmask 255.255.224.0 { option routers 172.16.64.1; option subnet-mask 255.255.224.0; option broadcast-address 172.16.95.255; # Registered Clients pool { range 172.16.66.0 172.16.91.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.16.92.0 172.16.95.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 14: Guest-Heaven subnet 172.16.96.0 netmask 255.255.224.0 { option routers 172.16.96.1; option subnet-mask 255.255.224.0; option broadcast-address 172.16.127.255; # Registered Clients pool { range 172.16.98.0 172.16.123.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.16.124.0 172.16.127.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 15: Guest-Hell subnet 172.16.128.0 netmask 255.255.224.0 { option routers 172.16.128.1; option subnet-mask 255.255.224.0; option broadcast-address 172.16.159.255; # Registered Clients pool { range 172.16.130.0 172.16.155.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.16.156.0 172.16.159.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 21: Students-Authed subnet 172.17.0.0 netmask 255.255.224.0 { option routers 172.17.0.1; option subnet-mask 255.255.224.0; option broadcast-address 172.17.31.255; # Registered Clients pool { range 172.17.2.0 172.17.27.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.17.28.0 172.17.31.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 22: Students-MAC subnet 172.17.32.0 netmask 255.255.224.0 { option routers 172.17.32.1; option subnet-mask 255.255.224.0; option broadcast-address 172.17.63.255; # Registered Clients pool { range 172.17.34.0 172.17.59.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.17.60.0 172.17.63.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 23: Students-Static subnet 172.17.64.0 netmask 255.255.224.0 { option routers 172.17.64.1; option subnet-mask 255.255.224.0; option broadcast-address 172.17.95.255; # Registered Clients pool { range 172.17.66.0 172.17.91.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.17.92.0 172.17.95.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 24: Students-Heaven subnet 172.17.96.0 netmask 255.255.224.0 { option routers 172.17.96.1; option subnet-mask 255.255.224.0; option broadcast-address 172.17.127.255; # Registered Clients pool { range 172.17.98.0 172.17.123.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.17.124.0 172.17.127.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 25: Students-Hell subnet 172.17.128.0 netmask 255.255.224.0 { option routers 172.17.128.1; option subnet-mask 255.255.224.0; option broadcast-address 172.17.159.255; # Registered Clients pool { range 172.17.130.0 172.17.155.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.17.156.0 172.17.159.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 31: FacStaff-Authed subnet 172.18.0.0 netmask 255.255.224.0 { option routers 172.18.0.1; option subnet-mask 255.255.224.0; option broadcast-address 172.18.31.255; # Registered Clients pool { range 172.18.2.0 172.18.27.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.18.28.0 172.18.31.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 32: FacStaff-MAC subnet 172.18.32.0 netmask 255.255.224.0 { option routers 172.18.32.1; option subnet-mask 255.255.224.0; option broadcast-address 172.18.63.255; # Registered Clients pool { range 172.18.34.0 172.18.59.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.18.60.0 172.18.63.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 33: FacStaff-Static subnet 172.18.64.0 netmask 255.255.224.0 { option routers 172.18.64.1; option subnet-mask 255.255.224.0; option broadcast-address 172.18.95.255; # Registered Clients pool { range 172.18.66.0 172.18.91.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.18.92.0 172.18.95.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 34: FacStaff-Heaven subnet 172.18.96.0 netmask 255.255.224.0 { option routers 172.18.96.1; option subnet-mask 255.255.224.0; option broadcast-address 172.18.127.255; # Registered Clients pool { range 172.18.98.0 172.18.123.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.18.124.0 172.18.127.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 35: FacStaff-Hell subnet 172.18.128.0 netmask 255.255.224.0 { option routers 172.18.128.1; option subnet-mask 255.255.224.0; option broadcast-address 172.18.159.255; # Registered Clients pool { range 172.18.130.0 172.18.155.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.18.156.0 172.18.159.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 41: Netadmin subnet 172.19.0.0 netmask 255.255.224.0 { option routers 172.19.0.1; option subnet-mask 255.255.224.0; option broadcast-address 172.19.31.255; # Registered Clients pool { range 172.19.2.0 172.19.27.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.19.28.0 172.19.31.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 42: Wifi subnet 172.19.32.0 netmask 255.255.224.0 { option routers 172.19.32.1; option subnet-mask 255.255.224.0; option broadcast-address 172.19.63.255; # Registered Clients pool { range 172.19.56.0 172.19.59.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.19.60.0 172.19.63.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 43: Jail subnet 172.19.64.0 netmask 255.255.224.0 { option routers 172.19.64.1; option subnet-mask 255.255.224.0; option broadcast-address 172.19.95.255; # Registered Clients pool { range 172.19.66.0 172.19.91.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.19.92.0 172.19.95.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 44: Gear subnet 172.19.96.0 netmask 255.255.224.0 { option routers 172.19.96.1; option subnet-mask 255.255.224.0; option broadcast-address 172.19.127.255; # Registered Clients pool { range 172.19.98.0 172.19.123.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.19.124.0 172.19.127.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 45: Labs subnet 172.19.128.0 netmask 255.255.224.0 { option routers 172.19.128.1; option subnet-mask 255.255.224.0; option broadcast-address 172.19.159.255; # Registered Clients pool { range 172.19.130.0 172.19.155.255; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.19.156.0 172.19.159.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } } # VLAN 48: BMS (Building Management) subnet 172.19.194.0 netmask 255.255.255.0 { option routers 172.19.194.1; option subnet-mask 255.255.255.0; option broadcast-address 172.19.194.255; # Registered Clients pool { range 172.19.194.200 172.19.194.229; deny unknown clients; failover peer "suffield"; deny dynamic bootp clients; } # Rogue Clients pool { range 172.19.194.230 172.19.194.254; allow unknown clients; failover peer "suffield"; deny dynamic bootp clients; } }