DHCP MAC address Filter management made easy with DHCP PowerShell

Security and network administrators are increasingly wary of internal security threats, in addition to threats from the outside, due to the introduction of uncertified hardware and software on the network, such as personal portable computers and mobile devices that can be potentially compromised and not compliant to the security practices of the organization. Link layer-based filtering for Dynamic Host Configuration Protocol (DHCP) introduced in Windows Server 2008 R2 enables administrators to control network access based on media access control (MAC) address, providing a low-level security method. The link layer filtering controls allow the administrator to specify which MAC addresses are allowed on the network and which are denied access. You can use wild cards to allow or deny network access based on vendor MAC prefixes.

DHCP PowerShell introduced in Windows Server 2012 makes it very easy and seamless for admins to manage Link Layer filtering for IPv4 clients.

The following cmdlets are provided to manage Link Layer Filtering on the DHCP server:

Get-DhcpServerv4FilterList: Gets the enabled/disabled state of the allow and deny filter lists.

Set-DhcpServerv4FilterList: Enables or disables the allow and the deny MAC address filter lists.

Get-DhcpServerv4Filter: Gets the list of all MAC addresses from the allow and/or the deny list.

Add-DhcpServerv4Filter: Adds one or more MAC address filters to the allow or deny list.

Remove-DhcpServerv4Filter: Removes the specified MAC address or MAC address pattern from the allow list or the deny list of the DHCP server.

If you want to add a large list of MAC addresses to the allow or deny filter list, an input text file in CSV format can be used to provide the MAC address filters to be configured on the DHCP server. This data can be piped to the Add-DhcpServerv4Filter cmdlet to add the complete list to the DHCP server. The input text file (filter.csv in the example used later) containing the MAC address filters should have the following format:

List,MacAddress,Description
Allow,1a-1b-1c-1d-1e-1f,Filter for Computer1
Allow,2a-2b-2c-2d-2e-2f,Filter for Computer2
Deny,3a-3b-3c-3d-3e-3f,Filter for Computer3
Allow,4a-4b-4c-4d-4e-4f,Filter for Computer4

The following command adds all of these filters to the local DHCP server:

Import-Csv Filter.csv | Add-DhcpServerv4Filter -Force

The Import-Csv cmdlet converts each data record in filter.csv to an object containing List, MacAddress and Description as members of the object. Each object created by Import-Csv is sent through the pipeline to Add-DhcpServerv4Filter which adds the MAC address records to the filter list on the DHCP server.

The -Force parameter ensures that if a filter for the same MAC address already exists, it is overwritten. If -Force is not given and a MAC address being added already exists in the list on the DHCP server, the cmdlet returns an error.

If filters need to be added to a DHCP server running on a remote machine, the -ComputerName parameter can be used to specify the remote DHCP server. Without the -ComputerName parameter, as in the example above, the filters are added to the DHCP server running on the local computer.
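The whole procedure above carried through as one script (an added example, not code from the original post): the CSV is validated and normalised before it is piped to Add-DhcpServerv4Filter, the lists are then enabled with Set-DhcpServerv4FilterList, and the server's resulting filters are exported back in the same List,MacAddress,Description layout so the file can be re-imported. It assumes the DhcpServer module is available, that Get-DhcpServerv4Filter output exposes List, MacAddress and Description members, and that a vendor prefix is written with a trailing * wildcard; the parameter names $Path, $ComputerName and $ExportPath are this script's own.

```powershell
# Added example (not from the original post): bulk-load MAC filters from
# filter.csv with validation, enable the lists, verify, and export them back
# in the importable CSV format. Assumes the DhcpServer module is present and
# that Get-DhcpServerv4Filter returns List/MacAddress/Description members.
param(
    [string]$Path         = '.\filter.csv',
    [string]$ComputerName = $env:COMPUTERNAME,  # a remote server name works here too
    [string]$ExportPath   = '.\filter-export.csv'
)

Import-Module DhcpServer -ErrorAction Stop

# Accept a full MAC (six hex octets, '-' or ':' separated) or a vendor prefix
# ending in '*' (assumed wildcard form); anything else is skipped, not sent.
$macPattern = '^([0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$|^([0-9A-Fa-f]{2}[-:]){1,5}\*$'

$valid = @()
foreach ($r in (Import-Csv -Path $Path)) {
    $mac = $r.MacAddress.Trim()
    if ($r.List -notin @('Allow', 'Deny')) {
        Write-Warning "Skipping '$mac': List must be Allow or Deny, got '$($r.List)'"
        continue
    }
    if ($mac -notmatch $macPattern) {
        Write-Warning "Skipping '$mac': not a valid MAC address or vendor prefix"
        continue
    }
    # Normalise to upper-case, '-' separators and a trimmed description so the
    # same device cannot appear twice under different spellings
    $valid += [pscustomobject]@{
        List        = $r.List
        MacAddress  = ($mac -replace ':', '-').ToUpper()
        Description = $r.Description.Trim()
    }
}

# -Force overwrites an existing filter for the same MAC instead of erroring
$valid | Add-DhcpServerv4Filter -ComputerName $ComputerName -Force

# Filters only take effect once the corresponding list is enabled
Set-DhcpServerv4FilterList -ComputerName $ComputerName -Allow $true -Deny $true
Get-DhcpServerv4FilterList -ComputerName $ComputerName

# Verify what the server now holds and write it out in the same
# List,MacAddress,Description layout, ready for Import-Csv again
Get-DhcpServerv4Filter -ComputerName $ComputerName |
    Select-Object List, MacAddress, Description |
    Export-Csv -Path $ExportPath -NoTypeInformation
```

Because enabling the allow list denies every client that is not on it, run the import and check the exported file before the Set-DhcpServerv4FilterList step on a production server.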

Hope this blog added another tool to your PowerShell armory!

Comments

  • Anonymous
    December 18, 2014
    The MAC filter is a great thing but I don't understand why in the failover they are not replicated
  • Anonymous
    December 18, 2014
    Stefano, you can use the IPAM console in 2012R2 to configure the MAC filters on the DHCP server. IPAM will perform the configuration on both the DHCP servers. Alternatively, you can use the PowerShell script provided in the following blog - http://blogs.technet.com/b/teamdhcp/archive/2012/11/27/automatic-syncing-of-scope-configuration-changes-between-2-dhcp-failover-servers.aspx
  • Anonymous
    December 28, 2014
    What is the difference between the Allow & Deny filters and an allow/deny policy? In my testing, if I have a policy that allows only certain MAC addresses, adding MAC addresses to the allow or deny filter doesn't do anything. Why have both? Please point me to documentation that details the use of filters vs. the use of policies. Thanks!
  • Anonymous
    January 02, 2015
    Ben, allow and deny filters are server level/global settings and apply to all scopes on the DHCP server. With MAC address based policy, you can apply different filters to different scopes on the DHCP server.
  • Anonymous
    February 11, 2015
    What about DHCPv6? What are the options for MAC address filtering on DHCPv6?
  • Anonymous
    February 11, 2015
    Erwan, MAC address filtering is not supported by the Windows DHCPv6 server.
  • Anonymous
    July 28, 2015
    What about importing the MACs into a policy? Instead of copy/paste/add?
  • Anonymous
    July 29, 2015
    Hello Linc, please take a look at the script at the link below, which takes an input file of MAC addresses and creates a MAC address based policy.
    https://gallery.technet.microsoft.com/scriptcenter/Scope-based-Link-Layer-64c8ab30
  • Anonymous
    September 17, 2015
    The export list function in filters doesn't create a list in the importable format?
  • Anonymous
    November 28, 2015
    If in my DHCP I have three scopes, one is for my wifi. I want to remove that from MAC filtering; how do I do that?

    Basically my question is how to exclude one scope from MAC filtering.
  • Anonymous
    November 29, 2015
    Hi Srijit, if you need to filter clients based on MAC address only in 2 of the scopes, you will need to use scope level MAC filtering using DHCP policies. Please see the blog at http://blogs.technet.com/b/teamdhcp/archive/2012/09/15/scope-level-link-layer-filtering-using-dhcp-policies-in-windows-server-2012.aspx