If forged ARP packets are sent in a man-in-the-middle (MITM) attack, two communicating devices learn an incorrect address mapping of each other and the data of authorized users is intercepted by the attacker. To prevent this problem, you can enable ARP snooping detection on the device. After ARP snooping detection is enabled, the device compares the source IP address, source MAC address, port number, and VLAN information in a received ARP packet with those in the ARP snooping table. If no ARP snooping entry with the same source IP address and VLAN information as the ARP packet is found, the device creates an ARP snooping entry. If an ARP snooping entry with the same source IP address and VLAN information is found and other information matches, the device determines that the user who sends the ARP packet is a valid user and allows the ARP packet to pass. If an ARP snooping entry with the same source IP address and VLAN information is found but other information does not match, the device discards the ARP packet.