Lets assume we are only talking about IPv4. You can block ARP spoofing. Snooping is a different matter. ARP queries are sent as a broadcast. They go out every port in the VLAN that the host belongs to. This is fundamental to ARP and there is no way to stop this. So if you sit their with a packet sniffer you'll evenually capture enough ARP traffic to build up a list of (MAC,IP Address) combinations. If you *really* want to stop ARP snooping put every port into its own seperate VLAN and use /30 stubs.
... View more