Книга: Windows Server 2012 R2 Storage, Security, & Networking Pocket Consultant

Enabling and configuring MAC address filtering

Enabling and configuring MAC address filtering

MAC address filtering (aka link-layer filtering) is a feature for IPv4 addresses that enables you to include or exclude computers and devices based on their MAC address. When you configure MAC address filtering, you can specify the hardware types that are exempted from filtering. By default, all hardware types defined in RFC 1700 are exempted from filtering. To modify hardware type exemptions, follow these steps:

1. In the DHCP console, press and hold or right-click the IPv4 node, and then tap or click Properties.

2. On the Filters tab, tap or click Advanced. In the Advanced Filter Properties dialog box, select the check box for hardware types to exempt from filtering. Clear the check box for hardware types to filter.

3. Tap or click OK to save your changes.

Before you can configure MAC address filtering, you must do one of the following:

? Enable and define an explicit allow list. The DHCP server provides DHCP services only to clients whose MAC addresses are in the allow list. Any client that previously received IP addresses is denied address renewal if its MAC address isn’t on the allow list.

? Enable and define an explicit deny list. The DHCP server denies DHCP services only to clients whose MAC addresses are in the deny list. Any client that previously received IP addresses is denied address renewal if its MAC address is on the deny list.

? Enable and define an allow list and a block list. The block list has precedence over the allow list. This means that the DHCP server provides DHCP services only to clients whose MAC addresses are in the allow list, if no corresponding matches are in the deny list. If a MAC address has been denied, the address is always blocked even if the address is on the allow list.

To enable an allow list, deny list, or both, follow these steps:

1. In the DHCP console, press and hold or right-click the IPv4 node, and then tap or click Properties.

2. On the Filters tab, you’ll find the current filter configuration details. To use an allow list, select Enable Allow List. To use a deny list, select Enable Deny List.

3. Tap or click OK to save your changes.

NOTE As an alternative, you can press and hold or right-click the Allow or Deny node, under the Filters node, and then select enable to enable allow or deny lists. If you press and hold or right-click the Allow or Deny node and then select Disable, you disable allow or deny lists.

After you enable filtering, you define your filters by using the MAC address for the client computer or device’s network adapter. On a client computer, you can obtain the MAC address by entering the command ipconfig /all at the command prompt. The Physical Address entry shows the client’s MAC address. You must enter this value exactly for the address filter to work.

A MAC address is defined by eight pairings of two-digit hexadecimal numbers separated by a hyphen, as shown here:

FE-01-56-23-18-94-EB-F2

When you define a filter, you can specify the MAC address with or without the hyphens. This means that you could enter FE-01-56-23-18-94-EB-F2 or FE0156231894EBF2.

You also can use an asterisk (*) as a wildcard for pattern matching. To allow any value to match a specific part of the MAC address, you can insert * where the values usually would be, as shown here:

FE-01-56-23-18-94-*-F2

FE-*-56-23-18-94-*-*

FE-01-56-23-18-*-*-*

FE01*

To configure a MAC address filter, follow these steps:

1. In the DHCP console, double-tap or double-click the IPv4 node, and then double-tap or double-click the Filters node.

2. Press and hold or right-click Allow or Deny as appropriate for the type of filter you are creating, and then tap or click New Filter.

3. Enter the MAC address to filter, and then if you want to you can enter a comment in the Description text box. Tap or click Add. Repeat this step to add other filters.

4. Tap or click Close when you have finished.

Оглавление книги