macf command (addresses mapping)

Description

The command performs filtering by use static mapping of IP addresses to MAC addresses in an Ethernet network. It may be useful for service providers when they connect to their network a group of clients (such as individual users in an apartment block) via one common access unit. In this case, clients may be tempted to change their IP address to that of a neighbor, thus deceiving provider's accounting system. Using of "macf" command does not guarantee total protection, however, for the common user it is much more difficult to change the MAC address, than the IP address.

Syntax:

macf IFNAME {MAC|"any"} {IP|"any"} "Comment"
macf IFNAME del N
macf IFNAME {[-]dhcp [-]strict | [-]reverse | [-]simple | [-]quiet}
macf show | clear

Parameters

Parameter

Description

IFNAME

An interface identifier to the mapping table of which the filter is added.

{MAC|"any"} {IP|"any"} "Comment"

Adds the filter to the mapping table.

"MAC" – device MAC address.
"IP" – IP address assigned to the device.
"any" – any MAC or IP address.
"Comment" – symbolic comment for ease identification.

NOTE

Two filters with the same MAC addresses can not be added to the table.

del N

Removes the filter with "N" number from the mapping table. Filter number can be checked using the "show" parameter.

{[-]dhcp [-]strict | [-]reverse | [-]simple | [-]quiet}

Allows to select packets filtering mode. "[-]" – cancels the parameter's action. The MAC filter algorithm consists of two steps:

The filter searches for the MAC address in the table.
If the MAC address is found, the IP address matching check is performed.

"strict" – enables strict filtering mode. In this mode all packets received from units not described in the mapping table are discarded. By default "strict" mode is disabled.

CAUTION

If you are remotely configuring a router using telnet, make sure, when enabling the strict mode, that your own workstation is already added correctly in the mapping table. Otherwise you lose control over the router, and disabling the strict mode will be only possible through the router's diagnostics port.

"reverse" – swaps the processing steps: first, an IP address is searched, then the MAC addresses are compared.
"simple" – only the first step of the above algorithm is executed. If the address is found in the mapping table, then the packet is normally handled by the router. Otherwise, the packet will be discarded, regardless of whether the "strict" option is enabled or not (the second address is not checked).
"dhcp" – in this mode macf filter is automatically supplemented with addresses issued by local DHCP server. These records are not stored in a permanent configuration and work until the given address is deleted by DHCP server.
"quiet" – switches off logging to the system log. If the network packet is discarded by a filter, this fact is logged. To reduce the number of registrated packages, only the first attempt from the similar packets group is logged.

If there is an intermediate router between the subscriber terminal and the local network, "reverse strict" or "reverse simple" can be used with all valid workstations IP addresses, and the intermediate router MAC address.

In case, the several local networks are connected to the subscriber terminal, separated by intermediate routers, it is possible to use "simple" or "reverse strict" with intermediate routers MAC addresses.

NOTE

In many cases, this problem can be solved easier by using the "arp" command.

show

Displays the mapping table current state.

clear

Clears the mapping table.

Examples

Add two filters to the mapping table: to "102030405060" and "203040506070" MAC addresses are assigned "1.1.1.1" and "2.2.2.2" IP addresses. Add comments to label the IP addresses ownership.

macf 102030405060  1.1.1.1  Room123
macf 203040506070  2.2.2.2  Room125

Display the mapping table current state.

macf show
macf 1 0020af915099 192.78.64.99  Server
macf 2 0020af9150a3 192.78.64.194 Room94
macf 3 0020af9150a4 192.78.64.134 Room57
macf 4 0020af9150a7 192.78.64.174 Admin

All local network workstations are connected directly to the subscriber terminal "eth0" interface. In this case, simplest filter version can be used, with the "strict" parameter.

macf eth0 strict

Previous⁣⁣ltest (radio link test)Next⁣⁣arp command (ARP protocol)

Last updated 1 year ago

macf command (addresses mapping)

Description

Syntax:

macf IFNAME {MAC|"any"} {IP|"any"} "Comment"
macf IFNAME del N
macf IFNAME {[-]dhcp [-]strict | [-]reverse | [-]simple | [-]quiet}
macf show | clear

Parameters

Parameter

Description

IFNAME

An interface identifier to the mapping table of which the filter is added.

{MAC|"any"} {IP|"any"} "Comment"

Adds the filter to the mapping table.

"MAC" – device MAC address.
"IP" – IP address assigned to the device.
"any" – any MAC or IP address.
"Comment" – symbolic comment for ease identification.

NOTE

Two filters with the same MAC addresses can not be added to the table.

del N

Removes the filter with "N" number from the mapping table. Filter number can be checked using the "show" parameter.

{[-]dhcp [-]strict | [-]reverse | [-]simple | [-]quiet}

Allows to select packets filtering mode. "[-]" – cancels the parameter's action. The MAC filter algorithm consists of two steps:

The filter searches for the MAC address in the table.
If the MAC address is found, the IP address matching check is performed.

"strict" – enables strict filtering mode. In this mode all packets received from units not described in the mapping table are discarded. By default "strict" mode is disabled.

CAUTION

"reverse" – swaps the processing steps: first, an IP address is searched, then the MAC addresses are compared.
"simple" – only the first step of the above algorithm is executed. If the address is found in the mapping table, then the packet is normally handled by the router. Otherwise, the packet will be discarded, regardless of whether the "strict" option is enabled or not (the second address is not checked).
"dhcp" – in this mode macf filter is automatically supplemented with addresses issued by local DHCP server. These records are not stored in a permanent configuration and work until the given address is deleted by DHCP server.
"quiet" – switches off logging to the system log. If the network packet is discarded by a filter, this fact is logged. To reduce the number of registrated packages, only the first attempt from the similar packets group is logged.

NOTE

In many cases, this problem can be solved easier by using the "arp" command.

show

Displays the mapping table current state.

clear

Clears the mapping table.

Examples

Add two filters to the mapping table: to "102030405060" and "203040506070" MAC addresses are assigned "1.1.1.1" and "2.2.2.2" IP addresses. Add comments to label the IP addresses ownership.

macf 102030405060  1.1.1.1  Room123
macf 203040506070  2.2.2.2  Room125

Display the mapping table current state.

macf show
macf 1 0020af915099 192.78.64.99  Server
macf 2 0020af9150a3 192.78.64.194 Room94
macf 3 0020af9150a4 192.78.64.134 Room57
macf 4 0020af9150a7 192.78.64.174 Admin

All local network workstations are connected directly to the subscriber terminal "eth0" interface. In this case, simplest filter version can be used, with the "strict" parameter.

macf eth0 strict

Previous⁣⁣ltest (radio link test)Next⁣⁣arp command (ARP protocol)

Last updated 1 year ago