How to configure Link Layer based filtering

In environments with growing security concerns and potential network threats, the Link Layer based filtering feature of the Windows Server 2008 R2 DHCP Server gives administrators a way to control which clients get network access: the server issues or denies an IP address to a client depending on whether the client's MAC address is configured in the allow filter or the deny filter, respectively.

Here is the step by step guide for configuring Link Layer based filtering.

(I) Enabling/Disabling Allow and Deny Link Layer filters

1. From the Network Administration group, start DHCP Manager. The DHCP Manager window appears.

2. Under the server node for which you want to configure Link Layer based filtering, go to the IPv4 node.

3. From the right-click menu, choose Properties. This shows the properties page for the IPv4 node.

4. Go to the Filters tab and check/uncheck the checkboxes to enable/disable the MAC based allow or deny filters.

5. Click OK when done.

Filters can also be enabled or disabled from the command line. The following example turns enforcement of the allow list off and enforcement of the deny list on:

netsh dhcp server v4 set filter EnforceAllowList=0 EnforceDenyList=1

(II) Adding a new MAC Address to any of the lists

1. From the Network Administration group, start DHCP Manager. The DHCP Manager window appears.

2. Under the server node for which you want to configure Link Layer based filtering, go to the IPv4 node.

3. Expand the Filters node under the IPv4 node to list the Allow and Deny filter nodes.

4. To add a MAC address to the allow list (or the deny list), right-click the corresponding filter node and choose New Filter. The New Filter dialog box appears.

5. Enter the MAC address and a description for the new filter.

6. Click OK when done.

Filters can also be added from the command line using the following command:

netsh dhcp server v4 add filter allow 00-1C-23-20-AF-4E "filter description"

(III) Configuring Filter Exemptions

By default, all hardware types other than Ethernet are exempt from filtering. Any of these exemptions can be removed at any time. Steps to remove the filter exemption for a hardware type:

1. From the Network Administration group, start DHCP Manager. The DHCP Manager window appears.

2. Under the server node for which you want to configure Link Layer based filtering, go to the IPv4 node.

3. From the right-click menu, choose Properties. This shows the properties page for the IPv4 node.

4. Click the Advanced button at the bottom right corner. The Advanced Filter Properties page is shown.

5. To add/remove the filter exemption for a hardware type, check/uncheck the checkbox associated with that hardware type.

6. Click OK and Apply when done.

From the command line, execute one of the following commands to add or remove the filter exemption for a hardware type:

netsh dhcp server v4 add filterexemption <hardware type>

netsh dhcp server v4 delete filterexemption <hardware type>

(IV) Adding Active Leases to a Filter

Where active leases already exist and the administrator wants to configure Link Layer based filters, adding a new filter by hand for each active lease would be additional overhead. Below is a quick and easy way to do the same from the lease list.

1. From the Network Administration group, start DHCP Manager. The DHCP Manager window appears.

2. Under the scope node for which you want to add the Link Layer based filters, go to the Address Leases node.

3. In the right-hand pane of the MMC, select the leases for which filters have to be created.

4. Right-click and, from the menu, choose Add to Filter. Select the filter type (Allow/Deny) from the sub-menu.

5. Click Yes when prompted for confirmation.
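The following PowerShell script is an added example that is not part of the original post and is not a Microsoft tool. It automates sections (II) and (IV) together: it reads a scope's active leases with netsh and adds each lease's MAC address to the allow or deny filter using the same "netsh dhcp server v4 add filter" command shown above. The function names, the column order assumed for "netsh dhcp server scope <scope> show clients" output, and the sample output at the bottom are assumptions and constructed data, not taken from the post.

```powershell
# Added example (not from the original post): bulk-add the MAC addresses of a
# scope's active leases to the DHCP allow or deny filter using the same netsh
# commands the post describes. Assumptions: it runs in an elevated prompt on the
# DHCP server (or a host with the DHCP netsh helper installed); the columns of
# 'netsh dhcp server scope <scope> show clients' are IP - mask - MAC - expiry - type;
# the sample output at the bottom is constructed, not captured from a server.

function ConvertTo-DhcpFilterMac {
    # Normalizes 00:1c:23:20:af:4e, 001c2320af4e or 00-1c-23-20-af-4e to the
    # dash-separated form used by the post's 'add filter' command.
    param([Parameter(Mandatory = $true)][string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { throw "Not a 48-bit MAC address: '$Mac'" }
    $pairs = 0..5 | ForEach-Object { $hex.Substring(2 * $_, 2) }
    return ($pairs -join '-')
}

function Get-DhcpActiveLeaseMac {
    # Extracts (IP, MAC) pairs from 'show clients' output lines. Header, separator
    # and blank lines do not match the pattern and are skipped.
    param([Parameter(Mandatory = $true)][string[]]$NetshOutput)
    $pattern = '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+-\s+\S+\s+-\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})'
    foreach ($line in $NetshOutput) {
        if ($line -match $pattern) {
            # New-Object PSObject keeps this runnable on the PowerShell 2.0 that
            # ships with Windows Server 2008 R2.
            New-Object PSObject -Property @{
                IPAddress  = $Matches[1]
                MacAddress = ConvertTo-DhcpFilterMac $Matches[2]
            }
        }
    }
}

function Add-DhcpLeasesToFilter {
    # Reads the scope's lease table and issues one 'add filter' per lease.
    # -DryRun prints the commands instead of running them, so the list can be
    # reviewed before enforcement is switched on.
    param(
        [Parameter(Mandatory = $true)][string]$Scope,
        [ValidateSet('allow', 'deny')][string]$ListType = 'allow',
        [string]$Description = 'Added from active lease',
        [switch]$DryRun
    )
    $raw = netsh dhcp server scope $Scope show clients
    foreach ($lease in Get-DhcpActiveLeaseMac -NetshOutput $raw) {
        $comment = "$Description ($($lease.IPAddress))"
        if ($DryRun) {
            Write-Host "netsh dhcp server v4 add filter $ListType $($lease.MacAddress) `"$comment`""
            continue
        }
        $result = netsh dhcp server v4 add filter $ListType $lease.MacAddress $comment
        Write-Host "$($lease.MacAddress): $($result -join ' ')"
    }
}

# Constructed sample (not captured from a real server) so the parser can be
# exercised offline; a real run is: Add-DhcpLeasesToFilter -Scope 10.0.0.0 -DryRun
$sample = @'
IP Address      - Subnet Mask    - Unique ID           - Lease Expires        -Type
==================================================================================
10.0.0.21       - 255.255.255.0  - 00-1c-23-20-af-4e   -3/14/2011 10:00:00 AM -D
10.0.0.22       - 255.255.255.0  - 00-1c-23-20-af-4f   -3/14/2011 10:05:00 AM -D
'@ -split "`r?`n"
Get-DhcpActiveLeaseMac -NetshOutput $sample | Format-Table IPAddress, MacAddress
```

Run it with -DryRun first and review the printed commands. The filter lists are configured under the IPv4 node, so they apply to the whole server rather than to one scope: once EnforceAllowList is set to 1, any client whose MAC address is missing from the allow list is refused an address in every scope.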

DHCP Server Management APIs for Link Layer based Filters

// Adds a MAC address pattern to the allow or deny list
DWORD DhcpAddFilterV4(
    __in_z_opt DHCP_CONST WCHAR *ServerIpAddress,
    __in DHCP_FILTER_ADD_INFO *AddFilterInfo,
    __in BOOL ForceFlag
);

// Removes a MAC address pattern from the filter lists
DWORD DhcpDeleteFilterV4(
    __in_z_opt DHCP_CONST WCHAR *ServerIpAddress,
    __in DHCP_ADDR_PATTERN *DeleteFilterInfo
);

// Sets the global filter settings (enforcement of the allow and deny lists)
DWORD DhcpSetFilterV4(
    __in_z_opt DHCP_CONST WCHAR *ServerIpAddress,
    __in DHCP_FILTER_GLOBAL_INFO *GlobalFilterInfo
);

// Reads the global filter settings
DWORD DhcpGetFilterV4(
    __in_z_opt DHCP_CONST WCHAR *ServerIpAddress,
    __out DHCP_FILTER_GLOBAL_INFO *GlobalFilterInfo
);

// Enumerates the entries of one list (allow or deny), in batches of PreferredMaximum
DWORD DhcpEnumFilterV4(
    __in_z_opt DHCP_CONST WCHAR *ServerIpAddress,
    __inout LPDHCP_ADDR_PATTERN ResumeHandle,
    __in DWORD PreferredMaximum,
    __in DHCP_FILTER_LIST_TYPE ListType,
    __out LPDHCP_FILTER_ENUM_INFO *EnumFilterInfo,
    __out DWORD *ElementsRead,
    __out DWORD *ElementsTotal
);
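The enforcement flags that the "netsh dhcp server v4 set filter" command toggles can also be read and written through DhcpGetFilterV4 and DhcpSetFilterV4 from the list above. The PowerShell below is an added example, not code from the post or from the DHCP team. It assumes that these two functions are exported by dhcpsapi.dll with the prototypes shown, that DHCP_FILTER_GLOBAL_INFO consists of two BOOL fields (EnforceAllowList, EnforceDenyList) in that order, that a null ServerIpAddress selects the local server, and that the caller has DHCP administrator rights; the function names Get-DhcpFilterEnforcement and Set-DhcpFilterEnforcement are the example's own.

```powershell
# Added example (not from the original post): call DhcpGetFilterV4 and
# DhcpSetFilterV4 through P/Invoke to inspect and change whether the allow and
# deny lists are enforced. Assumptions: both entry points live in dhcpsapi.dll;
# DHCP_FILTER_GLOBAL_INFO is {BOOL EnforceAllowList; BOOL EnforceDenyList;};
# passing $null as ServerIpAddress targets the local DHCP server.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

[StructLayout(LayoutKind.Sequential)]
public struct DHCP_FILTER_GLOBAL_INFO
{
    public int EnforceAllowList;   // BOOL (4 bytes)
    public int EnforceDenyList;    // BOOL (4 bytes)
}

public static class DhcpFilterApi
{
    [DllImport("dhcpsapi.dll", CharSet = CharSet.Unicode)]
    public static extern uint DhcpGetFilterV4(string ServerIpAddress,
                                              out DHCP_FILTER_GLOBAL_INFO GlobalFilterInfo);

    [DllImport("dhcpsapi.dll", CharSet = CharSet.Unicode)]
    public static extern uint DhcpSetFilterV4(string ServerIpAddress,
                                              ref DHCP_FILTER_GLOBAL_INFO GlobalFilterInfo);
}
'@

function Get-DhcpFilterEnforcement {
    # Returns the current enforcement flags; a non-zero return code is a Win32 error.
    param($Server = $null)   # untyped so $null marshals as a NULL pointer (local server)
    $info = New-Object DHCP_FILTER_GLOBAL_INFO
    $rc = [DhcpFilterApi]::DhcpGetFilterV4($Server, [ref]$info)
    if ($rc -ne 0) { throw "DhcpGetFilterV4 failed with Win32 error $rc" }
    New-Object PSObject -Property @{
        EnforceAllowList = [bool]$info.EnforceAllowList
        EnforceDenyList  = [bool]$info.EnforceDenyList
    }
}

function Set-DhcpFilterEnforcement {
    # Writes both flags at once, which is what the netsh 'set filter' command does.
    param(
        $Server = $null,
        [Parameter(Mandatory = $true)][bool]$EnforceAllowList,
        [Parameter(Mandatory = $true)][bool]$EnforceDenyList
    )
    $info = New-Object DHCP_FILTER_GLOBAL_INFO
    $info.EnforceAllowList = [int]$EnforceAllowList
    $info.EnforceDenyList  = [int]$EnforceDenyList
    $rc = [DhcpFilterApi]::DhcpSetFilterV4($Server, [ref]$info)
    if ($rc -ne 0) { throw "DhcpSetFilterV4 failed with Win32 error $rc" }
}

# Usage: record the current state, apply the same setting as the post's netsh
# example (allow list off, deny list on), then read it back to confirm.
$before = Get-DhcpFilterEnforcement
Set-DhcpFilterEnforcement -EnforceAllowList $false -EnforceDenyList $true
$after = Get-DhcpFilterEnforcement
"Before: allow=$($before.EnforceAllowList) deny=$($before.EnforceDenyList)"
"After:  allow=$($after.EnforceAllowList) deny=$($after.EnforceDenyList)"
```

Reading the flags back after every change is worth keeping in any automation: a script that sets EnforceAllowList=1 before the allow list is populated will stop every client on the server from obtaining an address, so a read-back and a check against the expected state is the cheap safeguard.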

You can download this tool, which can help you manage Link Layer Filtering by giving you a list of users who are denied an IP address and allowing you to directly manage their filter profiles from the same UI.

Thanks,

TeamDHCP