How To Restrict traffic from only selected MAC addresses using MAC-IP Anti-Spoof Protection
07/05/2021 
129 
18625
DESCRIPTION:
This article explains how to restrict traffic initiated from internal network, based on MAC addresses, using MAC-IP Anti-spoof protection. The MAC-IP Anti-Spoof feature lowers the risk of these attacks by providing administrators different ways to control access to a network, and by eliminating spoofing attacks at OSI Layer 2/3.
The MAC-IP Anti-Spoof cache validates incoming packets and determines whether they are to be allowed inside the network. An incoming packet's source MAC and IP addresses are looked up in this cache. If they are found, the packet is allowed through. The MAC-IP Anti-Spoof cache is built through one or more of the following sub-systems:
- DHCP Server-based leases (SonicWall's - DHCP Server)
- DHCP relay-based leases (SonicWall's - IP Helper)
- Static ARP entries
- User created static entries
This article explains the use of Static ARP (Address Resolution Protocol) by Binding an IP to a MAC address and ensuring only IP's with static ARP entries are allowed on the network and rest will be blocked. This would serve two purposes, blocking unauthorized access, and allow only listed Mac addresses in the network.
RESOLUTION:
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
Step 1: Enable MAC-IP Anti-Spoof protection under System | MAC-IP Anti-Spoof on a specific interface (it is based on interface and not on zones), for example enable it on X0 as shown below:
Step 2: Click on the "Configure" pencil edit circle to to configure settings for interface X0, select the options as shown below:
Step 3: Check if the settings have been applied as shown below:
Note: Once ARP Lock and Enforce Ingress anti-spoof options are enabled SonicWall firewall will check the static ARP entries and load them in MAC-IP Anti-Spoof cache. Traffic from any other MAC address and IP address combination would be dropped.
How to Test:
If another machine whose MAC address is not listed in the cache would try to communicate through firewall , it would be dropped as shown below: MAC-IP Anti-Spoof check enforced for hosts.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Step 1: Enable MAC-IP Anti-Spoof protection under Manage| Network | MAC-IP Anti-Spoof on a specific interface (it is based on interface and not on zones), for example enable it on X0 as shown below:
Step 2: Click on the "Configure" pencil edit circle to to configure settings for interface X0, select the options as shown below:
Step 3: Check if the settings have been applied as shown below:
Note: Once ARP Lock and Enforce Ingress anti-spoof options are enabled SonicWall firewall will check the static ARP entries and load them in MAC-IP Anti-Spoof cache. Traffic from any other MAC address and IP address combination would be dropped.
How to Test:
If another machine whose MAC address is not listed in the cache would try to communicate through firewall , it would be dropped as shown below:
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
Step 1: Enable MAC-IP Anti-Spoof protection under Network | MAC-IP Anti-Spoof on a specific interface (it is based on interface and not on zones), for example enable it on X0 as shown below:
Step 2: Click on the "Configure" pencil edit circle to to configure settings for interface X0, select the options as shown with pointing arrows below:
Note: Once ARP Lock and Enforce Ingress anti-spoof options are enabled SonicWall firewall will check the static ARP entries and load them in MAC-IP Anti-Spoof cache. Traffic from any other MAC address and IP address combination would be dropped.
How to Test:
If another machine whose MAC address is not listed in the cache would try to communicate through firewall , it would be dropped as shown below:
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
