After installing the DHCP role in Windows Server 2016 and setting up the first IPv4 Scopes to serve IP addresses to clients, it’s time to see how DHCP Filters work.
DHCP Filters are primarily used to further protect an infrastructure by allowing or denying specific clients based on their MAC addresses. Setting up DHCP Filters is quite simple, and they work at the server level, not at the Scope level.
In a nutshell, DHCP Filtering lets you filter clients by their MAC addresses in order to either allow them to receive addresses from the DHCP Server or prevent (Deny) that from happening.
Before proceeding with the implementation of DHCP Filters, you will need to know how these filters are applied.
- When the Allow list is enabled, the DHCP Server only serves IP addresses to the clients in this list and rejects all the others. Clients that already had an IP address before filtering was enabled will not have it renewed when their Lease expires.
- When the Deny list is enabled, the DHCP Server refuses all the clients in this list. Clients that already had an IP address and are now in the Deny list will not have their Lease renewed once it expires.
- When both lists are enabled, the Deny list takes precedence. This means that a client on the Deny list is refused in any case, even if it is also on the Allow list.
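The three rules above can be tried out on sample addresses with the following small PowerShell model. This is an added example, not code from the original article or from Microsoft: the functions (ConvertTo-MacRegex, Test-MacInList, Get-DhcpFilterDecision) and the sample lists are constructed for illustration and do not talk to a DHCP server. It also covers the dashed, undashed and wildcard (*) entry forms described later in the article, including the short trailing-wildcard form AA-BB-*.

```powershell
# Added example (not from the original article): a small PowerShell model of the
# decision the article describes, so the Allow/Deny precedence and the '*' wildcard
# forms can be tried on sample addresses. The functions and the sample lists below
# are constructed for illustration; they do not call the DHCP server.

function ConvertTo-MacRegex {
    # Turn a filter entry (AA-BB-CC-DD-EE-FF, AABBCCDDEEFF, AA-BB-*-DD-EE-FF,
    # AA-BB-CC-*-*-*, AA-BB-*) into an anchored regex over a 12-hex-digit MAC.
    param([string]$Pattern)
    $p = $Pattern.ToUpperInvariant()
    if ($p -notmatch '-') {
        return '^' + [regex]::Escape($p) + '$'      # undashed literal entry
    }
    $tokens = $p -split '-'
    $parts = for ($i = 0; $i -lt $tokens.Count; $i++) {
        if ($tokens[$i] -ne '*') {
            [regex]::Escape($tokens[$i])
        } elseif ($i -eq $tokens.Count - 1 -and $tokens.Count -lt 6) {
            '[0-9A-F]*'     # trailing '*' in a short entry (AA-BB-*) covers the rest
        } else {
            '[0-9A-F]{2}'   # '*' elsewhere stands for exactly one octet
        }
    }
    return '^' + ($parts -join '') + '$'
}

function Test-MacInList {
    # True when any entry of the list covers the (normalized) MAC.
    param([string]$Mac, [string[]]$List)
    foreach ($entry in $List) {
        if ([regex]::IsMatch($Mac, (ConvertTo-MacRegex $entry))) { return $true }
    }
    return $false
}

function Get-DhcpFilterDecision {
    param(
        [string]$ClientMac,
        [string[]]$AllowList = @(),
        [string[]]$DenyList  = @(),
        [bool]$AllowEnabled,
        [bool]$DenyEnabled
    )
    # Normalize whatever notation the client MAC arrives in to 12 upper-case hex digits.
    $mac = ($ClientMac -replace '[-:]', '').ToUpperInvariant()
    # Deny wins: an enabled Deny entry refuses the client even if Allow also matches.
    if ($DenyEnabled -and (Test-MacInList $mac $DenyList)) { return 'Deny' }
    # Allow enabled: only listed clients are served. An enabled but empty Allow
    # list therefore serves nobody, which is why empty lists should stay disabled.
    if ($AllowEnabled) {
        if (Test-MacInList $mac $AllowList) { return 'Allow' }
        return 'Deny'
    }
    return 'Allow'   # no list enabled: the server serves everyone
}

# Constructed sample lists
$allow = @('00-15-5D-*-*-*', 'AA-BB-CC-DD-EE-FF')
$deny  = @('00-15-5D-10-20-99', '02-00-*')

$cases = @(
    '00-15-5D-10-20-30',   # inside the wildcard Allow range
    '00155D102099',        # on both lists (undashed notation)
    'aa:bb:cc:dd:ee:ff',   # exact Allow entry, colon notation
    '02-00-11-22-33-44',   # covered by the short trailing-* Deny entry
    '00-50-56-00-00-01'    # on neither list while Allow is enabled
)
foreach ($c in $cases) {
    '{0,-20} {1}' -f $c, (Get-DhcpFilterDecision -ClientMac $c -AllowList $allow -DenyList $deny -AllowEnabled $true -DenyEnabled $true)
}

# An enabled Allow list with no entries at all
Get-DhcpFilterDecision -ClientMac '00-15-5D-10-20-30' -AllowList @() -DenyList @() -AllowEnabled $true -DenyEnabled $true
```

Like the real server, the model keys only on the MAC address the client presents, and a host can present any MAC it likes, so filters are a hygiene control for a managed network rather than authentication of the client.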
Now, let’s see how to configure DHCP filters.
Configure Filters in DHCP Server 2016
In the DHCP console, expand the server and IPv4 objects and go to the Filters object. Here you will see two sub-folders (lists), Allow and Deny. By default, both lists are disabled, which you can see from the red down arrow shown in the figure below.
To add a DHCP client to the Allow list, right-click the Allow list and then click New Filter. Next, type the client's MAC address and, optionally, a description, then click the Add button to complete the process.
The MAC address can be typed with dashes (e.g. AA-BB-CC-DD-EE-FF) or without (e.g. AABBCCDDEEFF). You can also use the asterisk (*) as a wildcard to declare a range of MAC addresses, for example AA-BB-*-DD-EE-FF, AA-BB-CC-*-*-* or AA-BB-*.
Follow the same procedure to add clients to the Deny list.
What is important to know is that the Deny list takes precedence over any other setting. So, if a client does not receive an IP address from the DHCP Server while Filters are enabled, your first action should be to check whether it is in the Deny list and then whether it is in the Allow list.
Additionally, you can move one or more clients from one list to the other by right-clicking them and then choosing the corresponding option.
You can do the same for clients already listed under Address Leases, in which case you do not have to type the MAC address.
Finally, do not forget to enable or disable the Allow and Deny lists by right-clicking each list and then choosing the corresponding option.
If the DHCP clients are VMs on a Hyper-V server, you may prefer to set a static MAC address instead of the dynamic MAC addresses that are assigned by default.
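The same procedure can be scripted with the DhcpServer PowerShell module that ships with the DHCP role. The script below is an added example, not part of the original article: the scope ID, MAC addresses, descriptions and the Hyper-V VM name are constructed placeholders, and Find-DhcpFilterEntry is a hypothetical helper written here for the "check Deny first, then Allow" troubleshooting step. Run it on the DHCP server itself (or add -ComputerName to the DhcpServer cmdlets).

```powershell
# Added example (not from the original article): DHCP Filters with the DhcpServer
# module on Windows Server 2016. Scope, MACs, descriptions and the VM name are
# constructed placeholders; replace them with your own values.

Import-Module DhcpServer

$scope = '192.168.10.0'   # assumed scope ID

# 1. Populate the Allow list: single addresses (dashed or undashed) and wildcard ranges.
Add-DhcpServerv4Filter -List Allow -MacAddress '00-15-5D-10-20-30' -Description 'File server'
Add-DhcpServerv4Filter -List Allow -MacAddress '00155D102031'      -Description 'Print server'
Add-DhcpServerv4Filter -List Allow -MacAddress '00-15-5D-*-*-*'    -Description 'Hyper-V default MAC range'

# 2. Populate the Deny list; a Deny entry wins even when the Allow range above covers the client.
Add-DhcpServerv4Filter -List Deny -MacAddress '00-15-5D-10-20-99' -Description 'Retired lab VM'

# 3. Add filters from existing leases without retyping the MAC (ClientId holds the hardware address).
Get-DhcpServerv4Lease -ScopeId $scope |
    Where-Object { $_.HostName -like 'WS-*' } |
    ForEach-Object {
        Add-DhcpServerv4Filter -List Allow -MacAddress $_.ClientId -Description "Lease: $($_.HostName)"
    }

# 4. Move a client from Allow to Deny: the module has no move cmdlet, so remove and re-add.
Remove-DhcpServerv4Filter -MacAddress '00-15-5D-10-20-31'
Add-DhcpServerv4Filter    -List Deny -MacAddress '00-15-5D-10-20-31' -Description 'Moved to Deny'

# 5. Nothing takes effect until the lists are enabled (the red arrow in the console).
Set-DhcpServerv4FilterList -Allow $true -Deny $true
Get-DhcpServerv4FilterList   # shows the Allow/Deny enabled state

# 6. Troubleshooting a client that stops getting a lease: look in Deny first, then Allow.
#    Hypothetical helper; exact entries are compared without dashes, wildcard entries
#    are listed as well so you can see whether a range covers the client.
function Find-DhcpFilterEntry {
    param([string]$MacAddress)
    $mac = ($MacAddress -replace '[-:]', '').ToUpperInvariant()
    foreach ($list in 'Deny', 'Allow') {
        Get-DhcpServerv4Filter -List $list | ForEach-Object {
            $entry = ($_.MacAddress -replace '-', '').ToUpperInvariant()
            if ($entry -eq $mac -or $entry -match '\*') {
                [pscustomobject]@{ List = $list; Entry = $_.MacAddress; Description = $_.Description }
            }
        }
    }
}
Find-DhcpFilterEntry -MacAddress '00-15-5D-10-20-99'

# 7. For Hyper-V guests, pin the MAC so the filter entry stays valid (the VM must be off).
Set-VMNetworkAdapter -VMName 'WS-01' -StaticMacAddress '00155D102030'
```

Step 5 is the one most often forgotten: entries can be added and reviewed freely, but the server ignores both lists until Set-DhcpServerv4FilterList (or the console's Enable option) turns them on.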
What if the Deny and Allow filters are enabled but the lists are empty? How will the server treat that?
If the Allow and Deny filters are empty they should be disabled. Otherwise, the Allow list contains 0 whitelisted MACs, so the DHCP client is implicitly denied an IP Lease.
The part about wildcarding to declare a range of MAC addresses was a very nice touch.
I thank you.