Configuring ARP Detection

For information about DHCP snooping, refer to DHCP Configuration in the IP Services Volume.

Introduction to ARP Detection

The ARP detection feature allows only the ARP packets of authorized clients to be forwarded, hence preventing man-in-the-middle attacks.

Man-in-the-middle attack

According to the ARP design, after receiving an ARP reply, a host adds the IP-to-MAC mapping of the sender to its ARP mapping table even if the MAC address is not the requested one. This design reduces the ARP traffic on the network, but also makes ARP spoofing possible.

As shown in Figure 2-1, Host A communicates with Host C through a switch. After intercepting the traffic between Host A and Host C, a hacker (Host B) forwards forged ARP replies to Host A and Host C respectively. Upon receiving the ARP replies, the two hosts update the MAC address corresponding to the peer IP address in their ARP tables with the MAC address of Host B (MAC_B). After that, Host B establishes independent connections with Host A and Host C and relays messages between them, deceiving them into believing that they are talking directly to each other over a private connection, while the entire conversation is actually controlled by Host B. Host B may intercept and modify the communication data. Such an attack is called a man-in-the-middle attack.

Figure 2-1 Man-in-the-middle attack
[Figure: a switch connects Host A (IP_A, MAC_A), Host B (IP_B, MAC_B) and Host C (IP_C, MAC_C); Host B sends a forged ARP reply to Host A and a forged ARP reply to Host C]
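As an added example (not code from this configuration guide), the check that ARP detection performs, modelled in Python: an ARP packet arriving on an untrusted port is forwarded only when its sender IP, sender MAC and ingress port match a DHCP snooping binding, so the forged replies of Figure 2-1 are dropped while Host A's genuine reply passes. The binding table, port names and addresses are constructed placeholders, and basing the check on DHCP snooping bindings plus a trusted-port exemption is an assumption about how the feature is implemented.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping entry: the IP-to-MAC mapping an authorized client obtained."""
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpPacket:
    """The fields of an ARP packet that the detection check inspects."""
    sender_ip: str
    sender_mac: str
    vlan: int
    ingress_port: str


# Constructed binding table for the Figure 2-1 topology (placeholder addresses
# standing in for IP_A/MAC_A, IP_B/MAC_B and IP_C/MAC_C), keyed by (IP, VLAN).
BINDINGS = {
    ("10.0.0.1", 10): Binding("10.0.0.1", "00:00:00:00:00:0a", 10, "GE1/0/1"),  # Host A
    ("10.0.0.2", 10): Binding("10.0.0.2", "00:00:00:00:00:0b", 10, "GE1/0/2"),  # Host B
    ("10.0.0.3", 10): Binding("10.0.0.3", "00:00:00:00:00:0c", 10, "GE1/0/3"),  # Host C
}


def check_arp(pkt, bindings, trusted_ports=frozenset()):
    """Decide whether an ARP packet is forwarded. Returns (forward, reason)."""
    if pkt.ingress_port in trusted_ports:
        return True, "trusted port, not checked"
    entry = bindings.get((pkt.sender_ip, pkt.vlan))
    if entry is None:
        return False, "no binding for sender IP in this VLAN"
    if entry.mac != pkt.sender_mac:
        return False, f"sender MAC {pkt.sender_mac} does not match binding {entry.mac}"
    if entry.port != pkt.ingress_port:
        return False, f"received on {pkt.ingress_port}, binding is on {entry.port}"
    return True, "sender IP, MAC and port match the binding"


# Constructed packets: a genuine reply from Host A, and the two forged replies of
# Figure 2-1, in which Host B claims IP_C and IP_A with its own MAC_B.
GENUINE_REPLY = ArpPacket("10.0.0.1", "00:00:00:00:00:0a", 10, "GE1/0/1")
FORGED_TO_HOST_A = ArpPacket("10.0.0.3", "00:00:00:00:00:0b", 10, "GE1/0/2")
FORGED_TO_HOST_C = ArpPacket("10.0.0.1", "00:00:00:00:00:0b", 10, "GE1/0/2")

if __name__ == "__main__":
    for pkt in (GENUINE_REPLY, FORGED_TO_HOST_A, FORGED_TO_HOST_C):
        forward, reason = check_arp(pkt, BINDINGS)
        print("FORWARD" if forward else "DROP", pkt.sender_ip, pkt.sender_mac, "-", reason)
```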