Introduction
Did you know that BloxOne DDI features robust lease filtering for DHCP? Lease filtering lets networking teams automate which option sets are given to clients that meet specific criteria, and it can automatically allow or deny clients. Configured properly, it is a powerful tool that can improve security, give clients a better experience, and save valuable administrative time. In this blog we’ll take a closer look at BloxOne DDI lease filtering, how to use it, and some potential use cases.
Lease Filters
Types of Lease Filters
BloxOne DDI lease filters come in a couple of flavors:
Hardware Filters: Hardware filters are based on the client’s hardware type and MAC address. If a client matches the hardware type or MAC address defined by the filter, the client is either denied access or given the set of options and lease time defined by the filter.
There are two types of Hardware Filters in the BloxOne Lease Filter interface:
- IPv4 Hardware Filter: This option allows for one or many MAC addresses to be input line by line.
- IPv4 MAC Address Large Selection Filter: This option allows for the upload of a CSV (Comma Separated Value) file to add a large quantity of MAC addresses. The maximum number of MAC addresses supported is 500k. For more information on the required formatting of the CSV file, please view the Infoblox documentation portal.
Option Filters: Option filters match on option parameters, known as Rules. If a client matches the criteria defined by the rules, the client is either denied access or given the set of options and lease time defined by the filter.
There are two types of Option Filters in the BloxOne Lease Filter interface:
- IPv4: This option filter is specifically for IPv4 clients.
- IPv6: This option filter is specifically for IPv6 clients.
Create a Lease Filter
- Log in to the Infoblox CSP, also known as the Cloud Services Portal.
- Highlight Manage and click IPAM/DHCP.
- On the IPAM/DHCP page, click the Filters tab located near the middle of the page.
- On the top left of the Filters page, click Create and select IPv4 Hardware Filter, IPv4 MAC Address Large Selection Filter, or Create Option Filter for IPv4 or IPv6.
- In the example, I’ve selected IPv4 Hardware Filter. Note that the Option filter panel looks different from the example screenshot.
- A Name is required. Description and Tags are optional.
- Select one of the following Roles:
  - Option Values (Assign various options). This setting applies options and a lease time to clients that match the criteria set by the filter.
  - Selection (Control client access to DHCP pools). This setting defines which clients are granted access to the IP address range this filter is applied to. If this bubble is selected, the filter’s Leases and DHCP Options will no longer be visible, as they are not needed.
- MAC Addresses. Input the hardware addresses of clients this filter will apply to. For option filters this section will be replaced with Rules.
- Leases. Set the Lease Time that will be provided to clients that match the filter’s criteria.
- DHCP Options. Define the Options that will be applied to clients that match the filter’s criteria.
- Header Options. These optional fields are used by clients and servers to exchange vendor-specific information for clients that require BOOTP and/or PXE. For more information on these fields, please see RFC 2132.
  - Server Name. Input the FQDN of the server where the boot file is stored. Complete this field if the hosts in your network send requests for the boot server’s name.
  - File Name. Input the name of the boot file that the client downloads.
  - Server Address. Input the IP of the server where the boot file is stored. Complete this field if the hosts in your network send requests for the boot server’s IP.
- Vendor Encapsulated Option Space. The Vendor Encapsulated Option Space allows for the usage of options specific to a vendor. Select the Option Space if required.
- Click Save & Close to confirm the creation of the filter.
Use a Lease Filter
Lease filters can be applied to DHCP Global settings, DHCP Configuration Profiles, IP Spaces, Address Blocks, Subnets, and Ranges.
- Open the panel of one of the supported containers listed above, scroll down, and expand the Filters section.
- If an Override switch exists in the container that you’re trying to apply a filter to, click the toggle switch. Note that all child containers will have the same filter applied unless the Override switch is used in an associated child container.
- Click Add, and add a filter via the dropdown. Repeat this step if additional filters are needed.
- Click Save & Close to confirm the application of the filter.
Changing an Existing Lease Filter
- To change a lease filter, locate the lease filter that you want to change, click the checkbox associated with that filter, then click Edit.
- Make any changes needed to the filter, then click Save & Close to confirm any changes made.
Use Cases
Below are a couple of example use cases where lease filters can be leveraged to great effect.
- Strict Access Control: In some situations, organizations may want to strictly control which devices can acquire a DHCP lease in their networks. A hardware lease filter is perfect for this situation. With a bulk upload of MAC addresses, network administrators can ensure that only known devices can acquire a lease from a DHCP server. By doing this, network teams can secure one or many of their networks with strict DHCP-based access control.
- Applying Options to a specific type of device: Some types of devices might require a specific set of options when acquiring a lease from a DHCP server. A DHCP Option Filter could be leveraged here. A good example of this could be an IP phone, or maybe an IoT connected manufacturing device. Some of these devices require specific options in order to operate. Options could be as simple as a different DNS or Router based on what type of device they are, or something much more niche such as pointing a device to an iSNS server.
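An added example (not from the original post or from Infoblox): a pre-upload check for the MAC list behind the strict access control use case and the IPv4 MAC Address Large Selection Filter. It normalizes common MAC notations, sets aside duplicates, malformed entries, multicast and locally administered addresses for review, and enforces the 500k limit; the function names and sample addresses are assumptions, and the CSV layout itself must follow the Infoblox documentation.

```python
import re

MAX_MACS = 500_000  # upload limit stated in the article
# Accepted notations: aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, aabbccddeeff
_MAC = re.compile(r"(?:[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"
                  r"|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|[0-9a-f]{12})")
# Constructed sample inventory export (not real devices)
SAMPLE = ["# constructed sample", "00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5e",
          "001a.2b3c.4d5f", "02:00:00:aa:bb:cc", "01:00:5e:00:00:fb",
          "00:1A:2B:3C:4D"]

def normalize_mac(raw):
    """Return the MAC as aa:bb:cc:dd:ee:ff, or None if it is not a 48-bit MAC."""
    text = raw.strip().lower()
    if not _MAC.fullmatch(text):
        return None
    digits = re.sub(r"[:.-]", "", text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(mac):
    """Flag normalized addresses that make poor allow-list entries."""
    first = int(mac[:2], 16)
    if first & 0x01:
        return "multicast"  # group bit set: never a valid client source address
    if first & 0x02:
        return "locally-administered"  # often a randomized or virtual MAC
    return "ok"

def prepare_allow_list(lines, limit=MAX_MACS):
    """Split raw lines into (accepted MACs, [(line number, value, reason)])."""
    accepted, review, seen = [], [], set()
    for lineno, raw in enumerate(lines, 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        mac = normalize_mac(raw)
        reason = ("malformed" if mac is None else
                  "duplicate" if mac in seen else classify(mac))
        if reason == "ok":
            seen.add(mac)
            accepted.append(mac)
        else:
            review.append((lineno, mac or raw.strip(), reason))
    if len(accepted) > limit:
        raise ValueError(f"{len(accepted)} addresses exceeds the {limit} limit")
    return accepted, review
```

A MAC address is supplied by the client, so an allow-list built this way narrows which devices the DHCP server answers; it does not authenticate them.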
Summary
In summary, DHCP lease filters are an effective way to manage which devices can acquire leases, or define which options devices receive based on either rules or hardware addresses. Networking teams can better secure their networks, and automate the provisioning of options for specific types of devices. Effective use of DHCP lease filters can provide a better client experience, and save valuable administrative time. For additional information regarding Lease Filters please visit the Infoblox Docs for Lease Filters located at https://docs.infoblox.com/space/BloxOneDDI/186843822/Configuring+Filters