Filter
Top Products
Network > MAC-IP Anti-Spoof
377
SonicOS 5.8.1 Administrator Guide
To configure settings for a particular interface, click Configure icon for the desired interface.
The Settings window is now displayed for the selected interface. In this window, the following
settings can be enabled or disabled by clicking on the corresponding checkbox. Once your
setting selections for this interface are complete, click OK. The following options are available:
• Enable: To enable the MAC-IP Anti-Spoof subsystem on traffic through this interface
• Static ARP: Allows the Anti-Spoof cache to be built from static ARP entries
• DHCP Server: Allows the Anti-Spoof cache to be built from active DHCP leases from the
SonicWALL DHCP server
• DHCP Relay: Allows the Anti-Spoof cache to be built from active DHCP leases, from the
DHCP relay, based on IP Helper. To learn about changes to IP Helper, see “Extension to IP
Helper” section on page 382.
• ARP Lock: Locks ARP entries for devices listed in the MAC-IP Anti-Spoof cache. This
applies egress control for an interface through the MAC-IP Anti-Spoof configuration, and
adds MAC-IP cache entries as permanent entries in the ARP cache. This controls ARP
poisoning attacks, as the ARP cache is not altered by illegitimate ARP packets.
• ARP Watch: Enables generation of unsolicited unicast ARP responses towards the client’s
machine for every MAC-IP cache entry on the interface. This process helps prevent man-
in-the-middle attacks.
• Enforce Anti-Spoof: Enables ingress control on the interface, blocking traffic from devices
not listed in the MAC-IP Anti-Spoof cache.
• Spoof Detection List: Logs all devices that fail to pass Anti-spoof cache and lists them in
the Spoof Detected List.
• Allow Management: Allows through all packets destined for the appliance’s IP address,
even if coming from devices currently not listed in the Anti-Spoof cache.