Tip: Enable and Configure MAC Address Filtering

MAC address filtering (aka link-layer filtering) is a feature for IPv4 addresses that allows you to include or exclude computers and devices based on their MAC address.

When you configure MAC address filtering, you can specify the hardware types that are exempted from filtering. By default, all hardware types defined in RFC 1700 are exempted from filtering. To modify hardware type exemptions, follow these steps:
1. In the DHCP console, right-click the IPv4 node, and then click Properties.
2. On the Filters tab, click Advanced. In the Advanced Filter Properties dialog box, select the check box for hardware types to exempt from filtering. Clear the check box for hardware types to filter.
3. Click OK to save your changes.

Before you can configure MAC address filtering, you must do one of the following:

  • Enable and define an explicit allow list. The DHCP server provides DHCP services only to clients whose MAC addresses are in the allow list. Any client that previously received IP addresses is denied address renewal if its MAC address isn’t on the allow list.
  • Enable and define an explicit deny list. The DHCP server denies DHCP services only to clients whose MAC addresses are in the deny list. Any client that previously received IP addresses is denied address renewal if its MAC address is on the deny list.
  • Enable and define an allow list and a deny list. The deny list has precedence over the allow list. This means that the DHCP server provides DHCP services only to clients whose MAC addresses are in the allow list, provided that no corresponding matches are in the deny list. If a MAC address has been denied, the address is always blocked even if the address is on the allow list.

To enable an allow list, deny list, or both, follow these steps:
1. In the DHCP console, right-click the IPv4 node, and then click Properties.
2. On the Filters tab, you’ll see the current filter configuration details. To use an allow list, select Enable Allow List. To use a deny list, select Enable Deny List.
3. Click OK to save your changes.
Note: As an alternative, you can simply right-click the Allow or Deny node, and then select Enable to enable allow or deny lists. If you right-click the Allow or Deny node and then select Disable, you disable allow or deny lists.

Once you’ve enabled filtering, you define your filters using the MAC address for the client computer or device’s network adapter. On a client computer, you can obtain the MAC address by typing the command ipconfig /all at the command prompt. The Physical Address entry shows the client’s MAC address. You must type this value exactly for the address filter to work.

When you define a filter, you can specify the MAC address with or without the hyphens. This means that you could enter FE-01-56-23-18-94-EB-F2 or FE0156231894EBF2. You also can use an asterisk (*) as a wildcard for pattern matching. To allow any value to match a specific part of the MAC address, you can insert * where the values normally would be, such as:
FE-01-56-23-18-94-*-F2
FE-*-56-23-18-94-*-*
FE-01-56-23-18-*-*-*
FE01*
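
Because enabling an allow list cuts off renewal for every client not on it, it helps to check planned filters against existing leases first. The following Python is an added example, not code from the book or from Microsoft: it models the allow/deny precedence and the hyphen and wildcard forms described above. The function names, the sample addresses and the exact wildcard semantics (one octet per * in hyphenated form, any run of hex digits otherwise) are assumptions.

```python
import re

HEX = "[0-9A-F]"

def normalize(mac):
    """Upper-case and drop hyphens: FE-01-.. and FE01.. are the same address."""
    return mac.strip().upper().replace("-", "")

def pattern_to_regex(pattern):
    """Compile one filter entry. Assumed wildcard semantics (the text does not
    spell them out): in hyphenated form each * stands for one octet; in the
    unhyphenated form * stands for any run of hex digits."""
    p = pattern.strip().upper()
    if "-" in p:
        body = "".join(HEX + "{2}" if g == "*" else re.escape(g) for g in p.split("-"))
    else:
        body = "".join(HEX + "*" if c == "*" else re.escape(c) for c in p)
    return re.compile(body)

def matches(mac, patterns):
    m = normalize(mac)
    return any(pattern_to_regex(p).fullmatch(m) for p in patterns)

def decide(mac, allow, deny, allow_enabled, deny_enabled):
    """Return 'served' or 'denied' following the precedence rules in the text."""
    if deny_enabled and matches(mac, deny):
        return "denied"   # deny list wins even if the allow list also matches
    if allow_enabled and not matches(mac, allow):
        return "denied"   # allow list on: unlisted clients get no service
    return "served"

def clients_losing_service(leases, allow, deny, allow_enabled=True, deny_enabled=True):
    """MACs holding a lease that would be refused renewal under these filters."""
    return [m for m in leases if decide(m, allow, deny, allow_enabled, deny_enabled) == "denied"]

# Constructed sample data (not taken from a real server).
LEASES = [
    "FE-01-56-23-18-94-EB-F2",   # matches the allow pattern
    "fe0156231894aaf2",          # same filter, typed without hyphens
    "FE-02-56-23-18-94-EB-F2",   # on both lists: deny takes precedence
    "00-1A-2B-3C-4D-5E-6F-70",   # on neither list
]
ALLOW = ["FE-01-56-23-18-94-*-F2", "FE02*"]
DENY = ["FE-02-56-23-18-94-EB-F2"]

if __name__ == "__main__":
    for mac in LEASES:
        print(mac, decide(mac, ALLOW, DENY, True, True))
    print("would lose service:", clients_losing_service(LEASES, ALLOW, DENY))
```
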

To configure a MAC address filter, follow these steps:
1. In the DHCP console, double-click the IPv4 node, and then double-click the Filters node.
2. Right-click Allow or Deny as appropriate for the type of filter you are creating, and then click New Filter.
3. Enter the MAC address to filter, and then enter a comment in the Description field if you want to. Click Add. Repeat this step to add other filters.
4. Click Close when you have finished.

From the Microsoft Press book Windows Server 2008 Administrator’s Pocket Consultant, Second Edition by William R. Stanek.
