Security and network administrators are increasingly wary of internal security threats, in addition to threats from the outside, due to the introduction of uncertified hardware and software on the network, such as personal portable computers and mobile devices that can be potentially compromised and not compliant to the security practices of the organization. Link layer-based filtering for Dynamic Host Configuration Protocol (DHCP) introduced in Windows Server 2008 R2 enables administrators to control network access based on media access control (MAC) address, providing a low-level security method. The link layer filtering controls allow the administrator to specify which MAC addresses are allowed on the network and which are denied access. You can use wild cards to allow or deny network access based on vendor MAC prefixes.
DHCP PowerShell introduced in Windows Server 2012 makes it very easy and seamless for admins to manage Link Layer filtering for IPv4 clients.
The following cmdlets are provided to manage link layer filtering on the DHCP server:
Get-DhcpServerv4FilterList: Gets the enabled/disabled state of allow and deny filter list set.
Set-DhcpServerv4FilterList: Enables/Disables the allow and the deny MAC address filter lists.
Get-DhcpServerv4Filter: Gets the list of all MAC addresses from the allow and/or the deny list.
Add-DhcpServerv4Filter: Adds one or more MAC address filters to the allow or deny list.
Remove-DhcpServerv4Filter: Removes the specified MAC address or MAC address pattern from the allow list or the deny list of the DHCP server.
If you want to add a large list of MAC addresses to the allow or deny filter list, an input text file in CSV format can be used to provide the MAC address filter list to be configured on the DHCP server. This data can be piped to the Add-DhcpServerv4Filter cmdlet to add the complete list to the DHCP server. The input text file (filter.csv in the example used later) containing the MAC address filters should have the following format:
List,MacAddress,Description
Allow,1a-1b-1c-1d-1e-1f,Filter for Computer1
Allow,2a-2b-2c-2d-2e-2f,Filter for Computer2
Deny,3a-3b-3c-3d-3e-3f,Filter for Computer3
Allow,4a-4b-4c-4d-4e-4f,Filter for Computer4
The following command adds all these filters to the local DHCP Server.
Import-Csv Filter.csv | Add-DhcpServerv4Filter -Force
The Import-Csv cmdlet converts each data record in filter.csv to an object containing List, MacAddress and Description as members of the object. Each object created by Import-Csv is sent through the pipeline to Add-DhcpServerv4Filter which adds the MAC address records to the filter list on the DHCP server.
The -Force parameter ensures that if a filter for the same MAC address already exists, it is overwritten. If -Force is not given and the MAC address being added already exists in the list on the DHCP server, the cmdlet returns an error.
If filters need to be added to a DHCP server running on a remote machine, the -ComputerName parameter can be used to specify the remote DHCP server. Without the ComputerName parameter, as in the example above, the filters are added to the DHCP server running on the local computer.
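The bulk-load procedure above, carried through end to end as an added example (this script is not from the original post or from the DhcpServer module's documentation): it validates each CSV record before piping it to Add-DhcpServerv4Filter, pushes the same list to every server in a failover pair (filters are a per-server setting and are not replicated by DHCP failover), refuses to switch on an empty allow list (an enabled allow list with no entries would deny leases to every client), and then reads the result back with Get-DhcpServerv4FilterList and Get-DhcpServerv4Filter. The server names dhcp01/dhcp02, the path C:\dhcp\filter.csv and the regular expression used to accept a vendor-prefix wildcard are assumptions for illustration.

```powershell
# Added example, not the original post's code. Assumes the DhcpServer module is
# installed and that the caller has DHCP administrator rights on each server.
param(
    [string]$CsvPath       = 'C:\dhcp\filter.csv',          # placeholder path
    [string[]]$DhcpServers = @('dhcp01', 'dhcp02')          # placeholder failover pair
)

Import-Module DhcpServer

# Accept either a full MAC (aa-bb-cc-dd-ee-ff) or a vendor prefix followed by '*'.
# The wildcard form is an assumption about the filter syntax, based on the
# post's note that wildcards can match vendor prefixes.
$macPattern = '^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$|^([0-9A-Fa-f]{2}-){1,5}\*$'

# Import-Csv maps the header row (List,MacAddress,Description) to object
# properties, which Add-DhcpServerv4Filter binds by property name.
$records = Import-Csv -Path $CsvPath
$valid   = @()
foreach ($r in $records) {
    if ($r.List -notin 'Allow', 'Deny') {
        Write-Warning "Skipping '$($r.MacAddress)': List must be Allow or Deny (got '$($r.List)')"
        continue
    }
    $mac = $r.MacAddress.Trim()
    if ($mac -notmatch $macPattern) {
        Write-Warning "Skipping '$mac': not a MAC address or vendor-prefix wildcard"
        continue
    }
    $valid += [pscustomobject]@{
        List        = $r.List
        MacAddress  = $mac
        Description = $r.Description.Trim()
    }
}

foreach ($server in $DhcpServers) {
    # -Force overwrites an existing entry for the same MAC instead of erroring.
    $valid | Add-DhcpServerv4Filter -ComputerName $server -Force

    # Guard: enabling the allow list while it is empty would block every client.
    $allowCount = @(Get-DhcpServerv4Filter -ComputerName $server -List Allow).Count
    if ($allowCount -eq 0) {
        Write-Warning "$server: allow list is empty; leaving it disabled and enabling only the deny list."
        Set-DhcpServerv4FilterList -ComputerName $server -Allow $false -Deny $true
    } else {
        Set-DhcpServerv4FilterList -ComputerName $server -Allow $true -Deny $true
    }

    # Read back what the server now enforces so the change can be checked.
    Write-Host "=== $server ==="
    Get-DhcpServerv4FilterList -ComputerName $server
    Get-DhcpServerv4Filter -ComputerName $server |
        Format-Table List, MacAddress, Description -AutoSize
}
```

Because the allow and deny lists are global to the server rather than per scope, the read-back at the end is worth keeping in any change procedure: a filter entry that was silently skipped by validation, or a list that was never enabled, shows up there immediately rather than as a client that unexpectedly does or does not receive a lease.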
Hope this blog added another tool in your PowerShell armory!
The MAC filter is a great thing but I don't understand why in the failover they are not replicated
Stefano, you can use the IPAM console in 2012R2 to configure the MAC filters on the DHCP server. IPAM will perform the configuration on both the DHCP servers. Alternatively, you can use the PowerShell script provided in the following blog -
What is the difference between the Allow & Deny filters and an allow/deny policy? In my testing, if I have a policy that allows only certain MAC addresses, adding MAC addresses to the allow or deny filter doesn't do anything. Why have both? Please point me to documentation that details the use of filters vs. the use of policies. Thanks!
Ben, allow and deny filters are server level/global settings and apply to all scopes on the DHCP server. With MAC address based policy, you can apply different filters to different scopes on the DHCP server.
What about DHCPv6? What are the options for MAC address filtering on DHCPv6?
Erwan, MAC address filtering is not supported by Windows DHCPv6 server