Hi,
We have a Cisco 6500 as the backbone and a 3560 as the router in each of the edges (buildings). Connected to the 3560s there are 2960s. Each of the buildings has its own VLAN/subnets.
Recently we found out that infected PCs in every building are sending strange ARP packets and announcing themselves as the gateway of the subnet/VLAN. As a result, instead of using the real gateway (the 3560), all the other users start communicating with the infected PC, thinking it is the gateway.
With this strategy, the infected PC serves as the gateway when communicating with the normal PCs but also injects extra virus/infections when providing data to them.
I have found that this operation is called Address Resolution Protocol (ARP) spoofing, also known as ARP poisoning or ARP Poison Routing (APR).
I want to believe and hope that there is a solution available to this problem which affects our thousands of users.
Regards.
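
A defender-side check for the behaviour described in the post, as an added example that is not part of the original post: it parses raw ARP frames and flags any that claim the gateway's IP address from a MAC other than the known gateway MAC. The gateway IP and MAC, the sample frames and all function names are constructed for illustration.

```python
import struct

# Assumed values for illustration (constructed, not taken from the post).
GATEWAY_IP = "10.1.20.1"
GATEWAY_MAC = "00:1a:2b:3c:4d:5e"

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Parse an untagged Ethernet frame; return ARP fields or None if not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":  # 802.1Q-tagged frames are skipped
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(frame[6:12]), "oper": oper,
            "sha": mac_str(frame[22:28]),               # sender hardware address
            "spa": ".".join(map(str, frame[28:32]))}    # sender protocol address

def check_frame(frame, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Return alert strings for one frame (empty list if nothing suspicious)."""
    arp = parse_arp(frame)
    if arp is None:
        return []
    alerts = []
    # Requests and replies both update neighbour caches, so check either opcode.
    if arp["spa"] == gateway_ip and arp["sha"] != gateway_mac:
        alerts.append(f"gateway {gateway_ip} claimed by {arp['sha']}")
    # A sender MAC in the ARP body that differs from the Ethernet source is forged.
    if arp["eth_src"] != arp["sha"]:
        alerts.append(f"Ethernet source {arp['eth_src']} differs from ARP sender {arp['sha']}")
    return alerts

def make_frame(eth_src, sha, spa, oper=2):
    """Build a constructed broadcast ARP frame for the demo."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(p) for p in s.split("."))
    return (b"\xff" * 6 + mac(eth_src) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, oper)
            + mac(sha) + ip(spa) + b"\x00" * 6 + ip("10.1.20.255"))

if __name__ == "__main__":
    pc = "00:11:22:33:44:55"  # constructed MAC of an ordinary PC
    samples = {"real gateway": make_frame(GATEWAY_MAC, GATEWAY_MAC, GATEWAY_IP),
               "PC announcing itself": make_frame(pc, pc, "10.1.20.57"),
               "PC claiming gateway IP": make_frame(pc, pc, GATEWAY_IP)}
    for label, frame in samples.items():
        print(label, "->", check_frame(frame) or "ok")
```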