DHCP MAC address Filter management made easy with DHCP PowerShell

Security and network administrators are increasingly wary of internal security threats, in addition to threats from the outside. These arise from the introduction of uncertified hardware and software on the network, such as personal portable computers and mobile devices that may be compromised and not compliant with the security practices of the organization. Link layer-based filtering for Dynamic Host Configuration Protocol (DHCP), introduced in Windows Server 2008 R2, enables administrators to control network access based on media access control (MAC) address, providing a low-level security method. The link layer filtering controls allow the administrator to specify which MAC addresses are allowed on the network and which are denied access. You can use wildcards to allow or deny network access based on vendor MAC prefixes.

DHCP PowerShell introduced in Windows Server 2012 makes it very easy and seamless for admins to manage Link Layer filtering for IPv4 clients.

The following cmdlets are provided to manage Link Layer Filtering in DHCP Server:

Get-DhcpServerv4FilterList: Gets the enabled/disabled state of allow and deny filter list set.

Set-DhcpServerv4FilterList: Enables/Disables the allow and the deny MAC address filter lists.

Get-DhcpServerv4Filter: Gets the list of all MAC addresses from the allow and/or the deny list.

Add-DhcpServerv4Filter: Adds one or more MAC address filters to the allow or deny list.

Remove-DhcpServerv4Filter: Removes the specified MAC address or MAC address pattern from the allow list or the deny list of the DHCP server.

If you want to add a large list of MAC addresses to the allow or deny filter list, an input text file in CSV format can be used to provide the MAC address filter list to be configured on the DHCP server. This data can be easily pipelined to the Add-DhcpServerv4Filter cmdlet to add the complete list to the DHCP Server. The input text file (filter.csv in the example used later) containing the MAC address filters should be in the following format:

List,MacAddress,Description
Allow,1a-1b-1c-1d-1e-1f,Filter for Computer1
Allow,2a-2b-2c-2d-2e-2f,Filter for Computer2
Deny,3a-3b-3c-3d-3e-3f,Filter for Computer3
Allow,4a-4b-4c-4d-4e-4f,Filter for Computer4

The following command adds all these filters to the local DHCP Server.

Import-Csv Filter.csv | Add-DhcpServerv4Filter -Force

The Import-Csv cmdlet converts each data record in filter.csv to an object containing List, MacAddress and Description as members of the object. Each object created by Import-Csv is sent through the pipeline to Add-DhcpServerv4Filter which adds the MAC address records to the filter list on the DHCP server.

The ‘-Force’ parameter ensures that if a filter for the same MAC address already exists, it is overridden. If the ‘-Force’ parameter is not given and the MAC address being added already exists in the list on the DHCP server, the cmdlet will return an error.

If filters need to be added to a DHCP Server running on a remote machine, the ‘-ComputerName’ parameter can be used to specify the remote DHCP Server. Without the ComputerName parameter, as in the example above, the filters will be added to the DHCP server running on the local computer.
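
A pre-flight check for the bulk import described above, added here as an example and not part of the original post. It assumes the List,MacAddress,Description header and the hyphen-separated MAC form of the sample rows; the function name Test-DhcpFilterCsv, the server name and the accepted wildcard form are assumptions.

```powershell
# Added example: validate filter.csv before piping it to Add-DhcpServerv4Filter.
# Assumes hyphen-separated MACs as in the sample rows; '*' is accepted in place
# of an octet after the first one (assumed wildcard form). Anything else is
# flagged for manual review rather than sent to the server.
function Test-DhcpFilterCsv {
    param([Parameter(Mandatory)][string]$Path)

    $macPattern = '^[0-9A-F]{2}(-([0-9A-F]{2}|\*)){5}$'
    $rows     = @(Import-Csv -Path $Path)
    $problems = @()
    $seen     = @{}
    $line     = 1                       # line 1 is the header row
    foreach ($row in $rows) {
        $line++
        $mac = "$($row.MacAddress)".ToUpper()
        if ($row.List -notin 'Allow', 'Deny') {
            $problems += "line ${line}: List must be Allow or Deny, got '$($row.List)'"
        }
        if ($mac -notmatch $macPattern) {
            $problems += "line ${line}: unexpected MAC format '$($row.MacAddress)'"
        }
        # With -Force a repeated MAC silently overrides the earlier row.
        if ($seen.ContainsKey($mac)) {
            $problems += "line ${line}: $mac already listed on line $($seen[$mac])"
        } else {
            $seen[$mac] = $line
        }
    }
    [pscustomobject]@{ Rows = $rows; Problems = $problems }
}

$server = 'dhcp01.example.test'         # hypothetical server name
$check  = Test-DhcpFilterCsv -Path .\filter.csv

if ($check.Problems) {
    $check.Problems | Write-Warning     # fix the file; nothing is sent to the server
} else {
    # Preview the change first, then apply it.
    $check.Rows | Add-DhcpServerv4Filter -ComputerName $server -WhatIf
    $check.Rows | Add-DhcpServerv4Filter -ComputerName $server -Force
    # Entries are enforced only while the matching list is enabled; check the state.
    Get-DhcpServerv4FilterList -ComputerName $server
    Get-DhcpServerv4Filter -ComputerName $server -List Allow
}
```

Review the Allow entries returned at the end before enabling the allow list with Set-DhcpServerv4FilterList: once it is enabled, clients whose MAC address is not on it are no longer served.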

Hope this blog added another tool in your PowerShell armory!

Comments (12)

  1. stefano says:

    The MAC filter is a great thing but I don't understand why in the failover they are not replicated

  2. teamdhcp says:

    Stefano, you can use the IPAM console in 2012R2 to configure the MAC filters on the DHCP server. IPAM will perform the configuration on both the DHCP servers. Alternatively, you can use the PowerShell script provided in the following blog –


  3. Ben says:

    What is the difference between the Allow & Deny filters and an allow/deny policy? In my testing, if I have a policy that allows only certain MAC addresses, adding MAC addresses to the allow or deny filter doesn't do anything. Why have both? Please point me to documentation that details the use of filters vs. the use of policies. Thanks!

  4. teamdhcp says:

    Ben, allow and deny filters are server level/global settings and apply to all scopes on the DHCP server. With MAC address based policy, you can apply different filters to different scopes on the DHCP server.

  5. Erwan says:

    What about DHCPv6? What are the options for MAC address filtering on DHCPv6?

  6. teamdhcp says:

    Erwan, MAC address filtering is not supported by Windows DHCPv6 server

  7. Linc says:

    What about importing the MACs into a policy? Instead of copy/paste/add?

  8. teamdhcp says:

    Hello Linc, please take a look at the script at which takes an input file of MAC addresses and creates a MAC address based policy.

  9. ike says:

    The export list function in filters doesn't create a list in the importable format?

  10. teamdhcp says:

    ike, the output of Get-DhcpServerv4Filter can be used to pipe to Set-DhcpServerv4Filter. Which export function are you referring to? Please elaborate on the issue you are facing.

  11. Srijit says:

    In my DHCP I have three scopes; one is for my Wi-Fi. I want to remove that one from MAC filtering. How do I do that?

    Basically my question is how to exclude one scope from MAC filtering.

  12. teamdhcp says:

    Hi Srijit, if you need to filter clients based on MAC address only in 2 of the scopes, you will need to use scope level MAC filtering using DHCP policies. Please see the blog at