Link Layer Based Filtering?

Overview

Heightened threat perception has led enterprises to instrument and enable security at many levels of the IT infrastructure. Network and system administrators are increasingly security conscious and are constantly looking to insulate their systems from threats that may arise when new clients or devices are added to their networks. The proliferation of IP-enabled devices in an enterprise poses security challenges for a network administrator. Administrators want to control specifically which clients can use enterprise network resources and, conversely, which rogue clients should be explicitly denied access to the network.

This kind of access control is precisely what the MAC address based filtering feature in the Windows Server 2008 R2 DHCP Server provides. The feature puts another low-level network access control lever in the hands of the administrator. MAC address based filtering provides a mechanism for issuing or denying DHCP leases and other network configuration based on MAC addresses. It provides an additional layer of security on the network and allows administrators to filter incoming DHCP requests to the DHCP server based on the MAC address of the DHCP client. The Windows Server 2008 R2 DHCP server has an allow list and a deny list, which can be populated with the MAC addresses of clients that are to be allowed or denied, respectively, IP address leases and other network configuration.
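The allow/deny evaluation described above, modelled as an added example (not code from the DHCP Server team or from Windows). It assumes the behaviour documented for the feature, that an enforced deny list is checked first and an enforced allow list rejects every client not on it; the function names, the sample addresses and the trailing-`*`-only wildcard handling are assumptions of this sketch.

```python
import re

SEP = re.compile(r"[-:.]")

def normalize(mac):
    """Return the MAC as 12 lowercase hex digits; raise ValueError otherwise."""
    digits = SEP.sub("", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def compile_filter(entry):
    """Turn a list entry into (hex_prefix, is_wildcard).

    Simplification assumed here: '*' may only appear at the end, so
    '00-1C-23-*' and '*' are accepted, '00-*-23' is rejected.
    """
    text = SEP.sub("", entry.strip()).lower()
    m = re.fullmatch(r"([0-9a-f]{0,12})(\**)", text)
    if not m or (not m.group(2) and len(m.group(1)) != 12):
        raise ValueError(f"bad filter entry: {entry!r}")
    return m.group(1), bool(m.group(2))

def matches(mac, filters):
    return any(mac.startswith(p) if wild else mac == p for p, wild in filters)

def decide(mac, allow, deny, enforce_allow, enforce_deny):
    """Model of the lease decision for one DHCP request."""
    mac = normalize(mac)
    if enforce_deny and matches(mac, [compile_filter(e) for e in deny]):
        return "deny: matched deny list"      # deny is checked first
    if enforce_allow and not matches(mac, [compile_filter(e) for e in allow]):
        return "deny: not in allow list"      # allow list acts as default-deny
    return "lease"

# Constructed sample addresses, not taken from the page.
KNOWN = "00-1C-23-20-AF-01"
UNKNOWN = "02:00:5e:10:00:07"

def demo():
    return {
        # '*' in deny plus an allow entry: deny wins, nobody gets a lease.
        "star_deny": decide(KNOWN, [KNOWN], ["*"], True, True),
        # Allow list alone gives "only listed clients".
        "allow_only_known": decide(KNOWN, [KNOWN], [], True, False),
        "allow_only_unknown": decide(UNKNOWN, [KNOWN], [], True, False),
        # Deny list alone blocks a vendor prefix and serves everyone else.
        "deny_prefix": decide(KNOWN, [], ["00-1C-23-*"], False, True),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

The filter only decides whether the DHCP server answers a request, and the MAC address it keys on is whatever the client reports. A host with a statically configured address never asks for a lease, so the filter works as one layer alongside switch-port controls rather than as the only gate.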

Sample Scenarios

 

 

Scope

 

Comments

  • Anonymous
    January 01, 2003
    This tool can be used by DHCP Administrators to view all the events generated by Windows DHCP Server

  • Anonymous
    January 01, 2003
    Hello Everybody, Thanks for all those who tried the MacFilterCallout dll. As you all must have checked

  • Anonymous
    January 01, 2003
    Hey Pete, In case you were using the MacFilterCallout dll and you have the Maclist.txt file with you, you can use the following tool to import the entries in WS08 R2 DHCP Server: http://blogs.technet.com/teamdhcp/archive/2009/02/16/mac-filter-import-tool.aspx Or else, the DHCP MMC in WS08 R2 also supports converting active lease to filters. Hopefully this would make your job easier. Thanks Raunak Pandya DHCP Server Team

  • Anonymous
    January 01, 2003
    We have had questions asked of us on the impact of the link layer filtering (aka MAC address based filtering) on the DHCP server performance. Based on the testing conducted for measuring impact of MAC address based filtering on performance, we have found negligible performance drop with MAC address based filtering configured. With 100,000 MAC addresses configured (50,000 each in allow and deny list), the drop in average response time was to the order of 1-2% across multiple test runs. Prasad

  • Anonymous
    January 01, 2003
    DHCP Server team is excited to announce that the much appreciated and loved feature, MAC Address based

  • Anonymous
    January 01, 2003
    Hello Bruce, If I understand your concern correctly, you need to have link layer filtering or MAC based filtering in previous version of Windows OS. We had been supporting this through our callout dll, please check the following link if it suffices your requirements. http://blogs.technet.com/teamdhcp/archive/2007/10/03/dhcp-server-callout-dll-for-mac-address-based-filtering.aspx Thanks, Subhash Badri

  • Anonymous
    March 17, 2009
    Is there a way of importing a list of MAC addresses into the 2008 R2 DHCP server? I cannot find the MAClist file that there was on the Windows 2003 server version and I have about 800 addresses to be added to the ALLOWED list. Thanks Pete

  • Anonymous
    July 02, 2009
    I have not seen the DHCP Security change feature yet and was wondering if there is a download for the DHCP module so that it can be used on all of the Windows 2000, 2003 and 2008 Non-R2 servers. If you have a small business you may not have the budget to upgrade the entire server platform to 2008R2, so what is Microsoft doing to help these types of customers? It would seem Microsoft should provide this to help follow the President's lead on Cybersecurity http://www.whitehouse.gov/the_press_office/Statement-by-the-President-on-the-White-House-Organization-for-Homeland-Security-and-Counterterrorism/ Can anyone tell me if there is a DHCP update for these other platforms that allows an Administrator a way to control which MAC addresses get on your network? I would hope it has a MAC request window to allow the network administrator to see all of the requesting MAC IDs in a simple window which would have an option to provide a Security ADMIN to allow Once or Allow Permanent Access, Decline Access by the requesting MAC ID selected in the window by an Admin.

  • Anonymous
    October 21, 2012
    You say the deny list takes precedence? I want to deny all MAC addresses except for those I explicitly allow. I thought this would be accomplished by adding * to the deny list and adding the individual addresses to the allow list, but if the deny list takes precedence then it would seem that even the allowed devices would be blocked. Obviously I'm not understanding something here. Help?

  • Anonymous
    October 21, 2012
    Never mind! Found my answer: technet.microsoft.com/.../ff521761.aspx