For a while I have been working on ARP spoofing. At work we often have guests on our network and i realized that the existing setup can easily be spoofed. Of course the guests are not on the same network as the rest of the company, but I would like that one guest can't spoof another. I made a test network where i could ARP spoof and get all communication successfully.

For what i have seen/tried/tested, a network switch with ARP proxy can't be spoofed the same way. It's possible to get the incoming traffic, but the outgoing is impossible to get. For me it's more important that the outgoing can't be captured, since it's often here you find sessions, passwords etc. So it seems ARP proxy is what i want.

But before i feel to safe here i would like confirmation that I'm right in my assumption that switched networks with ARP proxy can't be spoofed?

Thanks for the help.