I want to know if I'm protected against ARP spoofing.
In my network, all PCs, printers, phones and servers are in distinct VLANs. I got a layer 3 switch for servers, which handles routing between these VLANs, and layer 2 switches for connecting PCs, printers and phones. I use DHCP snooping to be sure that only my DHCP server is giving IP addresses. I have an internet gateway in the same VLAN used for servers. I don't have any specific configuration for ARP on the layer 2 and 3 switches.
Since ARP is blocked by routers, am I open or not to ARP spoofing?
Best Answer
ARP spoofing only works on a LAN, not across LANs, so you are safe from ARP spoofing from outside a LAN. Unfortunately, most successful attacks happen from within a network. For example, a host on your network could be compromised (look at other SE sites to see the large quantity of questions from workers looking to bypass a company's network security to be able to play games or stream videos). Since you are running DHCP snooping, you could add DAI (Dynamic ARP Inspection) to prevent ARP spoofing on a LAN.
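As an added illustration that is not part of the answer above, here is a simplified model of the check DAI performs: ARP packets arriving on untrusted ports are compared against the IP-to-MAC bindings learned by DHCP snooping. The port names, addresses and the static-entry table are constructed for the example; the printer case shows that a statically addressed host needs its own entry (or a trusted port), otherwise its ARP traffic is dropped.

```python
"""Simplified model of Dynamic ARP Inspection (DAI) on one access switch."""
from typing import NamedTuple

class Arp(NamedTuple):
    port: str        # ingress switch port (hypothetical names)
    vlan: int
    sender_mac: str
    sender_ip: str

def inspect(pkt, bindings, trusted_ports):
    """Return (verdict, reason) for one ARP packet.

    bindings maps (vlan, ip) -> mac, as learned by DHCP snooping
    or entered statically for hosts that do not use DHCP.
    """
    if pkt.port in trusted_ports:            # uplinks/trunks are not inspected
        return ("permit", "trusted-port")
    expected = bindings.get((pkt.vlan, pkt.sender_ip))
    if expected is None:                     # IP never leased and not listed
        return ("drop", "no-binding")
    if expected.lower() != pkt.sender_mac.lower():
        return ("drop", "mac-mismatch")      # claimed IP belongs to another MAC
    return ("permit", "match")

# Constructed sample data: VLAN 10 is a PC VLAN, gateway reached via the uplink.
DHCP_BINDINGS = {
    (10, "10.0.10.21"): "00:11:22:33:44:21",
    (10, "10.0.10.50"): "00:11:22:33:44:50",
}
STATIC_BINDINGS = {(10, "10.0.10.9"): "00:11:22:33:44:09"}  # printer, fixed IP
TRUSTED = {"uplink"}

SAMPLES = {
    "pc_legit":           Arp("port1", 10, "00:11:22:33:44:21", "10.0.10.21"),
    "spoof_gateway":      Arp("port5", 10, "00:11:22:33:44:50", "10.0.10.1"),
    "spoof_peer":         Arp("port5", 10, "00:11:22:33:44:50", "10.0.10.21"),
    "gateway_via_uplink": Arp("uplink", 10, "00:11:22:33:44:01", "10.0.10.1"),
    "static_printer":     Arp("port9", 10, "00:11:22:33:44:09", "10.0.10.9"),
}

def run(bindings):
    """Inspect every sample packet against the given binding table."""
    return {name: inspect(p, bindings, TRUSTED) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run({**DHCP_BINDINGS, **STATIC_BINDINGS}).items():
        print(f"{name:20} {verdict}")
```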