The Layer 2 MAC-IP Anti-Spoof feature extends MAC-IP Anti-Spoof protection to Native Bridge member interfaces, providing admission control and spoofing prevention for Layer 2 (ARP, DHCP, NetBIOS) and Layer 3 (IP) traffic that traverses the Native Bridge FDB without passing through the Layer 3 MAC-IP Anti-Spoof engine.
In a Native Bridge deployment, when firewalling is disabled on member interfaces, Layer 2 traffic (ARP packets, DHCP exchanges, NetBIOS name resolution) is forwarded directly by the FDB — bypassing the existing Layer 3 MAC-IP Anti-Spoof checks. This creates a security gap: an attacker connected to one Native Bridge member can launch ARP poisoning attacks against devices on other members, redirect traffic through a man-in-the-middle host, or exhaust DHCP address pools via starvation attacks.
With Layer 2 MAC-IP Anti-Spoof enabled, the firewall intercepts Layer 2 traffic at the Native Bridge ingress path and validates it against the MAC-IP Anti-Spoof Cache before the FDB forwards it. This provides protection regardless of whether firewalling is enabled or disabled on the member interfaces.
The following table provides the list of attacks that are prevented with Layer 2 MAC-IP Anti-Spoof enabled.
| Attack Type | Prevented by Layer 2 MAC-IP Anti-Spoof | Prevented by Layer 3 MAC-IP Anti-Spoof |
|---|---|---|
| MAC Spoofing Attack | Yes | No |
| ARP Poisoning / Man-in-the-Middle / Pen Test | Yes | No |
| ARP Poisoning attack on SonicOS | Yes | No |
| MAC-IP Spoofing (L3) to SonicOS | Yes | Yes |
| MAC-IP Spoofing (L3) between Native Bridge Members | Yes (always, regardless of firewalling options) | No (only with firewalling) |
| DHCP Spoofing / Man-in-the-Middle attack | Yes | No |
| DHCP Starvation / DoS | Yes | No |
| NetBIOS Spoofing & Poisoning | Yes | No |

The following table summarizes, for each Native Bridge firewalling mode and packet type, which forwarding path and which protections apply.

| Native Bridge Firewalling | Packet Type | FDB Forwarded (w/o firewalling) | L3 Anti-Spoof Available | Policy / Access Rules | L2 Anti-Spoof Available | MAC Spoof Prevention | ARP Poisoning Prevention | Pen Test |
|---|---|---|---|---|---|---|---|---|
| Disabled | Layer 2 (ARP, etc.) | Yes | No | No | Yes | Yes | Yes | Pass |
| Disabled | IP / Layer 3+ | Yes | No | No | Yes | Yes | Yes | Pass |
| Enabled | Layer 2 (ARP, etc.) | No | No | If service = Any | Yes | Yes | Yes | Pass |
| Enabled | IP / Layer 3+ | No | Yes | Yes | Yes | Yes | Yes | Pass |
With Layer 2 enforcement enabled, spoofed packets are dropped and logged regardless of whether Native Bridge firewalling is enabled or disabled.
To enable Layer 2 MAC-IP Anti-Spoof on Native Bridge or Layer 2 Bridge (L2B) interfaces:
1. Navigate to NETWORK | System > MAC-IP Anti-Spoof.
2. Click the Edit icon in the Configure column for the desired Native Bridge member interface. The Edit Interface dialog displays.
3. Under Anti-Spoof Settings, select Enable MAC-IP based anti-spoofing.
4. Under Miscellaneous Settings:
   - Select Enforce Ingress anti-spoof at Layer 2 to activate Layer 2 enforcement.
   - (Optional) Select Spoof Detection to log spoofed devices to the Spoof Detected List.
   - (Optional) Select Allow Management to allow packets destined for the appliance's IP address even from uncached devices.
   - (Optional) Select Allow DHCP/NetBios packets when MAC Anti-Spoof at Layer 2 is enabled if devices on this interface need to perform DHCP discovery before being added to the cache.
5. Click Save.
It is recommended to enable both Enforce Ingress anti-spoof at Layer 2 and Enforce Ingress anti-spoof at Layer 3 for comprehensive protection on Native Bridge member interfaces. The Layer 2 setting protects against ARP/DHCP-level attacks while the Layer 3 setting protects against IP-level spoofing.
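As an added illustration (not SonicOS code), the following Python model shows the ingress decision described above: a frame arriving on a Native Bridge member is checked against the MAC-IP Anti-Spoof Cache before the FDB forwards it, with the Layer 2 enforcement, Spoof Detection, Allow Management and Allow DHCP/NetBIOS options applied. The cache bindings, appliance address and sample traffic are constructed values, and the exact precedence of the options is an assumption for the model.

```python
from dataclasses import dataclass

# Constructed MAC-IP Anti-Spoof Cache for one Native Bridge member interface
# (hypothetical bindings, not taken from a real deployment).
CACHE = {"00:11:22:33:44:55": "10.0.0.10", "00:11:22:33:44:66": "10.0.0.11"}
APPLIANCE_IP = "10.0.0.1"  # constructed address of the firewall's own interface

@dataclass
class Settings:
    """Per-interface options from the configuration steps above."""
    enforce_l2: bool = True           # Enforce Ingress anti-spoof at Layer 2
    spoof_detection: bool = True      # log failures to the Spoof Detected List
    allow_management: bool = False    # uncached devices may reach the appliance IP
    allow_dhcp_netbios: bool = False  # uncached clients may do DHCP/NetBIOS discovery

@dataclass
class Packet:
    kind: str       # "ARP", "DHCP", "NETBIOS" or "IP"
    src_mac: str
    src_ip: str     # ARP sender protocol address, or the IP source address
    dst_ip: str = ""

def ingress_check(pkt, settings, cache=CACHE, spoof_list=None):
    """Model of the Layer 2 ingress decision taken before the FDB forwards a frame.
    Returns "forward" or "drop"; failures are appended to spoof_list when enabled."""
    if not settings.enforce_l2:
        return "forward"  # no L2 enforcement: the FDB forwards unchecked
    cached_ip = cache.get(pkt.src_mac)
    if cached_ip == pkt.src_ip:
        return "forward"  # MAC-IP binding matches the cache
    if cached_ip is None:  # uncached device: only the explicit exceptions admit it
        if settings.allow_dhcp_netbios and pkt.kind in ("DHCP", "NETBIOS"):
            return "forward"
        if settings.allow_management and pkt.dst_ip == APPLIANCE_IP:
            return "forward"
    if settings.spoof_detection and spoof_list is not None:
        spoof_list.append((pkt.kind, pkt.src_mac, pkt.src_ip))
    return "drop"

# Constructed traffic: a legitimate ARP, an ARP claiming a cached neighbour's IP
# from an unknown MAC (poisoning attempt), and a DHCP discover from a new client.
SAMPLES = [
    Packet("ARP", "00:11:22:33:44:55", "10.0.0.10"),
    Packet("ARP", "aa:bb:cc:dd:ee:ff", "10.0.0.10"),
    Packet("DHCP", "aa:bb:cc:dd:ee:01", "0.0.0.0", "255.255.255.255"),
]

def run_samples(settings):
    spoofs = []  # filled by ingress_check when Spoof Detection is enabled
    return [ingress_check(p, settings, spoof_list=spoofs) for p in SAMPLES], spoofs
```

With default settings the poisoning attempt and the uncached DHCP discover are both dropped and logged; enabling Allow DHCP/NetBIOS admits the discover while the poisoning attempt is still dropped.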
Layer 2 MAC-IP Anti-Spoof enforcement for L2B mode interfaces follows the same architecture and configuration model as Native Bridge member interfaces.