- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
How To Restrict traffic from only selected MAC addresses using MAC-IP Anti-Spoof Protection
10/14/2021 
144 People found this article helpful
106,771 Views
Description
This article explains how to restrict traffic initiated from internal network, based on MAC addresses, using MAC-IP Anti-spoof protection. The MAC-IP Anti-Spoof feature lowers the risk of these attacks by providing administrators different ways to control access to a network, and by eliminating spoofing attacks at OSI Layer 2/3.
The MAC-IP Anti-Spoof cache validates incoming packets and determines whether they are to be allowed inside the network. An incoming packet's source MAC and IP addresses are looked up in this cache. If they are found, the packet is allowed through. The MAC-IP Anti-Spoof cache is built through one or more of the following sub-systems:
- DHCP Server-based leases (SonicWall's - DHCP Server)
- DHCP relay-based leases (SonicWall's - IP Helper)
- Static ARP entries
- User created static entries
This article explains the use of Static ARP (Address Resolution Protocol) by Binding an IP to a MAC address and ensuring only IP's with static ARP entries are allowed on the network and rest will be blocked. This would serve two purposes, blocking unauthorized access, and allow only listed Mac addresses in the network.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
Step 1: Enable MAC-IP Anti-Spoof protection under System | MAC-IP Anti-Spoof on a specific interface (it is based on interface and not on zones), for example enable it on X0 as shown below:
Step 2: Click on the "Configure" pencil edit circle to to configure settings for interface X0, select the options as shown below:
Step 3: Check if the settings have been applied as shown below:
Note: Once ARP Lock and Enforce Ingress anti-spoof options are enabled SonicWall firewall will check the static ARP entries and load them in MAC-IP Anti-Spoof cache. Traffic from any other MAC address and IP address combination would be dropped.
How to Test:
If another machine whose MAC address is not listed in the cache would try to communicate through firewall , it would be dropped as shown below: MAC-IP Anti-Spoof check enforced for hosts.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Step 1: Enable MAC-IP Anti-Spoof protection under Manage| Network | MAC-IP Anti-Spoof on a specific interface (it is based on interface and not on zones), for example enable it on X0 as shown below:
Step 2: Click on the "Configure" pencil edit circle to to configure settings for interface X0, select the options as shown below:
Step 3: Check if the settings have been applied as shown below:
Note: Once ARP Lock and Enforce Ingress anti-spoof options are enabled SonicWall firewall will check the static ARP entries and load them in MAC-IP Anti-Spoof cache. Traffic from any other MAC address and IP address combination would be dropped.
How to Test:
If another machine whose MAC address is not listed in the cache would try to communicate through firewall , it would be dropped as shown below:
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
Step 1: Enable MAC-IP Anti-Spoof protection under Network | MAC-IP Anti-Spoof on a specific interface (it is based on interface and not on zones), for example enable it on X0 as shown below:
Step 2: Click on the "Configure" pencil edit circle to to configure settings for interface X0, select the options as shown with pointing arrows below:
Note: Once ARP Lock and Enforce Ingress anti-spoof options are enabled SonicWall firewall will check the static ARP entries and load them in MAC-IP Anti-Spoof cache. Traffic from any other MAC address and IP address combination would be dropped.
How to Test:
If another machine whose MAC address is not listed in the cache would try to communicate through firewall , it would be dropped as shown below:
Related Articles
- Switch from the Policy mode to classic mode on Gen 7 appliances
- Analyzing TCP reset(RST)packets
- ‘Error sending one-time password’ encountered when connecting to NetExtender
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO