If the functionality is offered, organizations SHOULD bind Layer 2 MAC addresses and Layer 3 IP addresses together to reduce the network attack surface and mitigate the threat of ARP Spoofing.
Description: ARP Spoofing is a classic network attack in which threat actors manipulate the Address Resolution Protocol (ARP) to associate the IP address of a legitimate device (e.g., a router) with the attacker's MAC address. If successful, traffic destined for the router's IP address is sent to the attacker's device instead of the router. Many SOHO routers and wireless access point controllers provide the option to bind IP addresses to their currently associated MAC addresses. By making the two addresses inseparable, attackers will not be able to associate their MAC address with an IP address used by a sensitive network asset.
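
Where a device does not enforce the binding itself, the same IP-to-MAC pairs can be audited from a host's neighbour table. The following is an added example, not part of the original guidance: it assumes Linux `ip neigh show` output, and the binding table, addresses and function names are constructed for illustration.

```python
import re

# Constructed binding table (IP -> expected MAC); values are illustrative only.
BINDINGS = {
    "192.168.1.1": "00:11:22:33:44:55",   # router
    "192.168.1.10": "00:11:22:33:44:66",  # file server
}

# Constructed sample of `ip neigh show` output.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:66 STALE
192.168.1.23 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.40 dev eth0  FAILED
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:55 DELAY
"""

NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9A-Fa-f:]{17})\s+(\S+)")

def parse_neigh(text):
    """Yield (ip, mac) for every neighbour entry that has a resolved MAC."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # entries without lladdr (FAILED/INCOMPLETE) are skipped
            yield m.group(1), m.group(3).lower()

def check_bindings(text, bindings):
    """Return a list of (kind, ip, seen_mac, expected) binding violations."""
    bound = {ip: mac.lower() for ip, mac in bindings.items()}
    mac_owner = {mac: ip for ip, mac in bound.items()}
    findings = []
    for ip, mac in parse_neigh(text):
        if ip in bound and mac != bound[ip]:
            # A bound IP resolves to a different MAC: the ARP spoofing symptom.
            findings.append(("ip-rebound", ip, mac, bound[ip]))
        elif ip not in bound and mac in mac_owner:
            # A bound MAC answers for an IP it is not bound to.
            findings.append(("mac-moved", ip, mac, mac_owner[mac]))
    return findings

if __name__ == "__main__":
    for finding in check_bindings(SAMPLE_NEIGH, BINDINGS):
        print(finding)
```

An `ip-rebound` finding on the router's address is the condition the binding is meant to prevent; `mac-moved` points at a bound device that has changed address or a binding table that is out of date.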
