Cisco ISA500 Series Integrated Security Appliances Administration Guide
Firewall
Configuring IP-MAC Binding to Prevent Spoofing
IP-MAC Binding allows you to bind an IP address to a MAC address and
vice-versa. Traffic is allowed only when the host IP address matches the
specified MAC address. Because the gateway validates the source IP address of
the traffic against the unique MAC address of the device, traffic from the
specified IP address cannot be spoofed. If a violation occurs (the source MAC
address of the traffic does not match the MAC address expected for its source
IP address), the packets are dropped and can be logged for diagnosis.
NOTE Up to 100 IP-MAC binding rules can be configured on the security appliance.
STEP 1 Click Firewall > MAC Filtering > IP - MAC Binding Rules.
The IP - MAC Binding Rules window opens.
STEP 2 To add an IP-MAC binding rule, click Add.
Other options: To edit an entry, click the Edit (pencil) icon. To delete an entry, click
the Delete (x) icon. To delete multiple entries, check them and click Delete.
The IP&MAC Binding Rule - Add/Edit window opens.
STEP 3 Enter the following information:
Name: Enter the name for the IP-MAC binding rule.
MAC Address: Choose an existing MAC address object. If the MAC address
object that you want is not in the list, choose Create a new address to add
a new MAC address object. To maintain the MAC address objects, go to the
Networking > Address Management page. See Address Management,
page 175.
IP Address: Choose an existing IP address object that you want to bind with
the selected MAC address. If the IP address object that you want is not in the
list, choose Create a new address to add a new IP address object. To
maintain the IP address objects, go to the Networking > Address
Management page. See Address Management, page 175.
Log Dropped Packets: Choose Enable to log all packets that are dropped.
Otherwise, choose Disable.
STEP 4 Click OK to save your settings.
STEP 5 Click Save to apply your settings.
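The check described at the start of this section, modelled in Python as an added example (not Cisco code and not part of the guide). It assumes that "vice-versa" means the binding is enforced in both directions and that hosts with no rule are left unrestricted; the class and function names and the sample addresses are constructed for illustration.

```python
# Added example: a model of the binding check, not Cisco ISA500 code.
import re
from dataclasses import dataclass
from ipaddress import ip_address

MAX_RULES = 100  # limit stated in the NOTE above

@dataclass(frozen=True)
class BindingRule:
    name: str
    mac: str
    ip: str
    log_dropped: bool = True  # models the "Log Dropped Packets" setting

def norm_mac(mac):
    """Canonicalise aa-bb-cc-dd-ee-ff / aabb.ccdd.eeff to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class BindingTable:
    def __init__(self, rules):
        if len(rules) > MAX_RULES:
            raise ValueError(f"at most {MAX_RULES} binding rules")
        self.by_ip, self.by_mac = {}, {}
        for r in rules:
            ip, mac = ip_address(r.ip), norm_mac(r.mac)
            if ip in self.by_ip or mac in self.by_mac:
                raise ValueError(f"rule {r.name!r} conflicts with an earlier rule")
            self.by_ip[ip] = self.by_mac[mac] = (ip, mac, r)

    def check(self, src_ip, src_mac):
        """Return (allowed, log_line or None) for one observed source pair."""
        ip, mac = ip_address(src_ip), norm_mac(src_mac)
        # Assumption: the binding is enforced in both directions, so a bound
        # IP sent from another MAC and a bound MAC using another IP both fail.
        hit = self.by_ip.get(ip) or self.by_mac.get(mac)
        if hit is None or hit[:2] == (ip, mac):
            return True, None  # assumption: unbound hosts are not restricted
        rule = hit[2]
        line = f"DROP rule={rule.name} src_ip={ip} src_mac={mac}"
        return False, (line if rule.log_dropped else None)

# Constructed sample rules (documentation addresses, made-up MACs).
TABLE = BindingTable([
    BindingRule("printer", "00-11-22-33-44-55", "192.0.2.10"),
    BindingRule("nas", "0011.2233.4466", "192.0.2.20", log_dropped=False),
])
```

Running `TABLE.check()` over the source pairs in an exported ARP or DHCP lease table shows which hosts a rule set would drop before the rules are entered on the appliance.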