DHCP filtering, sometimes called link-layer filtering, enables you to configure how the DHCP server responds to requests for address and network information. DHCP filtering enables the DHCP server to send information only to known clients or deny information to specific clients.
This is especially important in a data-center scenario in which you likely want to control the devices allowed on the network.
DHCP filtering works with Media Access Control (MAC) addresses, which are sent by the DHCP client along with a DHCP request. Windows Server 2012 has two types of filters: Allow and Deny. An Allow filter sends network information only to those clients listed in the filter. A Deny filter excludes specific clients from obtaining information from the DHCP server.
In an Allow scenario, each authorized MAC address needs to be specifically entered into the filter; otherwise, it can’t obtain information from the DHCP server. Of course, this isn’t an issue if the client is using an address that’s statically assigned on the client itself.
Windows Server 2012 enables filtering with the full MAC address or by using wildcards. For example, these are all valid filters:
Using wildcards enables you to configure a group of the same devices or devices from the same manufacturer as being allowed or denied. This saves the effort of entering each MAC address individually if a group of devices share the same MAC prefix.
DHCP filtering is configured with the DHCP MMC snap-in. Adding a filtered address is accomplished by right-clicking either Allow or Deny (depending on which type you want to set up) and then entering the MAC address details, as shown in Figure 2-7.
FIGURE 2-7 Creating a DHCP filter.
You also need to enable filters at the overall filter (Allow or Deny) level rather than at the individual MAC address level. To enable the Allow or Deny filter, right-click Allow or Deny in the DHCP MMC snap-in and select Enable. You can also enable filters at the scope level.