DHCP Filtering

Authored by Shannon Fritz

Windows Server 2008 R2 includes the ability to explicitly Allow or Deny DHCP requests from defined MAC addresses. This allows you to prevent unknown devices from obtaining DHCP access to the network by creating a Block List and/or an Allow List. You can read more about it on the DHCP Team Blog site.

Enable filtering

Open the DHCP console and, from the Properties of the IPv4 node, select the Filters tab. Check the box to Enable Deny List. Click OK.

Note: Do not enable the Allow List! Doing so will cause DHCP to operate on a “Whitelist”, which requires you to create an Allow List entry for every MAC address that should be given an IP address. By default, DHCP operates on a “Blacklist”, which allows all MACs to be given an IP address except for the ones explicitly defined on the Deny List.

Manage the Deny List and Add MAC Addresses

Manually add or remove MACs in the Deny filter from the “Filters” node. You can add a MAC address associated with an existing lease by right-clicking the lease and selecting Add to Filter.
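When there are many addresses to block, the same two steps (add Deny entries, enable the Deny List) can be scripted. The PowerShell below is an added example, not part of the original post: it normalizes and de-duplicates MACs from a list and prints the netsh commands for review, running them only when asked. The file name deny-macs.txt, the -Apply switch and the 'bulk-import' comment are assumptions, and the netsh filter syntax is assumed from the Windows Server 2008 R2 DHCP netsh context, so confirm it against netsh's built-in help on your server first.

```powershell
# Added example, not from the original post. File name and -Apply are assumptions.
param(
    [string]$Path = '.\deny-macs.txt',  # hypothetical file: one MAC per line, '#' starts a comment
    [switch]$Apply                       # without -Apply the commands are only printed for review
)

function ConvertTo-FilterMac([string]$Raw) {
    # Accept 00:1C:23:AA:BB:CC, 00-1c-23-aa-bb-cc, 001c.23aa.bbcc or 001C23AABBCC
    $hex = ($Raw -replace '[-:.\s]', '').ToUpper()
    if ($hex -notmatch '^[0-9A-F]{12}$') { return $null }
    # Re-insert hyphens between octets: 00-1C-23-AA-BB-CC
    return (($hex -split '(..)' | Where-Object { $_ -ne '' }) -join '-')
}

$seen = @{}
$commands = @()
$lineNo = 0
foreach ($line in Get-Content -Path $Path) {
    $lineNo++
    $text = ($line -replace '#.*$', '').Trim()
    if ($text -eq '') { continue }
    $mac = ConvertTo-FilterMac $text
    if (-not $mac) {
        Write-Warning "Line ${lineNo}: '$text' is not a MAC address, skipped"
        continue
    }
    if ($seen.ContainsKey($mac)) { continue }   # drop duplicates
    $seen[$mac] = $true
    $commands += ,@('dhcp', 'server', 'v4', 'add', 'filter', 'deny', $mac, 'bulk-import')
}

# Turn on the Deny List only. The Allow List is deliberately left alone:
# enforcing it would refuse every MAC that has no Allow entry.
$commands += ,@('dhcp', 'server', 'v4', 'set', 'filter', 'enforcedenylist=1')

foreach ($c in $commands) {
    if ($Apply) { & netsh $c } else { 'netsh ' + ($c -join ' ') }
}
```

Run it once without -Apply and read the printed commands before letting it change the server.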

Monitoring activity (optional)

Open an MMC console and add the “DHCP Server Extras” snap-in. You can see historical Blocks and Allows of DHCP requests as well as other DHCP events.

Note: The DHCP Server Extras snap-in is not something that comes with Windows. It must be downloaded and installed from the Microsoft DHCP Team Blog. If you want even more details, Mark Minasi wrote a very detailed overview of this feature in issue #82 of his free Newsletter.
Author

Shannon Fritz

Infrastructure Architect & Server Team Lead