SonicOS 7.3 System

Configuring MAC IP Anti-Spoof Settings

To configure settings for a particular interface, click the Edit icon in the Configure column for the desired interface. The Edit Interface dialog is displayed for the selected interface.

The following options are available:

  • Anti-Spoof Settings
    • Enable MAC-IP based anti-spoofing: Enables the MAC-IP Anti-Spoof subsystem for traffic through this interface
    • Static ARP: Allows the Anti-Spoof cache to be built from static ARP entries
    • DHCP Server: Allows the Anti-Spoof cache to be built from active DHCP leases held by the SonicWall DHCP server
    • DHCP Relay: Allows the Anti-Spoof cache to be built from active DHCP leases learned through the DHCP relay (IP Helper)
  • ARP Settings
    • ARP Lock: Locks ARP entries for devices listed in the MAC-IP Anti-Spoof cache. This applies egress control for an interface through the MAC-IP Anti-Spoof configuration, and adds MAC-IP cache entries as permanent entries in the ARP cache. This controls ARP poisoning attacks, as the ARP cache is not altered by illegitimate ARP packets.
    • ARP Watch: Prevents ARP poisoning of connected machines, protecting client PCs from man-in-the-middle attacks.
  • Miscellaneous Settings
    • Enforce Ingress anti-spoof at Layer 2: Enables Layer 2 ingress control on the Native Bridge member or L2B interface. All Layer 2 traffic (including ARP, DHCP, and NetBIOS packets) is validated against the MAC-IP Anti-Spoof Cache. Packets from devices not listed in the cache are blocked and logged.
    • Enforce Ingress anti-spoof at Layer 3: Enables ingress control on the interface at the IP layer, blocking traffic from devices not listed in the MAC-IP Anti-Spoof Cache.
    • Spoof Detection: Logs all devices whose MAC-IP pair fails the Anti-Spoof cache check and lists them in the Spoof Detected List.
    • Allow Management: Allows through all packets destined for the appliance’s IP address, even if coming from devices currently not listed in the Anti-Spoof Cache.
    • Allow DHCP/NetBios packets when MAC Anti-Spoof at Layer 2 is enabled: Enable this option to permit DHCP and NetBIOS traffic to pass through even when the source device is not in the Anti-spoof cache.

The MAC-IP Anti-Spoof Cache for Native Bridge and L2B interfaces must be populated using static entries only; the auto-population options (Static ARP, DHCP Server, and DHCP Relay) are not available for these interfaces.
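The following model, added here and not SonicOS code, shows how the options above combine: the cache is built from the enabled sources (static entries only for a bridge interface), each packet's source MAC-IP pair is checked against it, cache failures go to the Spoof Detected List, and the Allow Management and DHCP/NetBIOS exceptions are applied before the drop. The decision order, the `Packet` and `InterfaceSettings` names and the management address are assumptions.

```python
# Illustrative model of the documented MAC-IP Anti-Spoof ingress logic (not SonicOS code).
from dataclasses import dataclass

@dataclass
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    layer: int            # 2 = checked at the bridge (L2) stage, 3 = at the IP stage
    proto: str = "ip"     # "dhcp", "netbios", "arp" or "ip"

@dataclass
class InterfaceSettings:
    enabled: bool = True              # Enable MAC-IP based anti-spoofing
    static_arp: bool = True           # build cache from static ARP entries
    dhcp: bool = True                 # build cache from DHCP server / DHCP relay leases
    enforce_l2: bool = False          # Enforce Ingress anti-spoof at Layer 2
    enforce_l3: bool = False          # Enforce Ingress anti-spoof at Layer 3
    spoof_detection: bool = True      # record failures in the Spoof Detected List
    allow_management: bool = True     # Allow Management
    allow_dhcp_netbios: bool = False  # Allow DHCP/NetBios packets at Layer 2
    appliance_ip: str = "192.0.2.1"   # constructed appliance address (assumption)

def build_cache(cfg, static_arp, dhcp_leases):
    """Anti-Spoof cache as a set of (mac, ip) pairs from the enabled sources."""
    cache = set()
    if cfg.static_arp:
        cache |= set(static_arp)
    if cfg.dhcp:                      # off for Native Bridge / L2B: static entries only
        cache |= set(dhcp_leases)
    return cache

def ingress_decision(pkt, cfg, cache, detected):
    """Return 'allow' or 'drop'; cache failures are appended to `detected`."""
    if not cfg.enabled or (pkt.src_mac, pkt.src_ip) in cache:
        return "allow"
    if cfg.spoof_detection:           # assumption: logged even when not enforced at this layer
        detected.append((pkt.src_mac, pkt.src_ip))
    enforced = (pkt.layer == 2 and cfg.enforce_l2) or (pkt.layer == 3 and cfg.enforce_l3)
    if not enforced:
        return "allow"
    # Documented exceptions for devices missing from the cache
    if cfg.allow_management and pkt.dst_ip == cfg.appliance_ip:
        return "allow"
    if pkt.layer == 2 and cfg.allow_dhcp_netbios and pkt.proto in ("dhcp", "netbios"):
        return "allow"
    return "drop"
```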

After your setting selections for this interface are complete, click Save. Once the settings have been applied, the interface's listing on the MAC-IP Anti-Spoof page is updated; a green circle with a white check mark denotes each setting that has been enabled.

The following interfaces are excluded from the MAC-IP Anti-Spoof list:

  • Non-Ethernet interfaces
  • Port-shield member interfaces
  • High availability interfaces
  • High availability data interfaces

Native Bridge interfaces and Layer 2 Bridge pair interfaces are now included in the MAC-IP Anti-Spoof interface list and support Layer 2 MAC-IP Anti-Spoof enforcement.