2-12 ARP Attack Defense ConfigurationAlthough ARP is easy to implement, it provides no security mechanism and thus is prone to networkattacks. Currently, ARP attacks and viruses are threatening LAN security. The device can providemultiple features to detect and prevent such attacks.Configuring ARP Active AcknowledgementIntroductionTypically, the ARP active acknowledgement feature is configured on gateway devices to identify invalidARP packets.With this feature enabled, the gateway, upon receiving an ARP packet with a different source MACaddress from that in the corresponding ARP entry, checks whether the ARP entry has been updatedwithin the last minute:z If yes, the gateway does not update the ARP entry;z If not, the gateway unicasts an ARP request to the source MAC address of the ARP entry.Then,z If an ARP reply is received within five seconds, the ARP packet is ignored;z If not, the gateway unicasts an ARP request to the MAC address of the ARP packet.Then,z If an ARP reply is received within five seconds, the gateway updates the ARP entry;z If not, the ARP entry is not updated.Configuring the ARP Active Acknowledgement FunctionFollow these steps to configure ARP active acknowledgement:To do… Use the command… RemarksEnter system view system-view —Enable the ARP activeacknowledgement functionarp anti-attack active-ackenableRequiredDisabled by default.Configuring Source MAC Address Based ARP Attack DetectionIntroductionThis feature allows the device to check the source MAC address of ARP packets. If the number of ARPpackets sent from a MAC address within five seconds exceeds the specified value, the deviceconsiders this an attack.Only the ARP packets delivered to the CPU are detected.