SonicOS 7 System
- SonicOS 7
- Interfaces
- About Interfaces
- Interface Settings IPv4
- Adding Virtual Interfaces
- Configuring Routed Mode
- Enabling Bandwidth Management on an Interface
- Configuring Interfaces in Transparent IP Mode (Splice L3 Subnet)
- Configuring Wireless Interfaces
- Configuring WAN Interfaces
- Configuring Tunnel Interfaces
- Configuring VPN Tunnel Interfaces
- Configuring Link Aggregation and Port Redundancy
- Configuring One Arm Mode
- Configuring an IPS Sniffer Mode Appliance
- Configuring Security Services (Unified Threat Management)
- Configuring Wire and Tap Mode
- Layer 2 Bridged Mode
- Key Features of SonicOS Layer 2 Bridged Mode
- Key Concepts to Configuring L2 Bridged Mode and Transparent Mode
- Comparing L2 Bridged Mode to Transparent Mode
- Comparison of L2 Bridged Mode to Transparent Mode
- Benefits of Transparent Mode over L2 Bridged Mode
- ARP in Transparent Mode
- VLAN Support in Transparent Mode
- Multiple Subnets in Transparent Mode
- Non-IPv4 Traffic in Transparent Mode
- ARP in L2 Bridged Mode
- VLAN Support in L2 Bridged Mode
- L2 Bridge IP Packet Path
- Multiple Subnets in L2 Bridged Mode
- Non-IPv4 Traffic in L2 Bridged Mode
- L2 Bridge Path Determination
- L2 Bridge Interface Zone Selection
- Sample Topologies
- Configuring Network Interfaces and Activating L2B Mode
- Configuring Layer 2 Bridged Mode
- Asymmetric Routing
- Configuring Interfaces for IPv6
- 31-Bit Network Settings
- PPPoE Unnumbered Interface Support
- Failover & LB
- Neighbor Discovery
- ARP
- MAC IP Anti-Spoof
- Web Proxy
- PortShield Groups
- Static and Transparent Mode
- SonicOS Support of X-Series Switches
- About the X-Series Solution
- Performance Requirements
- Key Features Supported with X-Series Switches
- PortShield Functionality and X-Series Switches
- PoE/PoE+ and SFP/SFP+ Support
- X-Series Solution and SonicPoints
- Managing Extended Switches using GMS
- Extended Switch Global Parameters
- About Links
- Logging and Syslog Support
- Supported Topologies
- Port Graphics
- Port Configuration
- External Switch Configuration
- External Switch Diagnostics
- Configuring PortShield Groups
- VLAN Translation
- IP Helper
- Dynamic Routing
- DHCP Server
- Configuring a DHCP Server
- Configuring Advanced Options
- Configuring DHCP Option Objects
- Configuring DHCP Option Groups
- Configuring a Trusted DHCP Relay Agent Address Group (IPv4 Only)
- Enabling Trusted DHCP Relay Agents
- Configuring IPv4 DHCP Servers for Dynamic Ranges
- Configuring IPv6 DHCP Servers for Dynamic Ranges
- Configuring IPv4 DHCP Static Ranges
- Configuring IPv6 DHCP Static Ranges
- Configuring DHCP Generic Options for DHCP Lease Scopes
- DHCP and IPv6
- Multicast
- Network Monitor
- AWS Configuration
- SonicWall Support
MAC IP Anti-Spoof
MAC and IP address-based attacks are increasingly common in today’s network security environment. These types of attacks often target a Local Area Network (LAN) and can originate from either outside or inside a network. In fact, anywhere internal LANs are somewhat exposed, such as in office conference rooms, schools, or libraries, could provide an opening to these types of attacks. These attacks also go by various names: man-in-the-middle attacks, ARP poisoning, SPITS. The MAC-IP Anti-Spoof feature lowers the risk of these attacks by providing you with different ways to control access to a network, and by eliminating spoofing attacks at OSI Layer 2/3.
The effectiveness of the MAC-IP Anti-Spoof feature focuses on two areas. The first is admission control that allows you the ability to select which devices gain access to the network. The second area is the elimination of spoofing attacks, such as denial-of-service attacks, at Layer 2. To achieve these goals, two caches of information must be built: the MAC-IP Anti-Spoof Cache, and the ARP Cache.
The MAC-IP Anti-Spoof cache validates incoming packets and determines whether they are to be allowed inside the network. An incoming packet’s source MAC and IP addresses are looked up in this cache. If they are found, the packet is allowed through. The MAC-IP Anti-Spoof cache is built through one or more of the following sub-systems:
- DHCP Server-based leases (SonicWall’s - DHCP Server)
- DHCP relay-based leases (SonicWall’s - IP Helper)
- Static ARP entries
- User created static entries
The ARP Cache is built through the following subsystems:
- ARP packets; both ARP requests and responses
- Static ARP entries from user-created entries
- MAC-IP Anti-Spoof Cache
The MAC-IP Anti-Spoof subsystem achieves egress control by locking the ARP cache, so egress packets (packets exiting the network) are not spoofed by a bad device or by unwanted ARP packets. This prevents a firewall from routing a packet to the unintended device, based on mapping. This also prevents man-in-the-middle attacks by refreshing a client’s own MAC address inside its ARP cache.
- MAC IPv4 and IPv6 Anti-Spoof Settings
- Configuring MAC IP Anti-Spoof Settings
- Anti-Spoof Cache
- Spoof Detected List
Was This Article Helpful?
Help us to improve our support portal