3) Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address into its ARP mapping table, encapsulates its MAC address into an ARP reply, and unicasts the reply to Host A.

4) After receiving the ARP reply, Host A adds the MAC address of Host B into its ARP mapping table for subsequent packet forwarding. Meanwhile, Host A encapsulates the IP packet and sends it out.

Usually, ARP resolves IP addresses to MAC addresses dynamically and automatically, without manual intervention.

Introduction to ARP Attack Detection

Man-in-the-middle attack

According to the ARP design, after receiving an ARP response, a host adds the IP-to-MAC mapping of the sender into its ARP mapping table even if the MAC address is not the real one. This can reduce the ARP traffic in the network, but it also makes ARP spoofing possible.

In Figure 1-3, Host A communicates with Host C through a switch. To intercept the traffic between Host A and Host C, the hacker (Host B) sends invalid ARP reply messages to Host A and Host C respectively, causing the two hosts to update the MAC address corresponding to the peer IP address in their ARP tables with the MAC address of Host B. The traffic between Host A and Host C then passes through Host B, which acts as a “man-in-the-middle” that may intercept and modify the communication information. Such an attack is called a man-in-the-middle attack.

Figure 1-3 Network diagram for ARP man-in-the-middle attack

ARP attack detection

To guard against man-in-the-middle attacks launched by hackers or attackers, S5100-SI/EI series Ethernet switches support the ARP attack detection function. All ARP packets (both requests and responses) passing through the switch are redirected to the CPU, which checks the validity of each ARP packet by using the DHCP snooping table or the manually configured IP binding table.
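
The validity check described above, sketched as an added example (not the switch's own implementation): an ARP packet is accepted only if its sender IP and MAC match a binding entry for the VLAN and port it arrived on. The table layout, the port names, and the use of the ARP sender fields as the checked addresses are assumptions, and all sample packets are constructed.

```python
import struct
from ipaddress import IPv4Address

# Constructed stand-in for DHCP snooping / static IP binding entries (assumed layout):
# (VLAN ID, receiving port) -> {IP address: MAC address}
BINDINGS = {
    (10, "Ethernet1/0/1"): {"192.168.1.10": "00:11:22:33:44:0a"},  # Host A
    (10, "Ethernet1/0/2"): {"192.168.1.20": "00:11:22:33:44:0b"},  # Host B
    (10, "Ethernet1/0/3"): {"192.168.1.30": "00:11:22:33:44:0c"},  # Host C
}

def parse_arp(payload: bytes):
    """Parse an Ethernet/IPv4 ARP payload; return (opcode, sender MAC, sender IP)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sender_mac = ":".join(f"{b:02x}" for b in payload[8:14])
    sender_ip = str(IPv4Address(payload[14:18]))
    return op, sender_mac, sender_ip

def arp_is_valid(payload: bytes, vlan: int, port: str) -> bool:
    """True only if sender IP and MAC match a binding for this VLAN and port."""
    try:
        _op, sender_mac, sender_ip = parse_arp(payload)
    except ValueError:
        return False  # malformed packets never match a binding
    return BINDINGS.get((vlan, port), {}).get(sender_ip) == sender_mac

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build an ARP payload in memory for the constructed samples below."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sender_mac) + IPv4Address(sender_ip).packed
            + mac(target_mac) + IPv4Address(target_ip).packed)

# Constructed samples: a genuine reply from Host C, and a reply that pairs
# Host C's IP address with Host B's MAC address (the mismatch in Figure 1-3).
GENUINE = build_arp(2, "00:11:22:33:44:0c", "192.168.1.30",
                    "00:11:22:33:44:0a", "192.168.1.10")
SPOOFED = build_arp(2, "00:11:22:33:44:0b", "192.168.1.30",
                    "00:11:22:33:44:0a", "192.168.1.10")

if __name__ == "__main__":
    print("genuine on Ethernet1/0/3:", arp_is_valid(GENUINE, 10, "Ethernet1/0/3"))
    print("spoofed on Ethernet1/0/2:", arp_is_valid(SPOOFED, 10, "Ethernet1/0/2"))
```

The same genuine packet fails the check when it arrives on a different port or VLAN, because the binding is looked up per receiving port.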
For a description of the DHCP snooping table and the manually configured IP binding table, refer to the DHCP snooping section in the part discussing DHCP in this manual.

After you enable the ARP attack detection function, the switch will check the following items of an ARP packet: the source MAC address, source IP address, port number of the port receiving the ARP packet, and the ID of the VLAN the port resides in. If these items match the entries of the DHCP snooping table or